[Freeipa-users] freeipa master server disaster recovery

root freeipa at voidembraced.net
Tue Jan 12 22:42:38 UTC 2010


Greetings FreeIPA mailing list: 

I have an FC11 environment set up for testing the FreeIPA implementation of 
kerberos+ldap w/admin utils.  Our primary purpose for kerberos right now is 
to provide auth services for coda.  However, once that gnat is squished, 
we'll of course be using kerberos for various other authentication services 
as well, and possibly using ldap for all manner of things (top of the list 
is basic server configuration information). 

So far, FreeIPA is a wonderful product and has very much simplified our 
deployment. 

My only real disappointment with FreeIPA, in fact, was seeing the notion of 
a "master server".  Moreover, I have not been able to determine what 
configuration or crucial data is stored on the master server -- of utmost 
importance is _where_ said crucial configuration/data is stored, so that we 
may suitably back it up. 

This of course raises disaster recovery questions.  Such as, in the event of 
a disaster, is it possible (and advisable?) to somehow "promote" a FreeIPA 
slave/peer server to "master" status?  Or must we deploy a new server with 
the same name as the old and then somehow sync up the non-master data from 
the slave/peer(s)?  Obviously, the best scenario would be that we could do 
either, as the decision on whether to promote or re-deploy will depend 
heavily on circumstances surrounding the failure. 


I am assuming the following scenario:
*) master server goes down
*) slave/peer(s) continue taking updates, the only exception being no 
FreeIPA servers may be deployed (correct??)
*) several days pass
*) master server is determined irreparable 

At which point, what should we have done prior to this failure, to give us 
the most options for recovery? 


Are there worse scenarios we can plan for?  Any other actions we can take 
that might save our bacon down the road? 


Just trying to think ahead.  ;) 


Many thanks for the product, and the support! 


Regards,
 -Don
Systems Administrator
{void} 
