[Freeipa-users] Confused/lost at promoting a replica into a master

Rob Crittenden rcritten at redhat.com
Tue May 1 13:48:51 UTC 2012


David Copperfield wrote:
> I think the problem is figured out, though the solution is not easy. Would
> someone please open a bug for this problem.
>
> Another close question to ask: Does this mean the IPA PKI/CA system is
> still in its beta/alpha stage, and better avoided in a production IPA
> deployment?
>
> I've seen messages and Q/A on the mailing lists of 389 Directory Server and
> freeIPA much, much more often than for Dogtag. If so, I can use --selfsign to
> install IPA masters and replicas now, and wait until Dogtag is
> mature enough, because this IPA solution is the core of our business
> authentication and authorization, and so I have been asked several times
> to make it reliable and easy to maintain. Otherwise the admin official
> would rather keep the existing Kerberos+OpenLDAP solution, which is time
> proven.

As Rich pointed out, there are per-instance specific versions of the 
scripts. This is related to the templates you saw in the rpm.

CAs are not sexy, which may be why the dogtag list is low volume. I get 
the feeling that many people just get by with self-signed certificates 
that are managed by hand. There is a fair bit of discussion in the 
freenode #dogtag IRC channel from time to time.

There is no way to migrate from one CA type to another within IPA 
(without re-installing IPA).

rob
