[Freeipa-users] Are replica gpg files reusable?

Dave Jones Dave.Jones at spilgames.com
Thu Apr 24 22:15:27 UTC 2014


Hi Rob,

I was considering installing replicas using Puppet. Having pre-prepared replica files available would be easier than having to run an ipa-replica-prepare and scp copy.

I had guessed the LDAP/Kerberos replication would handle the user/password/DNS updates, and that changing CA certificates would be the most likely cause of gpg file invalidation.

Again, thank you for the speedy response and clarification!

Cheers, Dave 


On 24 Apr 2014, at 23:40, Rob Crittenden <rcritten at redhat.com> wrote:

> Dave Jones wrote:
>> Hi,
>> 
>> Should the replica gpg created by ipa-replica-prepare be re-created when there have been trivial changes such as adding/modifying a user/group/password on the IPA server?
>> 
>> What change of condition(s) in the ‘master’ IPA host would prevent reuse of a previously prepared replica gpg file, or otherwise render it invalid?
> 
> I'm assuming there is some specific scenario you have in mind.
> 
> Typically a replica file is not needed after a master is installed. The only exception is if you install without a CA and then decide to use ipa-ca-install to add it later.
> 
> We generally recommend that a replica be installed fairly soon after preparation of the file, days, not months, but even then it may still be viable.
> 
> As for data modification (users, groups, etc) it should have no impact whatsoever. Once a replica is installed it is a full IPA master and the 389-ds replication protocol will keep it in sync.
> 
> rob




