[Freeipa-users] Are replica gpg files reusable?

[Petr Spacek]

On 25.4.2014 00:15, Dave Jones wrote:
> Hi Rob,
>
> I was considering installing replicas using puppet.  Having pre-prepared replica files available would be easier than having to run an ipa-replica-prepare and scp copy.
>
> I had guessed the ldap/kerberos replication would handle the user/password/DNS updates, and that changing CA certificates would be the most likely cause of gpg file invalidation.

I'm working on DNSSEC support in FreeIPA right now. It is possible that 
replica-file validity will lowered by this work. (We will need to distribute 
one new key as part of the replica file so the replica file will become 
invalid if the key was changed in meantime. Maybe we will find some other 
solution for it, I don't know ...)

Petr^2 Spacek

> On 24 Apr 2014, at 23:40, Rob Crittenden <rcritten at redhat.com> wrote:
>
>> Dave Jones wrote:
>>> Hi,
>>>
>>> Should the replica gpg created by ipa-replica-prepare be re-created when there have been trivial changes such as adding/modifying a user/group/password on the IPA server?
>>>
>>> What change of condition(s) in the ‘master’ IPA host would prevent reuse of a previously prepared replica gpg file, or otherwise render it invalid?
>>
>> I'm assuming there is some specific scenario you have in mind.
>>
>> Typically a replica file is not needed after a master is installed. The only exception is if you install without a CA and then decide to use ipa-ca-install to add it later.
>>
>> We generally recommend that a replica be installed fairly soon after preparation of the file, days, not months, but even then it may still be viable.
>>
>> As for data modification (users, groups, etc) it should have no impact whatsoever. Once a replica is installed it is a full IPA master and the 389-ds replication protocol will keep it in sync.
>>
>> rob