[Freeipa-users] Are replica gpg files reusable?

Dmitri Pal dpal at redhat.com
Fri Apr 25 13:45:05 UTC 2014


On 04/25/2014 05:06 AM, Petr Spacek wrote:
> On 25.4.2014 00:15, Dave Jones wrote:
>> Hi Rob,
>>
>> I was considering installing replicas using puppet.  Having 
>> pre-prepared replica files available would be easier than having to 
>> run an ipa-replica-prepare and scp copy.
>>
>> I had guessed the ldap/kerberos replication would handle the 
>> user/password/DNS updates, and that changing CA certificates would be 
>> the most likely cause of gpg file invalidation.
>
> I'm working on DNSSEC support in FreeIPA right now. It is possible 
> that replica-file validity will be lowered by this work. (We will need to 
> distribute one new key as part of the replica file, so the replica file 
> will become invalid if the key was changed in the meantime. Maybe we will 
> find some other solution for it, I don't know ...)
>


Maybe the solution is to run a cron job on the server that would 
prepare a replica file and refresh it under source control every so often?

> Petr^2 Spacek
>
>> On 24 Apr 2014, at 23:40, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> Dave Jones wrote:
>>>> Hi,
>>>>
>>>> Should the replica gpg created by ipa-replica-prepare be re-created 
>>>> when there have been trivial changes such as adding/modifying a 
>>>> user/group/password on the IPA server?
>>>>
>>>> What change of condition(s) in the ‘master’ IPA host would prevent 
>>>> reuse of a previously prepared replica gpg file, or otherwise 
>>>> render it invalid?
>>>
>>> I'm assuming there is some specific scenario you have in mind.
>>>
>>> Typically a replica file is not needed after a master is installed. 
>>> The only exception is if you install without a CA and then decide to 
>>> use ipa-ca-install to add it later.
>>>
>>> We generally recommend that a replica be installed fairly soon after 
>>> preparation of the file, days, not months, but even then it may 
>>> still be viable.
>>>
>>> As for data modification (users, groups, etc) it should have no 
>>> impact whatsoever. Once a replica is installed it is a full IPA 
>>> master and the 389-ds replication protocol will keep it in sync.
>>>
>>> rob
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



