[Freeipa-users] Are replica gpg files reusable?
Dmitri Pal
dpal at redhat.com
Fri Apr 25 13:45:05 UTC 2014
On 04/25/2014 05:06 AM, Petr Spacek wrote:
> On 25.4.2014 00:15, Dave Jones wrote:
>> Hi Rob,
>>
>> I was considering installing replicas using puppet. Having
>> pre-prepared replica files available would be easier than having to
>> run an ipa-replica-prepare and scp copy.
>>
>> I had guessed the ldap/kerberos replication would handle the
>> user/password/DNS updates, and that changing CA certificates would be
>> the most likely cause of gpg file invalidation.
>
> I'm working on DNSSEC support in FreeIPA right now. It is possible
> that replica-file validity will be lowered by this work. (We will need to
> distribute one new key as part of the replica file, so the replica file
> will become invalid if the key was changed in the meantime. Maybe we will
> find some other solution for it, I don't know ...)
>
Maybe the solution is to run a cron job on the server that would
prepare a replica file and refresh it under source control every so often?
> Petr^2 Spacek
>
>> On 24 Apr 2014, at 23:40, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>>> Dave Jones wrote:
>>>> Hi,
>>>>
>>>> Should the replica gpg created by ipa-replica-prepare be re-created
>>>> when there have been trivial changes such as adding/modifying a
>>>> user/group/password on the IPA server?
>>>>
>>>> What change of condition(s) in the ‘master’ IPA host would prevent
>>>> reuse of a previously prepared replica gpg file, or otherwise
>>>> render it invalid?
>>>
>>> I'm assuming there is some specific scenario you have in mind.
>>>
>>> Typically a replica file is not needed after a master is installed.
>>> The only exception is if you install without a CA and then decide to
>>> use ipa-ca-install to add it later.
>>>
>>> We generally recommend that a replica be installed fairly soon after
>>> preparation of the file, days, not months, but even then it may
>>> still be viable.
>>>
>>> As for data modification (users, groups, etc) it should have no
>>> impact whatsoever. Once a replica is installed it is a full IPA
>>> master and the 389-ds replication protocol will keep it in sync.
>>>
>>> rob
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
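One way to implement the cron-driven refresh suggested above, as an added example and not code from this thread or from the FreeIPA project: it regenerates a host's replica file only when the copy kept under source control is missing or older than a few days (Rob's "days, not months"), then commits the result. The repository path, the Directory Manager password file, the host-list format and the variable names are assumptions; the replica file itself is what ipa-replica-prepare writes to /var/lib/ipa/replica-info-<fqdn>.gpg, and since it carries the replica's key material the receiving repository has to be treated as a secret store.

```shell
#!/bin/sh
# Cron-driven refresher for ipa-replica-prepare output (added example, not
# from the thread). All paths below are assumptions for illustration.
IPA_REPLICA_PREPARE="${IPA_REPLICA_PREPARE:-ipa-replica-prepare}"  # overridable for testing
IPA_OUTPUT_DIR="${IPA_OUTPUT_DIR:-/var/lib/ipa}"                   # where ipa-replica-prepare writes
REPO_DIR="${REPO_DIR:-/srv/ipa-replica-files}"                     # assumed private git checkout
DM_PASSWORD_FILE="${DM_PASSWORD_FILE:-/root/.ipa-dm-password}"    # assumed root-only (mode 0600) file
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"                                  # "days, not months"

# Regenerate the replica file for host $1 if the repo has none or the
# existing one is older than MAX_AGE_DAYS.
# Returns 0 if a new file was produced, 1 if the old one is still fresh,
# 2 if ipa-replica-prepare or the copy failed.
refresh_replica_file() {
    host="$1"
    name="replica-info-$host.gpg"
    target="$REPO_DIR/$name"
    if [ -f "$target" ] && [ -z "$(find "$target" -mtime +"$MAX_AGE_DAYS" 2>/dev/null)" ]; then
        return 1
    fi
    # The DM password is passed on the command line, so it is briefly visible
    # in the process list on the master; run this only on the master itself.
    "$IPA_REPLICA_PREPARE" --password "$(cat "$DM_PASSWORD_FILE")" "$host" >/dev/null || return 2
    # The copy in the repo is secret material: keep it readable by root only.
    cp "$IPA_OUTPUT_DIR/$name" "$target" && chmod 0600 "$target" || return 2
    return 0
}

# Refresh every host listed in file $1 (one FQDN per line, '#' comments),
# commit if anything changed, and print the number of refreshed files.
refresh_all() {
    changed=0
    while read -r host; do
        [ -n "$host" ] || continue
        case "$host" in \#*) continue ;; esac
        if refresh_replica_file "$host"; then changed=$((changed + 1)); fi
    done < "$1"
    if [ "$changed" -gt 0 ] && [ -d "$REPO_DIR/.git" ]; then
        git -C "$REPO_DIR" add -A && git -C "$REPO_DIR" commit -q -m "refresh $changed replica file(s)"
    fi
    echo "$changed"
}
```

A crontab line such as `0 3 * * * REPO_DIR=/srv/ipa-replica-files /usr/local/sbin/replica-refresh.sh /etc/ipa/replica-hosts` (assumed paths) would then keep every listed host's file within the age limit.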