[Freeipa-users] Manage records while primary IPA is down

Dmitri Pal dpal at redhat.com
Mon Jan 13 20:24:52 UTC 2014


On 01/13/2014 03:01 PM, Dimitar Georgievski wrote:
>
> I was referring to user accounts, and I believe they require
> certificates. With the Primary IPA being down I was not able to create
> new user entries on the replica servers.

Hm? What kind of error do you get? What does the HTTP log show on the
replica you are performing the operation against?
User accounts have a certificate attribute but it is not used yet so it
might be something else not related to certificates.
Answers to the questions above would help.
Also here are some hints that might be helpful in collecting and
preparing information for our analysis: 
http://www.freeipa.org/page/Troubleshooting
>
> Hopefully the CA fail-over requirement is addressed in a new release
> of FreeIPA.
>
> Thanks,
>
> Dimitar
>
>
> On Mon, Jan 13, 2014 at 1:36 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>     On 01/13/2014 01:33 PM, Rob Crittenden wrote:
>     > Dimitar Georgievski wrote:
>     >> This question is really about HA of FreeIPA. I've noticed that new
>     >> records cannot be added on the replica server while the primary is
>     >> down.
>     >>
>     >> Ideally these services should be always available even when the
>     >> Primary server is down (for maintenance or other reasons).
>     >>
>     >> Is it possible to have another Primary server replicating with the
>     >> first Primary or to use one of the Replica servers to manage records
>     >> while the Primary server is down?
>     >
>     > All servers in IPA are equal masters, the only difference may be the
>     > services running on any given server (DNS and a CA).
>     >
>     > The exception is if a master runs out of DNA values or has never been
>     > used to add an entry that requires one and the original IPA master is
>     > down. An IPA server will request a DNA range the first time it needs
>     > one but doesn't get one until then. I'm guessing that is what
>     > happened.
>     >
>     > I believe IPA 3.3 added some options to ipa-replica-manage to be able
>     > to control the DNA configuration.
>
>
>     We might be talking about the entries that have certificates. Is this
>     the case?
>     If so, the certificate operations are proxied to the server that has
>     a full CA, but AFAIR there is no failover there, and I vaguely recall
>     that there was a ticket filed to address this scenario.
>
>     So which entries are we talking about?
>
>     >
>     > rob
>     >
>
>     --
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager for IdM portfolio
>     Red Hat Inc.
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
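
The DNA range point raised in the quoted reply can be checked before the original master is taken down. The script below is an added example, not part of the original thread or of FreeIPA itself: it reads text in the form printed by `ipa-replica-manage dnarange-show` and names the masters that hold no range. The "hostname: START-END" / "hostname: No range set" line format is an assumption, and the host names and ranges in SAMPLE are constructed.

```shell
#!/bin/sh
# Added example: find IPA masters that cannot allocate uid/gid values on
# their own because they hold no DNA range.

# Constructed sample input (assumed dnarange-show output format).
SAMPLE='ipa1.example.com: 68900001-68949999
ipa2.example.com: 68950000-68999999
ipa3.example.com: No range set'

# Reads dnarange-show style text on stdin and prints the host name of
# every master whose entry is not a well-formed START-END range.
masters_without_range() {
    awk -F': *' '
        NF < 2 { next }                      # skip blank or unrelated lines
        $2 ~ /^[0-9]+-[0-9]+$/ {
            split($2, r, "-")
            if (r[2] + 0 >= r[1] + 0) next   # usable range, nothing to report
        }
        { print $1 }                         # "No range set" or malformed range
    '
}

# Returns 0 when every master on stdin has a range, 1 otherwise.
# Offending host names go to stderr so the function can gate a maintenance step.
dna_ranges_ok() {
    missing=$(masters_without_range)
    if [ -n "$missing" ]; then
        for host in $missing; do
            printf 'no DNA range on: %s\n' "$host" >&2
        done
        return 1
    fi
    return 0
}

# Demo on the constructed sample; on a live server the input would be:
#   ipa-replica-manage dnarange-show | dna_ranges_ok
printf '%s\n' "$SAMPLE" | masters_without_range
```

A master reported here would have to request a range from another server the first time it adds a user or group, which is the failure mode described in the quoted reply when the original master is down.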

