[Freeipa-users] IPA replica without CA, how to become CA

Matt . yamakasi.014 at gmail.com
Mon Jul 6 18:05:56 UTC 2015


Small update on this.

The replica without CA is not going to find any CA, as the master is
"dead", so we need a CA.

The question is how to approach this: you have a replica with only LDAP
information and no CA.

Is it possible to create something split-brain-like: install IPA1 as a normal
IPA server so it becomes CA, but then? I wonder if you can create a
replica (ipa1) from your replica2 with the (ipa1) replica as your CA.

The reason why I saw this in my tests is from older docs. The docs say
to create a replica server but never mention the CA in it... so I'm
quite sure that lots of people have a replica installation between 2
servers which only has one CA.

Discussing this with Simo on IRC, it seems this would be some nice writing to
have in the docs, and now I found out... I'm trying to create this
using my tests.

But some unclear things have to be made clear first.

Cheers,

Matt

2015-07-06 19:01 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
> Rob,
>
> Isn't it impossible to install a CA on a replica when its master "died"?
>
> I know there is normally one CA, but this is kinda confusing me so I'm
> testing out scenarios.
>
> Thanks,
>
> Matt
>
> 2015-07-06 18:10 GMT+02:00 Matt . <yamakasi.014 at gmail.com>:
>> Hi Rob,
>>
>> OK, I had difficulties with that and will try it.
>>
>> What I actually did is:
>>
>> Turned off IPA1 (to make it act like a dead one) and removed it from ipa2.
>>
>> Now when I install a new replica with ipa2 as its master/source, I get
>> complaints that there is no CA. So my ipa2 needs to become CA in some way.
>>
>> I need to check, but I thought I did what you said, which didn't work...
>> I need to debug it and report to you this evening.
>>
>> Thanks,
>>
>> Matt
>>
>> 2015-07-06 17:54 GMT+02:00 Rob Crittenden <rcritten at redhat.com>:
>>> Matt . wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I'm cleaning up and playing around with some old dev setups and
>>>> reviewing these tests.
>>>>
>>>> This is a replica setup, but the replica is not a CA. Now I'm testing out
>>>> how to manage the cluster when I remove ipa1 (the CA) and create a new
>>>> replica with a CA from ipa2.
>>>>
>>>> IPA2 should become CA, and out of that I can set up a replica again.
>>>> What is my best approach to test this?
>>>
>>>
>>> Hard to say given I have no insight into your topology, but to add a CA
>>> post-install use ipa-ca-install <replica-file>
>>>
>>> rob
>>>
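The pre-flight check a practitioner would want before trying Rob's suggested `ipa-ca-install <replica-file>` on the surviving CA-less replica (ipa2 in the thread), as an added example that is not part of the thread and not FreeIPA's own code: it parses `ipactl status` output to tell whether the server already has a Dogtag CA and whether a replica file is available. The service names pki-tomcatd/pki-cad, the `name Service: STATE` line format and the replica-file path are assumptions; the sample outputs are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the thread): a pre-flight check for the situation
# discussed above, run on the CA-less replica before attempting
# `ipa-ca-install <replica-file>`. It parses `ipactl status` output; the
# service names pki-tomcatd (Dogtag 10) and pki-cad (Dogtag 9) and the
# "name Service: STATE" line format are assumed from FreeIPA of that era.

# Succeeds (0) if the status output lists a Dogtag CA service at all.
has_ca_role() {
    printf '%s\n' "$1" | grep -Eq '^pki-(tomcatd|cad) Service:'
}

# Succeeds (0) if the CA service is listed and reported RUNNING.
ca_running() {
    printf '%s\n' "$1" | grep -Eq '^pki-(tomcatd|cad) Service: RUNNING$'
}

# Classify what this server can do. Prints exactly one of:
#   already-ca            a running CA is present; nothing to install
#   ca-stopped            CA is installed but not running; fix that first
#   ca-install-possible   no CA, but a readable replica file is at hand
#   need-replica-file     no CA and no replica file to feed ipa-ca-install
ca_preflight() {
    status="$1"
    replica_file="$2"
    if ca_running "$status"; then
        echo "already-ca"
    elif has_ca_role "$status"; then
        echo "ca-stopped"
    elif [ -n "$replica_file" ] && [ -r "$replica_file" ]; then
        echo "ca-install-possible"
    else
        echo "need-replica-file"
    fi
}

# Constructed sample outputs, not captured from a real server.
STATUS_WITH_CA='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa: INFO: The ipactl command was successful'

STATUS_CA_STOPPED='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa: INFO: The ipactl command was successful'

STATUS_WITHOUT_CA='Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa: INFO: The ipactl command was successful'

# Stand-alone run against the constructed CA-less output. On a real replica use
#   ca_preflight "$(ipactl status)" /root/replica-info-ipa2.example.com.gpg
# (hypothetical path: the replica file ipa-replica-prepare produced on the
# original CA master for this host).
ca_preflight "$STATUS_WITHOUT_CA" "${1:-}"
```

The check only answers whether the local server is in a state where `ipa-ca-install` can even be attempted; it does not change the thread's open question about what happens when the master holding the only CA is already gone.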