[Freeipa-users] Replacing the "master"

Martin Kosek mkosek at redhat.com
Fri Sep 4 06:21:58 UTC 2015


On 09/04/2015 12:00 AM, Rob Crittenden wrote:
> Steven Jones wrote:
>> I have a 3 node IPA cluster, I have replaced the 2 "slaves" however when I
>> try and remove the last one the master? it says,
>>
>> "[root at vuwunicoipam001 thing]# ipa-replica-manage del vuwunicoipam002.xxxxxxxx
>> Directory Manager password:
>>
>> Deleting a master is irreversible.
>> To reconnect to the remote master you will need to prepare a new replica file
>> and re-install.
>> Continue to delete? [no]: yes
>> Deleting this server will orphan 'vuwunicoipam001xxxxxxxxx  and  
>> vuwunicoipam003.xxxxxxxxx
>> You will need to reconfigure your replication topology to delete this server.
>> [root at vuwunicoipam001 thing]# ipa-replica-manage list
>> Directory Manager password:
>>
>> vuwunicoipam002.xxxxxxxx master
>> vuwunicoipam003.xxxxxxxx master
>> vuwunicoipam001.xxxxxxxx master
>> [root at vuwunicoipam001 thing]#"
>>
>> So how do I re-configure?
> 
> Every server is a master. The only differences may be the services running (CA
> and/or DNS) and only one generates the CRL and manages certificate renewal.
> Otherwise they are all equal masters.
> 
> This doesn't show the topology. Were I to guess it looks like:
> 
>    001
>   /  \
> 002  003
> 
> So you need to run ipa-replica-manage connect vuwunicoipam002 vuwunicoipam003
> 
> Then you should be able to delete 001. Just be sure at least one of those
> other masters has a CA, if not both of them. You may need ipa-csreplica-manage
> connect to connect that topology.
> 
> Also be aware of the DNA config. A master doesn't automatically get one. It
> only gets it when it creates an entry that needs a range.

However, in this case this should not be a problem AFAIK, given that
ipa-replica-manage tries to preserve the DNA range, from FreeIPA 3.2:

https://fedorahosted.org/freeipa/ticket/3321

Martin
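
The orphan check discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA's own code: it treats replication agreements as an undirected graph, reports which groups of servers would be cut off from each other if one master were deleted, and lists the `ipa-replica-manage connect` pairs to add first. The agreement list is constructed from the topology guessed above, and the function names are hypothetical.

```python
from collections import defaultdict

def components_after_removal(agreements, victim):
    """Return the connected groups of servers left once `victim` is deleted.

    agreements: iterable of (host_a, host_b) replication agreements,
    treated as bidirectional. More than one group in the result means
    the deletion would orphan part of the topology.
    """
    graph = defaultdict(set)
    for a, b in agreements:
        graph[a].add(b)
        graph[b].add(a)
    remaining = set(graph) - {victim}
    groups, seen = [], set()
    for start in sorted(remaining):
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:  # depth-first walk that never passes through the victim
            node = stack.pop()
            if node in group:
                continue
            group.add(node)
            stack.extend(n for n in graph[node] if n != victim and n not in group)
        seen |= group
        groups.append(sorted(group))
    return groups

def connects_needed(agreements, victim):
    """Agreements to add before deleting `victim`: chain one host per group."""
    groups = components_after_removal(agreements, victim)
    return [(groups[i][0], groups[i + 1][0]) for i in range(len(groups) - 1)]

# Constructed input: the topology guessed in the thread (001 in the middle).
AGREEMENTS = [("vuwunicoipam001", "vuwunicoipam002"),
              ("vuwunicoipam001", "vuwunicoipam003")]

if __name__ == "__main__":
    for victim in ("vuwunicoipam001", "vuwunicoipam002"):
        pairs = connects_needed(AGREEMENTS, victim)
        if not pairs:
            print(f"{victim}: safe to delete, remaining masters stay connected")
        for a, b in pairs:
            print(f"before deleting {victim}: ipa-replica-manage connect {a} {b}")
```

The same check applies separately to the CA replication agreements, which the thread notes are managed with `ipa-csreplica-manage`.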



