On Fri, 2014-05-23 at 12:42 +0200, Martin Kosek wrote:
> On 05/23/2014 07:01 AM, James wrote:
> > I'm trying to understand some of the FreeIPA replication internals so
> > that I can better know how to do this properly in Puppet without
> > storing any secret information in Puppet, and so that automating
> > FreeIPA is awesome.
> >
> > Please point me to any docs, if there is reading I could be doing :)
> >
> > Here are some open questions I have:
> >
> > 1) Is the GPG file created with ipa-replica-prepare using a symmetric
> > password and is that password equal to the dm_password? If not, where
> > do the pub/priv key pairs come from and how do they get transferred to
> > the replica.
>
> Yes. Grep for function expand_replica_info in FreeIPA git.

Found it, very helpful, thanks!

> > 2) If I have root on the IPA server (actually all of them) how can I
> > run ipa-replica-prepare without needing interactive prompting for
> > entering the password. It's not possible with puppet. Is there another
> > (possibly less user friendly even) method to "prepare" the replica?
> > What is prepare actually doing?
>
> For, you can for example use --password for passing the DM password.

Good to know, but I'd like to avoid knowing the password actually. More in the other thread...

> > 3) With a multi master setup, what happens if I run the same action
> > (eg: user-mod or user-add or user-del) on more than one server.
>
> I would not do that, you risk replication conflicts on entries or attributes.
> More here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html

If the exact same action is run on different servers at the same time, will it still cause a replication conflict, or will it auto-resolve?

> > Can I
> > run it on any server?
>
> Yes.
>
> > What if I run different user-mod commands of the
> > same user on different masters. Is there split brain?
>
> Then you get a replication conflict. I think in case of attributes, last
> modification wins.
>
> > Are all the
> > transactions and writes synchronous across the whole cluster?
>
> They are not synchronous, it takes some time for a change to replicate to all
> masters.
>
> > Please
> > point me to a doc that explains this FAQ stuff if possible. Sorry for
> > the noise
>
> You should be able to get a reasonable starting information here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Designing_the_Replication_Process.html
>
> or here:
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication.html

This is good information, thanks.
I will have to do my homework and come back when I have more questions.

Thanks again,
James

> HTH,
> Martin