On 04/09/2015 04:05 PM, Rob Crittenden wrote:
Right now when a new master is installed it is not configured with a CA
unless one passes in --setup-ca (or afterward runs ipa-ca-install).

Over and over we've seen people who have multiple masters and a single
CA, in some cases that CA machine is gone, leaving the realm with no CA
at all.

I think this is due to the fact that CA replicas are not created by
default and the users are not aware of the implications of a single
point-of-failure since things otherwise seem to be working.

So perhaps the default should be to install a CA unless the user
requests one not be installed. A related task may be to create an
uninstaller for just the CA.

rob


From a general perspective:

When I hear "replica" it evokes a "clone", something equal/identical.

Based on this, the expected behavior for me would be that:

- if master has DNS and CA, then the new replica would also have DNS and CA (without any configuration option needed).
- if an optional service is missing then replica wouldn't have it as well by default

This would require reverse options like: --no-dns.
--
Petr Vobornik
