On Thu, 26 May 2016, thierry bordaz wrote:
The limitation would be to run the provisioning on IPA master.
During provisioning, membership attribute will be invalid
(memberof not computed). Is it acceptable that IPA master contains
invalid membership for some time?

Consider provisioning to be at the same level as running
ipa-server-upgrade -- access via 389/636 ports is not allowed, LDAPI is
the only interface enabled which implies there would be no problem if we
set expectations right: provisioning mode is offline.

Yes, I agree, provisioning mode is offline.
My concern is about side effects on the rest of the topology if we are
putting IPA master offline (is password update possible on replica?).

Sure, update on replica would be queued in replication queue. Password
changes are local anyway, they result in updates of a few password
attributes and that's all. These attributes are replicated in the same way
as anything else.
/ Alexander Bokovoy