Greetings FreeIPA mailing list: Thinking outside of the box for a moment, is it possible to divorce the FreeIPA "master" feature of deploying FreeIPA servers from the FreeIPA cluster which handles everything else? This keeps it safe and out of harm's way, especially considering it has the CA key on it.

This could be done a couple of different ways. One would be to just have the master FreeIPA "server" deployed as a VM instance -- we only dust it off and start it up when a new server needs deployment, and shut it back down after it has generated the replica file. While crude for my environment, this would work really well for a VM-based shop. The elegant approach for us is to run the FreeIPA replica generation feature on our kickstart+puppet server, where it only generates FreeIPA replica files and simply doesn't handle any FreeIPA requests. Since KickStart would most likely need to generate the replica file, as I believe the way puppet works prevents it from doing much server-side execution, is there a problem with generating replica files willy-nilly and then deleting them? I.e., running ipa-replica-prepare for each server deployed, but simply deleting the gpg file for all servers excluding those being deployed as FreeIPA slave/peer(s).

Regardless, taking a step back from specific implementation details, is the general idea sound? Beyond generating replica files, must there be any other communication between the master server and the other slave/peer(s)? E.g., the master must make updates to ldap/kerberos/etc. as a part of generating the replica file.

Many thanks for the product, and the support!

Systems Administrator

Freeipa-users mailing list