On 11/05/2013 03:17 PM, Rich Megginson wrote:
>
>>> 2. What is the difference between 'primary' and 'secondary'? What
>>> happens if the primary machine gets destroyed?
>> In IPA all replicas are the same, they only would differ by the paths
>> they sync with each other and by presence of integrated CA (if any).

Do I need CA in normal cases or is it just an additional and optional
service? In other words is this CA the same as used by replicas and
clients and the UI..etc?

>> If you have deployed original IPA server with integrated CA, then your
>> other replicas better to have at least one with CA configured to allow
>> proper recovery in case primary one is destroyed.

Are there any caveats to not deploy CA on all replicas as the simplest solution?

>>> 4. How many "master" can I use?
>> Technically there could be 65536 different masters in 389-ds replication
>> topology.

Perfect!

>>
>>> 5. If I have a network like this:
>>>
>>> A1______B1
>>> A2          B2
>>>
>>> A2 and B1,2 are replicated from A1
>>>
>>> If the connection gets lost between A and B site, are B1 and 2 (and
>>> A1,2) replicated fine?
>> I assume from the above that B1 does not know about B2 (and vice versa)?

Well, that is actually one of the questions. B1 and B2 are on the same
site and are failover nodes from the point of view of clients.

>> Once connectivity between sites A and B restored, all unreplicated data
>> will be replicated. There could be conflicts if there were changes on
>> both sides during the split but majority of them are solved
>> automatically by 389-ds.

The main question is that B1 and B2 are not replicated to each other
automatically? What about the case if

A1 -- replication -- A2 --- replication --- B1 -- replication -- B2

If B1 gets destroyed, how do B2 and A2 (and A1) get synchronized?
Especially automatically...?
Is there such a failover configuration?

>>> 6. If a client is installed with ipa-client-install using A1 and A1
>>> gets lost, does the client know, where it needs to connect (failover..)?
>> IPA server which was used to enroll the host will be primary one (A1 in
>> your example). There is failover in sssd.conf to use SRV records of the
>> domain, and trying servers in the order returned by the SRV records.

Ahh. Then if I use external DNS, I need to configure these SRV records
manually, that's all, right?

>>> 7. Can I install slave (read-only) replicas so clients access them only
>>> for queries and for changes (like pw change) they access master
>>> servers?
>> No read-only replicas available for IPA. All replicas are read-write and
>> propagate changes across replication paths as defined in replication
>> agreements. All IPA servers are really masters, thus we have
>> multi-master replication rather than master-slave.


Perfect, thanks for the clarification!

Thanks,
tamas

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
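
The B1-loss question in the message above comes down to whether the replication agreements still connect the surviving servers, since changes only propagate along the paths those agreements define. The following is an added example, not part of the original thread or of FreeIPA: it models agreements as graph edges and reports which single server loss would split the topology. The agreement lists for the two layouts in the thread, and the extra B2-A1 agreement in `RING`, are assumptions.

```python
# Added example: replication agreements modelled as an undirected graph.
# Server names come from the thread; the agreement lists are assumptions
# about how those layouts would be wired.
from collections import deque

CHAIN = [("A1", "A2"), ("A2", "B1"), ("B1", "B2")]  # A1 -- A2 -- B1 -- B2
STAR = [("A1", "A2"), ("A1", "B1"), ("A1", "B2")]   # A2, B1, B2 replicate from A1
RING = CHAIN + [("B2", "A1")]                       # chain plus one more agreement (assumed)


def build(agreements):
    """Turn a list of (server, server) agreements into an adjacency map."""
    graph = {}
    for left, right in agreements:
        graph.setdefault(left, set()).add(right)
        graph.setdefault(right, set()).add(left)
    return graph


def partitions(graph, lost):
    """Groups of surviving servers that can still exchange changes once `lost` is gone."""
    alive = set(graph) - {lost}
    groups = []
    while alive:
        start = min(alive)
        seen, queue = {start}, deque([start])
        while queue:                      # breadth-first walk over live agreements
            node = queue.popleft()
            for peer in (graph[node] & alive) - seen:
                seen.add(peer)
                queue.append(peer)
        groups.append(sorted(seen))
        alive -= seen
    return sorted(groups)


def single_points_of_failure(agreements):
    """Map each server whose loss splits replication to the resulting isolated groups."""
    graph = build(agreements)
    result = {}
    for server in sorted(graph):
        groups = partitions(graph, server)
        if len(groups) > 1:
            result[server] = groups
    return result


if __name__ == "__main__":
    for name, topo in (("chain", CHAIN), ("star", STAR), ("ring", RING)):
        print(name, single_points_of_failure(topo))
```

An empty result means every surviving server still has a replication path to every other after any one server is lost.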
