I was referring to user accounts, and I believe they require certificates. With the Primary IPA being down I was not able to create new user entries on the replica servers.
Hopefully the CA fail-over requirement is addressed in a new release of FreeIPA.

Thanks,
Dimitar

On Mon, Jan 13, 2014 at 1:36 PM, Dmitri Pal <[email protected]> wrote:

> On 01/13/2014 01:33 PM, Rob Crittenden wrote:
> > Dimitar Georgievski wrote:
> >> This question is really about HA of FreeIPA. I've noticed that new
> >> records cannot be added on the replica server while the primary is down.
> >>
> >> Ideally these services should be always available even when the Primary
> >> server is down (for maintenance or other reasons).
> >>
> >> Is it possible to have another Primary server replicating with the first
> >> Primary or to use one of the Replica servers to manage records while the
> >> Primary server is down.
> >
> > All servers in IPA are equal masters, the only difference may be the
> > services running on any given server (DNS and a CA).
> >
> > The exception is if a master runs out of DNA values or has never been
> > used to add an entry that requires one and the original IPA master is
> > down. An IPA server will request a DNA range the first time it needs
> > one but doesn't get one until then. I'm guessing that is what happened.
> >
> > I believe IPA 3.3 added some options to ipa-replica-manage to be able
> > to control the DNA configuration.
> >
> We might be talking about the entries that have certificates. Is this
> the case?
> If so the certificate operations are proxied to the server that has full
> CA but AFAIR there is no failover there and I vaguely recall that there
> was a ticket filed to address this scenario.
>
> So which entries are we talking about?
>
> >
> > rob
> >
> > _______________________________________________
> > Freeipa-users mailing list
> > [email protected]
> > https://www.redhat.com/mailman/listinfo/freeipa-users
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
