I was referring to user accounts, and I believe they require certificates.
With the Primary IPA being down I was not able to create new user entries
on the replica servers.
Hopefully the CA fail-over requirement is addressed in a new release of
On Mon, Jan 13, 2014 at 1:36 PM, Dmitri Pal <d...@redhat.com> wrote:
> On 01/13/2014 01:33 PM, Rob Crittenden wrote:
> > Dimitar Georgievski wrote:
> >> This question is really about HA of FreeIPA. I've noticed that new
> >> records cannot be added on the replica server while the primary is down.
> >> Ideally these services should be always available even when the Primary
> >> server is down (for maintenance or other reasons).
> >> Is it possible to have another Primary server replicating with the first
> >> Primary or to use one of the Replica servers to manage records while the
> >> Primary server is down?
> > All servers in IPA are equal masters, the only difference may be the
> > services running on any given server (DNS and a CA).
> > The exception is if a master runs out of DNA values or has never been
> > used to add an entry that requires one and the original IPA master is
> > down. An IPA server will request a DNA range the first time it needs
> > one but doesn't get one until then. I'm guessing that is what happened.
> > I believe IPA 3.3 added some options to ipa-replica-manage to be able
> > to control the DNA configuration.
> We might be talking about the entries that have certificates. Is this
> the case?
> If so, the certificate operations are proxied to the server that has the full
> CA, but AFAIR there is no failover there, and I vaguely recall that there
> was a ticket filed to address this scenario.
> So which entries are we talking about?
> > rob
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipaemail@example.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> Thank you,
> Dmitri Pal
> Sr. Engineering Manager for IdM portfolio
> Red Hat Inc.
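
The DNA-range condition Rob describes can be checked before the first master is taken down for maintenance. This is an added example, not part of the original thread or of FreeIPA itself: it reads the output of `ipa-replica-manage dnarange-show` (assumed to be one `host: START-END` or `host: No range set` line per master) and flags masters that hold no range or only a small one. The host names, ranges and the threshold of 100 are constructed.

```shell
#!/bin/sh
# Added example: pre-maintenance check of DNA ranges across IPA masters.
# Input on stdin: `ipa-replica-manage dnarange-show` output, assumed to be
# "host: START-END" or "host: No range set", one master per line.

# check_dna_ranges MIN_IDS
# Prints one finding per line; returns 1 if any master needs attention.
check_dna_ranges() {
    min_ids=${1:-100}
    awk -v min="$min_ids" '
        {
            # Split "host: value" on the first ": " only.
            sep = index($0, ": ")
            if (sep == 0) next
            host = substr($0, 1, sep - 1)
            val  = substr($0, sep + 2)
        }
        val == "No range set" {
            # This master cannot allocate UIDs/GIDs on its own yet.
            print "NO_RANGE " host; bad = 1; next
        }
        val ~ /^[0-9]+-[0-9]+$/ {
            split(val, r, "-")
            size = r[2] - r[1] + 1
            if (size < min) { print "LOW " host " " size; bad = 1 }
            next
        }
        { print "UNPARSED " host; bad = 1 }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample output (hypothetical host names and ranges).
sample_output() {
    cat <<'EOF'
ipa1.example.com: 1000-1049
ipa2.example.com: No range set
ipa3.example.com: 1500-1999
EOF
}

# On a real master: ipa-replica-manage dnarange-show | check_dna_ranges 100
sample_output | check_dna_ranges 100 || true
```

A master reported as `NO_RANGE` can be given a range with `ipa-replica-manage dnarange-set` while another master is still reachable.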