I was considering installing replicas using puppet. Having pre-prepared
replica files available would be easier than having to run an
ipa-replica-prepare and scp copy.
I had guessed the ldap/kerberos replication would handle the user/password/DNS
updates, and that changing CA certificates would be the most likely cause of
gpg file invalidation.
Again, thank you for speedy response and clarification!
On 24 Apr 2014, at 23:40, Rob Crittenden <rcrit...@redhat.com> wrote:
> Dave Jones wrote:
>> Should the replica gpg created by ipa-replica-prepare be re-created when
>> there have been trivial changes such as adding/modifying a
>> user/group/password on the IPA server?
>> What change of condition(s) in the ‘master’ IPA host would prevent reuse of
>> a previously prepared replica gpg file, or otherwise render it invalid?
> I'm assuming there is some specific scenario you have in mind.
> Typically a replica file is not needed after a master is installed. The only
> exception is if you install without a CA and then decide to use
> ipa-ca-install to add it later.
> We generally recommend that a replica be installed fairly soon after
> preparation of the file, days, not months, but even then it may still be
> As for data modification (users, groups, etc) it should have no impact
> whatsoever. Once a replica is installed it is a full IPA master and the
> 389-ds replication protocol will keep it in sync.
Freeipa-users mailing list