On 25.4.2014 00:15, Dave Jones wrote:
Hi Rob,
I was considering installing replicas using puppet. Having pre-prepared
replica files available would be easier than having to run an
ipa-replica-prepare and scp copy.
I had guessed the ldap/kerberos replication would handle the user/password/DNS
updates, and that changing CA certificates would be the most likely cause of
gpg file invalidation.
I'm working on DNSSEC support in FreeIPA right now. It is possible that
replica-file validity will lowered by this work. (We will need to distribute
one new key as part of the replica file so the replica file will become
invalid if the key was changed in meantime. Maybe we will find some other
solution for it, I don't know ...)
Petr^2 Spacek
On 24 Apr 2014, at 23:40, Rob Crittenden <rcrit...@redhat.com> wrote:
Dave Jones wrote:
Hi,
Should the replica gpg created by ipa-replica-prepare be re-created when there
have been trivial changes such as adding/modifying a user/group/password on the
IPA server?
What change of condition(s) in the ‘master’ IPA host would prevent reuse of a
previously prepared replica gpg file, or otherwise render it invalid?
I'm assuming there is some specific scenario you have in mind.
Typically a replica file is not needed after a master is installed. The only
exception is if you install without a CA and then decide to use ipa-ca-install
to add it later.
We generally recommend that a replica be installed fairly soon after
preparation of the file, days, not months, but even then it may still be viable.
As for data modification (users, groups, etc) it should have no impact
whatsoever. Once a replica is installed it is a full IPA master and the 389-ds
replication protocol will keep it in sync.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
