On 25.4.2014 00:15, Dave Jones wrote:
Hi Rob,

I was considering installing replicas using puppet.  Having pre-prepared 
replica files available would be easier than having to run an 
ipa-replica-prepare and scp copy.

I had guessed the ldap/kerberos replication would handle the user/password/DNS 
updates, and that changing CA certificates would be the most likely cause of 
gpg file invalidation.

I'm working on DNSSEC support in FreeIPA right now. It is possible that replica-file validity will be lowered by this work. (We will need to distribute one new key as part of the replica file, so the replica file will become invalid if the key was changed in the meantime. Maybe we will find some other solution for it, I don't know ...)

Petr^2 Spacek

On 24 Apr 2014, at 23:40, Rob Crittenden <rcrit...@redhat.com> wrote:

Dave Jones wrote:

Should the replica gpg created by ipa-replica-prepare be re-created when there 
have been trivial changes such as adding/modifying a user/group/password on the 
IPA server?

What change of condition(s) in the ‘master’ IPA host would prevent reuse of a 
previously prepared replica gpg file, or otherwise render it invalid?

I'm assuming there is some specific scenario you have in mind.

Typically a replica file is not needed after a master is installed. The only 
exception is if you install without a CA and then decide to use ipa-ca-install 
to add it later.

We generally recommend that a replica be installed fairly soon after 
preparation of the file, days, not months, but even then it may still be viable.

As for data modification (users, groups, etc) it should have no impact 
whatsoever. Once a replica is installed it is a full IPA master and the 389-ds 
replication protocol will keep it in sync.
