Dmitri Pal wrote:
On 04/25/2014 05:06 AM, Petr Spacek wrote:
On 25.4.2014 00:15, Dave Jones wrote:
Hi Rob,

I was considering installing replicas using puppet.  Having
pre-prepared replica files available would be easier than having to
run an ipa-replica-prepare and scp copy.

I had guessed the ldap/kerberos replication would handle the
user/password/DNS updates, and that changing CA certificates would be
the most likely cause of gpg file invalidation.

I'm working on DNSSEC support in FreeIPA right now. It is possible
that replica-file validity will be lowered by this work. (We will need to
distribute one new key as part of the replica file, so the replica file
will become invalid if the key was changed in the meantime. Maybe we will
find some other solution for it, I don't know ...)

Maybe the solution is to run a cron job on the server that would
prepare a replica file and refresh it under source control every so often?

The downside is you could end up issuing a whole ton of certificates for the same service, the majority of which aren't being used, and are unrevoked.


Freeipa-users mailing list