Small update on this.

The replica without CA is not going to find any CA as the master is
"dead" so we need a CA.

The question is how to approach, you have a replica with only ldap
information and no CA.

Is it possible to create a split-brain like, install IPA1 as a normal
ipa server, so it becomes CA, but then? I wonder if you can create a
(ipa1)replica from your replica2 with (ipa1)replica as your CA.

The reason why I saw this in my tests is from older docs. The docs say
to create a replica server but never mentioned the CA in it... so I'm
quite sure that lots of people have a replica installation between 2
servers which only has one CA.

Discussing this with Simo on IRC it seems to be some nice writing to
have in the docs and now I found out... I'm trying to create this
using my tests.

But some unclear things have to be made clear first.



2015-07-06 19:01 GMT+02:00 Matt . <>:
> Rob,
> Isn't it impossible to install a CA on a replica when its master "died"?
> I know there is normally one CA, but this is kinda confusing me so I'm
> testing out scenarios.
> Thanks,
> Matt
> 2015-07-06 18:10 GMT+02:00 Matt . <>:
>> Hi Rob,
>> OK, I had difficulties with that and try it.
>> What I actually did is:
>> Turned off IPA1 (to act it like a dead one) and removed it from ipa2.
>> Now when I install a new replica with ipa2 as its master/source I get
>> complaints there is no CA. So my ipa2 needs to become CA in some way.
>> I need to check but I thought I did what you said which didn't work...
>> I need to debug it and report to you this evening.
>> Thanks,
>> Matt
>> 2015-07-06 17:54 GMT+02:00 Rob Crittenden <>:
>>> Matt . wrote:
>>>> Hi All,
>>>> I'm cleaning up and playing around with some old dev setups and
>>>> reviewing these tests.
>>>> This is a replica setup but the replica is no CA. Now I'm testing out
>>>> how to manage cluster when I remove the ipa1 (CA)  and create a new
>>>> replica with CA from the ipa2.
>>>> IPA2 should become CA and out of that I can setup a replica again.
>>>> What is my best approach to test this ?
>>> Hard to say given I have no insight into your topology, but to add a CA
>>> post-install use ipa-ca-install <replica-file>
>>> rob
