Re: [Freeipa-users] Manage records while primary IPA is down
Dimitar Georgievski wrote:
> This question is really about HA of FreeIPA. I've noticed that new records cannot be added on the replica server while the primary is down. Ideally these services should be always available even when the Primary server is down (for maintenance or other reasons).
>
> Is it possible to have another Primary server replicating with the first Primary or to use one of the Replica servers to manage records while the Primary server is down.

All servers in IPA are equal masters, the only difference may be the services running on any given server (DNS and a CA).

The exception is if a master runs out of DNA values or has never been used to add an entry that requires one and the original IPA master is down. An IPA server will request a DNA range the first time it needs one but doesn't get one until then. I'm guessing that is what happened.

I believe IPA 3.3 added some options to ipa-replica-manage to be able to control the DNA configuration.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
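Added example, not part of the thread: a pre-maintenance check for the situation described in the reply above, where a master that has never been assigned a DNA range cannot add entries while the original master is down. It classifies the output of `ipa-replica-manage dnarange-show`; the output line formats, the host names, the sample ranges and the `MIN_FREE` threshold are assumptions.

```sh
#!/bin/sh
# Added example: classify the per-server lines printed by
# `ipa-replica-manage dnarange-show` (available from IPA 3.3).
# Assumed line formats: "<host>: <start>-<end>" and "<host>: No range set".

# Ranges with fewer free IDs than this are reported as LOW (assumed threshold).
MIN_FREE=${MIN_FREE:-100}

# Reads dnarange-show output on stdin, prints "<status> <host> [free-ids]".
classify_dna_ranges() {
    awk -v min="$MIN_FREE" '
        /^[^:]+: No range set$/ {
            host = $1; sub(/:$/, "", host)
            print "NORANGE", host
            next
        }
        /^[^:]+: [0-9]+-[0-9]+$/ {
            host = $1; sub(/:$/, "", host)
            split($2, r, "-")
            free = r[2] - r[1] + 1
            status = (free < min + 0) ? "LOW" : "OK"
            print status, host, free
            next
        }
        # Anything else (for example an error for an unreachable master).
        NF { host = $1; sub(/:$/, "", host); print "UNKNOWN", host }
    '
}

# Constructed sample output; host names and ranges are made up.
SAMPLE='ipa1.example.com: 1561200000-1561299999
ipa2.example.com: No range set
ipa3.example.com: 1561300000-1561300049'

printf '%s\n' "$SAMPLE" | classify_dna_ranges

# On a live master:
#   ipa-replica-manage dnarange-show | classify_dna_ranges
# A NORANGE replica can be given a range ahead of maintenance with
#   ipa-replica-manage dnarange-set <replica-fqdn> <start>-<end>
# where <start>-<end> must not overlap the range of any other master.
```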
Re: [Freeipa-users] Manage records while primary IPA is down
On 01/13/2014 01:33 PM, Rob Crittenden wrote:
> Dimitar Georgievski wrote:
>> This question is really about HA of FreeIPA. I've noticed that new records cannot be added on the replica server while the primary is down. Ideally these services should be always available even when the Primary server is down (for maintenance or other reasons).
>>
>> Is it possible to have another Primary server replicating with the first Primary or to use one of the Replica servers to manage records while the Primary server is down.
>
> All servers in IPA are equal masters, the only difference may be the services running on any given server (DNS and a CA).
>
> The exception is if a master runs out of DNA values or has never been used to add an entry that requires one and the original IPA master is down. An IPA server will request a DNA range the first time it needs one but doesn't get one until then. I'm guessing that is what happened.
>
> I believe IPA 3.3 added some options to ipa-replica-manage to be able to control the DNA configuration.

We might be talking about the entries that have certificates. Is this the case? If so, the certificate operations are proxied to the server that has the full CA, but AFAIR there is no failover there, and I vaguely recall that there was a ticket filed to address this scenario.

So which entries are we talking about?

> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
Re: [Freeipa-users] Manage records while primary IPA is down
I was referring to user accounts, and I believe they require certificates. With the Primary IPA being down I was not able to create new user entries on the replica servers.

Hopefully the CA fail-over requirement is addressed in a new release of FreeIPA.

Thanks,
Dimitar

On Mon, Jan 13, 2014 at 1:36 PM, Dmitri Pal d...@redhat.com wrote:
> On 01/13/2014 01:33 PM, Rob Crittenden wrote:
>> Dimitar Georgievski wrote:
>>> This question is really about HA of FreeIPA. I've noticed that new records cannot be added on the replica server while the primary is down. Ideally these services should be always available even when the Primary server is down (for maintenance or other reasons).
>>>
>>> Is it possible to have another Primary server replicating with the first Primary or to use one of the Replica servers to manage records while the Primary server is down.
>>
>> All servers in IPA are equal masters, the only difference may be the services running on any given server (DNS and a CA).
>>
>> The exception is if a master runs out of DNA values or has never been used to add an entry that requires one and the original IPA master is down. An IPA server will request a DNA range the first time it needs one but doesn't get one until then. I'm guessing that is what happened.
>>
>> I believe IPA 3.3 added some options to ipa-replica-manage to be able to control the DNA configuration.
>
> We might be talking about the entries that have certificates. Is this the case? If so, the certificate operations are proxied to the server that has the full CA, but AFAIR there is no failover there, and I vaguely recall that there was a ticket filed to address this scenario.
>
> So which entries are we talking about?
>
>> rob
Re: [Freeipa-users] Manage records while primary IPA is down
On 01/13/2014 03:01 PM, Dimitar Georgievski wrote:
> I was referring to user accounts, and I believe they require certificates. With the Primary IPA being down I was not able to create new user entries on the replica servers.

Hm? What kind of error do you get? What does the HTTP log show on the replica you are performing the operation against?

User accounts have a certificate attribute but it is not used yet, so it might be something else not related to certificates. Answers to the questions above would help.

Also here are some hints that might be helpful in collecting and preparing information for our analysis:
http://www.freeipa.org/page/Troubleshooting

> Hopefully the CA fail-over requirement is addressed in a new release of FreeIPA.
>
> Thanks,
> Dimitar
>
> On Mon, Jan 13, 2014 at 1:36 PM, Dmitri Pal d...@redhat.com wrote:
>> On 01/13/2014 01:33 PM, Rob Crittenden wrote:
>>> Dimitar Georgievski wrote:
>>>> This question is really about HA of FreeIPA. I've noticed that new records cannot be added on the replica server while the primary is down. Ideally these services should be always available even when the Primary server is down (for maintenance or other reasons).
>>>>
>>>> Is it possible to have another Primary server replicating with the first Primary or to use one of the Replica servers to manage records while the Primary server is down.
>>>
>>> All servers in IPA are equal masters, the only difference may be the services running on any given server (DNS and a CA).
>>>
>>> The exception is if a master runs out of DNA values or has never been used to add an entry that requires one and the original IPA master is down. An IPA server will request a DNA range the first time it needs one but doesn't get one until then. I'm guessing that is what happened.
>>>
>>> I believe IPA 3.3 added some options to ipa-replica-manage to be able to control the DNA configuration.
>>
>> We might be talking about the entries that have certificates. Is this the case? If so, the certificate operations are proxied to the server that has the full CA, but AFAIR there is no failover there, and I vaguely recall that there was a ticket filed to address this scenario.
>>
>> So which entries are we talking about?
>>
>>> rob

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.