On 05/23/2014 06:42 AM, Martin Kosek wrote:
> On 05/23/2014 07:01 AM, James wrote:
>> I'm trying to understand some of the FreeIPA replication internals so
>> that I can better know how to do this properly in Puppet without
>> storing any secret information in Puppet, and so that automating
>> FreeIPA is awesome.
>> Please point me to any docs, if there is reading I could be doing :)
>> Here are some open questions I have:
>> 1) Is the GPG file created with ipa-replica-prepare using a symmetric
>> password and is that password equal to the dm_password? If not, where
>> do the pub/priv key pairs come from and how do they get transferred to
>> the replica?
> Yes. Grep for function expand_replica_info in FreeIPA git.
>> 2) If I have root on the IPA server (actually all of them) how can I
>> run ipa-replica-prepare without needing interactive prompting for
>> entering the password? It's not possible with puppet. Is there another
>> (possibly less user friendly even) method to "prepare" the replica?
>> What is prepare actually doing?
> For this, you can for example use --password for passing the DM password.
I guess the question is more:
If I am root, is there any way to do the operation without providing the
password but rather using something like LDAPI to drive the operation?
The issue is that if you use puppet there is no way to get the password
dynamically from some kind of source without baking it into the scripts.
Baking passwords into scripts is bad, so to avoid it there needs to be a
way for root to install a replica without it. I am not sure it is
currently possible though.
>> 3) With a multi master setup, what happens if I run the same action
>> (eg: user-mod or user-add or user-del) on more than one server?
> I would not do that, you risk replication conflicts on entries or attributes.
> More here:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/8.2/html/Administration_Guide/Managing_Replication-Solving_Common_Replication_Conflicts.html
>> Can I run it on any server?
> Yes.
>> What if I run different user-mod commands of the same user on different
>> masters? Is there split brain?
> Then you get a replication conflict. I think in case of attributes, last
> modification wins.
>> Are all the transactions and writes synchronous across the whole cluster?
> They are not synchronous, it takes some time for a change to replicate to all
> masters.
>> Please point me to a doc that explains this FAQ stuff if possible. Sorry for
>> the noise.
> You should be able to get reasonable starting information here:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Deployment_Guide/Designing_the_Replication_Process.html
> or here:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Directory_Server/9.0/html/Administration_Guide/Managing_Replication.html
> HTH,
> Martin
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
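The non-interactive ipa-replica-prepare run discussed in the thread (Martin's --password suggestion versus Dmitri's objection to baking the Directory Manager password into Puppet scripts), as an added example that is not code from the thread or from the FreeIPA project. It assumes the wrapper runs as root on the master, that the DM password was placed out of band into a root-owned, mode-0600 file (the default path below is a placeholder), and that only the --password option named in the thread is available; the IPA_REPLICA_PREPARE variable exists solely so the wrapper can be exercised without a real IPA installation.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): let a root-run Puppet exec
# call ipa-replica-prepare without the DM password living in the manifest.
# Assumption: the password is deployed out of band into a 0600 file owned by
# the invoking user; the path below is a placeholder.

DM_PASSWORD_FILE="${DM_PASSWORD_FILE:-/root/.dm_password}"          # placeholder path
IPA_REPLICA_PREPARE="${IPA_REPLICA_PREPARE:-ipa-replica-prepare}"   # overridable for testing

# Accept the secret file only if it is a regular file, owned by the caller,
# and exactly mode 0600; anything more permissive is refused.
check_secret_file() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 0600 -user "$(id -un)" 2>/dev/null)" ]
}

# Print the first line of the secret file; fail on a rejected or empty file
# so the caller never runs the prepare step with a blank password.
read_dm_password() {
    check_secret_file "$1" || return 1
    pw=$(head -n 1 "$1")
    [ -n "$pw" ] || return 1
    printf '%s\n' "$pw"
}

# Prepare the replica file for the FQDN given as $1, passing the DM password
# with --password (the option mentioned in the thread) instead of a prompt.
prepare_replica() {
    host="$1"
    pw=$(read_dm_password "$DM_PASSWORD_FILE") || {
        echo "DM password unavailable from $DM_PASSWORD_FILE" >&2
        return 1
    }
    "$IPA_REPLICA_PREPARE" --password "$pw" "$host"
}
```

Run as root with DM_PASSWORD_FILE pointing at the out-of-band secret and the replica FQDN as the argument. This keeps the password out of the manifest and out of the Puppet catalog, but with --password it is still an argument of the running process and therefore visible in the process list on the master for the duration of the run; that is the trade-off Dmitri is pointing at, and it is why an LDAPI-driven, password-less path for root would be preferable if one existed.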