On 05/26/2016 12:23 PM, Alexander Bokovoy wrote:
On Thu, 26 May 2016, thierry bordaz wrote:
The limitation would be to run the provisioning on the IPA master. During provisioning, the membership attribute will be invalid (memberof not computed). Is it acceptable that the IPA master contains invalid membership for some time?
Consider provisioning to be at the same level as running
ipa-server-upgrade -- access via 389/636 ports is not allowed, LDAPI is
the only interface enabled which implies there would be no problem if we
set expectations right: provisioning mode is offline.

Yes I agree, provisioning mode is offline.
My concern is about side effects on the rest of the topology if we are putting the IPA master offline (is a password update possible on a replica?).
Sure, an update on a replica would be queued in the replication queue. Password
changes are local anyway; they result in updates of a few password
attributes and that's all. These attributes are replicated in the same way
as anything else.
Yes that is right.
I remember a discussion about the master key that was only available on IPA master and I thought that IPA master had a specific role around krb attributes. But if provisioning can be done on IPA master, it is then a good idea to use root/ldapi to avoid getting DM password.

thanks for all your feedback and help

thierry

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code