The attached patch is a work in progress for https://fedorahosted.org/freeipa/ticket/2614 (BZ 828866).
I am sharing it now to make the approach clear and solicit feedback. It has been tested for server install, replica install (with and without CA) and CA-replica install (all hosts running master+patch). Migration from earlier versions and server/replica/CA install on a CA-less deployment are not yet tested; these will be tested over the coming days and the patch will be tweaked as necessary. The commit message has a fair bit to say, so I won't repeat it here, but let me know your questions and comments.

Thanks,
Fraser

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code