On 1/29/20 11:12 AM, Daniel PC via FreeIPA-users wrote:
> Hello
> I'm building a cluster with 8 servers divided into 2 sites of 4 servers.
> I understand from the documentation that only the first server should be
> installed as a server, all others can be installed as replicas from the first
> one.
> Am I understanding this right?
> Is there some difference between a server and a replica from an operational
> point of view?

Hi Daniel,
if each replica is installed with the same set of services as the first
server, there is no functional difference (*). For instance, if the master
was configured with CA, KRA, DNS, AD trust controller and the replicas
also host the same services, any replica could replace the master.
(*) The only difference is related to the master CA role. This role can
be taken by only one server, and consists in CA renewal master and CRL
generation master. If the server hosting this role needs to be
decommissioned, you can move this role to another master.
Please read the book "Planning Identity Management" [1], especially the
IdM Terminology chapter [2], and in "Configuring and Managing IdM" the
sections related to Changing and resetting IdM CA renewal master [3] and
Generating CRL on the IdM CA server [4].
HTH,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/planning_identity_management/index
[2]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/planning_identity_management/overview-of-planning-for-identity-management-and-access-control-planning-dns-and-host-names#IdM_terminology_overview-of-planning-idm-and-access-control
[3]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/ipa-ca-renewal_configuring-and-managing-idm#changing-ca-renewal_ipa-ca-renewal
[4]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/generating-crl-on-the-idm-ca-server_configuring-and-managing-idm
> Thank you
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org