Small update on this. The replica without CA is not going to find any CA as the master is "dead" so we need a CA.
The question is how to approach this: you have a replica with only LDAP information and no CA.

Is it possible to create a split-brain like, install IPA1 as a normal ipa server, so it becomes CA, but then? I wonder if you can create a (ipa1)replica from your replica2 with (ipa1)replica as your CA.

The reason why I saw this in my tests is from older docs. The docs say to create a replica server but never mentioned the CA in it... so I'm quite sure that lots of people have a replica installation between 2 servers which only has one CA.

Discussing this with Simo on IRC it seems to be some nice writing to have in the docs and now I found out... I'm trying to create this using my tests. But some unclear things have to be made clear first.

Cheers,

Matt

2015-07-06 19:01 GMT+02:00 Matt . <[email protected]>:
> Rob,
>
> Isn't it impossible to install a CA on a replica when its master "died"?
>
> I know there is normally one CA, but this is kinda confusing me so I'm
> testing out scenarios.
>
> Thanks,
>
> Matt
>
> 2015-07-06 18:10 GMT+02:00 Matt . <[email protected]>:
>> Hi Rob,
>>
>> OK, I had difficulties with that and try it.
>>
>> What I actually did is:
>>
>> Turned off IPA1 (to act it like a dead one) and removed it from ipa2.
>>
>> Now when I install a new replica with ipa2 as its master/source I get
>> complaints there is no CA. So my ipa2 needs to become CA in some way.
>>
>> I need to check but I thought I did what you said which didn't work...
>> I need to debug it and report to you this evening.
>>
>> Thanks,
>>
>> Matt
>>
>> 2015-07-06 17:54 GMT+02:00 Rob Crittenden <[email protected]>:
>>> Matt . wrote:
>>>>
>>>> Hi All,
>>>>
>>>> I'm cleaning up and playing around with some old dev setups and
>>>> reviewing these tests.
>>>>
>>>> This is a replica setup but the replica is no CA. Now I'm testing out
>>>> how to manage cluster when I remove the ipa1 (CA) and create a new
>>>> replica with CA from the ipa2.
>>>>
>>>> IPA2 should become CA and out of that I can set up a replica again.
>>>> What is my best approach to test this?
>>>
>>>
>>> Hard to say given I have no insight into your topology, but to add a CA
>>> post-install use ipa-ca-install <replica-file>
>>>
>>> rob
>>>
