[Freeipa-devel] Allowing existing IPA hosts to be used for installing a replica
Simo Sorce
simo at redhat.com
Thu Jun 7 12:57:30 UTC 2012
On Wed, 2012-06-06 at 23:08 -0400, Rob Crittenden wrote:
> Scott Poore wrote:
> > Running this by the mailing list to see if I should open an RFE.
> >
> > Should we have the ability to install replicas where the host entries already exist in IPA?
> >
> > So, we could in theory do a host-add before running ipa-replica-install on the soon to be replica. There may be some useful cases for supporting this. Could be useful in a location that starts growing for "promoting" a client to a Replica for use in that location. Maybe as an override flag to the ipa-replica-install command?
> >
> > Thoughts?
>
> I asked Scott to pose this to the list. I'm a little uneasy about it but
> perhaps I'm just paranoid.
>
> This isn't proposing that an enrolled client be able to become a
> replica, but right now if a host entry exists for a target replica
> server we require it be removed before proceeding.
>
> The reason being we don't know what else is associated with that host
> (well, we do, but it sure seems like a lot of work to fetch it all). The
> host could already have an HTTP server, for example. Or it could have
> other certs or services.
>
> So the question is, is it adequate to require the removal or should we
> go through the trouble to see if there are any conflicting services? We
> don't have a TGT when preparing a replica so this would mean a bit of
> manual LDAP work which could very well be a pain source in the future.
Uhmm why should we care at replica preparation time ?
All the kerberos keys are created at install time, is it for certs ?
In that case I would suggest we defer creation of certs to install time
so it becomes non-issue.
At install time we detect if certs/keys are already available (and
functional) and we just reuse them if so.
What am I missing ?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
More information about the Freeipa-devel
mailing list