What level of network connectivity is required between replicas that do not share a replication agreement?
For years I have been running an IdM environment where there is often limited connectivity between replicas that do not have replication agreements with each other, and I don't believe that I've seen any problems that result from that. Recently, I have been working to upgrade from RHEL7's IdM to RHEL8's IdM and encountered a situation where this did become a problem: certmonger, via ipa-submit, tried to get a certificate during the installation of the second upgraded replica. It tried a significant number of replicas other than the one it had a replication agreement with, and ended up timing out due to multiple network connection timeouts to those remote replicas. The total number of connections it tried was exacerbated by the fact that there was literally only one replica that could respond positively, regardless of network issues, since it required the newer version of IdM.

First, is it expected that it try all of the CA replicas instead of just the one it has a replication agreement with? I think the answer here might be "yes" just because it's just an IdM client during this transaction, and, in fact, might have no CA replication agreements at all, but some confirmation would be appreciated.

Second, are there any other network connectivity requirements between replicas that don't have replication agreements? Am I going to run into other problems because my replicas in Spain can't directly communicate with my replicas in New Zealand?

Third, I've been relying on specifying specific replicas in sssd.conf's ipa_server to ensure that clients connect only to specific replicas. Should I be doing something else instead? I know that I probably should be using IPA Locations, and I'll pursue that after upgrades, but is there something else? Should I also be using the host and ca_host directives in /etc/ipa/default.conf, and, if so, can multiple hosts be listed there?
Thanks,
--
William Faulk

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
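The post describes a client walking a list of CA replicas and stalling on connection timeouts to the unreachable ones. The script below is an added example, not part of the post or of FreeIPA itself: it probes each candidate replica on the standard LDAP (389) and HTTPS (443) ports with a short timeout, estimates the worst-case wait a client would accumulate against the unreachable ones, and renders an sssd.conf `ipa_server` line (which accepts a comma-separated list) containing only the reachable replicas. The hostnames are constructed placeholders; the `connector` parameter exists only so the probe can be swapped out for testing.

```python
import socket
from typing import Callable, Dict, List

# Standard FreeIPA service ports a client contacts on a replica: LDAP and the
# HTTPS endpoint that ipa-submit/certmonger use to reach the CA.
PORTS = {"ldap": 389, "https": 443}

Connector = Callable[[str, int, float], bool]


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, DNS failure or timeout
        return False


def reachability_matrix(replicas: List[str], connector: Connector = tcp_reachable,
                        timeout: float = 3.0) -> Dict[str, Dict[str, bool]]:
    """Probe every replica on every port in PORTS; preserves list order."""
    return {host: {name: connector(host, port, timeout) for name, port in PORTS.items()}
            for host in replicas}


def usable_servers(matrix: Dict[str, Dict[str, bool]]) -> List[str]:
    """Replicas reachable on all checked ports, in the original order."""
    return [host for host, ports in matrix.items() if all(ports.values())]


def worst_case_delay(matrix: Dict[str, Dict[str, bool]], timeout: float) -> float:
    """Rough estimate of seconds a client would spend waiting on the unreachable
    replicas if it tries each one on every port before giving up."""
    failures = sum(1 for ports in matrix.values() for ok in ports.values() if not ok)
    return failures * timeout


def sssd_ipa_server_line(servers: List[str]) -> str:
    """Render the sssd.conf ipa_server value (comma-separated hostnames)."""
    return "ipa_server = " + ", ".join(servers)


if __name__ == "__main__":
    # Constructed candidate list; replace with your own replica hostnames.
    candidates = ["replica1.es.example.test", "replica1.nz.example.test"]
    matrix = reachability_matrix(candidates, timeout=2.0)
    print(matrix)
    print(f"worst-case wait on dead replicas: {worst_case_delay(matrix, 2.0):.0f}s")
    print(sssd_ipa_server_line(usable_servers(matrix)))
```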