Just some user notes
I really like the IPA server topology graph through the web front end, visualising the
agreements between servers is really useful. You can add or remove agreements here too,
for both domain and CA (for servers that have CA enabled)
I've deployed 6 IPA servers equally across our three main sites and enabled CA on all
of them, this seems to work fine and I've successfully moved the CA renewal master twice
(due to external reasons.)
Check the Red Hat documentation on replication agreements, I recall there are some useful
notes there on planning.
From: lejeczek via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Tuesday, 29 October 2019, 14:24
To: FreeIPA users list
Subject: [Freeipa-users] Re: number of topology segments for 3 servers clean setup?
On 29/10/2019 08:51, Alexander Bokovoy wrote:
On Tue, 29 Oct 2019, lejeczek via FreeIPA-users wrote:
> hi everyone,
> I wanted to ask about number of segments after a clean IPA setup with 3
> I see for both 'domain' & 'ca' two segments created by
> installations, which makes me wonder - should there not be three? no/yes
> & why?
You really need to show what you have rather than assume we know what
For three masters, there are several ways of connecting them so that
there are two segments. Or maybe you connected all three in a triangle.
For example: A <-> B <-> C, B <-> A <-> C, A <-> B <-> C <-> A
Without knowing your topology it is not possible to say what is correct
and what is not.
sorry was being vague. Question was not about correct or not but rather
I sought to confirm that what IPA replicas (3 masters in total)
installers created in topology - which was two segments - was what IPA
does by default (and not seek to create every possible chain in
topology, in my case it'd be that triangle) and not a result of some
I now assume that it simply is - each replica installation process
creates just one segment: new-replica <-> used_master ?
many thanks, L.
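
The two layouts discussed in this thread (two segments versus the triangle), compared in an added example that is not from any poster or from the FreeIPA project: it treats each segment as a bidirectional link and reports which server's outage would cut replication between the remaining servers, plus the segments missing from a full mesh. The host names and helper names are constructed for illustration.

```python
from itertools import combinations

def neighbours(segments):
    """Build an adjacency map from (left, right) segment pairs."""
    adj = {}
    for left, right in segments:
        adj.setdefault(left, set()).add(right)
        adj.setdefault(right, set()).add(left)
    return adj

def connected(servers, adj):
    """True if all of `servers` can reach each other using only those servers."""
    servers = set(servers)
    if not servers:
        return True
    seen, stack = set(), [next(iter(servers))]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend((adj.get(node, set()) & servers) - seen)
    return seen == servers

def single_points_of_failure(servers, segments):
    """Servers whose outage splits the remaining servers into isolated groups."""
    adj = neighbours(segments)
    return sorted(s for s in servers if not connected(set(servers) - {s}, adj))

def missing_for_full_mesh(servers, segments):
    """Server pairs that have no direct segment between them."""
    have = {frozenset(seg) for seg in segments}
    return sorted(tuple(sorted(pair)) for pair in combinations(servers, 2)
                  if frozenset(pair) not in have)

SERVERS = ["ipa1", "ipa2", "ipa3"]            # constructed host names
# One segment per replica install, both replicas installed against ipa1
TWO_SEGMENTS = [("ipa1", "ipa2"), ("ipa1", "ipa3")]
# Same layout plus the third segment that closes the triangle
TRIANGLE = TWO_SEGMENTS + [("ipa2", "ipa3")]

if __name__ == "__main__":
    for name, segs in (("two segments", TWO_SEGMENTS), ("triangle", TRIANGLE)):
        print(name,
              "| single points of failure:", single_points_of_failure(SERVERS, segs),
              "| missing for full mesh:", missing_for_full_mesh(SERVERS, segs))
```
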