Hi,
In several scenarios when the CA must be accessed, I face issues with the algorithm used to select the IPA server running the CA.
Wanted to check if there is an easy solution in place that I am missing...
For example, if I run "ipa vault-retrieve" on an IPA server that doesn't run CA/KRA, it will forward the request to another IPA server.
But how will it choose one?
From my tests, it looks like the algorithm is:
- If "ca_host" is defined in /etc/ipa/default.conf, use that IPA server
- If it's not defined, fallback to LDAP lookup - query "cn=masters,cn=ipa,cn=etc,<base-dn>" for servers that have KRA and... choose the first result.
So the problem is that neither of these two methods is redundant. If the chosen IPA server is down, it just fails, it doesn't try the others.
Is there any solution for this?
I thought it was specific to Vault access, but I discovered the same thing when I simply do "ipa host-disable" for some host.
Seems that also in this case there is a need to access the CA, so the IPA server applies the same algorithm as above - or so it looks.
And again, no redundancy. If it cannot reach the chosen IPA server, it won't try any other.
Can you confirm that the algorithm is as described above?
Or am I missing anything?
Thanks.
---
Regards,
Dmitry Perets
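An added example, not part of the post or of FreeIPA itself, that models the selection described above (ca_host from the [global] section of default.conf, else the first KRA/CA server returned by LDAP) next to a variant that probes each candidate before choosing, so a pinned or first-listed server that is down is skipped. The config text and candidate list are constructed; the LDAP query is left to the caller, and the default probe assumes the CA/KRA HTTPS port 8443.

```python
import configparser
import socket
from typing import Callable, Iterable, List, Optional

# Constructed sample of /etc/ipa/default.conf with ca_host pinned to one server.
SAMPLE_DEFAULT_CONF = """[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
domain = example.test
server = ipa1.example.test
ca_host = ipa2.example.test
"""

def ca_host_from_conf(conf_text: str) -> Optional[str]:
    """Return ca_host from the [global] section, or None if it is not set."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get("global", "ca_host", fallback=None)

def tcp_reachable(host: str, port: int = 8443, timeout: float = 2.0) -> bool:
    """Default probe (assumption): can a TCP connection to the CA/KRA port be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def current_behaviour(conf_text: str, ldap_candidates: Iterable[str]) -> Optional[str]:
    """Selection as described in the post: ca_host wins, else the first LDAP result.
    No reachability check, so a down server is still returned."""
    return ca_host_from_conf(conf_text) or next(iter(ldap_candidates), None)

def pick_reachable_ca(conf_text: str, ldap_candidates: Iterable[str],
                      probe: Callable[[str], bool] = tcp_reachable) -> Optional[str]:
    """Same candidate order (pinned ca_host first, then LDAP results),
    but skip every host the probe reports as down."""
    candidates: List[str] = []
    pinned = ca_host_from_conf(conf_text)
    if pinned:
        candidates.append(pinned)
    candidates += [h for h in ldap_candidates if h not in candidates]
    for host in candidates:
        if probe(host):
            return host
    return None  # nothing reachable: caller should fail loudly, not silently
```

Run against a real deployment, `ldap_candidates` would be the host names taken from the cn=masters subtree the post mentions, in the order the directory returns them.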