Hi,
In several scenarios when CA must be accessed, I face issues with the algorithm to select IPA server running CA. Wanted to check if there is an easy solution in place that I am missing...
For example, if I run "ipa vault-retrieve" on IPA server that doesn't run CA/KRA, it will forward the request to another IPA server. But how will it choose one? From my tests, looks like the algorithm is:
- If "ca_host" is defined in /etc/ipa/default.conf, use that IPA server
- If it's not defined, fallback to LDAP lookup - query "cn=masters,cn=ipa,cn=etc,<base-dn>" for servers that have KRA and... choose the first result.
So the problem is that neither of these two methods is redundant. If the chosen IPA server is down, it just fails, it doesn't try the others. Is there any solution for this?
I thought it was specific to Vault access, but I discovered the same thing when I simply do "ipa host-disable" for some host. Seems that also in this case there is a need to access CA, so the IPA server applies the same algorithm as above - so it looks. And again, no redundancy. If it cannot reach the chosen IPA server, it won't try any other.
Can you confirm that the algorithm is as described above? Or am I missing anything?
Thanks.
--
Regards,
Dmitry Perets
OK, I was probably a bit inaccurate about the algorithm with LDAP lookup. I had an impression that IPA always picks the first value, but it looks like it does have some randomization, but somehow the first entries are chosen more often. I had to run "ipa vault-retrieve" 5-8 times until it finally chose the right IPA server.
While this randomization is better than no randomization at all, still I believe that's a suboptimal behavior... When a chosen IPA server fails, it must try another one immediately, instead of failing... I think the role model here is how IPA discovers servers via SRV records or how krb5 discovers KDCs - there is a way to specify preference, but at the same time there is automatic resilience...
Then again, maybe I got this all totally wrong...=)
--
Regards,
Dmitry Perets
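The selection order described in this thread (ca_host from default.conf first, otherwise the KRA-enabled entries under cn=masters) with the missing failover step added, as an illustrative example written for this thread and not FreeIPA's own code. The config text and LDAP entries are constructed stand-ins; the ipaConfigString=enabledService attribute layout under cn=KRA,cn=<server>,cn=masters is assumed.

```python
import configparser
import random

# Constructed stand-in for /etc/ipa/default.conf (nothing is read from disk).
DEFAULT_CONF = """[global]
basedn = dc=example,dc=test
ca_host = ipa1.example.test
"""

# Constructed stand-in for entries under cn=masters,cn=ipa,cn=etc,<base-dn>.
# Assumption: the KRA role lives in a cn=KRA,cn=<server>,... sub-entry and is
# active only when ipaConfigString contains enabledService.
MASTERS = [
    {"dn": "cn=KRA,cn=ipa1.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     "ipaConfigString": ["enabledService"]},
    {"dn": "cn=KRA,cn=ipa2.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     "ipaConfigString": ["enabledService"]},
    {"dn": "cn=KRA,cn=ipa3.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test",
     "ipaConfigString": ["configuredService"]},  # configured but not enabled: skipped
]

def kra_servers(entries):
    """Hostnames whose KRA service is enabled, in LDAP result order."""
    hosts = []
    for e in entries:
        parts = e["dn"].split(",")
        if parts[0] == "cn=KRA" and "enabledService" in e["ipaConfigString"]:
            hosts.append(parts[1][len("cn="):])
    return hosts

def candidate_order(conf_text, entries, rng=random):
    """ca_host first when set; the remaining KRA hosts follow in random order."""
    cfg = configparser.ConfigParser()
    cfg.read_string(conf_text)
    preferred = cfg["global"].get("ca_host")
    rest = [h for h in kra_servers(entries) if h != preferred]
    rng.shuffle(rest)
    return ([preferred] if preferred else []) + rest

def call_with_failover(candidates, request):
    """Try request(host) on each candidate; return (host, result) for the first
    success instead of giving up after the first unreachable server."""
    errors = {}
    for host in candidates:
        try:
            return host, request(host)
        except ConnectionError as exc:
            errors[host] = str(exc)
    raise ConnectionError("all CA/KRA servers failed: %r" % errors)

def demo_request(host, down=("ipa1.example.test",)):
    """Constructed stand-in for the forwarded API call: fails on 'down' hosts."""
    if host in down:
        raise ConnectionError("connection refused")
    return "ok from " + host
```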
On Wed, 11 Sep 2019, Dmitry Perets via FreeIPA-users wrote:
> Hi,
> In several scenarios when CA must be accessed, I face issues with the algorithm to select IPA server running CA. Wanted to check if there is an easy solution in place that I am missing...
> For example, if I run "ipa vault-retrieve" on IPA server that doesn't run CA/KRA, it will forward the request to another IPA server. But how will it choose one? From my tests, looks like the algorithm is:
> - If "ca_host" is defined in /etc/ipa/default.conf, use that IPA server
> - If it's not defined, fallback to LDAP lookup - query "cn=masters,cn=ipa,cn=etc,<base-dn>" for servers that have KRA and... choose the first result.
> So the problem is that neither of these two methods is redundant. If the chosen IPA server is down, it just fails, it doesn't try the others. Is there any solution for this?
> I thought it was specific to Vault access, but I discovered the same thing when I simply do "ipa host-disable" for some host. Seems that also in this case there is a need to access CA, so the IPA server applies the same algorithm as above - so it looks. And again, no redundancy. If it cannot reach the chosen IPA server, it won't try any other.
> Can you confirm that the algorithm is as described above? Or am I missing anything?
I think the latter should be fixed with https://pagure.io/freeipa/issue/7475 which is in RHEL 7.7.