Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1518939

Summary: RFE: Extend IPA to support unadvertised replicas
Product: Red Hat Enterprise Linux 7 Reporter: Brian J. Atkisson <batkisso>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: unspecified    
Version: 7.4CC: fcami, frenaud, gswami, mkosek, ndehadra, pasik, pcech, pvoborni, rcritten, saime, tmihinto, tscherf
Target Milestone: rcKeywords: FutureFeature, TechPreview
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-4.6.5-2.el7 Doc Type: Technology Preview
Doc Text:
.Setting up IdM as a hidden replica is now available as a Technology Preview This enhancement enables administrators to set up an Identity Management (IdM) replica as a hidden replica. A hidden replica is an IdM server that has all services running and available. However, it is not advertised to other clients or masters because no `SRV` records exist for the services in DNS, and LDAP server roles are not enabled. Therefore, clients cannot use service discovery to detect hidden replicas. Hidden replicas are primarily designed for dedicated services that can otherwise disrupt clients. For example, a full backup of IdM requires to shut down all IdM services on the master or replica. Since no clients use a hidden replica, administrators can temporarily shut down the services on this host without affecting any clients. Other use cases include high-load operations on the IdM API or the LDAP server, such as a mass import or extensive queries. To install a new hidden replica, use the `ipa-replica-install --hidden-replica` command. To change the state of an existing replica, use the `ipa server-state` command.
 Story Points: ---
Clone Of:
: 1719767 (view as bug list) Environment:
Last Closed: 2019-08-06 13:09:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1647919, 1719767    

Description Brian J. Atkisson 2017-11-29 19:59:01 UTC 
Description of problem:

For background: http://post-office.corp.redhat.com/archives/idm-tech/2017-November/msg00441.html

As part of our deployment, we have a few IPA replicas that we do not
want users hitting directly for IPA client registration and day to day
queries (hosts designed as backup servers, KRA, etc). There appears to be no way to exclude servers from being returned to clients during auto-discovery.

Even with using DNS Locations, all replicas are returned to the client, just at a higher priority value.  There should be some way to mark an IPA server as 'unadvertised' and not included in any SRV records.

This would be useful for replicas dedicated to backups, CRL, KRA or other admin activities.

Thanks!
Comment 3 Florence Blanc-Renaud 2017-12-06 13:34:49 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/7307
Comment 6 Florence Blanc-Renaud 2019-03-29 09:11:29 UTC 
Fixed upstream:
ipa-4-6:

    cb85342 Add hidden replica feature
    016c47f ipatests: Exercise hidden replica feature
    7691162 Simplify and improve tests
    da9f62d Implement server-state --state=enabled/hidden
    d12cca4 Consider hidden servers as role provider
    ed00466 Improve config-show to show hidden servers
    131c1ab More test fixes
    bcf70c5 Don't allow to hide last server for a role
    d8d6799 Synchronize hidden state from IPA master role
    e40d92f Test replica installation from hidden replica
    d1eb4c7 Add design draft
    a0f00e6 Don't fail if config-show does not return servers
    aa3f60b Unify and simplify LDAP service discovery
    aba0fce Use api.env.container_masters
    ec94a68 Consolidate container_masters queries

ipa-4-7:
    ddf8e16 Add hidden replica feature
    f96f4a1 ipatests: Exercise hidden replica feature
    585bc52 Simplify and improve tests
    f3daa45 Implement server-state --state=enabled/hidden
    0bf26c5 Consider hidden servers as role provider
    de1a075 Improve config-show to show hidden servers
    3e2fb21 More test fixes
    dc2a5ec Don't allow to hide last server for a role
    87f9119 Synchronize hidden state from IPA master role
    467ceaf Test replica installation from hidden replica
    66c961d Add design draft
    c76620e Don't fail if config-show does not return servers


master:
    025facb Add hidden replica feature
    0770d8a ipatests: Exercise hidden replica feature
    99133eb Simplify and improve tests
    94b8635 Implement server-state --state=enabled/hidden
    d810e1f Consider hidden servers as role provider
    56d97f9 Improve config-show to show hidden servers
    f839d3c More test fixes
    e7e0f19 Don't allow to hide last server for a role
    8b1bb21 Synchronize hidden state from IPA master role
    e04dc9a Test replica installation from hidden replica
    d727321 Add design draft
    713c9b0 Don't fail if config-show does not return servers
Comment 7 Florence Blanc-Renaud 2019-03-29 09:49:59 UTC 
ipa-4-7:
    b4bade0 Unify and simplify LDAP service discovery
    885cb17 Use api.env.container_masters
    99eb7e0 Consolidate container_masters queries
Comment 9 Nikhil Dehadrai 2019-05-07 11:52:44 UTC 
ipa-server version: ipa-server-4.6.5-7.el7.x86_64

Tested the bug with following scenarios:
1.Verify that Hidden replica can be setup as a direct replica installation
2.Verify that Hidden replica can be setup using replica promotion
3.Verify that Replica can be setup from another Replica already configured as Hidden Replica
4.Verify that Error message is displayed when state of all master is changed to 'hidden'.
5.Verify that replica can be demoted to be a hidden replica.
6.Verify that hidden replica can be promoted.
7.Verify that KRA installation works on replica setup as hidden Replica
Comment 16 Nikhil Dehadrai 2019-05-17 09:25:44 UTC 
IPA-Version: ipa-server-4.6.5-8.el7.x86_64


All the Tier1 Tests PASSED successfully related to following scenarios:

Tested the bug with following scenarios:
1.Verify that Hidden replica can be setup as a direct replica installation
2.Verify that Hidden replica can be setup using replica promotion
3.Verify that Replica can be setup from another Replica already configured as Hidden Replica
4.Verify that Error message is displayed when state of all master is changed to 'hidden'.
5.Verify that replica can be demoted to be a hidden replica.
6.Verify that hidden replica can be promoted.
7.Verify that KRA installation works on replica setup as hidden Replica
8.Verify that Backup / Restore feature runs successfully against hidden replica


Thus on the basis of above observations and comments#9, Comment#13, Comment#14, Comment#15, marking status of this bug to 'VERIFIED'
Comment 19 errata-xmlrpc 2019-08-06 13:09:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:2241
Comment 20 Florence Blanc-Renaud 2019-09-13 12:48:24 UTC 
Upstream test added in
master:
https://pagure.io/freeipa/c/6064365aa09c9fcee01cb9be2bbe994adc361263
Comment 21 Florence Blanc-Renaud 2019-09-13 16:16:01 UTC 
Upstream test added
ipa-4-7:
https://pagure.io/freeipa/c/90c22dbc46910739b1ed43c5a1e94afdc464fe75

ipa-4-8:
https://pagure.io/freeipa/c/f2fb2208c13a21dfe24f4944691af09159cde8f2

ipa-4-6:
https://pagure.io/freeipa/c/ad3ddbb80d9f1dd3556afdc9cf506f3bae7f6783

The test is in ipatests/test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::test_hidden_replica_automatic_crl