Hide Forgot
Description of problem: For background: http://post-office.corp.redhat.com/archives/idm-tech/2017-November/msg00441.html As part of our deployment, we have a few IPA replicas that we do not want users hitting directly for IPA client registration and day to day queries (hosts designed as backup servers, KRA, etc). There appears to be no way to exclude servers from being returned to clients during auto-discovery. Even with using DNS Locations, all replicas are returned to the client, just at a higher priority value. There should be some way to mark an IPA server as 'unadvertised' and not included in any SRV records. This would be useful for replicas dedicated to backups, CRL, KRA or other admin activities. Thanks!
Upstream ticket: https://pagure.io/freeipa/issue/7307
Fixed upstream: ipa-4-6: cb85342 Add hidden replica feature 016c47f ipatests: Exercise hidden replica feature 7691162 Simplify and improve tests da9f62d Implement server-state --state=enabled/hidden d12cca4 Consider hidden servers as role provider ed00466 Improve config-show to show hidden servers 131c1ab More test fixes bcf70c5 Don't allow to hide last server for a role d8d6799 Synchronize hidden state from IPA master role e40d92f Test replica installation from hidden replica d1eb4c7 Add design draft a0f00e6 Don't fail if config-show does not return servers aa3f60b Unify and simplify LDAP service discovery aba0fce Use api.env.container_masters ec94a68 Consolidate container_masters queries ipa-4-7: ddf8e16 Add hidden replica feature f96f4a1 ipatests: Exercise hidden replica feature 585bc52 Simplify and improve tests f3daa45 Implement server-state --state=enabled/hidden 0bf26c5 Consider hidden servers as role provider de1a075 Improve config-show to show hidden servers 3e2fb21 More test fixes dc2a5ec Don't allow to hide last server for a role 87f9119 Synchronize hidden state from IPA master role 467ceaf Test replica installation from hidden replica 66c961d Add design draft c76620e Don't fail if config-show does not return servers master: 025facb Add hidden replica feature 0770d8a ipatests: Exercise hidden replica feature 99133eb Simplify and improve tests 94b8635 Implement server-state --state=enabled/hidden d810e1f Consider hidden servers as role provider 56d97f9 Improve config-show to show hidden servers f839d3c More test fixes e7e0f19 Don't allow to hide last server for a role 8b1bb21 Synchronize hidden state from IPA master role e04dc9a Test replica installation from hidden replica d727321 Add design draft 713c9b0 Don't fail if config-show does not return servers
ipa-4-7: b4bade0 Unify and simplify LDAP service discovery 885cb17 Use api.env.container_masters 99eb7e0 Consolidate container_masters queries
ipa-server version: ipa-server-4.6.5-7.el7.x86_64 Tested the bug with following scenarios: 1.Verify that Hidden replica can be setup as a direct replica installation 2.Verify that Hidden replica can be setup using replica promotion 3.Verify that Replica can be setup from another Replica already configured as Hidden Replica 4.Verify that Error message is displayed when state of all master is changed to 'hidden'. 5.Verify that replica can be demoted to be a hidden replica. 6.Verify that hidden replica can be promoted. 7.Verify that KRA installation works on replica setup as hidden Replica
IPA-Version: ipa-server-4.6.5-8.el7.x86_64 All the Tier1 Tests PASSED successfully related to following scenarios: Tested the bug with following scenarios: 1.Verify that Hidden replica can be setup as a direct replica installation 2.Verify that Hidden replica can be setup using replica promotion 3.Verify that Replica can be setup from another Replica already configured as Hidden Replica 4.Verify that Error message is displayed when state of all master is changed to 'hidden'. 5.Verify that replica can be demoted to be a hidden replica. 6.Verify that hidden replica can be promoted. 7.Verify that KRA installation works on replica setup as hidden Replica 8.Verify that Backup / Restore feature runs successfully against hidden replica Thus on the basis of above observations and comments#9, Comment#13, Comment#14, Comment#15, marking status of this bug to 'VERIFIED'
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2241
Upstream test added in master: https://pagure.io/freeipa/c/6064365aa09c9fcee01cb9be2bbe994adc361263
Upstream test added ipa-4-7: https://pagure.io/freeipa/c/90c22dbc46910739b1ed43c5a1e94afdc464fe75 ipa-4-8: https://pagure.io/freeipa/c/f2fb2208c13a21dfe24f4944691af09159cde8f2 ipa-4-6: https://pagure.io/freeipa/c/ad3ddbb80d9f1dd3556afdc9cf506f3bae7f6783 The test is in ipatests/test_integration/test_replica_promotion.py::TestHiddenReplicaPromotion::test_hidden_replica_automatic_crl