
Frequently Asked Questions

Q: Is it possible to change the IP address of the master server?
Q: Why are there restrictions on the length of user and group names? How can I change this?
Q: What is the difference between a replica and a master server?
Q: Can I promote a replica to function as the master?
Q: Why does the ipa-client-install script fail to find the IPA server on a network that uses Active Directory DNS?
Q: Can an administrator who is connected to "Server B" revoke a certificate issued by "Server A"?
Is it possible to change the IP address of the master server?
Yes. If you are only changing the IP address, it is sufficient to update the /etc/hosts file, the system configuration, and the DNS entry.
Why are there restrictions on the length of user and group names? How can I change this?
User and group name lengths are specified in the policy. The default maximum username length is 32 characters. The maximum configurable length for user or group names is 255 characters. These limits accommodate some supported client operating systems, which limit the length of usernames.
The default settings can be changed in the FreeIPA UI or using the ipa config-mod command. For example:
ipa config-mod --maxusername=50
What is the difference between a replica and a master server?
A master server maintains a certificate authority. A replica server has its certificate issued by the master CA.
Can I promote a replica to function as the master?
Why does the ipa-client-install script fail to find the IPA server on a network that uses Active Directory DNS?
Active Directory has its own SRV records for Kerberos and LDAP. The ipa-client-install script can retrieve those records instead of any that have been added for the FreeIPA domain.
When running ipa-client-install, manually enter the server information to ensure that the script uses the FreeIPA SRV records instead of Active Directory records. The ipa-client-install options are listed in Section B.6.1, “ipa-client-install”.
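A pre-enrollment check for the situation described above, as an added example that is not part of the original FAQ: it parses answers in the format printed by `dig +short SRV _ldap._tcp.<domain>` and decides whether discovery would reach the FreeIPA server or something else. The host names, domain and sample answers are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Input lines look like: priority weight port target.

# Constructed sample: zone served by Active Directory DNS, so the SRV
# records point at domain controllers (hypothetical host names).
AD_ANSWER='0 100 389 dc1.example.com.
0 100 389 dc2.example.com.'

# Constructed sample: zone that carries the FreeIPA SRV record.
IPA_ANSWER='0 100 389 ipa1.example.com.'

# Print each SRV target, lower-cased, with the trailing dot removed.
srv_targets() {
    printf '%s\n' "$1" |
        awk 'NF == 4 { t = tolower($4); sub(/\.$/, "", t); print t }'
}

# discovery_ok ANSWER HOST...
# Returns 0 only if the answer is non-empty and every SRV target is one
# of the listed FreeIPA servers.
discovery_ok() {
    answer=$1; shift
    targets=$(srv_targets "$answer")
    [ -n "$targets" ] || return 1
    for t in $targets; do
        found=1
        for ipa in "$@"; do
            if [ "$t" = "$ipa" ]; then found=0; fi
        done
        [ "$found" -eq 0 ] || return 1
    done
    return 0
}

# Print the enrollment command: plain discovery when the SRV records
# lead to the FreeIPA server, explicit --server/--domain otherwise.
enroll_command() {
    answer=$1; domain=$2; server=$3
    if discovery_ok "$answer" "$server"; then
        echo "ipa-client-install"
    else
        echo "ipa-client-install --server=$server --domain=$domain"
    fi
}

enroll_command "$AD_ANSWER" example.com ipa1.example.com
```

On a live network, pass the output of the `dig` query as the first argument in place of the constructed samples.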
Can an administrator who is connected to "Server B" revoke a certificate issued by "Server A"?
Yes, assuming that Servers A and B contain non-cloned CAs which have their database information replicated to share revocation information only.