<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 04/02/15 11:39, Roberto Cornacchia
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAFGv-=ewo4VEi8E=dMsuku5pL1hyDkpy1LADj8+6JvWVSWrcLA@mail.gmail.com"
      type="cite">
      <div dir="ltr">Thank you Craig and Martin for your useful input.
        <div><br>
        </div>
        <div>You both definitely recommend not to use <a
            moz-do-not-send="true" href="http://example.com">example.com</a>
          for the internal IPA DNS. </div>
        <div><br>
        </div>
        <div>I was in any case going to avoid .local suffix and any
          invented top-level domain, after some reading on this topic.</div>
        <div><br>
        </div>
        <div>Using a subdomain like <a moz-do-not-send="true"
            href="http://internal.example.com">internal.example.com</a>
          seems reasonable. </div>
        <div>I was under the impression that the freeIPA domain needed
          to be a top-level one, but maybe I was wrong here? Can I still
          keep <a moz-do-not-send="true" href="http://example.com">example.com</a>
          outside and have freeIPA manage <a moz-do-not-send="true"
            href="http://internal.example.com">internal.example.com</a>?<br>
        </div>
      </div>
    </blockquote>
    <br>
    IPA DNS is designed only for internal networks, so having an internal
    subdomain is a good use case. You can keep example.com outside of IPA
    DNS; you just need to configure a proper forwarder address pointing to
    the external DNS.<br>
    <br>
    Martin^2<br>
    <br>
    <blockquote
cite="mid:CAFGv-=ewo4VEi8E=dMsuku5pL1hyDkpy1LADj8+6JvWVSWrcLA@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On 4 February 2015 at 10:34, Martin
          Basti <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>
                <div class="h5">
                  <div>On 03/02/15 16:52, Craig White wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div>
                      <p class="MsoNormal"><b><span
 style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">From:</span></b><span
 style="font-size:10.0pt;font-family:'Tahoma','sans-serif'">
                          <a moz-do-not-send="true"
                            href="mailto:freeipa-users-bounces@redhat.com"
                            target="_blank">freeipa-users-bounces@redhat.com</a>
                          [<a moz-do-not-send="true"
                            href="mailto:freeipa-users-bounces@redhat.com"
                            target="_blank">mailto:freeipa-users-bounces@redhat.com</a>]
                          <b>On Behalf Of </b>Roberto Cornacchia<br>
                          <b>Sent:</b> Tuesday, February 03, 2015 5:20
                          AM<br>
                          <b>To:</b> <a moz-do-not-send="true"
                            href="mailto:freeipa-users@redhat.com"
                            target="_blank">freeipa-users@redhat.com</a><br>
                          <b>Subject:</b> [Freeipa-users] basic question
                          on DNS configuration</span></p>
                      <p class="MsoNormal"> </p>
                      <div>
                        <p class="MsoNormal">Hi guys,</p>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">I can't wait to get
                            freeIPA installed in our small enterprise,
                            but I'd first like to get a couple of basic
                            things straight. </p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">My first doubt is about
                            the DNS configuration. Currently, we use a
                            setting that I guess is rather common for
                            small enterprises:</p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">We own an <a
                              moz-do-not-send="true"
                              href="http://example.com" target="_blank">example.com</a>
                            domain which is managed by the DNS of an
                            external provider. </p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">A couple of subdomains
                            point to public IP addresses outside our
                            local network (e.g. <a
                              moz-do-not-send="true"
                              href="http://www.example.com"
                              target="_blank">www.example.com</a> is
                            hosted at our internet provider, <a
                              moz-do-not-send="true"
                              href="http://server1.example.com"
                              target="_blank">server1.example.com</a>
                            points at a server hosted in a datacenter,
                            etc).</p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">All the remaining
                            subdomains (*.<a moz-do-not-send="true"
                              href="http://example.com" target="_blank">example.com</a>)
                            point at one IP which corresponds to our
                            local router. </p>
                        </div>
                        <div>
                          <p class="MsoNormal">Then we use some simple
                            forwarding rules to forward on to machines
                            that are behind the router (<a
                              moz-do-not-send="true"
                              href="http://service1.example.com"
                              target="_blank">service1.example.com</a>,
                            <a moz-do-not-send="true"
                              href="http://desktop1.example.com"
                              target="_blank">desktop1.example.com</a>,
                            <a moz-do-not-send="true"
                              href="http://desktop2.example.com"
                              target="_blank"> desktop2.example.com</a>,
                            etc).</p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">Internally, because the
                            enterprise is rather small, we are not using
                            a DNS, but simply /etc/hosts files on each
                            machine. When they can't resolve <a
                              moz-do-not-send="true"
                              href="http://whatever.example.com"
                              target="_blank">whatever.example.com</a>,
                            then the request goes to the external DNS.</p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">(sorry about the long-ish
                            background information, probably this
                            configuration is commonly named somehow, but
                            I don't know how)</p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">Now, a first simple
                            question for you guys would be: </p>
                        </div>
                        <div>
                          <p class="MsoNormal">When installing freeIPA,
                            with DNS, is the network configuration above
                            still advisable? Can there be any problem?
                            Or should I rather use a different domain
                            for the internal network (I would really NOT
                            like this option, but I'm very interested to
                            know why I should, if that is the case).</p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">A second basic question
                            is:</p>
                        </div>
                        <div>
                          <p class="MsoNormal">Would you see any
                            potential problem in installing freeIPA on a
                            FC21 Server which currently hosts Atlassian
                            Jira + Atlassian Stash (therefore git
                            repositories) + the required mysql
                            databases?</p>
                        </div>
                        <div>
                          <p class="MsoNormal">My guess would be that
                            they would not interfere, as:</p>
                        </div>
                        <div>
                          <p class="MsoNormal">- httpd (and related
                            ports) is currently unused)</p>
                        </div>
                        <div>
                          <p class="MsoNormal">- Both Jira and Stash use
                            their own tomcat installation on custom
                            ports</p>
                        </div>
                        <div>
                          <p class="MsoNormal">- mysql shouldn't be a
                            problem?</p>
                        </div>
                        <div>
                          <p class="MsoNormal">- The machine isn't
                            overloaded at all (4-5 developers use those
                            services)</p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">Am I overlooking
                            something? Obviously I'd rather have a
                            dedicated freeIPA server, but if the above
                            mentioned coexistence isn't a problem, then
                            this would be more cost-effective.</p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                        <div>
                          <p class="MsoNormal">Thank you very much for
                            your help, I'm looking forward to this
                            upgrade.</p>
                        </div>
                        <div>
                          <div style="border:none;border-bottom:solid
                            windowtext 1.0pt;padding:0in 0in 1.0pt 0in">
                            <p class="MsoNormal"
                              style="border:none;padding:0in">Roberto</p>
                          </div>
                        </div>
                        <div>
                          <p class="MsoNormal"><span
                              style="color:#1f497d">I would recommend
                              that you create a ‘local’ domain for your
                              internal LAN though you certainly can use
                              your domain name for both the internal LAN
                              and the external world. Obviously you
                              would have to create ‘manual’ entries in
                              DNS for the external servers (like <a
                                moz-do-not-send="true"
                                href="http://www.example.com"
                                target="_blank">www.example.com</a>) so
                              your internal LAN systems can resolve it.
                              If you have a ‘local’ domain for your
                              internal LAN, there aren’t name
                              collisions, no need to manually maintain
                              DNS entries for off-LAN servers and no
                              confusion of essentially faking your LAN
                              systems into believing that the IPA server
                              is authoritative for <a
                                moz-do-not-send="true"
                                href="http://example.com"
                                target="_blank">example.com</a> domain
                              when the rest of the world thinks
                              otherwise. The choice is yours.</span></p>
                          <p class="MsoNormal"><span
                              style="color:#1f497d"> </span></p>
                          <p class="MsoNormal"><span
                              style="color:#1f497d">As for using F21 –
                              you get the latest version of FreeIPA
                              which is something I wish I had here.</span></p>
                          <p class="MsoNormal"><span
                              style="color:#1f497d"> </span></p>
                          <p class="MsoNormal"><span
                              style="color:#1f497d">Git / Stash / Jira
                              represent a fairly hefty memory footprint
                              even if there isn’t that much CPU load. If
                              you have the RAM and cpu cores to handle
                              tossing FreeIPA onto the stack, go for it.
                              You probably will want a replica too as
                              the replica keeps your LAN running if the
                              primary server is unavailable for whatever
                              reason and it minimizes backup needs
                              substantially.</span></p>
                          <p class="MsoNormal"><span
                              style="color:#1f497d"> </span></p>
                          <p class="MsoNormal"><span
                              style="color:#1f497d">Craig</span><span
 style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d"></span></p>
                        </div>
                        <div>
                          <p class="MsoNormal"> </p>
                        </div>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
              Hello,<br>
              <br>
              For using 'local.' domain please read following message,
              to avoid issues on Fedora:<br>
              <a moz-do-not-send="true"
href="https://www.redhat.com/archives/freeipa-users/2015-February/msg00010.html"
                target="_blank">https://www.redhat.com/archives/freeipa-users/2015-February/msg00010.html</a><br>
              <br>
              You can't use '<a moz-do-not-send="true"
                href="http://example.com" target="_blank">example.com</a>'
              zone for internal IPA DNS.<br>
              <br>
              You can create your internal sub zone, like '<a
                moz-do-not-send="true"
                href="http://internal.example.com" target="_blank">internal.example.com</a>',

              '<a moz-do-not-send="true" href="http://corp.example.com"
                target="_blank">corp.example.com</a>', where IPA managed
              hosts will be added. It is the preferred solution instead of
              creating '.local' hostnames.  Then you can set up a global
              forwarder on IPA DNS to your external DNS, where names other
              than '<a moz-do-not-send="true"
                href="http://internal.example.com" target="_blank">internal.example.com</a>'
              will be resolved.<br>
              <br>
              If I understand correctly, it is an internal network, so you
              do not need publicly resolvable domain names.<span
                class="HOEnZb"><font color="#888888"><br>
                  <pre cols="72">-- 
Martin Basti</pre>
                </font></span></div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Martin Basti</pre>
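    <p>Added example (not part of the thread, and not FreeIPA code): a small
    Python model of the two DNS layouts discussed above. All zone names,
    hostnames and IP addresses in it are constructed. It shows the property
    Martin and Craig rely on: an authoritative server answers names under its
    own zone from zone data and never forwards them. If IPA is authoritative
    for example.com itself, www.example.com has to be mirrored by hand into the
    IPA zone or internal clients get NXDOMAIN; with internal.example.com as the
    IPA zone, the same query is not in any IPA zone and goes to the global
    forwarder untouched.</p>

```python
"""Toy model of the two IPA DNS layouts discussed in this thread.

Constructed example: zone names, hostnames and IP addresses are invented.
The model captures one rule of an authoritative DNS server such as the
BIND instance behind IPA DNS: a name that falls under a zone the server is
authoritative for is answered from that zone (possibly with NXDOMAIN) and
is never sent to the global forwarder.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed: A records the external provider serves for example.com.
EXTERNAL_DNS: Dict[str, str] = {
    "www.example.com.": "198.51.100.10",
    "server1.example.com.": "198.51.100.20",
}

# Constructed internal hosts, the same in both layouts.
INTERNAL_HOSTS: Dict[str, str] = {"desktop1": "10.0.0.21", "service1": "10.0.0.30"}

Answer = Tuple[str, str]  # (how the answer was produced, result)


@dataclass
class IpaDns:
    """Minimal stand-in for the IPA-managed DNS server."""

    # zone apex (with trailing dot) -> {fqdn: A record}
    zones: Dict[str, Dict[str, str]] = field(default_factory=dict)
    # Global forwarder: the external DNS asked for every name the server is
    # not authoritative for. None models a server with no forwarder and no
    # path to the public root servers (real named would try full recursion).
    forwarder: Optional[Dict[str, str]] = None

    def authoritative_zone(self, name: str) -> Optional[str]:
        """Return the longest configured zone that contains ``name``."""
        best = None
        for zone in self.zones:
            if name == zone or name.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return best

    def resolve(self, name: str) -> Answer:
        zone = self.authoritative_zone(name)
        if zone is not None:
            # Authoritative: answer from zone data, never forward.
            return ("authoritative", self.zones[zone].get(name, "NXDOMAIN"))
        if self.forwarder is None:
            return ("unforwarded", "SERVFAIL")
        return ("forwarded", self.forwarder.get(name, "NXDOMAIN"))


def overlapping_layout(manual_external_entries: bool = False) -> IpaDns:
    """IPA authoritative for example.com itself (the layout Roberto asked about)."""
    records = {f"{h}.example.com.": ip for h, ip in INTERNAL_HOSTS.items()}
    if manual_external_entries:
        # Craig's workaround: mirror every public name by hand in the IPA zone.
        records.update(EXTERNAL_DNS)
    return IpaDns(zones={"example.com.": records}, forwarder=EXTERNAL_DNS)


def subzone_layout() -> IpaDns:
    """IPA authoritative only for internal.example.com (Martin's recommendation)."""
    records = {f"{h}.internal.example.com.": ip for h, ip in INTERNAL_HOSTS.items()}
    return IpaDns(zones={"internal.example.com.": records}, forwarder=EXTERNAL_DNS)


def compare(name: str) -> Dict[str, Answer]:
    """How each layout answers one query name."""
    return {
        "overlapping": overlapping_layout().resolve(name),
        "overlapping+manual": overlapping_layout(True).resolve(name),
        "subzone": subzone_layout().resolve(name),
    }


if __name__ == "__main__":
    for q in ("www.example.com.", "desktop1.example.com.",
              "desktop1.internal.example.com."):
        print(q)
        for layout, (how, result) in compare(q).items():
            print(f"  {layout:20s} {how:14s} {result}")
```

    <p>On a real installation the two pieces the model stands in for are the
    IPA zone created with <code>ipa dnszone-add internal.example.com</code> and
    the global forwarder set with <code>ipa dnsconfig-mod
    --forwarder=&lt;external-dns-ip&gt;</code> (placeholder address).</p>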
  </body>
</html>