[Freeipa-users] Best practices for core servers

Bret Wortman bret.wortman at damascusgrp.com
Wed Apr 30 11:01:56 UTC 2014


I can already see from this that our key problem may have been that we 
had one server functioning as the hub and every other remote replica had 
just one agreement, but those agreements were all with the hub. So that 
hub had ten agreements.

Badness.

We'll give this some good attention as we move forward. Thanks for the 
pointer, Martin.


Bret

On 04/30/2014 03:15 AM, Martin Kosek wrote:
> On 04/28/2014 01:03 PM, Bret Wortman wrote:
>> We are planning to reconfigure our core Freeipa servers, basically building a
>> replacement infrastructure and migrating to it. What we're planning right now is
>> a core of three Freeipa servers each of which has a CA, with as much
>> distribution of replication as we can manage. I imagine that means one of them
>> replicates to the other two but am open to other ideas.
> You can configure them to replicate to each other.
>
>> For remote locations, we're planning to stand up caching-only DNS servers, as
>> authenticating back to the main IPA servers works extremely well; it's just DNS
>> that needs a little help.
>>
>> Any thoughts before I start setting these servers (VMs, most likely) up?
> You may want to read our upstream Deployment Recommendations article, it may
> save you some bad decisions from the start:
>
> http://www.freeipa.org/page/Deployment_Recommendations
>
> If we see that we missed anything in this article, it would be great to enhance it.
>
> Martin

