[Freeipa-users] install IPA replica multi-hosts (ipa packages version 3.3.3-18)

Dmitri Pal dpal at redhat.com
Mon Mar 10 18:55:39 UTC 2014


On 03/10/2014 11:16 AM, artjazz at free.fr wrote:
> Selon Petr Spacek<pspacek at redhat.com>:
>
>> On 7.3.2014 16:57, Dmitri Pal wrote:
>>> On 03/07/2014 10:29 AM, artjazz at free.fr wrote:
>>>> Selon Petr Spacek<pspacek at redhat.com>:
>>>>
>>>>> On 7.3.2014 14:16, artjazz at free.fr wrote:
>>>>>> I want to install ipa server with a replica. The replica has 2 NICs: the
>>>>>> ipa server is connected on the first interface and all the clients are
>>>>>> connected on the second interface. The two networks are completely
>>>>>> separated, 2 subnets and not routed.
>>>>> I'm curious - what is the reasoning behind this? :-)
>>>> The goal is to separate the administration flux and the userland flux.
>>>>
>>> The problem is that it is not that clean.
>>> One server can connect to another on different ports and using different
>>> protocols for different purposes. And a client can actually be a proxy that does
>>> some admin tasks via LDAP or executes remote administrative commands.
>>>
>>> I think maybe it is better to explore FW rules.
>>> For example create a FW rule that would allow only Kerberos and LDAP
>>> connections from a set of hosts that would be clients. Hm but that again would
>>> prevent you from enrolling new systems since the ipa-client-install connects
>>> to IPA via admin interface during the enrollment stage.
>>>
>>> Maybe there is some magic that can be done using DNS zones but I am not sure...
>>
>> Let me summarize this thread to:
>> Sorry, this is not supported.
> Thanks for your answer; It's clear for me now, I understand why my different
> tests didn't work.
>
> Just for my information because it's a little bit confusing when I read in the
> FreeIPA_Guide (Fedora18)  the following sentence:
> 19.5. Setting DNS Entries for Multi-Homed Servers
> Some server machines may support multiple network interface cards (NICs).
> Multi-homed machines typically have multiple IPs, all assigned to the same
> hostname. This works fine in FreeIPA most of the time because it listens on all
> available interfaces, except localhost. For a server to be available through any
> NIC, edit the DNS zone file and add entries for each IP address. For example:
> ipaserver  IN A  192.168.1.100
> ipaserver  IN A  192.168.1.101
> ipaserver  IN A  192.168.1.102
>
> What is the architecture of the Multi-Homed Servers in this case ?

What do you mean by "architecture" in this context?
Are you asking "what is the reason to have this host be multihomed"?
The main reason is because this is how for example EC2 (and similar) 
works. One machine will have an internal NIC seen by the systems inside EC2 
and another seen by systems outside EC2.
To be able to work with clients inside and outside the cloud both NICs 
need to be listed.

>
>> It becomes extremely complex very quickly and we don't have manpower to
>> maintain support for this kind of scenarios.
> I understand well.
>
>> Ideas and patches are welcome! :-)
> I can try to think about it.
> Best Regards.
>
>> --
>> Petr^2 Spacek


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/






More information about the Freeipa-users mailing list
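The guide excerpt quoted in the thread says every NIC of a multi-homed IPA server needs its own A record. Below is an added check (not FreeIPA code, not from anyone in the thread) that parses a zone fragment in the guide's format and reports NIC addresses that have no A record and A records that point at no configured NIC; the hostname, zone fragment and interface list are constructed sample data.

```python
"""Audit A records of a multi-homed FreeIPA server against its NIC addresses.
Added example; the zone fragment and NIC list are constructed, hypothetical data."""
import ipaddress
import re

# Constructed zone fragment in the form shown in the FreeIPA guide excerpt.
ZONE_FRAGMENT = """
$ORIGIN example.test.
ipaserver  IN A  192.168.1.100
ipaserver  IN A  192.168.1.101   ; second NIC
client1    IN A  10.0.0.20
"""

# Constructed list of addresses configured on the server's NICs (hypothetical).
SERVER_NIC_ADDRESSES = ["192.168.1.100", "192.168.1.101", "192.168.1.102"]

# owner [TTL] [IN] A address  (AAAA lines deliberately do not match)
A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)\s*$", re.IGNORECASE)


def parse_a_records(zone_text):
    """Return {owner_name: set of IPv4 strings} for the A records in a zone fragment."""
    records = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip zone-file comments
        m = A_RECORD.match(line)
        if not m:
            continue
        owner, addr = m.group(1), m.group(2)
        ipaddress.IPv4Address(addr)  # raises ValueError on a malformed address
        records.setdefault(owner.lower(), set()).add(addr)
    return records


def audit_multihomed(hostname, nic_addresses, zone_text):
    """Compare configured NIC addresses with published A records.
    Returns (missing, stale): NICs with no A record (clients on that subnet cannot
    resolve the server) and A records that point at no NIC (clients get sent to a
    dead address)."""
    published = parse_a_records(zone_text).get(hostname.lower(), set())
    configured = set(nic_addresses)
    return sorted(configured - published), sorted(published - configured)


if __name__ == "__main__":
    missing, stale = audit_multihomed("ipaserver", SERVER_NIC_ADDRESSES, ZONE_FRAGMENT)
    for addr in missing:
        print(f"ipaserver  IN A  {addr}   ; add this record")
    for addr in stale:
        print(f"stale A record {addr}: no NIC has this address")
```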