[Freeipa-users] FW: FW: FW: named and IpA

Petr Spacek pspacek at redhat.com
Mon Oct 6 16:38:59 UTC 2014

On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness
> in the IdM model?

Well, define a weakness :-)

The whole IPA server is built around an LDAP database, so LDAP is a single point of 
failure *for one particular* IPA server.

IPA offers a solution called "replicas". You can have multiple IPA servers 
with a (two-way) replicated LDAP database, so an outage on N-1 servers will not 
affect your clients as long as the clients are able to fail over to the last 
functional server.

I hope I understood your question :-)

Petr^2 Spacek

> Al
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: Monday, October 06, 2014 7:35 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FW: FW: named and IpA
> On 6.10.2014 15:17, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>> Thanks very much for the additional input.  The configuration as you describe it is correct with a minor detail
>> correction that I didn't notice earlier. is the master for the osn.cxo.cpqcorp.net zone while
>> is a slave for that zone.    But as you have said, both are authoritative for that zone.
>> I won't belabor the point and will move on to try a different configuration as my ultimate goal here is to create
>> trust domains between a linux and an AD domain.     To that end I will reconfigure the current IdM server such that
>> it is in a different subnet and domain.
>> I just find it odd that when ipa is shut down and named is restarted on
>> the system designated as the IdM server, DNS works and the forwarders are not ignored as they are when ipa is running.
> The reason is that authoritative data are stored in LDAP, but the global forwarding configuration (specified on the ipa-server-install command line) is stored in /etc/named.conf.
> The LDAP server is not reachable when IPA is down, so BIND cannot see the zones in LDAP, and the "global" forwarding in named.conf causes it to accidentally work for you.
> Forwarding is evil :-)
> --
> Petr^2 Spacek

Petr^2 Spacek
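The failure mode discussed in this thread (LDAP down, so named.conf forwarders silently answer instead of the zones in LDAP) is visible on the wire: a forwarded or cached reply lacks the AA (authoritative answer) flag. Below is an added monitoring probe, not code from the thread or from FreeIPA, using only the Python standard library; the server address and zone name are assumed values.

```python
import socket
import struct

# Probe written for this thread (not FreeIPA's own code): query the IPA DNS
# server for the SOA of its own zone and check the AA bit. "authoritative"
# means the zone is being served from LDAP; "forwarded" means the answer came
# via the global forwarders in named.conf (or from cache), which is exactly
# the "accidentally works" state described above and worth alerting on.

def build_query(name, txn_id=0x1234):
    """Build a minimal DNS query (QTYPE=SOA, QCLASS=IN) for `name`."""
    header = struct.pack("!HHHHHH", txn_id, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.strip(".").split(".")
    qname = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 6, 1)  # SOA, IN

def classify_response(data, txn_id=0x1234):
    """Return 'authoritative', 'forwarded', 'error' or 'mismatch' for a reply."""
    rid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txn_id:
        return "mismatch"          # not the reply to our query
    if flags & 0x000F:             # RCODE != 0 (e.g. SERVFAIL, NXDOMAIN)
        return "error"
    if flags & 0x0400:             # AA bit set: zone data served locally (LDAP)
        return "authoritative"
    return "forwarded"             # no AA: answer came via forwarders or cache

def probe(server, zone, timeout=2.0):
    """Send the SOA query to `server` over UDP port 53 and classify the answer."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(zone), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "timeout"
    finally:
        sock.close()
    return classify_response(data)

if __name__ == "__main__":
    # Assumed values: replace with your IdM server and its IPA-managed zone.
    print(probe("192.0.2.10", "osn.cxo.cpqcorp.net"))
```

Run it from a client against each IPA server; a result of "forwarded" for a zone the server is supposed to master indicates the LDAP backend is not serving the zone.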
