[Freeipa-users] FW: FW: FW: FW: named and IpA

Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) licause at hp.com
Mon Oct 6 18:48:16 UTC 2014


I'm sure my doubts come from my lack of experience with IdM at this time. Perhaps with a bit more driving time
I'll come to appreciate the package a bit more.

Thanks again for your patience and explanations.

Al

-----Original Message-----
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: Monday, October 06, 2014 9:39 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FW: FW: FW: named and IpA

On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness
> in the IdM model?

Well, define a weakness :-)

The whole IPA server is built around an LDAP database, so LDAP is a single point of failure *for one particular* IPA server.

IPA offers a solution called "replicas". You can have multiple IPA servers with a (two-way) replicated LDAP database, so an outage on N-1 servers will not affect your clients as long as the clients are able to fail over to the last functional server.

I hope I understood your question :-)

Petr^2 Spacek

>
> Al
>
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com 
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: Monday, October 06, 2014 7:35 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FW: FW: named and IpA
>
> On 6.10.2014 15:17, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>> Thanks very much for the additional input. The configuration as you describe it is correct with a minor detail
>> correction that I didn't notice earlier. 16.112.240.27 is the master for the osn.cxo.cpqcorp.net zone while
>> 16.112.240.40 is a slave for that zone. But as you have said, both are authoritative for that zone.
>>
>> I won't belabor the point and will move on to try a different configuration, as my ultimate goal here is to create
>> trust domains between a Linux and an AD domain. To that end I will reconfigure the current IdM server such that
>> it is in a different subnet and domain.
>>
>> I just find it odd that when IPA is shut down and named is restarted on the system designated as the IdM server,
>> DNS works and the forwarders are not ignored as they are when IPA is running.
>
> The reason is that the authoritative data are stored in LDAP, but the global forwarding configuration (specified on the ipa-server-install command line) is stored in /etc/named.conf.
>
> The LDAP server is not reachable when IPA is down, so BIND cannot see the zones in LDAP, and the "global" forwarding in named.conf is what makes it accidentally work for you.
>
> Forwarding is evil :-)
>
> --
> Petr^2 Spacek
>
>


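The distinction Petr draws above (authoritative zone data loaded from LDAP versus the global forwarders written into /etc/named.conf by ipa-server-install) is something you can check from the outside: when BIND still has the zone, its answers carry the `aa` flag; when LDAP is down and only the forwarder is answering, the answers come back without it. The following is an added example and is not code from FreeIPA, bind-dyndb-ldap, or anyone in this thread. It classifies a `dig` response header into authoritative, forwarded or unavailable, and lists any forwarders in the top-level `options {}` block of a named.conf. The dig outputs and the named.conf fragment are constructed samples (the 192.0.2.x addresses are documentation addresses, not anything from the thread), and the `live_zone_status` helper assumes the `dig` binary is installed.

```python
"""Check whether answers for an IPA-managed zone are served authoritatively
from BIND's LDAP-backed data or are quietly coming from a global forwarder.

Added example for the thread above; not FreeIPA or bind-dyndb-ldap code.
The sample dig outputs and the named.conf fragment are constructed.
"""
import re
import subprocess

# Constructed: header of `dig @<ipa-server> osn.cxo.cpqcorp.net SOA` while IPA
# (and therefore its LDAP server) is running. The "aa" flag shows that BIND
# answered from the zone it loaded from LDAP.
SAMPLE_AUTHORITATIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""

# Constructed: the same query after IPA was stopped. The zone is no longer
# visible to BIND, so the global forwarder in named.conf answered instead:
# NOERROR, but no "aa" flag. This is the "accidentally works" case.
SAMPLE_FORWARDED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23456
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
"""

# Constructed: IPA stopped and no forwarder configured, so the outage is visible.
SAMPLE_SERVFAIL = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34567
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
"""

# Constructed named.conf fragment; 192.0.2.x are RFC 5737 documentation addresses.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
    forwarders { 192.0.2.53; 192.0.2.54; };
    forward only;
};
"""

STATUS_RE = re.compile(r"status: (?P<status>[A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: (?P<flags>[a-z ]*);", re.MULTILINE)


def parse_dig_header(output):
    """Extract the RCODE and the header flags from dig's text output."""
    status = STATUS_RE.search(output)
    flags = FLAGS_RE.search(output)
    if status is None or flags is None:
        raise ValueError("not a dig response header")
    return {"status": status.group("status"),
            "flags": set(flags.group("flags").split())}


def classify_zone_answer(output):
    """'authoritative' if BIND served the zone itself (aa flag set),
    'forwarded' if a NOERROR answer came back without it,
    'unavailable' on any other RCODE such as SERVFAIL."""
    header = parse_dig_header(output)
    if header["status"] != "NOERROR":
        return "unavailable"
    if "aa" in header["flags"]:
        return "authoritative"
    return "forwarded"


def global_forwarders(named_conf):
    """Return the forwarder addresses from the top-level options {} block.
    That is where the forwarders given on the ipa-server-install command line
    end up, and they keep answering even when the LDAP-backed zones are gone."""
    options = re.search(r"options\s*\{(.*?)\n\};", named_conf, re.DOTALL)
    if options is None:
        return []
    fwd = re.search(r"forwarders\s*\{([^}]*)\}", options.group(1))
    if fwd is None:
        return []
    return [addr.strip() for addr in fwd.group(1).split(";") if addr.strip()]


def live_zone_status(server, zone):
    """Query a real server; assumes the dig binary is installed and reachable."""
    result = subprocess.run(["dig", f"@{server}", zone, "SOA"],
                            capture_output=True, text=True, check=False)
    return classify_zone_answer(result.stdout)


if __name__ == "__main__":
    for label, sample in [("IPA up", SAMPLE_AUTHORITATIVE),
                          ("IPA down, forwarder set", SAMPLE_FORWARDED),
                          ("IPA down, no forwarder", SAMPLE_SERVFAIL)]:
        print(f"{label}: {classify_zone_answer(sample)}")
    print("global forwarders:", global_forwarders(SAMPLE_NAMED_CONF))
```

A monitoring check built on this would alert whenever a query for the IPA zone against the IPA server itself returns "forwarded": that means the zone is no longer loaded from LDAP and the global forwarder is masking the outage rather than the service being healthy.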

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project