[Freeipa-users] FW: FW: FW: named and IpA

Petr Spacek pspacek at redhat.com
Mon Oct 13 11:02:38 UTC 2014


On 10.10.2014 10:32, Jan Pazdziora wrote:
> On Mon, Oct 06, 2014 at 06:38:59PM +0200, Petr Spacek wrote:
>> On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>>> Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness
>>> in the IdM model?
>>
>> Well, define a weakness :-)
>>
>> The whole IPA server is built around an LDAP database, so LDAP is a single point of
>> failure *for one particular* IPA server.
>>
>> IPA offers a solution called "replicas". You can have multiple IPA servers
>> with (two-way) replicated LDAP database so outage on N-1 servers will not
>> affect your clients as long as clients are able to fail-over to the last
>> functional server.
>
> The question is, what should happen when no LDAP server can be
> used?
>
> Should the forwarding suddenly kick in for all zones which will
> cause completely different data to be served? Or should the DNS
> server refuse to serve anything at that point (even the forwarding)
> because it has no way to know what should be forwarded and what
> not (I assume bind does not keep around list of zones that were
> LDAP-backed the last time LDAP worked).
>
> There probably should be at least an option (if not default) for bind
> to serve nothing if LDAP is not accessible.

In the past, named refused to start when LDAP was not available. Later this was 
flagged as a bug and the current behavior was implemented:
https://bugzilla.redhat.com/show_bug.cgi?id=662930

Feel free to open an RFE.

-- 
Petr^2 Spacek
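The failure mode discussed above (LDAP down, named still running, global forwarders answering for zones that are normally LDAP-backed) is visible from the outside: an answer for a locally hosted zone should carry the AA (authoritative answer) flag, while an answer relayed from a forwarder does not. The script below turns that into a monitoring probe. It is an added example written for this archive page, not code from the thread or from the bind-dyndb-ldap or FreeIPA projects; the server address and zone name are placeholders you supply, and the sample responses at the bottom are constructed header bytes, not captures from a real server.

```python
import socket
import struct
import sys

# DNS header flag bits (RFC 1035, section 4.1.1).
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
RCODE_MASK = 0x000F


def build_soa_query(zone, txid):
    """Wire-format SOA/IN query for `zone` with RD set, as an ordinary stub resolver would send."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in zone.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 6, 1)  # QTYPE=SOA, QCLASS=IN


def parse_header(msg):
    """Decode the 12-byte DNS header; everything the check needs lives there."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "ra": bool(flags & RA),
        "rcode": flags & RCODE_MASK,
        "ancount": an,
    }


def classify_response(msg, expected_id):
    """Map a response to one of: unexpected, rcode-N, authoritative, forwarded."""
    h = parse_header(msg)
    if h["id"] != expected_id or not h["qr"]:
        return "unexpected"
    if h["rcode"] != 0:
        return "rcode-%d" % h["rcode"]
    if h["aa"]:
        return "authoritative"  # zone served from the local (LDAP-backed) data
    return "forwarded"          # answered without AA: data came from a forwarder


def probe_zone(server, zone, txid=0x1234, timeout=2.0):
    """Send one SOA query over UDP and classify the answer; 'timeout' if nothing comes back."""
    query = build_soa_query(zone, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data, txid)


# Constructed sample responses (header only) covering the three states a monitor must tell apart.
SAMPLE_AUTHORITATIVE = struct.pack("!HHHHHH", 0x1234, QR | AA | RD | RA, 1, 1, 0, 0)
SAMPLE_FORWARDED = struct.pack("!HHHHHH", 0x1234, QR | RD | RA, 1, 1, 0, 0)
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | 2, 1, 0, 0, 0)

if __name__ == "__main__":
    for name, sample in (("authoritative", SAMPLE_AUTHORITATIVE),
                         ("forwarded", SAMPLE_FORWARDED),
                         ("servfail", SAMPLE_SERVFAIL)):
        print("%-13s -> %s" % (name, classify_response(sample, 0x1234)))
    if len(sys.argv) == 3:  # usage: probe.py <ipa-dns-server-ip> <zone>  (placeholders)
        print(probe_zone(sys.argv[1], sys.argv[2]))
```

Run it against each IPA DNS server for a zone that IPA hosts; anything other than "authoritative" (in particular "forwarded", which is exactly the state the thread describes) means that server is no longer answering from its LDAP-backed zones and clients may be receiving different data than expected.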
