[Freeipa-users] FW: FW: FW: FW: named and IpA
Licause, Al (CSC AMS BCS - UNIX/Linux Network Support)
licause at hp.com
Mon Oct 6 18:48:16 UTC 2014
I'm sure my doubts stem from my lack of experience with IdM at this time. Perhaps with a bit more driving time
I'll come to appreciate the package a bit more.
Thanks again for your patience and explanations.
From: freeipa-users-bounces at redhat.com [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
Sent: Monday, October 06, 2014 9:39 AM
To: freeipa-users at redhat.com
Subject: Re: [Freeipa-users] FW: FW: FW: named and IpA
On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness
> in the IdM model?
Well, define a weakness :-)
The whole IPA server is built around an LDAP database, so LDAP is a single point of failure *for one particular* IPA server.
IPA offers a solution called "replicas". You can have multiple IPA servers with a (two-way) replicated LDAP database, so an outage on N-1 servers will not affect your clients as long as the clients are able to fail over to the last functional server.
I hope I understood your question :-)
> -----Original Message-----
> From: freeipa-users-bounces at redhat.com
> [mailto:freeipa-users-bounces at redhat.com] On Behalf Of Petr Spacek
> Sent: Monday, October 06, 2014 7:35 AM
> To: freeipa-users at redhat.com
> Subject: Re: [Freeipa-users] FW: FW: named and IpA
> On 6.10.2014 15:17, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>> Thanks very much for the additional input. The configuration as you describe it is correct with a minor detail
>> correction that I didn't notice earlier. 22.214.171.124 is the master for the osn.cxo.cpqcorp.net zone while
>> 126.96.36.199 is a slave for that zone. But as you have said, both are authoritative for that zone.
>> I won't belabor the point and will move on to try a different configuration, as my ultimate goal here is to create
>> trust domains between a Linux and an AD domain. To that end I will reconfigure the current IdM server such that
>> it is in a different subnet and domain.
>> I just find it odd that when ipa is shut down and named is restarted
>> on the system designated as the IdM server, DNS works and the forwarders are not ignored, as they are when ipa is running.
> The reason is that the authoritative data are stored in LDAP, but the global forwarding configuration (specified on the ipa-server-install command line) is stored in /etc/named.conf.
> The LDAP server is not reachable when IPA is down, so BIND cannot see the zones in LDAP, and the "global" forwarding in named.conf causes it to accidentally work for you.
> Forwarding is evil :-)
> Petr^2 Spacek
> Manage your subscription for the Freeipa-users mailing list:
> Go To http://freeipa.org for more info on the project
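The split Petr describes (zone data in LDAP via the bind-dyndb-ldap "dynamic-db" block, global forwarding in /etc/named.conf) is easy to spot in a config file once you know to look for it. The following Python is an added example, not code from the thread or from the FreeIPA project: it parses a constructed named.conf sample resembling what ipa-server-install writes, and flags the combination that produces the behaviour Al saw, where an LDAP outage silently turns an authoritative server into a plain forwarder for its own zones. The sample content, the forwarder addresses and the LDAP URI are all made up for illustration.

```python
"""Check a named.conf for LDAP-backed zones masked by global forwarding.

Added example (not from the FreeIPA project).  Handles the block syntax
BIND uses: `header { body };` with nested braces, `//` and `#` comments.
Quoted strings are not tracked, so a brace inside a quoted value would
confuse the scanner; ipa-generated configs do not contain one.
"""
import re

# Constructed sample, loosely modelled on an ipa-server-install result.
# Addresses and the LDAP socket path are invented.
SAMPLE_NAMED_CONF = """
options {
    listen-on port 53 { any; };
    directory "/var/named";
    recursion yes;
    allow-recursion { any; };
    forward first;                       // global policy from --forwarder
    forwarders { 192.0.2.10; 192.0.2.11; };
};

# zones are NOT listed here: bind-dyndb-ldap loads them from LDAP
dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
    arg "base cn=dns, dc=example,dc=test";
    arg "auth_method sasl";
    arg "sasl_mech GSSAPI";
};
"""


def strip_comments(text):
    """Drop `//` and `#` comments that start a line or follow whitespace.

    Requiring leading whitespace keeps `ldapi://` inside quoted args intact.
    """
    return re.sub(r"(^|\s)(//|#)[^\n]*", r"\1", text, flags=re.M)


def top_level_blocks(text):
    """Return [(header, body)] for every top-level `header { body };` block."""
    blocks = []
    depth = 0
    header_start = 0
    header = body_start = None
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                header = text[header_start:i].strip()
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((header, text[body_start:i]))
        elif ch == ";" and depth == 0:
            header_start = i + 1  # next header begins after this statement
    return blocks


def options_body(text):
    """Body of the global `options { ... };` block, or '' if absent."""
    for header, body in top_level_blocks(strip_comments(text)):
        if header == "options":
            return body
    return ""


def global_forwarders(text):
    """Forwarder addresses configured globally (i.e. in named.conf, not LDAP)."""
    m = re.search(r"\bforwarders\s*\{([^}]*)\}", options_body(text))
    if not m:
        return []
    return [f.strip() for f in m.group(1).split(";") if f.strip()]


def forward_policy(text):
    """'first', 'only' or None.  `\\bforward\\s` does not match `forwarders`."""
    m = re.search(r"\bforward\s+(first|only)\s*;", options_body(text))
    return m.group(1) if m else None


def ldap_backed(text):
    """True if a bind-dyndb-ldap dynamic-db block serves zones from LDAP."""
    for header, body in top_level_blocks(strip_comments(text)):
        if header.startswith("dynamic-db") and re.search(r'library\s+"ldap\.so"', body):
            return True
    return False


def assess(text):
    """Summarise the risk: LDAP zones plus file-based global forwarding means
    an LDAP outage degrades the server to a forwarder without named failing."""
    fwd = global_forwarders(text)
    ldap = ldap_backed(text)
    return {
        "ldap_backed": ldap,
        "forwarders": fwd,
        "policy": forward_policy(text),
        "masked_by_forwarding": ldap and bool(fwd),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_NAMED_CONF))
```

To confirm the effect at runtime rather than from the file, query the server for its own zone with recursion disabled (`dig +norecurse @server zone SOA`): while the zone is loaded from LDAP the reply carries the `aa` flag; once LDAP is unreachable the server no longer has the zone, so the same query gets no authoritative answer, and anything that does resolve for clients is coming from the forwarders.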