[Freeipa-users] FW: FW: FW: named and IpA

Jan Pazdziora jpazdziora at redhat.com
Fri Oct 10 08:32:45 UTC 2014

On Mon, Oct 06, 2014 at 06:38:59PM +0200, Petr Spacek wrote:
> On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> >Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness
> >in the IdM model?
> Well, define a weakness :-)
> Whole IPA server is built around LDAP database so LDAP is single point of
> failure *for one particular* IPA server.
> IPA offers a solution called "replicas". You can have multiple IPA servers
> with (two-way) replicated LDAP database so an outage on N-1 servers will not
> affect your clients as long as clients are able to fail-over to the last
> functional server.

The question is, what should happen when no LDAP server can be

Should the forwarding suddenly kick in for all zones, which will
cause completely different data to be served? Or should the DNS
server refuse to serve anything at that point (even the forwarding)
because it has no way to know what should be forwarded and what
not (I assume bind does not keep around a list of zones that were
LDAP-backed the last time LDAP worked)?

There probably should be at least an option (if not default) for bind
to serve nothing if LDAP is not accessible.

Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
