[Freeipa-users] FW: FW: FW: named and IpA

Petr Spacek pspacek at redhat.com
Mon Oct 13 11:02:38 UTC 2014

On 10.10.2014 10:32, Jan Pazdziora wrote:
> On Mon, Oct 06, 2014 at 06:38:59PM +0200, Petr Spacek wrote:
>> On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
>>> Thanks for the additional data. It starts to make sense now, but I'm wondering if that could possibly be a weakness
>>> in the IdM model?
>> Well, define a weakness :-)
>> The whole IPA server is built around an LDAP database, so LDAP is a single point of
>> failure *for one particular* IPA server.
>> IPA offers a solution called "replicas". You can have multiple IPA servers
>> with a (two-way) replicated LDAP database, so an outage on N-1 servers will not
>> affect your clients as long as the clients are able to fail over to the last
>> functional server.
> The question is, what should happen when no LDAP server can be
> used?
> Should the forwarding suddenly kick in for all zones which will
> cause completely different data to be served? Or should the DNS
> server refuse to serve anything at that point (even the forwarding)
> because it has no way to know what should be forwarded and what
> not (I assume bind does not keep around a list of zones that were
> LDAP-backed the last time LDAP worked).
> There probably should be at least an option (if not the default) for bind
> to serve nothing if LDAP is not accessible.

In the past, named refused to start when LDAP was not available. Later it was 
flagged as a bug and the current behavior was implemented:

Feel free to open an RFE.

Petr^2 Spacek
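The thread above leaves the operational question open: when the LDAP backend is gone, does named silently fall back to global forwarding for zones it used to serve authoritatively, or does it stop answering? The script below is an added example, not code from this thread, from FreeIPA or from bind-dyndb-ldap. It sends a non-recursive SOA query for a zone to a DNS server and classifies the reply from the header bits alone: AA set means the server still serves the zone itself (the LDAP-backed data is loaded), AA clear with NOERROR means the answer came from forwarding (different data than the IPA zone), and SERVFAIL/REFUSED/timeout means the server is serving nothing. The server address 192.0.2.1 and the zone example.com. are assumptions; the sample responses in the comments are constructed.

```python
"""Check whether a DNS server still answers authoritatively for a zone.

Added example (not from the freeipa-users thread, FreeIPA or bind-dyndb-ldap).
Sends a plain SOA query with RD=0 and inspects the response header
(RFC 1035 section 4.1.1). Server address and zone name are assumptions.
"""
import socket
import struct

FLAG_QR = 0x8000      # response bit
FLAG_AA = 0x0400      # authoritative answer bit
RCODE_MASK = 0x000F
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels plus a root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_soa_query(zone, txid=0x1234):
    """Build a SOA/IN query with RD=0 so we get the server's own view, not a recursive lookup."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", 6, 1)   # QTYPE=SOA, QCLASS=IN
    return header + question


def classify_response(txid, data):
    """Classify a raw response: 'authoritative', 'forwarded', 'error:<RCODE>', 'no-answer' or 'malformed'."""
    if data is None:
        return "no-answer"                      # timeout: server answers nothing at all
    if len(data) < 12:
        return "malformed"
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & FLAG_QR:
        return "malformed"                      # wrong transaction or not a response
    rcode = flags & RCODE_MASK
    if rcode != 0:
        return "error:" + RCODE_NAMES.get(rcode, str(rcode))
    if ancount == 0:
        return "error:EMPTY"                    # NOERROR but no SOA: zone unknown to this server
    # AA=1: zone is loaded locally (LDAP-backed data still served).
    # AA=0: data came via forwarding, i.e. not the IPA zone contents.
    return "authoritative" if flags & FLAG_AA else "forwarded"


def check_zone(server, zone, port=53, timeout=2.0):
    """Query one server over UDP and return the classification string."""
    txid = 0x4A4A
    query = build_soa_query(zone, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        try:
            data, _peer = sock.recvfrom(512)
        except socket.timeout:
            data = None
    return classify_response(txid, data)


if __name__ == "__main__":
    # Assumed IPA server address and zone; run from a monitoring host.
    print(check_zone("192.0.2.1", "example.com."))
```

One caveat when reading the result: if the configured forwarder is itself authoritative for the same zone (for example another IPA replica), a forwarded answer can still carry AA=1, so a monitoring check should pair this with a comparison of the SOA serial against a known-good replica rather than trusting the AA bit alone.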
