[Freeipa-users] FreeIPA Deployment and resiliency

Youenn PIOLET piolet.y at gmail.com
Fri Oct 16 12:03:47 UTC 2015


Hi there.

I'd like to integrate FreeIPA in a multi-location production environment.
We have servers in US/Europe/South America/Pacific Ocean with some high
latency links. The fleet I manage is a mixed Linux environment with less
than 1000 servers. I also plan to use FreeIPA as a backend for RADIUS
authentication on various network equipment.

I plan to deploy a replica architecture similar to the recommendation
article in the official documentation:
http://www.freeipa.org/page/Deployment_Recommendations with two replicas
per region and at least one replica per DC. FreeIPA will become my DNS for
internal resolution.

FreeIPA servers will run on the latest CentOS.

I've got two questions:

1) Version:
Should I wait for IPA 4.2 or is IPA 4.1.4 a good / stable / trustworthy
solution for authentication, upgrade, maintainability, resilience? Will
4.2.X be too young and unstable for a massive implementation? I'm quite
interested in 4.2 but don't want to wait too long for a release on
CentOS. How easy would an upgrade of all replicas from 4.1.4 to 4.2 be in
an IPA replication topology?

2) Resiliency:
How can I make the FreeIPA service resilient? Is there an official / easy and
secure way to converge to another IPA server (with DNS?) when a replica is
down? I've got the chance to work on an MPLS network with the Anycast
possibility. Is it something workable with FreeIPA/Kerberos?

Thanks in advance for your suggestions
--
Youenn Piolet
piolet.y at gmail.com