[Freeipa-users] Some high level questions (DNS & CA)

Geselle Stijn stijn.geselle at ypto.be
Thu Mar 3 12:11:42 UTC 2016


Hello,

We have a large Windows environment and around 50 RHEL servers (which will grow to a few hundred in the future). Our goal is to be able to login with our AD credentials and have sudo centrally managed. To be able to manage users and their access/permissions we are looking into IdM combined with a unidirectional non-transitive AD-trust so our existing AD users can authenticate on the RHEL servers.

I have a few (high level) questions regarding the setup of IdM:

1) There is an integrated DNS component (BIND). Is this component required? Because we would like to keep DNS managed by Windows (A and CNAME records). I have seen that there's a forward only policy, but what's the point of that? Can't we just directly use the Windows DNS then instead of forwarding, i.e. point the client's nameservers to the Windows nameservers? I'm obviously missing something crucial, sorry :)

2) A Certificate Authority will be installed as well. What's the function of this CA? Is it required? Can we do a CA-less setup? What are the limitations of a CA-less setup?

3) Is IPv6 a requirement or can it be disabled?

4) How could disaster recovery be implemented? Is it easy to backup and restore?

5) Is it correct that we can achieve high availability by setting up a replica IdM server and configuring the clients to use both servers?

Thank you if you can answer any (or maybe all, who knows!) of the questions above!

Regards,

Stijn