[Freeipa-users] Some high level questions (DNS & CA)

Martin Basti mbasti at redhat.com
Thu Mar 3 12:26:56 UTC 2016


Hello,

comments inline

On 03.03.2016 13:11, Geselle Stijn wrote:
>
> Hello,
>
> We have a large Windows environment and around 50 RHEL servers (which 
> will grow to a few hundred in the future). Our goal is to be able to 
> login with our AD credentials and have sudo centrally managed. To be 
> able to manage users and their access/permissions we are looking into 
> IdM combined with a unidirectional non-transitive AD-trust so our 
> existing AD users can authenticate on the RHEL servers.
>
> I have a few (high level) questions regarding the setup of IdM:
>
> 1)There is an integrated DNS component (BIND). Is this component 
> required? Because we would like to keep DNS managed by Windows (A and 
> CNAME records). I have seen that there’s a forward only policy, but 
> what’s the point of that? Can’t we just directly use the Windows DNS 
> then instead of forwarding, i.e. point the client’s nameservers to the 
> Windows nameservers? I’m obviously missing something crucial, sorry :)
>
DNS subsystem is optional, you can use Windows DNS for IPA (manual 
configuration needed for each replica)

> 2)A Certificate Authority will be installed as well. What’s the 
> function of this CA? Is it required? Can we do a CA-less setup? What 
> are the limitations of a CA-less setup?
>
You can do CA-less install.

> 3)Is IPv6 a requirement or can it be disabled?
>
IPv6 is not required, but you cannot disable whole IPv6 stack due to some 
bugs in IPA components (I don't remember which)
>
> 4)How could disaster recovery be implemented? Is it easy to backup and 
> restore?
>
The best backup is to have multiple replicas, then snapshots and also we 
have ipa-backup feature, but as I said replicas are the best
>
> 5)Is it correct that we can achieve high availability by setting up a 
> replica IdM server and configure the clients to use both servers?
>
Clients should be able to detect replicas using SRV records, so yes.
>
> Thank you if you can answer any (or maybe all, who knows!) of the 
> questions above!
>
> Regards,
>
> Stijn
>
>
>

Martin
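As an added example (not Martin's reply or FreeIPA project code), a check for the hand-maintained Windows zone discussed in answers 1 and 5: it parses dig-style SRV answers for the names FreeIPA publishes for client discovery and reports services that are missing or name fewer than two replicas. The domain, host names and sample answers are constructed.

```python
import re
from collections import defaultdict

# SRV owner names FreeIPA publishes so clients can locate LDAP/KDC/kpasswd
REQUIRED_SRV = [
    "_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
    "_kerberos-master._tcp", "_kerberos-master._udp",
    "_kpasswd._tcp", "_kpasswd._udp",
]
DOMAIN = "idm.example.test"  # constructed IPA domain

# Constructed `dig +noall +answer SRV` output for a zone where only the
# _ldap and _kerberos records were updated after the second replica was added.
SAMPLE_ANSWERS = """\
_ldap._tcp.idm.example.test. 3600 IN SRV 0 100 389 ipa1.idm.example.test.
_ldap._tcp.idm.example.test. 3600 IN SRV 0 100 389 ipa2.idm.example.test.
_kerberos._tcp.idm.example.test. 3600 IN SRV 0 100 88 ipa1.idm.example.test.
_kerberos._tcp.idm.example.test. 3600 IN SRV 0 100 88 ipa2.idm.example.test.
_kerberos._udp.idm.example.test. 3600 IN SRV 0 100 88 ipa1.idm.example.test.
_kerberos._udp.idm.example.test. 3600 IN SRV 0 100 88 ipa2.idm.example.test.
_kerberos-master._tcp.idm.example.test. 3600 IN SRV 0 100 88 ipa1.idm.example.test.
_kerberos-master._udp.idm.example.test. 3600 IN SRV 0 100 88 ipa1.idm.example.test.
_kpasswd._tcp.idm.example.test. 3600 IN SRV 0 100 464 ipa1.idm.example.test.
_kpasswd._udp.idm.example.test. 3600 IN SRV 0 100 464 ipa1.idm.example.test.
"""

SRV_RE = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\.$")

def parse_srv(text):
    """Map each SRV owner name (without trailing dot) to its set of target hosts."""
    hosts = defaultdict(set)
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if not m:
            continue  # skip comments, blank lines, non-SRV records
        owner, _prio, _weight, _port, target = m.groups()
        hosts[owner].add(target)
    return dict(hosts)

def check_discovery(text, domain, min_replicas=2):
    """Return findings: services clients cannot find, or that have no failover."""
    hosts = parse_srv(text)
    findings = []
    for svc in REQUIRED_SRV:
        owner = f"{svc}.{domain}"
        targets = hosts.get(owner, set())
        if not targets:
            findings.append(f"{owner}: missing, clients cannot discover this service")
        elif len(targets) < min_replicas:
            findings.append(f"{owner}: only {sorted(targets)}, no failover")
    return findings
```

Run it against the real zone by replacing SAMPLE_ANSWERS with the concatenated `dig` output for each name in REQUIRED_SRV; a clean zone returns an empty list.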