<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hello,<br>
<br>
comments inline<br>
<br>
<div class="moz-cite-prefix">On 03.03.2016 13:11, Geselle Stijn
wrote:<br>
</div>
<blockquote
cite="mid:986ED6C5BA6EFD49B00A4CEABE2E8FDA276AFA49@HICTATRIUEM023.msnet.railb.be"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Hello,</p>
<p class="MsoNormal">We have a large Windows environment and
around 50 RHEL servers (which will grow to a few hundred in
the future). Our goal is to be able to log in with our AD
credentials and have sudo centrally managed. To be able to
manage users and their access/permissions we are looking into
IdM combined with a unidirectional non-transitive AD trust so
our existing AD users can authenticate on the RHEL servers.</p>
<p class="MsoNormal">I have a few (high level) questions
regarding the setup of IdM:</p>
<p class="MsoListParagraph">1) There is an integrated DNS
component (BIND). Is this component required? Because we would
like to keep DNS managed by Windows (A and CNAME records). I
have seen that there’s a forward-only policy, but what’s the
point of that? Can’t we just directly use the Windows DNS then
instead of forwarding, i.e. point the client’s nameservers to
the Windows nameservers? I’m obviously missing something
crucial, sorry :)</p>
</div>
</blockquote>
The DNS subsystem is optional; you can use Windows DNS for IPA (manual
configuration needed for each replica)<br>
<br>
<blockquote
cite="mid:986ED6C5BA6EFD49B00A4CEABE2E8FDA276AFA49@HICTATRIUEM023.msnet.railb.be"
type="cite">
<div class="WordSection1">
<p class="MsoListParagraph">2) A Certificate Authority will be
installed as well. What’s the function of this CA? Is it
required? Can we do a CA-less setup? What are the limitations
of a CA-less setup?</p>
</div>
</blockquote>
You can do a CA-less install.<br>
<br>
<blockquote
cite="mid:986ED6C5BA6EFD49B00A4CEABE2E8FDA276AFA49@HICTATRIUEM023.msnet.railb.be"
type="cite">
<div class="WordSection1">
<p class="MsoListParagraph">3) Is IPv6 a requirement or can it
be disabled?</p>
</div>
</blockquote>
IPv6 is not required, but you cannot disable the whole IPv6 stack due
to some bugs in IPA components (I don't remember which)<br>
<blockquote
cite="mid:986ED6C5BA6EFD49B00A4CEABE2E8FDA276AFA49@HICTATRIUEM023.msnet.railb.be"
type="cite">
<div class="WordSection1">
<p class="MsoListParagraph">4) How could disaster recovery be
implemented? Is it easy to back up and restore?</p>
</div>
</blockquote>
The best backup is to have multiple replicas, then snapshots, and we
also have the ipa-backup feature, but as I said, replicas are the best<br>
<blockquote
cite="mid:986ED6C5BA6EFD49B00A4CEABE2E8FDA276AFA49@HICTATRIUEM023.msnet.railb.be"
type="cite">
<div class="WordSection1">
<p class="MsoListParagraph">5) Is it correct that we can
achieve high availability by setting up a replica IdM server
and configuring the clients to use both servers?</p>
</div>
</blockquote>
Clients should be able to detect replicas using SRV records, so yes.<br>
<blockquote
cite="mid:986ED6C5BA6EFD49B00A4CEABE2E8FDA276AFA49@HICTATRIUEM023.msnet.railb.be"
type="cite">
<div class="WordSection1">
<p class="MsoNormal">Thank you if you can answer any (or maybe
all, who knows!) of the questions above!</p>
<p class="MsoNormal">Regards,</p>
<p class="MsoNormal">Stijn</p>
</div>
</blockquote>
<br>
Martin<br>
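<br>
Added example, not part of the thread and not FreeIPA project code: it shows what "clients detect replicas using SRV records" (answer 5) means in practice, and why a Windows-hosted zone used instead of the integrated DNS (answer 1) has to carry those records for every replica. It assumes, as a simplification, that a client discovers its servers from the <code>_ldap._tcp</code> and <code>_kerberos._udp</code> SRV records of the IPA domain and orders them as RFC 2782 prescribes (lowest priority first, weighted random within a priority). The domain <code>ipa.example.test</code>, the host names and the zone excerpt are constructed placeholders, and the reachability check is a stub standing in for a real connection attempt.<br>

```python
"""
Added example (not from the thread or FreeIPA): RFC 2782 server selection
from DNS SRV records, with failover to the next replica when one is down.
Domain, host names and the zone excerpt below are constructed.
"""
import random
from dataclasses import dataclass

# Constructed zone-file excerpt. A zone that does not publish entries like
# these for each replica leaves clients unable to find them by DNS alone.
SAMPLE_ZONE = """
; _service._proto.name           TTL   class SRV prio weight port target
_ldap._tcp.ipa.example.test.     86400 IN SRV 0  100 389 ipa1.ipa.example.test.
_ldap._tcp.ipa.example.test.     86400 IN SRV 0  100 389 ipa2.ipa.example.test.
_ldap._tcp.ipa.example.test.     86400 IN SRV 10 100 389 ipa3.ipa.example.test.
_kerberos._udp.ipa.example.test. 86400 IN SRV 0  100 88  ipa1.ipa.example.test.
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(zone_text, service):
    """Return the SRV records published for one service name."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        fields = line.split()
        if len(fields) < 8 or fields[3].upper() != "SRV":
            continue
        name = fields[0].rstrip(".")
        if name != service:
            continue
        prio, weight, port = (int(x) for x in fields[4:7])
        records.append(SrvRecord(name, prio, weight, port, fields[7].rstrip(".")))
    return records


def order_by_srv(records, rng=None):
    """RFC 2782 order: lowest priority first; weighted random within a priority.
    Zero-weight records are only picked when nothing else at that priority is left."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        remaining = [r for r in records if r.priority == prio]
        while remaining:
            total = sum(r.weight for r in remaining)
            if total == 0:
                pick = rng.choice(remaining)
            else:
                roll, acc = rng.randrange(total), 0
                for r in remaining:
                    acc += r.weight
                    if roll < acc:
                        pick = r
                        break
            ordered.append(pick)
            remaining.remove(pick)
    return ordered


def select_server(records, reachable, rng=None):
    """First reachable (target, port) in SRV order, or None if no replica answers.
    `reachable(host, port)` is a caller-supplied check; here it is a stub."""
    for rec in order_by_srv(records, rng):
        if reachable(rec.target, rec.port):
            return rec.target, rec.port
    return None


if __name__ == "__main__":
    ldap = parse_srv(SAMPLE_ZONE, "_ldap._tcp.ipa.example.test")
    # Constructed stub: pretend ipa1 is down for maintenance.
    up = lambda host, port: host != "ipa1.ipa.example.test"
    print("records:", [(r.priority, r.weight, r.target) for r in ldap])
    print("chosen:", select_server(ldap, up))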
</body>
</html>