Hi Duncan

A few things I've learned:

Understand how replication agreements work as part of your planning.

Choose a suitable location for the live CA server.

Deploy a replica by promoting an sssd client. Unless you have a reason not
to, always pass --setup-ca to the ipa-replica-install command to give the
flexibility of having any of your replicas take over the role of CA if
needed (we've certainly moved our CA from site to site before now).

I wish I'd set up DNS within FreeIPA and had a mini DNS domain just for the
FreeIPA systems themselves. We implemented our original IPAs into our
existing DNS at site 1; now, when deploying replicas in site 2 - which has an
existing, different DNS domain - we've had to extend the DNS of site 1 into
site 2 just for the replicas there. So now we have nodes in site 2 with DNS
names used only in site 1 - this will only spread more and more as we extend
into other sites. FreeIPA servers must be in the same DNS domain, that's all.
sssd clients can be in any DNS domain.

Best practices recommend having at least 2 IPA replicas per site; however,
due to network constraints (I think promoting an sssd client to a replica
requires connectivity to all other replicas, and one of our sites with
working replicas is not reachable from this remote site) we have an entire
remote site connecting to 2 IPA servers in 2 other locations, each location
having its own IPsec tunnel to the remote site - so far this works really
well.

Overall, a good experience; the ssh-key/sudo/hbac facilities are excellent.
sssd on the clients is really good too, and completely replaces legacy tools
like nscd (woohoo!).

Regards
Angus

On 8 May 2018 at 11:23, Duncan Colhoun via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Hi All
>
> I hope this is the appropriate forum for this question.
>
> Can I get some feedback on the overall experience setting up and running
> Free-IPA. I am looking at implementing Free-IPA to enhance/replace an
> OpenLDAP environment.
>
> So please share any horror/success stories.
>
> Rgds
>
> Duncan
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>