Main gripe (which doesn't have any plans for resolution) - no facility for
read-only replicas in untrusted sites.

On 8 May 2018 at 12:04, Angus Clarke <subscripti...@angusclarke.com> wrote:

> Hi Duncan
>
> A few things I've learned:
>
> Understand how replication agreements work as part of your planning.
>
> Choose a suitable location for the live CA server.
>
> Deploy a replica by promoting an sssd client. Unless you have a reason not
> to, always pass --setup-ca to the ipa-replica-install command to give the
> flexibility of having any of your replicas take over the role of CA if
> needed (we've certainly moved our CA from site to site before now).
>
> I wish I'd set up DNS within FreeIPA and had a mini DNS domain just for the
> FreeIPA systems themselves. We implemented our original IPAs into our
> existing DNS at site 1; now, when deploying replicas in site 2 - which has an
> existing, different DNS domain - we've had to extend the DNS of site 1 into
> site 2 just for the replicas there in site 2. So now we have nodes in site
> with DNS names used only in site 1 - this will only spread more and more as
> we extend into other sites. FreeIPA servers must be in the same DNS domain,
> that's all. sssd clients can be in any DNS domain.
>
> Best practice recommends having at least 2 IPA replicas per site; however,
> due to network constraints (I think promoting an sssd client to a replica
> requires connectivity to all other replicas, but one of our sites with
> working replicas is not reachable from this remote site) we have an entire
> remote site connecting to 2 IPA servers in 2 other locations, each location
> having its own IPSEC tunnel to the remote site - so far this works really
> well.
>
> Overall, a good experience; the ssh-key/sudo/hbac facilities are
> excellent. sssd on the clients is really good too, and completely replaces
> legacy tools like nscd (woohoo!).
>
> Regards
> Angus
>
> On 8 May 2018 at 11:23, Duncan Colhoun via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi All
>>
>> I hope this is the appropriate forum for this question.
>>
>> Can I get some feedback on the overall experience setting up and running
>> Free-IPA. I am looking at implementing Free-IPA to enhance/replace an
>> OpenLDAP environment.
>>
>> So please share any horror/success stories.
>>
>> Rgds
>>
>> Duncan
>>
>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org