Ronald Wimmer via FreeIPA-users wrote:
> On 06.07.20 19:52, Rob Crittenden wrote:
>> Ronald Wimmer via FreeIPA-users wrote:
>>> After upgrading to OL 8.1 and replacing all of my 8 IPA servers I ran
>>> into this particular problem.
>>>
>>> Is it right that I need to have an ID range where all DNA ranges have to
>>> fit in? And that the DNA range of each IPA server has to be distinct
>>> from the ranges of the other IPA servers?
>>>
>>> I will start by checking each IPA server with
>>>
>>> ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
>>>
>>> (according to what Rob wrote on his blog some years ago
>>> https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )
>>
>> Not every master has to have a range. Only those masters that you create
>> users and groups on. The DNA plugin should be smart enough to skip any
>> conflicting allocations but why press it? It isn't a whole lot of extra
>> work to manually set things up if you have to do that anyway and you can
>> sleep better knowing that duplicate values aren't possible.
>>
>> Yes, it needs to fit within any IPA ranges you have created. You can
>> have more than one.
>>
>> Otherwise you could theoretically end up in a conflict with other
>> ranges, like a trust, which would be bad.
>>
>> There is nothing constraining what DNA range you set. The IPA ranges are
>> there for a hint.
>
> So. If my ID range for the IPA domain is
>
> ID Range
> 1246600000
> 1246800000
>
> I could set the DNA ranges like that:
>
> DNA Range ipa1
> 1246600001
> 1246620001
>
> DNA Range ipa2
> 1246620002
> 1246640002
>
> DNA Range ipa3
> 1246640003
> 1246660003
>
> DNA Range ipa4
> 1246660004
> 1246680004
>
> DNA Range ipa5
> 1246680005
> 1246700005
>
> DNA Range ipa6
> 1246700006
> 1246720006
>
> DNA Range ipa7
> 1246720007
> 1246740007
>
> DNA Range ipa8
> 1246740008
> 1246760008
>
> Do you agree?
>
> Do I have to use ldapmodify or could I use
>
> ipa-replica-manage dnarange-set ipa1.mydomain.at 1246600001-1246620001 ?
You can use ipa-replica-manage. As I write in the blog, not every server is
required to have a range set. It is only needed on servers that users will
be created on and it will ask its peers for a range if a need arises. So
sure, you can micromanage it like this if you want but if you create another
server and it needs a range it will split one of these.

rob

_______________________________________________
FreeIPA-users mailing list
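The two conditions the thread settles on (every DNA range must sit inside an IPA ID range, and no two servers' DNA ranges may overlap) are easy to get wrong by hand across eight servers. The script below is an added example, not code from the thread or from FreeIPA: it parses the kind of LDIF that the quoted ldapsearch prints (dnaNextValue/dnaMaxValue from the DNA plugin entry, ipaBaseID/ipaIDRangeSize from the ipaIDrange entry) and checks the proposed plan. All LDIF text is constructed; the numbers are the plan from the thread, the dn under cn=ranges is made up for a mydomain.at deployment, and ranges are assumed inclusive on both ends.

```python
"""Check a per-server DNA range plan against the IPA domain ID range(s).

Added example; the LDIF is constructed to imitate ldapsearch output and the
numbers are the plan proposed in the thread. Ranges are treated as inclusive.
"""
from collections import defaultdict

DNA_DN = ("cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,"
          "cn=plugins,cn=config")


def fake_dna_ldif(next_value, max_value):
    """Constructed stand-in for one server's 'ldapsearch ... -b DNA_DN' output."""
    return (f"dn: {DNA_DN}\ndnaType: uidNumber\ndnaType: gidNumber\n"
            f"dnaNextValue: {next_value}\ndnaMaxValue: {max_value}\n")


# Constructed ipaIDrange entry with the thread's ID range; the last usable ID
# is ipaBaseID + ipaIDRangeSize - 1 (the dn is a made-up example).
ID_RANGE_LDIF = """\
dn: cn=MYDOMAIN.AT_id_range,cn=ranges,cn=etc,dc=mydomain,dc=at
ipaBaseID: 1246600000
ipaIDRangeSize: 200000
"""

# The thread's proposed plan, as if each server had been queried in turn.
PLAN = {
    "ipa1": fake_dna_ldif(1246600001, 1246620001),
    "ipa2": fake_dna_ldif(1246620002, 1246640002),
    "ipa3": fake_dna_ldif(1246640003, 1246660003),
    "ipa4": fake_dna_ldif(1246660004, 1246680004),
    "ipa5": fake_dna_ldif(1246680005, 1246700005),
    "ipa6": fake_dna_ldif(1246700006, 1246720006),
    "ipa7": fake_dna_ldif(1246720007, 1246740007),
    "ipa8": fake_dna_ldif(1246740008, 1246760008),
}


def parse_ldif(text):
    """Minimal LDIF reader: a list of entries, each {attr(lower): [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines + [""]:               # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        attr, _, value = line.partition(":")
        current[attr.strip().lower()].append(value.strip())
    return entries


def dna_range(ldif_text):
    """(next, max) from the DNA plugin entry, or None if no range is set."""
    for entry in parse_ldif(ldif_text):
        if "dnanextvalue" in entry and "dnamaxvalue" in entry:
            return int(entry["dnanextvalue"][0]), int(entry["dnamaxvalue"][0])
    return None


def id_ranges(ldif_text):
    """[(first, last)] for every ipaIDrange entry in the LDIF."""
    out = []
    for entry in parse_ldif(ldif_text):
        if "ipabaseid" in entry and "ipaidrangesize" in entry:
            base = int(entry["ipabaseid"][0])
            size = int(entry["ipaidrangesize"][0])
            out.append((base, base + size - 1))
    return out


def check_plan(ranges, dna_by_server):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, assigned = [], []
    for server, rng in dna_by_server.items():
        if rng is None:                     # a server without a range is fine
            continue
        lo, hi = rng
        if lo > hi:
            problems.append(f"{server}: next value {lo} is above max {hi}")
            continue
        if not any(first <= lo and hi <= last for first, last in ranges):
            problems.append(f"{server}: {lo}-{hi} is not inside any IPA ID range")
        assigned.append((lo, hi, server))
    assigned.sort()                         # neighbours in sorted order can overlap
    for (lo_a, hi_a, a), (lo_b, hi_b, b) in zip(assigned, assigned[1:]):
        if lo_b <= hi_a:
            problems.append(f"{a} ({lo_a}-{hi_a}) overlaps {b} ({lo_b}-{hi_b})")
    return problems


def check_thread_plan(plan=PLAN):
    """Run the check on the thread's plan (or a modified copy of it)."""
    return check_plan(id_ranges(ID_RANGE_LDIF),
                      {s: dna_range(ldif) for s, ldif in plan.items()})
```

In a real deployment you would paste each server's ldapsearch output into the dictionary (or read files saved from each host) and the ipaIDrange entries from cn=ranges,cn=etc,$SUFFIX, which may contain more than one range; a server that returns no dnaNextValue/dnaMaxValue is reported as having no range rather than as an error, matching Rob's point that only servers on which users are created need one.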
