Quoting Rob Crittenden <[email protected]>:

Ronald Wimmer via FreeIPA-users wrote:
On 06.07.20 19:52, Rob Crittenden wrote:
Ronald Wimmer via FreeIPA-users wrote:
After upgrading to OL 8.1 and replacing all of my 8 IPA servers I ran
into this particular problem.

Is it right that I need to have an ID range where all DNA ranges have to
fit in? And that the DNA range of each IPA server has to be distinct
from the ranges of the other IPA servers?

I will start by checking each IPA server with

ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'

(according to what Rob wrote on his blog some years ago
https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )

Not every master has to have a range. Only those masters that you create
users and groups on. The DNA plugin should be smart enough to skip any
conflicting allocations but why press it? It isn't a whole lot of extra
work to manually set things up if you have to do that anyway and you can
sleep better knowing that duplicate values aren't possible.

Yes, it needs to fit within any IPA ranges you have created. You can
have more than one.

Otherwise you could theoretically end up in a conflict with other
ranges, like a trust, which would be bad.

There is nothing constraining what DNA range you set. The IPA ranges are
there for a hint.

So. If my ID range for the IPA domain is

ID Range: 1246600000 - 1246800000

I could set the DNA ranges like that:

DNA Range ipa1: 1246600001 - 1246620001
DNA Range ipa2: 1246620002 - 1246640002
DNA Range ipa3: 1246640003 - 1246660003
DNA Range ipa4: 1246660004 - 1246680004
DNA Range ipa5: 1246680005 - 1246700005
DNA Range ipa6: 1246700006 - 1246720006
DNA Range ipa7: 1246720007 - 1246740007
DNA Range ipa8: 1246740008 - 1246760008

Do you agree?

Do I have to use ldapmodify or could I use

ipa-replica-manage dnarange-set ipa1.mydomain.at 1246600001-1246620001 ?

You can use ipa-replica-manage.

As I write in the blog, not every server is required to have a range
set. It is only needed on servers that users will be created on and it
will ask its peers for a range if a need arises.

So sure, you can micromanage it like this if you want but if you create
another server and it needs a range it will split one of these.

The thing is that I put a load balancer in front of all eight IPA servers (so that users can access the Web GUI via ipa.linux.mydomain.at, while the actual servers are blabla2-8.linux.mydomain.at). When accessing the web interface the user does not know which IPA server he ended up on. In this scenario every IPA server would need a range of its own, right?

Cheers,
Ronald
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
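The thread's two requirements (every DNA range must fit inside the IPA ID range, and no two servers' ranges may overlap) are easy to get wrong by hand across eight servers. The following script is an added example, not code from the thread or from the FreeIPA project: it splits an ID range into equal, disjoint per-server slices, checks a plan for out-of-range or overlapping entries, and prints the `ipa-replica-manage dnarange-set` commands without running them. It assumes the ID range is given as first and last Posix ID (inclusive) and that each DNA range is written `start-end`; the hostnames are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: plan disjoint
# per-server DNA ranges inside the IPA ID range and verify a plan before
# applying it with:  ipa-replica-manage dnarange-set <server> <start>-<end>
# Assumptions: the IPA ID range is given as first and last Posix ID
# (inclusive); each DNA range is written "start-end" (inclusive).

# split_range FIRST LAST SERVER...
# Divide [FIRST, LAST] into equal, gap-free, non-overlapping slices, one per
# server, printing "<server> <start>-<end>" per line. A remainder that does
# not divide evenly is left unassigned at the top of the range.
split_range() {
  first=$1; last=$2; shift 2
  per=$(( (last - first + 1) / $# )); i=0
  for srv in "$@"; do
    start=$(( first + i * per ))
    end=$(( start + per - 1 ))
    printf '%s %d-%d\n' "$srv" "$start" "$end"
    i=$(( i + 1 ))
  done
}

# check_ranges FIRST LAST   (plan read from stdin)
# Return 1 if any range is inverted, lies outside [FIRST, LAST], or overlaps
# an earlier one; otherwise return 0. Every problem is reported on stderr.
check_ranges() {
  first=$1; last=$2; seen=""; rc=0
  while read -r srv range; do
    [ -n "$srv" ] || continue
    s=${range%-*}; e=${range#*-}
    if [ "$s" -gt "$e" ] || [ "$s" -lt "$first" ] || [ "$e" -gt "$last" ]; then
      echo "ERROR: $srv $range is not inside $first-$last" >&2; rc=1
    fi
    for rec in $seen; do                 # rec is "name:start:end"
      on=${rec%%:*}; rest=${rec#*:}; os=${rest%%:*}; oe=${rest##*:}
      # Two closed intervals overlap unless one ends before the other starts.
      if [ "$s" -le "$oe" ] && [ "$e" -ge "$os" ]; then
        echo "ERROR: $srv $range overlaps $on $os-$oe" >&2; rc=1
      fi
    done
    seen="$seen $srv:$s:$e"
  done
  return $rc
}

# emit_commands   (plan read from stdin)
# Print the ipa-replica-manage invocation for each line; nothing is executed.
emit_commands() {
  while read -r srv range; do
    [ -n "$srv" ] || continue
    printf 'ipa-replica-manage dnarange-set %s %s\n' "$srv" "$range"
  done
}

# Worked run with the ID range from the thread; hostnames are placeholders.
plan=$(split_range 1246600000 1246800000 \
  ipa1.example.test ipa2.example.test ipa3.example.test ipa4.example.test \
  ipa5.example.test ipa6.example.test ipa7.example.test ipa8.example.test)
echo "$plan"
echo "$plan" | check_ranges 1246600000 1246800000 && echo "$plan" | emit_commands
```

`check_ranges` can also be fed the current state rather than a plan: the `dnaNextValue` and `dnaMaxValue` attributes returned by the ldapsearch earlier in the thread give each server's live range, so collecting those eight pairs into `<server> <next>-<max>` lines and piping them through the check shows whether the existing allocations already overlap before anything is changed.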
