On 09.07.25 13:54, Alexander Bokovoy wrote:
On Wed, 09 Jul 2025, Ronald Wimmer via FreeIPA-users wrote:
Currently, we operate three separate IPA instances across different
domains, each separated by firewalls. Since we require a unified user
and group base across all of them, managing this setup has become
quite cumbersome.
Would it be feasible to consolidate everything into a single IPA
instance serving all three domains? I'm aware of features like IPA
locations and the ability to configure additional realms, but would
those be sufficient?
In my opinion, one possible approach might be to set up a central IPA
environment with four servers, complemented by "satellite" replicas in
each domain. These could be prioritized by clients within their
respective networks using the locations feature.
It is unclear what you mean by 'domains' and 'realms' here.
IPA deployment consists of only a single Kerberos realm that can include
systems deployed in multiple DNS domains. This deployment is a single
IPA organizational domain. A single IPA server can only host a single
IPA organizational domain. Vice-versa, a single IPA host (client or
server) can only be enrolled into a single IPA organizational domain,
represented by the single Kerberos realm.
There is no support and no plans for co-hosting multiple Kerberos realms
and organizational domains on the same physical IPA server.
Let me try to clarify...
Now we have an IPA instance linux.mydomain.at (domain: linux.mydomain.at,
realm: LINUX.MYDOMAIN.AT) that holds IPA clients in these domains:
- linux.mydomain.at (Kerberos works as expected here)
- doma.mydomain.at*
- domb.mydomain.at*
- mydomain.at*
* Kerberos does not work here, but it does not matter, as we do not need it.
Then we have two different, firewall-separated IPA instances:
- linux.dmzdomain.at
- linux.otherdomain.at
My question is: if we do not care about Kerberos functionality, would it
be possible to "co-host" linux.dmzdomain.at and linux.otherdomain.at on
our main instance, as we already do now with doma.mydomain.at, for example?
If yes, would it work to place an "IPA satellite" server in both of
these domains and let clients only talk to this particular machine? (So
we would only need FW rules from our main instance to these satellite
machines.)
Would such a setup work? Would it make sense to you?
Cheers,
Ron
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org