On 02/19/2013 02:13 PM, Guy Matz wrote:
> Hi! FreeIPA newbie here, with experience in DNS & LDAP . . .
> I am inheriting a FreeIPA installation which needs to expand to
> multiple datacenters, and was hoping for a little advice. The current
> freeipa setup uses a subdomain, ny.company.com - with a kerberos realm
> NY7.COMPANY.COM - and I'm wondering if I want to continue this by
> creating additional subdomains & realms for the other datacenters, or
> if I'm better off flattening the namespace to company.com for all
> The reasons to use subdomains are generally:
> 1. to avoid naming collisions
> 2. to delegate administration to some other unit.
> Did I miss anything? I don't plan on doing either of those, so I'm
> looking to flatten the namespace. Anyone have any thoughts?
> Especially on the kerberos portion of this question? Thanks a lot!!
IPA does not support multiple Kerberos realms yet.
In the IPA case the DNS domain might not match the Kerberos domain, so AFAIU (and
please correct me if I am wrong) you can use one Kerberos realm with
multiple DNS subdomains for different offices. And with the latest
changes in IPA 3.0 you should be able to delegate administration of the
DNS zones to other admins.
> Freeipa-users mailing list
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
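Added example, not part of the original thread or of FreeIPA's own code: a simplified model of how static krb5.conf [domain_realm] entries let hosts in several DNS subdomains resolve to the one realm discussed above, with a check for hosts that no entry covers. The realm NY7.COMPANY.COM and the domain ny.company.com come from the thread; the dc2/dc3 subdomains, host names and function names are assumptions.

```python
# Simplified model of static [domain_realm] matching: exact host entries,
# then ".domain" entries, most specific first.
# Constructed krb5.conf fragment: ny.company.com and NY7.COMPANY.COM come
# from the thread; dc2/dc3 and all host names are hypothetical.
KRB5_CONF = """\
[libdefaults]
  default_realm = NY7.COMPANY.COM

[domain_realm]
  .ny.company.com = NY7.COMPANY.COM
  ny.company.com = NY7.COMPANY.COM
  .dc2.company.com = NY7.COMPANY.COM
"""


def parse_domain_realm(text):
    """Return {name: REALM} from the [domain_realm] section of krb5.conf text."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "domain_realm" and "=" in line:
            name, realm = (p.strip() for p in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def realm_for_host(host, mapping):
    """Realm for a host name, or None when no static entry covers it."""
    host = host.lower().rstrip(".")
    if host in mapping:                           # exact host entry
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):               # ".ny.company.com", ".company.com", ...
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def unmapped_hosts(hosts, mapping, realm):
    """Hosts that no static entry maps to the expected realm."""
    return [h for h in hosts if realm_for_host(h, mapping) != realm]


if __name__ == "__main__":
    m = parse_domain_realm(KRB5_CONF)
    for h in ["web1.ny.company.com", "ldap1.dc2.company.com", "app1.dc3.company.com"]:
        print(h, "->", realm_for_host(h, m))
```

A ".domain" entry covers hosts below that domain but not the bare domain name itself, which is why the fragment lists ny.company.com both with and without the leading dot.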