I'm sure my doubts stem from my lack of experience with IdM at this time. Perhaps with a bit more driving time I'll come to appreciate the package a bit more.

Thanks again for your patience and explanations.

Al

-----Original Message-----
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
Sent: Monday, October 06, 2014 9:39 AM
To: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] FW: FW: FW: named and IpA

On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
wrote:
> Thanks for the additional data. It starts to make sense now, but I'm
> wondering if that could possibly be a weakness in the IdM model?

Well, define a weakness :-)

The whole IPA server is built around an LDAP database, so LDAP is a single point of 
failure *for one particular* IPA server.

IPA offers a solution called "replicas". You can have multiple IPA servers with 
a (two-way) replicated LDAP database, so an outage of N-1 servers will not affect 
your clients as long as the clients are able to fail over to the last functional 
server.

I hope I understood your question :-)

Petr^2 Spacek

>
> Al
>
> -----Original Message-----
> From: freeipa-users-boun...@redhat.com 
> [mailto:freeipa-users-boun...@redhat.com] On Behalf Of Petr Spacek
> Sent: Monday, October 06, 2014 7:35 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] FW: FW: named and IpA
>
> On 6.10.2014 15:17, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) 
> wrote:
>> Thanks very much for the additional input. The configuration as you
>> describe it is correct, with a minor detail correction that I didn't
>> notice earlier. 16.112.240.27 is the master for the osn.cxo.cpqcorp.net
>> zone while 16.112.240.40 is a slave for that zone. But as you have said,
>> both are authoritative for that zone.
>>
>> I won't belabor the point and will move on to try a different
>> configuration, as my ultimate goal here is to create trust domains
>> between a Linux and an AD domain. To that end I will reconfigure the
>> current IdM server such that it is in a different subnet and domain.
>>
>> I just find it odd that when ipa is shutdown and named is restarted 
>> on the system designated as the IdM server, that dns works and the 
>> forwarders are not ignored as they are when ipa is running.
>
> The reason is that authoritative data are stored in LDAP, but the global
> forwarding configuration (specified on the ipa-server-install command line)
> is stored in /etc/named.conf.
>
> The LDAP server is not reachable when IPA is down, so BIND cannot see the
> zones in LDAP, and the "global" forwarding in named.conf is what makes it
> accidentally work for you.
>
> Forwarding is evil :-)
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>


--
Petr^2 Spacek

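As an added illustration of Petr's point above (global forwarding lives in /etc/named.conf while the zones live in LDAP, so forwarding keeps answering when IPA is down): a small checker, written for this page rather than taken from FreeIPA or the thread, that parses a named.conf and flags that combination. The sample config, the forwarder addresses and the `dynamic-db` stanza are constructed; it assumes a bind-dyndb-ldap `dynamic-db` block is what marks LDAP-backed zones.

```python
import re

# Constructed sample named.conf (not from the thread): zones come from LDAP via
# a bind-dyndb-ldap "dynamic-db" stanza, while global forwarding sits in options{}.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    forwarders { 192.0.2.53; 192.0.2.54; };   /* constructed forwarder IPs */
    forward first;
};

dynamic-db "ipa" {
    library "ldap.so";
    arg "uri ldapi://%2fvar%2frun%2fslapd-EXAMPLE-TEST.socket";
    arg "base cn=dns, dc=example,dc=test";
};
"""

def block_body(conf, name):
    """Return the text inside the first `name ... { ... }` block, honouring nesting."""
    m = re.search(r"\b" + re.escape(name) + r"\b[^{;]*\{", conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]

def audit_forwarding(conf):
    """Report whether global forwarding can mask an outage of the LDAP-backed zones."""
    opts = block_body(conf, "options")
    fwd = re.search(r"forwarders\s*\{([^}]*)\}", opts)
    forwarders = re.findall(r"[0-9A-Fa-f.:]+", fwd.group(1)) if fwd else []
    pol = re.search(r"\bforward\s+(first|only)\s*;", opts)
    # BIND defaults to "forward first" whenever a forwarders list is present.
    policy = pol.group(1) if pol else ("first" if forwarders else None)
    zones_in_ldap = block_body(conf, "dynamic-db") != ""
    findings = []
    if forwarders and zones_in_ldap:
        # The global forwarders keep answering while LDAP is unreachable, so queries
        # for IPA-managed names are forwarded instead of failing: the outage is hidden.
        findings.append("GLOBAL_FORWARDING_WITH_LDAP_ZONES")
    if policy == "first":
        findings.append("FORWARD_FIRST_FALLS_BACK_TO_RECURSION")
    return {"forwarders": forwarders, "policy": policy,
            "zones_in_ldap": zones_in_ldap, "findings": findings}

if __name__ == "__main__":
    for finding in audit_forwarding(SAMPLE_NAMED_CONF)["findings"]:
        print(finding)
```

Run against a server's real named.conf, an empty findings list means a failed LDAP backend will surface as SERVFAIL for the IPA zones rather than being papered over by the forwarders.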
