On Mon, Oct 06, 2014 at 06:38:59PM +0200, Petr Spacek wrote:
> On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
> > Thanks for the additional data. It starts to make sense now, but I'm
> > wondering if that could possibly be a weakness in the IdM model?
>
> Well, define a weakness :-)
>
> The whole IPA server is built around an LDAP database, so LDAP is a single point of
> failure *for one particular* IPA server.
>
> IPA offers a solution called "replicas". You can have multiple IPA servers
> with a (two-way) replicated LDAP database, so an outage on N-1 servers will not
> affect your clients as long as clients are able to fail over to the last
> functional server.
The question is, what should happen when no LDAP server can be used? Should the forwarding suddenly kick in for all zones, which will cause completely different data to be served? Or should the DNS server refuse to serve anything at that point (even the forwarding) because it has no way to know what should be forwarded and what not (I assume bind does not keep around a list of zones that were LDAP-backed the last time LDAP worked)? There probably should be at least an option (if not the default) for bind to serve nothing if LDAP is not accessible.

--
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
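The three behaviours weighed above (forward everything, serve nothing, or remember which zones were LDAP-backed and fail only those) are easy to confuse in words, so here is a small model of an LDAP-backed DNS server that makes the difference concrete. This is an added example written for this discussion, not code from the thread or from bind-dyndb-ldap; the zone data, the forwarder answer and the policy names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: one zone that lives in LDAP, with a single host record.
LDAP_ZONES = {"ipa.example.test": {"www": "192.0.2.10"}}


def zone_for(qname, zones):
    """Return the longest zone in `zones` that qname falls under, or None."""
    labels = qname.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


@dataclass
class Server:
    policy: str                           # "fail-open", "fail-closed" or "remember-zones"
    forwarder_answer: str = "198.51.100.1"  # constructed: what the forwarder would return
    known_ldap_zones: set = field(default_factory=set)  # zones seen while LDAP was up

    def fetch_zones(self, ldap_up):
        """Simulate reading the zone list from LDAP; None means LDAP is unreachable."""
        if not ldap_up:
            return None
        self.known_ldap_zones = set(LDAP_ZONES)
        return LDAP_ZONES

    def resolve(self, qname, ldap_up):
        qname = qname.rstrip(".")
        zones = self.fetch_zones(ldap_up)
        if zones is not None:                     # normal operation: LDAP is authoritative
            zone = zone_for(qname, zones)
            if zone is None:
                return ("FORWARD", self.forwarder_answer)
            rr = zones[zone].get(qname[: -len(zone) - 1])
            return ("ANSWER", rr) if rr else ("NXDOMAIN", None)
        # LDAP unreachable: what happens next depends on the policy.
        if self.policy == "fail-closed":          # serve nothing, not even forwarding
            return ("SERVFAIL", None)
        if self.policy == "fail-open":            # forwarding kicks in for *all* zones
            return ("FORWARD", self.forwarder_answer)
        # "remember-zones": fail only names under zones that were LDAP-backed last time
        if zone_for(qname, self.known_ldap_zones) is not None:
            return ("SERVFAIL", None)
        return ("FORWARD", self.forwarder_answer)
```

Under "fail-open", a query for a name inside the LDAP-backed zone silently switches from the LDAP answer to whatever the forwarder says once LDAP goes down, which is the "completely different data" problem; "fail-closed" and "remember-zones" both turn that into an explicit SERVFAIL.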