On 10.10.2014 10:32, Jan Pazdziora wrote:
On Mon, Oct 06, 2014 at 06:38:59PM +0200, Petr Spacek wrote:
On 6.10.2014 17:22, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote:
Thanks for the additional data. It starts to make sense now, but I'm
wondering if that could possibly be a weakness in the IdM model?

Well, define a weakness :-)

The whole IPA server is built around an LDAP database, so LDAP is a single point of
failure *for one particular* IPA server.

IPA offers a solution called "replicas". You can have multiple IPA servers
with a (two-way) replicated LDAP database, so an outage on N-1 servers will not
affect your clients as long as the clients are able to fail over to the last
functional server.

The question is, what should happen when no LDAP server can be
used?

Should the forwarding suddenly kick in for all zones, which will
cause completely different data to be served? Or should the DNS
server refuse to serve anything at that point (even the forwarding)
because it has no way to know what should be forwarded and what
not (I assume bind does not keep around a list of zones that were
LDAP-backed the last time LDAP worked)?

There probably should be at least an option (if not the default) for bind
to serve nothing if LDAP is not accessible.

In the past, named refused to start when LDAP was not available. Later this was flagged as a bug and the current behavior was implemented:
https://bugzilla.redhat.com/show_bug.cgi?id=662930

Feel free to open an RFE.

--
Petr^2 Spacek

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
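The failure mode Jan describes above (named still up, LDAP gone, and the server quietly answering from its forwarders instead of from the LDAP-backed zones) is easy to miss from the outside because queries still get answers. The script below is an added example written for this thread; it is not part of FreeIPA or bind-dyndb-ldap. It sends a plain SOA query for the zone apex to each IPA server and classifies the reply from the header bits: an answer with the AA (authoritative answer) flag set came from a zone the server itself holds, an answer without AA but with records in it was relayed from a forwarder, and REFUSED/SERVFAIL mean the server declined to serve the zone at all. Port 53 over UDP, the SOA query type and the command-line form `check.py ZONE SERVER...` are assumptions of this example; `build_response` only exists to construct header-only sample replies so the classifier can be exercised offline.

```python
"""Check whether an IPA DNS server still answers a zone authoritatively.

Added example for the freeipa-users thread on LDAP outages; not FreeIPA code.
Usage (assumed form):  python3 check.py example.com 10.0.0.1 10.0.0.2
"""
import random
import socket
import struct
import sys

# DNS header flag bits (RFC 1035, section 4.1.1).
QR, AA, TC, RD, RA = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080
RCODE_MASK = 0x000F
SOA = 6  # query type used for the zone apex probe


def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(zone, qid=None):
    """SOA query for the zone apex with RD set, as an ordinary stub resolver would send."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", SOA, 1)


def parse_header(msg):
    """Decode the 12-byte DNS header into a dict of the fields we care about."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & QR), "aa": bool(flags & AA),
            "tc": bool(flags & TC), "ra": bool(flags & RA),
            "rcode": flags & RCODE_MASK, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def classify(msg, expected_id):
    """Map a response to what it says about the server's state for this zone."""
    if len(msg) < 12:
        return "malformed"
    h = parse_header(msg)
    if h["id"] != expected_id:
        return "id-mismatch"        # not the reply to our query; ignore it
    if not h["qr"]:
        return "not-a-response"
    if h["rcode"] == 5:
        return "refused"            # server declined to serve the zone at all
    if h["rcode"] == 2:
        return "servfail"           # server has the zone but cannot answer
    if h["aa"]:
        return "authoritative"      # data came from a zone this server holds
    if h["ancount"] > 0:
        return "forwarded"          # answer relayed from a forwarder: LDAP data gone
    return "no-data"


def build_response(query, aa=False, rcode=0, ancount=0):
    """Constructed sample reply for offline use: copies the question section and
    sets only header bits. No resource records are attached, so this is
    header-only test data, not a wire-exact answer."""
    qid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    flags = QR | RA | (flags & RD) | (AA if aa else 0) | (rcode & RCODE_MASK)
    return struct.pack("!HHHHHH", qid, flags, qd, ancount, 0, 0) + query[12:]


def probe(server, zone, timeout=2.0):
    """Send the SOA query to one server over UDP/53 and classify the reply."""
    q = build_query(zone)
    qid = struct.unpack("!H", q[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(q, (server, 53))
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify(data, qid)


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: check.py ZONE SERVER [SERVER ...]")
    zone, servers = sys.argv[1], sys.argv[2:]
    for srv in servers:
        # Anything other than "authoritative" on an IPA server means its
        # LDAP-backed zone is not being served from LDAP right now.
        print(f"{srv}: {probe(srv, zone)}")
```

Run it against every replica from a monitoring host; a replica that reports "forwarded" is exactly the case discussed in the thread, where the server is up but has lost its LDAP backend and is answering from its forwarders, while "refused" or "timeout" is the conservative behaviour Jan argues for. Checking the AA bit rather than comparing record contents avoids false alarms when the forwarder happens to return the same data.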
