[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Roberto Cornacchia
Sent: Tuesday, February 03, 2015 5:20 AM
Subject: [Freeipa-users] basic question on DNS configuration
I can't wait to get freeIPA installed in our small enterprise, but I'd first
like to get a couple of basic things straight.
My first doubt is about the DNS configuration. Currently, we use a setting that
I guess is rather common for small enterprises:
We own an example.com domain which is managed by the DNS of
an external provider.
A couple of subdomains point to public IP addresses outside our local network
(e.g. www.example.com is hosted at our internet provider, server1.example.com
points at a server hosted in a datacenter, etc).
All the remaining subdomains (*.example.com) point at one IP
which corresponds to our local router.
Then we use some simple forwarding rules to forward on to machines that are
behind the router (service1.example.com,
Internally, because the enterprise is rather small, we are not using a DNS, but
simply /etc/hosts files on each machine. When they can't resolve
whatever.example.com, then the request goes to the
(sorry about the long-ish background information, probably this configuration
is commonly named somehow, but I don't know how)
Now, a first simple question for you guys would be:
When installing freeIPA, with DNS, is the network configuration above still
advisable? Can there be any problem? Or should I rather use a different domain
for the internal network (I would really NOT like this option, but I'm very
interested to know why I should, if that is the case).
A second basic question is:
Would you see any potential problem in installing freeIPA on a FC21 Server
which currently hosts Atlassian Jira + Atlassian Stash (therefore git
repositories) + the required mysql databases?
My guess would be that they would not interfere, as:
- httpd (and related ports) is currently unused
- Both Jira and Stash use their own tomcat installation on custom ports
- mysql shouldn't be a problem?
- The machine isn't overloaded at all (4-5 developers use those services)
Am I overlooking something? Obviously I'd rather have a dedicated freeIPA
server, but if the above mentioned coexistence isn't a problem, then this would
be more cost-effective.
Thank you very much for your help, I'm looking forward to this upgrade.
I would recommend that you create a ‘local’ domain for your internal LAN though
you certainly can use your domain name for both the internal LAN and the
external world. Obviously you would have to create ‘manual’ entries in DNS for
the external servers (like www.example.com) so your
internal LAN systems can resolve it. If you have a ‘local’ domain for your
internal LAN, there aren’t name collisions, no need to manually maintain DNS
entries for off-LAN servers and no confusion of essentially faking your LAN
systems into believing that the IPA server is authoritative for example.com
domain when the rest of the world thinks otherwise. The choice is yours.
As for using F21 – you get the latest version of FreeIPA which is something I
wish I had here.
Git / Stash / Jira represent a fairly hefty memory footprint even if there
isn’t that much CPU load. If you have the RAM and cpu cores to handle tossing
FreeIPA onto the stack, go for it. You probably will want a replica too as the
replica keeps your LAN running if the primary server is unavailable for
whatever reason and it minimizes backup needs substantially.
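The caveat in the reply above is easy to underestimate: once the IPA server's named is authoritative for example.com on the LAN, every public name that was not copied into the IPA zone returns NXDOMAIN internally, and the provider's *.example.com wildcard no longer applies to LAN clients. The script below is an added example, not code from the thread or from the FreeIPA project. It models both views of the zone as plain dictionaries (all hostnames and addresses are constructed, using documentation ranges), reports which names would stop resolving on the LAN or answer differently, and emits the `ipa dnsrecord-add` commands that would mirror the explicit public records. With a separate internal domain, as the reply recommends, the two zones share no labels and this list is empty by construction.

```python
"""Audit a split-horizon DNS setup: same zone name served by a public
provider outside and by FreeIPA inside.  Constructed sample data only."""
from dataclasses import dataclass, field

# Public view of example.com at the external provider (constructed).
PUBLIC_ZONE = {
    "www": "203.0.113.10",      # hosted at the ISP
    "server1": "203.0.113.20",  # hosted in a datacenter
    "*": "198.51.100.1",        # wildcard: everything else hits the office router
}

# Internal view: what the IPA server's zone would contain after install (constructed).
INTERNAL_ZONE = {
    "ipa": "192.168.1.10",
    "service1": "192.168.1.20",
}

# Labels LAN clients actually look up (constructed).
NAMES_CLIENTS_USE = ["www", "server1", "service1", "ipa", "whatever"]


@dataclass
class AuditResult:
    shadowed: dict = field(default_factory=dict)    # label -> public answer; NXDOMAIN on the LAN
    diverging: dict = field(default_factory=dict)   # label -> (public, internal); both answer, differently
    consistent: list = field(default_factory=list)  # same answer in both views
    commands: list = field(default_factory=list)    # ipa CLI lines that would mirror explicit public records


def resolve(zone, label):
    """Answer for a label from one view of the zone, honouring a '*' wildcard
    the way an authoritative server would: explicit record first, else wildcard, else None."""
    if label in zone:
        return zone[label]
    return zone.get("*")


def audit(public, internal, names, domain="example.com"):
    """Compare the two views for every name clients use.

    'diverging' is not necessarily wrong: service1 answering with the router's
    public IP outside and a LAN address inside is exactly the port-forwarding
    setup described in the question.  'shadowed' is the maintenance burden the
    reply warns about: each entry needs a manual record in the IPA zone.
    """
    result = AuditResult()
    for label in names:
        pub = resolve(public, label)
        lan = resolve(internal, label)
        if pub is not None and lan is None:
            result.shadowed[label] = pub
            # Only explicit public records can be copied one-to-one; a name that
            # existed only through the public wildcard has no record to mirror.
            if label in public:
                result.commands.append(
                    f"ipa dnsrecord-add {domain} {label} --a-rec={pub}")
        elif pub is not None and lan is not None and pub != lan:
            result.diverging[label] = (pub, lan)
        elif pub == lan:
            result.consistent.append(label)
    return result


if __name__ == "__main__":
    r = audit(PUBLIC_ZONE, INTERNAL_ZONE, NAMES_CLIENTS_USE)
    print("NXDOMAIN on the LAN after IPA takes over example.com:")
    for label, answer in r.shadowed.items():
        print(f"  {label}.example.com (public answer {answer})")
    print("Answers differently inside and outside (review, may be intended):")
    for label, (pub, lan) in r.diverging.items():
        print(f"  {label}.example.com  public={pub}  lan={lan}")
    print("Records to add on the IPA server to close the gaps:")
    for cmd in r.commands:
        print("  " + cmd)
```

Run the audit again after every change to the provider's zone; the `shadowed` list is the set of records you are now committed to keeping in sync by hand, which is the ongoing cost of sharing one domain name across both views.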