On 03/02/15 16:52, Craig White wrote:
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Roberto
*Sent:* Tuesday, February 03, 2015 5:20 AM
*Subject:* [Freeipa-users] basic question on DNS configuration
I can't wait to get freeIPA installed in our small enterprise, but I'd
first like to get a couple of basic things straight.
My first doubt is about the DNS configuration. Currently, we use a
setting that I guess is rather common for small enterprises:
We own an example.com domain which is managed by
the DNS of an external provider.
A couple of subdomains point to public IP addresses outside our local
network (e.g. www.example.com is hosted at
our internet provider, server1.example.com
points at a server hosted in a
All the remaining subdomains (*.example.com) point
at one IP which corresponds to our local router.
Then we use some simple forwarding rules to forward on to machines
that are behind the router (service1.example.com
Internally, because the enterprise is rather small, we are not using a
DNS, but simply /etc/hosts files on each machine. When they can't
resolve whatever.example.com, then the
request goes to the external DNS.
(sorry about the long-ish background information, probably this
configuration is commonly named somehow, but I don't know how)
Now, a first simple question for you guys would be:
When installing freeIPA, with DNS, is the network configuration above
still advisable? Can there be any problem? Or should I rather use a
different domain for the internal network (I would really NOT like
this option, but I'm very interested to know why I should, if that is
A second basic question is:
Would you see any potential problem in installing freeIPA on a FC21
Server which currently hosts Atlassian Jira + Atlassian Stash
(therefore git repositories) + the required mysql databases?
My guess would be that they would not interfere, as:
- httpd (and related ports) is currently unused
- Both Jira and Stash use their own tomcat installation on custom ports
- mysql shouldn't be a problem?
- The machine isn't overloaded at all (4-5 developers use those services)
Am I overlooking something? Obviously I'd rather have a dedicated
freeIPA server, but if the above mentioned coexistence isn't a
problem, then this would be more cost-effective.
Thank you very much for your help, I'm looking forward to this upgrade.
I would recommend that you create a ‘local’ domain for your internal
LAN though you certainly can use your domain name for both the
internal LAN and the external world. Obviously you would have to
create ‘manual’ entries in DNS for the external servers (like
www.example.com) so your internal LAN systems
can resolve it. If you have a ‘local’ domain for your internal LAN,
there aren’t name collisions, no need to manually maintain DNS entries
for off-LAN servers and no confusion of essentially faking your LAN
systems into believing that the IPA server is authoritative for
example.com domain when the rest of the world thinks otherwise. The
choice is yours.
As for using F21 – you get the latest version of FreeIPA which is
something I wish I had here.
Git / Stash / Jira represent a fairly hefty memory footprint even if
there isn’t that much CPU load. If you have the RAM and cpu cores to
handle tossing FreeIPA onto the stack, go for it. You probably will
want a replica too as the replica keeps your LAN running if the
primary server is unavailable for whatever reason and it minimizes
backup needs substantially.
For using a 'local.' domain, please read the following message to avoid issues.
You can't use the 'example.com' zone for internal IPA DNS.
You can create your internal sub-zone, like 'internal.example.com' or
'corp.example.com', where IPA-managed hosts will be added. It is the
preferred solution instead of creating '.local' hostnames. Then you can
set up a global forwarder on the IPA DNS to your external DNS, where names
other than 'internal.example.com' will be resolved.
If I understand correctly, it is an internal network, so you do not need
publicly resolvable domain names.
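The difference the reply above describes (IPA authoritative for the public zone versus authoritative only for a sub-zone with a global forwarder), as an added toy model in Python that is not code from the thread or from FreeIPA; the zone contents, IP addresses and the `external_lookup` stand-in for the provider's DNS are constructed assumptions:

```python
# Added example (not from the thread): a toy model of how an authoritative
# DNS server answers, showing why making IPA authoritative for the public
# zone 'example.com' breaks www.example.com, while a sub-zone
# 'internal.example.com' plus a global forwarder resolves both.
# Zone contents and IPs below are constructed sample data.

EXTERNAL_DNS = {  # what the provider's public DNS returns (constructed)
    "www.example.com": "203.0.113.10",
    "server1.example.com": "203.0.113.20",
    "example.com": "198.51.100.1",  # wildcard catch-all -> the office router
}

def make_resolver(authoritative_zone, zone_records, forwarder):
    """Return resolve(name) for a server authoritative for
    `authoritative_zone` that forwards every other name."""
    def in_zone(name):
        return name == authoritative_zone or name.endswith("." + authoritative_zone)

    def resolve(name):
        if in_zone(name):
            # Authoritative answer: a missing name in its own zone is NXDOMAIN.
            # An authoritative server never forwards queries for its own zone.
            return zone_records.get(name, "NXDOMAIN")
        return forwarder(name)
    return resolve

def external_lookup(name):
    """Stand-in for the provider's DNS, including its *.example.com wildcard."""
    if name in EXTERNAL_DNS:
        return EXTERNAL_DNS[name]
    if name.endswith(".example.com"):
        return EXTERNAL_DNS["example.com"]
    return "NXDOMAIN"

# Design 1 (discouraged in the thread): IPA authoritative for example.com.
ipa_hosts_flat = {"service1.example.com": "192.168.1.10"}
resolve_flat = make_resolver("example.com", ipa_hosts_flat, external_lookup)

# Design 2 (recommended): IPA authoritative only for internal.example.com,
# with a global forwarder to the external DNS for everything else.
ipa_hosts_sub = {"service1.internal.example.com": "192.168.1.10"}
resolve_sub = make_resolver("internal.example.com", ipa_hosts_sub, external_lookup)

if __name__ == "__main__":
    for label, r in (("flat", resolve_flat), ("sub-zone", resolve_sub)):
        for n in ("www.example.com", "service1.example.com",
                  "service1.internal.example.com"):
            print(f"{label}: {n} -> {r(n)}")
```

In design 1 the public host www.example.com gets NXDOMAIN unless it is added to the IPA zone by hand; in design 2 it is forwarded to the provider and resolves normally.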