With a multi-master setup FreeIPA could be considered "resilient"; however,
this is dependent on some other architectural considerations. For our
customers we deploy two per location and put both servers as entries in
/etc/resolv.conf. As FreeIPA service discovery is done with SRV records
this approach seems to just work™.

Using FreeIPA for DNS can be a bit of a double-edged sword because it does
not yet support some of the DNS features essential in complex environments
such as split horizon. For vanilla installations it seems DNS is essential
to FreeIPA's resilience. Trying to do IP failover or other tricks seems to
cause havoc with Kerberos but we never really tried.

On 16 October 2015 at 07:03, Youenn PIOLET <piole...@gmail.com> wrote:

> Hi there.
>
> I'd like to integrate FreeIPA in a multi-location production environment.
> We got servers in US/Europe/South America/Pacific Ocean with some high
> latency links. The parc I manage is a mixed Linux environment with less
> than 1000 servers. I also plan to use FreeIPA as backend for Radius
> authentication on various network equipment.
>
> I plan to deploy a replica architecture similar to the recommendation
> article in the official documentation:
> http://www.freeipa.org/page/Deployment_Recommendations with two replicas
> per region and at least one replica per DC. FreeIPA will become my DNS for
> internal resolution.
>
> FreeIPA servers will run on latest CentOS.
>
> I've got two questions:
>
> 1) Version:
> Should I wait for IPA 4.2 or is IPA 4.1.4 a good / stable / trust-full
> solution for authentication, upgrade, maintainability, resilience? Will
> 4.2.X be too young and unstable for a massive implementation? I'm quite
> interested in 4.2 but don't want to wait too long for a release on
> CentOS. How easy would an upgrade of all replicas from 4.1.4 to 4.2 be in
> an IPA replication topology?
>
> 2) Resiliency:
> How to make FreeIPA service resilient? Is there an official / easy and
> secure way to converge to another IPA server (with DNS?) when a replica is
> down? I've got the chance to work on an MPLS network with the Anycast
> possibility. Is it something workable with FreeIPA/Kerberos?
>
> Thanks in advance for your suggestions
> --
> Youenn Piolet
> piole...@gmail.com
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>