We have a large Windows environment and around 50 RHEL servers (which will grow
to a few hundred in the future). Our goal is to be able to log in with our AD
credentials and have sudo centrally managed. To be able to manage users and
their access/permissions, we are looking into IdM combined with a unidirectional
non-transitive AD trust so our existing AD users can authenticate on the RHEL
I have a few (high level) questions regarding the setup of IdM:
1) There is an integrated DNS component (BIND). Is this component
required? We would like to keep DNS managed by Windows (A and CNAME
records). I have seen that there's a forward-only policy, but what's the point
of that? Can't we just directly use the Windows DNS instead of forwarding,
i.e. point the clients' nameservers to the Windows nameservers? I'm obviously
missing something crucial, sorry :)
2) A Certificate Authority will be installed as well. What's the function
of this CA? Is it required? Can we do a CA-less setup? What are the limitations
of a CA-less setup?
3) Is IPv6 a requirement or can it be disabled?
4) How could disaster recovery be implemented? Is it easy to backup and
5) Is it correct that we can achieve high availability by setting up a
replica IdM server and configuring the clients to use both servers?
Thank you if you can answer any (or maybe all, who knows!) of the questions.
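A small sanity check for question 5, added here as an example and not part of the original post or of the FreeIPA project: on an enrolled client, sssd's ipa provider reads the servers to contact from the ipa_server option in the [domain/...] section of /etc/sssd/sssd.conf, where the special value _srv_ means "discover via DNS SRV records" and a comma-separated list gives the fixed fail-over order. The script below parses that file (a constructed sample is embedded) and reports whether each IdM domain can actually fail over to a second server; the domain and host names are placeholders.

```python
"""Check an sssd.conf for IPA-client fail-over configuration.

Added example (not from the mailing-list thread). Assumes the client was
joined with ipa-client-install and uses sssd's 'ipa' id_provider, whose
[domain/<name>] section lists the IdM servers to try in 'ipa_server'
(_srv_ = look up DNS SRV records; otherwise a comma-separated list).
"""
import configparser
from typing import Dict, List

# Constructed sample: one IPA domain using DNS discovery plus two explicit
# servers (hostnames are placeholders, not from the original post).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = example.com
services = nss, pam

[domain/example.com]
id_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa01.example.com, ipa02.example.com
"""


def ipa_servers(sssd_conf: str) -> Dict[str, List[str]]:
    """Return {domain: [servers]} for every domain section using the ipa provider."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf)
    result: Dict[str, List[str]] = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ipa":
            continue
        raw = cp.get(section, "ipa_server", fallback="")
        servers = [s.strip() for s in raw.split(",") if s.strip()]
        result[section[len("domain/"):]] = servers
    return result


def is_highly_available(servers: List[str]) -> bool:
    """True when the client can fail over: SRV discovery, or two or more explicit servers.

    A single pinned server means a replica exists but this client will never use it.
    """
    explicit = [s for s in servers if s != "_srv_"]
    return "_srv_" in servers or len(explicit) >= 2


def report(sssd_conf: str) -> Dict[str, bool]:
    """Map each IPA domain to whether its client configuration is fail-over capable."""
    return {dom: is_highly_available(srv) for dom, srv in ipa_servers(sssd_conf).items()}


if __name__ == "__main__":
    # On a real client: open("/etc/sssd/sssd.conf").read() instead of the sample.
    for domain, ok in report(SAMPLE_SSSD_CONF).items():
        print(f"{domain}: {'fail-over capable' if ok else 'single server only'}")
```

Note that this only inspects the client side; the replica itself still has to be installed and the relevant DNS SRV records (or the explicit second hostname) must resolve for fail-over to work.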
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project