Re: [Freeipa-users] freeIPA and AD in multi-homed environment

2015-04-28 Thread Dmitri Pal

On 04/28/2015 07:35 AM, Alexander Frolushkin wrote:


Hello. We also planned a relatively large deployment (8 sites, 19 
IPA servers), and for now our experience told us that Red Hat official 
support is a must-have option for IPA in a mission-critical environment.


IPA is still a very fresh solution and it has some issues you may face.

I would say that it is not that fresh; however, it is being constantly 
enhanced and actively developed. That definitely has some impact, so 
having a supported version in production is strongly recommended.



WBR,

Alexander Frolushkin

*From:* freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] *On Behalf Of* Арсений Черняков

*Sent:* Tuesday, April 28, 2015 5:05 PM
*To:* Alexander Bokovoy
*Cc:* freeipa-users@redhat.com
*Subject:* Re: [Freeipa-users] freeIPA and AD in multi-homed environment

Thank you for quick response. So, did I get it right, that this 
limitation is affecting only RedHat support agreement, and not the 
technical side of configuration? We're considering the CentOS 7 
deployment, and we don't have Red Hat support agreement.


Maybe it's a stupid question, but since we don't have support 
agreement, can I still ask questions in RedHat mailing list? (I 
haven't found any forums/KBs/mailing lists dedicated solely to freeIPA 
and CentOS).


2015-04-28 13:26 GMT+03:00 Alexander Bokovoy aboko...@redhat.com:

On Tue, 28 Apr 2015, Арсений Черняков wrote:

  - Hi all.
  I've got a rather big domain environment with 10 distributed locations,
  and I'm considering using FreeIPA as an id manager for linux users and
  servers, alongside with existing AD, using trusts. In every location, there
  are 2 DCs for windows environment, and I'm thinking about deployment of 2
  freeIPA servers for each location, with replicas. This document states that
  I can't use more than 20 servers per IPA domain:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_up_IPA_Replicas.html#replica-topologies

  - No more than 20 servers and replicas should be involved in a single
  Identity Management domain.
  - How strict is this restriction? Is there any way I can deploy freeIPA
  in this situation, assuming that number of locations would increase over
  time? Is there any other limitations to integrate freeIPA in AD?

The limitations described above are for supported configurations
deployed on Red Hat Enterprise Linux. If you want a larger configuration
to be supported, you need to contact your Red Hat representatives and
work out with them exact support statement.


--
/ Alexander Bokovoy






The information contained in this communication is intended solely for 
the use of the individual or entity to whom it is addressed and others 
authorized to receive it. It may contain confidential or legally 
privileged information. The contents may not be disclosed or used by 
anyone other than the addressee. If you are not the intended 
recipient(s), any use, disclosure, copying, distribution or any action 
taken or omitted to be taken in reliance on it is prohibited and may 
be unlawful. If you have received this communication in error please 
notify us immediately by responding to this email and then delete the 
e-mail and all attachments and any copies thereof.







--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] freeIPA and AD in multi-homed environment

2015-04-28 Thread Alexander Frolushkin
Hello. We also planned a relatively large deployment (8 sites, 19 IPA 
servers), and for now our experience told us that Red Hat official support is a 
must-have option for IPA in a mission-critical environment.
IPA is still a very fresh solution and it has some issues you may face.

WBR,
Alexander Frolushkin

From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Арсений Черняков
Sent: Tuesday, April 28, 2015 5:05 PM
To: Alexander Bokovoy
Cc: freeipa-users@redhat.com
Subject: Re: [Freeipa-users] freeIPA and AD in multi-homed environment

Thank you for quick response. So, did I get it right, that this limitation is 
affecting only RedHat support agreement, and not the technical side of 
configuration? We're considering the CentOS 7 deployment, and we don't have Red 
Hat support agreement.

Maybe it's a stupid question, but since we don't have support agreement, can I 
still ask questions in RedHat mailing list? (I haven't found any 
forums/KBs/mailing lists dedicated solely to freeIPA and CentOS).

2015-04-28 13:26 GMT+03:00 Alexander Bokovoy aboko...@redhat.com:
On Tue, 28 Apr 2015, Арсений Черняков wrote:
  - Hi all.
  I've got a rather big domain environment with 10 distributed locations,
  and I'm considering using FreeIPA as an id manager for linux users and
  servers, alongside with existing AD, using trusts. In every location, there
  are 2 DCs for windows environment, and I'm thinking about deployment of 2
  freeIPA servers for each location, with replicas. This document states that
  I can't use more than 20 servers per IPA domain:
  
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_up_IPA_Replicas.html#replica-topologies

  - No more than 20 servers and replicas should be involved in a single
  Identity Management domain.
  - How strict is this restriction? Is there any way I can deploy freeIPA
  in this situation, assuming that number of locations would increase over
  time? Is there any other limitations to integrate freeIPA in AD?
The limitations described above are for supported configurations
deployed on Red Hat Enterprise Linux. If you want a larger configuration
to be supported, you need to contact your Red Hat representatives and
work out with them exact support statement.


--
/ Alexander Bokovoy





Re: [Freeipa-users] freeIPA and AD in multi-homed environment

2015-04-28 Thread Арсений Черняков
Thank you for quick response. So, did I get it right, that this limitation
is affecting only RedHat support agreement, and not the technical side of
configuration? We're considering the CentOS 7 deployment, and we don't have
Red Hat support agreement.

Maybe it's a stupid question, but since we don't have support agreement,
can I still ask questions in RedHat mailing list? (I haven't found any
forums/KBs/mailing lists dedicated solely to freeIPA and CentOS).

2015-04-28 13:26 GMT+03:00 Alexander Bokovoy aboko...@redhat.com:

 On Tue, 28 Apr 2015, Арсений Черняков wrote:

   - Hi all.
   I've got a rather big domain environment with 10 distributed locations,
   and I'm considering using FreeIPA as an id manager for linux users and
   servers, alongside with existing AD, using trusts. In every location, there
   are 2 DCs for windows environment, and I'm thinking about deployment of 2
   freeIPA servers for each location, with replicas. This document states that
   I can't use more than 20 servers per IPA domain:

 https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_up_IPA_Replicas.html#replica-topologies

   - No more than 20 servers and replicas should be involved in a single
   Identity Management domain.
   - How strict is this restriction? Is there any way I can deploy freeIPA
   in this situation, assuming that number of locations would increase over
   time? Is there any other limitations to integrate freeIPA in AD?

 The limitations described above are for supported configurations
 deployed on Red Hat Enterprise Linux. If you want a larger configuration
 to be supported, you need to contact your Red Hat representatives and
 work out with them exact support statement.


 --
 / Alexander Bokovoy


Re: [Freeipa-users] freeIPA and AD in multi-homed environment

2015-04-28 Thread Alexander Bokovoy

On Tue, 28 Apr 2015, Арсений Черняков wrote:

Thank you for quick response. So, did I get it right, that this limitation
is affecting only RedHat support agreement, and not the technical side of
configuration? We're considering the CentOS 7 deployment, and we don't have
Red Hat support agreement.

Technically 389-ds can address up to 65535 replicas but this says
nothing about actual performance which is always a function of your
workload, environment, and a number of other factors.

If you hit any issues, without support contract they would be handled by
a community -- where we all are -- and may involve longer time. I hope it
is clear as people involved are giving out their volunteering effort.


Maybe it's a stupid question, but since we don't have support agreement,
can I still ask questions in RedHat mailing list? (I haven't found any
forums/KBs/mailing lists dedicated solely to freeIPA and CentOS).

This mailing list is part of FreeIPA community, we see here a lot of
questions from different parties using different distributions. It is
hosted by Red Hat but not really tied to Red Hat.

Still, if you have concerns on getting your whole infrastructure
depending on free software solutions, there are solution providers that
would be happy to help you in deploying and supporting them. Just don't
expect their contract obligations necessarily extend to the community
mailing list.  :)

--
/ Alexander Bokovoy


Re: [Freeipa-users] freeIPA and AD in multi-homed environment

2015-04-28 Thread Alexander Bokovoy

On Tue, 28 Apr 2015, Арсений Черняков wrote:

  - Hi all.
  I've got a rather big domain environment with 10 distributed locations,
  and I'm considering using FreeIPA as an id manager for linux users and
  servers, alongside with existing AD, using trusts. In every location, there
  are 2 DCs for windows environment, and I'm thinking about deployment of 2
  freeIPA servers for each location, with replicas. This document states that
  I can't use more than 20 servers per IPA domain:
  
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/Setting_up_IPA_Replicas.html#replica-topologies

  - No more than 20 servers and replicas should be involved in a single
  Identity Management domain.
  - How strict is this restriction? Is there any way I can deploy freeIPA
  in this situation, assuming that number of locations would increase over
  time? Is there any other limitations to integrate freeIPA in AD?

The limitations described above are for supported configurations
deployed on Red Hat Enterprise Linux. If you want a larger configuration
to be supported, you need to contact your Red Hat representatives and
work out with them exact support statement.


--
/ Alexander Bokovoy
