Ronald Wimmer via FreeIPA-users wrote:
> After upgrading to OL 8.1 and replacing all of my 8 IPA servers I ran
> into this particular problem.
>
> Is it right that I need to have an ID range where all DNA ranges have to
> fit in? And that the DNA range of each IPA server has to be distinct
> from the ranges of the other IPA servers?
>
> I will start by checking each IPA server with
>
> ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
>
> (according to what Rob wrote on his blog some years ago
> https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )

Not every master has to have a range. Only those masters that you create users and groups on.

The DNA plugin should be smart enough to skip any conflicting allocations but why press it? It isn't a whole lot of extra work to manually set things up if you have to do that anyway and you can sleep better knowing that duplicate values aren't possible.

Yes, it needs to fit within any IPA ranges you have created. You can have more than one. Otherwise you could theoretically end up in a conflict with other ranges, like a trust, which would be bad.

There is nothing constraining what DNA range you set. The IPA ranges are there for a hint.

rob
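
The two constraints discussed in this thread (per-master DNA ranges that do not overlap, and that fit inside an IPA ID range) can be checked offline once the values have been collected from each master. The following is an added example, not part of the original messages or of FreeIPA; hostnames and numbers are constructed, and two points are assumptions: a master whose dnaMaxValue is below its dnaNextValue is treated as holding no range, and a DNA range is expected to sit inside a single IPA range.

```python
from itertools import combinations

# Constructed sample values, as read per master from dnaNextValue / dnaMaxValue
# in the 'cn=Posix IDs' plugin entry. Hostnames are hypothetical.
DNA = {
    "ipa1.example.test": (100000, 149999),
    "ipa2.example.test": (150000, 199999),
    "ipa3.example.test": (190000, 209999),  # overlaps ipa2, runs past the IPA range
    "ipa4.example.test": (1101, 1100),      # max < next: treated as "no range"
}
# Constructed local IPA ID ranges as (ipaBaseID, ipaIDRangeSize).
IPA_RANGES = [(100000, 100000)]


def active(dna):
    """Drop masters that hold no range (assumption: max < next means none)."""
    return {m: (lo, hi) for m, (lo, hi) in dna.items() if hi >= lo}


def overlaps(dna):
    """Pairs of masters whose inclusive DNA spans share at least one ID."""
    spans = sorted(active(dna).items())
    return [(a, b)
            for (a, (alo, ahi)), (b, (blo, bhi)) in combinations(spans, 2)
            if alo <= bhi and blo <= ahi]


def outside(dna, ipa_ranges):
    """Masters whose DNA span is not fully inside a single IPA ID range."""
    bounds = [(base, base + size - 1) for base, size in ipa_ranges]
    return sorted(m for m, (lo, hi) in active(dna).items()
                  if not any(b_lo <= lo and hi <= b_hi for b_lo, b_hi in bounds))


if __name__ == "__main__":
    for a, b in overlaps(DNA):
        print(f"OVERLAP: {a} and {b}")
    for m in outside(DNA, IPA_RANGES):
        print(f"OUTSIDE IPA RANGES: {m}")
```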
