Ronald Wimmer wrote:
> On 10.09.20 17:35, Rob Crittenden wrote:
>> Ronald Wimmer via FreeIPA-users wrote:
>>>
>>> Quoting Rob Crittenden <[email protected]>:
>>>
>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>> On 06.07.20 19:52, Rob Crittenden wrote:
>>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>>> After upgrading to OL 8.1 and replacing all of my 8 IPA servers I ran into this particular problem.
>>>>>>>
>>>>>>> Is it right that I need to have an ID range where all DNA ranges have to fit in? And that the DNA range of each IPA server has to be distinct from the ranges of the other IPA servers?
>>>>>>>
>>>>>>> I will start by checking each IPA server with
>>>>>>>
>>>>>>> ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
>>>>>>>
>>>>>>> (according to what Rob wrote on his blog some years ago https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )
>>>>>>
>>>>>> Not every master has to have a range. Only those masters that you create users and groups on. The DNA plugin should be smart enough to skip any conflicting allocations but why press it? It isn't a whole lot of extra work to manually set things up if you have to do that anyway and you can sleep better knowing that duplicate values aren't possible.
>>>>>>
>>>>>> Yes, it needs to fit within any IPA ranges you have created. You can have more than one.
>>>>>>
>>>>>> Otherwise you could theoretically end up in a conflict with other ranges, like a trust, which would be bad.
>>>>>>
>>>>>> There is nothing constraining what DNA range you set. The IPA ranges are there for a hint.
>>>>>
>>>>> So. If my ID range for the IPA domain is
>>>>>
>>>>> ID Range
>>>>> 1246600000
>>>>> 1246800000
>>>>>
>>>>> I could set the DNA ranges like that:
>>>>>
>>>>> DNA Range ipa1
>>>>> 1246600001
>>>>> 1246620001
>>>>>
>>>>> DNA Range ipa2
>>>>> 1246620002
>>>>> 1246640002
>>>>>
>>>>> DNA Range ipa3
>>>>> 1246640003
>>>>> 1246660003
>>>>>
>>>>> DNA Range ipa4
>>>>> 1246660004
>>>>> 1246680004
>>>>>
>>>>> DNA Range ipa5
>>>>> 1246680005
>>>>> 1246700005
>>>>>
>>>>> DNA Range ipa6
>>>>> 1246700006
>>>>> 1246720006
>>>>>
>>>>> DNA Range ipa7
>>>>> 1246720007
>>>>> 1246740007
>>>>>
>>>>> DNA Range ipa8
>>>>> 1246740008
>>>>> 1246760008
>>>>>
>>>>> Do you agree?
>>>>>
>>>>> Do I have to use ldapmodify or could I use
>>>>>
>>>>> ipa-replica-manage dnarange-set ipa1.mydomain.at 1246600001-1246620001 ?
>>>>
>>>> You can use ipa-replica-manage.
>>>>
>>>> As I write in the blog, not every server is required to have a range set. It is only needed on servers that users will be created on and it will ask its peers for a range if a need arises.
>>>>
>>>> So sure, you can micromanage it like this if you want but if you create another server and it needs a range it will split one of these.
>>>
>>> The thing is that I put a loadbalancer in front of all the eight IPA servers (so that users can access the Web GUI like ipa.linux.mydomain.at where the actual servers are blabla2-8.linux.mydomain.at). When accessing the web interface the user does not know on which IPA server he ended up. In this scenario every IPA server would need a range of its own, right?
>>
>> Seems so. Again, it's not exactly wrong to manually do it, you just lose some automation and risk splitting the values deeply when creating new masters so just keep this in mind. You may have to manually re-adjust at some point.
>
> How exactly would that look in a fresh IPA installation? Would every IPA server have its own range?
It depends. Only the first server is allocated a range. If any additional servers are added they will only get a range if they add an entry that requires the range (user or group).

rob
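An added example (not from the thread or the FreeIPA project) that automates the two checks discussed above: it parses the `dnaNextValue`/`dnaMaxValue` attributes from the `ldapsearch` output of each server and verifies that every held DNA range fits inside the IPA ID range and that no two servers' ranges overlap. The LDIF snippets are constructed; ipa1/ipa2 use the plan from the thread, ipa3 is a server holding no range (dnaNextValue past dnaMaxValue, the state Rob's blog post describes), and the ID range is read as inclusive first/last IDs, which is an assumption.

```python
import re
from itertools import combinations

# Constructed ldapsearch (LDIF) output per server, as the query in the thread returns it.
SAMPLE_LDIF = {
    "ipa1": "dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config\n"
            "dnaNextValue: 1246600001\ndnaMaxValue: 1246620001\n",
    "ipa2": "dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config\n"
            "dnaNextValue: 1246620002\ndnaMaxValue: 1246640002\n",
    # Constructed: a server that never allocated a range (next value beyond max value).
    "ipa3": "dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config\n"
            "dnaNextValue: 1101\ndnaMaxValue: 1100\n",
}
# Assumption: the post's "ID Range" lines are the inclusive first and last ID.
ID_FIRST, ID_LAST = 1246600000, 1246800000


def parse_dna(ldif):
    """Return (next, max) from the DNA plugin entry, or None if the server holds no range."""
    nxt = re.search(r"^dnaNextValue:\s*(\d+)", ldif, re.M)
    mx = re.search(r"^dnaMaxValue:\s*(\d+)", ldif, re.M)
    if not nxt or not mx:
        raise ValueError("dnaNextValue/dnaMaxValue missing from LDIF")
    nxt, mx = int(nxt.group(1)), int(mx.group(1))
    return None if nxt > mx else (nxt, mx)


def check_ranges(ranges, id_first=ID_FIRST, id_last=ID_LAST):
    """ranges: {server: (next, max) or None}. Return a list of problems (empty = OK)."""
    problems = []
    held = {s: r for s, r in ranges.items() if r is not None}
    for s, (lo, hi) in held.items():
        if lo < id_first or hi > id_last:
            problems.append(f"{s}: DNA range {lo}-{hi} is outside ID range {id_first}-{id_last}")
    for (a, ra), (b, rb) in combinations(held.items(), 2):
        # Two inclusive intervals overlap when each starts no later than the other ends.
        if ra[0] <= rb[1] and rb[0] <= ra[1]:
            problems.append(f"{a} ({ra[0]}-{ra[1]}) overlaps {b} ({rb[0]}-{rb[1]})")
    return problems


def audit(ldif_by_server):
    """Parse every server's LDIF and run the checks; servers without a range are skipped."""
    return check_ranges({s: parse_dna(l) for s, l in ldif_by_server.items()})


if __name__ == "__main__":
    for p in audit(SAMPLE_LDIF) or ["all DNA ranges are disjoint and within the ID range"]:
        print(p)
```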
