After upgrading to OL 8.1 and replacing all of my 8 IPA servers I ran into this particular problem.
Is it right that I need to have an ID range where all DNA ranges have to fit in? And that the DNA range of each IPA server has to be distinct from the ranges of the other IPA servers?
I will start by checking each IPA server with
ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
(according to what Rob wrote on his blog some years ago https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )
Cheers, Ronald
Ronald Wimmer via FreeIPA-users wrote:
> Is it right that I need to have an ID range where all DNA ranges have to fit in? And that the DNA range of each IPA server has to be distinct from the ranges of the other IPA servers?
Not every master has to have a range. Only those masters that you create users and groups on. The DNA plugin should be smart enough to skip any conflicting allocations but why press it? It isn't a whole lot of extra work to manually set things up if you have to do that anyway and you can sleep better knowing that duplicate values aren't possible.
Yes, it needs to fit within any IPA ranges you have created. You can have more than one.
Otherwise you could theoretically end up in a conflict with other ranges, like a trust, which would be bad.
There is nothing constraining what DNA range you set. The IPA ranges are there for a hint.
rob
On 06.07.20 19:52, Rob Crittenden wrote:
> Yes, it needs to fit within any IPA ranges you have created. You can have more than one.
> There is nothing constraining what DNA range you set. The IPA ranges are there for a hint.
So. If my ID range for the IPA domain is
ID Range 1246600000 1246800000
I could set the DNA ranges like that:
DNA Range ipa1 1246600001 1246620001
DNA Range ipa2 1246620002 1246640002
DNA Range ipa3 1246640003 1246660003
DNA Range ipa4 1246660004 1246680004
DNA Range ipa5 1246680005 1246700005
DNA Range ipa6 1246700006 1246720006
DNA Range ipa7 1246720007 1246740007
DNA Range ipa8 1246740008 1246760008
Do you agree?
Do I have to use ldapmodify or could I use
ipa-replica-manage dnarange-set ipa1.mydomain.at 1246600001-1246620001 ?
Cheers, Ronald
Ronald Wimmer via FreeIPA-users wrote:
> Do you agree?
> Do I have to use ldapmodify or could I use
> ipa-replica-manage dnarange-set ipa1.mydomain.at 1246600001-1246620001 ?
You can use ipa-replica-manage.
As I write in the blog, not every server is required to have a range set. It is only needed on servers that users will be created on and it will ask its peers for a range if a need arises.
So sure, you can micromanage it like this if you want but if you create another server and it needs a range it will split one of these.
rob
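Rob's two conditions above (every DNA range must sit inside an IPA ID range, and no two servers may hand out the same values) and Ronald's proposed eight-way split are easy to check mechanically before running ipa-replica-manage. The following script is an added example for this thread, not part of the FreeIPA tooling or of either poster's mail. It takes the ID range and the per-server DNA ranges as plain numbers (copied here from Ronald's table as constructed input; on a real deployment they would come from `ipa idrange-find` and `ipa-replica-manage dnarange-show`), can also pull a single server's remaining range out of the ldapsearch output from the first mail (the dnaNextValue/dnaMaxValue attribute names are the real 389-ds ones, the sample LDIF values are made up), and reports any range that is exhausted, outside the ID range, or overlapping another server. The `mydomain.at` suffix is a hypothetical stand-in for the site's real domain.

```python
import re
from itertools import combinations
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # inclusive (first, last)

# Constructed input: the IPA ID range and the eight per-server DNA ranges
# proposed in the thread, copied from Ronald's table.
ID_RANGES: List[Range] = [(1246600000, 1246800000)]

PROPOSED_DNA_RANGES: Dict[str, Range] = {
    "ipa1": (1246600001, 1246620001),
    "ipa2": (1246620002, 1246640002),
    "ipa3": (1246640003, 1246660003),
    "ipa4": (1246660004, 1246680004),
    "ipa5": (1246680005, 1246700005),
    "ipa6": (1246700006, 1246720006),
    "ipa7": (1246720007, 1246740007),
    "ipa8": (1246740008, 1246760008),
}

# Constructed LDIF in the shape ldapsearch prints for the DNA plugin config
# entry queried in the thread. dnaNextValue/dnaMaxValue are the real 389-ds
# attribute names; the numbers are made up for this example.
SAMPLE_LDIF = """\
dn: cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Posix IDs
dnaType: uidNumber
dnaType: gidNumber
dnaNextValue: 1246600042
dnaMaxValue: 1246620001
"""


def parse_dna_ldif(ldif: str) -> Range:
    """Extract (dnaNextValue, dnaMaxValue), i.e. what the server can still
    hand out, from one server's ldapsearch output."""
    found: Dict[str, int] = {}
    for line in ldif.splitlines():
        m = re.match(r"^(dnaNextValue|dnaMaxValue):\s*(-?\d+)\s*$", line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found["dnaNextValue"], found["dnaMaxValue"]


def check_dna_ranges(id_ranges: List[Range], dna_ranges: Dict[str, Range]) -> List[str]:
    """Return human-readable problems; an empty list means every server's
    range is non-empty, lies inside some IPA ID range and overlaps no other."""
    problems: List[str] = []
    live: Dict[str, Range] = {}
    for server, (lo, hi) in dna_ranges.items():
        if lo > hi:
            # dnaNextValue already past dnaMaxValue: nothing left to allocate
            problems.append(f"{server}: range {lo}-{hi} is exhausted")
            continue
        live[server] = (lo, hi)
        if not any(base <= lo and hi <= last for base, last in id_ranges):
            problems.append(f"{server}: range {lo}-{hi} is outside every IPA ID range")
    # Pairwise overlap test over the non-empty ranges (n is small, so O(n^2) is fine)
    for a, b in combinations(sorted(live), 2):
        a_lo, a_hi = live[a]
        b_lo, b_hi = live[b]
        if a_lo <= b_hi and b_lo <= a_hi:
            problems.append(f"{a} ({a_lo}-{a_hi}) overlaps {b} ({b_lo}-{b_hi})")
    return problems


def dnarange_set_commands(dna_ranges: Dict[str, Range], domain: str) -> List[str]:
    """Render the ipa-replica-manage invocations, in the syntax used in the
    thread, that would apply a proposed layout. The domain is hypothetical."""
    return [f"ipa-replica-manage dnarange-set {server}.{domain} {lo}-{hi}"
            for server, (lo, hi) in sorted(dna_ranges.items())]


if __name__ == "__main__":
    for problem in check_dna_ranges(ID_RANGES, PROPOSED_DNA_RANGES) or ["proposal is clean"]:
        print(problem)
    print("remaining on sampled server:", parse_dna_ldif(SAMPLE_LDIF))
    print("\n".join(dnarange_set_commands(PROPOSED_DNA_RANGES, "mydomain.at")))
```

Run it once with the proposal to confirm it reports no problems, and again after collecting each server's live dnaNextValue/dnaMaxValue pair: the live pairs are what actually matters, since a server whose next value has run past its maximum has no range left and will go asking its peers for a split, which is exactly the automatic behaviour Rob describes.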
Quoting Rob Crittenden rcritten@redhat.com:
> As I write in the blog, not every server is required to have a range set. It is only needed on servers that users will be created on and it will ask its peers for a range if a need arises.
The thing is that I put a load balancer in front of all the eight IPA servers (so that users can access the Web GUI like ipa.linux.mydomain.at where the actual servers are blabla2-8.linux.mydomain.at). When accessing the web interface the user does not know on which IPA server he ended up. In this scenario every IPA server would need a range of its own, right?
Cheers, Ronald
Ronald Wimmer via FreeIPA-users wrote:
> In this scenario every IPA server would need a range of its own, right?
Seems so. Again, it's not exactly wrong to manually do it, you just lose some automation and risk splitting the values deeply when creating new masters so just keep this in mind. You may have to manually re-adjust at some point.
rob
On 10.09.20 17:35, Rob Crittenden wrote:
> Seems so. Again, it's not exactly wrong to manually do it, you just lose some automation and risk splitting the values deeply when creating new masters so just keep this in mind. You may have to manually re-adjust at some point.
How exactly would that look in a fresh IPA installation? Would every IPA server have its own range?
Cheers, Ronald
Ronald Wimmer wrote:
> How exactly would that look in a fresh IPA installation? Would every IPA server have its own range?
It depends. Only the first server is allocated a range. If any additional servers are added they will only get a range if they add an entry that requires the range (user or group).
rob
freeipa-users@lists.fedorahosted.org