Hi All
I hope this is the appropriate forum for this question.
Can I get some feedback on the overall experience of setting up and running FreeIPA? I am looking at implementing FreeIPA to enhance/replace an OpenLDAP environment.
So please share any horror/success stories.
Rgds
Duncan
Hi Duncan
A few things I've learned:
Understand how replication agreements work as part of your planning.
Choose a suitable location for the live CA server.
Deploy a replica by promoting an sssd client. Unless you have a reason not to, always use --setup-ca with the ipa-replica-install command to give the flexibility of having any of your replicas take over the role of CA if needed (we've certainly moved our CA from site to site before now).
I wish I'd set up DNS within FreeIPA and had a mini DNS domain just for the FreeIPA systems themselves. We implemented our original IPAs into our existing DNS at site 1; now when deploying replicas in site 2 - which has an existing, different DNS domain - we've had to extend the DNS of site 1 into site 2 just for the replicas there in site 2. So now we have nodes in site 2 with DNS names used only in site 1 - this will only spread more and more as we extend into other sites. FreeIPA servers must be in the same DNS domain, that's all. sssd clients can be in any DNS domain.
Best practice recommends having at least 2 IPA replicas per site; however, due to network constraints (I think promoting an sssd client to a replica requires connectivity to all other replicas, but one of our sites with working replicas is not reachable from this remote site) we have an entire remote site connecting to 2 IPA servers in 2 other locations, each location having its own IPsec tunnel to the remote site - so far this works really well.
Overall, a good experience, the ssh-key/sudo/hbac facilities are excellent. sssd on the clients is really good too, completely replaces legacy tools like nscd (woohoo!)
Regards Angus
On 8 May 2018 at 11:23, Duncan Colhoun via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: [quoted original message, as at the top of the thread]
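As an added example that is not part of Angus's reply or of the FreeIPA project, here is a POSIX shell pre-flight script covering the points he raises before promoting a client: that the candidate host sits in the IPA servers' DNS domain, that every existing master resolves from the candidate, and how many servers currently hold the CA role before --setup-ca adds another. It assumes an already enrolled client with an admin Kerberos ticket and the ipa CLI; the hostnames and the sample role listing are constructed, and the listing's layout is assumed from the CLI's usual name/value output.

```shell
#!/bin/sh
# Added example, not code from the thread: pre-flight checks before promoting
# an enrolled client to a FreeIPA replica with its own CA, following the advice
# above (one DNS domain for all servers, --setup-ca on every replica).
# Assumptions: the client is already enrolled, an admin Kerberos ticket is
# held, and the `ipa` CLI is installed. Hostnames below are constructed.

# All FreeIPA servers must live in one DNS domain (clients may use any).
# Returns 0 when the FQDN in $1 sits directly under the domain in $2.
same_domain() {
    fqdn=$1
    domain=$2
    [ "${fqdn#*.}" = "$domain" ]
}

# Constructed sample of `ipa server-role-find --role "CA server"` output
# (layout assumed from the CLI's usual name/value listing), used when the
# script runs without a live IPA server.
SAMPLE_ROLES='----------------------
3 server roles matched
----------------------
  Server name: ipa1.ipa.example.com
  Role name: CA server
  Role status: enabled

  Server name: ipa2.ipa.example.com
  Role name: CA server
  Role status: enabled

  Server name: ipa3.ipa.example.com
  Role name: CA server
  Role status: absent
----------------------------
Number of entries returned 3
----------------------------'

# Print the servers whose CA role is enabled, space separated, from the
# listing passed in $1. Two or more means the CA role can fail over.
ca_servers_from_roles() {
    printf '%s\n' "$1" | awk '
        /Server name:/ { srv = $3 }
        /Role status:/ { if ($3 == "enabled") { printf "%s%s", sep, srv; sep = " " } }
        END { print "" }'
}

# Number of whitespace separated words in $1.
count_words() {
    set -- $1
    echo $#
}

# Live checks; only run where the ipa CLI exists.
preflight() {
    candidate=$(hostname -f)
    # `ipa env domain` prints a line like "domain: ipa.example.com"
    ipa_domain=$(ipa env domain | awk '{ print $2 }')

    if ! same_domain "$candidate" "$ipa_domain"; then
        echo "FAIL: $candidate is not in the IPA domain $ipa_domain; servers must share one DNS domain" >&2
        return 1
    fi

    # Promotion talks to the existing masters, so make sure each one resolves
    # from here (a cheap proxy for the connectivity the thread mentions).
    for srv in $(ipa server-find | awk '/Server name:/ { print $3 }'); do
        getent hosts "$srv" >/dev/null || { echo "FAIL: cannot resolve $srv" >&2; return 1; }
    done

    cas=$(ca_servers_from_roles "$(ipa server-role-find --role 'CA server')")
    echo "CA-enabled servers: $cas ($(count_words "$cas") total)"
    echo "Promote with:  ipa-replica-install --setup-ca   # add --setup-dns if IPA serves DNS"
    echo "An existing replica can gain the CA later with ipa-ca-install; the renewal"
    echo "master is moved with: ipa config-mod --ca-renewal-master-server <fqdn>"
}

if command -v ipa >/dev/null 2>&1; then
    preflight
else
    echo "ipa CLI not found; parsing the constructed sample instead:"
    ca_servers_from_roles "$SAMPLE_ROLES"
fi
```

The domain check is the one that bites in Angus's scenario: a client in a second site's domain can be enrolled, but it cannot become a server there without the first site's DNS domain being extended, which is why a dedicated mini domain for the IPA servers avoids the spread he describes.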
Main gripe (which doesn't have any plans for resolution) - no facility for read-only replicas in untrusted sites.
On 8 May 2018 at 12:04, Angus Clarke <subscriptions@angusclarke.com> wrote: [quoted reply, as above]
Hi,
Duncan Colhoun via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
Can I get some feedback on the overall experience of setting up and running FreeIPA? I am looking at implementing FreeIPA to enhance/replace an OpenLDAP environment.
I'm running a small FreeIPA (2 servers) installation in a family network. Install is easy, administration is also easy. I'm really happy with SSO and CA for internal SSL servers.
Be prepared to read the Red Hat manuals, and when problems show up, don't hesitate to ask here. I found most fixes in the archive, but reading this list helped too. The developers are really helpful and friendly.
So please share any horror/success stories.
I'm not comfortable resolving replication conflicts, but they really are exceptional events.
Jochen
The basic technology is solid and the admin tools reasonable. However, it has the same problems as all large, integrated systems: if the system isn’t in exactly the state they expect, significant administrative operations such as upgrading versions or adding a replica will fail. Those things are done by Python code with large libraries. If you have to debug it and you’re not familiar with the code, it can take a while. It’s not common, but we’ve run into a couple of failures, both on version upgrade and adding a replica.
My impression is that the cert code is the most trouble-prone. If you don’t need it to manage certificates, install it without that facility. You can’t change once it’s installed, as far as I can see: I think you can add a cert system, but I don’t believe you can remove it.
It’s kind of hard to come up with any reasonable alternatives to IPA though, if you need what it does. If you need Kerberos and user management, particularly if you need redundant servers or two-factor authentication (we needed both), it would be a real challenge to do it any other way (other than using Active Directory, and that has issues of its own, and getting two-factor working in Linux might not be practical).
Run the ipa servers in VMs. Before doing upgrades, copy the VMs and try the upgrade in the copy. VMs also simplify backups. You can just snapshot all the systems. That gives you a clean, consistent backup. (Indeed some of the documentation implies that the alternative ways of doing backup have enough issues that running in VMs is the only reasonable approach.)
I didn’t start out to do IPA. I needed a new Kerberos server. (Ours was so out of date that updating was impractical.) I also wanted to replace a bunch of semi-consistent NIS domains with good central management. I looked at doing MIT Kerberos and OpenLDAP. But then I’d have to build management tools. It looked like the IPA designers had thought about most of the things we’d need. The Unix traditionalist in me still hates huge Python-based systems. But I think IPA is kind of inevitable if you need what it does.
Note that I’m using the copy that’s bundled with CentOS. I think that’s more likely to work than installing FreeIPA over a random OS. The systems you’re managing don’t have to be CentOS. But for the servers I strongly recommend Red Hat or CentOS.
On May 8, 2018, at 5:23:58 AM, Duncan Colhoun via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote: [quoted original message, as at the top of the thread]