On Tue, 28 Oct 2025, Ronald Wimmer via FreeIPA-users wrote:
> On 10/28/25 11:49, Ronald Wimmer via FreeIPA-users wrote:
>> Is it feasible to operate a single central IPA instance (with one
>> IPA realm) that serves several IPA domains?
>>
>> Since we have firewalls between the central instance and the
>> individual domains, what do we need to take into account besides
>> what’s mentioned in Red Hat solution 357673? We no longer have any
>> AD trusts in place.
>>
>> As far as I understand, IPA clients in each domain would need to
>> communicate directly with the central instance, since the IPA
>> architecture doesn’t support proxy or relay servers in each domain —
>> is that correct?
>>
>> Any insights or experiences on this setup would be greatly appreciated!
>
> Follow-up question:
>
> Would it work to place one FreeIPA replica per site (per DNS domain),
> so that the central instance communicates with these replicas, and
> clients in each site only talk to their local replica?

That's what a lot of deployments look like, nothing extraordinary.
You may search here in the archives, we had discussions in the past about
a similar setup where there are separate nodes in different AWS regions.
Replicas have to be able to communicate with each other but clients only
need to talk to the replicas.

> The goal would be to keep all clients within a single FreeIPA realm
> but reduce cross-site traffic through the firewalls.

As long as you pin clients to the servers in the specific site, they
should be fine.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
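
Added example (not part of the original thread and not FreeIPA project code): a check that a client's sssd.conf is pinned to its site-local replicas, as the reply above recommends. It assumes SSSD's `ipa_server` option and its `_srv_` discovery keyword; the host names and the `audit_pinning` helper are hypothetical.

```python
import configparser

# Constructed sample: sssd.conf of a client in a hypothetical "site-a".
SAMPLE_SSSD_CONF = """
[sssd]
domains = ipa.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
ipa_domain = ipa.example.test
ipa_server = ipa1.site-a.example.test, _srv_, ipa1.site-b.example.test
"""


def audit_pinning(conf_text, allowed_servers):
    """Return (section, message) findings for every IPA domain section that
    is not pinned exclusively to the replicas listed in allowed_servers."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    allowed = {s.lower() for s in allowed_servers}
    findings = []
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        if parser.get(section, "id_provider", fallback="") != "ipa":
            continue
        raw = parser.get(section, "ipa_server", fallback="")
        servers = [s.strip().lower() for s in raw.split(",") if s.strip()]
        if not servers:
            # No explicit list: SSSD falls back to DNS SRV discovery.
            findings.append((section, "ipa_server unset: DNS SRV discovery is used"))
        for server in servers:
            if server == "_srv_":
                findings.append((section, "_srv_ present: DNS SRV discovery can pick any replica"))
            elif server not in allowed:
                findings.append((section, f"{server} is not a site-local replica"))
    return findings


if __name__ == "__main__":
    site_a = ["ipa1.site-a.example.test"]  # hypothetical site-local replica
    for section, message in audit_pinning(SAMPLE_SSSD_CONF, site_a):
        print(f"{section}: {message}")
```

An empty result means every IPA domain section lists only site-local replicas, so client traffic stays on the local side of the firewall.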