Re: [Freeipa-users] Some high level questions (DNS & CA)
On 3.3.2016 13:26, Martin Basti wrote:
> Hello,
>
> comments inline
>
> On 03.03.2016 13:11, Geselle Stijn wrote:
>>
>> Hello,
>>
>> We have a large Windows environment and around 50 RHEL servers (which will
>> grow to a few hundred in the future). Our goal is to be able to log in with
>> our AD credentials and have sudo centrally managed. To be able to manage
>> users and their access/permissions we are looking into IdM combined with a
>> unidirectional non-transitive AD-trust so our existing AD users can
>> authenticate on the RHEL servers.
>>
>> I have a few (high level) questions regarding the setup of IdM:
>>
>> 1) There is an integrated DNS component (BIND). Is this component required?
>> Because we would like to keep DNS managed by Windows (A and CNAME records).
>> I have seen that there’s a forward only policy, but what’s the point of
>> that? Can’t we just directly use the Windows DNS then instead of forwarding,
>> i.e. point the client’s nameservers to the Windows nameservers? I’m
>> obviously missing something crucial, sorry :)
>>
> DNS subsystem is optional, you can use Windows DNS for IPA (manual
> configuration needed for each replica)

Today we released a new version of the docs, please see
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/ipa-linux-services.html#dns
for further details regarding DNS.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
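The reply above says the Windows DNS can serve the IPA domain as long as the records each IPA server needs are added by hand, and repeated for every replica. As an added example (not code from this thread and not part of FreeIPA), here is a PowerShell script for the Windows DNS side that creates that record set for each server. The zone, realm, hostnames and addresses are placeholders. The record list is what I expect ipa-server-install and ipa-replica-install to print when run without their own DNS, plus the _msdcs records ipa-adtrust-install needs so that AD can locate IPA through the trust; check it against the file those installers tell you to load into your DNS before relying on it.

```powershell
# Added example, not from the thread or from FreeIPA.
# Creates, in a Windows-hosted zone, the records every IPA server needs
# when the IPA DNS subsystem is not installed. All names and addresses
# below are placeholders; compare the record set with the one
# ipa-server-install / ipa-replica-install / ipa-adtrust-install print.
$Zone  = 'ipa.example.com'     # IPA DNS domain; for a trust it must differ from the AD domain
$Realm = 'IPA.EXAMPLE.COM'     # IPA Kerberos realm
$Ttl   = New-TimeSpan -Hours 1

# Each IPA server (first master and every replica) gets its own copy of the SRV set.
$Servers = @(
    @{ Name = 'ipa1'; Host = 'ipa1.ipa.example.com'; IPv4 = '192.0.2.10' },
    @{ Name = 'ipa2'; Host = 'ipa2.ipa.example.com'; IPv4 = '192.0.2.11' }
)

# Core service records (name relative to $Zone, port) for clients of the IPA domain.
$CoreSrv = @(
    @{ Name = '_ldap._tcp';            Port = 389 },
    @{ Name = '_kerberos._tcp';        Port = 88  },
    @{ Name = '_kerberos._udp';        Port = 88  },
    @{ Name = '_kerberos-master._tcp'; Port = 88  },
    @{ Name = '_kerberos-master._udp'; Port = 88  },
    @{ Name = '_kpasswd._tcp';         Port = 464 },
    @{ Name = '_kpasswd._udp';         Port = 464 }
)

# Records AD domain controllers use to locate IPA "DCs" across the trust.
$TrustSrv = @(
    @{ Name = '_ldap._tcp.dc._msdcs';                                     Port = 389 },
    @{ Name = '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs';      Port = 389 },
    @{ Name = '_kerberos._tcp.dc._msdcs';                                 Port = 88  },
    @{ Name = '_kerberos._udp.dc._msdcs';                                 Port = 88  },
    @{ Name = '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs';  Port = 88  },
    @{ Name = '_kerberos._udp.Default-First-Site-Name._sites.dc._msdcs';  Port = 88  }
)

# Realm discovery: IPA clients read the realm name from this TXT record.
Add-DnsServerResourceRecord -Txt -ZoneName $Zone -Name '_kerberos' `
    -DescriptiveText $Realm -TimeToLive $Ttl

foreach ($s in $Servers) {
    # Host record for the server itself.
    Add-DnsServerResourceRecord -A -ZoneName $Zone -Name $s.Name `
        -IPv4Address $s.IPv4 -TimeToLive $Ttl

    # ipa-ca: one A record per server that runs the IPA CA, so certificate
    # clients (cert requests, CRL/OCSP) still resolve if one server is down.
    # Leave this out for a CA-less installation.
    Add-DnsServerResourceRecord -A -ZoneName $Zone -Name 'ipa-ca' `
        -IPv4Address $s.IPv4 -TimeToLive $Ttl

    # SRV records pointing at this server; equal priority/weight gives
    # clients a choice between replicas instead of a fixed order.
    foreach ($r in ($CoreSrv + $TrustSrv)) {
        Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name $r.Name `
            -DomainName $s.Host -Priority 0 -Weight 100 -Port $r.Port -TimeToLive $Ttl
    }
}

# Check: every SRV name should now answer with one target per IPA server.
foreach ($r in ($CoreSrv + $TrustSrv)) {
    Resolve-DnsName -Type SRV -Name "$($r.Name).$Zone" |
        Select-Object Name, NameTarget, Port
}
```

Run it on the DNS server (or any host with the DnsServer module and rights on the zone) once per new replica, adding the replica to $Servers first; the same records have to be removed again when a replica is decommissioned, which is the ongoing "manual configuration" the reply refers to. If the IPA DNS subsystem is installed instead, the installers create all of this themselves and the Windows side only needs a delegation or conditional forwarder for the IPA subdomain, which is where the forwarding policy from the question comes in.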
[Freeipa-users] Some high level questions (DNS & CA)
Hello,

We have a large Windows environment and around 50 RHEL servers (which will grow to a few hundred in the future). Our goal is to be able to log in with our AD credentials and have sudo centrally managed. To be able to manage users and their access/permissions we are looking into IdM combined with a unidirectional non-transitive AD-trust so our existing AD users can authenticate on the RHEL servers.

I have a few (high level) questions regarding the setup of IdM:

1) There is an integrated DNS component (BIND). Is this component required? Because we would like to keep DNS managed by Windows (A and CNAME records). I have seen that there's a forward only policy, but what's the point of that? Can't we just directly use the Windows DNS then instead of forwarding, i.e. point the client's nameservers to the Windows nameservers? I'm obviously missing something crucial, sorry :)

2) A Certificate Authority will be installed as well. What's the function of this CA? Is it required? Can we do a CA-less setup? What are the limitations of a CA-less setup?

3) Is IPv6 a requirement or can it be disabled?

4) How could disaster recovery be implemented? Is it easy to back up and restore?

5) Is it correct that we can achieve high availability by setting up a replica IdM server and configuring the clients to use both servers?

Thank you if you can answer any (or maybe all, who knows!) of the questions above!

Regards,
Stijn