Quoting Rob Crittenden <rcritten(a)redhat.com>:
> Ronald Wimmer via FreeIPA-users wrote:
>> On 06.07.20 19:52, Rob Crittenden wrote:
>>> Ronald Wimmer via FreeIPA-users wrote:
>>>> After upgrading to OL 8.1 and replacing all of my 8 IPA servers I ran
>>>> into this particular problem.
>>>>
>>>> Is it right that I need to have an ID range where all DNA ranges
>>>> have to
>>>> fit in? And that the DNA range of each IPA server has to be distinct
>>>> from the ranges of the other IPA servers?
>>>>
>>>> I will start by checking each IPA server with
>>>>
>>>> ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix
>>>> IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
>>>>
>>>> (according to what Rob wrote on his blog some years ago
>>>>
>>>> https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )
>>>
>>> Not every master has to have a range. Only those masters that you
>>> create
>>> users and groups on. The DNA plugin should be smart enough to skip any
>>> conflicting allocations but why press it? It isn't a whole lot of extra
>>> work to manually set things up if you have to do that anyway and you
>>> can
>>> sleep better knowing that duplicate values aren't possible.
>>>
>>> Yes, it needs to fit within any IPA ranges you have created. You can
>>> have more than one.
>>>
>>> Otherwise you could theoretically end up in a conflict with other
>>> ranges, like a trust, which would be bad.
>>>
>>> There is nothing constraining what DNA range you set. The IPA ranges
>>> are
>>> there for a hint.
>>
>> So. If my ID range for the IPA domain is
>>
>> ID Range
>> 1246600000
>> 1246800000
>>
>> I could set the DNA ranges like that:
>>
>> DNA Range ipa1
>> 1246600001
>> 1246620001
>>
>> DNA Range ipa2
>> 1246620002
>> 1246640002
>>
>> DNA Range ipa3
>> 1246640003
>> 1246660003
>>
>> DNA Range ipa4
>> 1246660004
>> 1246680004
>>
>> DNA Range ipa5
>> 1246680005
>> 1246700005
>>
>> DNA Range ipa6
>> 1246700006
>> 1246720006
>>
>> DNA Range ipa7
>> 1246720007
>> 1246740007
>>
>> DNA Range ipa8
>> 1246740008
>> 1246760008
>>
>> Do you agree?
>>
>> Do I have to use ldapmodify or could I use
>>
>> ipa-replica-manage dnarange-set ipa1.mydomain.at 1246600001-1246620001 ?
>
> You can use ipa-replica-manage.
>
> As I write in the blog, not every server is required to have a range
> set. It is only needed on servers that users will be created on and it
> will ask its peers for a range if a need arises.
>
> So sure, you can micromanage it like this if you want but if you create
> another server and it needs a range it will split one of these.
The thing is that I put a loadbalancer in front of all the eight IPA
servers (so that users can access the Web GUI like ipa.linux.mydomain.at
where the actual servers are blabla2-8.linux.mydomain.at). When
accessing the web interface the user does not know on which IPA server
he ended up. In this scenario every IPA server would need a range of its
own, right?
Seems so. Again, it's not exactly wrong to manually do it, you just lose
some automation and risk splitting the values deeply when creating new
masters so just keep this in mind. You may have to manually re-adjust at
some point.
rob
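The two conditions discussed in the thread (every master's DNA range fits inside the IPA ID range, and no two masters' ranges overlap) as an added example, not code from the thread or from FreeIPA itself. It assumes the "ID Range" figures above are the first and last POSIX ID, the hostnames ipaN.mydomain.at, and that one disjoint slice per master is wanted because a load balancer hides which server creates the user.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IdRange:
    first: int  # first POSIX ID in the range
    last: int   # last POSIX ID in the range (inclusive)

    def contains(self, other: "IdRange") -> bool:
        return self.first <= other.first and other.last <= self.last

    def overlaps(self, other: "IdRange") -> bool:
        return self.first <= other.last and other.first <= self.last


# Assumption: the thread's "ID Range" figures are read as first/last ID.
IPA_RANGE = IdRange(1246600000, 1246800000)

# The eight DNA ranges proposed in the thread: ipa1 = 1246600001-1246620001,
# each following server shifted by 20001 (ipa8 = 1246740008-1246760008).
PROPOSED = {f"ipa{i}": IdRange(1246600001 + 20001 * (i - 1),
                                1246620001 + 20001 * (i - 1)) for i in range(1, 9)}


def check_dna_layout(id_range: IdRange, dna: dict) -> list:
    """Return a list of problems; empty means every DNA range fits in the IPA
    ID range and no two servers can ever hand out the same ID."""
    problems, names = [], sorted(dna)
    for name in names:
        r = dna[name]
        if r.first > r.last:
            problems.append(f"{name}: empty range {r.first}-{r.last}")
        elif not id_range.contains(r):
            problems.append(f"{name}: {r.first}-{r.last} lies outside the IPA ID range")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if dna[a].overlaps(dna[b]):
                problems.append(f"{a} and {b} overlap: duplicate IDs possible")
    return problems


def split_id_range(id_range: IdRange, servers: list) -> dict:
    """Carve equal, disjoint DNA ranges out of the IPA ID range, one per server,
    so a new master gets a planned slice instead of splitting a peer's range."""
    per = (id_range.last - id_range.first + 1) // len(servers)
    return {s: IdRange(id_range.first + i * per, id_range.first + (i + 1) * per - 1)
            for i, s in enumerate(servers)}


def dnarange_set_commands(dna: dict, domain: str = "mydomain.at") -> list:
    """Render the ipa-replica-manage invocations for a validated layout."""
    return [f"ipa-replica-manage dnarange-set {n}.{domain} {r.first}-{r.last}"
            for n, r in sorted(dna.items())]


if __name__ == "__main__":
    for line in check_dna_layout(IPA_RANGE, PROPOSED) or ["layout OK"]:
        print(line)
    for cmd in dnarange_set_commands(PROPOSED):
        print(cmd)
```

Run the check again after adding a master, since a new server that asks its peers for a range will split one of these slices and the layout on disk no longer matches the plan.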