On 10.09.20 17:35, Rob Crittenden wrote:
> Ronald Wimmer via FreeIPA-users wrote:
>>
>> Quoting Rob Crittenden <rcritten(a)redhat.com>:
>>
>>> Ronald Wimmer via FreeIPA-users wrote:
>>>> On 06.07.20 19:52, Rob Crittenden wrote:
>>>>> Ronald Wimmer via FreeIPA-users wrote:
>>>>>> After upgrading to OL 8.1 and replacing all of my 8 IPA servers I
>>>>>> ran into this particular problem.
>>>>>>
>>>>>> Is it right that I need to have an ID range where all DNA ranges
>>>>>> have to fit in? And that the DNA range of each IPA server has to be
>>>>>> distinct from the ranges of the other IPA servers?
>>>>>>
>>>>>> I will start by checking each IPA server with
>>>>>>
>>>>>> ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix
>>>>>> IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
>>>>>>
>>>>>> (according to what Rob wrote on his blog some years ago
>>>>>> https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )
>>>>>
>>>>> Not every master has to have a range. Only those masters that you
>>>>> create users and groups on. The DNA plugin should be smart enough to
>>>>> skip any conflicting allocations but why press it? It isn't a whole lot
>>>>> of extra work to manually set things up if you have to do that anyway
>>>>> and you can sleep better knowing that duplicate values aren't possible.
>>>>>
>>>>> Yes, it needs to fit within any IPA ranges you have created. You can
>>>>> have more than one.
>>>>>
>>>>> Otherwise you could theoretically end up in a conflict with other
>>>>> ranges, like a trust, which would be bad.
>>>>>
>>>>> There is nothing constraining what DNA range you set. The IPA ranges
>>>>> are there for a hint.
>>>>
>>>> So. If my ID range for the IPA domain is
>>>>
>>>> ID Range
>>>> 1246600000
>>>> 1246800000
>>>>
>>>> I could set the DNA ranges like that:
>>>>
>>>> DNA Range ipa1
>>>> 1246600001
>>>> 1246620001
>>>>
>>>> DNA Range ipa2
>>>> 1246620002
>>>> 1246640002
>>>>
>>>> DNA Range ipa3
>>>> 1246640003
>>>> 1246660003
>>>>
>>>> DNA Range ipa4
>>>> 1246660004
>>>> 1246680004
>>>>
>>>> DNA Range ipa5
>>>> 1246680005
>>>> 1246700005
>>>>
>>>> DNA Range ipa6
>>>> 1246700006
>>>> 1246720006
>>>>
>>>> DNA Range ipa7
>>>> 1246720007
>>>> 1246740007
>>>>
>>>> DNA Range ipa8
>>>> 1246740008
>>>> 1246760008
>>>>
>>>> Do you agree?
>>>>
>>>> Do I have to use ldapmodify or could I use
>>>>
>>>> ipa-replica-manage dnarange-set ipa1.mydomain.at
>>>> 1246600001-1246620001 ?
>>>
>>> You can use ipa-replica-manage.
>>>
>>> As I write in the blog, not every server is required to have a range
>>> set. It is only needed on servers that users will be created on and it
>>> will ask its peers for a range if a need arises.
>>>
>>> So sure, you can micromanage it like this if you want but if you create
>>> another server and it needs a range it will split one of these.
>>
>> The thing is that I put a loadbalancer in front of all the eight IPA
>> servers (so that users can access the Web GUI like ipa.linux.mydomain.at
>> where the actual servers are blabla2-8.linux.mydomain.at). When
>> accessing the web interface the user does not know on which IPA server
>> he ended up. In this scenario every IPA server would need a range of its
>> own, right?
>
> Seems so. Again, it's not exactly wrong to manually do it, you just lose
> some automation and risk splitting the values deeply when creating new
> masters so just keep this in mind. You may have to manually re-adjust at
> some point.
> How exactly would that look in a fresh IPA installation? Would every IPA
> server have its own range?

It depends. Only the first server is allocated a range. If any
additional servers are added they will only get a range if they add an
entry that requires the range (user or group).

rob
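The checks Rob and Ronald discuss above (every manual DNA range inside the IPA ID range, no two servers sharing an ID, and reading dnaNextValue/dnaMaxValue from the ldapsearch output) as an added example script; it is not code from the thread or from FreeIPA. The server names and domain are assumptions, and the numbers reproduce the plan Ronald listed.

```python
# Added example, not from the thread: sanity-check a hand-made DNA range plan
# before applying it with ipa-replica-manage dnarange-set. Server names and
# the domain are constructed; the numbers mirror the plan in the thread.
from typing import Dict, List, Tuple

Range = Tuple[int, int]  # inclusive (start, end), as dnarange-set takes it

# IPA ID range of the domain and the eight per-server ranges proposed above
ID_RANGE: Range = (1246600000, 1246800000)
THREAD_PLAN: Dict[str, Range] = {
    f"ipa{i}": (1246600001 + 20001 * (i - 1), 1246620001 + 20001 * (i - 1))
    for i in range(1, 9)
}

def check_dna_plan(id_range: Range, plan: Dict[str, Range]) -> List[str]:
    """Return the problems found; an empty list means the plan is safe.
    Each range must be well-formed and inside the IPA ID range, and no two
    servers may share an ID, or duplicate UIDs/GIDs become possible."""
    problems: List[str] = []
    lo, hi = id_range
    for server, (start, end) in plan.items():
        if start > end:
            problems.append(f"{server}: start {start} is after end {end}")
        if start < lo or end > hi:
            problems.append(f"{server}: {start}-{end} lies outside {lo}-{hi}")
    # Once sorted by start, an overlap can only involve neighbouring ranges.
    ordered = sorted(plan.items(), key=lambda kv: kv[1][0])
    for (a, (_, a_end)), (b, (b_start, _)) in zip(ordered, ordered[1:]):
        if b_start <= a_end:
            problems.append(f"{a} and {b} overlap between {b_start} and {a_end}")
    return problems

def dnarange_commands(plan: Dict[str, Range], domain: str) -> List[str]:
    """Render one ipa-replica-manage call per server for an accepted plan."""
    return [f"ipa-replica-manage dnarange-set {srv}.{domain} {s}-{e}"
            for srv, (s, e) in plan.items()]

def remaining_ids(ldif: str) -> int:
    """Read dnaNextValue/dnaMaxValue from the ldapsearch output quoted in the
    thread and return how many IDs that server can still hand out; a server
    whose dnaNextValue is already past dnaMaxValue holds no usable range."""
    vals: Dict[str, int] = {}
    for line in ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("dnaNextValue", "dnaMaxValue"):
            vals[key] = int(value.strip())
    return max(0, vals["dnaMaxValue"] - vals["dnaNextValue"] + 1)
```

Run `check_dna_plan` against the plan first and only feed `dnarange_commands` to the shell when it returns an empty list; `remaining_ids` can be pointed at the output of the ldapsearch above to see which servers already hold a range.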