Quoting Rob Crittenden <rcritten(a)redhat.com>:
Ronald Wimmer via FreeIPA-users wrote:
> On 06.07.20 19:52, Rob Crittenden wrote:
>> Ronald Wimmer via FreeIPA-users wrote:
>>> After upgrading to OL 8.1 and replacing all of my 8 IPA servers I ran
>>> into this particular problem.
>>>
>>> Is it right that I need to have an ID range where all DNA ranges have to
>>> fit in? And that the DNA range of each IPA server has to be distinct
>>> from the ranges of the other IPA servers?
>>>
>>> I will start by checking each IPA server with
>>>
>>> ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix
>>> IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config'
>>>
>>> (according to what Rob wrote on his blog some years ago
>>>
>>> https://rcritten.wordpress.com/2015/01/05/freeipa-and-no-dna-range/ )
>>
>> Not every master has to have a range. Only those masters that you create
>> users and groups on. The DNA plugin should be smart enough to skip any
>> conflicting allocations but why press it? It isn't a whole lot of extra
>> work to manually set things up if you have to do that anyway and you can
>> sleep better knowing that duplicate values aren't possible.
>>
>> Yes, it needs to fit within any IPA ranges you have created. You can
>> have more than one.
>>
>> Otherwise you could theoretically end up in a conflict with other
>> ranges, like a trust, which would be bad.
>>
>> There is nothing constraining what DNA range you set. The IPA ranges are
>> there for a hint.
>
> So. If my ID range for the IPA domain is
>
> ID Range
> 1246600000
> 1246800000
>
> I could set the DNA ranges like this:
>
> DNA Range ipa1
> 1246600001
> 1246620001
>
> DNA Range ipa2
> 1246620002
> 1246640002
>
> DNA Range ipa3
> 1246640003
> 1246660003
>
> DNA Range ipa4
> 1246660004
> 1246680004
>
> DNA Range ipa5
> 1246680005
> 1246700005
>
> DNA Range ipa6
> 1246700006
> 1246720006
>
> DNA Range ipa7
> 1246720007
> 1246740007
>
> DNA Range ipa8
> 1246740008
> 1246760008
>
> Do you agree?
>
> Do I have to use ldapmodify or could I use
>
> ipa-replica-manage dnarange-set ipa1.mydomain.at 1246600001-1246620001 ?
> You can use ipa-replica-manage.
> As I write in the blog, not every server is required to have a range
> set. It is only needed on servers that users will be created on and it
> will ask its peers for a range if a need arises.
> So sure, you can micromanage it like this if you want but if you create
> another server and it needs a range it will split one of these.
The thing is that I put a load balancer in front of all eight IPA
servers (so that users can access the Web GUI as
ipa.linux.mydomain.at, where the actual servers are
blabla2-8.linux.mydomain.at). When accessing the web interface, the
user does not know which IPA server he ended up on. In this scenario
every IPA server would need a range of its own, right?
Cheers,
Ronald
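Added example (not part of the thread, and not FreeIPA's own tooling): a
small POSIX sh helper for the bookkeeping the thread is about. It pulls
dnaNextValue/dnaMaxValue out of the LDIF that the ldapsearch against
"cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
prints, checks that a set of per-server DNA ranges lies inside the IPA ID
range and that no two ranges overlap, and prints one
"ipa-replica-manage dnarange-set" command per server for an evenly split
plan. The server names, the LDIF text and the 25000-ID slice size are
assumptions; the ID range is the one quoted above. Nothing here talks to
an IPA server, the commands are only printed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA.
# Offline helper for the DNA-range bookkeeping discussed above.
# Assumptions: POSIX sh with sort(1); server names and the LDIF sample
# are hypothetical / constructed; nothing here contacts an IPA server.

# dna_range_from_ldif: read the ldapsearch LDIF output on stdin and print
# "NEXT-MAX" from the dnaNextValue / dnaMaxValue attributes of the DNA
# plugin entry. Returns 1 if either attribute is missing.
dna_range_from_ldif() {
  next=''; max=''
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      dnaNextValue:*) next=${line#dnaNextValue: } ;;
      dnaMaxValue:*)  max=${line#dnaMaxValue: } ;;
    esac
  done
  [ -n "$next" ] && [ -n "$max" ] || return 1
  printf '%s-%s\n' "$next" "$max"
}

# check_ranges BASE_START BASE_END RANGE...: each RANGE is START-END.
# Returns 0 only if every range fits inside [BASE_START, BASE_END] and no
# two ranges overlap. Ranges are sorted by START first, so the order of
# the arguments does not matter.
check_ranges() {
  base_start=$1; base_end=$2; shift 2
  set -- $(printf '%s\n' "$@" | sort -n)
  prev_end=$((base_start - 1))
  for r in "$@"; do
    s=${r%-*}; e=${r#*-}
    if [ "$s" -gt "$e" ]; then
      echo "check: $r: start is after end" >&2; return 1
    fi
    if [ "$s" -lt "$base_start" ] || [ "$e" -gt "$base_end" ]; then
      echo "check: $r: outside ID range $base_start-$base_end" >&2; return 1
    fi
    if [ "$s" -le "$prev_end" ]; then
      echo "check: $r: overlaps a range ending at $prev_end" >&2; return 1
    fi
    prev_end=$e
  done
  return 0
}

# plan_ranges BASE_START SIZE SERVER...: hand each server the next SIZE
# consecutive IDs, starting at BASE_START. Prints "SERVER START-END" lines.
plan_ranges() {
  start=$1; size=$2; shift 2
  for srv in "$@"; do
    end=$((start + size - 1))
    printf '%s %s-%s\n' "$srv" "$start" "$end"
    start=$((end + 1))
  done
}

# dnarange_commands BASE_START BASE_END SIZE SERVER...: build the plan,
# validate it against the IPA ID range, then print one
# ipa-replica-manage dnarange-set command per server (print only).
dnarange_commands() {
  bstart=$1; bend=$2; size=$3; shift 3
  plan=$(plan_ranges "$bstart" "$size" "$@")
  ranges=$(printf '%s\n' "$plan" | while read -r srv range; do printf '%s\n' "$range"; done)
  check_ranges "$bstart" "$bend" $ranges || return 1
  printf '%s\n' "$plan" | while read -r srv range; do
    printf 'ipa-replica-manage dnarange-set %s %s\n' "$srv" "$range"
  done
}

# Example run: the thread's ID range 1246600000-1246800000 (200001 IDs),
# eight hypothetical servers, 25000 IDs each (8 * 25000 = 200000, so the
# plan fits with one ID to spare).
dnarange_commands 1246600000 1246800000 25000 \
  ipa1.mydomain.at ipa2.mydomain.at ipa3.mydomain.at ipa4.mydomain.at \
  ipa5.mydomain.at ipa6.mydomain.at ipa7.mydomain.at ipa8.mydomain.at
```

To read a live server's current range, pipe the ldapsearch from the thread
into the first function, e.g.
ldapsearch -x -D 'cn=Directory Manager' -W -b 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' | dna_range_from_ldif
and feed the results of all servers to check_ranges before changing
anything. The planner deliberately refuses to print commands when the
slices would leave the IPA ID range or overlap each other, which is the
conflict Rob warns about above.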