Hi list
I am after some pointers on the best way to deploy FreeIPA for an organization that spans
many continents (Europe, Asia/Oceania, Africa). Our two largest locations have network
latencies of anywhere up to 600ms, and so far trials with FreeIPA have proven that the
replication becomes unreliable. This is our current deployment:
User objects: ~2500
Groups: ~300
Computers: ~2000
Locations (all replicas deployed with CA, KRA, domain roles):
- Italy: 4x replicas
- Sydney: 4x replicas
- Singapore: 3x replicas
- Cape Town: 3x replicas
So far we have found it difficult to keep all replication going reliably. Some account
changes take a considerable amount of time to replicate, and if there is a big event
like deleting more than 10 objects (users or computers) it can cause some of the replicas to
become unresponsive for a period of time (restarting dirsrv sometimes helps us here, and
sometimes replicas never catch up and have to be re-initialized). The replication
agreements seem fairly well balanced based on the best practice documentation I could find.
The deployment has all replicas in one single domain, we do not run DNS Services in
FreeIPA due to some complexities in our domain, all replicas are visible to each other and
computers via appropriate DNS SRV records with correct weighting for the location (we
maintain a unique DNS view per location).
We are running FreeIPA 4.6.8 on CentOS 7 currently, but are looking at moving to Red Hat 9,
possibly in the near future.
Any advice on the best deployment or configuration for this to succeed would be greatly
appreciated.
Regards,
M
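The post says the agreements "seem fairly well balanced" against the published guidance; that is worth checking mechanically rather than by eye, because with 14 replicas across four sites it is easy for one host to end up carrying too many agreements or to be the only path between two sites. The following is an added example, not code from the original post and not part of FreeIPA. It encodes the site sizes the post gives (Italy 4, Sydney 4, Singapore 3, Cape Town 3); the replica names and the two agreement lists are constructed for illustration. The limits it checks (at least 2 and at most 4 agreements per replica, no single replica whose loss partitions the topology, at least two WAN links per site) follow the Red Hat IdM topology guidance; the exact numbers are an assumption about which guidance the post means, so adjust them to the document you are working from.

```python
"""Sanity checker for a multi-site FreeIPA replication topology.

Added example (not from the original post or from FreeIPA). Site sizes come
from the post; replica names and agreements are constructed. A real run would
feed in the output of `ipa topologysegment-find domain` instead of GOOD/HUB.
"""
from collections import defaultdict, deque

# Constructed replica names; the post only gives the per-site counts.
SITES = {
    "italy":     ["it1", "it2", "it3", "it4"],
    "sydney":    ["syd1", "syd2", "syd3", "syd4"],
    "singapore": ["sg1", "sg2", "sg3"],
    "capetown":  ["cpt1", "cpt2", "cpt3"],
}
ALL_NODES = [n for hosts in SITES.values() for n in hosts]
SITE_OF = {n: site for site, hosts in SITES.items() for n in hosts}


def ring(hosts):
    """Connect one site's replicas in a ring: each host gets two local agreements."""
    return [(hosts[i], hosts[(i + 1) % len(hosts)]) for i in range(len(hosts))]


# Constructed "balanced" topology: a ring inside every site, plus two WAN links
# between neighbouring sites, each pair of links terminating on different hosts.
GOOD = (
    ring(SITES["italy"]) + ring(SITES["sydney"])
    + ring(SITES["singapore"]) + ring(SITES["capetown"])
    + [("it1", "sg1"), ("it2", "sg2"),      # Italy     <-> Singapore
       ("sg1", "syd1"), ("sg2", "syd2"),    # Singapore <-> Sydney
       ("syd3", "cpt3"), ("syd4", "cpt1"),  # Sydney    <-> Cape Town
       ("cpt1", "it3"), ("cpt2", "it4")]    # Cape Town <-> Italy
)

# Constructed anti-pattern: every replica hangs off a single hub in Italy.
HUB = [("it1", other) for other in ALL_NODES if other != "it1"]


def agreements_per_replica(agreements):
    """Number of agreements each replica participates in (graph degree)."""
    degree = defaultdict(int)
    for a, b in agreements:
        degree[a] += 1
        degree[b] += 1
    return dict(degree)


def is_connected(nodes, agreements, removed=frozenset()):
    """True if every surviving replica can reach every other one (BFS)."""
    adjacency = defaultdict(set)
    for a, b in agreements:
        if a not in removed and b not in removed:
            adjacency[a].add(b)
            adjacency[b].add(a)
    remaining = [n for n in nodes if n not in removed]
    if not remaining:
        return True
    seen, queue = {remaining[0]}, deque([remaining[0]])
    while queue:
        for neighbour in adjacency[queue.popleft()]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return len(seen) == len(remaining)


def check_topology(nodes, agreements, min_agreements=2, max_agreements=4,
                   min_wan_links=2):
    """Return a list of findings; an empty list means the topology passes."""
    findings = []
    degree = agreements_per_replica(agreements)
    for n in nodes:
        d = degree.get(n, 0)
        if d < min_agreements:
            findings.append(f"{n}: only {d} agreement(s), minimum is {min_agreements}")
        if d > max_agreements:
            findings.append(f"{n}: {d} agreements, maximum is {max_agreements}")
    if not is_connected(nodes, agreements):
        findings.append("topology is not connected")
    # A replica whose removal splits the graph is a single point of failure;
    # with 600ms WAN latency that is also the host most likely to lag.
    for n in nodes:
        if not is_connected(nodes, agreements, removed=frozenset({n})):
            findings.append(f"{n} is a single point of failure")
    # Each site needs more than one WAN agreement so one failed link or host
    # does not leave the whole site waiting on re-initialisation.
    wan_links = defaultdict(int)
    for a, b in agreements:
        if SITE_OF[a] != SITE_OF[b]:
            wan_links[SITE_OF[a]] += 1
            wan_links[SITE_OF[b]] += 1
    for site in SITES:
        if wan_links[site] < min_wan_links:
            findings.append(f"site {site}: only {wan_links[site]} WAN link(s)")
    return findings


if __name__ == "__main__":
    for name, topo in (("balanced", GOOD), ("hub", HUB)):
        print(f"{name}: {len(topo)} agreements")
        for finding in check_topology(ALL_NODES, topo) or ["OK"]:
            print("  ", finding)
```

Running it prints no findings for the ring-of-rings layout and flags the hub layout on three counts: `it1` exceeds four agreements, every other replica has only one, and `it1` is a single point of failure. Feeding the checker the real segment list from `ipa topologysegment-find domain` (and again for the `ca` suffix, since the CA topology is separate) turns "seems balanced" into something that can be verified after every replica add or removal.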