The basic technology is solid and the admin tools reasonable. However, it has 
the same problems as all large, integrated systems: if the system isn't in 
exactly the state they expect, significant administrative operations such as 
upgrading the version or adding a replica will fail. Those things are done by 
Python code with large libraries. If you have to debug it and you're not 
familiar with the code, it can take a while. It's not common, but we've run into 
a couple of failures, both on version upgrade and on adding a replica.

My impression is that the cert code is the most trouble-prone. If you don't 
need it to manage certificates, install it without that facility. You can't 
change that once it's installed, as far as I can see: I think you can add a cert 
system, but I don't believe you can remove it.

It's kind of hard to come up with any reasonable alternatives to IPA, though, if 
you need what it does. If you need Kerberos and user management, particularly 
if you need redundant servers or two-factor authentication (we needed both), it 
would be a real challenge to do it any other way (other than using Active 
Directory, and that has issues of its own, and getting two-factor working in 
Linux might not be practical).

Run the IPA servers in VMs. Before doing upgrades, copy the VMs and try the 
upgrade in the copy. VMs also simplify backups: you can just snapshot all the 
systems. That gives you a clean, consistent backup. (Indeed, some of the 
documentation implies that the alternative ways of doing backup have enough 
issues that running in VMs is the only reasonable approach.)

I didn't start out to do IPA. I needed a new Kerberos server. (Ours was so out 
of date that updating was impractical.) I also wanted to replace a bunch of 
semi-consistent NIS domains with good central management. I looked at doing MIT 
Kerberos and OpenLDAP. But then I'd have to build management tools. It looked 
like the IPA designers had thought about most of the things we'd need. The Unix 
traditionalist in me still hates huge Python-based systems. But I think IPA is 
kind of inevitable if you need what it does.

Note that I'm using the copy that's bundled with CentOS. I think that's more 
likely to work than installing FreeIPA over a random OS. The systems you're 
managing don't have to be CentOS. But for the servers I strongly recommend 
Red Hat or CentOS.

> On May 8, 2018, at 5:23:58 AM, Duncan Colhoun via FreeIPA-users 
> <freeipa-users@lists.fedorahosted.org> wrote:
> 
> Hi All
> 
> I hope this is the appropriate forum for this question.
> 
> Can I get some feedback on the overall experience setting up and running 
> Free-IPA. I am looking at implementing Free-IPA to enhance/replace an 
> OpenLDAP environment.
> 
> So please share any horror/success stories.
> 
> Rgds
> 
> Duncan
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/OVSDO7C7CWTEF2VGYUJCUFMMWMRFFNG5/
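The message above recommends snapshotting all the IPA server VMs as a consistent set before an upgrade. The script below is an added example, not code from the original post or from the FreeIPA project, of how to do that with libvirt's virsh for a group of VMs in one step, and how to roll the whole set back. The VM names (ipa1, ipa2) are constructed; it assumes the guests run the QEMU guest agent so that --quiesce can flush filesystems, and DRY_RUN=1 prints the virsh commands instead of running them so the logic can be checked on a machine without libvirt.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot a set of libvirt-managed
# IPA server VMs together, and revert them together, so all replicas are
# rolled back to the same point in time. VM names below are constructed.
set -eu

# All IPA server VMs that must be snapshotted as one set.
IPA_VMS="${IPA_VMS:-ipa1 ipa2}"

# DRY_RUN=1 prints the virsh commands instead of executing them.
DRY_RUN="${DRY_RUN:-0}"

# One snapshot name shared by every VM in the set, keyed on a timestamp,
# so the matching snapshots are easy to find and revert together.
snapshot_name() {
    printf 'pre-upgrade-%s' "$1"
}

# Build the command that snapshots one VM.
#   --quiesce  asks the guest agent to flush and freeze filesystems first,
#              so the snapshot is consistent at the filesystem level.
#   --atomic   the snapshot either fully succeeds or leaves the VM untouched.
snapshot_cmd() {
    vm="$1"; name="$2"
    printf 'virsh snapshot-create-as --domain %s --name %s --quiesce --atomic' \
        "$vm" "$name"
}

# Build the command that rolls one VM back to the named snapshot.
revert_cmd() {
    vm="$1"; name="$2"
    printf 'virsh snapshot-revert --domain %s --snapshotname %s' "$vm" "$name"
}

# Run or print a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$1"
    else
        $1
    fi
}

# Snapshot every VM in IPA_VMS under the same name; the last line of output
# is the snapshot name, which the caller keeps for a later revert.
snapshot_all() {
    stamp="${1:-$(date +%Y%m%d-%H%M%S)}"
    name="$(snapshot_name "$stamp")"
    for vm in $IPA_VMS; do
        run "$(snapshot_cmd "$vm" "$name")"
    done
    echo "$name"
}

# Revert every VM in IPA_VMS to the given snapshot name. Reverting only some
# replicas would leave the set inconsistent, so the loop covers all of them.
revert_all() {
    name="$1"
    for vm in $IPA_VMS; do
        run "$(revert_cmd "$vm" "$name")"
    done
}

# Typical use, as the post describes: snapshot, then upgrade, then revert
# the whole set if the upgrade fails. Uncomment to run for real:
#   SNAP="$(snapshot_all | tail -n 1)"
#   ssh root@ipa1 ipa-server-upgrade || revert_all "$SNAP"
```

With DRY_RUN=1 the script is safe to run anywhere; with it unset, it needs virsh access to the listed domains. Cloning a VM to rehearse the upgrade, as the post also suggests, is a separate step (virt-clone or a copy of the disk image) and is not covered here.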