[Freeipa-users] The concept of sites...

Steven Jones Steven.Jones at vuw.ac.nz
Wed Oct 19 19:30:29 UTC 2011


Hi,

I think AD sort of does this which they have now backed away from? 

From my very limited understanding having sub-domains/realms seems to be counter-productive....in that trying to do cross-realm trusts/passwords/user info becomes a nightmare?

I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and student.vuw.ac.nz in a winsync (password) agreement, I don't know even if that's possible?  Yet with a flat domain to flat domain it's easy?

regards

Steven Jones

Technical Specialist - Linux RHCE

Victoria University, Wellington, NZ

0064 4 463 6272

________________________________________
From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn Lie [sigbjorn at nixtra.com]
Sent: Thursday, 20 October 2011 8:14 a.m.
To: freeipa-users at redhat.com
Subject: [Freeipa-users] The concept of sites...

Hi,

Has there been given any thought to the concept of sites within IPA to
improve cross-site implementations? This should be easy to implement as
you are already using DNS SRV records to locate the ldap/kerberos servers.

E.g.
Site: Boston
Site: London


Create a subdomain of the IPA dns domain named _sites, and a subdomain
of _sites for each site.

Boston._sites.ipa.domain.com would contain the srv entries for IPA
servers in Boston:
_ldap._tcp        in    srv    0 100 389 boston-ipa-server1
_ldap._tcp        in    srv    0 100 389 boston-ipa-server2
.....

London._sites.ipa.domain.com would contain the srv entries for IPA
servers in London:
_ldap._tcp        in    srv    0 100 389 london-ipa-server1
_ldap._tcp        in    srv    0 100 389 london-ipa-server2
....

Now point the client's DNS "search" entry to point to the local site
first, then search the full name space:
Boston client's /etc/resolv.conf:
search Boston._sites.ipa.domain.com ipa.domain.com

London client's /etc/resolv.conf:
search London._sites.ipa.domain.com ipa.domain.com


The main ipa.domain.com could still contain srv records for all IPA
servers, or selected IPA servers at the central hub.

I know I can do this manually within the DNS management in IPA today,
however it would be a lot easier to maintain "Sites" within the IPA
webui/cli. *blink* ;)

What are your thoughts on this?



Regards,
Siggi
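As an added example (not code from the thread or from FreeIPA), a small Python model of the lookup a client would perform with the resolv.conf search order described above: the first search suffix that has SRV records is the answer the resolver uses, and RFC 2782 priority/weight ordering then picks servers; a site with no _sites subdomain falls through to the hub zone. The zone contents, the hub-ipa-server1 name and the priorities in the hub zone are constructed assumptions.

```python
import random

# Constructed zone data (assumption, not from the thread): owner name ->
# [(priority, weight, port, target)]; hub zone lists hub first, sites lower.
SRV_RECORDS = {
    "_ldap._tcp.boston._sites.ipa.domain.com.": [
        (0, 100, 389, "boston-ipa-server1.ipa.domain.com."),
        (0, 100, 389, "boston-ipa-server2.ipa.domain.com."),
    ],
    "_ldap._tcp.london._sites.ipa.domain.com.": [
        (0, 100, 389, "london-ipa-server1.ipa.domain.com."),
        (0, 100, 389, "london-ipa-server2.ipa.domain.com."),
    ],
    "_ldap._tcp.ipa.domain.com.": [
        (0, 100, 389, "hub-ipa-server1.ipa.domain.com."),
        (10, 100, 389, "boston-ipa-server1.ipa.domain.com."),
        (10, 100, 389, "london-ipa-server1.ipa.domain.com."),
    ],
}

def lookup_srv(relative_name, search_list):
    """Walk the resolv.conf search list in order; the resolver stops at the
    first suffix that returns an answer. DNS names are case-insensitive."""
    for suffix in search_list:
        fqdn = f"{relative_name}.{suffix}.".lower()
        if fqdn in SRV_RECORDS:
            return fqdn, SRV_RECORDS[fqdn]
    return None, []

def order_srv(records, rng=random):
    """RFC 2782 client ordering: lowest priority first; within one priority
    a weighted random pick, so equal-weight servers share the load."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            pick = rng.uniform(0, sum(r[1] for r in pool))
            for chosen in pool:
                pick -= chosen[1]
                if pick <= 0:
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered

def servers_for_client(search_list, rng=random):
    """Return (owner name that answered, [(target, port), ...]) for a client."""
    name, records = lookup_srv("_ldap._tcp", search_list)
    return name, [(t, p) for _, _, p, t in order_srv(records, rng)]
```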



_______________________________________________
Freeipa-users mailing list
Freeipa-users at redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

