[Freeipa-users] The concept of sites...

Sigbjorn Lie sigbjorn at nixtra.com
Wed Oct 19 20:21:40 UTC 2011



On Wed, October 19, 2011 21:27, Simo Sorce wrote:
> On Wed, 2011-10-19 at 15:24 -0400, Dmitri Pal wrote:
>
>> On 10/19/2011 03:14 PM, Sigbjorn Lie wrote:
>>
>>> Hi,
>>>
>>>
>>> Has there been given any thought to the concept of sites within IPA to
>>> improve cross-site implementations? This should be easy to implement as
>>> you are already using DNS SRV records to locate the ldap/kerberos servers.
>>>
>>> E.g.
>>> Site: Boston
>>> Site: London
>>>
>>>
>>>
>>> Create a subdomain of the IPA dns domain named _sites, and a subdomain
>>> of _sites for each site.
>>>
>>> Boston._sites.ipa.domain.com would contain the srv entries for IPA
>>> servers in Boston:
>>> _ldap._tcp        in    srv    0 100 389 boston-ipa-server1
>>> _ldap._tcp        in    srv    0 100 389 boston-ipa-server2
>>> .....
>>>
>>>
>>> London._sites.ipa.domain.com would contain the srv entries for IPA
>>> servers in London:
>>> _ldap._tcp        in    srv    0 100 389 london-ipa-server1
>>> _ldap._tcp        in    srv    0 100 389 london-ipa-server2
>>> ....
>>>
>>>
>>> Now point the client's DNS "search" entry to the local site first,
>>> then search the full name space. Boston client's /etc/resolv.conf:
>>> search Boston._sites.ipa.domain.com ipa.domain.com
>>>
>>> London client's /etc/resolv.conf:
>>> search London._sites.ipa.domain.com ipa.domain.com
>>>
>>>
>>> The main ipa.domain.com could still contain srv records for all IPA
>>> servers, or selected IPA servers at the central hub.
>>>
>>> I know I can do this manually within the DNS management in IPA today,
>>> however it would be a lot easier to maintain "Sites" within the IPA
>>> webui/cli. *blink* ;)
>>>
>>> What's your thoughts on this?
>>>
>>>
>>>
>>>
>> Please file an RFE in BZ.
>>
>
> Please take a look at this document before filing any bz:
> http://freeipa.org/page/DNS_Location_Discovery
>



SPF uses TXT records. Could the SUBNET dns records be substituted with TXT records?

Use the configured LDAP base as dns search as fallback if there is no records found in the dns
domain given by the dhcp server?

I understand those were your major concerns?


Rgds,
Siggi
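The site-aware SRV lookup described in the quoted proposal, as an added example that is not part of this thread or of FreeIPA's own code: a small Python emulation of a stub resolver that applies a resolv.conf search list to the relative name _ldap._tcp and then orders the answers by RFC 2782 priority and weight. The zone contents are constructed here (the boston/london hosts from the post plus a hypothetical hub-ipa-server1 in the top-level zone), and the example assumes what the proposal assumes: that the client appends the search domains to the SRV query name.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    """One SRV record: priority, weight, port and target host (RFC 2782)."""
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data modelled on the layout in the post. Host names are
# hypothetical. The top-level zone lists the hub at priority 0 and one server
# per site at a lower preference (higher priority number) as a fallback.
ZONES = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        SRV(0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        SRV(0, 100, 389, "boston-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        SRV(0, 100, 389, "london-ipa-server1.ipa.domain.com"),
        SRV(0, 100, 389, "london-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.ipa.domain.com": [
        SRV(0, 100, 389, "hub-ipa-server1.ipa.domain.com"),
        SRV(10, 50, 389, "boston-ipa-server1.ipa.domain.com"),
        SRV(10, 50, 389, "london-ipa-server1.ipa.domain.com"),
    ],
}


def lookup_srv(service, search_list, zones=ZONES):
    """Emulate a stub resolver applying the resolv.conf 'search' list to a
    relative SRV owner name. Returns (fqdn, records) for the first search
    domain that answers, or (None, []) when none does. DNS names are
    case-insensitive, so the comparison is done in lower case."""
    for domain in search_list:
        fqdn = f"{service}.{domain}".lower().rstrip(".")
        if fqdn in zones:
            return fqdn, list(zones[fqdn])
    return None, []


def order_srv(records, rng=None):
    """Order records per RFC 2782: ascending priority, and within one
    priority a weighted random selection (weight-0 records are listed
    first so they are only chosen when the random draw is 0)."""
    if rng is None:
        rng = random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            draw = rng.randint(0, total)
            running = 0
            for r in group:
                running += r.weight
                if running >= draw:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def ldap_servers(search_list, seed=None):
    """Return the ordered 'host:port' list a client with this search list
    would try for LDAP, or [] when no SRV records are found anywhere."""
    _, records = lookup_srv("_ldap._tcp", search_list)
    return [f"{r.target}:{r.port}"
            for r in order_srv(records, random.Random(seed))]


if __name__ == "__main__":
    for site, search in [
        ("Boston client", ["Boston._sites.ipa.domain.com", "ipa.domain.com"]),
        ("London client", ["London._sites.ipa.domain.com", "ipa.domain.com"]),
        ("client with no site zone", ["paris._sites.ipa.domain.com", "ipa.domain.com"]),
    ]:
        print(site, "->", ldap_servers(search, seed=1))
```

The trailing ipa.domain.com entry in the search list is what gives a client whose site has no zone (or a client moved away from its home site) a working fallback; without it the lookup returns nothing, which is the gap the SUBNET/TXT and LDAP-base questions above are about.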