[Freeipa-users] The concept of sites...

Sigbjorn Lie sigbjorn at nixtra.com
Wed Oct 19 20:25:48 UTC 2011


The London/newyork dns sub-domains would be used for looking up srv records for the local
kerberos/ldap servers only. The actual domain configured on the client and the kerberos and LDAP
base would still be the ipa.domain.com.

Sync with AD would still be done between ipa.domain.com <-> ad.domain.com.


Rgds,
Siggi


On Wed, October 19, 2011 22:15, Steven Jones wrote:
> Ah right, yes, one realm.
>
>
> However how would you password sync with AD?
>
>
> So say    London.ad.ms.com  and Newyork.ad.ms.com
>
>
> With NY as the "head"
>
>
> So with london.ipa.unix.com and newyork.ipa.unix.com
>
>
> Is there still only one winsync agreement?
>
>
>
>
> regards
>
> Steven Jones
>
>
> Technical Specialist - Linux RHCE
>
>
> Victoria University, Wellington, NZ
>
>
> 0064 4 463 6272
>
>
> ________________________________________
> From: Sigbjorn Lie [sigbjorn at nixtra.com]
> Sent: Thursday, 20 October 2011 9:11 a.m.
> To: Steven Jones
> Cc: freeipa-users at redhat.com
> Subject: RE: [Freeipa-users] The concept of sites...
>
>
> I see your point with a messy dns infrastructure, however this would happen in the background.
>
>
> You would still only have one kerberos realm per IPA instance.
>
>
>
> Rgds,
> Siggi
>
>
>
>
>
> On Wed, October 19, 2011 21:30, Steven Jones wrote:
>
>> Hi,
>>
>>
>>
>> I think AD sort of does this which they have now backed away from?
>>
>>
>>
>> From my very limited understanding having sub-domains/realms seems to be
>> counter-productive....in that trying to do cross-realm trusts/passwords/user info becomes a
>> nightmare?
>>
>> I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and student.vuw.ac.nz in
>> a winsync (password) agreement, I don't know even if that's possible?  Yet with a flat domain to
>> flat domain it's easy?
>>
>> regards
>>
>> Steven Jones
>>
>>
>>
>> Technical Specialist - Linux RHCE
>>
>>
>>
>> Victoria University, Wellington, NZ
>>
>>
>>
>> 0064 4 463 6272
>>
>>
>>
>> ________________________________________
>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of Sigbjorn
>> Lie [sigbjorn at nixtra.com]
>> Sent: Thursday, 20 October 2011 8:14 a.m.
>> To: freeipa-users at redhat.com
>> Subject: [Freeipa-users] The concept of sites...
>>
>>
>>
>> Hi,
>>
>>
>>
>> Has there been given any thought to the concept of sites within IPA to
>> improve cross-site implementations? This should be easy to implement as you are already using
>> DNS SRV records to locate the ldap/kerberos servers.
>>
>>
>>
>> E.g.
>> Site: Boston
>> Site: London
>>
>>
>>
>>
>> Create a subdomain of the IPA dns domain named _sites, and a subdomain
>> of _sites for each site.
>>
>> Boston._sites.ipa.domain.com would contain the srv entries for IPA
>> servers in Boston:
>>
>> _ldap._tcp    IN    SRV    0 100 389 boston-ipa-server1
>> _ldap._tcp    IN    SRV    0 100 389 boston-ipa-server2
>> .....
>>
>>
>>
>> London._sites.ipa.domain.com would contain the srv entries for IPA
>> servers in London:
>>
>> _ldap._tcp    IN    SRV    0 100 389 london-ipa-server1
>> _ldap._tcp    IN    SRV    0 100 389 london-ipa-server2
>> ....
>>
>>
>>
>> Now point the client's DNS "search" entry to point to the local site
>> first, then search the full name space:
>>
>> Boston client's /etc/resolv.conf:
>> search Boston._sites.ipa.domain.com ipa.domain.com
>>
>>
>> London client's /etc/resolv.conf:
>> search London._sites.ipa.domain.com ipa.domain.com
>>
>>
>> The main ipa.domain.com could still contain srv records for all IPA
>> servers, or selected IPA servers at the central hub.
>>
>> I know I can do this manually within the DNS management in IPA today,
>> however it would be a lot easier to maintain "Sites" within the IPA webui/cli. *blink* ;)
>>
>> What are your thoughts on this?
>>
>>
>>
>>
>>
>> Regards,
>> Siggi
>>
>>
>>
>>
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>
>>
>>
>
>
>
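The per-site SRV layout proposed in the original post, as an added example that is not part of the thread: a small Python model over constructed zone data (placeholder hostnames) that applies the resolv.conf "search" order so the site zone is consulted before ipa.domain.com, then orders the answers the way an RFC 2782 client would. The Srv, parse_srv, lookup and order_targets names are the example's own, not anything in IPA.

```python
import random
from collections import namedtuple
# Constructed zone data laid out as the post proposes (placeholder hostnames):
# per-site SRV records under <Site>._sites.ipa.domain.com, hub records under ipa.domain.com.
ZONES = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        "_ldap._tcp IN SRV 0 100 389 boston-ipa-server1",
        "_ldap._tcp IN SRV 0 100 389 boston-ipa-server2"],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        "_ldap._tcp IN SRV 0 100 389 london-ipa-server1",
        "_ldap._tcp IN SRV 10 100 389 hub-ipa-server1"],  # hub only as fallback
    "_ldap._tcp.ipa.domain.com": [
        "_ldap._tcp IN SRV 0 100 389 hub-ipa-server1",
        "_ldap._tcp IN SRV 0 100 389 hub-ipa-server2"],
}
Srv = namedtuple("Srv", "priority weight port target")

def parse_srv(line):
    """Parse a zone-file style line: owner IN SRV priority weight port target."""
    _owner, _cls, rtype, prio, weight, port, target = line.split()
    if rtype.upper() != "SRV":
        raise ValueError("not an SRV record: " + line)
    return Srv(int(prio), int(weight), int(port), target)

def lookup(service, search_path, zones=ZONES):
    """Emulate the resolv.conf 'search' order: the first suffix with records wins,
    so a site zone shadows the hub zone. Returns (suffix, records) or (None, [])."""
    for suffix in search_path:
        records = zones.get((service + "." + suffix).lower())  # DNS names are case-insensitive
        if records:
            return suffix, [parse_srv(r) for r in records]
    return None, []

def order_targets(records, rng=random.random):
    """RFC 2782 client ordering: ascending priority, weighted random draw within
    each priority level. rng is injectable so the result is testable."""
    ordered, by_prio = [], {}
    for r in records:
        by_prio.setdefault(r.priority, []).append(r)
    for prio in sorted(by_prio):
        pool = list(by_prio[prio])
        while pool:
            pick, running = rng() * sum(r.weight for r in pool), 0
            chosen = pool[-1]  # fallback when every remaining weight is 0
            for r in pool:
                running += r.weight
                if pick < running:
                    chosen = r
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ["%s:%d" % (r.target, r.port) for r in ordered]
```

Because the first suffix that answers wins, a client in a site whose zone is empty silently falls through to the hub records, which is the fallback the post relies on.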