[Freeipa-users] The concept of sites...

Sigbjorn Lie sigbjorn at nixtra.com
Thu Oct 20 09:55:29 UTC 2011


Hi Ondrej,

Thanks. That RFE is for SSSD client only. I would like to see the management of sites within the
IPA webui/cli.

Regards,
Siggi


On Thu, October 20, 2011 09:02, Ondrej Valousek wrote:
> I have come across this already, BZ already created:
>
> https://fedorahosted.org/sssd/ticket/1032
>
> On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:
>
>> The London/newyork dns sub-domains would be used for looking up srv records for the local
>> kerberos/ldap servers only. The actual domain configured on the client and the kerberos and LDAP
>>  base would still be the ipa.domain.com.
>>
>> Sync with AD would still be done between ipa.domain.com <-> ad.domain.com.
>>
>> Rgds,
>> Siggi
>>
>> On Wed, October 19, 2011 22:15, Steven Jones wrote:
>>
>>> Ah right, yes, one realm.
>>>
>>> However how would you password sync with AD?
>>>
>>> So say London.ad.ms.com and Newyork.ad.ms.com
>>>
>>> With NY as the "head"
>>>
>>> So with london.ipa.unix.com and newyork.ipa.unix.com
>>>
>>> Is there still only one winsync agreement?
>>>
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ________________________________________
>>> From: Sigbjorn Lie [sigbjorn at nixtra.com]
>>> Sent: Thursday, 20 October 2011 9:11 a.m.
>>> To: Steven Jones
>>> Cc: freeipa-users at redhat.com
>>> Subject: RE: [Freeipa-users] The concept of sites...
>>>
>>> I see your point with a messy DNS infrastructure, however this would happen in the
>>> background.
>>>
>>> You would still only have one kerberos realm per IPA instance.
>>>
>>> Rgds,
>>> Siggi
>>>
>>> On Wed, October 19, 2011 21:30, Steven Jones wrote:
>>>
>>>> Hi,
>>>>
>>>> I think AD sort of does this which they have now backed away from?
>>>>
>>>> From my very limited understanding having sub-domains/realms seems to be
>>>> counter-productive....in that trying to do cross-realm trusts/passwords/user info becomes a
>>>> nightmare?
>>>>
>>>> I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and
>>>> student.vuw.ac.nz in a winsync (password) agreement, I don't know even if that's possible?
>>>> Yet with a flat domain to flat domain it's easy?
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>> ________________________________________
>>>> From: freeipa-users-bounces at redhat.com [freeipa-users-bounces at redhat.com] on behalf of
>>>> Sigbjorn Lie [sigbjorn at nixtra.com]
>>>> Sent: Thursday, 20 October 2011 8:14 a.m.
>>>> To: freeipa-users at redhat.com
>>>> Subject: [Freeipa-users] The concept of sites...
>>>>
>>>> Hi,
>>>>
>>>> Has there been given any thought to the concept of sites within IPA to
>>>> improve cross-site implementations? This should be easy to implement as you are already
>>>> using DNS SRV records to locate the ldap/kerberos servers.
>>>>
>>>> E.g.
>>>> Site: Boston
>>>> Site: London
>>>>
>>>> Create a subdomain of the IPA DNS domain named _sites, and a subdomain
>>>> of _sites for each site.
>>>>
>>>> Boston._sites.ipa.domain.com would contain the SRV entries for IPA
>>>> servers in Boston:
>>>>
>>>>   _ldap._tcp    IN    SRV    0 100 389 boston-ipa-server1
>>>>   _ldap._tcp    IN    SRV    0 100 389 boston-ipa-server2
>>>>   .....
>>>>
>>>> London._sites.ipa.domain.com would contain the SRV entries for IPA
>>>> servers in London:
>>>>
>>>>   _ldap._tcp    IN    SRV    0 100 389 london-ipa-server1
>>>>   _ldap._tcp    IN    SRV    0 100 389 london-ipa-server2
>>>>   ....
>>>>
>>>> Now point the client's DNS "search" entry to point to the local site
>>>> first, then search the full name space:
>>>>
>>>> Boston client's /etc/resolv.conf:
>>>> search Boston._sites.ipa.domain.com ipa.domain.com
>>>>
>>>> London client's /etc/resolv.conf:
>>>> search London._sites.ipa.domain.com ipa.domain.com
>>>>
>>>> The main ipa.domain.com could still contain SRV records for all IPA
>>>> servers, or selected IPA servers at the central hub.
>>>>
>>>> I know I can do this manually within the DNS management in IPA today,
>>>> however it would be a lot easier to maintain "Sites" within the IPA webui/cli. *blink* ;)
>>>>
>>>> What are your thoughts on this?
>>>>
>>>> Regards,
>>>> Siggi
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> Freeipa-users at redhat.com
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>>
>>>
>>
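The _sites layout from Siggi's original post, as an added example that is not part of the thread and not FreeIPA or SSSD code: a small Python simulation of how a client's resolv.conf search list selects the site-local SRV records before the hub records. The zone data, server names and the hub zone's priority layout (hub servers preferred, remote servers as lower-preference fallbacks) are constructed assumptions; the post only says the hub zone "could" list all or selected servers. It goes a little beyond the post by ordering the returned records the way RFC 2782 prescribes (ascending priority, weighted random draw within a priority), which is what a client would do with them.

```python
"""Walk-through of the _sites SRV layout proposed in the thread.

Constructed example, not FreeIPA code. The zone data is invented to match
the post: per-site SRV records under Boston._sites / London._sites, hub
servers under ipa.domain.com, and a resolv.conf search list that tries
the local site first. The hub zone also listing every server at a lower
preference is an added assumption used to show SRV priority ordering.
"""
import random

# Constructed zone data: owner name -> SRV records (priority, weight, port, target).
# Owner names are stored lower-case because DNS names compare case-insensitively.
ZONE = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        (0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "boston-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        (0, 100, 389, "london-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "london-ipa-server2.ipa.domain.com"),
    ],
    # Hub zone: central servers preferred (priority 0), remote servers as
    # fallback (priority 10). Assumed layout; the post leaves this choice open.
    "_ldap._tcp.ipa.domain.com": [
        (0, 100, 389, "hub-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "hub-ipa-server2.ipa.domain.com"),
        (10, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (10, 100, 389, "london-ipa-server1.ipa.domain.com"),
    ],
}

# resolv.conf "search" lists as written in the post (mixed case on purpose).
BOSTON_SEARCH = ["Boston._sites.ipa.domain.com", "ipa.domain.com"]
LONDON_SEARCH = ["London._sites.ipa.domain.com", "ipa.domain.com"]
# A site that has no _sites zone of its own falls through to the hub records.
NOSITE_SEARCH = ["Paris._sites.ipa.domain.com", "ipa.domain.com"]


def order_srv(records, rng=random):
    """Order SRV records as RFC 2782 prescribes: ascending priority, and
    within one priority a weighted random draw without replacement."""
    ordered = []
    for prio in sorted({rec[0] for rec in records}):
        group = [rec for rec in records if rec[0] == prio]
        while group:
            total = sum(rec[1] for rec in group)
            pick = rng.randint(0, total)
            running = 0
            for rec in group:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    group.remove(rec)
                    break
    return ordered


def resolve_srv(name, search, zone=ZONE, rng=random):
    """Resolve a relative service name through the resolv.conf search list.

    Each suffix is appended in turn and the first owner name that has SRV
    records wins, so a client whose search list starts with its own site
    never sees the hub records unless the site zone is missing or empty.
    Returns (fully qualified owner name, ordered records) or (None, []).
    """
    if name.endswith("."):
        candidates = [name.rstrip(".").lower()]  # absolute name: no search list
    else:
        candidates = [f"{name}.{suffix}".lower() for suffix in search]
    for fqdn in candidates:
        records = zone.get(fqdn)
        if records:
            return fqdn, order_srv(records, rng)
    return None, []


def preferred_targets(name, search, zone=ZONE, rng=random):
    """Return the target host names in the order a client should try them."""
    _, records = resolve_srv(name, search, zone, rng)
    return [rec[3] for rec in records]


if __name__ == "__main__":
    for label, search in (("Boston", BOSTON_SEARCH), ("London", LONDON_SEARCH),
                          ("Paris", NOSITE_SEARCH)):
        owner, records = resolve_srv("_ldap._tcp", search)
        print(f"{label} client -> {owner}")
        for prio, weight, port, target in records:
            print(f"    {prio:>3} {weight:>4} {port} {target}")
```

The thing to notice is that the locality comes entirely from the resolver appending the search list to an unqualified name. A client that asks for the fully qualified `_ldap._tcp.ipa.domain.com` (the form a fixed discovery domain produces) never touches the site zone, which is why per-client search order and first-class site support in IPA or SSSD are separate questions in this thread.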




