[Freeipa-users] zeroconf/bonjour & FreeIPA

Alexander Bokovoy abokovoy at redhat.com
Wed Sep 25 07:43:16 UTC 2013 

On Wed, 25 Sep 2013, Christian Horn wrote:
>On Wed, Sep 25, 2013 at 08:52:53AM +0200, Petr Spacek wrote:
>> On 25.9.2013 08:20, Christian Horn wrote:
>> >
>> >Hm.. another nice idea would be to announce services via
>> >zeroconf/bonjour.  I guess effectively its the same as having clients
>> >search in DNS "who offers service XYZ" which we already do for ker-
>> >beros, ldap etc.
>>
>> Interesting idea. Do you know any real use cases? I have not seen
>> Bonjour in real use except for network printers.
>
>It can be used for all protocols, so "generic service dis-
>covery".  So one could setup a client in a network and see
>"oh, someone offers XMPP service".  "Here are printers
>announcing services." "This DLNA server offers video
>streamin."
>
>I think the big window managers like gnome3 also started to
>use those and offer
>
>
>> Please create RFE ticket (request for enhancement) to prevent it
>> from falling through the cracks:
>> https://fedorahosted.org/freeipa/newticket
>
>Will do, bringing it up there makes definitely sense.
>But really curious on how widely (or if at all) there is
>interest in this.  I think this style of service discovery
>is currently more used in desktop environments than in
>server environments.
Before adding a support for this in FreeIPA it is worth to see if any of
supposed clients would already have it supported.

- OpenLDAP:
   - no support for zeroconf protocol though a request for adding that
     was filed in 2006: http://www.openldap.org/its/index.cgi/Contrib?id=4455
     and abandoned since 2007.

- MIT Kerberos:
   - no zeroconf support

- Heimdal Kereberos:
   - no zeroconf support

For Kerberos zeroconf integration represents some issues since it is
generally not guaranteed that IP address of the client would stay the
same through the life time of the zeroconf-based network application.
Kerberos protocol has some support for NAT-ed clients (a closest scheme
where a client IP may fluctuate during session time) so this might not
be a big deal, also given that LL networks aren't really in use where
Kerberos is in use. However, lack of zeroconf support in libkrb5 makes
questionable whole excercise.

After all, libkrb5 is able to configure itself, including default realm
information, through SRV and TXT records of the default DNS domain
supplied to the client.

If any other services managed by IPA server (i.e. the ones we can see in
'ipa service-find') need to be exposed to zeroconf-enabled clients, some
contextual information is needed in order to publish. A mere existence of
the record in IPA database does not mean the service is actually
available for use. In zeroconf it is duty of applications that provide
the services to publish them to the zeroconf clients. This means when
service is available, it is published (via avahi, for example). If
service is not running, it is not published.

-- 
/ Alexander Bokovoy

More information about the Freeipa-users mailing list