[Freeipa-users] dns location based discovery

Petr Spacek pspacek at redhat.com
Wed Jun 1 07:40:02 UTC 2016


On 31.5.2016 17:41, Winfried de Heiden wrote:
> Hi all,
> 
> I've been playing on this topic but one can implement services discovery. 
> Although it looks a bit dirty, you add _sites support to IPA by manually creating 
> a DNS zone, something like:
> 
> _tcp.locationX._sites.example.com
> and
> _tcp.locationY._sites.example.com
> 
> and put two SRV records, _ldap and _kerberos, in it.
> 
> Now, add "dns_discovery_domain = locationX._sites.example.com" or 
> "dns_discovery_domain = locationY._sites.example.com"
> 
> dns location based discovery is there...?

In principle yes, it should work just fine if you edit sssd.conf on all clients.

FreeIPA 4.4.0 will make maintenance of it simpler and will remove the
requirement to reconfigure SSSD on clients.

Petr^2 Spacek

> 
> Just curious....!
> 
> Winny
> 
> On 30-05-16 at 18:39, Martin Basti wrote:
>>
>> On 30.05.2016 18:16, Winfried de Heiden wrote:
>>> Hi all,
>>> Thanks for the quick answer even though I sent it to the wrong email address.
>>> About "Please note that for AD users (which is IIRC the majority of your 
>>> environment), SSSD should
>>> already choose the right site." I noticed that, but I was curious about the 
>>> IPA part as well....
>>>
>>> Now, it looks like this is going to be an item for IPA 4.4 
>>> (http://www.freeipa.org/page/V4/DNS_Location_Mechanism/)
>>> Will it be?
>> Yes it will be there (unless something very very bad happens)
>>
>>>
>>> IPA 4.4 is announced "the end of May". When can we expect FreeIPA 4.4? I'm 
>>> curious to test....
>>
>> Soon :)
>>
>> Martin
>>>
>>> Kind regards,
>>>
>>> Winny
>>>
>>> On 30-05-16 at 17:54, Jakub Hrozek wrote:
>>>>
>>>> On Mon, May 30, 2016 at 05:22:33PM +0200, Sumit Bose wrote:
>>>>>
>>>>> On Mon, May 30, 2016 at 05:13:35PM +0200, Winfried de Heiden wrote:
>>>>>>
>>>>>> Hi all,
>>>>>>
>>>>>> The sssd-ipa man page will tell:
>>>>>>
>>>>>>        ipa_enable_dns_sites (boolean)
>>>>>>            Enables DNS sites - location based service discovery.
>>>>>>
>>>>>>            If true and service discovery (see Service Discovery paragraph
>>>>>>            at the bottom of the man page) is enabled, then the SSSD will first
>>>>>>            attempt location based discovery using a query that contains
>>>>>>            "_location.hostname.example.com" and then fall back to traditional SRV
>>>>>>            discovery. If the location based discovery succeeds, the IPA
>>>>>>            servers located with the location based discovery are treated as primary
>>>>>>            servers and the IPA servers located using the traditional SRV
>>>>>>            discovery are used as back up servers
>>>>>>
>>>>>> After enabling it in an EL 6.8 IPA client (together with some debugging) this
>>>>>> will show up in the sssd logging:
>>>>>>
>>>>>> (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]] [resolv_discover_srv_next_domain] (0x0400): SRV resolution of service 'ldap'. Will use DNS discovery domain '_location.ipa-client-6.blabla.bla'
>>>>>> (Mon May 30 16:51:08 2016) [sssd[be[blabla.bla]]] [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp._location.ipa-client-6.blabla.bla'
>>>>>>
>>>>>> Since this option is mentioned in the sssd-ipa man page, it suggests I could
>>>>>> implement this location based service discovery. But how? Any documentation on
>>>>>> this? How to implement on the server? How to implement a location on the client
>>>>>> (while running ipa-client-install)
>>>>>>
>>>>>> Hope someone can help, it would be nice a client will choose the correct server
>>>>>> based on its location...
>>>>>
>>>>> In this case SSSD was a bit faster than the server side. Please monitor 
>>>>> https://fedorahosted.org/freeipa/ticket/2008 for the progress. There is a 
>>>>> link to a design page with more details as well.
>>>>>
>>>>> HTH
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>> P.S. I changed the mailing-list address to @redhat.com.
>>>>
>>>> btw Winfried, I saw today the case you filed. Please note that for AD users 
>>>> (which is IIRC the majority of your environment), SSSD should already choose 
>>>> the right site. The RFE Sumit linked is 'just' about the IPA side of the 
>>>> equation.
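
An added example, not part of the original thread or of FreeIPA/SSSD: a small Python lint for the hand-maintained per-location SRV records described above, checking the names a client with a given `dns_discovery_domain` would look up. The record data, the host names `ipa1`/`ipa2.example.com` and all function names are constructed for illustration; ports 389 and 88 are the standard LDAP and Kerberos ports.

```python
# Added example: lint hand-maintained per-location SRV records.
# All record data below is constructed; host names are hypothetical.
SAMPLE_RECORDS = """\
_ldap._tcp.locationX._sites.example.com.     86400 IN SRV 0 100 389 ipa1.example.com.
_kerberos._tcp.locationX._sites.example.com. 86400 IN SRV 0 100 88  ipa1.example.com.
_ldap._tcp.locationY._sites.example.com.     86400 IN SRV 0 100 389 ipa2.example.com.
_ldap._tcp.locationY._sites.example.com.     86400 IN SRV 10 100 389 ipa1.example.com.
"""

REQUIRED = {"ldap": 389, "kerberos": 88}  # the two services named in the thread


def parse_srv(text):
    """Return {owner_name: [(priority, weight, port, target), ...]}."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[2:4] != ["IN", "SRV"]:
            continue  # skip blanks, comments and non-SRV lines
        owner = fields[0].rstrip(".").lower()
        prio, weight, port = (int(f) for f in fields[4:7])
        records.setdefault(owner, []).append((prio, weight, port, fields[7]))
    return records


def check_location(records, discovery_domain):
    """Lint the SRV sets a client with this dns_discovery_domain would query."""
    problems = []
    for service, port in REQUIRED.items():
        # Same name shape as the SSSD log line quoted in the thread:
        # _<service>._tcp.<discovery domain>
        qname = f"_{service}._tcp.{discovery_domain}".lower()
        rrset = records.get(qname, [])
        if not rrset:
            problems.append(f"{qname}: no SRV record")
        for _prio, _weight, rport, target in rrset:
            if rport != port:
                problems.append(f"{qname}: port {rport}, expected {port}")
            if not target.endswith("."):
                problems.append(f"{qname}: target {target} is not fully qualified")
    return problems


def servers_in_order(records, service, discovery_domain):
    """Targets for one service, lowest priority value first (RFC 2782)."""
    rrset = records.get(f"_{service}._tcp.{discovery_domain}".lower(), [])
    return [t.rstrip(".") for _p, _w, _port, t in sorted(rrset)]
```

With the constructed data, locationX passes cleanly while locationY is reported as missing its `_kerberos` record, the kind of gap that is easy to introduce when each location zone is edited by hand.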



