Has there been given any thought to the concept of sites within IPA to
improve cross-site implementations? This should be easy to implement as
you are already using DNS SRV records to locate the ldap/kerberos servers.
Create a subdomain of the IPA dns domain named _sites, and a subdomain
of _sites for each site.
Boston._sites.ipa.domain.com would contain the srv entries for IPA
servers in Boston:
_ldap._tcp IN SRV 0 100 389 boston-ipa-server1
_ldap._tcp IN SRV 0 100 389 boston-ipa-server2
London._sites.ipa.domain.com would contain the srv entries for IPA
servers in London:
_ldap._tcp IN SRV 0 100 389 london-ipa-server1
_ldap._tcp IN SRV 0 100 389 london-ipa-server2
Now set the client's DNS "search" entry to point to the local site
first, then search the full name space:
Boston client's /etc/resolv.conf:
search Boston._sites.ipa.domain.com ipa.domain.com
London client's /etc/resolv.conf:
search London._sites.ipa.domain.com ipa.domain.com
The main ipa.domain.com could still contain srv records for all IPA
servers, or selected IPA servers at the central hub.
I know I can do this manually within the DNS management in IPA today,
however it would be a lot easier to maintain "Sites" within the IPA
webui/cli. *blink* ;)
What are your thoughts on this?
Freeipa-users mailing list
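The lookup behaviour the post relies on, as an added example that is not part of the original post or of FreeIPA: a client walks its search list, takes the first suffix that returns `_ldap._tcp` SRV records, and then orders those records by priority and weight as RFC 2782 describes. The zone data is constructed for the example and stands in for real DNS so the script runs offline; the owner names, server names and the hub record at priority 10 are assumptions that mirror the layout proposed above.

```python
"""Site-aware SRV lookup modeled on the _sites layout proposed in the post.

Added example, not code from the original post or from FreeIPA.  The ZONE
dict below is constructed for the example and replaces a real DNS query so
the script runs offline.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone: owner name -> SRV records in zone-file form.  The site
# subdomains carry only local servers; the top-level domain carries one
# server per site plus an assumed hub server at a lower priority (10).
ZONE = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        "_ldap._tcp IN SRV 0 100 389 boston-ipa-server1",
        "_ldap._tcp IN SRV 0 100 389 boston-ipa-server2",
    ],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        "_ldap._tcp IN SRV 0 100 389 london-ipa-server1",
        "_ldap._tcp IN SRV 0 100 389 london-ipa-server2",
    ],
    "_ldap._tcp.ipa.domain.com": [
        "_ldap._tcp IN SRV 0 50 389 boston-ipa-server1",
        "_ldap._tcp IN SRV 0 50 389 london-ipa-server1",
        "_ldap._tcp IN SRV 10 100 389 hub-ipa-server1",
    ],
}


def parse_srv(line):
    """Parse '<owner> IN SRV <priority> <weight> <port> <target>'."""
    f = line.split()
    if len(f) != 7 or f[1].upper() != "IN" or f[2].upper() != "SRV":
        raise ValueError("not an SRV record: %r" % line)
    return Srv(int(f[3]), int(f[4]), int(f[5]), f[6])


def lookup_srv(service, name, zone=ZONE):
    """Stand-in for a DNS SRV query; DNS names are case-insensitive."""
    owner = ("%s.%s" % (service, name)).lower().rstrip(".")
    return [parse_srv(rec) for rec in zone.get(owner, [])]


def resolve_with_search(service, search_list, zone=ZONE):
    """Emulate resolv.conf 'search': the first suffix with an answer wins.

    Returns (suffix, records); (None, []) when no suffix answers.
    """
    for suffix in search_list:
        records = lookup_srv(service, suffix, zone)
        if records:
            return suffix, records
    return None, []


def order_by_rfc2782(records, rng=None):
    """Order SRV records: ascending priority, then weighted random selection
    within each priority level, with weight-0 records placed first so they
    are only chosen when the random pick is 0 (RFC 2782 section 'Usage')."""
    rng = rng or random.Random()
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = sorted((r for r in records if r.priority == prio),
                        key=lambda r: r.weight != 0)
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total)
            running = 0
            for r in bucket:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered


def choose_ldap_servers(search_list, zone=ZONE, rng=None):
    """Full client-side procedure: search-list fallback, then RFC 2782 order."""
    _, records = resolve_with_search("_ldap._tcp", search_list, zone)
    return [(r.target, r.port) for r in order_by_rfc2782(records, rng)]


if __name__ == "__main__":
    for site in ("Boston", "London", "Paris"):
        search = ["%s._sites.ipa.domain.com" % site, "ipa.domain.com"]
        print(site, "->", choose_ldap_servers(search, rng=random.Random(1)))
```

Two checks worth making before relying on this in production. First, confirm the client actually applies the search list to SRV names: many resolver libraries and SSSD query the fully qualified `_ldap._tcp.<domain>` directly (SSSD's `dns_discovery_domain` is the knob for pointing it at a site subdomain), so the resolv.conf trick only works where the library does suffix searching. Second, whoever can answer for `<site>._sites.ipa.domain.com`, or make it return NXDOMAIN so the client falls through to the parent, chooses which servers clients talk to; treat the SRV answer as a hint and keep server identity anchored in Kerberos and TLS verification of the target name, not in DNS.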