Has any thought been given to the concept of sites within IPA to improve cross-site implementations? This should be easy to implement as you are already using DNS SRV records to locate the ldap/kerberos servers.

Site: Boston
Site: London

Create a subdomain of the IPA dns domain named _sites, and a subdomain of _sites for each site.

Boston._sites.ipa.domain.com would contain the srv entries for IPA servers in Boston (targets written fully qualified so they do not get appended to the site zone's origin):
_ldap._tcp        IN    SRV    0 100 389 boston-ipa-server1.ipa.domain.com.
_ldap._tcp        IN    SRV    0 100 389 boston-ipa-server2.ipa.domain.com.

London._sites.ipa.domain.com would contain the srv entries for IPA servers in London:
_ldap._tcp        IN    SRV    0 100 389 london-ipa-server1.ipa.domain.com.
_ldap._tcp        IN    SRV    0 100 389 london-ipa-server2.ipa.domain.com.

Now point the client's DNS "search" entry at the local site first, then the full name space:
Boston client's /etc/resolv.conf:
search Boston._sites.ipa.domain.com ipa.domain.com

London client's /etc/resolv.conf:
search London._sites.ipa.domain.com ipa.domain.com

The main ipa.domain.com could still contain srv records for all IPA servers, or selected IPA servers at the central hub.

I know I can do this manually within the DNS management in IPA today, however it would be a lot easier to maintain "Sites" within the IPA webui/cli. *blink* ;)

What are your thoughts on this?


Freeipa-users mailing list
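To show how the search-list trick above behaves for a client, here is an added example (not code from the post or from the FreeIPA project) that models the proposed _sites zones in a small dict and walks the resolv.conf search order the way a stub resolver would; the zone contents, the hub records and all host names are constructed for illustration.

```python
"""Site-aware SRV lookup over the _sites layout sketched in the post.

Constructed example: zone data, host names and resolver logic are
illustrative assumptions, not FreeIPA's actual DNS content or client code.
"""
from typing import Dict, List, NamedTuple, Optional, Tuple


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str  # fully qualified, as it must be in the real zone


# Constructed zone: SRV records keyed by fully qualified owner name.
ZONE: Dict[str, List[SRV]] = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        SRV(0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        SRV(0, 100, 389, "boston-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        SRV(0, 100, 389, "london-ipa-server1.ipa.domain.com"),
        SRV(0, 100, 389, "london-ipa-server2.ipa.domain.com"),
    ],
    # Hub zone lists every server; remote site servers get a worse
    # (higher) priority so the hub is preferred when the site zone is missing.
    "_ldap._tcp.ipa.domain.com": [
        SRV(0, 100, 389, "hub-ipa-server1.ipa.domain.com"),
        SRV(10, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        SRV(10, 100, 389, "london-ipa-server1.ipa.domain.com"),
    ],
}


def query_srv(zone: Dict[str, List[SRV]], name: str) -> List[SRV]:
    """DNS names are case-insensitive; normalise before lookup."""
    return zone.get(name.lower().rstrip("."), [])


def resolve_with_search(zone, service: str, search: List[str]) -> Tuple[Optional[str], List[SRV]]:
    """Walk the resolv.conf search list: the first suffix that yields SRV
    records wins, so a Boston client only falls back to the hub zone when
    its own site zone has no records."""
    for suffix in search:
        records = query_srv(zone, f"{service}.{suffix}")
        if records:
            return suffix, records
    return None, []


def order_targets(records: List[SRV]) -> List[str]:
    """RFC 2782 ordering: lowest priority first; ties by descending weight
    (deterministic here instead of a real client's weighted-random pick)."""
    return [r.target for r in sorted(records, key=lambda r: (r.priority, -r.weight, r.target))]
```

The choice of server here rests entirely on unauthenticated DNS answers, so clients still need Kerberos or TLS to verify that whichever target they reach is a legitimate IPA server.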
