Hi,

I think AD sort of does this which they have now backed away from?

From my very limited understanding having sub-domains/realms seems to be counter-productive... in that trying to do cross-realm trusts/passwords/user info becomes a nightmare? I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and student.vuw.ac.nz in a winsync (password) agreement, I don't know even if that's possible? Yet with a flat domain to flat domain it's easy?

regards

Steven Jones
Technical Specialist - Linux RHCE
Victoria University, Wellington, NZ
0064 4 463 6272

________________________________________
From: [email protected] [[email protected]] on behalf of Sigbjorn Lie [[email protected]]
Sent: Thursday, 20 October 2011 8:14 a.m.
To: [email protected]
Subject: [Freeipa-users] The concept of sites...

Hi,

Has there been given any thought to the concept of sites within IPA to improve cross-site implementations? This should be easy to implement as you are already using DNS SRV records to locate the ldap/kerberos servers.

E.g.

Site: Boston
Site: London

Create a subdomain of the IPA dns domain named _sites, and a subdomain of _sites for each site.

Boston._sites.ipa.domain.com would contain the srv entries for IPA servers in Boston:

_ldap._tcp in srv 0 100 389 boston-ipa-server1
_ldap._tcp in srv 0 100 389 boston-ipa-server2
.....

London._sites.ipa.domain.com would contain the srv entries for IPA servers in London:

_ldap._tcp in srv 0 100 389 london-ipa-server1
_ldap._tcp in srv 0 100 389 london-ipa-server2
....

Now point the client's DNS "search" entry to point to the local site first, then search the full name space:

Boston client's /etc/resolv.conf:
search Boston._sites.ipa.domain.com ipa.domain.com

London client's /etc/resolv.conf:
search London._sites.ipa.domain.com ipa.domain.com

The main ipa.domain.com could still contain srv records for all IPA servers, or selected IPA servers at the central hub.

I know I can do this manually within the DNS management in IPA today, however it would be a lot easier to maintain "Sites" within the IPA webui/cli. *blink* ;)

What are your thoughts on this?

Regards,
Siggi

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
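An added illustration of the site-aware lookup described in the thread (not code from either poster or from FreeIPA): a small Python model of a client walking its resolv.conf search list, taking the first suffix that yields SRV records, and ordering the answers the way an RFC 2782 client would. The zone contents, the hub server name and the priority-10 fallback entries are constructed for this example.

```python
import random
# Constructed zone data: SRV owner name -> [(priority, weight, port, target)].
# The _sites subdomains follow the thread's layout; the hub zone lists a central
# server at priority 0 and the site servers as priority-10 fallbacks (assumed).
ZONE = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        (0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "boston-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        (0, 100, 389, "london-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "london-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.ipa.domain.com": [
        (0, 100, 389, "hub-ipa-server1.ipa.domain.com"),
        (10, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (10, 100, 389, "london-ipa-server1.ipa.domain.com"),
    ],
}
def lookup_srv(service, search):
    """First search suffix yielding records wins, so a site zone shadows the hub."""
    for suffix in search:
        name = f"{service}.{suffix}".lower()   # DNS names are case-insensitive
        if name in ZONE:
            return name, list(ZONE[name])
    return None, []
def order_srv(records, rng=None):
    """RFC 2782 ordering: ascending priority, weighted random within a priority."""
    rng = rng or random.Random(0)              # fixed seed keeps the demo reproducible
    ordered = []
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            if total == 0:                     # all weights 0: keep zone order
                ordered.append(group.pop(0))
                continue
            pick = rng.randrange(total)        # weighted draw among the remaining
            for i, r in enumerate(group):
                pick -= r[1]
                if pick < 0:
                    ordered.append(group.pop(i))
                    break
    return ordered
def locate_servers(site, rng=None):
    """(zone used, ["host:port", ...]); a client with no site zone falls back."""
    search = ([f"{site}._sites.ipa.domain.com"] if site else []) + ["ipa.domain.com"]
    zone, records = lookup_srv("_ldap._tcp", search)
    return zone, [f"{t}:{p}" for _, _, p, t in order_srv(records, rng)]
```

A client whose site has no `_sites` zone (or whose site-local servers are missing) silently lands on the domain-wide records, which is worth monitoring if the site zones are meant to keep traffic local.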
