Hi Ondrej,

Thanks. That RFE is for the SSSD client only. I would like to see the management of sites within the IPA webui/cli.

Regards,
Siggi

On Thu, October 20, 2011 09:02, Ondrej Valousek wrote:
> I have come across this already, BZ already created:
>
> https://fedorahosted.org/sssd/ticket/1032
>
> On 10/19/2011 10:25 PM, Sigbjorn Lie wrote:
>
>> The London/newyork dns sub-domains would be used for looking up srv records
>> for the local kerberos/ldap servers only. The actual domain configured on the
>> client and the kerberos and LDAP base would still be the ipa.domain.com.
>>
>> Sync with AD would still be done between ipa.domain.com <-> ad.domain.com.
>>
>> Rgds,
>> Siggi
>>
>> On Wed, October 19, 2011 22:15, Steven Jones wrote:
>>
>>> Ah right, yes, one realm.
>>>
>>> However how would you password sync with AD?
>>>
>>> So say London.ad.ms.com and Newyork.ad.ms.com
>>>
>>> With NY as the "head"
>>>
>>> So with london.ipa.unix.com and newyork.ipa.unix.com
>>>
>>> Is there still only one winsync agreement?
>>>
>>> regards
>>>
>>> Steven Jones
>>>
>>> Technical Specialist - Linux RHCE
>>>
>>> Victoria University, Wellington, NZ
>>>
>>> 0064 4 463 6272
>>>
>>> ________________________________________
>>> From: Sigbjorn Lie [[email protected]]
>>> Sent: Thursday, 20 October 2011 9:11 a.m.
>>> To: Steven Jones
>>> Cc: [email protected]
>>> Subject: RE: [Freeipa-users] The concept of sites...
>>>
>>> I see your point with a messy dns infrastructure, however this would happen
>>> in the background.
>>>
>>> You would still only have one kerberos realm per IPA instance.
>>>
>>> Rgds,
>>> Siggi
>>>
>>> On Wed, October 19, 2011 21:30, Steven Jones wrote:
>>>
>>>> Hi,
>>>>
>>>> I think AD sort of does this which they have now backed away from?
>>>>
>>>> From my very limited understanding having sub-domains/realms seems to be
>>>> counter-productive....in that trying to do cross-realm
>>>> trusts/passwords/user info becomes a nightmare?
>>>>
>>>> I know somehow I have to get unix.vuw.ac.nz to talk to staff.vuw.ac.nz and
>>>> student.vuw.ac.nz in a winsync (password) agreement, I don't know even if
>>>> that's possible? Yet with a flat domain to flat domain it's easy?
>>>>
>>>> regards
>>>>
>>>> Steven Jones
>>>>
>>>> Technical Specialist - Linux RHCE
>>>>
>>>> Victoria University, Wellington, NZ
>>>>
>>>> 0064 4 463 6272
>>>>
>>>> ________________________________________
>>>> From: [email protected] [[email protected]] on behalf of Sigbjorn Lie [[email protected]]
>>>> Sent: Thursday, 20 October 2011 8:14 a.m.
>>>> To: [email protected]
>>>> Subject: [Freeipa-users] The concept of sites...
>>>>
>>>> Hi,
>>>>
>>>> Has any thought been given to the concept of sites within IPA to
>>>> improve cross-site implementations? This should be easy to implement as
>>>> you are already using DNS SRV records to locate the ldap/kerberos servers.
>>>>
>>>> E.g.
>>>> Site: Boston
>>>> Site: London
>>>>
>>>> Create a subdomain of the IPA dns domain named _sites, and a subdomain
>>>> of _sites for each site.
>>>>
>>>> Boston._sites.ipa.domain.com would contain the srv entries for IPA
>>>> servers in Boston:
>>>>   _ldap._tcp in srv 0 100 389 boston-ipa-server1
>>>>   _ldap._tcp in srv 0 100 389 boston-ipa-server2
>>>>   .....
>>>>
>>>> London._sites.ipa.domain.com would contain the srv entries for IPA
>>>> servers in London:
>>>>   _ldap._tcp in srv 0 100 389 london-ipa-server1
>>>>   _ldap._tcp in srv 0 100 389 london-ipa-server2
>>>>   ....
>>>>
>>>> Now point the client's DNS "search" entry to point to the local site
>>>> first, then search the full name space:
>>>>
>>>> Boston client's /etc/resolv.conf:
>>>>   search Boston._sites.ipa.domain.com ipa.domain.com
>>>>
>>>> London client's /etc/resolv.conf:
>>>>   search London._sites.ipa.domain.com ipa.domain.com
>>>>
>>>> The main ipa.domain.com could still contain srv records for all IPA
>>>> servers, or selected IPA servers at the central hub.
>>>>
>>>> I know I can do this manually within the DNS management in IPA today,
>>>> however it would be a lot easier to maintain "Sites" within the IPA
>>>> webui/cli. *blink* ;)
>>>>
>>>> What are your thoughts on this?
>>>>
>>>> Regards,
>>>> Siggi
>>>>
>>>> _______________________________________________
>>>> Freeipa-users mailing list
>>>> [email protected]
>>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>>
>>
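Added example, not from the thread or from FreeIPA itself: a small Python simulation of the resolver behaviour Siggi's _sites proposal relies on. A stub resolver tries each resolv.conf search suffix in order, so a Boston client finds the site-local _ldap._tcp RRset before the hub zone is ever consulted, while a client whose site zone does not exist falls through to ipa.domain.com. The zone data, fully qualified target names and the hub server are constructed for the example; target ordering follows the SRV priority/weight rules of RFC 2782.

```python
import random

# Constructed zone data mirroring the proposed layout: each owner name maps to
# its SRV records as (priority, weight, port, target). Names are made up.
ZONES = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        (0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "boston-ipa-server2.ipa.domain.com")],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        (0, 100, 389, "london-ipa-server1.ipa.domain.com"),
        (0, 100, 389, "london-ipa-server2.ipa.domain.com")],
    # Hub zone: hub server preferred (lower priority value), sites as backup.
    "_ldap._tcp.ipa.domain.com": [
        (0, 100, 389, "hub-ipa-server1.ipa.domain.com"),
        (10, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        (10, 100, 389, "london-ipa-server1.ipa.domain.com")],
}

def lookup_srv(service, search_list, zones=ZONES):
    """Try each resolv.conf search suffix in order, as a stub resolver does for
    an unqualified name, and return the first SRV RRset found (None if none)."""
    for suffix in search_list:
        rrset = zones.get(f"{service}.{suffix}".lower())
        if rrset:
            return rrset
    return None

def order_srv(rrset, rng=random):
    """Order targets per RFC 2782: lowest priority first, weighted-random
    selection inside each priority. Returns [(target, port), ...]."""
    by_prio = {}
    for prio, weight, port, target in rrset:
        by_prio.setdefault(prio, []).append((weight, port, target))
    ordered = []
    for prio in sorted(by_prio):
        pool = by_prio[prio]
        while pool:
            pick = rng.randint(0, sum(w for w, _, _ in pool))
            running = 0
            for i, (weight, port, target) in enumerate(pool):
                running += weight
                if running >= pick:
                    ordered.append((target, port))
                    del pool[i]
                    break
    return ordered

def servers_for_client(search_list, service="_ldap._tcp", seed=1):
    """Servers a client with this search list would contact, in order."""
    rrset = lookup_srv(service, search_list)
    return order_srv(rrset, random.Random(seed)) if rrset else []
```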
