On 01/18/2012 03:38 PM, Ian Levesque wrote:
> On Jan 18, 2012, at 2:08 PM, Stephen Gallagher wrote:
>> On Wed, 2012-01-18 at 12:17 -0500, Ian Levesque wrote:
>>> Hello,
>>> I'm running IPA version 2.1.3-9 on RHEL 6.2 and just configured
>>> master/master replication. From what I can tell in the documentation
>>> [1], all of the client-discovering-a-replica magic happens via SRV
>>> records in DNS. This is quite different from what I'm used to, coming
>>> from managing an Open Directory service in which the replicated
>>> server's FQDN is passed on to the client through LDAP as an additional
>>> LDAP/KDC server to add to the client's local config.
>>> My question is how can I take advantage of replication if we're not
>>> using the FreeIPA-blessed DNS server? Do I need to manually tweak the
>>> SSSD config to make it aware of a second LDAP/KDC server? Is there a
>>> hidden flag I can pass ipa-client-install to do this for me?
>> In addition to Dmitri's comments (and mine in the "Forcing IPA clients
>> to prioritise different IPA Servers" thread) you should be aware that
>> just because you're not using FreeIPA as the DNS server, it doesn't mean
>> that you can't use SRV records to solve this problem.
>> The SRV records are looked up on whatever DNS server is configured
>> in /etc/resolv.conf. So if you ask your DNS administrator to add SRV
>> records for your FreeIPA replicas, you can still continue this way.
>> Otherwise, your best bet is to edit the sssd.conf directly (for now. As
>> Dmitri says, we're looking at other approaches for future FreeIPA
>> releases).
> Many thanks to both of you for your replies. I'm curious why you don't employ 
> a feature similar to Apple's approach, where replica information is passed to 
> the client. In this scenario, SSSD can be notified of the configuration and 
> handle it automatically... I'm personally not a big fan of using DNS for 
> service management, and would prefer to have the server and client hash it 
> out amongst themselves. That said, I appreciate the workaround and can easily 
> incorporate it into our deployment workflow.
We looked into passing configuration at early stages but seemed to be
much more complex and less extensible than DNS based solution.

> Best regards,
> Ian
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

Looking to carve out IT costs?

Freeipa-users mailing list

Reply via email to