Re: [Freeipa-users] Replication for sites not using FreeIPA for DNS?

2012-01-18 Thread Dmitri Pal
On 01/18/2012 12:17 PM, Ian Levesque wrote:
 Hello,

 I'm running IPA version 2.1.3-9 on RHEL 6.2 and just configured master/master 
 replication. From what I can tell in the documentation [1], all of the 
 client-discovering-a-replica magic happens via SRV records in DNS. This is 
 quite different from what I'm used to, coming from managing an Open Directory 
 service in which the replicated server's FQDN is passed on to the client 
 through LDAP as an additional LDAP/KDC server to add to the client's local 
 config.

 My question is how can I take advantage of replication if we're not using the 
 FreeIPA-blessed DNS server? Do I need to manually tweak the SSSD config to 
 make it aware of a second LDAP/KDC server? Is there a hidden flag I can pass 
 ipa-client-install to do this for me?


The answer is in today's thread called "Forcing IPA clients to
prioritise different IPA Servers". See the comment from Stephen Gallagher.
He describes what to set in the SSSD config explicitly to identify the
servers that will be used.

 Thanks for any insight!
 Ian


 --
 [1] 
 http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#ipa-servers-replicas

 ___
 Freeipa-users mailing list
 Freeipa-users@redhat.com
 https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.


---
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/





Re: [Freeipa-users] Replication for sites not using FreeIPA for DNS?

2012-01-18 Thread Ian Levesque

On Jan 18, 2012, at 2:08 PM, Stephen Gallagher wrote:

 On Wed, 2012-01-18 at 12:17 -0500, Ian Levesque wrote:
 Hello,
 
 I'm running IPA version 2.1.3-9 on RHEL 6.2 and just configured
 master/master replication. From what I can tell in the documentation
 [1], all of the client-discovering-a-replica magic happens via SRV
 records in DNS. This is quite different from what I'm used to, coming
 from managing an Open Directory service in which the replicated
 server's FQDN is passed on to the client through LDAP as an additional
 LDAP/KDC server to add to the client's local config.
 
 My question is how can I take advantage of replication if we're not
 using the FreeIPA-blessed DNS server? Do I need to manually tweak the
 SSSD config to make it aware of a second LDAP/KDC server? Is there a
 hidden flag I can pass ipa-client-install to do this for me?
 
 
 In addition to Dmitri's comments (and mine in the Forcing IPA clients
 to prioritise different IPA Servers thread) you should be aware that
 just because you're not using FreeIPA as the DNS server, it doesn't mean
 that you can't use SRV records to solve this problem.
 
 The SRV records are looked up on whatever DNS server is configured
 in /etc/resolv.conf. So if you ask your DNS administrator to add SRV
 records for your FreeIPA replicas, you can still continue this way.
 
 Otherwise, your best bet is to edit the sssd.conf directly (for now. As
 Dmitri says, we're looking at other approaches for future FreeIPA
 releases).

Many thanks to both of you for your replies. I'm curious why you don't employ a 
feature similar to Apple's approach, where replica information is passed to the 
client. In this scenario, SSSD can be notified of the configuration and handle 
it automatically... I'm personally not a big fan of using DNS for service 
management, and would prefer to have the server and client hash it out amongst 
themselves. That said, I appreciate the workaround and can easily incorporate 
it into our deployment workflow.

Best regards,
Ian
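Added example (not code from the thread, FreeIPA or SSSD): it shows what the SRV-based discovery Stephen describes actually does on the client side, i.e. how a resolver orders `_ldap._tcp` answers by priority and weight per RFC 2782, and renders the explicit `ipa_server` failover list for sssd.conf that is the fallback when the site's DNS carries no SRV records. The SRV answer set and hostnames are constructed; the `rng` parameter exists only so the selection can be tested deterministically, and the `ipa_server = _srv_, host, ...` syntax is assumed from the sssd-ipa manual.

```python
"""RFC 2782 SRV ordering plus the sssd.conf fallback list (added example)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer for _ldap._tcp.example.test (hostnames are made up).
SAMPLE_LDAP_SRV = [
    SRV(10, 50, 389, "ipa-b.example.test."),    # backup site, only if prio 0 fails
    SRV(0, 0, 389, "ipa-old.example.test."),    # weight 0: picked only as last resort
    SRV(0, 100, 389, "ipa-a.example.test."),
    SRV(0, 100, 389, "ipa-c.example.test."),
]


def order_srv(records, rng=random):
    """Order SRV records the way a client should (RFC 2782): lowest priority
    first; inside one priority, weighted random selection without replacement,
    with weight-0 entries placed first so they are almost never chosen early."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        pool = [r for r in group if r.weight == 0] + [r for r in group if r.weight > 0]
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)          # uniform in [0, total], inclusive
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:               # first running sum >= pick wins
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def sssd_ipa_server_line(records, rng=random):
    """Render the explicit failover list for the [domain/...] section of
    sssd.conf: `_srv_` keeps DNS discovery first, the named hosts follow in the
    order the client would otherwise derive from the SRV answer."""
    hosts = [r.target.rstrip(".") for r in order_srv(records, rng)]
    return "ipa_server = _srv_, " + ", ".join(hosts)
```

With a site DNS that can host SRV records, the same hostnames go into `_ldap._tcp` and `_kerberos._udp` records instead, and `ipa_server = _srv_` alone is enough.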




Re: [Freeipa-users] Replication for sites not using FreeIPA for DNS?

2012-01-18 Thread Dmitri Pal
On 01/18/2012 03:38 PM, Ian Levesque wrote:
 On Jan 18, 2012, at 2:08 PM, Stephen Gallagher wrote:

 On Wed, 2012-01-18 at 12:17 -0500, Ian Levesque wrote:
 Hello,

 I'm running IPA version 2.1.3-9 on RHEL 6.2 and just configured
 master/master replication. From what I can tell in the documentation
 [1], all of the client-discovering-a-replica magic happens via SRV
 records in DNS. This is quite different from what I'm used to, coming
 from managing an Open Directory service in which the replicated
 server's FQDN is passed on to the client through LDAP as an additional
 LDAP/KDC server to add to the client's local config.

 My question is how can I take advantage of replication if we're not
 using the FreeIPA-blessed DNS server? Do I need to manually tweak the
 SSSD config to make it aware of a second LDAP/KDC server? Is there a
 hidden flag I can pass ipa-client-install to do this for me?

 In addition to Dmitri's comments (and mine in the Forcing IPA clients
 to prioritise different IPA Servers thread) you should be aware that
 just because you're not using FreeIPA as the DNS server, it doesn't mean
 that you can't use SRV records to solve this problem.

 The SRV records are looked up on whatever DNS server is configured
 in /etc/resolv.conf. So if you ask your DNS administrator to add SRV
 records for your FreeIPA replicas, you can still continue this way.

 Otherwise, your best bet is to edit the sssd.conf directly (for now. As
 Dmitri says, we're looking at other approaches for future FreeIPA
 releases).
 Many thanks to both of you for your replies. I'm curious why you don't employ 
 a feature similar to Apple's approach, where replica information is passed to 
 the client. In this scenario, SSSD can be notified of the configuration and 
 handle it automatically... I'm personally not a big fan of using DNS for 
 service management, and would prefer to have the server and client hash it 
 out amongst themselves. That said, I appreciate the workaround and can easily 
 incorporate it into our deployment workflow.

We looked into passing configuration at early stages, but it seemed to be
much more complex and less extensible than a DNS-based solution.


 Best regards,
 Ian






-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
