Bug 1813853

Summary: [RFE] Implement IdM DNS Location support for clients not using IdM DNS service
Product: Red Hat Enterprise Linux 8
Reporter: Martin Kosek <mkosek>
Component: sssd
Assignee: Pavel Březina <pbrezina>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: sssd-qe <sssd-qe>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.0
CC: afarley, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, thalman, tscherf
Target Milestone: rc
Keywords: FutureFeature, Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-03-09 13:47:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Martin Kosek 2020-03-16 10:08:38 UTC
Description of problem:
Some environments need to ensure that clients in a given physical location only contact IdM servers from that site, as authentication against IdM servers in other sites is too expensive and causes authentication delays.

IdM Server does support DNS locations, as documented in [1]. The default means of configuring the support on the IdM client side is the ipa_enable_dns_sites setting [2]. However, ipa_enable_dns_sites will only work reliably if the DNS server that a client uses supports queries for "_location.<client hostname>", which is only supported by the IdM DNS service (bind-dyndb-ldap). This RFE is a request for a configuration that will also support environments with non-IdM DNS resolvers.

A *workaround* can be configuring "dns_discovery_domain" [3] and pinning it to "<site>._locations.<ipa-domain>", where <site> is the configured IdM Server Location for that given site.

A proposed solution could be the ability to define "ipa_site = <site>", similar to the existing "ad_site" setting, that would pin SSSD to use the DNS SRV records from <site>._locations.<ipa-domain>.


[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-locations

[2] ipa_enable_dns_sites (boolean)
    Enables DNS sites - location based service discovery.

    If true and service discovery (see Service Discovery paragraph at the bottom of the man page) is enabled, then the SSSD will first attempt location based discovery using a query that contains "_location.hostname.example.com" and then fall back to traditional SRV discovery. If the location based discovery succeeds, the IPA servers located with the location based discovery are treated as primary servers and the IPA servers located using the traditional SRV discovery are used as backup servers.

    Default: false

[3] dns_discovery_domain (string)
    If service discovery is used in the back end, specifies the domain part of the service discovery DNS query.

    Default: Use the domain part of machine's hostname
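
The discovery behaviour the report relies on, as an added illustration that is not SSSD's code or part of the original report: SSSD builds its SRV query as _<service>._<proto>.<discovery domain>, so pinning dns_discovery_domain to <site>._locations.<ipa-domain> (the workaround) or a hypothetical ipa_site setting (the proposal) makes the location-specific records the primary set, with the traditional _ldap._tcp.<domain> lookup kept as the backup set per the man page text above. The resolver is a constructed stub with made-up zone data (domain example.test, site names "prague" and "brno"), so the script runs offline; the deduplication of backup servers already found as primaries is this example's choice, not documented SSSD behaviour.

```python
"""Site-pinned IPA server discovery, illustrating the dns_discovery_domain workaround
and the proposed ipa_site option. Stub resolver and zone data are constructed."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data standing in for what a DNS server would answer.
# The <site>._locations.<domain> subtree carries per-location priorities;
# the plain _ldap._tcp.<domain> set is location-agnostic.
ZONE = {
    "_ldap._tcp.prague._locations.example.test": [
        SRV(0, 100, 389, "ipa1.prague.example.test"),
        SRV(50, 100, 389, "ipa1.brno.example.test"),
    ],
    "_ldap._tcp.example.test": [
        SRV(0, 100, 389, "ipa1.prague.example.test"),
        SRV(0, 100, 389, "ipa1.brno.example.test"),
    ],
}


def site_discovery_domain(site: str, ipa_domain: str) -> str:
    """The value the workaround pins dns_discovery_domain to."""
    return f"{site}._locations.{ipa_domain}"


def workaround_sssd_conf(site: str, ipa_domain: str) -> str:
    """The [domain/...] line from the report's workaround, for a non-IdM resolver."""
    return f"dns_discovery_domain = {site_discovery_domain(site, ipa_domain)}"


def srv_name(service: str, proto: str, discovery_domain: str) -> str:
    """SRV owner name SSSD queries: _<service>._<proto>.<discovery domain>."""
    return f"_{service}._{proto}.{discovery_domain}"


def order_srv(records, rng=None):
    """RFC 2782 ordering: ascending priority, weighted random pick within a priority."""
    rng = rng or random.Random(0)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            total = sum(r.weight for r in bucket)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in bucket:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered


def discover(site, ipa_domain, resolve, service="ldap", proto="tcp"):
    """Location-based lookup first (pinned to the site), traditional SRV lookup as backup.
    Returns (primary_targets, backup_targets). An empty primary list is the failure mode
    when the resolver does not serve the _locations subtree or the site name is wrong."""
    primary = order_srv(resolve(srv_name(service, proto, site_discovery_domain(site, ipa_domain))))
    backup = order_srv(resolve(srv_name(service, proto, ipa_domain)))
    seen = {r.target for r in primary}  # example's choice: do not repeat primaries as backups
    return [r.target for r in primary], [r.target for r in backup if r.target not in seen]


def stub_resolve(name: str):
    """Constructed resolver: returns the zone's records for an SRV owner name, or nothing."""
    return list(ZONE.get(name, []))


if __name__ == "__main__":
    print(workaround_sssd_conf("prague", "example.test"))
    print(discover("prague", "example.test", stub_resolve))
    print(discover("nowhere", "example.test", stub_resolve))
```

Run against a real resolver, the equivalent check is whether the non-IdM DNS answers an SRV query for _ldap._tcp.<site>._locations.<ipa-domain> at all; if it does not, the primary list is empty and the client silently degrades to the location-agnostic set.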

Comment 5 Pavel Březina 2021-03-09 13:47:55 UTC
I'm closing this RFE since there is no customer case attached and we currently don't have an understanding of what customers' needs and environments are.

Comment 6 Red Hat Bugzilla 2023-09-15 00:30:18 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days