Bug 1813853 - [RFE] Implement IdM DNS Location support for clients not using IdM DNS service [NEEDINFO]
Summary: [RFE] Implement IdM DNS Location support for clients not using IdM DNS service
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Pavel Březina
QA Contact: sssd-qe
Whiteboard: sync-to-jira
Depends On:
Reported: 2020-03-16 10:08 UTC by Martin Kosek
Modified: 2021-03-09 13:47 UTC
CC List: 8 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-03-09 13:47:55 UTC
Type: Bug
Target Upstream Version:
pbrezina: needinfo? (afarley)


Description Martin Kosek 2020-03-16 10:08:38 UTC
Description of problem:
Some of the environments need to ensure that clients from a given physical location only contact IdM servers from that site, as authentication to IdM servers in other sites is too expensive and causes authentication delays.

IdM Server does support DNS locations, as documented in [1]. The default means of configuring the support on the IdM client side is via the ipa_enable_dns_sites setting [2]. However, ipa_enable_dns_sites will only work reliably if the DNS server that a client is using supports queries to "_location.<client hostname>", which is only supported by the IdM DNS service (bind-dyndb-ldap). This RFE is a request to have a configuration that will also support environments with non-IdM DNS resolvers.

A *workaround* can be configuring "dns_discovery_domain" [3] and pinning it to "<site>._locations.<ipa-domain>", where <site> is the configured IdM Server Location for that given site.

A proposed solution could be the ability to define "ipa_site = <site>", similar to the existing "ad_site" setting, that would pin SSSD to use DNS SRV records from <site>._locations.<ipa-domain>.
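As an added illustration of the two paragraphs above (not SSSD's code and not part of this bug), the following script models how the IPA back end's LDAP server list comes out under three configurations: the default SRV discovery, the dns_discovery_domain workaround, and the proposed ipa_site option, which does not exist in SSSD and is modelled here as described in the RFE. The DNS answers are constructed in-line (hypothetical domain example.com, sites "prague" and "brno", constructed priority values) so it runs offline.

```python
"""Model of SSSD IPA server selection from DNS SRV records under the
configurations discussed in the RFE. Added example, not SSSD code."""
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed SRV answers for a hypothetical IdM domain example.com with two
# IdM locations, "prague" and "brno". Priorities (0 for the local site,
# 50 for the remote one) are constructed for this example.
SAMPLE_DNS = {
    "_ldap._tcp.prague._locations.example.com": [
        SrvRecord(0, 100, 389, "ipa1.prague.example.com"),
        SrvRecord(0, 100, 389, "ipa2.prague.example.com"),
        SrvRecord(50, 100, 389, "ipa1.brno.example.com"),
    ],
    # Site-agnostic SRV set: every server at the same priority, so a client
    # with default settings may be directed to any of them.
    "_ldap._tcp.example.com": [
        SrvRecord(0, 100, 389, "ipa1.brno.example.com"),
        SrvRecord(0, 100, 389, "ipa1.prague.example.com"),
        SrvRecord(0, 100, 389, "ipa2.prague.example.com"),
    ],
}


def srv_name(service, proto, domain):
    """Owner name of an SRV record, e.g. _ldap._tcp.example.com."""
    return f"_{service}._{proto}.{domain}"


def lookup_srv(name, dns):
    """Answers ordered as an SRV client uses them (RFC 2782): lowest
    priority first, then highest weight; ties keep answer order."""
    return sorted(dns.get(name, []), key=lambda r: (r.priority, -r.weight))


def discover_ldap_servers(config, dns=SAMPLE_DNS):
    """Return (primary, backup) lists of "host:port" strings.

    config holds sssd.conf [domain/...] option names:
      ipa_domain            the IdM domain (required)
      dns_discovery_domain  override of the SRV query domain; the bug's
                            workaround pins it to <site>._locations.<ipa_domain>
      ipa_site              hypothetical option from the RFE: query the
                            site-specific SRV set first and treat those
                            servers as primary, the site-agnostic set as backup
    """
    ipa_domain = config["ipa_domain"]
    discovery_domain = config.get("dns_discovery_domain", ipa_domain)
    site = config.get("ipa_site")
    primary, backup = [], []

    def add(bucket, record):
        # A server found by the site-specific query is not repeated as backup.
        server = f"{record.target}:{record.port}"
        if server not in primary and server not in backup:
            bucket.append(server)

    if site:
        site_domain = f"{site}._locations.{ipa_domain}"
        for r in lookup_srv(srv_name("ldap", "tcp", site_domain), dns):
            add(primary, r)
    for r in lookup_srv(srv_name("ldap", "tcp", discovery_domain), dns):
        # With ipa_site the site-agnostic answers are only backups; without
        # it they are all SSSD has, so they form the primary list.
        add(backup if site else primary, r)
    return primary, backup


if __name__ == "__main__":
    for label, cfg in [
        ("default", {"ipa_domain": "example.com"}),
        ("workaround", {"ipa_domain": "example.com",
                        "dns_discovery_domain": "prague._locations.example.com"}),
        ("proposed ipa_site", {"ipa_domain": "example.com", "ipa_site": "prague"}),
        ("proposed ipa_site, no site SRV set",
         {"ipa_domain": "example.com", "ipa_site": "vienna"}),
    ]:
        print(f"{label}: {discover_ldap_servers(cfg)}")
```

The default configuration puts the remote brno server on an equal footing with the local ones; the workaround orders the local servers first because the site-specific SRV set carries that ordering, but leaves SSSD with no site-agnostic query at all; the modelled ipa_site keeps a fallback to the plain domain, which only becomes visible when the site-specific set is missing (the "vienna" case).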

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-locations

[2] ipa_enable_dns_sites (boolean)
    Enables DNS sites - location based service discovery.

    If true and service discovery (see Service Discovery paragraph at the bottom of the man page) is enabled, then the SSSD will first attempt location based discovery using a query that contains "_location.hostname.example.com" and then fall back to traditional SRV discovery. If the location based discovery succeeds, the IPA servers located with the location based discovery are treated as primary servers and the IPA servers located using the traditional SRV discovery are used as back up servers.

    Default: false

[3] dns_discovery_domain (string)
    If service discovery is used in the back end, specifies the domain part of the service discovery DNS query.

    Default: Use the domain part of machine's hostname

Comment 5 Pavel Březina 2021-03-09 13:47:55 UTC
I'm closing this RFE since there is no customer case attached and we currently don't have an understanding of what the customers' needs and environments are.
