Bug 1813853 - [RFE] Implement IdM DNS Location support for clients not using IdM DNS service
Summary: [RFE] Implement IdM DNS Location support for clients not using IdM DNS service
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Pavel Březina
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2020-03-16 10:08 UTC by Martin Kosek
Modified: 2023-09-15 00:30 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-09 13:47:55 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description Martin Kosek 2020-03-16 10:08:38 UTC
Description of problem:
Some of the environments need to ensure that clients from a given physical location only contact IdM servers from that site, as authentication to IdM servers in other sites is too expensive and causes authentication delays.

IdM Server does support DNS locations, as documented in [1]. The default means of configuring the support on the IdM client side is the ipa_enable_dns_sites setting [2]. However, ipa_enable_dns_sites will only work reliably if the DNS server that a client is using supports queries to "_location.<client hostname>", which is only supported by the IdM DNS service (bind-dyndb-ldap). This RFE is a request to have a configuration that will also support environments with non-IdM DNS resolvers.

A *workaround* can be configuring "dns_discovery_domain" [3] and pinning it to "<site>._locations.<ipa-domain>", where <site> is the configured IdM Server Location for that given site.

A proposed solution could be the ability to define "ipa_site = <site>", similar to the existing "ad_site" setting, that would pin SSSD to use DNS SRV records from <site>._locations.<ipa-domain>.


[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/dns-locations

[2] ipa_enable_dns_sites (boolean)
    Enables DNS sites - location based service discovery.

    If true and service discovery (see Service Discovery paragraph at the bottom of the man page) is enabled, then the SSSD will first attempt location based discovery using a query that contains "_location.hostname.example.com" and then fall back to traditional SRV discovery. If the location based discovery succeeds, the IPA servers located with the location based discovery are treated as primary servers and the IPA servers located using the traditional SRV discovery are used as back up servers

    Default: false

[3] dns_discovery_domain (string)
    If service discovery is used in the back end, specifies the domain part of the service discovery DNS query.

    Default: Use the domain part of machine's hostname

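As an added illustration (not code from the bug report or from SSSD itself), the following Python model reproduces the discovery logic quoted from the man page above and runs it against a constructed DNS zone; the hostnames, the site name "site-a", the priorities in the location SRV record and the "_location.<hostname>" answer are all assumptions. It shows why ipa_enable_dns_sites gives no site preference behind a non-IdM resolver, and that pinning dns_discovery_domain to <site>._locations.<ipa-domain> does.

```python
# Simplified model of SSSD's IPA server discovery (added example, not SSSD code).
# Constructed sample zone: a plain (non-IdM) resolver serves these SRV records.
# Assumption: the per-location record lists local servers at priority 0 and
# remote ones at a lower priority (higher number), as IdM DNS locations do.
ZONE = {
    "_ldap._tcp.ipa.example.test": [                      # (priority, target)
        (0, "ipa2-site-b.ipa.example.test"),              # cross-site server
        (0, "ipa1-site-a.ipa.example.test"),
    ],
    "_ldap._tcp.site-a._locations.ipa.example.test": [
        (0, "ipa1-site-a.ipa.example.test"),
        (50, "ipa2-site-b.ipa.example.test"),
    ],
}
# Only IdM DNS (bind-dyndb-ldap) answers "_location.<hostname>"; constructed answer.
IDM_DNS_LOCATION_ANSWERS = {"_location.client1.ipa.example.test": "site-a"}


def srv(name):
    """Targets of SRV record `name`, ordered by priority (stable on ties)."""
    return [target for _p, target in sorted(ZONE.get(name, []), key=lambda r: r[0])]


def discover(hostname, ipa_enable_dns_sites=False, dns_discovery_domain=None,
             location_answers=None):
    """Ordered LDAP server candidates: location-based results first (primary),
    traditional SRV discovery results after them (backup), per the man page."""
    location_answers = location_answers or {}
    # dns_discovery_domain defaults to the domain part of the machine's hostname.
    domain = dns_discovery_domain or hostname.split(".", 1)[1]
    primary = []
    if ipa_enable_dns_sites:
        # A non-IdM resolver returns nothing for "_location.<hostname>", so
        # location-based discovery silently yields no primary servers.
        site = location_answers.get(f"_location.{hostname}")
        if site:
            primary = srv(f"_ldap._tcp.{site}._locations.{domain}")
    backup = srv(f"_ldap._tcp.{domain}")
    return primary + [s for s in backup if s not in primary]


if __name__ == "__main__":
    host = "client1.ipa.example.test"
    print("default:            ", discover(host))
    print("sites, non-IdM DNS: ", discover(host, ipa_enable_dns_sites=True))
    print("sites, IdM DNS:     ", discover(host, ipa_enable_dns_sites=True,
                                           location_answers=IDM_DNS_LOCATION_ANSWERS))
    print("pinned workaround:  ", discover(host,
          dns_discovery_domain="site-a._locations.ipa.example.test"))
```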
Comment 5 Pavel Březina 2021-03-09 13:47:55 UTC
I'm closing this RFE since there is no customer case attached and we currently don't have an understanding of what the customers' needs and environments are.

Comment 6 Red Hat Bugzilla 2023-09-15 00:30:18 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

