Bug 747612 - [RFE] IPA should support and manage DNS sites
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: All
OS: Linux
unspecified
low
Target Milestone: rc
: 7.1
Assignee: Pavel Picka
QA Contact: Namita Soman
Marc Muehlfeld
Keywords: FutureFeature
: 991229 1044733 (view as bug list)
Depends On: 743503 1204506
Blocks: 1203710 1349053
Reported: 2011-10-20 13:55 UTC by Dmitri Pal
Modified: 2016-12-15 09:36 UTC (History)

IdM now supports DNS locations

This update adds support for DNS location management to the Identity Management (IdM) integrated DNS server to improve cross-site implementations. Previously, clients using DNS records to locate IdM servers could not distinguish local servers from servers located in remote geographical locations. This update enables clients using DNS discovery to find the nearest servers, and to use the network in an optimized way. As a result, administrators can manage DNS locations and assign servers to them in the IdM web user interface and from the command line.

For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/index.html#dns-locations
: 1044733 1349053 (view as bug list)
Last Closed: 2016-11-04 05:42:46 UTC


Attachments
evidence (903 bytes, text/plain)
2016-08-23 11:28 UTC, Pavel Picka


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Dmitri Pal 2011-10-20 13:55:41 UTC
It is related to bug #743503 but to manage the site on the server side.

The original request is the following:

Has there been given any thought to the concept of sites within IPA to improve cross-site implementations? This should be easy to implement as you are already using DNS SRV records to locate the ldap/kerberos servers.

E.g.
Site: Boston
Site: London


Create a subdomain of the IPA dns domain named _sites, and a subdomain of _sites for each site.

Boston._sites.ipa.domain.com would contain the srv entries for IPA servers in Boston:
_ldap._tcp        in    srv    0 100 389 boston-ipa-server1
_ldap._tcp        in    srv    0 100 389 boston-ipa-server2
.....

London._sites.ipa.domain.com would contain the srv entries for IPA servers in London:
_ldap._tcp        in    srv    0 100 389 london-ipa-server1
_ldap._tcp        in    srv    0 100 389 london-ipa-server2
....

Now point the client's DNS "search" entry to point to the local site first, then search the full name space:
Boston client's /etc/resolv.conf:
search Boston._sites.ipa.domain.com ipa.domain.com

London client's /etc/resolv.conf:
search London._sites.ipa.domain.com ipa.domain.com


The main ipa.domain.com could still contain srv records for all IPA servers, or selected IPA servers at the central hub.

I know I can do this manually within the DNS management in IPA today, however it would be a lot easier to maintain "Sites" within the IPA webui/cli. *blink* ;)
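
The layout proposed in the description above, as an added example that is not part of the original report and is not IdM's own implementation: it builds the per-site `_ldap._tcp` SRV sets and models how a client's search list picks the local site first and falls back to the main domain. The `Prague` site, the helper names and the simplified resolver behaviour are assumptions made for illustration.

```python
# Added example: models the "_sites" proposal from the description above.
# Every name and record here is constructed for illustration.
DOMAIN = "ipa.domain.com"
SITES = {  # constructed inventory: site -> IPA servers located there
    "Boston": ["boston-ipa-server1", "boston-ipa-server2"],
    "London": ["london-ipa-server1", "london-ipa-server2"],
}


def build_zones(sites, domain=DOMAIN, service="_ldap._tcp", port=389):
    """Return {owner name: [(priority, weight, port, target), ...]}."""
    zones, everyone = {}, []
    for site, servers in sites.items():
        records = [(0, 100, port, server) for server in servers]
        zones[f"{service}.{site}._sites.{domain}".lower()] = records
        everyone.extend(records)
    # The main domain keeps SRV records for all servers, as the report allows.
    zones[f"{service}.{domain}".lower()] = everyone
    return zones


def search_line(site, domain=DOMAIN):
    """resolv.conf line: local site first, then the full name space."""
    return f"search {site}._sites.{domain} {domain}"


def resolve_srv(zones, resolv_conf_line, name="_ldap._tcp"):
    """Try each search suffix in order; the first one with records wins.

    Simplified model of a stub resolver: owner names compare
    case-insensitively, and an empty or missing site zone falls through
    to the next suffix.
    """
    for suffix in resolv_conf_line.split()[1:]:
        records = zones.get(f"{name}.{suffix}".lower())
        if records:
            # Lower priority value is preferred; ties keep zone order.
            ordered = sorted(records, key=lambda r: r[0])
            return suffix, [target for _, _, _, target in ordered]
    return None, []


if __name__ == "__main__":
    zones = build_zones(SITES)
    for site in ("Boston", "London", "Prague"):  # Prague has no site zone
        suffix, targets = resolve_srv(zones, search_line(site))
        print(f"{site:7} -> {suffix}: {', '.join(targets)}")
```

A client whose site has no zone silently lands on the main domain's record set, which in this layout includes remote servers, so a missing or misspelled site name is worth checking for when rolling this out.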

Comment 1 Dmitri Pal 2011-10-20 14:00:10 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2008

Comment 2 Martin Kosek 2013-08-06 07:25:47 UTC
*** Bug 991229 has been marked as a duplicate of this bug. ***

Comment 4 Martin Kosek 2015-03-27 13:35:45 UTC
*** Bug 1044733 has been marked as a duplicate of this bug. ***

Comment 6 Petr Vobornik 2016-04-14 14:10:33 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2956

Comment 7 Petr Vobornik 2016-06-02 10:18:11 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5181

Comment 8 Petr Vobornik 2016-06-02 13:00:56 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5905

Comment 22 Martin Bašti 2016-06-28 13:25:47 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/104040cf363ec50d8006474422f2c13e44266806

Comment 24 Petr Vobornik 2016-06-29 14:36:20 UTC
additional webui part:

master:
https://fedorahosted.org/freeipa/changeset/31a13c9e9849eca794aa7908bc252185c4b36678

Comment 26 Petr Spacek 2016-07-07 10:35:43 UTC
All the information we have about the feature can be found on
http://www.freeipa.org/page/V4/DNS_Location_Mechanism

Please let me or mbasti know if something is unclear or if any information is missing.

Comment 36 Pavel Picka 2016-08-23 11:28 UTC
Created attachment 1193302 [details]
evidence

Verified using upstream test on 4.4.0-8.el7

Comment 38 errata-xmlrpc 2016-11-04 05:42:46 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

