IPA API clients have a hard time finding the IPA API end-point.
Currently we have heuristics based on LDAP server's address. This will break as soon as we split IPA among multiple containers etc.
IPA should provide a new URI record at a constant name (like _ipajsonapi._tcp) which can be used for independent API endpoint discovery.
It would be good to do this sooner rather than later because it will limit the number of clients which will break in future when the split is done.
Also, IPA API clients should use these values first instead of hardcoded values in /etc/ipa/default.conf. Fixing this will enable API clients to prefer local servers (i.e. use DNS locations as implemented in ticket:2008).
Unclear what the value is, though... Revisit in 2.2
The value is that it will allow FreeIPA to coexist better in mixed environments. Currently, if ActiveDirectory owns _ldap._tcp for the domain, SSSD clients cannot use service discovery.
If we provide a separate _ipa._tcp SRV record, then both Windows and SSSD clients can coexist easily.
But how do you make the clients that look for ldap or kerberos suddenly look for IPA? We can do the changes to ipa-client or SSSD but not to Kerberos, for example. So does it really help?
Dmitri, this is an additional feature, it should not REPLACE _ldap._tcp or _krb5._tcp, it should complement it. SSSD can be set to prefer _ipa._tcp and fall back to _ldap._tcp. Other clients can continue to use _ldap._tcp or can be enhanced to look for _ipa._tcp if they also want to avoid this ambiguity.
Right now, it would be a clear value-add for SSSD with FreeIPA.
Suggestion from Simo/Dmitri: have several records, one for ipa kerberos, another for ipa ldap and one for ipa rpc.
We should probably have multiple SRV records as we do still want to be able to have an ipa ldap replica (a future read-only one, for example) that does not host a krb server. So the 2 should be disjunct.
Something like _ldap._tcp._ipa, _krb5._udp._ipa, _krb5._tcp._ipa may make sense.
We should solve ticket:4998 at the same time so the randomly-selected server is printed or logged somewhere.
Also, we might think about introducing a _srv_ option for /etc/ipa/default.conf so the behavior can be controlled in a similar way as with SSSD.
(The option host should be multivalued, of course.)
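As an added illustration of the discovery order discussed in this thread (prefer the IPA-specific SRV name, fall back to _ldap._tcp, RFC 2782 priority/weight selection, and log the randomly selected server as ticket:4998 asks), here is example code written for this page and not part of FreeIPA or SSSD; the zone contents, domain and host names are constructed.

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed sample zone: AD owns _ldap._tcp for the domain, while IPA
# publishes its own _ipa._tcp record alongside it (hypothetical hosts).
ZONE = {
    "_ipa._tcp.example.test": [
        SRV(0, 100, 389, "ipa1.example.test"),
        SRV(0, 50, 389, "ipa2.example.test"),
        SRV(10, 0, 389, "ipa-backup.example.test"),  # used only if priority 0 is empty
    ],
    "_ldap._tcp.example.test": [
        SRV(0, 100, 389, "dc1.ad.example.test"),
    ],
}

def lookup_srv(name, zone=ZONE):
    """Stand-in for a real DNS SRV query; answers from the constructed zone."""
    return list(zone.get(name, []))

def pick_srv(records, rng):
    """RFC 2782 selection: lowest priority wins, weighted random within it."""
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)       # all weights zero: pick uniformly
    point = rng.randint(0, total - 1)       # point in [0, total)
    for r in candidates:
        point -= r.weight
        if point < 0:
            return r
    return candidates[-1]

def discover(domain, names=("_ipa._tcp", "_ldap._tcp"), zone=ZONE, rng=None, log=print):
    """Try each SRV name in order of preference; log which server was chosen."""
    rng = rng or random.Random()
    for name in names:
        records = lookup_srv(f"{name}.{domain}", zone)
        if records:
            chosen = pick_srv(records, rng)
            log(f"discovery: {name}.{domain} -> {chosen.target}:{chosen.port}")
            return name, chosen
    log(f"discovery: no SRV records found for {domain}")
    return None, None

if __name__ == "__main__":
    discover("example.test")
```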
Metadata Update from @sgallagh:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 4.5 backlog