freeipa

FreeIPA is an integrated Identity and Authentication solution for Linux/UNIX networked environments.  |  http://www.freeipa.org/

#2008 [RFE] IPA should support and manage DNS Locations

Created 6 years ago by dpal
Modified 2 years ago

https://bugzilla.redhat.com/show_bug.cgi?id=747612

It is related to bug #743503 but to manage the site on the server side.

The original request is the following:

Has there been given any thought to the concept of sites within IPA to improve
cross-site implementations? This should be easy to implement as you are already
using DNS SRV records to locate the ldap/kerberos servers.

E.g.
Site: Boston
Site: London


Create a subdomain of the IPA dns domain named _sites, and a subdomain of
_sites for each site.

Boston._sites.ipa.domain.com would contain the srv entries for IPA servers in
Boston:
_ldap._tcp        in    srv    0 100 389 boston-ipa-server1
_ldap._tcp        in    srv    0 100 389 boston-ipa-server2
.....

London._sites.ipa.domain.com would contain the srv entries for IPA servers in
London:
_ldap._tcp        in    srv    0 100 389 london-ipa-server1
_ldap._tcp        in    srv    0 100 389 london-ipa-server2
....

Now point the client's DNS "search" entry to point to the local site first,
then search the full name space:
Boston client's /etc/resolv.conf:
search Boston._sites.ipa.domain.com ipa.domain.com

London client's /etc/resolv.conf:
search London._sites.ipa.domain.com ipa.domain.com


The main ipa.domain.com could still contain srv records for all IPA servers, or
selected IPA servers at the central hub.

I know I can do this manually within the DNS management in IPA today, however it
would be a lot easier to maintain "Sites" within the IPA webui/cli. *blink* ;)

Start when we have time.

This work should be done following this plan:
http://freeipa.org/page/DNS_Location_Discovery

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=815621 (Red Hat Enterprise Linux 6)

Based on the feedback in the BZ this is pretty important so I am bumping the priority.

BZ 815621 is another RFE, it will be cloned to another ticket.

Putting back in needs triage as it seems like it belongs in 3.3 backlog.

Stretch goal for 4.2. The first pass would require 2 parts to happen:

  • bind-dyndb-ldap to generate the _location records for clients, based on named.conf configuration (upstream ticket)
  • FreeIPA UI - for creating the locations and setting up the priorities of the SRV records. The procedure may be as follows:
    • Create location "Brno"
    • Click "Add servers", select Brno-located servers and add them with priority "10" and weight "100". Click Done
    • Click "Add servers", select New York located servers and add them with priority "50" and weight "100". Click Done.
    • Click "Create location"

Whether this would create DNS records directly or it would create a special location object while DNS records will be pre-populated by DS plugin is implementation detail.
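A small simulation of the two mechanisms discussed in this ticket, the search-list based site lookup from the original request and the priority/weight ordering from the 4.2 plan above, added here as an illustration only (this is not FreeIPA code and does not claim to match the linked design page). Zone contents and hostnames are constructed, and `ZONE`, `lookup_srv` and `order_srv` are hypothetical names.

```python
import random
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed zone data (hypothetical hostnames): per-site records under
# _sites, plus hub records in the main domain where priority 10 beats 50.
ZONE = {
    "_ldap._tcp.boston._sites.ipa.domain.com": [
        SRV(0, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        SRV(0, 100, 389, "boston-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.london._sites.ipa.domain.com": [
        SRV(0, 100, 389, "london-ipa-server1.ipa.domain.com"),
        SRV(0, 100, 389, "london-ipa-server2.ipa.domain.com"),
    ],
    "_ldap._tcp.ipa.domain.com": [
        SRV(10, 100, 389, "boston-ipa-server1.ipa.domain.com"),
        SRV(50, 100, 389, "london-ipa-server1.ipa.domain.com"),
    ],
}

def lookup_srv(service, search_list, zone=ZONE):
    """Walk the resolv.conf search list in order, like a stub resolver.
    The first domain with a non-empty SRV set wins, so a Boston client
    only falls through to the hub records if its own site has none."""
    for domain in search_list:
        name = ("%s.%s" % (service, domain)).lower()
        records = zone.get(name)
        if records:
            return name, list(records)
    return None, []  # no search domain produced an answer

def order_srv(records, rng=random):
    """Order SRV targets per RFC 2782: lowest priority first; within one
    priority, weighted-random selection proportional to weight."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        bucket = [r for r in records if r.priority == prio]
        while bucket:
            pick = rng.randint(0, sum(r.weight for r in bucket))
            running = 0
            for r in bucket:
                running += r.weight
                if running >= pick:  # first record whose cumulative weight reaches pick
                    ordered.append(r)
                    bucket.remove(r)
                    break
    return ordered
```

Note that a client whose site has no `_sites` records silently uses the hub set, so a missing or deleted site zone changes which servers clients talk to without any error being reported.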

Moving to 4.3, we are too close to 4.2 deadline to be able to handle this stretch RFE.

#2008 would be hard to implement without #5620.

Would be really nice to show the locations on the topology graph in some way. Should we open a separate RFE or it is in scope?

master:

  • 29a8615 DNS Locations: Always create DNS related privileges
  • 180d745 DNS Locations: add new attributes and objectclasses
  • bae6214 DNS Locations: location-* commands
  • 7c3bcaf DNS Locations: API tests
  • 121e34b Allow to use non-Str attributes as keys for members
  • 15abfcf DNS Locations: extend server-* command with locations
  • 79544aa DNS Location: location-show: return list of servers in location
  • fd2bd60 DNS Locations: when removing location remove it from servers first
  • 42719ac DNS Locations: extend tests with server-* commands

User interface added, other patches will follow

master:

  • 85d083c Require 389-ds-base >= 1.3.5.6

master:

  • 0f5cca0 DNS Locations: add index for ipalocation attribute
  • d7671ee DNS Locations: fix location-del
  • 745a2e6 DNS Locations: add idnsTemplateObject objectclass
  • 87c23ba DNS Locations: DNS data management
  • 394b094 DNS Locations: permission: allow to read status of services
  • cf634a4 DNS Locations: add ACI for template attribute
  • e231595 DNS Locations: command dns-update-system-records
  • 45a9326 DNS Locations: use dns_update_service_records in installers
  • a5a6cea DNS Locations: adtrustinstance simplify dns management
  • a7e4639 DNS Locations: use automatic records update in ipa-adtrust-install
  • 4076e8e DNS Locations: server-mod: add automatic records update
  • 88a0952 DNS Locations: dnsservers: add required objectclasses
  • 2157ea0 DNS Locations: dnsserver-* commands
  • 52590d6 DNS Locations: dnsserver: put server_id option into named.conf
  • 08265f1 DNS Locations: dnsserver: use the newer config way in installer
  • d70e52b DNS Locations: dnsserver: remove config when replica is removed

master:

  • ef12cad DNS Locations: set proper substitution variable
  • 1997733 DNS Locations: require to restart named-pkcs11 affter location change
  • 8dde120 DNS Locations: show warning if there is no DNS servers in location
  • b293121 DNS Locations: prevent to remove used locations
  • bbf8227 DNS Locations: do not generate location records for unused locations
  • 3c50e42 DNS Locations: location-del: remove location record
  • 4155eb7 DNS Locations: Rename ipalocationweight to ipaserviceweight
  • 313e63e DNS Locations: generate NTP records
  • 88ac58a upgrade: don't fail if zone does not exists in in find
  • e82ce43 DNS Location: add list of roles and DNS servers to location-show
  • 8253727 DNS Locations: dnsserver: print specific error when DNS is not installed

master:

  • b6bab8d DNS Locations: make ipa-ca record generation more robust

master:

  • 894be1b dns: fix dns_update_system_records to work with thin client

master:

  • 926462d Server-del: fix system records removal

master:

  • c6f7d94 DNS Locations: server-mod: fix if statement

master:

  • e42f662 Revert "DNS Locations: do not generate location records for unused locations"
  • 218734b DNS Locations: hide option --no-msdcs in adtrust-install
  • 7bf3b1d DNS Locations: optimization: use server-find to get information

master:

  • 104040c DNS Locations: cleanup of bininstance

Metadata Update from @dpal:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.4


enhancement

#5620 #2956 #5181 #5976

DNS

http://www.freeipa.org/page/V4/DNS_Location_Mechanism/Test_Plan

#5732


wanted

https://fedorahosted.org/bind-dyndb-ldap/ticket/126

https://bugzilla.redhat.com/show_bug.cgi?id=747612

http://www.freeipa.org/page/V4/DNS_Location_Mechanism
