Chapter 4. Managing DNS locations in IdM
Manage Identity Management (IdM) DNS locations to optimize traffic and reduce latency between clients and servers. Configuring these locations ensures that clients discover and prioritize the nearest available services.
4.1. Prerequisites
- You understand the concept of DNS-based service discovery in IdM.
- You understand deployment considerations for DNS locations in IdM.
- You understand the concept of DNS time-to-live (TTL).
4.2. Creating DNS locations using the IdM Web UI
Define new DNS locations through the IdM Web UI to group servers by physical or logical site. This organization helps the environment to direct client requests to local infrastructure, improving response times.
Prerequisites
- Your IdM deployment has integrated DNS.
- You have permission to create DNS locations in IdM. For example, you are logged in as the IdM admin.
Procedure
- Open the IPA Server tab.
- Select the Topology subtab.
- Click IPA Locations in the navigation bar.
- Click the button at the top of the locations list.
- Fill in the location name.
- Click the button to save the location.
- Optional: Repeat the steps to add further locations.
4.3. Creating DNS locations using the IdM CLI
Add DNS locations via the command line with the ipa location-add command. This tool quickly registers new geographic or network-based sites within the Identity Management (IdM) database for future server assignment.
Prerequisites
- Your IdM deployment has integrated DNS.
- You have permission to create DNS locations in IdM. For example, you are logged in as the IdM admin.
Procedure
- For example, to create a new location germany, enter:

  $ ipa location-add germany
  ----------------------------
  Added IPA location "germany"
  ----------------------------
    Location name: germany

- Optional: Repeat the step to add further locations.
4.4. Assigning an IdM server to a DNS location using the IdM Web UI
Associate specific Identity Management (IdM) servers with defined locations using the Topology tab in the IdM Web UI. Setting a service weight during this process further refines how clients distribute their connection attempts.
Prerequisites
- Your IdM deployment has integrated DNS.
- You are logged in as a user with permission to assign a server to a DNS location, for example the IdM admin user.
- You have root access to the host that you want to assign a DNS location to.
- You have created the IdM DNS locations to which you want to assign servers.
Procedure
- Open the IPA Server tab.
- Select the Topology subtab.
- Click IPA Servers in the navigation.
- Click on the IdM server name.
- Select a DNS location, and optionally set a service weight:

  (Figure: Assigning a server to a DNS location)

- Click the button to save the changes.
- On the command line (CLI) of the host to which you assigned the DNS location in the previous steps, restart the named service:

  [root@idmserver-01 ~]# systemctl restart named

- Optional: Repeat the steps to assign DNS locations to further IdM servers.
4.5. Assigning an IdM server to a DNS location using the IdM CLI
Use the ipa server-mod command to link a server to a specific DNS location. Restarting the named service afterward activates the new routing logic, ensuring the server advertises itself to the correct local clients.
Prerequisites
- Your IdM deployment has integrated DNS.
- You are logged in as a user with permission to assign a server to a DNS location, for example the IdM admin user.
- You have root access to the host that you want to assign a DNS location to.
- You have created the IdM DNS locations to which you want to assign servers.
Procedure
- Optional: List all configured DNS locations:

  [root@server ~]# ipa location-find
  -----------------------
  2 IPA locations matched
  -----------------------
    Location name: australia

    Location name: germany
  -----------------------------
  Number of entries returned: 2
  -----------------------------

- Assign the server to the DNS location. For example, to assign the location germany to the server idmserver-01.idm.example.com, run:

  # ipa server-mod idmserver-01.idm.example.com --location=germany
  [...]
  --------------------------------------------------
  Modified IPA server "idmserver-01.idm.example.com"
  --------------------------------------------------
    Servername: idmserver-01.idm.example.com
    Min domain level: 0
    Max domain level: 1
    Location: germany
    Enabled server roles: DNS server, NTP server

- Restart the named service on the host to which you assigned the DNS location in the previous steps:

  # systemctl restart named

- Optional: Repeat the steps to assign DNS locations to further IdM servers.
4.6. Configuring an IdM client to use IdM servers in the same location
Point clients to a local DNS server via DHCP or manual network configuration. When the client’s primary DNS server resides in its assigned Identity Management (IdM) location, the client prioritizes local IdM services for all authentication and lookup tasks.
IdM servers are assigned to DNS locations as described in Assigning an IdM server to a DNS location using the IdM Web UI. Now you can configure the clients to use a DNS server that is in the same location as the IdM servers:
- If a DHCP server assigns the DNS server IP addresses to the clients, configure the DHCP service. For further details about assigning a DNS server in your DHCP service, see the DHCP service documentation.
- If your clients do not receive the DNS server IP addresses from a DHCP server, manually set the IPs in the client's network configuration. For further details about configuring the network on Red Hat Enterprise Linux, see the Configuring Network Connection Settings section in the Red Hat Enterprise Linux Networking Guide.
If you configure the client to use a DNS server that is assigned to a different location, the client contacts IdM servers in both locations.
Example 4.1. Different name server entries depending on the location of the client
The following example shows different name server entries in the /etc/resolv.conf file for clients in different locations:
Clients in Prague:
nameserver 10.10.0.1
nameserver 10.10.0.2
Clients in Paris:
nameserver 10.50.0.1
nameserver 10.50.0.3
Clients in Oslo:
nameserver 10.30.0.1
Clients in Berlin:
nameserver 10.30.0.1
If each of the DNS servers is assigned to a location in IdM, the clients use the IdM servers in their location.
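The two checks a practitioner usually wants after sections 4.5 and 4.6, as an added example that is not part of the Red Hat documentation and not IdM's own tooling: first, that every nameserver in a client's /etc/resolv.conf belongs to the DNS servers IdM has assigned to that client's location (otherwise, as stated above, the client contacts IdM servers in both locations); second, that the SRV answer from such a DNS server lists the local IdM servers first, since a location-aware IdM DNS server publishes the servers in its own location at a lower SRV priority than servers elsewhere and the client tries lower priorities first. The resolv.conf contents, the location-to-nameserver table and the dig-style SRV answer below are constructed sample data (the priority values 0 and 50 and the server names are illustrative); on a real client, feed the functions the output of cat /etc/resolv.conf and dig +noall +answer SRV _ldap._tcp.<domain> @<nameserver> instead.

```shell
#!/bin/sh
# Added example, not from the Red Hat documentation or from IdM itself.
# Offline checks that a client is pinned to the IdM servers of its own location.

# Constructed table of which DNS server IPs IdM has assigned to which location,
# one "location ip" pair per line (in a deployment, build it from the servers
# listed by `ipa server-find --location=<name>` and their A records).
LOCATION_DNS='prague 10.10.0.1
prague 10.10.0.2
paris 10.50.0.1
paris 10.50.0.3
oslo 10.30.0.1'

# Constructed /etc/resolv.conf of a client that is supposed to sit in prague.
# The second nameserver is deliberately a paris server, which the check flags.
RESOLV_CONF='search idm.example.com
nameserver 10.10.0.1
nameserver 10.50.0.1'

# Constructed answer in `dig +noall +answer` format, as a DNS server assigned
# to one location would return it: local servers at priority 0, a remote one
# at priority 50 (assumed illustrative values), weights as set per server.
# Fields: name TTL class type priority weight port target
SRV_ANSWER='_ldap._tcp.idm.example.com. 86400 IN SRV 0 100 389 idmserver-01.idm.example.com.
_ldap._tcp.idm.example.com. 86400 IN SRV 0 50 389 idmserver-02.idm.example.com.
_ldap._tcp.idm.example.com. 86400 IN SRV 50 100 389 idmserver-03.idm.example.com.'

# foreign_nameservers LOCATION RESOLV_TEXT
# Prints every nameserver in RESOLV_TEXT that is not assigned to LOCATION.
# Empty output means the client only uses DNS servers of its own location.
foreign_nameservers() {
    location="$1"
    printf '%s\n' "$2" | awk '$1 == "nameserver" { print $2 }' | while read -r ip; do
        printf '%s\n' "$LOCATION_DNS" | grep -qxF "$location $ip" || printf '%s\n' "$ip"
    done
}

# client_order SRV_TEXT
# Prints the SRV targets in the order a client tries them: lowest priority
# first, and within one priority the higher weight first.
client_order() {
    printf '%s\n' "$1" | awk '$4 == "SRV" { print $5, $6, $8 }' \
        | sort -k1,1n -k2,2nr | awk '{ print $3 }'
}

# local_servers SRV_TEXT
# Prints only the targets at the lowest priority present in the answer, that is,
# the servers the client uses before it ever falls back to a remote location.
local_servers() {
    printf '%s\n' "$1" | awk '$4 == "SRV" { print $5, $8 }' \
        | sort -k1,1n | awk 'NR == 1 { p = $1 } $1 == p { print $2 }'
}

# Stand-alone run: report on the constructed sample data.
echo "nameservers not assigned to prague:"
foreign_nameservers prague "$RESOLV_CONF"
echo "client tries servers in this order:"
client_order "$SRV_ANSWER"
echo "servers used before falling back to a remote location:"
local_servers "$SRV_ANSWER"
```

The first function is the one to run on the client after section 4.6: any IP it prints is a nameserver from another location and explains why that client reaches remote IdM servers. The other two are meant for the answer of a nameserver the client actually uses; if a server you assigned in section 4.5 does not appear at the lowest priority, the usual cause is that named on that server has not been restarted since the location was assigned.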