Epic
Resolution: Won't Do
Minor
DJ-IDM: multi-domain
In Progress
0% To Do, 0% In Progress, 100% Done
Goal:
- Domain: A customer may have multiple identity domains. The backend needs some rules to assign the correct domain to a host. Matching rules can take information such as the FQDN of the host or metadata from the cloud provider into account.
- Location: An identity domain can span several data centers and regions. Communication with a remote, distant server is typically slower and sometimes more costly than local communication. A matching rule should assign the correct DNS location and automount location to a client.
- Additional options: ipa-client-install takes additional options such as --mkhomedir, --automount-location, --ssh-trust-dns, --subid, --all-ip-addresses, and --enable-dns-updates. A matching rule should provide additional options to hosts.
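
An added sketch of how such a matching rule could be evaluated, not code from this project. The rule schema, the first-match-wins order, the example.test names and the flag allowlist are assumptions; the flags themselves are the ipa-client-install options listed above.

```python
import fnmatch

# Options named on this page; anything else in a rule is rejected so a rule
# (or data copied into one) cannot pass arbitrary flags to the installer.
ALLOWED_FLAGS = {"--mkhomedir", "--ssh-trust-dns", "--subid",
                 "--all-ip-addresses", "--enable-dns-updates"}

# Constructed sample rules (hypothetical schema). First match wins.
RULES = [
    {"fqdn": "*.eu.prod.example.test", "tags": {"env": "prod"},
     "domain": "prod.example.test", "automount_location": "eu-west",
     "flags": ["--mkhomedir", "--enable-dns-updates"]},
    {"fqdn": "*.dev.example.test", "tags": {},
     "domain": "dev.example.test", "automount_location": None,
     "flags": ["--mkhomedir", "--subid"]},
]


def match_rule(fqdn, tags, rules=RULES):
    """Return the first rule whose FQDN glob and required tags all match."""
    fqdn = fqdn.lower().rstrip(".")  # normalise case and trailing root dot
    for rule in rules:
        if not fnmatch.fnmatchcase(fqdn, rule["fqdn"]):
            continue
        if all(tags.get(k) == v for k, v in rule["tags"].items()):
            return rule
    return None


def build_install_args(fqdn, tags, rules=RULES):
    """Build the ipa-client-install argv for a host; raise if nothing matches."""
    rule = match_rule(fqdn, tags, rules)
    if rule is None:
        # Fail closed: an unmatched host is not enrolled into a default domain.
        raise LookupError(f"no domain rule matches {fqdn!r}")
    bad = set(rule["flags"]) - ALLOWED_FLAGS
    if bad:
        raise ValueError(f"rule uses flags outside the allowlist: {sorted(bad)}")
    args = ["ipa-client-install", "--unattended", "--domain", rule["domain"]]
    if rule["automount_location"]:
        args += ["--automount-location", rule["automount_location"]]
    return args + sorted(rule["flags"])
```

Here a tag only narrows a rule that the FQDN already matched; how far tags can be trusted depends on who is allowed to set them in the cloud account.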
Acceptance Criteria:
- ...
Open questions:
- Should we also have an option to modify DNS settings (systemd-resolved, resolv.conf, ...) with expected DNS servers? In most cases, clients will use internal DNS servers. DNS locations are provided by DNS servers.
- Should image builder provide options to bake some options into an image?
- Cloud providers have APIs that allow a client to figure out information about itself (host metadata). Can we use the information to identify the machine, region/zone, and additional user metadata like tags?
- Can we use a cloud provider's instance tags for domain matching rules? This could provide an alternative approach for hosts that do not use images from image builder.