Hello FreeIPA-users. The Subject line is the core of my question here;
I'll provide a bit more detail below.
I work for what is (effectively) a startup, non-profit internet
provider. I have an extensive Windows background, and "know enough to
be dangerous" with Linux & BSD (have been tinkering with GNU/Linux on
and off since Slackware 3.0 or 3.1). I'm very familiar with Windows
Active Directory, but the org does not have any AD infrastructure right
now (and, being a nonprofit, we are trying to avoid spending money on MS,
especially when all of the other VMs will be Linux or BSD anyway).
Given the nonprofit nature, I discovered FreeIPA when looking for a
free centralized directory system. The goal is to consolidate all
credentials for *other* Linux VMs (customer-facing DNS, CRM web server,
SNMP/network graphing servers, etc) as well as provide a back-end for
RADIUS for management of network equipment (switches, routers, P2P
wireless, etc). Simplifying DNS management and replication is also
appealing; I'd rather administrate one system than two or three.
In case it changes your opinion of the plan at all - all of the network
equipment and VMs will be on *private* (10.x) IPv4 space and behind one
or more firewalls, at least initially. We do want to add public IPv6,
but do not have that yet. We only have a small allocation (/26) of
public v4 from our upstream that will be NATed through a firewall and
not directly on any devices. The traffic to FreeIPA is going to be
internal-only, I do not plan on exposing FreeIPA's DNS "to the world"
at all. Even customer-facing internal DNS will likely be through
separate caching forwarders pointing back to FreeIPA.
I have a completely unused, publicly registered domain (let's just call
it "example.net" for this thread) available to dedicate to this system.
We also own "example.org" and are using that for our public web
presence, and I intend to keep that entirely standalone.
Given that I have no current "interoperability" concerns, is there
anything "wrong" with putting FreeIPA directly at the root of
example.net? Or would it be more wise, from an interop, security, or
manageability standpoint (i.e. a "best practice"), to root FreeIPA at
something like auth.example.net or ipa.example.net and then have a
separate set of nameservers handling the base domain? If I put
FreeIPA's root (and Kerberos realm) in a subdomain, is it possible to
*also* have it manage the parent domain's DNS entries?
I've read through the Quick Start Guide and Deployment Recommendations
(https://www.freeipa.org/page/Deployment_Recommendations), which is
part of how I've come to the decisions I've made thus far. I couldn't
really find guidance one way or the other on whether FreeIPA "should"
be in a subdomain or not, hence this posting. I would appreciate any
insight the community can provide!
It really depends on you. ;)
I run my home's FreeIPA deployment at 'example.net' and rely on firewalls
and an external DNS server to provide a safer outer view to it. There is
nothing wrong with this approach -- as well as with the 'ipa.example.net'
approach either.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland