Are there any options to deploy it within an existing domain with the constraints being:
- no domain delegation
- write access to the applicable zone file prohibited
- registering/using an external domain impossible; also no external nameserver access
- FreeIPA allowing for no single label domain; hack to override not sensible if multi-forest Windows connection were to be necessary in the future
- apparently no alternative to DNS as for Kerberos config files?
john doe via FreeIPA-users wrote:
> Are there any options to deploy it within an existing domain with the constraints being:
> - no domain delegation
DNS domain delegation? Do you mean it doesn't delegate any domains or it doesn't require delegation?
> - write access to the applicable zone file prohibited
IPA stores zones in LDAP, not flat files. You can limit write access to LDAP to specific users and/or groups.
> - registering/using an external domain impossible; also no external nameserver access
Is a firewall insufficient to control nameserver access? Is this IPA server going to be Internet-facing or something? Credentials are required to read/write to IPA so that will control access. There is no switch for "allow client enrollment only from these domains" but not just anyone can enroll.
> - FreeIPA allowing for no single label domain; hack to override not sensible if multi-forest Windows connection were to be necessary in the future
IPA doesn't allow single label DNS domains. How this relates to AD forest trust I have no idea.
> - apparently no alternative to DNS as for Kerberos config files?
I don't understand the question. Do you mean for autodiscovery? You can hardcode hostnames all over and use only /etc/hosts if you want but the installation will be fragile and high maintenance.
rob
freeipa-users@lists.fedorahosted.org
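The last answer above (hard-coding hostnames instead of relying on DNS autodiscovery) is easy to misjudge without seeing what the DNS-based path actually needs. The following is an added example written for this thread; it is not FreeIPA's code and not the poster's or Rob's. It lists the SRV/TXT discovery names an IPA-managed zone normally publishes for clients (an assumption here; compare with `ipa dns-update-system-records --dry-run` on a server that has that command), reports which of them a zone you cannot write to is missing, and renders the hard-coded krb5.conf and /etc/hosts lines that replace them. Realm, domain, hostnames and addresses are constructed.

```python
"""Discovery records an IPA client needs, and the hard-coded fallback.

Added example for this thread; it is not FreeIPA's code and not the poster's.
Assumptions: the SRV/TXT names are the discovery records an IPA-managed zone
publishes by default (check `ipa dns-update-system-records --dry-run` on your
server), and realm, domain, hostnames and addresses below are constructed."""

from typing import Callable, Dict, List

# Constructed sample deployment (hypothetical names, RFC 5737 addresses).
REALM = "EXAMPLE.TEST"
DOMAIN = "ipa.example.test"
SERVERS: Dict[str, str] = {
    "ipa1.ipa.example.test": "192.0.2.10",
    "ipa2.ipa.example.test": "192.0.2.11",
}


def required_discovery_records(domain: str) -> List[str]:
    """Owner names a client looks up under the IPA domain when it relies on DNS."""
    srv = ["_ldap._tcp", "_kerberos._tcp", "_kerberos._udp",
           "_kerberos-master._tcp", "_kerberos-master._udp",
           "_kpasswd._tcp", "_kpasswd._udp"]
    names = [f"{s}.{domain}" for s in srv]
    names.append(f"_kerberos.{domain}")  # TXT record that carries the realm name
    return names


def missing_records(domain: str, resolve: Callable[[str], bool]) -> List[str]:
    """Names that `resolve` cannot find. `resolve` is injected so the check runs
    offline here; in production wrap a real lookup (e.g. dnspython) in it."""
    return [n for n in required_discovery_records(domain) if not resolve(n)]


def krb5_conf_without_dns(realm: str, domain: str, servers: List[str]) -> str:
    """krb5.conf that pins every server so no SRV/TXT lookup is attempted.
    The first server in the list is treated as the master KDC / kadmin host."""
    if not servers:
        raise ValueError("at least one IPA server is required")
    lines = [
        "[libdefaults]",
        f"  default_realm = {realm}",
        "  dns_lookup_realm = false",   # realm comes from [domain_realm], not TXT
        "  dns_lookup_kdc = false",     # KDCs come from [realms], not SRV
        "  rdns = false",               # no reverse lookups when building principals
        "",
        "[realms]",
        f"  {realm} = {{",
    ]
    lines += [f"    kdc = {s}:88" for s in servers]
    lines += [
        f"    master_kdc = {servers[0]}:88",
        f"    admin_server = {servers[0]}:749",
        f"    kpasswd_server = {servers[0]}:464",
        f"    default_domain = {domain}",
        "  }",
        "",
        "[domain_realm]",
        f"  .{domain} = {realm}",
        f"  {domain} = {realm}",
    ]
    return "\n".join(lines) + "\n"


def hosts_entries(servers: Dict[str, str]) -> List[str]:
    """/etc/hosts lines (address, FQDN, short name) for every pinned server."""
    return [f"{ip} {fqdn} {fqdn.split('.')[0]}" for fqdn, ip in servers.items()]


if __name__ == "__main__":
    # Constructed zone: only _ldap._tcp exists, everything else is missing.
    zone = {f"_ldap._tcp.{DOMAIN}"}
    gaps = missing_records(DOMAIN, lambda name: name in zone)
    print("discovery records missing from the zone:", *gaps, sep="\n  ")
    print(krb5_conf_without_dns(REALM, DOMAIN, list(SERVERS)))
    print("\n".join(hosts_entries(SERVERS)))
```

The rendered krb5.conf is what you would ship to every client (and pass the same facts to `ipa-client-install --server/--domain/--realm` so enrollment does not try discovery). The maintenance cost Rob warns about is visible in the generator: adding or retiring an IPA server changes the `[realms]` block and the hosts lines on every client, whereas with delegated DNS only the SRV records change.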