john doe via FreeIPA-users wrote:
> Are there any options to deploy it within an existing domain with the
> constraints being:
> - no domain delegation
DNS domain delegation? Do you mean it doesn't delegate any domains or it
doesn't require delegation?
> - write access to the applicable zone file prohibited
IPA stores zones in LDAP, not flat files. You can limit write access to
LDAP to specific users and/or groups.
> - registering/using an external domain impossible; also no external
> nameserver access
Is a firewall insufficient to control nameserver access? Is this IPA
server going to be Internet-facing or something? Credentials are
required to read/write to IPA so that will control access. There is no
switch for "allow client enrollment only from these domains" but not
just anyone can enroll.
> - FreeIPA allowing for no single label domain; hack to override not
> sensible if multi-forest Windows connection were to be necessary in the future
IPA doesn't allow single label DNS domains. How this relates to AD
forest trust I have no idea.
> - apparently no alternative to DNS as for Kerberos config files?
I don't understand the question. Do you mean for autodiscovery? You can
hardcode hostnames all over and use only /etc/hosts if you want but the
installation will be fragile and high maintenance.
rob
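As an added illustration of the "hardcode hostnames and skip DNS discovery" approach Rob mentions (this is not configuration from the thread or from the FreeIPA project; the realm EXAMPLE.TEST, the hostnames and the addresses are made-up placeholders), a client-side krb5.conf that disables every DNS-based lookup and names the KDCs explicitly, with the matching /etc/hosts entries shown in a comment:

```ini
# /etc/krb5.conf (added example; realm, hostnames and addresses are hypothetical)
#
# Matching /etc/hosts entries the client also needs, since nothing below
# is resolved through DNS (addresses are constructed placeholders):
#   192.0.2.10  ipa1.example.test ipa1
#   192.0.2.11  ipa2.example.test ipa2

[libdefaults]
  default_realm = EXAMPLE.TEST
  # Do not derive the realm from DNS TXT records or find KDCs via SRV records.
  dns_lookup_realm = false
  dns_lookup_kdc = false
  # Do not rewrite service hostnames through forward/reverse DNS either;
  # the name typed (or listed in /etc/hosts) is the name used in the principal.
  dns_canonicalize_hostname = false
  rdns = false

[realms]
  EXAMPLE.TEST = {
    # Every KDC must be listed by hand; adding or replacing a server means
    # touching this file on every client, which is the maintenance cost Rob refers to.
    kdc = ipa1.example.test
    kdc = ipa2.example.test
    admin_server = ipa1.example.test
  }

[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
```

With this in place a client can obtain tickets without any DNS zone for the IPA domain, but the trade-off is exactly the one described above: each client carries its own copy of the server list, and hostname changes must be propagated by hand rather than through a single zone update.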