On Fri, 11 May 2018, Udo Rader via FreeIPA-users wrote:
> Hi,
> I'm currently evaluating a couple of options to migrate our dated
> OpenLDAP installation to a more up-to-date, maintainable and user
> friendly solution.
> One of the possibilities I found is of course FreeIPA and I hope this
> is the right place to ask a couple of basic questions, in order to get a
> better understanding of whether FreeIPA can meet our requirements.
> Our current setup looks like this:
> OpenLDAP used as storage for user, DHCP and DNS information:
> #1 users are either regular Unix (Linux, FreeBSD) shell users
> #2 or they are users accessing our mail services (dovecot/postfix)
> #3 (a low number of) certificates are currently handled by TinyCA
> #4 DHCP is handled by multiple, distributed ISC DHCP servers,
> configured to pull their configuration from OpenLDAP (network
> definitions, routers, NTP servers, MAC addresses etc.)
> #5 DNS is handled by multiple, distributed PowerDNS instances, which
> again retrieve their DNS data from OpenLDAP
> As far as I can understand, FreeIPA can easily handle #1, #2 and #3.
> But what about DHCP and DNS? I understand that FreeIPA's backbone is
> the 389 DS. I guess migrating our DHCP DIT into 389 is doable, but what
> about administration of those entries? Can this be done by FreeIPA?
> Regarding DHCP, all I found were some older documents describing
> intentions to implement it [1], but I'm uncertain if that ever
> happened.
It did not happen, indeed. Most of the time was spent on two things:
- making other projects implement the required features, mostly around
single sign-on with GSSAPI for ISC DHCP and similar
- making sure we can design a better DHCP storage DIT and schema, an
opportunity to refactor the actual DHCP schema.
The second part was unfinished.
So yes, you could import the DHCP DIT and manage it yourself, but FreeIPA
will not help you with that. You can start developing a management
plugin for that too, following my examples at GitHub [1].
> Regarding DNS, I am aware that FreeIPA comes with bind, but if
> possible, I'd really like to stay with PowerDNS. Is that possible? And
> if not, how tightly integrated is bind into FreeIPA? One mandatory
> requirement is that we need to have multiple, geographically
> distributed nameservers that hold various amounts of DNS data
> (currently determined by LDAP filters). I of course understand that
> bind is perfectly capable of doing this, but depending on the level of
> integration between FreeIPA and bind, I'm not exactly sure how "easy"
> this can be done.
You can use the approach taken by the openSUSE folks:
https://discourse.nordisch.org/t/fun-with-freeipa-and-a-slightly-more-com...
[1] See
https://github.com/abbra/freeipa-desktop-profile,
https://github.com/abbra/freeipa-userstatus-plugin and other
freeipa-* plugins there.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland