3:53 p.m.
Hi,
I'm currently evaluating a couple of options to migrate our dated
OpenLDAP installation to a more up2date, maintainable and and user
friendly solution.
One of the possibilities I found is of course FreeIPA and I hope this
is the right place to as couple of basic questions, in order to get a
better understanding if FreeIPA can meet our requirements.
Our current setup looks like this:
OpenLDAP used as storage for user, DHCP and DNS information:
#1 users are either regular Unix (Linux, FreeBSD) shell users
#2 or they are users accessing our mail services (dovecot/postfix)
#3 (a low number of) certificates are currently handled by TinyCA
#4 DHCP is handled by multiple, distributed ISC DHCP servers,
configured to pull their configuration from OpenLDAP (network
definitions, routers, NTP servers, MAC addresses etc.)
#5 DNS is handled by multiple, distributed PowerDNS instances, which
again retrieve their DNS data from OpenLDAP
As far as I can understand, FreeIPA can easily handle #1, #2 and #3.
But what about DHCP and DNS? I understand that FreeIPA's backbone is
the 389 DS. I guess migrating our DHCP DIT into 389 is doable, but what
about administration of those entries? Can this be done by FreeIPA?
Regarding DHCP, all I found were some older documents describing
intentions to implement it [1], but I'm uncertain if that ever
happened.
Regarding DNS, I am aware that FreeIPA comes with bind, but if
possible, I'd really like to stay with PowerDNS. Is that possible? And
if not, how tightly integrated is bind into FreeIPA? One mandatory
requirement is that we need to have multiple, geographically
distributed nameservers that hold various amounts of DNS data
(currently determined by LDAP filters). I of course understand that
bind is perfectly capable of doing this, but depending on the level of
integration between FreeIPA and bind, I'm not exactly sure how "easy"
this can be done.
Thanks in advance
Udo
[1] https://pagure.io/freeipa/issue/939
--
Udo Rader, GF/CEO
BestSolution.at EDV Systemhaus GmbH
Eduard-Bodem-Gasse 5-7, A-6020 Innsbruck
http://www.bestsolution.at/
Reg. Nr. FN 222302s am Firmenbuchgericht Innsbruck
7:50 a.m.
Udo,
On Fri, 11 May 2018, Udo Rader via FreeIPA-users wrote:
[...] Our current setup looks like this:
OpenLDAP used as storage for user, DHCP and DNS information:
#1 users are either regular Unix (Linux, FreeBSD) shell users
#2 or they are users accessing our mail services (dovecot/postfix)
#3 (a low number of) certificates are currently handled by TinyCA
#4 DHCP is handled by multiple, distributed ISC DHCP servers, configured
to pull their configuration from OpenLDAP (network definitions, routers,
NTP servers, MAC addresses etc.)
#5 DNS is handled by multiple, distributed PowerDNS instances, which
again retrieve their DNS data from OpenLDAP
As far as I can understand, FreeIPA can easily handle #1, #2 and #3.
But what about DHCP and DNS? I understand that FreeIPA's backbone is the
389 DS. I guess migrating our DHCP DIT into 389 is doable, but what
about administration of those entries? Can this be done by FreeIPA?
Regarding DHCP, all I found were some older documents describing
intentions to implement it [1], but I'm uncertain if that ever happened.
Regarding DNS, I am aware that FreeIPA comes with bind, but if possible,
I'd really like to stay with PowerDNS. Is that possible? And if not, how
tightly integrated is bind into FreeIPA? One mandatory requirement is
that we need to have multiple, geographically distributed nameservers
that hold various amounts of DNS data (currently determined by LDAP
filters). I of course understand that bind is perfectly capable of doing
this, but depending on the level of integration between FreeIPA and
bind, I'm not exactly sure how "easy" this can be done.
our IPA-Installation is completely separated from both our DHCP- and
DNS-Servers, that are maintained using Netdot [1]. All I needed to do was
to add a certain set of DNS-entries to our DNS zone files. Those entries
can be displayed with
---
ipa dns-update-system-records --dry-run
---
[1] https://github.com/cvicente/Netdot
Mit freundlichen Gruessen/With best regards,
--Daniel.
4:59 a.m.
On Mon, 2018-05-14 at 14:50 +0200, dbischof(a)hrz.uni-kassel.de wrote:
Udo,
On Fri, 11 May 2018, Udo Rader via FreeIPA-users wrote:
> But what about DHCP and DNS? I understand that FreeIPA's backbone
> is the
> 389 DS. I guess migrating our DHCP DIT into 389 is doable, but
> what
> about administration of those entries? Can this be done by FreeIPA?
>
> Regarding DHCP, all I found were some older documents describing
> intentions to implement it [1], but I'm uncertain if that ever
> happened.
>
> Regarding DNS, I am aware that FreeIPA comes with bind, but if
> possible,
> I'd really like to stay with PowerDNS. Is that possible? And if
> not, how
> tightly integrated is bind into FreeIPA? One mandatory requirement
> is
> that we need to have multiple, geographically distributed
> nameservers
> that hold various amounts of DNS data (currently determined by
> LDAP
> filters). I of course understand that bind is perfectly capable of
> doing
> this, but depending on the level of integration between FreeIPA
> and
> bind, I'm not exactly sure how "easy" this can be done.
our IPA-Installation is completely separated from both our DHCP- and
DNS-Servers, that are maintained using Netdot [1]. All I needed to do
was
to add a certain set of DNS-entries to our DNS zone files. Those
entries
can be displayed with
---
ipa dns-update-system-records --dry-run
---
[1] https://github.com/cvicente/Netdot
Danke Daniel!
this look very promising, I'll look into Netdot (never heard of it
before).
--
Udo Rader, GF/CEO
BestSolution.at EDV Systemhaus GmbH
Eduard-Bodem-Gasse 5-7, A-6020 Innsbruck
http://www.bestsolution.at/
Reg. Nr. FN 222302s am Firmenbuchgericht Innsbruck
8:10 a.m.
On pe, 11 touko 2018, Udo Rader via FreeIPA-users wrote:
Hi,
I'm currently evaluating a couple of options to migrate our dated
OpenLDAP installation to a more up2date, maintainable and and user
friendly solution.
One of the possibilities I found is of course FreeIPA and I hope this
is the right place to as couple of basic questions, in order to get a
better understanding if FreeIPA can meet our requirements.
Our current setup looks like this:
OpenLDAP used as storage for user, DHCP and DNS information:
#1 users are either regular Unix (Linux, FreeBSD) shell users
#2 or they are users accessing our mail services (dovecot/postfix)
#3 (a low number of) certificates are currently handled by TinyCA
#4 DHCP is handled by multiple, distributed ISC DHCP servers,
configured to pull their configuration from OpenLDAP (network
definitions, routers, NTP servers, MAC addresses etc.)
#5 DNS is handled by multiple, distributed PowerDNS instances, which
again retrieve their DNS data from OpenLDAP
As far as I can understand, FreeIPA can easily handle #1, #2 and #3.
But what about DHCP and DNS? I understand that FreeIPA's backbone is
the 389 DS. I guess migrating our DHCP DIT into 389 is doable, but what
about administration of those entries? Can this be done by FreeIPA?
Regarding DHCP, all I found were some older documents describing
intentions to implement it [1], but I'm uncertain if that ever
happened.
It did not happen, indeed. Most time was spent on two things:
- make other projects to implement features required, mostly around
single sign-on with GSSAPI for ISC DHCP and similar
- make sure we can design a better DHCP storage DIT and schema, an
opportunity to refactor actual DHCP schema.
The second part was unfinished.
So yes, you could import DHCP DIT and manage it yourself but FreeIPA
will not help you with that. You can start developing a management
plugin for that too, following my examples att github[1]
Regarding DNS, I am aware that FreeIPA comes with bind, but if
possible, I'd really like to stay with PowerDNS. Is that possible? And
if not, how tightly integrated is bind into FreeIPA? One mandatory
requirement is that we need to have multiple, geographically
distributed nameservers that hold various amounts of DNS data
(currently determined by LDAP filters). I of course understand that
bind is perfectly capable of doing this, but depending on the level of
integration between FreeIPA and bind, I'm not exactly sure how "easy"
this can be done.
You can use an approach taken by OpenSUSE folks:
https://discourse.nordisch.org/t/fun-with-freeipa-and-a-slightly-more-com...
[1] See https://github.com/abbra/freeipa-desktop-profile,
https://github.com/abbra/freeipa-userstatus-plugin and other
freeipa-* plugins there.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
5:13 a.m.
On Mon, 2018-05-14 at 16:10 +0300, Alexander Bokovoy wrote:
On pe, 11 touko 2018, Udo Rader via FreeIPA-users wrote:Hi,
> [...]
>
> But what about DHCP and DNS? I understand that FreeIPA's backbone
> is
> the 389 DS. I guess migrating our DHCP DIT into 389 is doable, but
> what
> about administration of those entries? Can this be done by FreeIPA?
>
> Regarding DHCP, all I found were some older documents describing
> intentions to implement it [1], but I'm uncertain if that ever
> happened.
It did not happen, indeed. Most time was spent on two things:
- make other projects to implement features required, mostly around
single sign-on with GSSAPI for ISC DHCP and similar
- make sure we can design a better DHCP storage DIT and schema, an
opportunity to refactor actual DHCP schema.
The second part was unfinished.
So yes, you could import DHCP DIT and manage it yourself but FreeIPA
will not help you with that. You can start developing a management
plugin for that too, following my examples att github[1]
I understand that technically I can of course import the DIT, but if I
can't manage it later using FreeIPA, that would only be half the fun.
I'll look into the plugin samples though, if there is no better option
available.
> Regarding DNS, I am aware that FreeIPA comes with bind, but if
> possible, I'd really like to stay with PowerDNS. Is that possible?
> And
> if not, how tightly integrated is bind into FreeIPA? One mandatory
> requirement is that we need to have multiple, geographically
> distributed nameservers that hold various amounts of DNS data
> (currently determined by LDAP filters). I of course understand that
> bind is perfectly capable of doing this, but depending on the level
> of
> integration between FreeIPA and bind, I'm not exactly sure how
> "easy"
> this can be done.
You can use an approach taken by OpenSUSE folks:
https://discourse.nordisch.org/t/fun-with-freeipa-and-a-slightly-
more-complex-dns-setup/437
haha, that's really cool, but a little bit too hackish for my taste :)
[1] See https://github.com/abbra/freeipa-desktop-profile,
https://github.com/abbra/freeipa-userstatus-plugin and other
freeipa-* plugins there.
--
Udo Rader, GF/CEO
BestSolution.at EDV Systemhaus GmbH
Eduard-Bodem-Gasse 5-7, A-6020 Innsbruck
http://www.bestsolution.at/
Reg. Nr. FN 222302s am Firmenbuchgericht Innsbruck
3:44 p.m.
Udo Rader via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
Our current setup looks like this:
...
#4 DHCP is handled by multiple, distributed ISC DHCP servers,
configured to pull their configuration from OpenLDAP (network
definitions, routers, NTP servers, MAC addresses etc.)
...
Regarding DHCP, all I found were some older documents describing
intentions to implement it [1], but I'm uncertain if that ever
happened.
I'm using dnsmasq for DHCP. My workflow is something like this:
- A host gets added to FreeIPA, its IP address is stored in LDAP for
IPA's DNS.
- I manually add the MAC address to the server record:
ipa host-mod <host> --macaddress=<mac>
- A script pulls the hosts from IPA and generates a config fragment for
dnsmasq. If there were changes, dnsmasq is reloaded.
Jochen
#!/bin/bash
tmp=/etc/dnsmasq.d/dynamic-hosts.conf.tmp
KRBPRINC='host/<host>.example.org(a)EXAMPLE.ORG'
kinit -k $KRBPRINC
cat > $tmp <<EOF
# This file has all hosts with their MAC and IP addresses.
# It is created by the cron job /root/scripts/update-dhcp-hosts-from-ipa.sh
# and reads host/mac/ip from freeipa.
EOF
cp ${tmp} ${tmp}.empty
LC_ALL=C ipa host-find --all | awk '
/MAC address:/ { for(i=3;i<=NF;i++){mac_address=mac_address $i}; }
/Class: vpnclient/ { tag="set:vpnclient," }
/Class: efi/ { tag="set:efi," }
/Class: pi-hole/ { tag="set:pi-hole," }
/serverhostname:/ {
if ( mac_address != "" )
print mac_address " " $2 " " tag ;
tag=""; mac_address="" }' | \
while read -r mac_address host tag; do
# shellcheck disable=SC2018,SC2019
mac_address=$(echo "$mac_address" | tr 'A-Z'
'a-z')
ip=$(getent ahostsv4 "$host" | head -n 1 | cut -f1 -d '
' )
echo "dhcp-host=$mac_address,id:*,$tag$ip,$host,24h"
done >> ${tmp}.$$
LC_ALL=C.UTF-8 ipa host-find --all --raw | awk '
/fqdn:/ { ipstr=""; split($2,host,".") }
# for multi-home hosts, description contains the interface-name.
/iface:/ { "getent ahostsv4 " host[1] "-" $2 | getline ipstr;
split(ipstr, ip, " ");
if ( ip[1] != "" )
printf "dhcp-host=" $3 ",id:*," ip[1]
"," host[1] "-" $2 ",24h\n"
else
printf "ERROR: no ip for host »%s« and interface
»%s«.\n", host[1], $2 > "/dev/stderr" }' >> ${tmp}.$$
sort < ${tmp}.$$ > $tmp
rm -f ${tmp}.$$
kdestroy -A
if cmp -s $out $tmp; then
rm -f $tmp ${tmp}.empty
else
if cmp -s ${tmp} ${tmp}.empty; then
rm -f ${tmp} ${tmp}.empty
else
mv $tmp $out
rm -f ${tmp}.empty
systemctl restart dnsmasq.service
fi
fi
--
This space is intentionally left blank.
2173
days inactive
2177
days old
freeipa-users@lists.fedorahosted.org
5 comments
4 participants
participants (4)
-
Alexander Bokovoy -
dbischof@hrz.uni-kassel.de -
Jochen Hein -
Udo Rader