#3701 [RFE] Update FreeIPA DNS in Active Directory
Closed: Duplicate. Opened 10 years ago by mkosek.

FreeIPA server installation currently supports only 2 modes:

  • FreeIPA+DNS: server owns a DNS zone and adds all needed records in it
  • FreeIPA without DNS: server is installed, required records are printed to a BIND zone file and passed to the user. In that case, no SRV record updates are done when, for example, a replica is added/removed.

We should enhance our ipa-server-install to:
1. Accept an Active Directory user+password. This can be a random user which is privileged to manage the DNS domain for IPA
2. At the end of installation, nsupdate is run with Kerberos credentials to set the records in the AD server

To also allow updates when a replica is updated, we need more persistent access. Either think about updating it via AD Trust, or let the admin pass a keytab for the special user, which could be stored in a secret LDAP attribute accessible to IPA masters so that they can do SRV record updates when needed.

To allow client updates, AD would need to be configured to accept nsupdates from FreeIPA's host/host.fqdn@IPA.REALM (to be further investigated).
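As an added example (not part of this ticket or of the FreeIPA code base), the following script builds the nsupdate batch that step 2 above would push for one IPA master, and removes the same master's records again for the replica-removal case. The SRV/TXT record set, the TTL, and the hostnames are assumptions modelled on what ipa-server-install prints for the "without DNS" mode; check them against your own installer output before use. Only `ipa_srv_push` talks to a server; it assumes a Kerberos ticket for a principal with write access to the AD zone is already in the default credential cache.

```bash
#!/usr/bin/env bash
# Added example, not FreeIPA project code.  Generates and pushes the SRV/TXT
# records an IPA master needs when the zone lives on an AD DNS server.
set -eu

# Print an nsupdate batch to stdout.
#   $1 = add|delete   $2 = DNS zone   $3 = master FQDN   $4 = Kerberos realm
#   $5 = TTL (default 86400; assumption, ignored for delete)
ipa_srv_batch() {
    local op="$1" zone="$2" fqdn="$3" realm="$4" ttl="${5:-86400}"
    local verb srv
    case "$op" in
        add)    verb="update add" ;;
        delete) verb="update delete"; ttl="" ;;
        *) echo "usage: ipa_srv_batch add|delete zone fqdn realm [ttl]" >&2; return 2 ;;
    esac
    # Pin the update to one zone so a typo in an owner name cannot land elsewhere.
    echo "zone ${zone}."
    # Assumed record set (name port); SRV rdata is "priority weight port target".
    # Every line carries full rdata, so a delete removes only this master's RR
    # and never an "update delete <name> SRV" that would wipe every master.
    for srv in \
        "_ldap._tcp 389" \
        "_kerberos._tcp 88" "_kerberos._udp 88" \
        "_kerberos-master._tcp 88" "_kerberos-master._udp 88" \
        "_kpasswd._tcp 464" "_kpasswd._udp 464"
    do
        set -- $srv
        echo "${verb} $1.${zone}.${ttl:+ $ttl} IN SRV 0 100 $2 ${fqdn}."
    done
    # The realm TXT record is zone-wide: publish it on add, but do not remove it
    # just because one master is being decommissioned.
    if [ "$op" = add ]; then
        echo "${verb} _kerberos.${zone}. ${ttl} IN TXT \"${realm}\""
    fi
    echo "send"
}

# Push a batch with GSS-TSIG (nsupdate -g).  $1 = AD DNS server; remaining
# arguments as for ipa_srv_batch.  Requires a valid ticket, e.g. after
# "kinit dnsadmin@AD.EXAMPLE.TEST" (hypothetical principal), for an account
# that AD's secure dynamic update ACL allows to write this zone.
ipa_srv_push() {
    local server="$1"; shift
    { echo "server ${server}"; ipa_srv_batch "$@"; } | nsupdate -g
}

# Usage (does not run here):
#   ipa_srv_push dc1.ad.example.test add idm.example.test ipa1.idm.example.test IDM.EXAMPLE.TEST
#   ipa_srv_push dc1.ad.example.test delete idm.example.test ipa1.idm.example.test IDM.EXAMPLE.TEST
```

Because each line names the full rdata, AD applies the change only to the one master's records; the existing SRV records of other masters under the same owner name are untouched, which is exactly what is needed when a replica is added or removed. The push step is the part that needs the persistent credential discussed above: whichever principal `nsupdate -g` authenticates as must be allowed by the zone's dynamic update ACL in AD, and nothing else.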


3.4 development was shifted by one month, moving tickets to reflect reality better.

Alternative solution is to follow Petr's advice in http://www.redhat.com/archives/freeipa-devel/2013-September/msg00247.html and use nsupdate instead of LDAP based DNS record management.

We decided to push this out of 3.4, it is not a priority for this release.

Starting to shape next release

This is a duplicate of the broader #4424.

Metadata Update from @mkosek (7 years ago):
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.2 Backlog
