FreeIPA server installation currently supports only 2 modes:
We should enhance our ipa-server-install to:
1. Accept Active Directory user+password. This can be a random user which is privileged to manage DNS domain for IPA
2. At the end of installation, nsupdate is run with Kerberos credentials to set the records in AD server
To also allow updates when a replica is updated, we need more persistent access. Either think about updating it via AD Trust, or let the admin pass a keytab for the special user, which could be stored in a secret LDAP attribute accessible by IPA masters so that they can do SRV record updates when needed.
To allow client updates, AD would need to be configured to accept nsupdates from FreeIPA's host/host.fqdn@IPA.REALM (to be further investigated).
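As an added illustration of step 2 above (not part of the original ticket and not FreeIPA code), this shell function builds the nsupdate batch for the SRV records a FreeIPA server publishes and rejects host or zone names that could smuggle extra nsupdate commands into it. The zone, host names, TTL, the `0 100` priority/weight and the AD principal in the usage comment are constructed sample values.

```shell
#!/bin/sh
# Added example: build an nsupdate batch for FreeIPA SRV records.
# All zone/host values a caller passes in are the caller's own; nothing is sent.

# service:port pairs for the SRV records an IPA master publishes
IPA_SRV_RECORDS="_ldap._tcp:389 _kerberos._tcp:88 _kerberos._udp:88
_kerberos-master._tcp:88 _kerberos-master._udp:88
_kpasswd._tcp:464 _kpasswd._udp:464"

# is_fqdn NAME: succeeds only for a dotted name made of letters, digits,
# '-' and '.', so whitespace or newlines cannot start another command.
is_fqdn() {
    case "$1" in
        ""|.*|*.|*..*|*[!A-Za-z0-9.-]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_srv_update ZONE TTL SERVER_FQDN...
# Prints the batch on stdout; validates everything before printing anything.
build_srv_update() {
    [ "$#" -ge 3 ] || { echo "usage: build_srv_update ZONE TTL HOST..." >&2; return 1; }
    zone=$1; ttl=$2; shift 2
    is_fqdn "$zone" || { echo "invalid zone" >&2; return 1; }
    case "$ttl" in ""|*[!0-9]*) echo "invalid ttl" >&2; return 1 ;; esac
    for host in "$@"; do
        is_fqdn "$host" || { echo "invalid host" >&2; return 1; }
    done
    echo "zone $zone"
    for rec in $IPA_SRV_RECORDS; do
        name=${rec%%:*}; port=${rec##*:}
        # Replace the whole RRset so removed masters do not linger in DNS.
        echo "update delete $name.$zone. SRV"
        for host in "$@"; do
            echo "update add $name.$zone. $ttl SRV 0 100 $port $host."
        done
    done
    echo "send"
}

# Usage (constructed names; -g selects GSS-TSIG, i.e. the Kerberos ticket):
#   kinit dnsadmin@AD.EXAMPLE.TEST
#   build_srv_update ipa.example.test 86400 ipa1.ipa.example.test | nsupdate -g
```

Because the function prints nothing until every argument has passed validation, a rejected input never leaves a half-written batch in the pipe to nsupdate.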
3.4 development was shifted for one month, moving tickets to reflect reality better.
An alternative solution is to follow Petr's advice in http://www.redhat.com/archives/freeipa-devel/2013-September/msg00247.html and use nsupdate instead of LDAP based DNS record management.
We decided to push this out of 3.4, it is not a priority for this release.
Starting to shape next release
This is a duplicate of the broader #4424.
Metadata Update from @mkosek:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.2 Backlog