Hi,

I believe the topic of DHCP integration has come up before. I think there have
been other requests for this, but I would like to elaborate on some of my (and
others') thoughts on why this would be excellent in FreeIPA. When I refer to
DHCP I speak of the ISC-DHCP3/4 servers.

DHCP at the current point in time is difficult to manage in both larger and
smaller business or network setups. In the smaller setup, there may not be
enough expertise to go around, which presents a key-person risk, and for a large
business, with hundreds to thousands of workstations, managing the DHCP
configuration by hand becomes quite hard. As a result, some people have created
tools that generate the configuration file and copy it out to servers, but this
is quite a kludgy solution. Alternatively, you can store the DHCP configuration
in LDAP. Again, a tool must be written to manage this LDAP branch, as having
people edit it by hand is inadvisable. However, as a result, these tools aren't
released into the open source world, so no one can benefit from their presence.

FreeIPA already has the majority of components in place to fill this gap
(namely 389DS, DNS and access to hosts). With a goal of managing users and
hosts effectively, in my view, DHCP is one of the last pieces of the host
management puzzle.

DHCP would be similar to DNS in FreeIPA, in that it would be an optional 
component. 

Opting for DHCP support during the install should not, by itself, make your
FreeIPA server a DHCP server. The DHCP server "role" could be allocated to
other hosts via the FreeIPA admin tools. That way you don't need to install a
FreeIPA domain controller at every location that needs DHCP. You also avoid
the chicken-and-egg problem of "How does my FreeIPA server get an IP if the
DHCP server is on another host that relies upon FreeIPA being available?"
This could also potentially take advantage of the concept of "locations".

Having DHCP support would allow users to quickly and reliably set up network
infrastructure, namely DNS and DHCP, on their systems. Additionally, having
FreeIPA DHCP-aware would mean that for subnets you control, you can
automatically generate the reverse hosts zone in DNS.

You would gain an avenue of updating DNS names for hosts, without necessarily 
having the FreeIPA client tools installed. You could supplement this to show 
which hosts on a network are and are not part of the FreeIPA domain to allow 
easier auditing of systems.

Users gain easy access to redundancy in DHCP server configuration, which is
more difficult to achieve with the traditional configuration files.

Permissions over the control of DHCP (and potentially even subnets within) can
be delegated to users and roles.

The FreeIPA join tool can automatically create static host entries, and
transmit the DHCP DUID (both for IPv4 and IPv6) to the FreeIPA servers. Even if
you don't "assign" an IP to this static entry, this simplifies administration
of hosts on a network. (Have you ever sat down and entered 100 machines' MAC
addresses manually into a web UI? It's not fun.) In the future, this kind of
integration would mean that an administrator could easily add PXE boot
arguments to the DHCP server for tools like Satellite kickstarting. (This may
even be exposed over an API that Satellite can just hook into... the
potential is great.)

FreeIPA join can automatically enable DHCP6 on clients, allowing more network 
flexibility than standard router advertisement.  

You avoid people needing to write their own DHCP management solution that may 
have bugs or other latent issues, in favour of a high quality tool provided by 
FreeIPA. This becomes a very attractive feature to help with FreeIPA adoption. 

Thoughts, questions, comments?

Sincerely,

William Brown

Research & Teaching, Technology Services
The University of Adelaide, AUSTRALIA 5005


pgp.mit.edu
http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2


_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
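The reverse-zone generation the message proposes (deriving the in-addr.arpa / ip6.arpa zones for a DHCP subnet FreeIPA controls, and the PTR records its static host entries need), as an added Python example that is not part of the original message or of FreeIPA's code. The subnet and host entries are constructed sample data and the function names are hypothetical.

```python
import ipaddress

# Constructed sample data: a DHCP subnet FreeIPA would "control" and the
# static host entries the join tool is proposed to register for it.
SUBNET = "10.1.0.0/22"
STATIC_HOSTS = [
    ("ws01.example.test", "10.1.2.5"),
    ("ws02.example.test", "10.1.0.10"),
]


def reverse_zones(cidr):
    """Return the reverse DNS zone names (with trailing dot) that cover cidr.

    IPv4 reverse zones sit on octet boundaries and IPv6 zones on nibble
    boundaries, so an unaligned prefix (a /22, say) is expanded into the
    aligned zones it spans (four /24 zones).  RFC 2317 classless delegation,
    the alternative for IPv4 prefixes longer than /24, is not handled here.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    step = 8 if net.version == 4 else 4            # bits per reverse label
    total = 4 if net.version == 4 else 32          # labels in a full address
    aligned = -(-net.prefixlen // step) * step     # round prefix up to boundary
    keep = aligned // step                         # labels inside the prefix
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        labels = sub.network_address.reverse_pointer.split(".")
        zones.append(".".join(labels[total - keep:]) + ".")
    return zones


def plan_reverse_records(cidr, static_hosts):
    """Map each reverse zone of cidr to the PTR records (owner, target) that
    the given static host entries require; hosts outside cidr are rejected."""
    net = ipaddress.ip_network(cidr, strict=True)
    plan = {zone: [] for zone in reverse_zones(cidr)}
    for fqdn, ip in static_hosts:
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is not inside {cidr}")
        full = addr.reverse_pointer + "."
        zone = next(z for z in plan if full == z or full.endswith("." + z))
        owner = full[: -len(zone) - 1] or "@"      # labels relative to zone
        plan[zone].append((owner, fqdn.rstrip(".") + "."))
    return plan


if __name__ == "__main__":
    for zone, records in plan_reverse_records(SUBNET, STATIC_HOSTS).items():
        print(zone, records)
```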