I believe the topic of DHCP integration has come up before. I think there have 
been other requests for this, but I think I would like to elaborate on some of 
mine (and others) thoughts on why this would be excellent in FreeIPA.  When I 
refer to DHCP I speak of the ISC-DHCP3/4 servers. 

DHCP at the current point of time is difficult to manage in a larger and 
smaller business or network setup. In the smaller setup, there may not be 
enough expertise to go around which presents a key person risk, and for a large 
business, with hundreds to thousands of workstations, managing the dhcp 
configuration by hand becomes quite hard. As a result, some people have created 
tools that generate the configuration file and copy it out to servers, but this 
is quite a kludgy solution. Alternately, you can store the DHCP configuration 
is LDAP. Again, a tool must be written to manage this LDAP branch, as having 
people edit it by hand is inadvisable. However, as a result, these tools aren't 
released into the open source world, so no one can benefit from their presence.

FreeIPA already has the majority of components in place to fill this gap 
(Namely, 389DS, DNS and access to hosts) - with a goal of managing Users and 
Hosts effectively, in my view, DHCP is one last pieces of the host management 

DHCP would be similar to DNS in FreeIPA, in that it would be an optional 

During the install, just because you have opted for having DHCP support, should 
not make your FreeIPA server a DHCP server. The DHCP server "role" could be 
allocated to other hosts via the freeIPA admin tools.  That way you don't need 
to install a FreeIPA domain controller at every location that needs DHCP. You 
also avoid the chicken and egg problem of "How does my FreeIPA server get an IP 
if the DHCP server is on another host that relies upon FreeIPA being 
available". This could also potentially take advantage of the concept of 
"locations" also.

Having DHCP support would allow users to quickly and reliably setup network 
infrastructure, namely, DNS and DHCP on their systems. Additionally, having 
FreeIPA DHCP aware, would mean that for subnets you control, you can 
automatically generate the reverse hosts zone into DNS. 

You would gain an avenue of updating DNS names for hosts, without necessarily 
having the FreeIPA client tools installed. You could supplement this to show 
which hosts on a network are and are not part of the FreeIPA domain to allow 
easier auditing of systems.

Users gain easy access to redundancy in DHCP server configuration, that is more 
difficult to achieve than with the traditional configuration files. 

Permissions over the control of DHCP (And potentially even subnets within) can 
be delegated to users and roles. 

The FreeIPA join tool can automatically create static host entries, and 
transmit the DHCP DUID (Both for IPv4 and IPv6) to the FreeIPA servers. Even if 
you don't "assign" an IPA to this static entry, this simplifies administration 
of hosts on a network. (Have you ever sat down and entered in 100 machines mac 
addresses manually into a web UI? It's not fun). In the future, this kind of 
integration would mean that an administrator could easily add PXE boot 
arguments to the DHCP server for tools like satellite kickstarting. (Which may 
even be exposed over an API and satellite can just hook into that .... the 
potential is great.)

FreeIPA join can automatically enable DHCP6 on clients, allowing more network 
flexibility than standard router advertisement.  

You avoid people needing to write their own DHCP management solution that may 
have bugs or other latent issues, in favour of a high quality tool provided by 
FreeIPA. This becomes a very attractive feature to help with FreeIPA adoption. 

Thoughts, questions, comments?


William Brown

Research & Teaching, Technology Services
The University of Adelaide, AUSTRALIA 5005

CRICOS Provider Number 00123M
IMPORTANT: This message may contain confidential or legally privileged
information. If you think it was sent to you by mistake, please delete all
copies and advise the sender. For the purposes of the SPAM Act 2003, this
email is authorised by The University of Adelaide.


Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Freeipa-devel mailing list

Reply via email to