john doe via FreeIPA-users wrote:
> Are there any options to deploy it within an existing domain with the
> constraints being:
>
> - no domain delegation

DNS domain delegation? Do you mean it doesn't delegate any domains or it doesn't require delegation?

> - write access to the applicable zone file prohibited

IPA stores zones in LDAP, not flat files. You can limit write access to LDAP to specific users and/or groups.

> - registering/using an external domain impossible; also no external
> nameserver access

Is a firewall insufficient to control nameserver access? Is this IPA server going to be Internet-facing or something? Credentials are required to read/write to IPA so that will control access. There is no switch for "allow client enrollment only from these domains" but not just anyone can enroll.

> - FreeIPA allowing for no single label domain; hack to override not sensible
> if multi-forest windows connection were to be necessary in the future

IPA doesn't allow single label DNS domains. How this relates to AD forest trust I have no idea.

> - apparently no alternative to DNS as for Kerberos config files?

I don't understand the question. Do you mean for autodiscovery? You can hardcode hostnames all over and use only /etc/hosts if you want but the installation will be fragile and high maintenance.

rob
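
What a client-side Kerberos setup with hardcoded hostnames and no DNS discovery could look like, as an added example that is not part of the original message. The realm EXAMPLE.TEST, the host ipa1.example.test and the address 192.0.2.10 are constructed placeholders.

```ini
# /etc/hosts (constructed entry; every client must list every IPA server)
# 192.0.2.10   ipa1.example.test ipa1

# /etc/krb5.conf
[libdefaults]
  default_realm = EXAMPLE.TEST
  # Turn off DNS-based discovery: no TXT lookup for the realm,
  # no SRV lookup for KDCs. Servers come only from [realms] below.
  dns_lookup_realm = false
  dns_lookup_kdc = false
  # Do not rely on reverse or forward DNS to canonicalize service hostnames.
  rdns = false
  dns_canonicalize_hostname = false

[realms]
  EXAMPLE.TEST = {
    # Hardcoded server names, resolved through /etc/hosts.
    kdc = ipa1.example.test:88
    master_kdc = ipa1.example.test:88
    admin_server = ipa1.example.test:749
    kpasswd_server = ipa1.example.test:464
  }

[domain_realm]
  # Static host-to-realm mapping replaces the DNS realm lookup.
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST
```

Adding, removing or renaming a server means editing both files on every client, which is the maintenance cost the reply refers to.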
