Thanks a lot, will try it.

On Thu, Aug 31, 2023 at 10:40 AM Yavor Marinov <[email protected]> wrote:

> Hey guys,
>
> I would suggest an easier and quite simple method: create a subdomain in your current DNS, and describe its NSes to point to FreeIPA's DNSes. Configure FreeIPA with a subdomain, instead of the domain, and if you need to, create forwarding rules in FreeIPA to use your main DNS as a forwarder. Additionally, newly added infra can be just CNAME-ed into your main DNS with specifics (or even an A record). Offering this because in our current infra we are using Google's DNS for the domain, and our centralized login can be used with both the domain and the subdomain. The only "frustrating" thing is that I need to change the client's DNS (e.g. resolv.conf) when I'm enrolling them, to point to FreeIPA and be able to properly enroll their DNS records into FreeIPA.
>
> ~br
>
> On Wed, Aug 30, 2023 at 11:26 PM Rafael Jeffman via FreeIPA-users <[email protected]> wrote:
>
>> Hi Pradeep,
>>
>> On Wed, Aug 30, 2023 at 3:27 PM Pradeep KNS via FreeIPA-users <[email protected]> wrote:
>> >
>> > Hi Rob,
>> >
>> > Thank you for your valuable insights on FreeIPA and DNS. I have an existing internal DNS server that I would like to integrate with FreeIPA's DNS feature. As I understand it, FreeIPA can serve as an integrated DNS solution. However, I would like to ensure that my existing internal DNS infrastructure is utilized alongside FreeIPA's DNS capabilities.
>> >
>> > Could you provide guidance on how to configure FreeIPA to work with my internal DNS server? Specifically, I'd like to achieve the following:
>> >
>> > Use FreeIPA for centralized user authentication and management.
>>
>> That would be just setting up FreeIPA and maintaining correct DNS records, so I won't jump into this one.
>>
>> > Integrate my existing internal DNS server with FreeIPA's DNS, so I can manage internal DNS records within FreeIPA while maintaining the internal DNS functionality.
>> >
>>
>> The short answer is: you can't.
>>
>> The longer answer might provide a way to almost have what you want.
>>
>> FreeIPA's embedded nameserver has to be authoritative, and you can only manage its records, not the ones on your current DNS infrastructure.
>>
>> To change DNS management to FreeIPA you'd have to set your internal DNS nameserver to be a secondary nameserver, and configure FreeIPA's nameserver to notify the internal nameserver of changes. It's doable, but I would not recommend doing so.
>>
>> Another possibility is to change the DNS infrastructure to use FreeIPA instead of the current nameserver.
>>
>> If you can manage your internal zones with the limitations that FreeIPA's nameserver has (e.g. split-view is not supported), then you could plan on retiring the current nameserver in favor of the FreeIPA one. With replicas you can also get redundancy on the nameservers.
>>
>> If your current nameserver is exposed to the world, again, I'd suggest against this move.
>>
>> Bottom line, either use your current DNS infrastructure or fully migrate to FreeIPA.
>>
>> Rafael
>>
>> > I want to avoid any conflicts between FreeIPA's DNS and my existing internal DNS server. Your expertise in this matter would greatly assist me in achieving a successful and well-integrated DNS solution.
>> >
>> > Thank you for your time and support.
>> >
>> >
>> > On Wed, Aug 30, 2023 at 6:34 PM Rob Crittenden <[email protected]> wrote:
>> >>
>> >> Pradeep KNS via FreeIPA-users wrote:
>> >> > Hello Team,
>> >> >
>> >> > While setting up FreeIPA in my Linux infrastructure, I noticed a strange warning. I would like to clarify before rolling into production.
>> >> >
>> >> > DNS zone alpha-grep.com. already exists in DNS and is handled by server(s): ['ns2.', 'ns1.'] Please make sure that the domain is properly delegated to this IPA server.
>> >> >
>> >> > I have uploaded the detailed installation log at this link. Please suggest whether it will be any security flaw in future, before installing it on production.
>> >> >
>> >> > https://bpa.st/AMITK
>> >>
>> >> I'm not sure what security issue you are worried about but you explicitly allow this configuration with the --allow-zone-overlap install option.
>> >>
>> >> Your domain DNS is managed externally and you've installed a DNS server to be authoritative for the same domain. If you want to expose your IPA DNS to the Internet you'll need to repoint the nameservers on your domain to your IPA host.
>> >>
>> >> If what you're hoping to do is provide views, to limit what hosts are resolvable depending on where the request is coming from, that is not available in IPA. While IPA uses bind under the hood, not all capabilities are exposed.
>> >>
>> >> So whether this configuration is acceptable or not is up to you.
>> >>
>> >> rob
>> >>
>>
>> --
>> Rafael Guterres Jeffman
>> Senior Software Engineer
>> FreeIPA - Red Hat
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
