On Sun, Mar 12, 2017 at 10:47:02PM -0400, Rob Foehl wrote:
> I'm looking at deploying FreeIPA in a few environments with substantial DNS
> and/or CA infrastructure, and have some choices to make...
>
> How much trouble will I have if FreeIPA is delegated a zone like
> ipa.example.com with all clients in example.com or other children? (No
> overlap with AD-managed zones, but in at least one case autodiscovery won't
> be possible due to mixed clients in the parent zone.)
>
> What's the best way to play nice with existing PKI -- generate a CA CSR at
> installation time and sign that? Is there any provision for automatically
> renewing these certs, say if the external CA were to be subsumed by a
> dedicated Dogtag instance?
>
> Advice and experience appreciated, before I paint myself into a corner
> somewhere... Thanks!
>
> -Rob
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
Hello Rob,

FreeIPA can be deployed in an environment with an existing DNS and/or CA server. IIRC you have the following options:

- regarding DNS:
-- Delegate a DNS zone to FreeIPA. It will then manage the zone and add records there. Obviously, it will not add records for clients in other zones.
-- Don't set up DNS in FreeIPA and keep managing all records in your current DNS server. There's a plan to integrate with external DNS servers [1] but nothing has been done yet.

- regarding CA:
-- install CA-less FreeIPA - you need to issue certificates for HTTPD and 389-DS with your certificate server and provide those when installing the FreeIPA server
-- install FreeIPA with a CA certificate signed by an external CA. Use the --external-ca option. The installation will be interrupted to let you sign the generated CSR. FreeIPA will then issue all needed certificates.
-- install FreeIPA with a self-signed CA certificate. This is the default, but then you need to distribute the certificate to all clients.

Certmonger [2] is configured during ipa-server-install to track and renew certificates.

[1] https://www.freeipa.org/page/V4/External_DNS_integration_with_installer
[2] https://pagure.io/certmonger

--
David Kupka
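The reply above notes that certmonger tracks and renews the server certificates after ipa-server-install. A check a practitioner would want, whichever CA option is chosen, is that every tracked request is really in MONITORING state and not close to expiry. The following is an added example, not code from the thread or from the FreeIPA project: it parses the output of `getcert list` (field names `status`, `stuck`, `CA`, `subject`, `expires` as that tool prints them) and flags requests that need attention. The sample output is constructed, not captured from a real host.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output (request IDs and dates invented).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID 'constructed-0001':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=ipa.example.com,O=EXAMPLE.COM
    expires: 2019-03-13 02:47:02 UTC
Request ID 'constructed-0002':
    status: CA_UNREACHABLE
    stuck: yes
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2017-04-01 00:00:00 UTC
Request ID 'constructed-0003':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2017-03-20 12:00:00 UTC
"""

def _parse_utc(stamp):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp into an aware datetime."""
    naive = datetime.strptime(stamp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of 'key: value' fields per request."""
    entries = []
    for block in re.split(r"^Request ID '", text, flags=re.M)[1:]:
        req_id, _, body = block.partition("':\n")
        entry = {"id": req_id}
        for line in body.splitlines():
            key, sep, value = line.strip().partition(": ")
            if sep:
                entry[key] = value
        entries.append(entry)
    return entries

def find_renewal_problems(entries, now_utc=None, warn_days=30):
    """Return (request id, reason) for requests that are stuck, not in MONITORING
    state, or whose certificate expires within warn_days of now_utc (same format
    as certmonger's expires field; defaults to the current time)."""
    now = _parse_utc(now_utc) if now_utc else datetime.now(timezone.utc)
    problems = []
    for e in entries:
        if e.get("stuck") == "yes" or e.get("status") != "MONITORING":
            problems.append((e["id"], "status " + e.get("status", "unknown")))
        elif _parse_utc(e["expires"]) - now < timedelta(days=warn_days):
            problems.append((e["id"], "expires " + e["expires"]))
    return problems
```

Feed it the real output with `parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))` on the IPA server; an empty result means every tracked certificate is being renewed normally.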