On Mon, 20 Mar 2017, David Kupka wrote:
> FreeIPA can be deployed in environment with existing DNS and/or CA server. IIRC you have following options:
None of the documentation I've managed to find thus far addresses the general question of which option(s) to choose, and why; in particular, the "Deployment Recommendations" page just presents the options without actually recommending one over another. What's missing is how they behave in the real world, and which tradeoffs cause the least trouble.
Maybe that question is too general... Here are a few specifics that fell out of a bunch of experimentation:
Is there any utility in installing DNS and delegating a zone to FreeIPA if none of the clients will live in that zone?
Is there any current or planned method for absorbing an existing CA cert into a (newly) FreeIPA-installed Dogtag instance that'd allow for continued issuance of a variety of client and service certs from FreeIPA, without having to manage an external CA?
-Rob

--
Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project