[Freeipa-devel] [PATCH 0281] Validate adding a privilege to a permission

2015-07-09 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5075

Patch attached.

--
Martin Basti

From c8b9a1126a3c59183b39774333294cc413a26043 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 9 Jul 2015 16:48:36 +0200
Subject: [PATCH] Validate adding privilege to a permission

Adding a privilege to a permission via the web UI allowed the check to be bypassed and a permission
with an improper type to be added.

https://fedorahosted.org/freeipa/ticket/5075
---
 ipalib/plugins/permission.py |  7 +++
 ipalib/plugins/privilege.py  | 27 ++-
 ipalib/util.py   | 27 +++
 3 files changed, 36 insertions(+), 25 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935cc777801ec3a70262372f296b1ea2b8..75532b35039428621bd180f916bb704b7cd9166e 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -29,6 +29,7 @@ from ipalib.capabilities import client_has_capability
 from ipalib.aci import ACI
 from ipapython.dn import DN
 from ipalib.request import context
+from ipalib.util import validate_permission_to_privilege
 
 __doc__ = _(
 Permissions
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
 Add members to a permission.
 NO_CLI = True
 
+def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+# We can only add permissions with bind rule type set to
+# permission (or old-style permissions)
+validate_permission_to_privilege(self, ldap, keys[-1])
+return dn
+
 
 @register()
 class permission_remove_member(baseldap.LDAPRemoveMember):
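Review bot: the error raised for the caller of this new pre_callback names the wrong argument. The code being moved into the helper (see the removed lines in privilege.py, `raise errors.ValidationError(name='permission', ...)`) was written for `privilege_add_permission`, where `permission` is the option being validated; here the value checked is `keys[-1]`, the permission's own primary key, and what the caller is adding is the `privilege` option, so the Web UI and CLI will report a failure on an option this command does not take. Pass the parameter name into the helper (and use `privilege` from here) so the right field is flagged. Also, unlike `privilege_add_permission`, which only runs the search when `options.get('permission')` is set, this callback issues the LDAP search unconditionally, even for a call with no members.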
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 867544359f76fdcb44cd3015f7466a46ba492bec..ce5df4f848be3ba88adf329f246948c3e439af64 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -20,6 +20,7 @@
 from ipalib.plugins.baseldap import *
 from ipalib import api, _, ngettext, errors
 from ipalib.plugable import Registry
+from ipalib.util import validate_permission_to_privilege
 
 __doc__ = _(
 Privileges
@@ -185,31 +186,7 @@ class privilege_add_permission(LDAPAddReverseMember):
 if options.get('permission'):
 # We can only add permissions with bind rule type set to
 # permission (or old-style permissions)
-ldapfilter = ldap.combine_filters(rules='', filters=[
-'(objectClass=ipaPermissionV2)',
-'(!(ipaPermBindRuleType=permission))',
-ldap.make_filter_from_attr('cn', options['permission'],
-   rules='|'),
-])
-try:
-entries, truncated = ldap.find_entries(
-filter=ldapfilter,
-attrs_list=['cn', 'ipapermbindruletype'],
-base_dn=DN(self.api.env.container_permission,
-   self.api.env.basedn),
-size_limit=1)
-except errors.NotFound:
-pass
-else:
-entry = entries[0]
-message = _('cannot add permission %(perm)s with bindtype '
-'%(bindtype)s to a privilege')
-raise errors.ValidationError(
-name='permission',
-error=message % {
-'perm': entry.single_value['cn'],
-'bindtype': entry.single_value.get(
-'ipapermbindruletype', 'permission')})
+validate_permission_to_privilege(self, ldap, options['permission'])
 return dn
 
 
diff --git a/ipalib/util.py b/ipalib/util.py
index 649a4875fde0b44844749946cce53d81f7f6eea4..626b463d532b3f7da5e5fef46ddb673af31ced35 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -809,3 +809,30 @@ def get_topology_connection_errors(graph):
 if not_visited:
 connect_errors.append((m, list(visited), list(not_visited)))
 return connect_errors
+
+
+def validate_permission_to_privilege(obj, ldap, permission):
+ldapfilter = ldap.combine_filters(rules='', filters=[
+'(objectClass=ipaPermissionV2)',
+'(!(ipaPermBindRuleType=permission))',
+ldap.make_filter_from_attr('cn', permission, rules='|'),
+])
+try:
+entries, truncated = ldap.find_entries(
+filter=ldapfilter,
+attrs_list=['cn', 'ipapermbindruletype'],
+base_dn=DN(obj.api.env.container_permission,
+   obj.api.env.basedn),
+size_limit=1)
+except errors.NotFound:
+pass
+else:
+entry = entries[0]
+message = _('cannot add permission %(perm)s with bindtype '
+'%(bindtype)s to a privilege')
+raise errors.ValidationError(
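Review bot: the helper references `DN`, `errors` and `_`, but this hunk adds no imports to ipalib/util.py; the two callers got those names via `from ipalib.plugins.baseldap import *` and `from ipalib import ... errors`, which util.py does not do, so confirm they are already imported there. `obj` is used only for `obj.api.env`, so taking `api` (or its env) directly would decouple the helper from the command object; `truncated` from `find_entries` is unused. The hunk as posted is cut off right after `raise errors.ValidationError(`, so the error construction could not be reviewed from this message.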
+  

[Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id

2015-07-09 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5074

Patch attached.

--
Martin Basti

From f6fb2885ad8a84e874ce940868072675c7180443 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 9 Jul 2015 17:17:21 +0200
Subject: [PATCH] Prevent to rename certprofile profile id

https://fedorahosted.org/freeipa/ticket/5074
---
 ipalib/plugins/certprofile.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index 6f9a41875b2a276b521219156e630817a9c41fdc..5550ed942521dbab2e783fba1570520268f9b378 100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -291,6 +291,9 @@ class certprofile_mod(LDAPUpdate):
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 ca_enabled_check()
+# Once a profile id is set it cannot be changed
+if 'cn' in entry_attrs:
+raise errors.ACIError(info=_('cn is immutable'))
 if 'file' in options:
 with self.api.Backend.ra_certprofile as profile_api:
 profile_api.disable_profile(keys[0])
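Review bot: `errors.ACIError` is the wrong exception class for an immutability rule; it tells the caller the request was denied by access control, when it was actually rejected on validation grounds. `errors.ValidationError(name='cn', error=_('cn is immutable'))` reports which argument was refused and gives clients the validation error code. Note also that the check only triggers if `cn` is already present in `entry_attrs` when `pre_callback` runs; as long as `certprofile-mod` still advertises `--rename`, the user learns of the restriction only after issuing the call, so not offering the option is the cleaner fix.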
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0281] Validate adding a privilege to a permission

2015-07-09 Thread Jan Cholasta

Hi,

On 9.7.2015 at 16:55, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5075

Patch attached.


the check is very plugin-specific, so I don't think it should be in 
ipalib.util. You can keep it in privilege and import it from there in 
permission just fine.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0282] Prevent to rename certprofile profile id

2015-07-09 Thread Jan Cholasta

Hi,

On 9.7.2015 at 17:21, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5074

Patch attached.


NACK, you should remove the --rename option from certprofile-mod. You 
can do it by removing rdn_is_primary_key = True from certprofile.


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [RFC] Community Portal - Where to go next?

2015-07-09 Thread Petr Vobornik

On 07/03/2015 06:28 AM, David Kupka wrote:

On 02/07/15 22:07, Drew Erny wrote:

Hi, all,

The core functionality of the community portal is more-or-less complete.
In a local development environment, you can go to a web page, put in
information, and have that information reflected in the FreeIPA server.
There's definitely some polishing needed (for example, there is no
styling to the web pages), but the core functionality is all there.

What I need now is for someone to go through the source code, which can
be found at github.com/dperny/freeipa-communityportal, and let me know
if everything seems sound and sane.

I also, perhaps more importantly, need some help on where to go with
this next. The core functionality is all there, but how I'm going to
deploy this to a live environment is still a bit hazy where I should
start to make that happen. There are many ways to deploy a cherrypy web
application, and I'm not sure which path is best. Or, if deployment
isn't important yet at this stage in the prototype, what should I focus
my efforts on now?

Thanks,

Drew Erny



Hi Drew,
when all the core functionality is done and ready then polish it, pack
it, ship it :-)

IIUC, the community portal is a part of WebUI so I would package it
together, iow in freeipa-server. Or create another package depending on
freeipa-server.



IIRC we discussed it and agreed that it will be a separate application.

I think that it would be nice to deploy it on OpenShift v3.
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH] 898-900 webui: user and multiple certs improvements

2015-07-09 Thread Martin Basti

On 09/07/15 00:35, Petr Vobornik wrote:

== [PATCH] 898 webui: cert-request improvements ==
Certificate request action and dialog now supports 'profile_id',
'add' and 'principal' options. 'add' and 'principal' are displayed
only if certificate is added from certificate search facet.

Certificate search facet allows to add a certificate.

User details facet allows to add a certificate.

part of
https://fedorahosted.org/freeipa/ticket/5046

== [PATCH] 899 webui: show multiple cert ==
New certificate widget which replaced certificate status widget.

It can display multiple certs. Drawback is that it cannot display
if the certificate was revoked. Web UI does not have the information.

part of: https://fedorahosted.org/freeipa/ticket/5045

== [PATCH] 900 webui: remove cert manipulation actions from host and service ==

Remove
* cert_view
* cert_get
* cert_revoke
* cert_restore

These actions require serial number which is not provided to Web UI if
multiple certificates are present.

As an alternative to patch 900 we could also provide the original 
interface if there is only one cert and hide the actions if there are 
multiple certs.


note: {user|host|service}-{add|remove}_cert command support is still 
missing.




ACK

--
Martin Basti


[Freeipa-devel] Notice: release-4-2-0 was tagged, ipa-4-2 branch created eom

2015-07-09 Thread Petr Vobornik


--
Petr Vobornik



[Freeipa-devel] [PATCH] 901 Bump 4.3 development version to 4.2.90

2015-07-09 Thread Petr Vobornik


--
Petr Vobornik
From 3696c70bd0aacf7a2f5b0b00f52445d798379034 Mon Sep 17 00:00:00 2001
From: Petr Vobornik pvobo...@redhat.com
Date: Thu, 9 Jul 2015 12:29:33 +0200
Subject: [PATCH] Bump 4.3 development version to 4.2.90

---
 VERSION | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/VERSION b/VERSION
index b2f7a9a3e73b5f38741f7266054e3429803d7036..679ab95ea859a1d5b3fcc29bc2c2e30df100092b 100644
--- a/VERSION
+++ b/VERSION
@@ -21,7 +21,7 @@
 
 IPA_VERSION_MAJOR=4
 IPA_VERSION_MINOR=2
-IPA_VERSION_RELEASE=0
+IPA_VERSION_RELEASE=90
 
 
 # For 'alpha' releases the version will be #
-- 
2.4.3


Re: [Freeipa-devel] [PATCH] 901 Bump 4.3 development version to 4.2.90

2015-07-09 Thread Tomas Babej


On 07/09/2015 12:36 PM, Petr Vobornik wrote:

ACK, pushed to master: 0569910fead3b33a0806b216823738cf17283108



Re: [Freeipa-devel] [PATCH] 898-900 webui: user and multiple certs improvements

2015-07-09 Thread Petr Vobornik

On 07/09/2015 10:54 AM, Martin Basti wrote:

On 09/07/15 00:35, Petr Vobornik wrote:

== [PATCH] 898 webui: cert-request improvements ==
Certificate request action and dialog now supports 'profile_id',
'add' and 'principal' options. 'add' and 'principal' are displayed
only if certificate is added from certificate search facet.

Certificate search facet allows to add a certificate.

User details facet allows to add a certificate.

part of
https://fedorahosted.org/freeipa/ticket/5046

== [PATCH] 899 webui: show multiple cert ==
New certificate widget which replaced certificate status widget.

It can display multiple certs. Drawback is that it cannot display
if the certificate was revoked. Web UI does not have the information.

part of: https://fedorahosted.org/freeipa/ticket/5045

== [PATCH] 900 webui: remove cert manipulation actions from host and service ==
Remove
* cert_view
* cert_get
* cert_revoke
* cert_restore

These actions require serial number which is not provided to Web UI if
multiple certificates are present.

As an alternative to patch 900 we could also provide the original
interface if there is only one cert and hide the actions if there are
multiple certs.

note: {user|host|service}-{add|remove}_cert command support is still
missing.



ACK



pushed to master:
* 7c481b1e90dbb6821b71707c4012b3857adb84e2 webui: cert-request improvements
* cf8b56cc75af43a26f1bd7fadb29a2ab0dd64633 webui: show multiple cert
* 0b943f3ce9cb70fa8b68aa44ec525d50604b84a2 webui: remove cert 
manipulation actions from host and service

--
Petr Vobornik



[Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message

2015-07-09 Thread Veronika Kabatova
The attached patch solves the https://fedorahosted.org/freeipa/ticket/3959 
ticket.

Veronika Kabatova

From 70abe5901c15e71735a0e4e26ea90334b233135b Mon Sep 17 00:00:00 2001
From: Veronika Kabatova vkaba...@redhat.com
Date: Thu, 9 Jul 2015 13:22:24 +0200
Subject: [PATCH] Enhance the DNSNotARecordError message

Enhance the DNSNotARecordError message as proposed in ticket #3959. User
is now suggested to use --force option.

https://fedorahosted.org/freeipa/ticket/3959
---
 ipalib/errors.py | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index 63ec22269467b769d276c443f6b3dbed38cd766e..d874e68829e1a5491dec402d5976c3adfa556e84 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1142,12 +1142,14 @@ class DNSNotARecordError(ExecutionError):
  raise DNSNotARecordError()
 Traceback (most recent call last):
   ...
-DNSNotARecordError: Host does not have corresponding DNS A/ record
+DNSNotARecordError: Host does not have corresponding DNS A/ record,
+use --force to continue anyway
 
 
 
 errno = 4019
-format = _('Host does not have corresponding DNS A/ record')
+format = _('Host does not have corresponding DNS A/ record, use'
+   ' --force to continue anyway')
 
 class ManagedGroupError(ExecutionError):
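Review bot: the format string now hard-codes the CLI spelling `--force`, but `DNSNotARecordError` is raised on the server side and reaches the Web UI and JSON-RPC clients too, where the option is simply `force` and there is no `--`. Phrasing it as "use the force option" (or letting the CLI append the flag hint) keeps the message correct for every client. Separately, as rendered in this message the string reads `DNS A/ record` with nothing after the slash; if that is not an archive artifact, the second record type is missing from both the docstring and the format string.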
 
-- 
2.4.3


[Freeipa-devel] [PATCHES 0279-0280] Backport index fixes into IPA 4.1

2015-07-09 Thread Martin Basti

Backport following commits into IPA 4-1:
  57fba7a56f88c517b3ebb03842f1cc18bc129ebb
  16f47ed4520d4f89db39d1dc58be7a8efb1d8612

Patches attached.


--
Martin Basti

From 3af07555cd8913ca7b503f14dc820800c1f9dd8d Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Thu, 9 Jul 2015 13:21:16 +0200
Subject: [PATCH] Fix indices ntUserDomainId, ntUniqueId

ntUserDomainId and ntUniqueId contained the index value eq,pres,
which is not valid.
---
 install/share/indices.ldif|  6 --
 install/updates/20-indices.update | 14 ++
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/install/share/indices.ldif b/install/share/indices.ldif
index ad678e0b2123d961c957d3071ba48ff70bf27e7a..4a891b567e5485c0ab5705ae7fd82b39d9fcb4e2 100644
--- a/install/share/indices.ldif
+++ b/install/share/indices.ldif
@@ -89,12 +89,14 @@ nsMatchingRule: integerOrderingMatch
 dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: modify
 replace: nsIndexType
-nsIndexType: eq,pres
+nsIndexType: eq
+nsIndexType: pres
 
 dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: modify
 replace: nsIndexType
-nsIndexType: eq,pres
+nsIndexType: eq
+nsIndexType: pres
 
 dn: cn=fqdn,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 changetype: add
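Review bot: giving `eq` and `pres` as two separate values under `replace: nsIndexType` is the correct LDIF form; the old single `eq,pres` value was one literal string that the directory server does not recognise as two index types. Keep in mind that indices.ldif is only applied on fresh installs, so the matching entries in 20-indices.update (second hunk) are what actually repair existing deployments, and the two files must stay in sync.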
diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index a8a432d9c28a7fb4ca74582e36d4c39fd98df2cf..b4a572b4ce41db6fa865468c8fb36046395d585e 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -150,3 +150,17 @@ default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
 only:nsIndexType: eq,pres,sub
+
+dn: cn=ntUniqueId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ntUniqueId
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+only:nsIndexType: eq
+only:nsIndexType: pres
+
+dn: cn=ntUserDomainId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
+default:cn: ntUserDomainId
+default:ObjectClass: top
+default:ObjectClass: nsIndex
+only:nsIndexType: eq
+only:nsIndexType: pres
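Review bot: the two new index entries set no `nsSystemIndex`, unlike the neighbouring entry shown in the context above (`default:nsSystemIndex: false`), so on an install where these entries do not exist yet they will be created without it. Either add `default:nsSystemIndex: false` to both for consistency or note why it is intentionally omitted. Also, changing `nsIndexType` in cn=config does not rebuild the index files on disk; confirm the updater schedules the index task for ntUniqueId and ntUserDomainId after applying this, otherwise searches keep hitting the old index until a reindex is run.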
-- 
2.4.3

From 9c7d208154af217210cc84573e8407286c09b43f Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Tue, 5 May 2015 19:47:07 +0200
Subject: [PATCH] Server Upgrade: fix memberUid index

https://fedorahosted.org/freeipa/ticket/5007
---
 install/updates/20-indices.update | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/install/updates/20-indices.update b/install/updates/20-indices.update
index b4a572b4ce41db6fa865468c8fb36046395d585e..cb93f361cd554d36d8ec3c02a152deaa9b5422e3 100644
--- a/install/updates/20-indices.update
+++ b/install/updates/20-indices.update
@@ -10,7 +10,8 @@ default:cn: memberuid
 default:ObjectClass: top
 default:ObjectClass: nsIndex
 default:nsSystemIndex: false
-default:nsIndexType: eq,pres
+only:nsIndexType: eq
+only:nsIndexType: pres
 
 dn: cn=memberHost,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
 default:cn: memberHost
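Review bot: the switch from `default:` to `only:` is the substantive fix here: `default` only sets the attribute when it is absent, so an existing install that already carried the single bad value `eq,pres` was never corrected, whereas `only` replaces it with the two separate values. This matches the form used for ntUniqueId and ntUserDomainId in the preceding patch. The same reindex caveat applies: make sure the updater runs an index task for memberUid after this change.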
-- 
2.4.3


Re: [Freeipa-devel] [PATCH] 897 fix error message when certificate CN is invalid

2015-07-09 Thread David Kupka

On 09/07/15 00:28, Petr Vobornik wrote:

The error message was probably copied from mail address check below.



ACK.

--
David Kupka



Re: [Freeipa-devel] [PATCH] 897 fix error message when certificate CN is invalid

2015-07-09 Thread Petr Vobornik

On 07/09/2015 11:21 AM, David Kupka wrote:

On 09/07/15 00:28, Petr Vobornik wrote:

The error message was probably copied from mail address check below.



ACK.



Pushed to master: f0e88e9b13c0c950cb02f377ac13c8e5b9188a34
--
Petr Vobornik



Re: [Freeipa-devel] How to support Designate?

2015-07-09 Thread Martin Basti

On 08/07/15 20:45, Rich Megginson wrote:

On 07/08/2015 11:56 AM, Rich Megginson wrote:

On 07/08/2015 10:11 AM, Petr Spacek wrote:

On 8.7.2015 17:10, Rich Megginson wrote:

On 07/08/2015 04:31 AM, Petr Spacek wrote:

On 1.7.2015 17:12, Rich Megginson wrote:

On 07/01/2015 09:10 AM, Petr Spacek wrote:

On 1.7.2015 16:43, Rich Megginson wrote:
How much work would it be to support IPA as an AXFR/IXFR client or server with Designate?  Right now, their miniDNS component only supports being a master and sending updates via AXFR, but they have IXFR support planned.

I need to read more about it. Could you please point me to some comprehensive docs about Designate?

Thanks!


http://docs.openstack.org/developer/designate/architecture.html
Designate in setups with mini-DNS acts as DNS master server, i.e. the only source of DNS data/truth. Currently FreeIPA can act only as master, too, which is not possible.

By master do you mean unable to accept AXFR/IXFR from another server?

Sort of. DNS is conceptually built around concept of single authoritative database hosted on Primary Master server. The database is then transferred using AXFR to Slave servers, which are read-only (and can forward update requests to the Primary Master).

See http://tools.ietf.org/html/rfc2136#section-1

The Primary Master server is the place where changes are made. There is by definition only one primary master server per zone, so FreeIPA and Designate cannot be Primary Masters at the same time.

We need to decide who is going to have control over the data.


I can see several alternatives:

A) Add support for slave zones to FreeIPA.
It should be relatively easy and I guess doable in Fedora 23 time frame if it gets appropriate priority.

For plain/insecure DNS zones it will allow us to use FreeIPA in place of any other DNS server but the added value will be negligible because FreeIPA acting as a slave cannot change the data.

The real added value could be the ability of FreeIPA to DNSSEC-sign zones and do the DNSSEC key management. I believe that we should be able to re-use machinery we implemented for master zones in FreeIPA so DNSSEC signing for slave zones should be almost 'for free'.

When implemented, FreeIPA could become the easiest way how to secure DNS in Designate with DNSSEC technology even in cases where all the data are managed by Designate API.
This sounds interesting.  This seems like it would fit in with the typical OpenStack use case - create a new host, assign it a hostname in a sub-zone.

To be sure we understood each other:
In the scenarios where FreeIPA acts as Slave server, the change is done in Designate and then a new version of the DNS zone is transferred to FreeIPA. After that FreeIPA can DNSSEC-sign the zone and serve the signed version to the clients.



B) We can avoid implementing slave zones by using 'agent':
http://docs.openstack.org/developer/designate/glossary.html

If I'm not mistaken, this is what you implemented last year.
I implemented support in Designate for a FreeIPA backend which used the JSON HTTPS API to send updates from Designate to FreeIPA.
Designate has deprecated support for backends.

The agent approach is basically putting a mini-DNS-like daemon on each system which can accept AXFR from Designate.  This agent would then use the backend code I developed to send the data to FreeIPA.

Wow, that is a lot of complexity. I suspect that something like this is
already implemented in dnssyncd written by Martin Basti:
https://github.com/bastiak/dnssyncd


How does this work?  Does it receive zone transfer (AXFR? IXFR?) from a DNS master, then update LDAP with those records?

It receives AXFR/IXFR, Notify from DNS master, and updates data by Dynamic DNS.


You can write own plugin for it to support any DNS server/backend.
But it is proof of concept, it is not rock stable.

Martin




Anyway, I do not see any value in doing so in this particular scenario. Designate would be the authoritative source of data (Primary Master) so from functional point of view it would be the same (or worse) than variant (A), just with more code and more error prone.


C) We can say that combining FreeIPA DNS and Designate does not make sense and drop what you did last year.

It was already dropped when the backend approach was deprecated.


In current architecture it really does not add
any value *unless* we add DNSSEC to the mix.


D) Integrate IPA installers with Designate API.
This is somehow complementary to variants A (and C) and would allow us to automatically add DNS records required by FreeIPA to Designate during FreeIPA installation and replica management.

I wrote a script (ipaextractor.py) that will extract DNS data from FreeIPA and store it in Designate.  That would be a good place to start.

Generally FreeIPA should integrate with other DNS server implementations in a way similar to this:
https://fedorahosted.org/freeipa/ticket/4424
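The sync step Martin describes for dnssyncd above (receive AXFR/IXFR from the master, then push the difference into the secondary with dynamic DNS updates) has three details that are easy to get wrong: RFC 2136 updates act on RRsets rather than on single lines, the SOA belongs to the primary master and must not be rewritten by the secondary, and a stale or replayed transfer has to be ignored using RFC 1982 serial arithmetic. The code below is an added example, not dnssyncd's or FreeIPA's code; it uses only the Python standard library, and the two zone texts are constructed stand-ins for what the secondary currently holds and for what the primary (Designate's mini-DNS in this thread) handed over in an AXFR. It produces the update plan instead of sending it, so it runs offline.

```python
"""Plan the RFC 2136 dynamic update that brings a secondary's copy of a zone
in line with a freshly transferred (AXFR) copy.  Added example, not dnssyncd
or FreeIPA code; zone texts are constructed for this example."""

# Constructed sample: what the secondary (here: FreeIPA) currently serves.
CURRENT_ZONE = """\
$ORIGIN example.test.
@      3600 IN SOA  ns1 hostmaster 2015070901 3600 900 604800 300
@      3600 IN NS   ns1
ns1    3600 IN A    192.0.2.1
web     300 IN A    192.0.2.10
web     300 IN A    192.0.2.11
old     300 IN A    192.0.2.99
"""

# Constructed sample: the zone as sent by the primary master after changes.
TRANSFERRED_ZONE = """\
$ORIGIN example.test.
@      3600 IN SOA  ns1 hostmaster 2015070902 3600 900 604800 300
@      3600 IN NS   ns1
ns1    3600 IN A    192.0.2.1
web     300 IN A    192.0.2.10
web     300 IN AAAA 2001:db8::10
new     300 IN A    192.0.2.50
"""


def absolutize(name, origin):
    """Expand '@' and relative owner names against $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text):
    """Parse a minimal zone file into {(owner, rtype): (ttl, {rdata, ...})}.

    Only what the samples need is handled: $ORIGIN, '@', relative/absolute
    owner names and one-line 'owner ttl IN type rdata' records, which is
    what a received AXFR looks like once its RRs are printed out.
    """
    origin = "."
    rrsets = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            origin = origin if origin.endswith(".") else origin + "."
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        if rclass != "IN":
            raise ValueError("only class IN is supported: %r" % line)
        key = (absolutize(owner, origin), rtype)
        ttl = int(ttl)
        if key in rrsets and rrsets[key][0] != ttl:
            raise ValueError("TTL differs within RRset %s %s" % key)
        rrsets.setdefault(key, (ttl, set()))[1].add(" ".join(rdata.split()))
    return rrsets


def serial_is_newer(new, old):
    """RFC 1982 serial arithmetic: 32-bit serials wrap around."""
    return new != old and ((new - old) & 0xFFFFFFFF) < 0x80000000


def soa_serial(rrsets):
    """Return (zone apex, SOA serial); a zone carries exactly one SOA."""
    soas = [(owner, rrs) for (owner, rtype), (_ttl, rrs) in rrsets.items()
            if rtype == "SOA"]
    if len(soas) != 1 or len(soas[0][1]) != 1:
        raise ValueError("zone must have exactly one SOA record")
    owner, rrs = soas[0]
    return owner, int(next(iter(rrs)).split()[2])


def plan_update(current, transferred):
    """Dynamic-update ops (op, owner, rtype, ttl, rdata) turning
    `current` into `transferred`.  Returns [] for a stale/replayed transfer.
    The SOA is never touched: on a secondary it belongs to the primary."""
    apex, new_serial = soa_serial(transferred)
    old_apex, old_serial = soa_serial(current)
    if apex != old_apex:
        raise ValueError("zone apex mismatch: %s vs %s" % (old_apex, apex))
    if not serial_is_newer(new_serial, old_serial):
        return []
    ops = []
    for key in sorted(set(current) | set(transferred)):
        owner, rtype = key
        if rtype == "SOA":
            continue
        old_ttl, old_rrs = current.get(key, (None, set()))
        new_ttl, new_rrs = transferred.get(key, (None, set()))
        if not new_rrs:
            ops.append(("delete_rrset", owner, rtype, None, None))
            continue
        if old_rrs and old_ttl != new_ttl:
            # TTL is a property of the whole RRset: drop it and re-add it.
            ops.append(("delete_rrset", owner, rtype, None, None))
            old_rrs = set()
        for rdata in sorted(old_rrs - new_rrs):
            ops.append(("delete_rr", owner, rtype, None, rdata))
        for rdata in sorted(new_rrs - old_rrs):
            ops.append(("add_rr", owner, rtype, new_ttl, rdata))
    return ops


def sync_plan(current_text, transferred_text):
    return plan_update(parse_zone(current_text), parse_zone(transferred_text))


if __name__ == "__main__":
    for op in sync_plan(CURRENT_ZONE, TRANSFERRED_ZONE):
        print(op)
```

Sending the plan is left to whatever transport the syncer uses (an nsupdate batch or a dnspython update message, signed with the key the IPA DNS server accepts); the tuples map one-to-one onto RFC 2136 update-section RRs, where deleting an RRset is an RR of class ANY, deleting one RR is class NONE, and an addition is class IN. Keeping the planner separate from the transport is what makes the stale-serial and TTL cases testable without a running DNS server.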