Bug 1026658

Summary: [RFE] Request to provide IPA as modules
Product: Red Hat Enterprise Linux 6
Reporter: Frederic Hornain <fhornain>
Component: ipa
Assignee: Martin Kosek <mkosek>
Status: CLOSED WONTFIX
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: unspecified
Version: 6.6
CC: pspacek, rcritten
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Enhancement
Story Points: ---
Last Closed: 2013-11-06 10:06:29 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Frederic Hornain 2013-11-05 07:55:13 UTC
Description of the request:

Customer would like to install and use only one or several part(s) of IPA - e.g. DNS Management Interface only - and then not to have to install the entire solution - e.g. Kerberos, NTP, LDAP, etc. - like it is for the moment just for using the DNS part.

Thanks for your support and your time.

BR
/f

Comment 1 Martin Kosek 2013-11-05 08:10:36 UTC
Hello Frederic,

Thanks for the interest. FreeIPA is an identity, authentication, authorization stack. DNS is a supplementary module supporting its function. However, with just DNS, there is no FreeIPA - that said, I do not think that this is something that the FreeIPA team would focus on.

You can, however, install a FreeIPA server with DNS support and then consume only the DNS part, but of course, it is quite a heavy machinery for the task. Another option is to use the bind-dyndb-ldap component of the FreeIPA stack, which will let you configure a custom LDAP as a DNS data source for the BIND name server (as FreeIPA uses it). But of course, you would not have the FreeIPA Web UI DNS page.

Comment 3 Petr Spacek 2013-11-05 15:33:51 UTC
Let me rephrase what Martin said:

FreeIPA integrates these components:
    LDAP
    Kerberos
    PKI (optional)
    DNS
    Certmonger (optional)
    Web UI
    Trusts (optional)
    Client (optional)
    NTP (optional)

DNS uses these:
    LDAP
    DNS
    Web UI

Let me make clear that DNS in FreeIPA depends on the LDAP server (389 DS) and BIND anyway. They want to use the Web UI (I guess), so there is not much to extract. They can install FreeIPA without the PKI/Dogtag certificate authority and without NTP if they want.

So after all, the only 'unnecessary' component for the DNS-only use case is Kerberos. Note that nothing forces them to really use the integrated Kerberos server; it will just sit there and authenticate the admin user to the Web UI.

Comment 4 Frederic Hornain 2013-11-05 21:41:14 UTC
Dear *,

The idea is to propose IPA as modules which could be installed separately and should manage their dependencies on other modules. Finally, the module choice will be reflected in the Web UI as well.
E.g. if the customer decides to use IPA only as a DNS server, the Web UI should only contain DNS-related elements and not RBAC, Host and User, which are useless in that case.

BR
/f

Comment 5 Martin Kosek 2013-11-06 10:06:29 UTC
We implement FreeIPA exactly this way - we have optional functionality like DNS or AD Trust Integration as separate packages with a separate installer. When the optional piece is configured, it is shown in the Web UI.

All these optional pieces require FreeIPA core, that is mostly Kerberos, LDAP and HTTP. Without the core, FreeIPA makes no sense. But it does not work the other way around - like IPA AD trust integration with IPA, or IPA DNS without IPA. I am sorry, but I have to close this particular request as WONTFIX.