Red Hat Bugzilla – Bug 1026658
[RFE] Request to provide IPA as modules
Last modified: 2013-11-06 05:06:29 EST
Description of the request:
Customer would like to install and use only one or several part(s) of IPA - e.g. DNS Management Interface only - and then not to have to install the entire solution - e.g. Kerberos, NTP, LDAP, etc. - like it is for the moment just for using the DNS part.
Thanks for your support and your time.
Thanks for the interest. FreeIPA is an identity, authentication, authorization stack. DNS is a supplementary module supporting its function. However, with just DNS, there is no FreeIPA - that said, I do not think that this is something that the FreeIPA team would focus on.
You can, however, install a FreeIPA server with DNS support and then consume only the DNS part, but of course, it is quite a heavy machinery for the task. The other option is to use the bind-dyndb-ldap component of the FreeIPA stack, which will let you configure a custom LDAP as a DNS data source for the BIND name server (as FreeIPA uses it). But of course, you would not have the FreeIPA Web UI DNS page.
Let me rephrase what Martin said:
FreeIPA integrates those components:
DNS uses those:
Let me make clear that DNS in FreeIPA depends on the LDAP server (389 DS) and BIND anyway. They want to use the Web UI (I guess), so there is not much to extract. They can install FreeIPA without the PKI/Dogtag certificate authority and without NTP if they want.
So after all, the only 'unnecessary' component for the DNS-only use case is Kerberos. Note that nothing forces them to really use the integrated Kerberos server, it will just sit there and authenticate the admin user to the Web UI.
The idea is to propose IPA as modules which could be installed separately and should manage their dependencies on other modules. Finally, the module choice will be reflected in the Web UI as well.
E.g., if the customer decides to use IPA only as a DNS server, the WebUI should only contain DNS-related elements and not RBAC, Host and User, which are useless in that case.
We implement FreeIPA exactly this way - we have optional functionality like DNS or AD Trust Integration as separate packages with a separate installer. When the optional piece is configured, it is shown in the Web UI.
All these optional pieces require FreeIPA core, that is mostly Kerberos, LDAP and HTTP. Without the core, FreeIPA makes no sense. But it does not work the other way around - like IPA AD trust integration with IPA, or IPA DNS without IPA. I am sorry, but I have to close this particular request as WONTFIX.