Bug 1026658 - [RFE] Request to provide IPA as modules
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Assigned To: Martin Kosek
Namita Soman
: FutureFeature
Reported: 2013-11-05 02:55 EST by Frederic Hornain
Modified: 2013-11-06 05:06 EST
Doc Type: Enhancement
Last Closed: 2013-11-06 05:06:29 EST
Type: Bug

Description Frederic Hornain 2013-11-05 02:55:13 EST
Description of the request:

Customer would like to install and use only one or several part(s) of IPA - e.g. DNS Management Interface only - and then not have to install the entire solution - e.g. Kerberos, NTP, LDAP, etc. - as is the case at the moment just for using the DNS part.

Thanks for your support and your time.

Comment 1 Martin Kosek 2013-11-05 03:10:36 EST
Hello Frederic,

Thanks for the interest. FreeIPA is an identity, authentication, authorization stack. DNS is a supplementary module supporting its function. However, with just DNS, there is no FreeIPA - that said, I do not think that this is something that the FreeIPA team would focus on.

You can, however, install a FreeIPA server with DNS support and then consume only the DNS part, but of course, it is quite a heavy machinery for the task. Another option is to use the bind-dyndb-ldap component of the FreeIPA stack, which will let you configure a custom LDAP as a DNS data source for the BIND name server (as FreeIPA uses it). But of course, you would not have the FreeIPA Web UI DNS page.
Comment 3 Petr Spacek 2013-11-05 10:33:51 EST
Let me rephrase what Martin said:

FreeIPA integrates those components:
    PKI (optional)
    Certmonger (optional)
    Web UI
    Trusts (optional)
    Client (optional)
    NTP (optional)

DNS uses those:
    Web UI

Let me make clear that DNS in FreeIPA depends on the LDAP server (389 DS) and BIND anyway. They want to use the Web UI (I guess), so there is not much to extract. They can install FreeIPA without the PKI/Dogtag certificate authority and without NTP if they want.

So after all, the only 'unnecessary' component for the DNS-only use case is Kerberos. Note that nothing forces them to really use the integrated Kerberos server; it will just sit there and authenticate the admin user to the Web UI.
Comment 4 Frederic Hornain 2013-11-05 16:41:14 EST
Dear *,

The idea is to propose IPA as modules which could be installed separately and should manage their dependencies on other modules. Finally, the module choice will be reflected in the Web UI as well.
E.g. if the customer decides to use IPA only as a DNS server, the Web UI should only contain DNS-related elements and not RBAC, Host and User, which are useless in that case.

Comment 5 Martin Kosek 2013-11-06 05:06:29 EST
We implement FreeIPA exactly this way - we have optional functionality like DNS or AD Trust Integration as separate packages with a separate installer. When the optional piece is configured, it is shown in the Web UI.

All these optional pieces require FreeIPA core, that is mostly Kerberos, LDAP and HTTP. Without the core, FreeIPA makes no sense. But it does not work the other way around - like IPA AD trust integration with IPA, or IPA DNS without IPA. I am sorry, but I have to close this particular request as WONTFIX.
