1026658 – [RFE] Request to provide IPA as modules

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1026658 - [RFE] Request to provide IPA as modules

Summary: [RFE] Request to provide IPA as modules

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Martin Kosek
QA Contact:	Namita Soman
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-11-05 07:55 UTC by Frederic Hornain
Modified:	2013-11-06 10:06 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Doc Type:	Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed:	2013-11-06 10:06:29 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Frederic Hornain 2013-11-05 07:55:13 UTC

Description of the request:

Customer would like to install and use only one or several part(s) of IPA - e.g. DNS Management Interface only - and then not to have to install the entire solution - e.g. Kerberos, NTP, LDAP, etc.. - like it is for the moment just for using the DNS part.

Thanks for your support and your time.

BR
/f

Comment 1 Martin Kosek 2013-11-05 08:10:36 UTC

Hello Frederic,

Thanks for the interest. FreeIPA is an identity, authentication, authorization stack. DNS is a supplementary module supporting it's function. However, with just DNS, there is no FreeIPA - that said, I do not think that this something that FreeIPA team would focus on. 

You can, however, install a FreeIPA server with DNS support and then consume only the DNS part, but of course, it is quite a heavy machinery for the task. Other option is to use the bind-dyndb-ldap component of FreeIPA stack, which will let you configure a custom LDAP as a DNS data source for BIND name server (as FreeIPA uses it). But of course, you would not have FreeIPA Web UI DNS page.

Comment 3 Petr Spacek 2013-11-05 15:33:51 UTC

Let me rephrase what Martin told:

FreeIPA integrates those components:
    LDAP
    Kerberos
    PKI (optional)
    DNS
    Certmonger (optional)
    Web UI
    Trusts (optional)
    Client (optional)
    NTP (optional)

DNS uses those:
    LDAP
    DNS
    Web UI

Let me make clear that DNS in FreeIPA depends on LDAP server (389 DS) and BIND anyway. They want to use Web UI (I guess), so there are not much things to extract. They can install FreeIPA without PKI/Dogtag certificate authority and without NTP if they want.

So after all, the only 'unnecessary' component for DNS-only use case is Kerberos. Note that nothing forces them to really use the integrated Kerberos server, it will just sit there and authenticate admin user to the Web UI.

Comment 4 Frederic Hornain 2013-11-05 21:41:14 UTC

Dear *,

The idea is to propose IPA as modules which could be installed separately and should manage their dependence with other modules. Finally, the module choice  will be reflected in the  Web UI as well.
E.G. If customer decide to use IPA only for as a DNS Sever, the WebUI should only contains DNS related elements and not RBAC, Host and user which are useless in that case.

BR
/f

Comment 5 Martin Kosek 2013-11-06 10:06:29 UTC

We implement FreeIPA exactly this way - we have optional functionality like DNS or AD Trust Integration as separate packages with a separate installer. When the optional piece is configured, it is shown in the Web UI.

All these optional pieces require FreeIPA core, that is mostly Kerberos, LDAP and HTTP. Without the core, FreeIPA makes no sense. But it does not work the other way around - like IPA AD trust integration with IPA, or IPA DNS without IPA. I am sorry, but I have to close this particular request as WONTFIX.

Note You need to log in before you can comment on or make changes to this bug.