[Freeipa-devel] DHCP integration into FreeIPA

Dmitri Pal dpal at redhat.com
Wed May 2 16:26:48 UTC 2012


On 05/01/2012 10:07 PM, William Brown wrote:
> Hi,
>
> I believe the topic of DHCP integration has come up before. I think
> there have been other requests for this, but I think I would like to
> elaborate on some of my (and others') thoughts on why this would be
> excellent in FreeIPA.  When I refer to DHCP I speak of the ISC-DHCP3/4
> servers. 
>
> DHCP at the current point of time is difficult to manage in a larger
> and smaller business or network setup. In the smaller setup, there may
> not be enough expertise to go around which presents a key person risk,
> and for a large business, with hundreds to thousands of workstations,
> managing the DHCP configuration by hand becomes quite hard. As a
> result, some people have created tools that generate the configuration
> file and copy it out to servers, but this is quite a kludgy solution.
> Alternately, you can store the DHCP configuration in LDAP. Again, a
> tool must be written to manage this LDAP branch, as having people edit
> it by hand is inadvisable. However, as a result, these tools aren't
> released into the open source world, so no one can benefit from their
> presence.
>
> FreeIPA already has the majority of components in place to fill this
> gap (Namely, 389DS, DNS and access to hosts) - with a goal of managing
> Users and Hosts effectively, in my view, DHCP is one of the last pieces of
> the host management puzzle. 
>
> DHCP would be similar to DNS in FreeIPA, in that it would be an
> optional component. 
>
> During the install, just because you have opted for having DHCP
> support, should not make your FreeIPA server a DHCP server. The DHCP
> server "role" could be allocated to other hosts via the FreeIPA admin
> tools.  That way you don't need to install a FreeIPA domain controller
> at every location that needs DHCP. You also avoid the chicken and egg
> problem of "How does my FreeIPA server get an IP if the DHCP server is
> on another host that relies upon FreeIPA being available". This could
> also potentially take advantage of the concept of "locations" also.
>
> Having DHCP support would allow users to quickly and reliably set up
> network infrastructure, namely, DNS and DHCP on their systems.
> Additionally, having FreeIPA DHCP aware, would mean that for subnets
> you control, you can automatically generate the reverse hosts zone
> into DNS. 
>
> You would gain an avenue of updating DNS names for hosts, without
> necessarily having the FreeIPA client tools installed. You could
> supplement this to show which hosts on a network are and are not part
> of the FreeIPA domain to allow easier auditing of systems.
>
> Users gain easy access to redundancy in DHCP server configuration,
> that is more difficult to achieve than with the traditional
> configuration files. 
>
> Permissions over the control of DHCP (And potentially even subnets
> within) can be delegated to users and roles. 
>
> The FreeIPA join tool can automatically create static host entries,
> and transmit the DHCP DUID (Both for IPv4 and IPv6) to the FreeIPA
> servers. Even if you don't "assign" an IPA to this static entry, this
> simplifies administration of hosts on a network. (Have you ever sat
> down and entered in 100 machines' MAC addresses manually into a web UI?
> It's not fun). In the future, this kind of integration would mean that
> an administrator could easily add PXE boot arguments to the DHCP
> server for tools like satellite kickstarting. (Which may even be
> exposed over an API and satellite can just hook into that .... the
> potential is great.)
>
> FreeIPA join can automatically enable DHCP6 on clients, allowing more
> network flexibility than standard router advertisement.  
>
> You avoid people needing to write their own DHCP management solution
> that may have bugs or other latent issues, in favour of a high quality
> tool provided by FreeIPA. This becomes a very attractive feature to
> help with FreeIPA adoption. 
>
>
> Thoughts, questions, comments?
>

It makes sense as we start to understand more and more requirements,
thank you.
However we are currently swamped with other features and bugs. You can
look into trac to see how many things are there on our plate.

Would you be able to help and contribute to this effort?

Thanks
Dmitri

> Sincerely,
>
> William Brown
>
> Research & Teaching, Technology Services
> The University of Adelaide, AUSTRALIA 5005
>
> CRICOS Provider Number 00123M
> http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x3C0AC6DAB2F928A2


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

