[Freeipa-users] Removing DNS component
Martin Basti
mbasti at redhat.com
Thu Dec 8 17:05:53 UTC 2016
On 08.12.2016 12:01, Brian Candler wrote:
> FreeIPA (4.2.0) was installed with the DNS component enabled, but I
> want to pull this out. Is it possible to remove it and clean up the
> records which were already there?
>
> e.g. is it sufficient just to delete everything under
> cn=dns,dc=example,dc=com ? I notice there are a bunch of permissions
> entries in other parts of the tree which reference these with
> ipaPermTarget, do they have to go too?
>
> Or would I have to re-install from scratch?
>
> Thanks,
>
> Brian.
>

Hello,

I suggest keeping the DNS tree and all permissions there; just remove all
zones using the IPA API and disable the DNS service and dnssyncd service in
LDAP, because removing DNS completely is unsupported and untested:

dn: cn=DNS,cn=vm-028.ipa.test,cn=masters,cn=ipa,cn=etc,$SUFFIX
objectClass: ipaConfigObject
objectClass: nsContainer
objectClass: top
ipaConfigString: startOrder 30
ipaConfigString: enabledService <--- remove this
cn: DNS

dn: cn=DNSKeySync,cn=vm-028.ipa.test,cn=masters,cn=ipa,$SUFFIX
objectClass: nsContainer
objectClass: top
ipaConfigString: dnssecVersion 1
ipaConfigString: startOrder 110
ipaConfigString: enabledService <---- remove this
cn: DNSKeySync

It will keep the ipa dns* commands working, but without any effect.

In case you *really* want to remove DNS completely, disable the services ^,
and revert everything added by
https://github.com/freeipa/freeipa/blob/master/install/share/dns.ldif
and https://github.com/freeipa/freeipa/blob/master/install/share/dnssec.ldif

But it is unsupported; nobody knows what may happen.

Martin
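
Added example, not part of Martin's message: the two enabledService removals described above, written as LDIF change records for ldapmodify. The DNs are copied from the post; $SUFFIX is a placeholder that must be replaced with the real directory suffix, since ldapmodify does not expand it.

```ldif
# Added example. DNs are copied from the post above; replace $SUFFIX with
# the directory suffix and vm-028.ipa.test with the master's host name.
# Only the enabledService value is deleted; the other ipaConfigString
# values (startOrder, dnssecVersion) stay in place.
dn: cn=DNS,cn=vm-028.ipa.test,cn=masters,cn=ipa,cn=etc,$SUFFIX
changetype: modify
delete: ipaConfigString
ipaConfigString: enabledService

# DN as written in the post (it has no cn=etc component); confirm the
# entry's actual DN with a search before applying this record.
dn: cn=DNSKeySync,cn=vm-028.ipa.test,cn=masters,cn=ipa,$SUFFIX
changetype: modify
delete: ipaConfigString
ipaConfigString: enabledService
```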