Realm_Domains#
Overview#
Related tickets: #2945, #2848, #3407
We want to allow administrators to maintain a list of domains associated with the IPA Kerberos realm. This list will be stored in LDAP, under cn=RealmDomains,cn=ipa,cn=etc,$SUFFIX.
We need to expose an interface to display and modify this list via IPA commands:
* realmdomains-show
* realmdomains-mod
Use Cases#
* An IPA administrator can display/modify the list of domains associated with the IPA realm
* The ipa dnszone-add command can be hooked to realmdomains-mod, to automatically add a domain to the list of domains associated with the IPA realm if it is not a reverse domain and not a pure forwarder
* Trust code can use this list to expose to trusted parties
Design#
Update the LDAP schema to add the RealmDomains container. The default value for the associatedDomain attribute will be the DNS domain of the IPA server:
dn: cn=Realm Domains,cn=ipa,cn=etc,$SUFFIX
default:objectClass: domainRelatedObject
default:objectClass: nsContainer
default:objectClass: top
default:cn: Realm Domains
default:associatedDomain: $DOMAIN
Add two new IPA commands:
* realmdomains-show, to display the current list of realm domains
* realmdomains-mod, to modify the list
Feature Management#
UI
A new page needs to be added to UI. This page will be able to handle all mentioned operations with realm domains: display the current list, add a new domain, remove an existing domain. The new page will be added under ‘Identity’ section.
CLI
realmdomains-show#
realmdomains-show will display the current list of realm domains, stored in cn=RealmDomains,cn=ipa,cn=etc,$SUFFIX.
realmdomains-mod#
realmdomains-mod will modify the list of realm domains.
Modifications can be performed in several ways:
To replace the list of realm domains with a new list (or a single value):
realmdomains-mod --domain=ourdomain.com
realmdomains-mod --domain={ourdomain.com,domain2.com,domain3.com}
To add a domain to the list:
realmdomains-mod --add-domain=newdomain.com
To delete a domain from the list:
realmdomains-mod --del-domain=olddomain.com
It will be possible to use either the --domain option, or a combination of --add-domain and --del-domain.
The following checks will be performed:
* Check that we are not deleting the DNS domain of the IPA server from the list
* Check that the domain is a valid DNS domain name
* Check that the domain is accessible through DNS (provide a --force option to skip this check)
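The option handling and the three checks above, as an added Python illustration that is not FreeIPA's own implementation. The function names and the injected resolvable callable (standing in for the DNS lookup so the code runs offline) are assumptions.

```python
import re
# Added illustration of the checks realmdomains-mod performs; not FreeIPA's
# own code. Function names and the injected 'resolvable' callable are assumptions.

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def normalize(name):
    # Lower-case and drop the trailing dot so comparisons are canonical.
    return name.rstrip(".").lower()

def is_valid_dns_domain(name):
    # Syntactic check only: every label valid, whole name at most 253 chars.
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

def apply_realmdomains_mod(current, server_domain, resolvable, domain=None,
                           add=None, delete=None, force=False):
    """Return the new associatedDomain list or raise ValueError.
    'resolvable' is a callable(domain) -> bool replacing the real DNS lookup;
    --domain is exclusive with --add-domain/--del-domain; --force skips only check 3."""
    if domain is not None and (add or delete):
        raise ValueError("--domain cannot be combined with --add-domain/--del-domain")
    cur = [normalize(d) for d in current]
    if domain is not None:
        new = [normalize(d) for d in domain]
    else:
        new = list(cur)
        for d in map(normalize, delete or []):
            if d not in new:
                raise ValueError("%s is not a realm domain" % d)
            new.remove(d)
        for d in map(normalize, add or []):
            if d not in new:
                new.append(d)
    # Check 1: the IPA server's own DNS domain must always stay in the list.
    if normalize(server_domain) not in new:
        raise ValueError("cannot remove the IPA server's DNS domain %s" % server_domain)
    # Check 2: every domain must be a syntactically valid DNS name.
    bad = [d for d in new if not is_valid_dns_domain(d)]
    if bad:
        raise ValueError("invalid DNS domain name(s): %s" % ", ".join(bad))
    # Check 3: domains new to the list must resolve, unless --force was given.
    unreachable = [] if force else [d for d in new if d not in cur and not resolvable(d)]
    if unreachable:
        raise ValueError("not accessible through DNS (use --force): %s" % ", ".join(unreachable))
    return new
```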
Questions#
dnszone-*#
Should dnszone-del delete associatedDomain when the whole DNS zone is being deleted?
Should dnszone-add offer an option to create the associatedDomain attribute for the new zone?
pspacek 03:26, 7 February 2013 (EST)
Update regarding DNS integration: DNS <-> realmdomains integration has been implemented. Details are covered in this design page.
akrivoka 05:05, 7 May 2013 (EDT)
Major configuration options and enablement#
N/A
Replication#
N/A
Updates and Upgrades#
The container cn=RealmDomains,cn=ipa,cn=etc,$SUFFIX needs to be created in LDAP. This will be achieved by adding a new update file install/updates/40-realm_domains.update, with the following contents:
# Add the Realm Domains container
dn: cn=Realm Domains,cn=ipa,cn=etc,$SUFFIX
default:objectClass: domainRelatedObject
default:objectClass: nsContainer
default:objectClass: top
default:cn: Realm Domains
default:associatedDomain: $DOMAIN
and referencing this file in install/updates/Makefile.am.
A reference to this container will also be added to the DEFAULT_CONFIG variable in ipalib/constants.py.
Dependencies#
N/A
External Impact#
N/A