DNS for AD-IPA Integration
FreeIPA AD Integration
FreeIPA (Identity, Policy, Audit) is a Linux-based identity management solution
that can interoperate with AD, most commonly through a cross-forest trust.
Using ipa.lime.abiz.com as a subordinate DNS domain under lime.abiz.com is a valid approach:
it keeps a clear DNS hierarchy, and AD's DNS only has to delegate the child zone to FreeIPA
rather than host FreeIPA's records itself.
RHEL IdM is Red Hat's supported build of FreeIPA; in this design AD delegates the ipa.lime.abiz.com zone to IdM,
so DNS for hosts under IdM is served by IdM, not by AD.
TL;DR
Hosts enrolled in FreeIPA (e.g., host1.ipa.lime.abiz.com)
should have their DNS records managed by the FreeIPA server's integrated DNS service, which is authoritative for the ipa.lime.abiz.com zone.
This matches the documented DNS layout for an IdM-AD trust, keeps the SRV and A/PTR records that FreeIPA's Kerberos and LDAP discovery depend on under FreeIPA's control,
keeps all resolution inside the air-gapped network, and is compatible with running both sides in FIPS mode.
Two things are critical for seamless operation: a correct delegation of ipa.lime.abiz.com from AD's DNS to FreeIPA,
and a correct FreeIPA DNS configuration, including forwarding of lime.abiz.com back to AD so the trust can resolve AD's own SRV records.
For detailed guidance, refer to FreeIPA's documentation on DNS management and Microsoft's AD DNS delegation guidelines.
Subordinate FreeIPA Domain (ipa.lime.abiz.com)
- FreeIPA Integration: FreeIPA interoperates with AD through a cross-forest trust, which is the integration assumed here.
  Using ipa.lime.abiz.com as a subordinate domain under lime.abiz.com is a valid approach, as it maintains a clear DNS hierarchy
  and lets AD's DNS hand the child zone to FreeIPA by delegation. The two Kerberos realms must still be distinct
  (LIME.ABIZ.COM for AD, IPA.LIME.ABIZ.COM for FreeIPA); FreeIPA derives its realm name from its DNS domain.
- Trust Relationship: In an air-gapped network, a cross-forest trust between AD (lime.abiz.com) and FreeIPA (ipa.lime.abiz.com)
  is established with ipa-adtrust-install and ipa trust-add; it relies on Kerberos cross-realm authentication, LDAP and SMB between the
  two domains, all of which must work over the internal network alone.
  Both systems must use FIPS-validated cryptographic modules (the RHEL system-wide crypto policy in FIPS mode for FreeIPA, Microsoft's CNG for AD).
  Kerberos must use AES enctypes only: enable "The other domain supports Kerberos AES Encryption" on the trust in AD so the cross-realm ticket
  does not fall back to RC4, which FIPS mode disables, and confirm in the IdM release notes that the version you run supports an AD trust in FIPS mode.
- DNS Resolution: FreeIPA requires a properly configured DNS environment.
  The AD domain's DNS servers must host the lime.abiz.com zone and delegate the ipa.lime.abiz.com subdomain to FreeIPA's DNS servers
  (when FreeIPA manages its own DNS), and FreeIPA's DNS must forward lime.abiz.com queries to AD. This gives each side a single
  authoritative source for its own names and avoids conflicts.
Why FreeIPA Should Manage DNS for Its Hosts
DNS Delegation:
- In a properly configured environment, the AD domain's DNS servers (for lime.abiz.com) delegate the ipa.lime.abiz.com subdomain
  to FreeIPA's DNS servers. FreeIPA's DNS server is then authoritative for the ipa.lime.abiz.com zone and should manage all DNS records
  for hosts within that subdomain (e.g., host1.ipa.lime.abiz.com).
- This delegation lets FreeIPA handle dynamic DNS updates, service (SRV) records, and the other DNS entries its hosts depend on,
  such as those for Kerberos (_kerberos._tcp.ipa.lime.abiz.com, _kerberos._udp.ipa.lime.abiz.com, _kpasswd._tcp.ipa.lime.abiz.com)
  and LDAP (_ldap._tcp.ipa.lime.abiz.com), plus the _kerberos TXT record that names the realm.
FreeIPA's Integrated DNS:
- FreeIPA includes a built-in DNS server (BIND with the bind-dyndb-ldap plugin, so zone data lives in the IPA LDAP tree)
  designed to manage DNS for its clients. When a host like host1.ipa.lime.abiz.com enrolls with ipa-client-install --enable-dns-updates,
  it registers its A/AAAA and PTR records with the FreeIPA DNS server through secure dynamic updates (GSS-TSIG, authenticated with the
  host's Kerberos key), and SSSD keeps them current afterwards. SRV records are not registered by clients; FreeIPA creates them for each
  server at installation time.
- This integration simplifies management and keeps the FreeIPA-specific records (Kerberos realm and LDAP service discovery) correctly maintained.
  The zone's default update policy only lets a host update its own name (krb5-self), so an enrolled host cannot overwrite another host's records.
AD-FreeIPA Trust:
- In an AD-FreeIPA trust setup, AD's DNS servers are authoritative for lime.abiz.com and FreeIPA's DNS servers for ipa.lime.abiz.com,
  but every participant needs to resolve both: Windows DCs follow the delegation (or a conditional forwarder) to find FreeIPA's KDC and LDAP
  SRV records, and FreeIPA servers forward lime.abiz.com to AD to find the AD DCs. The trust relies on resolution working in both directions,
  so FreeIPA hosts must have their DNS managed by FreeIPA to avoid resolution issues.
- For example, host1.ipa.lime.abiz.com needs its A record in the FreeIPA DNS zone so that FreeIPA clients and services (e.g., Kerberos, LDAP)
  can locate it, and so that AD users coming through the trust can reach it by name.
FIPS and Security Compliance:
- Managing DNS records on FreeIPA's DNS server keeps the update path authenticated (GSS-TSIG dynamic updates use the host's Kerberos key,
  so only the enrolled host can change its own records) and keeps the whole FreeIPA stack on one FIPS configuration: with the RHEL crypto policy
  set to FIPS, the BIND, Kerberos and LDAP components use the FIPS-validated OpenSSL and AES enctypes. DNSSEC can be enabled on the FreeIPA
  zone for data-origin authentication, with two caveats: DNSSEC in IdM has been offered as a Technology Preview, so check its support status,
  and in an air-gapped network it only helps if the internal resolvers validate against an internal trust anchor, since there is no path to the public root.
Configuration Steps
To ensure that client hosts like host1.ipa.lime.abiz.com have their DNS managed by the FreeIPA server:
DNS Delegation:
On the AD DNS server(s) authoritative for lime.abiz.com, create a delegation for ipa.lime.abiz.com pointing to the FreeIPA server.
This adds an NS (Name Server) record for the FreeIPA DNS server in the lime.abiz.com zone plus a glue A record, which is required because the
name server's own name lies inside the delegated zone (in the DNS Manager console this is the "New Delegation" wizard; the DnsServer PowerShell
module's Add-DnsServerZoneDelegation cmdlet creates the same pair of records). In zone-file form the records are:
ipa.lime.abiz.com. IN NS ipa-server.ipa.lime.abiz.com.
ipa-server.ipa.lime.abiz.com. IN A 192.168.1.10
- Where ipa-server is the hostname of this RHEL IdM (FreeIPA) host and 192.168.1.10 is its address. Add one NS/glue pair per IdM replica
  that runs DNS, so the delegation does not depend on a single server.
FreeIPA DNS Setup:
On the FreeIPA host, enable the DNS service and have it manage the ipa.lime.abiz.com zone.
This is normally done at installation time (ipa-server-install --setup-dns with --domain ipa.lime.abiz.com), which creates the primary zone,
its SRV records and the dynamic-update policy automatically. A zone can also be added later with ipa dnszone-add; give the server's FQDN
(with a trailing dot) as the name server, and enable dynamic updates so enrolled hosts can register themselves:
zone=ipa.lime.abiz.com
ipa dnszone-add $zone --name-server="$(hostname -f)." --dynamic-update=TRUE
Also add a forward zone for lime.abiz.com (ipa dnsforwardzone-add) pointing at the AD DNS servers, or set them as global forwarders at install time,
so the trust can resolve AD's own records.
Host Enrollment:
On the client host(s), when enrolling a host (e.g., host1.ipa.lime.abiz.com) in FreeIPA,
run ipa-client-install with the --enable-dns-updates option.
This registers the host's A and PTR records in the ipa.lime.abiz.com zone over GSS-TSIG during enrollment
and configures SSSD to keep them updated if the address changes.
The client's hostname must already be its FQDN in the delegated zone. Leave the server to SRV discovery;
--server is only needed when the client's resolver cannot yet find _ldap._tcp.ipa.lime.abiz.com.
zone=ipa.lime.abiz.com
ipa-client-install --domain=$zone --hostname=host1.$zone --enable-dns-updates
Verify DNS Records:
On the FreeIPA host, confirm that the host's DNS records are correctly registered in FreeIPA's DNS zone
(run kinit admin first, then list the zone or show the single name):
zone=ipa.lime.abiz.com
ipa dnsrecord-find $zone
ipa dnsrecord-show $zone host1
Output should include:
  Record name: host1
  A record: 192.168.1.100
Cross-check from an AD-joined machine with nslookup on host1.ipa.lime.abiz.com; a correct answer there proves AD's DNS follows the delegation.
Client Configuration:
Configure clients (e.g., RHEL hosts) to use the FreeIPA DNS server (e.g., ipa-server.ipa.lime.abiz.com) for name resolution.
On a NetworkManager-managed host, set the DNS server and search domain on the connection with nmcli (ipv4.dns and ipv4.dns-search)
rather than editing /etc/resolv.conf, which NetworkManager regenerates; point at the FreeIPA server's IP address, with a second
IdM replica as fallback where available. Names under lime.abiz.com still resolve through FreeIPA's forwarder to AD.
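The steps above as one script, added here as a worked example; it is not from the original notes or the FreeIPA project. It covers the IdM side only (the delegation itself is created on the AD DC). The hostnames, addresses, the NetworkManager connection name and the environment variables holding passwords are assumptions for illustration; adjust them before use.

```shell
#!/bin/sh
# Added example for these notes, not from the FreeIPA project or the original page:
# the IdM-side commands for a FreeIPA DNS subdomain delegated from AD, end to end.
# All names, addresses, the NetworkManager connection name and the env vars holding
# passwords are assumptions for illustration; adjust them before running.
set -eu

AD_DOMAIN="lime.abiz.com"              # AD forest root; its DNS is on the DC below
IPA_DOMAIN="ipa.lime.abiz.com"         # child zone delegated to IdM
IPA_SERVER="ipa-server.${IPA_DOMAIN}"
IPA_SERVER_IP="192.168.1.10"
AD_DNS_IP="192.168.1.5"                # assumed AD DC / DNS server
IPA_SUBNET="192.168.1.0/24"
NM_CONN="ens192"                       # assumed NetworkManager connection name

# FreeIPA convention: the Kerberos realm is the upper-cased DNS domain name.
ipa_realm() { printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'; }

# Step 1 (IdM server): install with integrated DNS. Forward to AD DNS only, with no
# root hints: lime.abiz.com names and AD's SRV records resolve via the forwarder,
# and an air-gapped network has no path to the root servers anyway. The reverse
# zone is added explicitly in step 2 so its settings are visible.
ipa_server_install() {
    ipa-server-install --unattended \
        --hostname="${IPA_SERVER}" --ip-address="${IPA_SERVER_IP}" \
        --domain="${IPA_DOMAIN}" --realm="$(ipa_realm "${IPA_DOMAIN}")" \
        --setup-dns --forwarder="${AD_DNS_IP}" --forward-policy=only --no-reverse \
        --ds-password="${DS_PASSWORD:?}" --admin-password="${ADMIN_PASSWORD:?}"
}

# Step 2 (IdM server, after kinit admin): zones the install does not create.
# - a forward zone for the parent domain, so the trust can find AD's DCs;
# - the reverse zone for the IdM subnet (name derived from the prefix), with
#   dynamic updates so enrolling hosts can add their own PTR records over GSS-TSIG.
ipa_server_zones() {
    ipa dnsforwardzone-add "${AD_DOMAIN}" \
        --forwarder="${AD_DNS_IP}" --forward-policy=only
    ipa dnszone-add --name-from-ip="${IPA_SUBNET}" --dynamic-update=TRUE
    ipa dnszone-show "${IPA_DOMAIN}"   # created by the install; confirm its update policy
}

# Step 3 (client): resolver to IdM DNS, then enrol. No --server: the client has to find
# the server through _ldap._tcp.ipa.lime.abiz.com, which exercises the delegation.
# The host's name must already be its FQDN in the delegated zone.
client_enroll() {
    nmcli connection modify "${NM_CONN}" \
        ipv4.dns "${IPA_SERVER_IP}" ipv4.dns-search "${IPA_DOMAIN}"
    nmcli connection up "${NM_CONN}"
    ipa-client-install --unattended \
        --hostname="$(hostname -f)" --domain="${IPA_DOMAIN}" \
        --realm="$(ipa_realm "${IPA_DOMAIN}")" \
        --principal=admin --password="${ADMIN_PASSWORD:?}" \
        --enable-dns-updates --mkhomedir
}

# Step 4 (IdM server): the records the client registered, read from the IdM zone,
# then resolved through the AD server, which must follow the delegation to answer.
verify_host() {
    host="$1"
    ipa dnsrecord-show "${IPA_DOMAIN}" "${host}"
    addr="$(dig +short @"${AD_DNS_IP}" "${host}.${IPA_DOMAIN}" A)"
    [ -n "${addr}" ] || { echo "AD DNS cannot resolve ${host}.${IPA_DOMAIN}: check the delegation" >&2; return 1; }
    echo "A via AD DNS:    ${addr}"
    echo "PTR via IdM DNS: $(dig +short -x "${addr}" @"${IPA_SERVER_IP}")"
}

case "${1:-}" in
    server) ipa_server_install; ipa_server_zones ;;
    client) client_enroll ;;
    verify) verify_host "${2:-host1}" ;;
    *) printf 'usage: %s server|client|verify [host]\n' "$0" ;;
esac
```

Run it as `server` on the IdM host once the AD delegation exists, `client` on each host to enrol, and `verify host1` on the IdM host; an empty answer from the AD resolver in the last step is the symptom of a missing or wrong NS/glue pair in lime.abiz.com.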
Additional Considerations
- Reverse DNS (PTR Records): If FreeIPA manages reverse DNS for the RFC 1918 subnet
  (e.g., 1.168.192.in-addr.arpa for 192.168.1.0/24), make sure AD's DNS does not also claim that zone: either AD delegates the reverse zone
  to FreeIPA's DNS (only possible at an octet boundary, and only when AD is authoritative for the parent 168.192.in-addr.arpa), or AD carries
  a conditional forwarder for 1.168.192.in-addr.arpa pointing at FreeIPA. Prefixes smaller than a /24 need RFC 2317 classless delegation.
  This allows FreeIPA to manage PTR records for its hosts.
- DNSSEC: DNSSEC can be enabled on FreeIPA's DNS zones for added assurance in an air-gapped network, but it only helps if the internal
  resolvers are configured with the internal trust anchor, and its support status in IdM (long a Technology Preview) should be checked first.
- AD-FreeIPA Trust: Ensure the trust between lime.abiz.com (AD) and ipa.lime.abiz.com (FreeIPA) is configured correctly, with both domains
  resolving each other's SRV records for Kerberos and LDAP. On the AD side the delegation in lime.abiz.com is normally enough, because Windows
  DNS recurses by default; a conditional forwarder for ipa.lime.abiz.com pointing at the FreeIPA servers is the alternative when the DCs have
  recursion disabled. On the FreeIPA side a forward zone for lime.abiz.com pointing at the AD DNS servers is required.
- Air-Gapped Environment: In an air-gapped network, all DNS resolution must occur internally. Ensure no external DNS servers are referenced
  (install FreeIPA DNS with a forward-only policy so it never consults the root hints), and keep all DNS traffic within the RFC 1918 network.
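A check script for the delegation, the SRV records on both sides of the trust, and the reverse-zone naming discussed above. It is an added example, not part of the original notes or of FreeIPA; the server addresses and domain names are assumptions for illustration, and it needs dig (bind-utils) on the host it runs from.

```shell
#!/bin/sh
# Added example for these notes (not from the original page or the FreeIPA project):
# checks the AD -> IdM delegation and SRV discovery from both resolvers with dig,
# and derives the in-addr.arpa zone IdM should own for its subnet. Server addresses
# and domain names are assumptions for illustration.
set -eu

AD_DOMAIN="lime.abiz.com"
IPA_DOMAIN="ipa.lime.abiz.com"
AD_DNS="192.168.1.5"                   # assumed AD DC / DNS server
IPA_DNS="192.168.1.10"                 # assumed IdM DNS server

# in-addr.arpa zone for an IPv4 prefix. Delegation works only at octet boundaries;
# anything finer needs RFC 2317 classless delegation (or a conditional forwarder
# on AD for the whole /24), so such prefixes are reported and rejected.
reverse_zone() {
    ip="${1%/*}"; prefix="${1#*/}"
    old_ifs="$IFS"; IFS=.; set -- $ip; IFS="$old_ifs"
    case "$prefix" in
        8)  printf '%s.in-addr.arpa\n' "$1" ;;
        16) printf '%s.%s.in-addr.arpa\n' "$2" "$1" ;;
        24) printf '%s.%s.%s.in-addr.arpa\n' "$3" "$2" "$1" ;;
        *)  printf 'prefix /%s is not on an octet boundary: use RFC 2317 delegation\n' "$prefix" >&2
            return 1 ;;
    esac
}

# SRV names FreeIPA publishes for each server at install time and that clients
# (and the AD DCs, through the trust) use to find LDAP, the KDC and kpasswd.
expected_srv() {
    for svc in _ldap._tcp _kerberos._tcp _kerberos._udp \
               _kerberos-master._tcp _kerberos-master._udp _kpasswd._tcp _kpasswd._udp; do
        printf '%s.%s\n' "$svc" "$IPA_DOMAIN"
    done
}

# One resolver, one name, one type. Empty output means "no answer", which is the
# failure mode to look for: dig exits 0 on NXDOMAIN and NODATA.
lookup() { dig +short +time=2 +tries=1 @"$1" "$2" "$3" | tr '\n' ' '; }

check_delegation() {
    echo "== delegation of ${IPA_DOMAIN} as published by AD DNS ${AD_DNS} (referral: authority + glue)"
    dig +norecurse +noall +authority +additional @"${AD_DNS}" "${IPA_DOMAIN}" NS
    echo "== NS set answered by the IdM server itself"
    echo "   $(lookup "${IPA_DNS}" "${IPA_DOMAIN}" NS)"
    echo "== _kerberos TXT must name the IdM realm"
    echo "   $(lookup "${IPA_DNS}" "_kerberos.${IPA_DOMAIN}" TXT)"
}

check_srv() {
    echo "== IdM SRV records through each resolver (both columns must be non-empty)"
    for name in $(expected_srv); do
        printf '%-45s AD:%s IdM:%s\n' "$name" \
            "$(lookup "${AD_DNS}" "$name" SRV)" "$(lookup "${IPA_DNS}" "$name" SRV)"
    done
    echo "== other direction: the IdM resolver must return AD's own SRV record via the forwarder"
    printf '%-45s IdM:%s\n' "_ldap._tcp.${AD_DOMAIN}" "$(lookup "${IPA_DNS}" "_ldap._tcp.${AD_DOMAIN}" SRV)"
}

case "${1:-}" in
    check)   check_delegation; check_srv ;;
    reverse) reverse_zone "${2:?prefix, e.g. 192.168.1.0/24}" ;;
    *)       printf 'usage: %s check | reverse <cidr>\n' "$0" ;;
esac
```

The `+norecurse` query is deliberate: with recursion on, a Windows DNS server would hide a broken delegation by recursing to IdM through a conditional forwarder, whereas the referral shows exactly the NS and glue records stored in lime.abiz.com. An empty "AD:" column with a populated "IdM:" column points at the delegation or forwarder on the AD side; an empty last line points at the forward zone on the IdM side.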