RHEL-108763

[ansible-freeipa] Enhance ipaclient role DNS resolver configuration to work with DOT in enforced policy


    • Type: Bug
    • Resolution: Unresolved
    • rhel-10.1
    • ansible-freeipa
    • Moderate
    • rhel-idm-zta

      The ipaclient role is able to configure the DNS resolver before deploying the IPA client. This is enabled using the variables

      ipaclient_configure_dns_resolver=yes
      ipaclient_dns_servers=<DNS server IP>
      

      This also works for DOT with the IPA DNS server as long as the relaxed policy is used.

      Using the enforced policy requires configuring the DNS resolver in a different way.

      The goal will be to not simply copy the CA over to the client host, but instead to have a more secure solution that, for example, uses certificates with limited validity.

      New variables will be needed, for example

      ipaclient_dot_servers=<DOT server IP>
      

              Thomas Woerner (twoerner)
              Varun Mylaraiah
              Votes: 0
              Watchers: 2