Name

rolekit.roles.domaincontroller — rolekit Domain Controller Role Documentation

DESCRIPTION

The Domain Controller role provides a comprehensive identity management solution for Linux clients. This role can provide management tools for users, user-groups, systems, name resolution and more.

DEPLOYMENT

The Domain Controller role can be deployed using the rolectl command-line utility or through the rolekit D-BUS API. When using the rolectl tool, a settings file must be created in the JSON format.

Mandatory Settings

These settings must always be present or the deployment will be unable to complete.

admin_password

Specify the initial password for the admin user of FreeIPA. This password can be changed later through normal password-change operations.

Optional Settings

This section provides a list of optional settings for deployment.

domain_name

The name of the domain that the new controller should create.

Default: unset. Autodetected from the machine hostname.

realm_name

The name of the Kerberos single-sign-on realm to be created.

Default: unset. Autodetected as the domain_name in all upper-case.

dm_password

The password for the Directory Manager account on the FreeIPA LDAP server. This option cannot easily be changed later.

Default: unset. If not specified, a random password will be generated and retrievable later via the D-BUS API.

serve_dns

If this option is set to True, the Domain Controller will also function as a DNS server.

Default: True

primary_ip

The IP address of the public ethernet interface on the system.

This option is mandatory if serve_dns is True (default).

reverse_zone

If this option is set, the DNS server will also manage the reverse zone specified by the argument in the form 122.168.192.in-addr.arpa.

Default: unset. The reverse zone is not served.

dns_forwarders

Set the DNS forwarder addresses. This must be in the form of a dictionary:

"dns_forwarders": {"ipv4": [
                            "198.41.0.4",  # a.root-servers.net
                            "192.228.79.201",  # b.root-servers.net
                            "192.33.4.12"],  # c.root-servers.net
                   "ipv6": [
                            "2001:500:2d::d",  # d.root-servers.net
                            "2001:500:2f::f",  # f.root-servers.net
                            "2001:500:1::803f:235"]  # h.root-servers.net
                  }
              

This option is only used if serve_dns is True.

Default: unset. If not specified, the DNS forwarders will default to the public root servers.

id_start

Manually select the lower bound for IDs in the created domain.

Default: unset. A range of 200,000 IDs is randomly selected (recommended).

Note 1: Additional ranges can be added using the FreeIPA administration UI later.

Note 2: If this option is specified, id_max must also be specified.

id_max

Manually select the upper bound for IDs in the created domain.

Default: unset. A range of 200,000 IDs is randomly selected (recommended).

Note 1: Additional ranges can be added using the FreeIPA administration UI later.

Note 2: If this option is specified, id_start must also be specified.

Example settings.json

{
  "admin_password": "rolekitrules!",
  "serve_dns": true,
  "primary_ip": "192.168.122.2",
  "id_start": 200000,
  "id_max": 400000
}

Note that JSON booleans are lower-case (true/false); a Python-style True is not valid JSON and the settings file will fail to parse.
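As an added illustration (not part of rolekit), the following hypothetical checker applies the constraints stated in the Mandatory and Optional Settings sections to a settings file before rolectl is run: admin_password present, primary_ip present whenever serve_dns is true, dns_forwarders a dictionary of ipv4/ipv6 address lists, reverse_zone in in-addr.arpa form, and id_start/id_max given together. The function names and messages are this example's own.

```python
import ipaddress
import json
import re
# Hypothetical pre-deployment checker for a rolekit Domain Controller settings.json
# (not rolekit's own code); it encodes the constraints the role documentation states.
REVERSE_ZONE_RE = re.compile(r"^(\d{1,3}\.){1,3}in-addr\.arpa$")

def bad_address(addr, version=None):
    try:  # True if addr is not an IP address (of the given version, when one is given)
        return version not in (None, ipaddress.ip_address(str(addr)).version)
    except ValueError:
        return True

def validate_settings(settings):
    """Return a list of problems; an empty list means the settings are acceptable."""
    problems = []
    if not settings.get("admin_password"):
        problems.append("admin_password is mandatory")
    serve_dns = settings.get("serve_dns", True)  # documented default: True
    if not isinstance(serve_dns, bool):
        problems.append("serve_dns must be a JSON boolean (true/false)")
    elif serve_dns:
        ip = settings.get("primary_ip")
        if ip is None:
            problems.append("primary_ip is mandatory when serve_dns is true")
        elif bad_address(ip):
            problems.append(f"primary_ip {ip!r} is not a valid IP address")
    fwd = settings.get("dns_forwarders")
    if fwd is not None and not isinstance(fwd, dict):
        problems.append("dns_forwarders must be a dictionary with ipv4/ipv6 lists")
    elif fwd:
        for family, version in (("ipv4", 4), ("ipv6", 6)):
            for addr in fwd.get(family, []):
                if bad_address(addr, version):
                    problems.append(f"dns_forwarders.{family}: {addr!r} is not IPv{version}")
    if (rz := settings.get("reverse_zone")) is not None and not REVERSE_ZONE_RE.match(str(rz)):
        problems.append(f"reverse_zone {rz!r} must look like 122.168.192.in-addr.arpa")
    if ("id_start" in settings) != ("id_max" in settings):
        problems.append("id_start and id_max must be specified together")
    elif "id_start" in settings:
        start, end = settings["id_start"], settings["id_max"]
        if not (isinstance(start, int) and isinstance(end, int) and 0 < start < end):
            problems.append("id_start and id_max must be integers with id_start < id_max")
    return problems

def validate_settings_text(text):
    try:  # a Python-style True instead of JSON true surfaces here as a parse error
        return validate_settings(json.loads(text))
    except json.JSONDecodeError as exc:
        return [f"settings file is not valid JSON: {exc.msg} at line {exc.lineno}"]
```

Running validate_settings_text over the example settings.json above returns an empty list, while the same file with True instead of true is reported as a JSON parse error.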

See Also

rolekit(1), rolectl(1), roled(5), rolekit.dbus(5), rolekit.roles(5), rolekit.roles.domaincontroller(5)

Notes

rolekit home page at fedorahosted.org:

https://fedorahosted.org/rolekit/

More documentation with examples:

http://fedoraproject.org/wiki/rolekit