[Freeipa-devel] IPA server virtual appliance

Mark McLoughlin markmc at redhat.com
Sat Dec 22 11:46:40 UTC 2007


On Fri, 2007-12-21 at 14:33 -0500, Karl MacMillan wrote:
> On Fri, 2007-12-21 at 14:19 +0000, Mark McLoughlin wrote:

> >      The idea is we'd have something like ipa-server-install do 
> >      whatever it can at build time and configure a basic web interface 
> >      with e.g. no kerberos auth, and it's with that web interface you'd 
> >      choose the realm name, directory server and admin passwords etc.
> > 
> 
> Not certain how much more can be done ahead of time. The problem stems
> from the fact that everything is stored in the directory and where it is
> stored is dependent on the name of the realm. So everything depends on
> the realm name.

	Yep, agreed - the most that can be done is e.g. set up the firstboot
web interface, enable ntp etc. ... pretty much everything else is
dependent on the realm name.

> >   2) Allowing everything that can be configured through this first boot 
> >      interface to be changed later - e.g. an admin should be able to 
> >      change the kerberos realm (yes, this is non-trivial)
> > 
> 
> I agree this would be nice, but definitely non-trivial.

	As a first guess, I'm thinking we'd dump the contents of the directory,
replace the realm name everywhere, create a new directory instance,
re-do the kerberos config, re-create the principals with the new realm
name, update the httpd config and reload httpd.

	That all sounds like "just coding" to me, but I do see two things I'm
not liking:

  - When you click the "change realm name" button on the web interface, 
    you could have the user see an "updating ..." page with a progress 
    bar and then forward them back after a timeout ... but they'll 
    immediately see "access denied" because they won't have a ticket. 
    So, it'd have to be a lame "please obtain a ticket and reload" type 
    page.

  - We allow people to directly modify the directory with the usual 
    LDAP tools, right? So, in theory, an admin could add something 
    realm name dependent in the directory that the conversion code 
    wouldn't know anything about and admins would have to sort that
    out themselves.

> >   3) Adding system configuration to the web interface - e.g. you should 
> >      be able to change network/timezone configuration through the web 
> >      interface.
> > 
> 
> Interesting - so the web ui would be a single point of configuration.

	Yes - I see this as being a positive way of distinguishing this
appliance from the rpath or joomla type appliances where you have a
completely separate web UI for system configuration. I'd like this
appliance to be as convincing as a typical hardware appliance like a
linksys router or whatever.

> On the 1.2 schedule is work on a plugin system - that could accommodate
> things like this.

	That sounds cool.

Cheers,
Mark.
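As an added illustration of the realm-rename sketch and the second concern raised above (this is example code written for this page, not code from the thread or from FreeIPA): the realm is rewritten only in attributes known to carry it, and every other attribute that still mentions the old realm is reported rather than silently changed, so the admin can sort those out. The attribute set, the DN layout and the sample LDIF are assumptions.

```python
import re

# Assumed: the attributes whose values are known to embed the realm.
KNOWN_REALM_ATTRS = {"dn", "krbprincipalname", "krbcanonicalname", "krbrealmname"}
_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")

def parse_ldif(text):
    """Entries as lists of (attr, sep, value); folded lines are joined,
    '#' comments dropped, base64 ('::') values kept opaque."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:          # sentinel flushes last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.strip():
            if lines:
                entries.append([_LINE.match(l).groups() for l in lines])
            lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    return entries

def rename_realm(ldif_text, old_realm, new_realm, known=KNOWN_REALM_ATTRS):
    """Rewrite old_realm -> new_realm in known attributes only; any other
    attribute still naming the old realm is reported, not changed."""
    pat = re.compile(re.escape(old_realm), re.IGNORECASE)
    out_entries, unknown = [], []
    for entry in parse_ldif(ldif_text):
        dn = next((v for a, _, v in entry if a.lower() == "dn"), "?")
        lines = []
        for attr, sep, val in entry:
            if sep == ":" and attr.lower() in known:
                val = pat.sub(new_realm, val)
            elif sep == ":" and pat.search(val):
                unknown.append((dn, attr, val))    # admin must sort these out
            lines.append(f"{attr}{sep} {val}")
        out_entries.append("\n".join(lines))
    return "\n\n".join(out_entries) + "\n", unknown

# Constructed sample dump, not real FreeIPA data.
SAMPLE_LDIF = """\
dn: krbprincipalname=admin@EXAMPLE.COM,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
objectClass: krbPrincipal
krbPrincipalName: admin@EXAMPLE.COM
description: bootstrap admin for the EXAMPLE.COM
  rollout

dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
cn: EXAMPLE.COM
"""
```

Running `rename_realm(SAMPLE_LDIF, "EXAMPLE.COM", "NEW.EXAMPLE.NET")` rewrites both DNs and the principal name, and reports the `description` and `cn` values for manual review.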
