[Freeipa-devel] [PATCH] 664 entitlement support

Rob Crittenden rcritten at redhat.com
Wed Jan 5 21:08:19 UTC 2011


Dmitri Pal wrote:
> Rob Crittenden wrote:
>> This patch adds a plugin and tools for managing entitlements for host
>> machines.
>>
>> Testing is rather complex so I've attached a script to help set up the
>> Candlepin server. You'll need to ping me out of band for the backend
>> data. This configures the Candlepin server with an in-memory database
>> so any time tomcat6 is restarted you'll need to reload the data.
>>
>> You have to run candlepin.setup as root. This will configure your
>> Fedora tomcat6 instance.
>>
>> Once your candlepin server is setup and IPA is installed do something
>> like:
>>
>> $ ipa entitle-register admin
>> (password is admin)
>>
>> $ ipa entitle-consume 25
>>
>> $ ipa entitle-status
>> (verify that it is 25)
>>
>> # ipa-compliance
>> (should be 1 of 50)
>>
>> Our tools can consume only, not return entitlements.
>>
>> tickets 28, 79 and 278.
>>
>> rob
> Does the patch include all items from ticket 79? Should we split the
> ticket, especially the third bullet, and treat it separately? Is it
> addressed, do we still plan to provide a query in the docs?
> Once Nalin created something like this:
>
> Date comparisons in LDAP search filters compare using the ISO
> representation of the time, given in YYYYMMDDHHMMSSZ form, which is more
> or less what they look like on the wire.  For example, search for people
> hired at Red Hat since Sunday:
>
>    ldapsearch -x -h ldap.corp.redhat.com -b dc=redhat,dc=com \
>        "(rhathiredate>=201004110000Z)" cn
>
> The KDC (in 1.8 and later) will update krbLastSuccessfulAuth,
> krbLastFailedAuth, and krbLoginFailedCount when a client attempts to
> authenticate, so I expect that the search filter would look something
> like this:
>
>    "(&(|(krbLastFailedAuth>=201004110000Z)(krbLastSuccessfulAuth>=201004110000Z))(krbPrincipalName=*))"
>
> Keep in mind that we probably don't index either "krbLastFailedAuth" or
> "krbLastSuccessfulAuth" for searching, so the search would probably take
> a while to run.

No, the patch does not have the "find old hosts" part in it.

I was planning to only test for krbLastSuccessfulAuth. Since this is a 
keytab I seriously doubt it will ever have a failed auth. I was going to 
update the ticket with the query and provide it to David for documentation.

> Does the patch include cron job to run license check and log into the
> syslog the results if you are out of compliance?

Yes.

> Does it count the servers and the clients i.e all the entries that have
> a host principal and a keytab?

Yes.

> I have seen a FIXME comment in one of the patches below. Is this
> intended or omission?

Unrelated to this feature and not show-stoppers, just recognizing some 
limitations.

rob
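The krbLastSuccessfulAuth query Rob says he will put in the ticket, worked through as an added example that is not part of this thread or of the FreeIPA patch: it formats the cutoff as LDAP GeneralizedTime, builds the search filter, and applies the same comparison locally to constructed sample entries so the edge case of a host that has never authenticated (no krbLastSuccessfulAuth attribute, which a >= filter can never match) is visible. The `host/*` principal pattern and the sample entries are assumptions for illustration.

```python
from datetime import datetime, timezone

# Added example, not FreeIPA code: the "find old hosts" query from the thread,
# built from a cutoff date and evaluated locally against constructed entries.

def generalized_time(dt):
    """Format a tz-aware datetime as LDAP GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")

def parse_generalized_time(value):
    """Parse YYYYMMDDHHMMSSZ (or the shorter YYYYMMDDHHMMZ form used in the
    thread) into a UTC datetime."""
    digits = value.rstrip("Z")
    fmt = {12: "%Y%m%d%H%M", 14: "%Y%m%d%H%M%S"}[len(digits)]
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)

def active_hosts_filter(since):
    """Filter matching host principals that authenticated at or after `since`.
    (host/* is an assumed pattern for host principals.)"""
    return ("(&(krbLastSuccessfulAuth>=%s)(krbPrincipalName=host/*))"
            % generalized_time(since))

def stale_hosts(entries, since):
    """Return (stale, never): host principals whose last successful auth is
    older than `since`, and hosts with no krbLastSuccessfulAuth at all. The
    second group never matches a >= filter, so it must be listed separately."""
    stale, never = [], []
    for entry in entries:
        principal = entry["krbPrincipalName"]
        if not principal.startswith("host/"):
            continue  # users are out of scope for the host count
        last = entry.get("krbLastSuccessfulAuth")
        if last is None:
            never.append(principal)
        elif parse_generalized_time(last) < since:
            stale.append(principal)
    return stale, never

# Constructed sample entries (not taken from any real directory).
SAMPLE_ENTRIES = [
    {"krbPrincipalName": "host/a.example.test@EXAMPLE.TEST", "krbLastSuccessfulAuth": "20110104120000Z"},
    {"krbPrincipalName": "host/b.example.test@EXAMPLE.TEST", "krbLastSuccessfulAuth": "20101101000000Z"},
    {"krbPrincipalName": "host/c.example.test@EXAMPLE.TEST"},
    {"krbPrincipalName": "admin@EXAMPLE.TEST", "krbLastSuccessfulAuth": "20100101000000Z"},
]

if __name__ == "__main__":
    cutoff = datetime(2010, 12, 1, tzinfo=timezone.utc)
    print(active_hosts_filter(cutoff))
    print(stale_hosts(SAMPLE_ENTRIES, cutoff))
```

As Nalin notes in the quoted text, krbLastSuccessfulAuth is unlikely to be indexed, so the server-side filter is a full scan on a large directory.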
