[Freeipa-devel] [PATCH] 249 host enrollment
Rob Crittenden
rcritten at redhat.com
Tue Aug 11 16:56:10 UTC 2009
This largish patch adds host enrollment. There are several scenarios
that are covered. All of these assume that the IPA client machine has
already been set up (ipa-client-install):
1. Full admin enrollment. This will create the host entry, a host/
service principal and a keytab for that principal in /etc/krb5.keytab.
2. Junior admin enrollment. There are lots of levels of delegation
possible here, but at a minimum they would be able to enroll an existing
host by creating the service principal and keytab. Additional rights
such as adding a host could be added as well.
3. Bulk enrollment. If a host entry is pre-created by another admin and
it contains an enrollment password (in the userPassword attribute) then
an LDAP-based enrollment can take place. The client binds as the host
and generates a keytab for itself.
One really significant change is I've switch to openldap as the LDAP
client. Doing SSL with mozldap would have required a significant amount
of more code (because we can't assume there is already an NSS db lying
around that trusts the IPA CA).
I didn't completely disable the mozldap option but by default things
will build with openldap now.
This also adds a first pass at Get Effective Rights support. This is so
we can know in advance if an operation would succeed and makes things
generally nicer.
rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-249-join.patch
Type: application/mbox
Size: 83390 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090811/c194654a/attachment.mbox>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3245 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090811/c194654a/attachment.bin>
More information about the Freeipa-devel
mailing list