[Freeipa-devel] [PATCH] 249 host enrollment

Rob Crittenden rcritten at redhat.com
Tue Aug 11 16:56:10 UTC 2009


This largish patch adds host enrollment. There are several scenarios 
that are covered. All of these assume that the IPA client machine has 
already been set up (ipa-client-install):

1. Full admin enrollment. This will create the host entry, a host/ 
service principal and a keytab for that principal in /etc/krb5.keytab.

2. Junior admin enrollment. There are lots of levels of delegation 
possible here, but at a minimum they would be able to enroll an existing 
host by creating the service principal and keytab. Additional rights 
such as adding a host could be added as well.

3. Bulk enrollment. If a host entry is pre-created by another admin and 
it contains an enrollment password (in the userPassword attribute) then 
an LDAP-based enrollment can take place. The client binds as the host 
and generates a keytab for itself.

One really significant change is I've switched to openldap as the LDAP 
client. Doing SSL with mozldap would have required a significant amount 
more code (because we can't assume there is already an NSS db lying 
around that trusts the IPA CA).

I didn't completely disable the mozldap option but by default things 
will build with openldap now.

This also adds a first pass at Get Effective Rights support. This is so 
we can know in advance if an operation would succeed and makes things 
generally nicer.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-249-join.patch
Type: application/mbox
Size: 83390 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090811/c194654a/attachment.mbox>