[Freeipa-devel] [PATCH] 249 host enrollment

Rob Crittenden rcritten at redhat.com
Tue Aug 11 17:16:26 UTC 2009


Dmitri Pal wrote:
> Rob Crittenden wrote:
>> This largish patch adds host enrollment. There are several scenarios
>> that are covered. All of these assume that the IPA client machine has
>> already been set up (ipa-client-install):
>>
> Does ipa-client-install bring admin utils?
> What is its purpose?

It configures the machine to be an IPA client. It configures nss_ldap, 
etc. It also creates some configuration files we need such as what IPA 
server to talk to and the CA cert for that server.

> I thought the sequence of operations would be somewhat (do not look at
> the names, I do not expect them to be exactly as I put them):
> yum install ipa-client-enrollment
> ipa-enroll ...
> 
> The enroll will also do some configuration as it used to do in v1 but
> other than that I expected the mentioned sequence.
> I scanned quickly through the patch but was not able to see whether
> things work as I expect or not.

I did this as a separate step. It can be included in the 
ipa-client-install sequence though it currently is not.

> 
>> 1. Full admin enrollment. This will create the host entry, a host/
>> service principal and a keytab for that principal in /etc/krb5.keytab.
>>
>> 2. Junior admin enrollment. There are lots of levels of delegation
>> possible here, but at a minimum they would be able to enroll an
>> existing host by creating the service principal and keytab. Additional
>> rights such as adding a host could be added as well.
>>
>> 3. Bulk enrollment. If a host entry is pre-created by another admin
>> and it contains an enrollment password (in the userPassword attribute)
>> then an LDAP-based enrollment can take place. The client binds as the
>> host and generates a keytab for itself.
>>
>> One really significant change is I've switched to openldap as the LDAP
>> client. Doing SSL with mozldap would have required significantly
>> more code (because we can't assume there is already an NSS
>> db lying around that trusts the IPA CA).
>>
>> I didn't completely disable the mozldap option but by default things
>> will build with openldap now.
>>
>> This also adds a first pass at Get Effective Rights support. This is
>> so we can know in advance if an operation would succeed and makes
>> things generally nicer.
>>
>> rob
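The keytab that the admin and bulk enrollment paths write to /etc/krb5.keytab is what an administrator will want to verify afterwards. The following is an added example, not code from Rob's patch or from FreeIPA: a small parser for the MIT keytab v2 on-disk layout (assumed here from the published format) that lists the principals in a keytab and checks that host/<fqdn>@<REALM> is present. The sample keytab, the host name client.example.com and the realm EXAMPLE.COM are constructed for the example.

```python
import struct
KEYTAB_MAGIC = b"\x05\x02"  # MIT keytab file format, version 2
def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data  # uint16 length + bytes ("counted octet string")
def _read_counted(blob: bytes, off: int):
    (n,) = struct.unpack_from(">H", blob, off)
    return blob[off + 2:off + 2 + n], off + 2 + n
def build_keytab_entry(principal: str, realm: str, kvno: int, enctype: int, key: bytes) -> bytes:
    # Encode one v2 keytab entry; used here only to construct a sample keytab offline.
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    for c in comps:
        body += _counted(c.encode())
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # name_type NT-PRINCIPAL, timestamp, 8-bit kvno
    body += struct.pack(">H", enctype) + _counted(key)  # keyblock: enctype + counted key
    body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
    return struct.pack(">i", len(body)) + body
def parse_keytab(blob: bytes):
    """Return [(principal@REALM, kvno, enctype), ...] for every live entry in the keytab."""
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 2 MIT keytab")
    entries, off = [], 2
    while off + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        if size <= 0:  # a negative size marks a deleted slot of that length: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", blob, off)
        realm, off = _read_counted(blob, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(blob, off)
            comps.append(c.decode())
        _name_type, _stamp, kvno = struct.unpack_from(">IIB", blob, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", blob, off)
        _key, off = _read_counted(blob, off + 2)  # key material is not needed for the listing
        if end - off >= 4:  # 32-bit kvno present: it overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", blob, off)
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        off = end
    return entries
def has_host_principal(blob: bytes, fqdn: str, realm: str) -> bool:
    # The post-enrollment check: does the keytab hold host/<fqdn>@<REALM>?
    return any(p == f"host/{fqdn}@{realm}" for p, _, _ in parse_keytab(blob))
# Constructed sample: one host entry, aes256-cts-hmac-sha1-96 (enctype 18), dummy 32-byte key.
SAMPLE_KEYTAB = KEYTAB_MAGIC + build_keytab_entry("host/client.example.com", "EXAMPLE.COM", 2, 18, bytes(range(32)))
```

Running parse_keytab on a real /etc/krb5.keytab (read in binary mode) lists the same principals that klist -kt would show.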
