[Freeipa-devel] Adding a new DNA plugin configuration in IPAv3

Alexander Bokovoy abokovoy at redhat.com
Thu Feb 2 11:39:23 UTC 2012


On Thu, 02 Feb 2012, Sumit Bose wrote:
> Simo, thank you for giving detailed responses and explanations here. To
> make it - hopefully - even clearer I try to describe the steps that are
> necessary to enable IPA for trust and to create trust to AD domains.
> 
> I assume that we start from a running IPAv2 setup with replication:
> 
> 1. Update IPA to v3, install the new packages, run everything that is
> needed for the update. This step will not create anything related to
> trust (only the needed python code and config file templates are
> installed)
> 
> 2. Call ipa-adtrust-install to enable IPA to handle trust, this will
>   - create the samba configuration
>   - add cn=trust to the DIT
>   - generate a domain SID and store it in the DIT
>   - add the well-known administrator and admin group SIDs to the admin user
>     and the admins group respectively
>   - activate the CLDAP directory server plugin
>   - add DNA configuration to automatically add SIDs to users and groups
> on the server where ipa-adtrust-install
At this point 'ipa trust ...' set of commands mentioned in (5) will be 
able to operate because we'll have enough information about our own 
domain to proceed with trusts to other domains.


> 3. Now SIDs can be added to users and groups, this can be done
>   - as Simo mentioned above with the help of a directory server task to
>     generate them as fast as possible
>   - but if there are concerns about the traffic caused by the
>     replication, this can also be done by an external script, with a
>     rate limitation or during non-office hours
> this process might take some time, but since it has to be done only once
> I think it is even acceptable if it needs some days to finish, as long
> as it is documented :-)
Agree. 

There are two separate phases here, actually:
	- trust creation
	- trust usage

Normal usage is possible after step (3), creating trusts is possible 
before (3), albeit it wouldn't be quite usable besides the administrator 
account.
 
> 4. Now ipa-adtrust-install can be called on other IPA servers which will
> now skip the configuration steps which can already be found in the
> replicated tree, some of the remaining ones are:
>   - create the samba configuration
>   - activate the CLDAP directory server plugin
>   - add SID DNA configuration with an empty range
ACK. There is also need to add DNS records to get these IPA servers in 
use for AD discovery.

 
> 5. Finally a trust to an AD domain can be created by calling 'net rpc
> trust create ...' (Alexander is working on the integration into the ipa
> utility so that it will be more like 'ipa adtrust-create' or similar).
Yep.

-- 
/ Alexander Bokovoy
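As an added example (not part of the original thread and not FreeIPA's own code), the following Python sketch shows the pieces that steps 2 and 3 of the procedure above describe: building a domain SID of the S-1-5-21-x-y-z form, deriving the well-known Administrator (RID 500) and Domain Admins (RID 512) SIDs that get attached to the admin user and the admins group, and the "external script with a rate limitation" variant of step 3, which hands out RIDs from a DNA-style range to entries that do not yet carry a SID and emits the LDIF modifications to apply. The attribute name ipaNTSecurityIdentifier, the RID range 1001-1999, the domain SID value and the sample DNs are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Added example (not FreeIPA code): domain SID generation, well-known SIDs,
and a rate-limited, re-runnable SID assignment pass that emits LDIF.

Assumptions (not from the original thread): the attribute name
ipaNTSecurityIdentifier, the sample DNs, the domain SID and the RID range."""
import secrets
import time

DOMAIN_SID_PREFIX = "S-1-5-21"        # NT authority 5, sub-authority 21 = domain SIDs
RID_ADMINISTRATOR = 500               # well-known RID of the built-in Administrator
RID_DOMAIN_ADMINS = 512               # well-known RID of the Domain Admins group
SID_ATTR = "ipaNTSecurityIdentifier"  # assumed attribute holding a user/group SID


def generate_domain_sid(randbits=secrets.randbits):
    """Domain SID = S-1-5-21-<three random 32-bit sub-authorities>."""
    subs = [randbits(32) for _ in range(3)]
    return "-".join([DOMAIN_SID_PREFIX] + [str(s) for s in subs])


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-rid' into (domain_sid, rid).
    Rejects SIDs of another shape and sub-authorities outside 32 bits."""
    parts = sid.split("-")
    if len(parts) != 8 or "-".join(parts[:4]) != DOMAIN_SID_PREFIX:
        raise ValueError(f"not a domain-relative SID: {sid}")
    nums = [int(p) for p in parts[4:]]
    if any(not 0 <= n < 2**32 for n in nums):
        raise ValueError(f"sub-authority out of 32-bit range: {sid}")
    return "-".join(parts[:7]), nums[3]


def sid_for_rid(domain_sid, rid):
    return f"{domain_sid}-{rid}"


def well_known_sids(domain_sid):
    """SIDs step 2 attaches to the admin user and the admins group."""
    return {
        "admin": sid_for_rid(domain_sid, RID_ADMINISTRATOR),
        "admins": sid_for_rid(domain_sid, RID_DOMAIN_ADMINS),
    }


class RidRange:
    """DNA-style allocator: hands out each RID in [first, last] exactly once."""

    def __init__(self, first, last):
        # RIDs below 1000 are reserved for well-known accounts and groups.
        if first < 1000 or last < first:
            raise ValueError("range must start at or above 1000 and be non-empty")
        self.next, self.last = first, last

    def allocate(self):
        if self.next > self.last:
            raise RuntimeError("RID range exhausted; extend it before assigning more SIDs")
        rid = self.next
        self.next += 1
        return rid


def assign_sids(entries, domain_sid, rid_range, rate_per_second=None, sleep=time.sleep):
    """Return LDIF modify records giving each entry without a SID the next free RID.
    rate_per_second throttles the batch so replication traffic stays bounded;
    entries that already carry a SID are skipped, so re-running is safe."""
    records = []
    for entry in entries:
        if entry.get(SID_ATTR):
            continue
        sid = sid_for_rid(domain_sid, rid_range.allocate())
        records.append(
            f"dn: {entry['dn']}\nchangetype: modify\nadd: {SID_ATTR}\n{SID_ATTR}: {sid}\n"
        )
        if rate_per_second:
            sleep(1.0 / rate_per_second)
    return records


# Constructed sample data, not taken from any real deployment.
DOMAIN_SID = "S-1-5-21-1483371493-2091934097-3217221678"
SAMPLE_ENTRIES = [
    {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=test"},
    {"dn": "uid=bob,cn=users,cn=accounts,dc=example,dc=test",
     SID_ATTR: DOMAIN_SID + "-1000"},   # already assigned on an earlier run
    {"dn": "cn=devs,cn=groups,cn=accounts,dc=example,dc=test"},
]

if __name__ == "__main__":
    print(well_known_sids(DOMAIN_SID))
    for rec in assign_sids(SAMPLE_ENTRIES, DOMAIN_SID, RidRange(1001, 1999), rate_per_second=50):
        print(rec)
```

The LDIF records are meant to be fed to ldapmodify in batches; keeping the allocator's state (the next free RID) outside the script, for instance in the DNA range entry itself, is what makes the pass resumable across several non-office-hour runs.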
