[Freeipa-devel] [PATCH 0042] Allow host re-enrollment using delegation
Tomas Babej
tbabej at redhat.com
Fri Mar 22 17:17:24 UTC 2013
On Fri 22 Mar 2013 05:54:12 PM CET, Rob Crittenden wrote:
> Petr Viktorin wrote:
>> On 03/18/2013 02:49 PM, Tomas Babej wrote:
>>> On 03/18/2013 02:46 PM, Tomas Babej wrote:
>>>> Hi,
>>>>
>>>> A new option --force-join has been added to ipa-client-install.
>>>> It forces the host enrollment even if the host entry exists.
>>>> Old certificate is revoked, new certificate and ssh key pair
>>>> generated. See the relevant design for the re-enrollment part:
>>>> http://freeipa.org/page/V3/Client_install_using_keytab
>>
>> --force-join is not mentioned there. Since you're adding a new option,
>> you need to document it.
>
> What is the difference between force-join and force? All force does is
> let the install continue if the join fails, so if we're forcing join
> to succeed too...
>
There is more behaviour that differs in ipa-client-install with the
--force option:
- in case of an install error, changes are not rolled back
- in unattended mode, using --force allows retrieving the CA cert
  using HTTP
- Kerberos and LDAP settings are forced

I'm not against merging the options; it just seemed to me as though
they provide support for slightly different use cases.
Though, the man page for ipa-client-install says the following about
the --force option:
"Force the settings even if errors occur".
>>
>>>> https://fedorahosted.org/freeipa/ticket/3482
>>>>
>>>> Tomas
>>>
>>> A-and the patch itself.
>>
>> The patch itself works fine.
>>
>>
>>
>