[Freeipa-users] Fedora 16 installer

Sigbjorn Lie sigbjorn at nixtra.com
Fri Nov 11 17:09:13 UTC 2011


On 11/11/2011 03:40 PM, Simo Sorce wrote:
> On Fri, 2011-11-11 at 16:17 +0200, Alexander Bokovoy wrote:
>> On Fri, 11 Nov 2011, Stephen Gallagher wrote:
>>>> I just installed Fedora 16 and noticed that there now was an option for
>>>> using FreeIPA as authentication database. Awesome!
>>>>
>>>> But why the normal ldap/kerberos options that met me when I chose
>>>> FreeIPA (see the attachment). I was picturing auto-detection, and just a
>>>> username and password, same as the simplified CLI installer.
>>>>
>>>> Is this on the roadmap for the Fedora/RHEL installer?
>>>>
>>>> And, what about IPA options for the "auth" kickstart directive?
>>>>
>>> That has actually been there since Fedora 14, and it's meant for use
>>> with FreeIPA v1, not v2. We do need to do something about that for F17,
>>> though.
>> Should installer schedule running ipa-client-install and enroll the
>> machine? Many options can be re-used from the installer itself
>> (hostname is known at this point, as well as how network was
>> configured), so there is a handful of things to discover.
> Hostname in many cases will probably be wrong (left to default
> localhost.localdomain) so we should detect if the host name is in the
> same domain as the ipa server and ask if the user wouldn't want to
> change it (suggesting the 'right' one). We would have to refuse to
> proceed if the hostname is localhost.localdomain or any combination
> where the host part is localhost and the domain part is localdomain.
>
>> Though I would get discovery part of the ipa-client-install reused
>> here -- like finding out kerberos setup via DNS and if that fails,
>> show UI to enter all additional details, then schedule
>> actual enrollment.
> The other problem here is that you may not have admin credentials.
> We will need to support using an enrollment password as well as just
> skip the join but otherwise configure the rest to work, and tell the
> user to call the admin to complete the join later (or maybe just skip it
> altogether).
>
I don't use the $ currency, but here's my 0.02 NOK.  :)

Keep it simple.

If the hostname is not resolvable and not specified as a known IPA DNS 
domain -> fail with error message.

Not enough permissions to complete enrollment -> fail with error message.



Rgds,
Siggi
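
The hostname rules discussed in this thread, sketched as a pre-enrollment check. This is an added example, not part of the original message and not code from ipa-client-install or the Fedora installer. The function names, the reading of "any combination" as numbered variants such as localhost6.localdomain6, and the sample names under example.test are assumptions.

```python
import re
import socket

# Assumption: "any combination" of localhost/localdomain is read as the
# plain and numbered default names (localhost4, localdomain6, ...).
LOCAL_HOST = re.compile(r"^localhost\d*$")
LOCAL_DOMAIN = re.compile(r"^localdomain\d*$")


def _norm(name):
    """Lower-case a DNS name and drop surrounding space and the root dot."""
    return name.strip().rstrip(".").lower()


def dns_resolves(fqdn):
    """Default resolver check; replaceable so the logic can run offline."""
    try:
        socket.getaddrinfo(fqdn, None)
        return True
    except socket.gaierror:
        return False


def in_domain(fqdn, ipa_domain):
    """True if the domain part of fqdn is the IPA domain or a subdomain."""
    _, _, domain = _norm(fqdn).partition(".")
    ipa_domain = _norm(ipa_domain)
    return domain == ipa_domain or domain.endswith("." + ipa_domain)


def preflight(hostname, ipa_domain, resolves=dns_resolves):
    """Return (ok, reason). Fail early with a message, never prompt."""
    fqdn = _norm(hostname)
    host, _, domain = fqdn.partition(".")
    if not host or not domain:
        return (False, "hostname is not fully qualified")
    # Refuse the installer default before touching DNS at all.
    if LOCAL_HOST.match(host) and LOCAL_DOMAIN.match(domain):
        return (False, "hostname is the installer default")
    # Fail only when the name is neither in the IPA domain nor resolvable.
    if not in_domain(fqdn, ipa_domain) and not resolves(fqdn):
        return (False, "hostname not resolvable and not in the IPA DNS domain")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample names; the resolver is stubbed to stay offline.
    for name in ("localhost.localdomain", "client1.example.test", "pc.other.test"):
        print(name, preflight(name, "example.test", resolves=lambda n: False))
```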



