[Freeipa-users] FreeIPA + Foreman 1.5

Tomas Babej tbabej at redhat.com
Mon Apr 28 09:33:55 UTC 2014


On 04/28/2014 11:23 AM, Stephen Benjamin wrote:
>
> ----- Original Message -----
>> From: "Jakub Hrozek" <jhrozek at redhat.com>
>> To: freeipa-users at redhat.com
>> Sent: Monday, April 28, 2014 10:55:16 AM
>> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
>>
>> On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
>>> ----- Original Message -----
>>>> From: "Jan Cholasta" <jcholast at redhat.com>
>>>> To: "Martin Kosek" <mkosek at redhat.com>, dpal at redhat.com, "Stephen
>>>> Benjamin" <stbenjam at redhat.com>
>>>> Cc: freeipa-users at redhat.com
>>>> Sent: Friday, April 25, 2014 9:44:37 AM
>>>> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
>>>> AFAIK you can use ldap sudo provider with IPA, see e.g.
>>>> <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
>>> I got this working, and seems to work across recent Fedora releases too.
>>> This at least removes the requirement on using the old bind password
>>> method.  Thanks!
>> In recent Fedora releases, where the IPA sudo provider is available, the
>> "legacy" LDAP provider should not be used. There might be problems with
>> enumeration for instance when combining two different providers.
> Can I have a link then to how this is set up? Do you also
> need the LDAP URLs, nisdomain, etc?
>
> Or is it just one setting and done?
>
>
>>> Is there a way for sssd to use _srv_ for the krb5_server line?
>> Yes, it should just work.
>>
>>> Here's an updated Kickstart snippet:
>>>   https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
>>>
>>> If we know what the Syntax will be for sudo (or will it be default
>>> in 4.0?), then I can include the logic already not to do it manually.
>> Sorry, I'm not sure I understand the question? With recent enough
>> clients (6.6+, 7.0+, any supported Fedora) you should use
>> sudo_provider=ipa, with older ones you should use sudo_provider=ldap
> It's been mentioned elsewhere in the thread that the ipa-client-install
> in some feature version will do this, if that's the case I shouldn't be
> doing it in a kickstart snippet.
>
> Will it be like automount: ipa-client-automount, or will it be an install
> flag?  Does it exist yet?

It will be the default behaviour, that is, a flag will be available to
turn it *off* (--no-sudo).

Yes, patches are on review and close to being pushed (waiting for the CI
coverage); it will be part of the next upstream release.


-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 
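
The provider advice in this thread (use sudo_provider=ipa on recent clients, and do not keep the legacy ldap sudo provider alongside the IPA provider) can be checked on a client with a small audit of sssd.conf. This is an added example, not code from the thread or from the SSSD/FreeIPA projects; the sample configuration is constructed, the domain names are placeholders, and the function name `audit_sudo_provider` is hypothetical.

```python
import configparser

# Constructed sample sssd.conf (not from the thread); domain names are placeholders.
SAMPLE = """
[sssd]
services = nss, pam
domains = legacy.example.test, current.example.test

[domain/legacy.example.test]
id_provider = ipa
sudo_provider = ldap
ldap_uri = ldap://ipa.example.test

[domain/current.example.test]
id_provider = ipa
sudo_provider = ipa
"""

def audit_sudo_provider(conf_text):
    """Return (section, finding) tuples for sudo-related settings in sssd.conf text."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(conf_text)
    findings = []
    # Assumption: responders are started from the services list (no socket activation).
    raw = cp.get("sssd", "services", fallback="")
    services = [s.strip() for s in raw.split(",")]
    if "sudo" not in services:
        findings.append(("sssd", "sudo responder not listed in services"))
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        id_prov = cp.get(section, "id_provider", fallback=None)
        # When sudo_provider is unset, SSSD uses the id_provider value.
        sudo_prov = cp.get(section, "sudo_provider", fallback=id_prov)
        if id_prov == "ipa" and sudo_prov == "ldap":
            findings.append((section, "legacy ldap sudo provider with ipa id_provider"))
        elif sudo_prov == "none":
            findings.append((section, "sudo provider disabled"))
    return findings

if __name__ == "__main__":
    for section, finding in audit_sudo_provider(SAMPLE):
        print(f"{section}: {finding}")
```
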
