[Freeipa-users] FreeIPA + Foreman 1.5

Jakub Hrozek jhrozek at redhat.com
Mon Apr 28 12:51:26 UTC 2014


On Mon, Apr 28, 2014 at 05:23:18AM -0400, Stephen Benjamin wrote:
> 
> 
> ----- Original Message -----
> > From: "Jakub Hrozek" <jhrozek at redhat.com>
> > To: freeipa-users at redhat.com
> > Sent: Monday, April 28, 2014 10:55:16 AM
> > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> > 
> > On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
> > > ----- Original Message -----
> > > > From: "Jan Cholasta" <jcholast at redhat.com>
> > > > To: "Martin Kosek" <mkosek at redhat.com>, dpal at redhat.com, "Stephen
> > > > Benjamin" <stbenjam at redhat.com>
> > > > Cc: freeipa-users at redhat.com
> > > > Sent: Friday, April 25, 2014 9:44:37 AM
> > > > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> > > 
> > > > AFAIK you can use ldap sudo provider with IPA, see e.g.
> > > > <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
> > > 
> > > I got this working, and seems to work across recent Fedora releases too.
> > > This at least removes the requirement on using the old bind password
> > > method.  Thanks!
> > 
> > In recent Fedora releases, where the IPA sudo provider is available, the
> > "legacy" LDAP provider should not be used. There might be problems with
> > enumeration for instance when combining two different providers.
> 
> Can I have a link then to how this is set up? Do you also
> need the LDAP URLs, nisdomain, etc?

man sssd-ipa should have a nice example of setting up the sssd.conf for
sudo_provider=ldap

> 
> Or is it just one setting and done?

With sudo_provider=ipa, it's just that one line. You still need to
configure the nisdomain etc.

> 
> 
> > > 
> > > Is there a way for sssd to use _srv_ for the krb5_server line?
> > 
> > Yes, it should just work.
> > 
> > > 
> > > Here's an updated Kickstart snippet:
> > >   https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> > > 
> > > If we know what the Syntax will be for sudo (or will it be default
> > > in 4.0?), then I can include the logic already not to do it manually.
> > 
> > Sorry, I'm not sure I understand the question? With recent enough
> > clients (6.6+, 7.0+, any supported Fedora) you should use
> > sudo_provider=ipa, with older ones you should use sudo_provider=ldap
> 
> It's been mentioned elsewhere in the thread that the ipa-client-install
> in some feature version will do this, if that's the case I shouldn't be
> doing in a kickstart snippet.
> 
> Will it be like automount: ipa-client-automount, or will it be an install
> flag?  Does it exist yet?

Looks like this feature is not implemented completely yet:
https://fedorahosted.org/freeipa/ticket/3358
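
An added example, not part of the original thread: a small check for the provider mix discussed above, flagging an sssd.conf domain that pairs id_provider=ipa with the legacy sudo_provider=ldap. The sample configs, host names and the function name audit_sudo_config are constructed for illustration.

```python
import configparser

# Constructed sample: IPA client still using the legacy LDAP sudo provider.
SAMPLE_LEGACY = """
[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ipa
sudo_provider = ldap
ldap_uri = ldap://ipa.example.com
krb5_server = _srv_
"""

# Constructed sample: the one-line form for clients that have the IPA provider.
SAMPLE_IPA = """
[sssd]
services = nss, pam, sudo
domains = example.com

[domain/example.com]
id_provider = ipa
sudo_provider = ipa
"""

def audit_sudo_config(text):
    """Return a list of findings about sudo settings in an sssd.conf string."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    services = cfg.get("sssd", "services", fallback="")
    if "sudo" not in [s.strip() for s in services.split(",")]:
        findings.append("[sssd] services does not list sudo")
    for name in cfg.sections():
        if not name.startswith("domain/"):
            continue
        dom = cfg[name]
        id_provider = dom.get("id_provider", fallback="")
        # sssd uses the id_provider value when sudo_provider is unset.
        sudo_provider = dom.get("sudo_provider", fallback=id_provider)
        if id_provider == "ipa" and sudo_provider == "ldap":
            findings.append(f"{name}: legacy ldap sudo provider with id_provider=ipa")
            if "ldap_sudo_search_base" not in dom:
                findings.append(f"{name}: ldap_sudo_search_base not set")
    return findings
```

On older clients without the IPA sudo provider the "legacy" finding is expected rather than an error; the check is meant for the recent releases named in the thread.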



