Hey Rob:
I'll probably be writing a test plan and automating this soon. Can you direct me to all available design, configuration, implementation documentation for host enrollment and the join utility? This is all I have right now ...



Rob Crittenden wrote:
This largish patch adds host enrollment. There are several scenarios that are covered. All of these assume that the IPA client machine has already been set up (ipa-client-install):

1. Full admin enrollment. This will create the host entry, a host/ service principal and a keytab for that principal in /etc/krb5.keytab.

2. Junior admin enrollment. There are lots of levels of delegation possible here, but at a minimum they would be able to enroll an existing host by creating the service principal and keytab. Additional rights such as adding a host could be added as well.

3. Bulk enrollment. If a host entry is pre-created by another admin and it contains an enrollment password (in the userPassword attribute) then an LDAP-based enrollment can take place. The client binds as the host and generates a keytab for itself.

One really significant change is I've switch to openldap as the LDAP client. Doing SSL with mozldap would have required a significant amount of more code (because we can't assume there is already an NSS db lying around that trusts the IPA CA).

I didn't completely disable the mozldap option but by default things will build with openldap now.

This also adds a first pass at Get Effective Rights support. This is so we can know in advance if an operation would succeed and makes things generally nicer.


Freeipa-devel mailing list

Jenny Galipeau <jgali...@redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering

Freeipa-devel mailing list

Reply via email to