Hey Rob:
I'll probably be writing a test plan and automating this soon. Can you direct me to all available design, configuration, implementation documentation for host enrollment and the join utility? This is all I have right now ...

https://wiki.idm.lab.bos.redhat.com/export/idmwiki/images/1/11/Machine_Authentication_Usage_Scenarios_rev3.pdf

Thanks
Jenny


Rob Crittenden wrote:
This largish patch adds host enrollment. There are several scenarios that are covered. All of these assume that the IPA client machine has already been set up (ipa-client-install):

1. Full admin enrollment. This will create the host entry, a host/ service principal and a keytab for that principal in /etc/krb5.keytab.

2. Junior admin enrollment. There are lots of levels of delegation possible here, but at a minimum they would be able to enroll an existing host by creating the service principal and keytab. Additional rights such as adding a host could be added as well.

3. Bulk enrollment. If a host entry is pre-created by another admin and it contains an enrollment password (in the userPassword attribute) then an LDAP-based enrollment can take place. The client binds as the host and generates a keytab for itself.

One really significant change is I've switched to openldap as the LDAP client. Doing SSL with mozldap would have required a significant amount more code (because we can't assume there is already an NSS db lying around that trusts the IPA CA).

I didn't completely disable the mozldap option but by default things will build with openldap now.

This also adds a first pass at Get Effective Rights support. This is so we can know in advance if an operation would succeed and makes things generally nicer.

rob

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


--
Jenny Galipeau <jgali...@redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
