Hey Rob:
I'll probably be writing a test plan and automating this soon. Can you
direct me to all available design, configuration, implementation
documentation for host enrollment and the join utility? This is all I
have right now ...
https://wiki.idm.lab.bos.redhat.com/export/idmwiki/images/1/11/Machine_Authentication_Usage_Scenarios_rev3.pdf
Thanks
Jenny
Rob Crittenden wrote:
This largish patch adds host enrollment. There are several scenarios
that are covered. All of these assume that the IPA client machine has
already been set up (ipa-client-install):
1. Full admin enrollment. This will create the host entry, a host/
service principal and a keytab for that principal in /etc/krb5.keytab.
2. Junior admin enrollment. There are lots of levels of delegation
possible here, but at a minimum they would be able to enroll an
existing host by creating the service principal and keytab. Additional
rights such as adding a host could be added as well.
3. Bulk enrollment. If a host entry is pre-created by another admin
and it contains an enrollment password (in the userPassword attribute)
then an LDAP-based enrollment can take place. The client binds as the
host and generates a keytab for itself.
One really significant change is I've switch to openldap as the LDAP
client. Doing SSL with mozldap would have required a significant
amount of more code (because we can't assume there is already an NSS
db lying around that trusts the IPA CA).
I didn't completely disable the mozldap option but by default things
will build with openldap now.
This also adds a first pass at Get Effective Rights support. This is
so we can know in advance if an operation would succeed and makes
things generally nicer.
rob
------------------------------------------------------------------------
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
--
Jenny Galipeau <jgali...@redhat.com>
Principal Software QA Engineer
Red Hat, Inc. Security Engineering
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel