Rob Crittenden wrote:
NOTE, this patch replaces a previous patch to do the same thing. I fixed a few problems Simo pointed out and re-based it against the current master.

This largish patch adds host enrollment. There are several scenarios that are covered. All of these assume that the IPA client machine has already been set up (ipa-client-install):

1. Full admin enrollment. This will create the host entry, a host/ service principal and a keytab for that principal in /etc/krb5.keytab.

2. Junior admin enrollment. There are lots of levels of delegation possible here, but at a minimum they would be able to enroll an existing host by creating the service principal and keytab. Additional rights such as adding a host could be added as well.

3. Bulk enrollment. If a host entry is pre-created by another admin and it contains an enrollment password (in the userPassword attribute) then an LDAP-based enrollment can take place. The client binds as the host and generates a keytab for itself.

One really significant change is I've switched to openldap as the LDAP client. Doing SSL with mozldap would have required a significant amount more code (because we can't assume there is already an NSS db lying around that trusts the IPA CA).

I didn't completely disable the mozldap option, but by default things will build with openldap now.

This also adds a first pass at Get Effective Rights support. This is so we can know in advance if an operation would succeed and makes things generally nicer.

Looking good!

I noticed it makes changes to the host plugin and since this is probably going to get into the tree first: here's an updated version of my host plugin patch.


Attachment: 0001-Make-the-host-plugin-use-baseldap-classes.patch
Description: application/mbox
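The Get Effective Rights support mentioned above exists so the enrollment code can tell in advance whether a write would succeed. The following is an added illustration, not code from this patch or from FreeIPA: it parses the entryLevelRights / attributeLevelRights values a 389 Directory Server GER search returns (the letter codes are assumed to follow the 389-ds GER documentation) and answers the questions an enrollment step would ask before acting. The host entry and its rights are constructed sample data.

```python
# Constructed sample of a GER result for one host entry (values made up for this
# example; the letter codes follow the 389 Directory Server GER documentation).
SAMPLE_GER_ENTRY = {
    "dn": "fqdn=client.example.test,cn=computers,cn=accounts,dc=example,dc=test",
    "entryLevelRights": ["v"],
    "attributeLevelRights": ["fqdn:rsc", "userPassword:wo", "krbPrincipalName:rscwo"],
}

# Attribute-level letters: r=read, s=search, c=compare, w=write, o=obliterate (delete value)
ATTR_RIGHT_NAMES = {"r": "read", "s": "search", "c": "compare", "w": "write", "o": "delete"}
# Entry-level letters: a=add, d=delete, n=rename (modrdn), v=view
ENTRY_RIGHT_NAMES = {"a": "add", "d": "delete", "n": "rename", "v": "view"}


def parse_attribute_rights(values):
    """Turn ['cn:rsc', 'userPassword:wo'] into {'cn': {'r','s','c'}, 'userpassword': {'w','o'}}."""
    rights = {}
    for value in values:
        name, sep, letters = value.partition(":")
        if not sep:
            raise ValueError("malformed attributeLevelRights value: %r" % value)
        unknown = set(letters.strip()) - set(ATTR_RIGHT_NAMES)
        if unknown:
            raise ValueError("unknown attribute right(s) %s in %r" % (sorted(unknown), value))
        # Attribute names are case-insensitive in LDAP, so normalise the key.
        rights[name.strip().lower()] = set(letters.strip())
    return rights


def parse_entry_rights(values):
    """Turn ['vadn'] (one or more values) into {'v','a','d','n'}."""
    letters = set("".join(v.strip() for v in values))
    unknown = letters - set(ENTRY_RIGHT_NAMES)
    if unknown:
        raise ValueError("unknown entry right(s) %s" % sorted(unknown))
    return letters


def check_enrollment_rights(ger_entry):
    """Answer, from GER output alone, what the caller may do to this host entry."""
    attrs = parse_attribute_rights(ger_entry["attributeLevelRights"])
    entry = parse_entry_rights(ger_entry["entryLevelRights"])
    return {
        # Bulk enrollment needs an admin able to set the one-time userPassword.
        "can_set_enrollment_password": "w" in attrs.get("userpassword", set()),
        # Creating the host/ service principal means writing krbPrincipalName.
        "can_set_principal": "w" in attrs.get("krbprincipalname", set()),
        # Entry-level 'd' is the right to delete the host entry itself.
        "can_delete_host": "d" in entry,
    }
```

Running `check_enrollment_rights(SAMPLE_GER_ENTRY)` on the sample shows write on userPassword and krbPrincipalName but no delete right, which is the kind of answer the enrollment code can use to refuse early instead of failing mid-operation.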

Freeipa-devel mailing list
