Rob Crittenden wrote:
> Here is sort of a tricky problem, need some advice (LONG).
>
> When we bootstrap an IPA server we create a number of principals for
> the server itself. We create a host/, HTTP/ and ldap/ principal using
> kadmin.local. By using kadmin.local this entry is put into
> cn=kerberos,dc=example,dc=com.
>
> This has the nice side effect of making these records not appear as
> service entries so they are unmodifiable by anyone, meaning an admin
> will have a really hard time hosing their server.
>
> The downside is that these records do not appear as service entries,
> so if you search for services on the IPA server you'll get nothing.
>

How do we search? What base DN we use? One of the solutions might be to
install these principals as is and only later apply ipaService object
class to them so that the search for services would find them. Would be
a bit ugly since as far as I understand these services are in a
different location in the tree but this approach might be less painful
than LDIF and delete and add.
I hope that we will get the RDN renames pretty soon so that this would
not be an issue but it might not be soon enough for v2.

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
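An added illustration of the search problem being discussed, not code from the thread or from FreeIPA: a small in-memory model of the directory tree in which the host/, HTTP/ and ldap/ principals live under cn=kerberos, with a subtree search, the "apply ipaService object class later" step Dmitri suggests (as an in-place LDIF modify rather than delete-and-add), and a check of what a services search sees before and after. The container DNs, attribute names and principal names are constructed assumptions.

```python
# Added example (not from the FreeIPA-devel thread): why kadmin.local-created
# server principals are invisible to a search for services, and what adding
# the ipaService objectClass does and does not fix.  DN layout, attribute
# names and sample principals are assumptions constructed for this demo.

from typing import Dict, List, Set

BASE = "dc=example,dc=com"
REALM = "EXAMPLE.COM"
KRB_CONTAINER = f"cn={REALM},cn=kerberos,{BASE}"        # assumed layout
SERVICES_CONTAINER = f"cn=services,cn=accounts,{BASE}"  # assumed layout

Entry = Dict[str, Set[str]]


def build_directory() -> Dict[str, Entry]:
    """Constructed sample DIT: the three server principals under cn=kerberos,
    carrying only Kerberos object classes, as kadmin.local would leave them."""
    fqdn = "ipa.example.com"
    dit: Dict[str, Entry] = {}
    for svc in ("host", "HTTP", "ldap"):
        princ = f"{svc}/{fqdn}@{REALM}"
        dn = f"krbprincipalname={princ},{KRB_CONTAINER}"
        dit[dn] = {
            "objectClass": {"krbprincipal", "krbprincipalaux"},
            "krbPrincipalName": {princ},
        }
    return dit


def dn_in_subtree(dn: str, base: str) -> bool:
    """True if dn is base itself or lies below it.  Case-insensitive suffix
    match only; adequate for this constructed data, not a full DN comparison."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def search(dit: Dict[str, Entry], base: str, attr: str, value: str) -> List[str]:
    """Subtree search under base for entries with an equality match attr=value."""
    value = value.lower()
    return sorted(
        dn for dn, entry in dit.items()
        if dn_in_subtree(dn, base)
        and any(v.lower() == value for v in entry.get(attr, set()))
    )


def add_objectclass_ldif(dn: str, oc: str) -> str:
    """LDIF change record adding an objectClass to an existing entry in place,
    so the entry keeps its DN and its Kerberos keys (no delete-and-add)."""
    return f"dn: {dn}\nchangetype: modify\nadd: objectClass\nobjectClass: {oc}\n-\n"


def apply_add_objectclass(dit: Dict[str, Entry], dn: str, oc: str) -> None:
    """Apply the effect of add_objectclass_ldif() to the in-memory tree."""
    dit[dn]["objectClass"].add(oc)


def demo() -> Dict[str, List[str]]:
    """Run the before/after comparison and return the four result lists."""
    dit = build_directory()
    result = {
        # A services-container search finds nothing: wrong subtree.
        "before_services": search(dit, SERVICES_CONTAINER, "objectClass", "ipaService"),
        # A whole-domain search also finds nothing: no ipaService class yet.
        "before_subtree": search(dit, BASE, "objectClass", "ipaService"),
    }
    for dn in list(dit):
        apply_add_objectclass(dit, dn, "ipaService")
    # Still nothing under cn=services: the entries live elsewhere in the tree,
    # which is also why ACIs scoped to the services container never touch them.
    result["after_services"] = search(dit, SERVICES_CONTAINER, "objectClass", "ipaService")
    # A search rooted at the domain base now sees all three principals.
    result["after_subtree"] = search(dit, BASE, "objectClass", "ipaService")
    return result


if __name__ == "__main__":
    for key, dns in demo().items():
        print(f"{key}: {len(dns)} match(es)")
    print(add_objectclass_ldif(next(iter(build_directory())), "ipaService"))
```

The point the model makes explicit is that adding the object class only helps a search whose base DN covers cn=kerberos; a search rooted at the services container still returns nothing, which is exactly the "different location in the tree" caveat. The same scoping is what keeps these entries out of reach of service-level ACIs, so whichever approach is chosen, the access-control consequences follow the base DN, not the object class.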



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
