Dmitri Pal wrote:
Rob Crittenden wrote:
This patch adds a plugin and tools for managing entitlements for host
machines.

Testing is rather complex so I've attached a script to help set up the
Candlepin server. You'll need to ping me out of band for the backend
data. This configures the Candlepin server with an in-memory database
so any time tomcat6 is restarted you'll need to reload the data.

You have to run candlepin.setup as root. This will configure your
Fedora tomcat6 instance.

Once your candlepin server is set up and IPA is installed do something
like:

$ ipa entitle-register admin
(password is admin)

$ ipa entitle-consume 25

$ ipa entitle-status
(verify that it is 25)

# ipa-compliance
(should be 1 of 50)

Our tools can consume only, not return entitlements.

tickets 28, 79 and 278.

rob
Does the patch include all items from ticket 79? Should we split the
ticket, especially third bullet and treat it separately? Is it
addressed, do we still plan to provide a query in the docs?
Once Nalin created something like this:

Date comparisons in LDAP search filters compare using the ISO
representation of the time, given in YYYYMMDDHHMMSSZ form, which is more
or less what they look like on the wire.  For example, search for people
hired at Red Hat since Sunday:

   ldapsearch -x -h ldap.corp.redhat.com -b dc=redhat,dc=com \
        "(rhathiredate>=201004110000Z)" cn

The KDC (in 1.8 and later) will update krbLastSuccessfulAuth,
krbLastFailedAuth, and krbLoginFailedCount when a client attempts to
authenticate, so I expect that the search filter would look something
like this:

   "(&(|(krbLastFailedAuth>=201004110000Z)(krbLastSuccessfulAuth>=201004110000Z))(krbPrincipalName=*))"

Keep in mind that we probably don't index either "krbLastFailedAuth" or
"krbLastSuccessfulAuth" for searching, so the search would probably take
a while to run.

No, the patch does not have the "find old hosts" part in it.

I was planning to only test for krbLastSuccessfulAuth. Since this is a keytab I seriously doubt it will ever have a failed auth. I was going to update the ticket with the query and provide it to David for documentation.

Does the patch include cron job to run license check and log into the
syslog the results if you are out of compliance?

Yes.

Does it count the servers and the clients i.e all the entries that have
a host principal and a keytab?

Yes.

I have seen a FIXME comment in one of the patches below. Is this
intended or omission?

Unrelated to this feature and not show-stoppers, just recognizing some limitations.

rob
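
The "find old hosts" search discussed in this thread, sketched as an added example that is not part of the original messages or the patch. It assumes host principals are named `host/...`, uses the full GeneralizedTime form with seconds, and every function name and sample entry is constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"  # LDAP GeneralizedTime in UTC, with seconds


def generalized_time(dt):
    """Render an aware datetime as a UTC GeneralizedTime string."""
    return dt.astimezone(timezone.utc).strftime(GT_FORMAT)


def stale_host_filter(now, max_age_days):
    """Build a filter for hosts with no successful auth since the cutoff.

    A '<=' assertion never matches an entry that lacks the attribute, so
    hosts that have never authenticated need the '(!(attr=*))' branch.
    """
    cutoff = generalized_time(now - timedelta(days=max_age_days))
    return ("(&(krbPrincipalName=host/*)"  # assumed host principal naming
            "(|(krbLastSuccessfulAuth<=%s)(!(krbLastSuccessfulAuth=*))))"
            % cutoff)


def is_stale(entry, now, max_age_days):
    """Client-side equivalent of the filter, for checking results offline."""
    last = entry.get("krbLastSuccessfulAuth")
    if last is None:  # attribute absent: never authenticated
        return True
    seen = datetime.strptime(last, GT_FORMAT).replace(tzinfo=timezone.utc)
    return seen <= now - timedelta(days=max_age_days)


def stale_hosts(entries, now, max_age_days):
    """Return the principal names of entries the filter would select."""
    return [e["krbPrincipalName"] for e in entries
            if is_stale(e, now, max_age_days)]


# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = [
    {"krbPrincipalName": "host/old.example.com@EXAMPLE.COM",
     "krbLastSuccessfulAuth": "20100410120000Z"},
    {"krbPrincipalName": "host/active.example.com@EXAMPLE.COM",
     "krbLastSuccessfulAuth": "20100415080000Z"},
    {"krbPrincipalName": "host/never.example.com@EXAMPLE.COM"},
]

if __name__ == "__main__":
    now = datetime(2010, 4, 18, tzinfo=timezone.utc)
    print(stale_host_filter(now, 7))
    print(stale_hosts(SAMPLE_ENTRIES, now, 7))
```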
