Rob Crittenden wrote:
> Dmitri Pal wrote:
>> Rob Crittenden wrote:
>>> This patch adds a plugin and tools for managing entitlements for host
>>> machines.
>>>
>>> Testing is rather complex so I've attached a script to help set up the
>>> Candlepin server. You'll need to ping me out of band for the backend
>>> data. This configures the Candlepin server with an in-memory database
>>> so any time tomcat6 is restarted you'll need to reload the data.
>>>
>>> You have to run candlepin.setup as root. This will configure your
>>> Fedora tomcat6 instance.
>>>
>>> Once your candlepin server is set up and IPA is installed do something
>>> like:
>>>
>>> $ ipa entitle-register admin
>>> (password is admin)
>>>
>>> $ ipa entitle-consume 25
>>>
>>> $ ipa entitle-status
>>> (verify that it is 25)
>>>
>>> # ipa-compliance
>>> (should be 1 of 50)
>>>
>>> Our tools can consume only, not return entitlements.
>>>
>>> tickets 28, 79 and 278.
>>>
>>> rob
>> Does the patch include all items from ticket 79? Should we split the
>> ticket, especially the third bullet, and treat it separately? Is it
>> addressed, do we still plan to provide a query in the docs?
>> Once Nalin created something like this:
>>
>> Date comparisons in LDAP search filters compare using the ISO
>> representation of the time, given in YYYYMMDDHHMMSSZ form, which is more
>> or less what they look like on the wire. For example, search for people
>> hired at Red Hat since Sunday:
>>
>> ldapsearch -x -h ldap.corp.redhat.com -b dc=redhat,dc=com \
>> "(rhathiredate>=201004110000Z)" cn
>>
>> The KDC (in 1.8 and later) will update krbLastSuccessfulAuth,
>> krbLastFailedAuth, and krbLoginFailedCount when a client attempts to
>> authenticate, so I expect that the search filter would look something
>> like this:
>>
>>
>> "(&(|(krbLastFailedAuth>=201004110000Z)(krbLastSuccessfulAuth>=201004110000Z))(krbPrincipalName=*))"
>>
>>
>> Keep in mind that we probably don't index either "krbLastFailedAuth" or
>> "krbLastSuccessfulAuth" for searching, so the search would probably take
>> a while to run.
>
> No, the patch does not have the "find old hosts" part in it.
>
> I was planning to only test for krbLastSuccessfulAuth. Since this is a
> keytab I seriously doubt it will ever have a failed auth. I was going
> to update the ticket with the query and provide it to David for
> documentation.
>

This is sufficient.

>> Does the patch include a cron job to run the license check and log
>> the results to syslog if you are out of compliance?
>
> Yes.
>
>> Does it count the servers and the clients, i.e. all the entries that have
>> a host principal and a keytab?
>
> Yes.
>
>> I have seen a FIXME comment in one of the patches below. Is this
>> intended or an omission?
>
> Unrelated to this feature and not show-stoppers, just recognizing some
> limitations.
>
> rob
>

Thanks!

> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
>
>

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
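
Added example, not part of the original thread or the FreeIPA patch: one way to build the "find old hosts" query discussed above, testing only krbLastSuccessfulAuth, and to check its logic offline. Assumptions: "old" means no successful auth since a cutoff (so the comparison is `<=`), host principals are named `host/...`, and the sample entries are constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def to_generalized_time(dt):
    """Format an aware datetime in the YYYYMMDDHHMMSSZ form used in filters."""
    return dt.astimezone(UTC).strftime("%Y%m%d%H%M%SZ")

def parse_generalized_time(value):
    """Parse the two UTC forms in the thread: with seconds, or minutes only.
    Dispatch on length: strptime alone would misread a 12-digit value."""
    fmt = {15: "%Y%m%d%H%M%SZ", 13: "%Y%m%d%H%MZ"}.get(len(value))
    if fmt is None:
        raise ValueError("unsupported GeneralizedTime value: %r" % value)
    return datetime.strptime(value, fmt).replace(tzinfo=UTC)

def stale_host_filter(cutoff):
    """LDAP filter for host principals with no successful auth since cutoff.
    Entries that never authenticated lack the attribute and would not match
    a bare <= comparison, so they get their own clause."""
    ts = to_generalized_time(cutoff)
    return ("(&(krbPrincipalName=host/*)"
            "(|(krbLastSuccessfulAuth<=%s)(!(krbLastSuccessfulAuth=*))))" % ts)

def is_stale(entry, cutoff):
    """Local equivalent of the filter, for checking expectations offline."""
    last = entry.get("krbLastSuccessfulAuth")
    return last is None or parse_generalized_time(last) <= cutoff

# Constructed sample entries (not real data).
ENTRIES = [
    {"krbPrincipalName": "host/web1.example.com@EXAMPLE.COM",
     "krbLastSuccessfulAuth": "20100412093000Z"},
    {"krbPrincipalName": "host/old1.example.com@EXAMPLE.COM",
     "krbLastSuccessfulAuth": "200912010000Z"},  # minute precision
    {"krbPrincipalName": "host/new1.example.com@EXAMPLE.COM"},  # never used
]

def find_stale(entries, now, max_age_days):
    """Return the principal names the filter would select."""
    cutoff = now - timedelta(days=max_age_days)
    return [e["krbPrincipalName"] for e in entries if is_stale(e, cutoff)]

if __name__ == "__main__":
    now = datetime(2010, 4, 12, 12, 0, tzinfo=UTC)
    print(stale_host_filter(now - timedelta(days=30)))
    print(find_stale(ENTRIES, now, 30))
```

As noted in the thread, these attributes are probably not indexed, so a search with this filter may be slow on a large directory.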