On Fri, 08 Nov 2019, Ronald Wimmer via FreeIPA-users wrote:
On 08.11.19 11:08, Alexander Bokovoy via FreeIPA-users wrote:
[...]
Are these assumptions true:
- ipaA became a trust controller by issuing the "ipa trust-add" command
- ipaB will have to be configured as trust agent

Correct. By running ipa-adtrust-install --add-agents on ipaA, you can
add ipaB to the set of trust agents.

Thank you very much. Now I have a working setup.

Just two remaining questions...
1)
If I wanted another server to be a trust controller I would run "ipa-adtrust-install" on that server?

Correct.

2)
In order to add all remaining IPA servers as trust agents I could run "ipa-adtrust-install --add-agents" on any trust controller in my setup?

Correct.

One catch that is not fixed yet is promotion of the compat tree
configurations on trust agents. There is a need to update cn=config
entries to add special attributes. We do it in ipa-adtrust-install so
they are always correct on the trust controllers, but since
ipa-adtrust-install isn't run on trust agents themselves, no changes
are done to cn=config there. We need to solve this somehow, via some kind of
remote call similar to how the replica connectivity check is done.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland