On Fri, 2011-11-11 at 16:17 +0200, Alexander Bokovoy wrote:
> On Fri, 11 Nov 2011, Stephen Gallagher wrote:
> > > I just installed Fedora 16 and noticed that there now was an option for
> > > using FreeIPA as autentication database. Awesome!
> > >
> > > But why the normal ldap/kerberos options that met me when I chose
> > > FreeIPA (see the attachment). I was picturing auto-detection, and just a
> > > username and password, same as the simplified CLI installer.
> > >
> > > Is this on the roadmap for the Fedora/RHEL installer?
> > >
> > > And, what about IPA options for the "auth" kickstart directive?
> > >
> > That has actually been there since Fedora 14, and it's meant for use
> > with FreeIPA v1, not v2. We do need to do something about that for F17,
> > though.
> Should installer schedule running ipa-client-install and enroll the
> machine? Many options can be re-used from the installer itself
> (hostname is known at this point, as well as how network was
> configured), so there is handful of things to discover.
Hostname in many cases will probably be wrong (left to default
localhost.localdomain) so we should detect if the host name is in the
same domain as the ipa server and ask if the user wouldn't want to
change is (suggesting the 'right' one). We would have to refuse to
proceed if the hostname is localhost.localdomain or any combination
where the host part is localhost and the domain part is localdomain.
> Though I would get discovery part of the ipa-client-install reused
> here -- like finding out kerberos setup via DNS and if that fails,
> show UI to enter all additional details, then schedule
> actual enrollment.
The other problem here is that you may not have admin credentials.
We will need to support using an enrollment password as well as just
skip the join but otherwise configure the rest to work, and tell the
user to call the admin to complete the join later (or maybe just skip it
Simo Sorce * Red Hat, Inc * New York
Freeipa-users mailing list