On 11/11/2011 03:40 PM, Simo Sorce wrote:
On Fri, 2011-11-11 at 16:17 +0200, Alexander Bokovoy wrote:
On Fri, 11 Nov 2011, Stephen Gallagher wrote:
I just installed Fedora 16 and noticed that there now was an option for
using FreeIPA as authentication database. Awesome!
But why the normal ldap/kerberos options that met me when I chose
FreeIPA (see the attachment). I was picturing auto-detection, and just a
username and password, same as the simplified CLI installer.
Is this on the roadmap for the Fedora/RHEL installer?
And, what about IPA options for the "auth" kickstart directive?
That has actually been there since Fedora 14, and it's meant for use
with FreeIPA v1, not v2. We do need to do something about that for F17,
Should installer schedule running ipa-client-install and enroll the
machine? Many options can be re-used from the installer itself
(hostname is known at this point, as well as how network was
configured), so there is a handful of things to discover.
Hostname in many cases will probably be wrong (left to default
localhost.localdomain) so we should detect if the host name is in the
same domain as the ipa server and ask if the user wouldn't want to
change it (suggesting the 'right' one). We would have to refuse to
proceed if the hostname is localhost.localdomain or any combination
where the host part is localhost and the domain part is localdomain.
Though I would get discovery part of the ipa-client-install reused
here -- like finding out kerberos setup via DNS and if that fails,
show UI to enter all additional details, then schedule
The other problem here is that you may not have admin credentials.
We will need to support using an enrollment password as well as just
skip the join but otherwise configure the rest to work, and tell the
user to call the admin to complete the join later (or maybe just skip it
I don't use the $ currency, but here's my 0.02 NOK. :)
Keep it simple.
If the hostname is not resolvable and not specified as a known IPA DNS
domain -> fail with error message.
Not enough permissions to complete enrollment -> fail with error message.
Freeipa-users mailing list
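
The host name pre-check discussed in this thread (refuse the installer default, suggest a name in the IPA domain otherwise), sketched as an added example; it is not code from any of the posters or from ipa-client-install. The function name, the verdict strings, the treatment of `localhost4`/`localhost6` variants and of subdomains as "in the domain", and the sample names are all assumptions.

```python
import re

# Hypothetical helper for this example; not part of ipa-client-install.
_LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")
# Assumed reading of "any combination" of the installer defaults.
_DEFAULT_HOSTS = {"localhost", "localhost4", "localhost6"}
_DEFAULT_DOMAINS = {"", "localdomain", "localdomain4", "localdomain6"}


def check_enroll_hostname(hostname, ipa_domain):
    """Return (verdict, name); verdict is 'ok', 'suggest' or 'refuse'.

    'ok'      -> host name is already inside the IPA domain
    'suggest' -> ask the user; name is the proposed replacement
    'refuse'  -> installer default or not a usable DNS name
    """
    name = hostname.strip().rstrip(".").lower()
    domain = ipa_domain.strip().strip(".").lower()
    if not domain:
        raise ValueError("IPA domain must be known before this check")
    labels = name.split(".")
    if not all(_LABEL.fullmatch(label) for label in labels):
        return ("refuse", name)  # empty, or contains an invalid label
    host, rest = labels[0], ".".join(labels[1:])
    if host in _DEFAULT_HOSTS and rest in _DEFAULT_DOMAINS:
        return ("refuse", name)  # e.g. localhost.localdomain
    # Match on a label boundary so "notexample.com" is not taken
    # for a member of "example.com".
    if rest == domain or rest.endswith("." + domain):
        return ("ok", name)
    return ("suggest", host + "." + domain)


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for candidate in ("localhost.localdomain", "web1", "web1.example.com",
                      "web1.notexample.com", "bad_host.example.com"):
        print(candidate, "->", check_enroll_hostname(candidate, "example.com"))
```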