----- Original Message -----
> From: "Jakub Hrozek" <jhro...@redhat.com>
> To: firstname.lastname@example.org
> Sent: Monday, April 28, 2014 10:55:16 AM
> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
> > ----- Original Message -----
> > > From: "Jan Cholasta" <jchol...@redhat.com>
> > > To: "Martin Kosek" <mko...@redhat.com>, d...@redhat.com, "Stephen
> > > Benjamin" <stben...@redhat.com>
> > > Cc: email@example.com
> > > Sent: Friday, April 25, 2014 9:44:37 AM
> > > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> > > AFAIK you can use ldap sudo provider with IPA, see e.g.
> > > <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
> > I got this working, and seems to work across recent Fedora releases too.
> > This at least removes the requirement on using the old bind password
> > method. Thanks!
> In recent Fedora releases, where the IPA sudo provider is available, the
> "legacy" LDAP provider should not be used. There might be problems with
> enumeration for instance when combining two different providers.
Can I have a link then to how this is setup? Do you also
need the LDAP URL's, nisdomain, etc?
Or is it just one setting and done?
> > Is there a way for sssd to use _srv_ for the krb5_server line?
> Yes, it should just work.
> > Here's an updated Kickstart snippet:
> > https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> > If we know what the Syntax will be for sudo (or will it be default
> > in 4.0?), then I can include the logic already not to do it manually.
> Sorry, I'm not sure I understand the question? With recent enough
> clients (6.6+, 7.0+, any supported Fedora) you should use
> sudo_provider=ipa, with older ones you should use sudo_provider=ldap
It's been mentioned elsewhere in the thread that the ipa-client-install
in some feature version will do this, if that's the case I shouldn't be
doing in a kickstart snippet.
Will it be like automount: ipa-client-automount, or will it be an install
flag? Does it exist yet?
Freeipa-users mailing list