----- Original Message -----
> From: "Jakub Hrozek" <jhro...@redhat.com>
> To: email@example.com
> Sent: Monday, April 28, 2014 10:55:16 AM
> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
>
> On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
> > ----- Original Message -----
> > > From: "Jan Cholasta" <jchol...@redhat.com>
> > > To: "Martin Kosek" <mko...@redhat.com>, d...@redhat.com, "Stephen Benjamin" <stben...@redhat.com>
> > > Cc: firstname.lastname@example.org
> > > Sent: Friday, April 25, 2014 9:44:37 AM
> > > Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> >
> > > AFAIK you can use ldap sudo provider with IPA, see e.g.
> > > <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
> >
> > I got this working, and seems to work across recent Fedora releases too.
> > This at least removes the requirement on using the old bind password
> > method. Thanks!
>
> In recent Fedora releases, where the IPA sudo provider is available, the
> "legacy" LDAP provider should not be used. There might be problems with
> enumeration for instance when combining two different providers.

Can I have a link then to how this is set up? Do you also need the LDAP URLs, nisdomain, etc? Or is it just one setting and done?

> >
> > Is there a way for sssd to use _srv_ for the krb5_server line?
>
> Yes, it should just work.
> >
> > Here's an updated Kickstart snippet:
> >
> > https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
> >
> > If we know what the Syntax will be for sudo (or will it be default
> > in 4.0?), then I can include the logic already not to do it manually.
>
> Sorry, I'm not sure I understand the question? With recent enough
> clients (6.6+, 7.0+, any supported Fedora) you should use
> sudo_provider=ipa, with older ones you should use sudo_provider=ldap

It's been mentioned elsewhere in the thread that the ipa-client-install in some future version will do this; if that's the case I shouldn't be doing it in a kickstart snippet. Will it be like automount: ipa-client-automount, or will it be an install flag? Does it exist yet?

_______________________________________________
Freeipa-users mailing list
Freeipaemail@example.com
https://www.redhat.com/mailman/listinfo/freeipa-users
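
Added example, not part of the original thread or of FreeIPA/SSSD: a small check that reads an sssd.conf and flags the combination warned about above, an IPA identity domain still using the legacy LDAP sudo provider. The sample configuration, the domain name `example.test`, the function name and the finding codes are all constructed for illustration; the check also assumes the sudo responder is enabled through the `services` line rather than socket activation.

```python
import configparser

# Constructed sample (not from the thread): an IPA domain that still uses
# the legacy LDAP sudo provider.
SAMPLE = """\
[sssd]
services = nss, pam, sudo
domains = example.test

[domain/example.test]
id_provider = ipa
sudo_provider = ldap
krb5_server = _srv_
"""


def audit_sudo_provider(conf_text):
    """Return (section, code) findings for the sudo settings in sssd.conf text."""
    # strict=False tolerates duplicate keys, which hand-edited files often have.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []

    # Assumption: the sudo responder is enabled via the [sssd] services line.
    services = cp.get("sssd", "services", fallback="")
    if "sudo" not in [s.strip() for s in services.split(",")]:
        findings.append(("sssd", "sudo-service-missing"))

    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        id_p = cp.get(section, "id_provider", fallback="").strip().lower()
        sudo_p = cp.get(section, "sudo_provider", fallback="").strip().lower()
        if id_p == "ipa" and sudo_p == "ldap":
            # Two different providers in one domain: review on clients where
            # the IPA sudo provider is available (6.6+, 7.0+, supported Fedora).
            findings.append((section, "legacy-ldap-sudo-on-ipa-domain"))
    return findings


if __name__ == "__main__":
    for section, code in audit_sudo_provider(SAMPLE):
        print(f"[{section}] {code}")
```

On older clients, where the thread says `sudo_provider=ldap` is still the right choice, the second finding is expected and can be ignored.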