On 04/28/2014 11:23 AM, Stephen Benjamin wrote:
>
> ----- Original Message -----
>> From: "Jakub Hrozek" <[email protected]>
>> To: [email protected]
>> Sent: Monday, April 28, 2014 10:55:16 AM
>> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
>>
>> On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote:
>>> ----- Original Message -----
>>>> From: "Jan Cholasta" <[email protected]>
>>>> To: "Martin Kosek" <[email protected]>, [email protected], "Stephen
>>>> Benjamin" <[email protected]>
>>>> Cc: [email protected]
>>>> Sent: Friday, April 25, 2014 9:44:37 AM
>>>> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
>>>> AFAIK you can use ldap sudo provider with IPA, see e.g.
>>>> <http://fedoraproject.org/wiki/QA:Testcase_freeipav3_sudo_sssd#Configure_SSSD>
>>> I got this working, and seems to work across recent Fedora releases too.
>>> This at least removes the requirement on using the old bind password
>>> method. Thanks!
>> In recent Fedora releases, where the IPA sudo provider is available, the
>> "legacy" LDAP provider should not be used. There might be problems with
>> enumeration for instance when combining two different providers.
> Can I have a link then to how this is setup? Do you also
> need the LDAP URL's, nisdomain, etc?
>
> Or is it just one setting and done?
>
>
>>> Is there a way for sssd to use _srv_ for the krb5_server line?
>> Yes, it should just work.
>>
>>> Here's an updated Kickstart snippet:
>>>
>>> https://github.com/stbenjam/community-templates/blob/freeipa-fixes/snippets/freeipa_register.erb
>>>
>>> If we know what the Syntax will be for sudo (or will it be default
>>> in 4.0?), then I can include the logic already not to do it manually.
>> Sorry, I'm not sure I understand the question? With recent enough
>> clients (6.6+, 7.0+, any supported Fedora) you should use
>> sudo_provider=ipa, with older ones you should use sudo_provider=ldap
> It's been mentioned elsewhere in the thread that the ipa-client-install
> in some feature version will do this, if that's the case I shouldn't be
> doing in a kickstart snippet.
>
> Will it be like automount: ipa-client-automount, or will it be an install
> flag? Does it exist yet?

It will be the default behaviour, that is, a flag will be available to
turn it *off* (--no-sudo).

Yes, patches are on review and close to being pushed (waiting for the CI
coverage), it will be the part of the next upstream release.

>
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org
