Re: [Freeipa-devel] [PATCH] 329 real services

2009-12-11 Thread Jason Gerard DeRose
On Mon, 2009-12-07 at 23:21 -0500, Rob Crittenden wrote:
> Make the IPA server host and its services "real" IPA entries
> 
> We use kadmin.local to bootstrap the creation of the kerberos principals 
> for the IPA server machine: host, HTTP and ldap. This works fine and has 
> the side-effect of protecting the services from modification by an admin 
> (which would likely break the server).
> 
> Unfortunately this also means that the services can't be managed by 
> useful utilities such as certmonger. So we have to create them as "real" 
> services instead.
> 
> This is a relatively manual process so if the schema for hosts or 
> services changes this may require updates as well.
> 
> There remains a minor problem. If you create a replica, during the 
> installation of that replica it will create host and service entries 
> too. But if you retire this replica those entries will remain. The next 
> time you try to install the replica it will fail with duplicate entries. 
> I'll address this in the future as the easy workaround is to run `ipa 
> host-del replica.example.com` and re-install the replica.
> 
> rob

ack.  pushed to master.

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 329 real services

2009-12-07 Thread Rob Crittenden

Make the IPA server host and its services "real" IPA entries

We use kadmin.local to bootstrap the creation of the kerberos principals 
for the IPA server machine: host, HTTP and ldap. This works fine and has 
the side-effect of protecting the services from modification by an admin 
(which would likely break the server).

Unfortunately this also means that the services can't be managed by 
useful utilities such as certmonger. So we have to create them as "real" 
services instead.

This is a relatively manual process so if the schema for hosts or 
services changes this may require updates as well.

There remains a minor problem. If you create a replica, during the 
installation of that replica it will create host and service entries 
too. But if you retire this replica those entries will remain. The next 
time you try to install the replica it will fail with duplicate entries. 
I'll address this in the future as the easy workaround is to run `ipa 
host-del replica.example.com` and re-install the replica.

rob

Attachment: freeipa-329-services.patch (application/mbox)
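The workaround described in the message above (delete the retired replica's host entry, then re-install) as a small script. This is an added example, not code from the FreeIPA project or from the patch; it assumes the `ipa` CLI is on PATH with an admin Kerberos ticket, that the replica's own principals are host/, HTTP/ and ldap/ (the three named in the message), and that `ipa host-show` and `ipa service-show` exit non-zero when an entry does not exist. It also adds the check a practitioner wants once the server's own entries are "real": refuse to delete the entries of the machine the script runs on.

```shell
#!/bin/sh
# Added example, not FreeIPA project code: find and remove the host and service
# entries a retired replica left behind, so ipa-replica-install does not fail on
# duplicate entries. Assumes the `ipa` CLI on PATH and an admin ticket (kinit admin).

# Service principals a replica install creates for its own host
# (assumption: the two named in the original message besides host/).
REPLICA_SERVICES="HTTP ldap"

# Print one line per entry that still exists for FQDN and would collide with a
# fresh replica install: "host:FQDN" and "service:SVC/FQDN".
stale_replica_entries() {
    fqdn=$1
    # host-show exits non-zero when the host entry does not exist
    if ipa host-show "$fqdn" >/dev/null 2>&1; then
        echo "host:$fqdn"
    fi
    for svc in $REPLICA_SERVICES; do
        # service-show accepts the principal without the @REALM suffix
        if ipa service-show "$svc/$fqdn" >/dev/null 2>&1; then
            echo "service:$svc/$fqdn"
        fi
    done
}

# Delete the stale entries for FQDN: services first, then the host entry.
# Refuses to touch the machine it runs on: the server's own host, HTTP and
# ldap entries are now ordinary IPA entries, and deleting them breaks the server.
remove_stale_replica_entries() {
    fqdn=$1
    local_fqdn=$(hostname -f 2>/dev/null || true)
    if [ "$fqdn" = "$local_fqdn" ]; then
        echo "refusing to delete the entries of this server ($fqdn)" >&2
        return 1
    fi
    stale_replica_entries "$fqdn" | while IFS=: read -r kind name; do
        case $kind in
            service) ipa service-del "$name" ;;
        esac
    done
    if ipa host-show "$fqdn" >/dev/null 2>&1; then
        ipa host-del "$fqdn"
    fi
}

# Usage: retired-replica.sh check|remove replica.example.com
if [ $# -eq 2 ]; then
    case $1 in
        check)  stale_replica_entries "$2" ;;
        remove) remove_stale_replica_entries "$2" ;;
        *)      echo "usage: $0 check|remove FQDN" >&2; exit 2 ;;
    esac
fi
```

Run `check` first and read the list before running `remove`; the only thing that distinguishes a stale replica from a live one in the directory is that you know it was retired. Later FreeIPA releases do this clean-up themselves when a replica is removed with `ipa-replica-manage del`, and current `ipa host-del` also removes the services of the deleted host, so the explicit `service-del` calls are harmless there.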