Re: [Freeipa-devel] [PATCH] 273 join a host to an IPA domain
On 09/24/2009 07:58 PM, Jason Gerard DeRose wrote:
> ack. pushed to master.

Oops, perhaps too late, but I'd like to NAK this patch. I've been using the code in ipa-join.c as an example and have discovered several problems with the use of the xmlrpc-c library, which by the way I truly dislike. I'm going to wait until I've got my xmlrpc-c code working to my satisfaction before I post the issues.

-- 
John Dennis

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 273 join a host to an IPA domain
ack. pushed to master.

This patch was missing a "BuildRequires: xmlrpc-c-devel", which I fixed in my attached patch. I pushed it to master under the 1-line rule.

On Mon, 2009-09-14 at 17:07 -0400, Rob Crittenden wrote:
> NOTE, this patch replaces a previous patch to do the same thing. I fixed
> a few problems Simo pointed out and re-based it against the current master.
>
> This largish patch adds host enrollment. There are several scenarios
> that are covered. All of these assume that the IPA client machine has
> already been set up (ipa-client-install):
>
> 1. Full admin enrollment. This will create the host entry, a host/
> service principal and a keytab for that principal in /etc/krb5.keytab.
>
> 2. Junior admin enrollment. There are lots of levels of delegation
> possible here, but at a minimum they would be able to enroll an existing
> host by creating the service principal and keytab. Additional rights
> such as adding a host could be added as well.
>
> 3. Bulk enrollment. If a host entry is pre-created by another admin and
> it contains an enrollment password (in the userPassword attribute) then
> an LDAP-based enrollment can take place. The client binds as the host
> and generates a keytab for itself.
>
> One really significant change is I've switched to openldap as the LDAP
> client. Doing SSL with mozldap would have required a significant amount
> of more code (because we can't assume there is already an NSS db lying
> around that trusts the IPA CA).
>
> I didn't completely disable the mozldap option but by default things
> will build with openldap now.
>
> This also adds a first pass at Get Effective Rights support. This is so
> we can know in advance if an operation would succeed and makes things
> generally nicer.
>
> rob

From e2ecf02822867170e3b4f19f5ba749d3c94d899c Mon Sep 17 00:00:00 2001
From: Jason Gerard DeRose
Date: Thu, 24 Sep 2009 17:49:16 -0600
Subject: [PATCH] Added BuildRequires: xmlrpc-c-devel

---
 ipa.spec.in |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/ipa.spec.in b/ipa.spec.in
index 713a4c5..2408b07 100644
--- a/ipa.spec.in
+++ b/ipa.spec.in
@@ -38,6 +38,7 @@ BuildRequires: policycoreutils >= %{POLICYCOREUTILSVER}
 BuildRequires: python-cherrypy
 BuildRequires: python-setuptools
 BuildRequires: python-krbV
+BuildRequires: xmlrpc-c-devel
 
 %description
 IPA is an integrated solution to provide centrally managed Identity (machine,
-- 
1.6.0.4
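Review bot: the added `BuildRequires: xmlrpc-c-devel` line carries no version floor, while the policycoreutils entry visible in the hunk header pins one with `>= %{POLICYCOREUTILSVER}`; since ipa-join.c is built against the xmlrpc-c client API and John Dennis reports problems with how that library is used later in this thread, consider `BuildRequires: xmlrpc-c-devel >= <minimum tested version>` (placeholder, the thread does not state a version) so rpmbuild fails early on an older xmlrpc-c rather than at link or run time. Also worth confirming, since the parent patch switches ipa-join to openldap as the LDAP client: the spec needs a matching openldap-devel BuildRequires, which this one-line patch does not add and which lies outside the visible hunk.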
Re: [Freeipa-devel] [PATCH] 273 join a host to an IPA domain
Pavel Zuna wrote:
> Rob Crittenden wrote:
>> NOTE, this patch replaces a previous patch to do the same thing. I fixed
>> a few problems Simo pointed out and re-based it against the current master.
>>
>> This largish patch adds host enrollment. There are several scenarios
>> that are covered. All of these assume that the IPA client machine has
>> already been set up (ipa-client-install):
>>
>> 1. Full admin enrollment. This will create the host entry, a host/
>> service principal and a keytab for that principal in /etc/krb5.keytab.
>>
>> 2. Junior admin enrollment. There are lots of levels of delegation
>> possible here, but at a minimum they would be able to enroll an existing
>> host by creating the service principal and keytab. Additional rights
>> such as adding a host could be added as well.
>>
>> 3. Bulk enrollment. If a host entry is pre-created by another admin and
>> it contains an enrollment password (in the userPassword attribute) then
>> an LDAP-based enrollment can take place. The client binds as the host
>> and generates a keytab for itself.
>>
>> One really significant change is I've switched to openldap as the LDAP
>> client. Doing SSL with mozldap would have required a significant amount
>> of more code (because we can't assume there is already an NSS db lying
>> around that trusts the IPA CA).
>>
>> I didn't completely disable the mozldap option but by default things
>> will build with openldap now.
>>
>> This also adds a first pass at Get Effective Rights support. This is so
>> we can know in advance if an operation would succeed and makes things
>> generally nicer.
>>
>> rob
>
> Looking good! I noticed it makes changes to the host plugin and since
> this is probably going to get into the tree first: here's an updated
> version of my host plugin patch.
>
> Pavel

Oops! Bad patch.

Pavel

Attachment: 0001-Make-the-host-plugin-use-baseldap-classes.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 273 join a host to an IPA domain
Rob Crittenden wrote:
> NOTE, this patch replaces a previous patch to do the same thing. I fixed
> a few problems Simo pointed out and re-based it against the current master.
>
> This largish patch adds host enrollment. There are several scenarios
> that are covered. All of these assume that the IPA client machine has
> already been set up (ipa-client-install):
>
> 1. Full admin enrollment. This will create the host entry, a host/
> service principal and a keytab for that principal in /etc/krb5.keytab.
>
> 2. Junior admin enrollment. There are lots of levels of delegation
> possible here, but at a minimum they would be able to enroll an existing
> host by creating the service principal and keytab. Additional rights
> such as adding a host could be added as well.
>
> 3. Bulk enrollment. If a host entry is pre-created by another admin and
> it contains an enrollment password (in the userPassword attribute) then
> an LDAP-based enrollment can take place. The client binds as the host
> and generates a keytab for itself.
>
> One really significant change is I've switched to openldap as the LDAP
> client. Doing SSL with mozldap would have required a significant amount
> of more code (because we can't assume there is already an NSS db lying
> around that trusts the IPA CA).
>
> I didn't completely disable the mozldap option but by default things
> will build with openldap now.
>
> This also adds a first pass at Get Effective Rights support. This is so
> we can know in advance if an operation would succeed and makes things
> generally nicer.
>
> rob

Looking good! I noticed it makes changes to the host plugin and since this is probably going to get into the tree first: here's an updated version of my host plugin patch.

Pavel

Attachment: 0001-Make-the-host-plugin-use-baseldap-classes.patch (application/mbox)
Re: [Freeipa-devel] [PATCH] 273 join a host to an IPA domain
Rob Crittenden wrote:
> NOTE, this patch replaces a previous patch to do the same thing. I
> fixed a few problems Simo pointed out and re-based it against the
> current master.
>
> This largish patch adds host enrollment. There are several scenarios
> that are covered. All of these assume that the IPA client machine has
> already been set up (ipa-client-install):
>
> 1. Full admin enrollment. This will create the host entry, a host/
> service principal and a keytab for that principal in /etc/krb5.keytab.
>
> 2. Junior admin enrollment. There are lots of levels of delegation
> possible here, but at a minimum they would be able to enroll an
> existing host by creating the service principal and keytab. Additional
> rights such as adding a host could be added as well.
>
> 3. Bulk enrollment. If a host entry is pre-created by another admin
> and it contains an enrollment password (in the userPassword attribute)
> then an LDAP-based enrollment can take place. The client binds as the
> host and generates a keytab for itself.
>
> One really significant change is I've switched to openldap as the LDAP
> client. Doing SSL with mozldap would have required a significant
> amount of more code (because we can't assume there is already an NSS
> db lying around that trusts the IPA CA).
>
> I didn't completely disable the mozldap option but by default things
> will build with openldap now.
>
> This also adds a first pass at Get Effective Rights support. This is
> so we can know in advance if an operation would succeed and makes
> things generally nicer.
>
> rob

GREAT!!!

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.