[Freeipa-devel] [RFC] IPA "firstboot" UI

Rob Crittenden rcritten at redhat.com
Tue Jan 29 14:49:31 UTC 2008


Mark McLoughlin wrote:
> Hi,
> 	I wanted to get people's feedback on a proposal I have to replace the
> questions currently asked on the command line by ipa-server-install with
> a "firstboot" type web UI.
> 
> 	The basic idea would be that you'd run ipa-server-install with no
> arguments and then use the firstboot web UI to configure the realm name,
> administrator password and hostname (if needed).
> 
> 	The reason I'm looking to do this is for an IPA appliance - the first
> time a user boots the appliance they would use this UI instead of
> running ipa-server-install. However, I think this is a much model for
> first-time configuration for IPA as a whole.
> 
> 	The changes I'm proposing to support this include:
> 
>   - ipa-server-install will set up the directory server, apache and the 
>     web UI
> 
>   - The realm name, hostname, etc. configuration should be stored in 
>     the directory server in cn=config,dc=IPA
> 
>   - The web UI will merely modify this configuration in the directory
> 
>   - A daemon will run as root, watch the directory for any 
>     configuration changes and apply those changes to the system
> 
>   - So, e.g. the firstboot UI code will set the ipaRealmName attribute 
>     and the daemon will create that realm
> 
>   - In the future a UI will also be added to support changing the realm 
>     name at a later stage
> 
>   - Also in the future I hope to be able to add some system 
>     configuration to the UI e.g. timezone, networking etc. and this 
>     would be implemented using the same mechanism
> 
> 	I've uploaded my rough patches for people to look at rather than
> spamming the list, but I lamely failed to quickly publish these patches
> as a nice mercurial repo which could be easily used with mq, so here's
> how to apply them:
> 
>   $> hg clone http://hg.fedoraproject.org/hg/freeipa ipa-firstboot
>   $> mkdir -p ipa-firstboot/.hg/patches
>   $> cd ipa-firstboot/.hg/patches
>   $> wget http://markmc.fedorapeople.org/ipa/ipa-firstboot-patches/series
>   $> grep '^[^#]' series | xargs -i wget http://markmc.fedorapeople.org/ipa/ipa-firstboot-patches/{}
>   $> hg qpush -a
> 
> 	To try it out, run ipa-server-install and login connect to
> http://master.example.com/firstboot
> 
> 	I've also posted a TODO list here:
> 
>   http://markmc.fedorapeople.org/ipa/ipa-firstboot-patches/TODO
> 
> 	Any and all feedback welcome ... I'm hoping to have this in 1.2.
> 
> Thanks,
> Mark.

I'm having problems with this.

First a couple of questions. I know the UI is still rough but:

- Why ask for both hostname and IP address?
- A realm is typically upper-case, are you automatically doing this?

Once I click on Next I end up at the IPA page which results in a failed 
login because I don't have a ticket yet.

I can't get a ticket at the command-line either, I get:

kinit(v5): Preauthentication failed while getting initial credentials

I think I like the naming convention. I don't think we really need to 
stomp all over other DS instances. If they are using our ports then we 
should be able to detect that now.

Simo, should we switch the instance naming to slapd-IPA from slapd-REALM 
and stop removing all existing instances (except perhaps, for ours)?

rob