[Freeipa-devel] [PATCH] 249 host enrollment

Dmitri Pal dpal at redhat.com
Tue Aug 11 17:11:33 UTC 2009


Rob Crittenden wrote:
> This largish patch adds host enrollment. There are several scenarios
> that are covered. All of these assume that the IPA client machine has
> already been set up (ipa-client-install):
>
Does ipa-client-install bring admin utils?
What is its purpose?
I thought the sequence of operations would be somewhat (do not look at
the names, I do not expect them to be exactly as I put them):
yum install ipa-client-enrollment
ipa-enroll ...

The enroll will also do some configuration as it used to do in v1 but
other than that I expected the mentioned sequence.
I scanned quickly through the patch but was not able to see whether
things work as I expect or not.

> 1. Full admin enrollment. This will create the host entry, a host/
> service principal and a keytab for that principal in /etc/krb5.keytab.
>
> 2. Junior admin enrollment. There are lots of levels of delegation
> possible here, but at a minimum they would be able to enroll an
> existing host by creating the service principal and keytab. Additional
> rights such as adding a host could be added as well.
>
> 3. Bulk enrollment. If a host entry is pre-created by another admin
> and it contains an enrollment password (in the userPassword attribute)
> then an LDAP-based enrollment can take place. The client binds as the
> host and generates a keytab for itself.
>
> One really significant change is I've switched to openldap as the LDAP
> client. Doing SSL with mozldap would have required a significant
> amount of more code (because we can't assume there is already an NSS
> db lying around that trusts the IPA CA).
>
> I didn't completely disable the mozldap option but by default things
> will build with openldap now.
>
> This also adds a first pass at Get Effective Rights support. This is
> so we can know in advance if an operation would succeed and makes
> things generally nicer.
>
> rob


-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.

