[Freeipa-devel] [PATCH] 273 join a host to an IPA domain
Rob Crittenden
rcritten at redhat.com
Mon Sep 14 21:07:33 UTC 2009
NOTE, this patch replaces a previous patch to do the same thing. I fixed
a few problems Simo pointed out and re-based it against the current master.

This largish patch adds host enrollment. There are several scenarios
that are covered. All of these assume that the IPA client machine has
already been set up (ipa-client-install):

1. Full admin enrollment. This will create the host entry, a host/
service principal and a keytab for that principal in /etc/krb5.keytab.

2. Junior admin enrollment. There are lots of levels of delegation
possible here, but at a minimum they would be able to enroll an existing
host by creating the service principal and keytab. Additional rights
such as adding a host could be added as well.

3. Bulk enrollment. If a host entry is pre-created by another admin and
it contains an enrollment password (in the userPassword attribute) then
an LDAP-based enrollment can take place. The client binds as the host
and generates a keytab for itself.

One really significant change is I've switched to openldap as the LDAP
client. Doing SSL with mozldap would have required a significant amount
more code (because we can't assume there is already an NSS db lying
around that trusts the IPA CA).

I didn't completely disable the mozldap option but by default things
will build with openldap now.

This also adds a first pass at Get Effective Rights support. This is so
we can know in advance if an operation would succeed and makes things
generally nicer.

rob
-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-273-join.patch
Type: application/mbox
Size: 79093 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090914/3dd24387/attachment.mbox>