[Freeipa-devel] [PATCH] 273 join a host to an IPA domain

Rob Crittenden rcritten at redhat.com
Mon Sep 14 21:07:33 UTC 2009


NOTE, this patch replaces a previous patch to do the same thing. I fixed 
a few problems Simo pointed out and re-based it against the current master.

This largish patch adds host enrollment. There are several scenarios 
that are covered. All of these assume that the IPA client machine has 
already been set up (ipa-client-install):

1. Full admin enrollment. This will create the host entry, a host/ 
service principal and a keytab for that principal in /etc/krb5.keytab.

2. Junior admin enrollment. There are lots of levels of delegation 
possible here, but at a minimum they would be able to enroll an existing 
host by creating the service principal and keytab. Additional rights 
such as adding a host could be added as well.

3. Bulk enrollment. If a host entry is pre-created by another admin and 
it contains an enrollment password (in the userPassword attribute) then 
an LDAP-based enrollment can take place. The client binds as the host 
and generates a keytab for itself.

One really significant change is I've switched to openldap as the LDAP 
client. Doing SSL with mozldap would have required a significant amount 
of additional code (because we can't assume there is already an NSS db lying 
around that trusts the IPA CA).

I didn't completely disable the mozldap option but by default things 
will build with openldap now.

This also adds a first pass at Get Effective Rights support. This is so 
we can know in advance if an operation would succeed and makes things 
generally nicer.

rob

-------------- next part --------------
A non-text attachment was scrubbed...
Name: freeipa-273-join.patch
Type: application/mbox
Size: 79093 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090914/3dd24387/attachment.mbox>
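
The pre-flight check that Get Effective Rights makes possible, as an added example that is not code from the patch or from FreeIPA: it parses a GER reply in the format 389 Directory Server returns (`entryLevelRights` / `attributeLevelRights`) and reports which attributes the bound identity cannot write. The sample entry, its DN and the set of attributes enrollment needs to write are assumptions made for illustration.

```python
# Constructed sample of one entry from a GER search; DN and rights are made up.
SAMPLE_LDIF = """\
dn: fqdn=client1.example.com,cn=computers,cn=accounts,dc=example,dc=com
entryLevelRights: v
attributeLevelRights: userPassword:rscwo, krbPrincipalName:rsc,
  krbPrincipalKey:none
"""


def parse_ger(ldif):
    """Return (entry_rights, {attr_lowercase: rights}) for one GER entry."""
    entry_rights, attr_rights = set(), {}
    # Unfold LDIF continuation lines (a newline followed by one space).
    for line in ldif.replace("\n ", "").splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        if name == "entrylevelrights":
            # Letters: a=add, d=delete, n=rename, v=view; "none" means no rights.
            entry_rights = set() if value == "none" else set(value)
        elif name == "attributelevelrights":
            # Comma-separated "attr:letters" pairs, e.g. "userPassword:rscwo".
            for item in value.split(","):
                attr, _, rights = item.strip().partition(":")
                attr_rights[attr.lower()] = (
                    set() if rights == "none" else set(rights))
    return entry_rights, attr_rights


def enrollment_precheck(ldif, needed=("krbPrincipalName", "krbPrincipalKey")):
    """Return the attributes in `needed` that lack the GER write right 'w'.

    An empty list means the write would be allowed. The default `needed`
    tuple is an assumption about what creating a principal and key touches.
    """
    _, attr_rights = parse_ger(ldif)
    return [a for a in needed if "w" not in attr_rights.get(a.lower(), set())]


if __name__ == "__main__":
    missing = enrollment_precheck(SAMPLE_LDIF)
    print("blocked on:", missing if missing else "nothing, safe to proceed")
```
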