[Freeipa-devel] [PATCH] 273 join a host to an IPA domain
Pavel Zuna
pzuna at redhat.com
Tue Sep 15 12:09:42 UTC 2009
Rob Crittenden wrote:
> NOTE, this patch replaces a previous patch to do the same thing. I fixed
> a few problems Simo pointed out and re-based it against the current master.
>
> This largish patch adds host enrollment. There are several scenarios
> that are covered. All of these assume that the IPA client machine has
> already been set up (ipa-client-install):
>
> 1. Full admin enrollment. This will create the host entry, a host/
> service principal and a keytab for that principal in /etc/krb5.keytab.
>
> 2. Junior admin enrollment. There are lots of levels of delegation
> possible here, but at a minimum they would be able to enroll an existing
> host by creating the service principal and keytab. Additional rights
> such as adding a host could be added as well.
>
> 3. Bulk enrollment. If a host entry is pre-created by another admin and
> it contains an enrollment password (in the userPassword attribute) then
> an LDAP-based enrollment can take place. The client binds as the host
> and generates a keytab for itself.
>
> One really significant change is I've switched to openldap as the LDAP
> client. Doing SSL with mozldap would have required a significant amount
> of more code (because we can't assume there is already an NSS db lying
> around that trusts the IPA CA).
>
> I didn't completely disable the mozldap option but by default things
> will build with openldap now.
>
> This also adds a first pass at Get Effective Rights support. This is so
> we can know in advance if an operation would succeed and makes things
> generally nicer.
>
> rob
Looking good!
I noticed it makes changes to the host plugin and since this is probably going
to get into the tree first: here's an updated version of my host plugin patch.
Pavel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-the-host-plugin-use-baseldap-classes.patch
Type: application/mbox
Size: 14146 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20090915/e79b97b3/attachment.mbox>