[Freeipa-devel] [PATCH] 664 entitlement support

Dmitri Pal dpal at redhat.com
Wed Jan 5 17:18:57 UTC 2011


Rob Crittenden wrote:
> This patch adds a plugin and tools for managing entitlements for host
> machines.
>
> Testing is rather complex so I've attached a script to help set up the
> Candlepin server. You'll need to ping me out of band for the backend
> data. This configures the Candlepin server with an in-memory database
> so any time tomcat6 is restarted you'll need to reload the data.
>
> You have to run candlepin.setup as root. This will configure your
> Fedora tomcat6 instance.
>
> Once your candlepin server is setup and IPA is installed do something
> like:
>
> $ ipa entitle-register admin
> (password is admin)
>
> $ ipa entitle-consume 25
>
> $ ipa entitle-status
> (verify that it is 25)
>
> # ipa-compliance
> (should be 1 of 50)
>
> Our tools can consume only, not return entitlements.
>
> tickets 28, 79 and 278.
>
> rob
Does the patch include all items from ticket 79? Should we split the
ticket, especially third bullet and treat it separately? Is it
addressed, do we still plan to provide a query in the docs?
Once Nalin created something like this:

Date comparisons in LDAP search filters compare using the ISO
representation of the time, given in YYYYMMDDHHMMSSZ form, which is more
or less what they look like on the wire.  For example, search for people
hired at Red Hat since Sunday:

  ldapsearch -x -h ldap.corp.redhat.com -b dc=redhat,dc=com \
  	"(rhathiredate>=201004110000Z)" cn

The KDC (in 1.8 and later) will update krbLastSuccessfulAuth,
krbLastFailedAuth, and krbLoginFailedCount when a client attempts to
authenticate, so I expect that the search filter would look something
like this:

  "(&(|(krbLastFailedAuth>=201004110000Z)(krbLastSuccessfulAuth>=201004110000Z))(krbPrincipalName=*))"

Keep in mind that we probably don't index either "krbLastFailedAuth" or
"krbLastSuccessfulAuth" for searching, so the search would probably take
a while to run.


======================================
Does the patch include cron job to run license check and log into the
syslog the results if you are out of compliance?
Does it count the servers and the clients, i.e. all the entries that have
a host principal and a keytab?
I have seen a FIXME comment in one of the patches below. Is this
intended or an omission?




-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
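The search-filter idea Nalin describes above (comparing krbLastFailedAuth / krbLastSuccessfulAuth against a GeneralizedTime value) is easy to get subtly wrong: the timestamp has to be UTC, in YYYYMMDDHHMMSSZ form, and the value has to be escaped before it goes into the filter. The following is an added example, not code from the patch, FreeIPA or Candlepin: it builds that filter from a Python datetime and applies the same ">=" comparison locally to a few constructed directory entries, which is a convenient way to sanity-check what the real ldapsearch would return before running an unindexed query against a production directory. Attribute names come from the message; the sample principals and timestamps are constructed.

```python
from datetime import datetime, timezone

# Attributes the KDC (1.8 and later) updates on each authentication attempt,
# as described in the message above.
AUTH_ATTRS = ("krbLastFailedAuth", "krbLastSuccessfulAuth")


def to_generalized_time(dt):
    """Render an aware datetime as LDAP GeneralizedTime in UTC: YYYYMMDDHHMMSSZ."""
    if dt.tzinfo is None:
        raise ValueError("naive datetime; pass a timezone-aware value")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter (\\2a for '*', etc.)."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def recent_auth_filter(since, attrs=AUTH_ATTRS):
    """Build the filter from the message: any listed attribute >= `since`,
    restricted to entries that carry a Kerberos principal."""
    stamp = escape_filter_value(to_generalized_time(since))
    ors = "".join("(%s>=%s)" % (attr, stamp) for attr in attrs)
    return "(&(|%s)(krbPrincipalName=*))" % ors


def parse_generalized_time(value):
    """Accept both the seconds form (YYYYMMDDHHMMSSZ) and the minutes form
    (YYYYMMDDHHMMZ) used in the ldapsearch example above."""
    for fmt in ("%Y%m%d%H%M%SZ", "%Y%m%d%H%MZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("not an LDAP GeneralizedTime: %r" % value)


def entries_active_since(entries, since, attrs=AUTH_ATTRS):
    """Evaluate the same filter semantics against in-memory entries (dicts of
    attribute -> string value); returns the matching principal names."""
    hits = []
    for entry in entries:
        if "krbPrincipalName" not in entry:
            continue  # the (krbPrincipalName=*) clause
        if any(attr in entry and parse_generalized_time(entry[attr]) >= since
               for attr in attrs):
            hits.append(entry["krbPrincipalName"])
    return hits


# Constructed sample entries (hypothetical hosts and users, not real data).
SAMPLE_ENTRIES = [
    {"krbPrincipalName": "host/ipa1.example.test@EXAMPLE.TEST",
     "krbLastSuccessfulAuth": "20100412083000Z"},          # after the cutoff
    {"krbPrincipalName": "admin@EXAMPLE.TEST",
     "krbLastFailedAuth": "201004110000Z"},                # exactly at the cutoff
    {"krbPrincipalName": "host/old.example.test@EXAMPLE.TEST",
     "krbLastSuccessfulAuth": "20100301120000Z"},          # stale
    {"cn": "no-principal", "krbLastSuccessfulAuth": "20100412000000Z"},
    {"krbPrincipalName": "host/never.example.test@EXAMPLE.TEST"},
]

SINCE = datetime(2010, 4, 11, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(recent_auth_filter(SINCE))
    print(entries_active_since(SAMPLE_ENTRIES, SINCE))
```

The local evaluation is only a model of the server-side comparison; it exists so the filter string can be checked against known entries first. Nalin's caveat still applies: without an index on the two krbLast* attributes the real search is a full scan, so run it off-hours or against a replica.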





