Rob Crittenden wrote:
> This largish patch adds host enrollment. There are several scenarios
> that are covered. All of these assume that the IPA client machine has
> already been set up (ipa-client-install):
>

Does ipa-client-install bring admin utils? What is its purpose?
I thought the sequence of operations would be somewhat (do not look at the
names, I do not expect them to be exactly as I put them):

yum install ipa-client-enrollment
ipa-enroll ...

The enroll will also do some configuration as it used to do in v1, but
other than that I expected the mentioned sequence.
I scanned quickly through the patch but was not able to see whether
things work as I expect or not.

> 1. Full admin enrollment. This will create the host entry, a host/
> service principal and a keytab for that principal in /etc/krb5.keytab.
>
> 2. Junior admin enrollment. There are lots of levels of delegation
> possible here, but at a minimum they would be able to enroll an
> existing host by creating the service principal and keytab. Additional
> rights such as adding a host could be added as well.
>
> 3. Bulk enrollment. If a host entry is pre-created by another admin
> and it contains an enrollment password (in the userPassword attribute)
> then an LDAP-based enrollment can take place. The client binds as the
> host and generates a keytab for itself.
>
> One really significant change is I've switched to openldap as the LDAP
> client. Doing SSL with mozldap would have required a significant
> amount of more code (because we can't assume there is already an NSS
> db lying around that trusts the IPA CA).
>
> I didn't completely disable the mozldap option but by default things
> will build with openldap now.
>
> This also adds a first pass at Get Effective Rights support. This is
> so we can know in advance if an operation would succeed and makes
> things generally nicer.
>
> rob
>
> _______________________________________________
> Freeipa-devel mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-devel

-- 
Thank you,
Dmitri Pal

Engineering Manager IPA project,
Red Hat Inc.
