Bug 464903
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Update to support centralized authentication server | | |
| Product: | [Fedora] Fedora | Reporter: | Tomas Mraz <tmraz> |
| Component: | authconfig | Assignee: | Orphan Owner <extras-orphan> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | gdeschner, jfenal, sgallagh, sgrubb, ssorce, tmraz |
| Target Milestone: | --- | Keywords: | FutureFeature |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Enhancement |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-05-28 12:51:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 239055 | | |
Description: Tomas Mraz, 2008-10-01 09:46:46 UTC
Tomas, I'd be happy to work with you on this. Here are a few starting points. I will describe the current state (v1.1) and give some comments on the future plans (v2).

1) Autodetection in FreeIPA v1.1 (the current version in Fedora 8, 9, 10b) is limited to special DNS entries. Examples of how to set up DNS are available at http://www.freeipa.com/page/IpaConcepts#IPA_and_DNS

2) IPA v1.1 provides only three services right now.
   a. LDAP - IPA provides authentication by using nss_ldap, the same way that configuring LDAP authentication in authconfig works now.
   b. Kerberos 5 - IPA provides Kerberos 5 authentication exactly as done in authconfig right now.
   c. NTP - IPA configures the client to use the IPA server as the authority for NTP synchronization, for the benefit of Kerberos authentication.

3) IPA v2 will have a number of new services and change the way that authentication is handled.
   a. The client machine itself will be enrolled in IPA and be given a Kerberos keytab as well as service principals.
   b. New PAM and NSS modules will be included to handle authentication/authorization.

As such, IPA v2 will drastically change the needs of authconfig.

Recommendations: I am assuming that authconfig is being run after the package ipa-client is available, along with its dependencies.

1) Query the DNS for the existence of _kerberos._tcp.domain.com SRV and _ldap.domain.com SRV. This is the same way that the ipa-client-install tool discovers an IPA server.

2) Make use of the ipa-client-install tool. It can be called with the following syntax to directly enroll a PC into IPA:

    /usr/sbin/ipa-client-install -U [--domain=example.com] [--server=ipamaster.example.com] [--realm=EXAMPLE.COM]

If --domain, --server and --realm are omitted, these fields will be populated by the following algorithm: the longest DNS suffix of the hostname that satisfies a lookup of _SERVICE.domain.com (so host.sub.domain.com would check _ldap.sub.domain.com and then _ldap.domain.com) where SERVICE is ldap._tcp, kerberos and kerberos._udp, respectively.

If you have any other questions, please feel free to ask.

This package has changed maintainer in Fedora. Reassigning to the new maintainer of this component.

Authconfig has been replaced by authselect.
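The longest-suffix SRV discovery described in the comment, as an added example that is not part of the bug report or of ipa-client-install itself: it walks the hostname's DNS suffixes longest-first and stops at the first one carrying the IPA SRV records. `FAKE_ZONE` and `fake_lookup` are a constructed in-memory zone so it runs offline, and defaulting the realm to the upper-cased domain is an assumption the comment does not state.

```python
# Added example (not from the bug or from ipa-client-install): longest-suffix
# DNS SRV discovery of the IPA domain/server, against a constructed zone.
from typing import Callable, Dict, List, Optional, Tuple

SrvRecord = Tuple[int, int, int, str]         # (priority, weight, port, target)
SrvLookup = Callable[[str], List[SrvRecord]]  # name -> records ([] if none)

# Constructed zone data: sub.example.com carries no IPA records, example.com does.
FAKE_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.example.com":     [(0, 100, 389, "ipamaster.example.com."),
                                   (10, 50, 389, "ipareplica.example.com.")],
    "_kerberos._tcp.example.com": [(0, 100, 88, "ipamaster.example.com.")],
    "_kerberos._udp.example.com": [(0, 100, 88, "ipamaster.example.com.")],
}

def fake_lookup(name: str) -> List[SrvRecord]:
    """Hypothetical resolver stub; replace with a real SRV query in practice."""
    return FAKE_ZONE.get(name.rstrip(".").lower(), [])

def candidate_domains(hostname: str) -> List[str]:
    """Suffixes of the FQDN, longest first, skipping the host label and the bare TLD.
    host.sub.example.com -> ['sub.example.com', 'example.com']"""
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(1, len(labels) - 1)]

def best_target(records: List[SrvRecord]) -> Tuple[str, int]:
    """RFC 2782 preference: lowest priority first, then highest weight."""
    _pri, _wgt, port, target = sorted(records, key=lambda r: (r[0], -r[1]))[0]
    return target.rstrip("."), port

def discover(hostname: str, lookup: SrvLookup = fake_lookup) -> Optional[Dict[str, str]]:
    """Values for --domain/--server/--realm when they are omitted, or None if no
    suffix of the hostname carries both the LDAP and Kerberos SRV records."""
    for domain in candidate_domains(hostname):
        ldap = lookup(f"_ldap._tcp.{domain}")
        kdc = lookup(f"_kerberos._tcp.{domain}") or lookup(f"_kerberos._udp.{domain}")
        if ldap and kdc:
            server, _port = best_target(ldap)
            # Realm = upper-cased domain is an assumption (not stated in the bug).
            # Everything here is unauthenticated DNS input: enrollment must still
            # verify the server's identity (Kerberos/TLS) before trusting it.
            return {"domain": domain, "server": server,
                    "realm": domain.upper(), "kdc": best_target(kdc)[0]}
    return None

if __name__ == "__main__":
    print(discover("host.sub.example.com"))
```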