Bug 753120
Summary: | RFE: IPAv2 Support for graphical installer and as kickstart option | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Sigbjorn Lie <sigbjorn> |
Component: | authconfig | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 16 | CC: | abokovoy, anaconda-maint-list, bcook, dpal, jonathan, sgallagh, tmraz, vanmeeuwen+fedora |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | authconfig-6.2.1-1.fc17 | Doc Type: | Bug Fix |
Last Closed: | 2012-03-06 20:43:18 UTC | Type: | --- |
Description
Sigbjorn Lie
2011-11-11 11:46:59 UTC
Re-assigning to authconfig. The FreeIPA option currently available in authconfig refers to FreeIPA v1. We need to extend authconfig to be able to enroll clients in a FreeIPA v2+ environment, preferably during firstboot and kickstart.

There are three different scenarios when ipa-client should be invoked.
1) Manual enrollment of a single system
2) Bulk enrollment of the BM systems
3) Bulk enrollment of the VM systems

This bug should focus on scenario 1), i.e. have an option in authconfig to make a system a part of an IPA v2+ domain. In this case authconfig should ask the user for either the administrative account and corresponding password or have an option to enroll using the system account. If the system account is chosen, the user should be prompted for the OTP that has been sent to him out of band.

Scenario 2) should be covered by bug https://bugzilla.redhat.com/show_bug.cgi?id=751175 and is effectively a documentation issue, as kickstart already has all the means to enroll the client. What is missing is the distribution of the OTPs and embedding them into the kickstart files. We leave this to the admin. The only thing we can do is document best practices of how to do this and what the security implications are. I suggest that the BZ mentioned above is turned into a doc bug.

Scenario 3) is solved by the cloud management tools that are out of scope here.

authconfig-6.2.0-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/authconfig-6.2.0-1.fc17

Package authconfig-6.2.0-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.0-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-1897/authconfig-6.2.0-1.fc17
then log in and leave karma (feedback).
authconfig-6.2.1-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/authconfig-6.2.1-1.fc17

authconfig-6.2.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.