Bug 239055 - Update to support centralized authentication server
Update to support centralized authentication server
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: authconfig (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
: FutureFeature, Reopened
Depends On: 464903
Blocks: 239054 freeipa10
  Show dependency treegraph
Reported: 2007-05-04 13:42 EDT by Brian Stevens
Modified: 2014-09-08 20:40 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-09-08 04:45:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Karl MacMillan 2007-05-04 13:42:16 EDT
Add support for the new centralized authentication server.
Comment 1 RHEL Product and Program Management 2007-06-05 16:27:48 EDT
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Since this
bugzilla is in a component that is not approved for the current
release, it has been closed with resolution deferred.  You may
reopen this bugzilla for consideration in the next release.
Comment 8 Karl Wirth 2008-09-11 20:53:43 EDT
Three use cases:
1) An IPA server is available and can be detected automatically. Authconfig proposes that server as one of the options. The user selects, modification is possible.
2) The user points authconfig to a IPA server. - Similar to the existing KRB and LDAP setups, but integrated as one IPA tab with only one entry line.
3) Either of those but with an automated kickstart installation.
The requirements from that should be pretty straight forward:
* Add an additional tab for IPA to authconfig, selecting it deactivates the LDAP/KRB ones (are there others?).
* Have an "detect automatically" botton that fills the entry fields or let's the user select if multiple servers results. This calls out and uses DNS to find IPA realm (given on user input, as appropriate DNS client configuration may not always be already given)
* ipa client code is called to make RHEL a member of the IPA realm
* Integrate with kickstart to allow automatic configuration / selection.

After that authconfig should verify connection to the IPA server, register (if that is needed / already implemented) and provision the required / available certificates and keys. If there is value in using only parts of the IPA features, it should allow selecting which features to use.

Again, if there are additional options, they should be integrated with kickstart.
Comment 10 RHEL Product and Program Management 2009-02-11 06:28:17 EST
This bugzilla has Keywords FutureFeature or HardwareEnablement and thus does not meet the
release criteria for FasTrack. This FasTrack request has been denied.
This bugzilla must be addressed in a minor release.
Comment 14 Simo Sorce 2009-06-12 10:59:35 EDT
Given IPA can have a complex configuration setup, what we should aim at is building a simple interface in authconfig that calls out an ipa provided script for the actual configuration.

The idea is to provide a minimal set of parameters needed by the script and sufficient for it to connect to the ipa server and automatically configure the client based on information retrieved from the server.

I think there are 1 necessary fields to provide and 3 optional.

Necessary field:

Optional fields:
Admin username
Admin password

The realm is necessary to be bale to try and find the ipa server through DNS queries, if that fails the IPA Server FQDN becomes necessary.

The Admin credentials are optional because the admin may already have a valid kerberos ticket. The Admin username should be prepoluated by checking the credential cache, if there is no credential cache username and password become necessary options, if a credential cache exists the username is prefilled (the user must be able to change it and add an optional password in case the ticket found is not that of a privileged admin.

The good thing about this design is that it could be used unchanged also to configure samba/winbindd I think. The amount of information needed would be the same.

If autodiscovery of credentials caches etc.. is too complex for a first release it is perfectly fine to require admin username and password in a first implementation, and not make them options.

Comment 15 RHEL Product and Program Management 2009-11-06 13:48:42 EST
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release. If you would like
this request to be reviewed for the next minor release, ask your
support representative to set the next rhel-x.y flag to "?".
Comment 16 Tomas Mraz 2011-09-08 04:45:46 EDT
The support for adding/removing pam_sss and nss_sss to the configuration files is already there. Backporting the full support from RHEL-6 would be too intrusive.

Note You need to log in before you can comment on or make changes to this bug.