We're using the ethers table in NIS today to generate DHCP config files for clients so we can send different TFTP, DNS, etc. options to different clients depending on which type of machine they are (mostly Windows, Linux, etc.). At some locations we're also required to only serve IP to clients known by MAC address. I'm missing an ethers table in IPA. Having the MAC address added as an attribute to the host object, and a lookup table for ethers, like the hostgroup to netgroup lookup table is done, would be very useful. Any plans for this?
Would the following solve the problem:
1) Adding MAC address attribute to the schema (it is already there, macAddress; we can just add it as an option attribute to the hosts object - should not cause any grief).
2) Add management plugin to manage this attribute - will require some python work - contributions are welcome.
3) Will require minor UI changes, I suspect.
4) Add the field to the admin model so that access control over it is handled properly.
5) Create a NIS map for ethers and serve it from the nis plugin from IPA.

I do not think you are talking about any integration with SSSD, or do you need the ethers map to be available offline too? ASAIU the map is needed for DHCP servers only, right, and does not need to be available on every machine?
s/ASAIU/AFAIU
Yes, that would solve the problem. No offline/SSSD access is required. This is for DHCP servers, kickstart service and Solaris Jumpstart only. No. 5 is not urgent, if even required. I would suggest also adding a lookup under compat, like cn=ethers,cn=compat so the ethers table can be accessed through NSS on both Solaris and Linux without any modifications on the client.
> I would suggest also adding a lookup under compat, like cn=ethers,cn=compat so
> the ethers table can be accessed through NSS on both Solaris and Linux without
> any modifications on the client.

If I read it right the file consists of pairs: MAC and IP-or-hostname. But the actual schema for the ou=ethers,dc=.. according to RFC should contain objects ieee802Device, bootableDevice; those are extensions of the device class. Device class has a cn attribute as mandatory. So what we can do in the compat is to expose host objects with the fqdn attribute translated into cn and an auxiliary ieee802Device class with the MAC address attribute. Is that what you are looking for?
Yes, that sounds correct. Below is an example of what I've used in an LDAP server earlier. I believe the cn should translate to the fqdn as you suggested though.

dn: cn=machine1,ou=ethers,dc=test,dc=com
cn: machine1
macAddress: 00:04:75:AD:B5:8F
objectClass: device
objectClass: ieee802Device
objectClass: top
I see this has been added to the roadmap at version 2.2 of IPA. When is version 2.2 expected? Will this change reach RHEL 6 at some point?
(In reply to comment #6)
> I see this has been added to the roadmap at version 2.2 of IPA. When is version
> 2.2 expected? Will this change reach RHEL 6 at some point?

2.2 is planned to be available by the end of this year or early next year. It will be incorporated into the RHEL release that is scheduled several months after this date. I can't be more specific than this at this point.
I see this is planned for the 3.0 release. I would urge for this to be included into a 2.1 release. This is required for everyone using jumpstart or kickstart with NIS/LDAP today to be able to migrate to IPA.
(In reply to comment #8)
> I see this is planned for the 3.0 release. I would urge for this to be included
> into a 2.1 release. This is required for everyone using jumpstart or kickstart
> with NIS/LDAP today to be able to migrate to IPA.

Sorry, we do not have capacity to do it now. 3.0 is the version that we will be working on in the fall with estimated delivery in winter.
I've started adding the objectclass: ieee802Device, and setting the macAddress property on the computer objects under cn=computers,cn=accounts,<SUFFIX> manually using ldapmodify. I achieve my goal by adding "ethers: ldap" to /etc/nsswitch.conf on Linux and Solaris clients. I'm now able to look up the entries on the client when using "getent ethers <hostname>". Added to the RFE as agreed with R. Crittenden on IRC.
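An added example, not part of the thread or of FreeIPA: a way to script the manual ldapmodify step described in the comment above when migrating an existing NIS ethers map, rejecting malformed and duplicate MAC entries before they reach the directory. The sample data, the function names and the fqdn=<host> naming of host entries are assumptions; the container DN and the ieee802Device/macAddress schema are the ones named in the thread.

```python
import re

# Constructed sample of a NIS ethers map ("MAC hostname" per line).
SAMPLE_ETHERS = """\
00:04:75:AD:B5:8F machine1.test.com
0:4:75:ad:b5:90   machine2.test.com   # short octets are legal in ethers
00:04:75:AD:B5:8F machine3.test.com
00:04:75:ZZ:B5:91 machine4.test.com
"""
# Assumption: host entries are named fqdn=<host> under the container in the thread.
HOST_DN = "fqdn={host},cn=computers,cn=accounts,{suffix}"
OCTET = re.compile(r"^[0-9a-fA-F]{1,2}$")
HOSTNAME = re.compile(r"^[A-Za-z0-9.-]+$")  # keeps DN/LDIF metacharacters out


def normalize_mac(mac):
    """Return six zero-padded upper-case octets, or None if invalid."""
    parts = mac.split(":")
    if len(parts) != 6 or not all(OCTET.match(p) for p in parts):
        return None
    return ":".join(p.zfill(2).upper() for p in parts)


def ethers_to_ldif(text, suffix):
    """Convert ethers lines to ldapmodify records; return (ldif, rejected)."""
    records, rejected, seen = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        ok = len(fields) == 2 and HOSTNAME.match(fields[1])
        mac = normalize_mac(fields[0]) if ok else None
        if mac is None:
            rejected.append((lineno, "malformed entry"))
        elif mac in seen:
            # One MAC on two hosts undermines a known-MAC-only DHCP policy.
            rejected.append((lineno, "duplicate MAC of " + seen[mac]))
        else:
            seen[mac] = fields[1]
            dn = HOST_DN.format(host=fields[1], suffix=suffix)
            records.append("\n".join([
                "dn: " + dn, "changetype: modify",
                "add: objectClass", "objectClass: ieee802Device", "-",
                "add: macAddress", "macAddress: " + mac, "-"]))
    return "\n\n".join(records) + "\n", rejected


if __name__ == "__main__":
    ldif, rejected = ethers_to_ldif(SAMPLE_ETHERS, "dc=test,dc=com")
    print(ldif)
    for lineno, reason in rejected:
        print("skipped line %d: %s" % (lineno, reason))
```

The generated LDIF is meant to be reviewed and then fed to ldapmodify; a record fails if the host entry already carries ieee802Device, so previously migrated hosts need to be filtered out first.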
Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/52e3488b75e1ed2de7a021148169901a522dbbcb
ipa-2-2: https://fedorahosted.org/freeipa/changeset/d8314c5c054b98a3e583477eff66e6067745f0b6
I see the CLI option is available in v 2.1.90. Thanks. Will this option also become available in the GUI?
TBD, we're in bug fix mode right now.