Bug 753120 - RFE: IPAv2 Support for graphical installer and as kickstart option
Product: Fedora
Classification: Fedora
Component: authconfig
All Linux
unspecified Severity medium
Assigned To: Tomas Mraz
Fedora Extras Quality Assurance
Reported: 2011-11-11 06:46 EST by Sigbjorn Lie
Modified: 2012-03-06 15:43 EST
Fixed In Version: authconfig-6.2.1-1.fc17
Doc Type: Bug Fix
Last Closed: 2012-03-06 15:43:18 EST
Description Sigbjorn Lie 2011-11-11 06:46:59 EST
On Thu, 10 Nov 2011, Sigbjorn Lie wrote:
> I just installed Fedora 16 and noticed that there now was an option
> for using FreeIPA as authentication database. Awesome!
> But why the normal ldap/kerberos options that met me when I chose
> FreeIPA (see the attachment). I was picturing auto-detection, and
> just a username and password, same as the simplified CLI installer.

Looks like it wasn't finished well enough in time to release and 
re-used existing LDAP settings page. This is just my guess, this was 
done outside FreeIPA team.

> Is this on the roadmap for the Fedora/RHEL installer?

Would be nice, indeed. Could you please raise a bug for Fedora 
installer to improve 'FreeIPA authentication' settings page? And add 
me to the CC: list.

/ Alexander Bokovoy
Comment 1 Stephen Gallagher 2011-11-11 09:01:49 EST
Re-assigning to authconfig.

The FreeIPA option currently available in authconfig refers to FreeIPA v1.

We need to extend authconfig to be able to enroll clients in a FreeIPA v2+ environment, preferably during firstboot and kickstart.
Comment 2 Dmitri Pal 2011-11-15 17:57:12 EST
There are three different scenarios when ipa-client should be invoked.

1) Manual enrollment of a single system
2) Bulk enrollment of the BM systems
3) Bulk enrollment of the VM systems

This bug should focus on scenario 1), i.e. have an option in authconfig to make a system a part of an IPA v2+ domain. In this case authconfig should ask the user for either the administrative account and corresponding password or have an option to enroll using the system account. If the system account is chosen, the user should be prompted for the OTP that has been sent to him out of band.

Scenario 2) should be covered by bug https://bugzilla.redhat.com/show_bug.cgi?id=751175 and is effectively a documentation issue, as kickstart already has all the means to enroll the client. What is missing is the distribution of the OTPs and embedding them into the kickstart files. We leave this to the admin. The only thing we can do is document best practices of how to do this and what the security implications are. I suggest that the BZ mentioned above be turned into a doc bug.

Scenario 3) is solved by the cloud management tools that are out of scope here.
Comment 3 Fedora Update System 2012-02-16 17:25:09 EST
authconfig-6.2.0-1.fc17 has been submitted as an update for Fedora 17.
Comment 4 Fedora Update System 2012-02-16 22:58:00 EST
Package authconfig-6.2.0-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.0-1.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2012-02-18 14:33:33 EST
authconfig-6.2.1-1.fc17 has been submitted as an update for Fedora 17.
Comment 6 Fedora Update System 2012-03-06 15:43:18 EST
authconfig-6.2.1-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.