Red Hat Bugzilla – Bug 753120
RFE: IPAv2 Support for graphical installer and as kickstart option
Last modified: 2012-03-06 15:43:18 EST
On Thu, 10 Nov 2011, Sigbjorn Lie wrote:
> I just installed Fedora 16 and noticed that there now was an option
> for using FreeIPA as authentication database. Awesome!
> But why the normal ldap/kerberos options that met me when I chose
> FreeIPA (see the attachment). I was picturing auto-detection, and
> just a username and password, same as the simplified CLI installer.
Looks like it wasn't finished well enough in time to release and
re-used existing LDAP settings page. This is just my guess, this was
done outside FreeIPA team.
> Is this on the roadmap for the Fedora/RHEL installer?
Would be nice, indeed. Could you please raise a bug for Fedora
installer to improve 'FreeIPA authentication' settings page? And add
me to the CC: list.
/ Alexander Bokovoy
Re-assigning to authconfig.
The FreeIPA option currently available in authconfig refers to FreeIPA v1.
We need to extend authconfig to be able to enroll clients in a FreeIPA v2+ environment, preferably during firstboot and kickstart.
There are three different scenarios when ipa-client should be invoked.
1) Manual enrollment of a single system
2) Bulk enrollment of the BM systems
3) Bulk enrollment of the VM systems
This bug should focus on scenario 1), i.e. have an option in authconfig to make a system a part of an IPA v2+ domain. In this case authconfig should ask the user for either the administrative account and corresponding password, or have an option to enroll using the system account. If the system account is chosen, the user should be prompted for the OTP that has been sent to him out of band.
Scenario 2) should be covered by bug https://bugzilla.redhat.com/show_bug.cgi?id=751175 and is effectively a documentation issue, as kickstart already has all the means to enroll the client. What is missing is the distribution of the OTPs and embedding them into the kickstart files. We leave this to the admin. The only thing we can do is document best practices of how to do this and what the security implications are. I suggest that the BZ mentioned above is turned into a doc bug.
Scenario 3) is solved by the cloud management tools that are out of scope here.
authconfig-6.2.0-1.fc17 has been submitted as an update for Fedora 17.
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing authconfig-6.2.0-1.fc17'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
authconfig-6.2.1-1.fc17 has been submitted as an update for Fedora 17.
authconfig-6.2.1-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.