This does a number of things under the hood:
- Use authconfig to enable sssd in nss and pam
- Configure /etc/sssd/sssd.conf to use our IPA provider
- Enable the certmonger process and request a server cert
- join the IPA domain and retrieve a principal. The clinet machine
*must* exist in IPA to be able to do a join.
- And then undo all this on uninstall
When we un-enroll a client we'll do a bit of cleanup including removing
any principals for the IPA realm from /etc/krb5.keytab.
This removes principals in 2 ways:
- By principal, only entries matching the full principal are removed
- By realm. Any principal for that realm is removed
This does not change the KDC at all, just removes entries from a file
on the client machine.
This is needed because in the client installer we actually perform the
join before creating the configuration files that join uses. All we need
is the IPA server to join to and we have that from the CLI options so
use that.
Because ipa-join calls ipa-getkeytab I'd like to keep the return values in
sync. ipa-join returns the value returned by ipa-getkeytab so in order to
tell what failed the return values need to mean the same things and not
This will create a host service principal and may create a host entry (for
admins). A keytab will be generated, by default in /etc/krb5.keytab
If no kerberos credentails are available then enrollment over LDAPS is used
if a password is provided.
This change requires that openldap be used as our C LDAP client. It is much
easier to do SSL using openldap than mozldap (no certdb required). Otherwise
we'd have to write a slew of extra code to create a temporary cert database,
import the CA cert, ...
rest of the krb5.conf configuration were. This clearly breaks
with the default EXAMPLE.COM realm configuratrion. Furthermore
it makes it not possible to try to 'fix' an installation by
rerruninng ipa-client-install
This patch removes the special case and avoids krb5.conf only
if the on_master flag is passed.
Fix also one inner 'if' statement to be simpler to understand.
Fix make maintainer-clean
Also make RPM naming consistent by using a temp RELEASE file.
This one helps when testing builds using rpms.
Just 'echo X > RELEASE' to build a new rpms (X, X+1, X+2 ...)
Version 1.1.0 was released some times ago, bump up to 1.1.1
I've been on a crusade (;-) to remove useless if-before-free tests,
so ran a script that spotted some here. I think I removed the first
batch (without braces) automatically, then manually removed the ones
with curly braces around the free statements.
You may well have doubts about the portability of removing those
tests, but as long as you don't care about SunOS4 or earlier, you'll
be fine. I've done similar things for e.g., coreutils, glibc, and git,
and have had no problems.
We were just shutting down the KDC if it had been started prior to IPA
installation. We need to stop it in all cases.
And we should restart nscd as it may have made an LDAP connection.
The file VERSION is now the sole-source of versioning.
The generated .spec files will been removed in the maintainer-clean targets
and have been removed from the repository.
By default a GIT build is done. To do a non-GIT build do:
When updating the version you can run this to regenerate the version:
$ make version-update
The version can be determined in Python by using ipaserver.version.VERSION
FreeIPA relies on RedHat's Directory Server, which uses mozldap.
A FreeIPA build using mozldap would reduce the project's dependencies and
redundant code. In addition, mozldap uses NSS instead of OpenSSL.
This is beneficial for the reasons listed in [1].