#4993 Create lightweight design document for ipa-client-install
Opened 8 years ago by lslebodn. Modified 4 years ago

Purpose:

  • should help people to manually configure client against ipa
  • should be used for troubleshooting of installation

It should also help readers understand the "container use-case": which part of the installation is necessary for which component.


Here is part of the related mail communication:

I'm not a freeipa developer but I'll try to describe what ipa-client-install 
does.

- time synchronisation && configure ntp (can be disabled with --no-ntp) 
  In my opinion ntp/chrony should run in separate container 
- download keytab for host /etc/krb5.keytab 
- generate krb5 /etc/krb5.conf 
- download certificate from IPA server 
- configure ipa defaults (/etc/ipa/default) 
- generate sssd.conf (/etc/sssd.conf) 
- configure certmonger 
- configure pam stack 
- create openldap configuration (/etc/openldap/ldap.conf)

ipa-client-install also touches some other configuration files. Here is a list 
of arguments for disabling such features (copy & paste): 
   --no-nisdomain      do not configure NIS domain name 
   --no-ssh            do not configure OpenSSH client 
   --no-sshd           do not configure OpenSSH server 
   --no-sudo           do not configure SSSD as data source for sudo 
   --no-dns-sshfp      do not automatically create DNS SSHFP records

After this description I realized you might want to share krb5.conf and 
krb5.keytab between sssd-container and host. You can prepare an image 
with installed ipa-client and run ipa-client in a container created from this 
image. "docker diff" should show you all changed/created files.

It should be mentioned that setting "nisdomainname" is necessary for sudo and not for sssd.
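As an added troubleshooting aid (example code written for this page, not part of the ticket and not FreeIPA's own tooling), the following POSIX shell script walks the files the mail above says ipa-client-install produces, reports which ones are missing under a given root (/ on a real client, or a container image's extracted rootfs), and cross-checks that krb5.conf, /etc/ipa/default.conf and sssd.conf all name the same realm, since a mismatch there is a common cause of a client that "enrolled" but cannot authenticate. It assumes the FreeIPA 4.x file layout (so the ipa defaults live at /etc/ipa/default.conf and the SSSD config at /etc/sssd/sssd.conf); the sample root it builds for the demo is constructed and deliberately lacks the keytab, which is what you would see in a container started from an image that was enrolled at build time with /etc/krb5.keytab left out.

```shell
#!/bin/sh
# Added example, not code from the ticket or from FreeIPA: a checklist for
# the artifacts an ipa-client-install enrollment leaves behind under a root
# directory, plus a realm consistency check across the three main configs.
# Assumption: FreeIPA 4.x file layout for the paths below.

# path|description, one enrollment artifact per line (from the ticket's list,
# placed at the paths a 4.x client actually uses).
IPA_CLIENT_FILES='/etc/krb5.keytab|host keytab (kinit -k must work)
/etc/krb5.conf|Kerberos client config (default_realm, KDC discovery)
/etc/ipa/ca.crt|IPA CA certificate downloaded from the server
/etc/ipa/default.conf|ipa client defaults (server, domain, realm, basedn)
/etc/sssd/sssd.conf|SSSD config (id_provider = ipa)
/etc/openldap/ldap.conf|OpenLDAP client config (URI, BASE, TLS_CACERT)'

# Print the value of KEY ($2) in the ini-style FILE ($1), first match only.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null |
        sed 's/[[:space:]]*$//' | head -n 1
}

# List the enrollment files missing under ROOT ($1), one per line.
# Always returns 0 so the output can be captured under set -e.
ipa_client_missing() {
    root=${1%/}
    printf '%s\n' "$IPA_CLIENT_FILES" | while IFS='|' read -r path desc; do
        [ -f "$root$path" ] || printf '%s\n' "$path"
    done
    return 0
}

# Print the realm that krb5.conf, default.conf and sssd.conf agree on;
# otherwise print the conflicting values and return 1.
ipa_client_realm() {
    root=${1%/}
    r1=$(ini_get "$root/etc/krb5.conf" default_realm)
    r2=$(ini_get "$root/etc/ipa/default.conf" realm)
    r3=$(ini_get "$root/etc/sssd/sssd.conf" krb5_realm)
    if [ -n "$r1" ] && [ "$r1" = "$r2" ] && [ "$r1" = "$r3" ]; then
        printf '%s\n' "$r1"
        return 0
    fi
    printf 'realm mismatch: krb5.conf=%s default.conf=%s sssd.conf=%s\n' \
        "${r1:-unset}" "${r2:-unset}" "${r3:-unset}"
    return 1
}

# Full report for ROOT ($1, default /); exit 0 only if nothing is missing
# and the realms agree.
ipa_client_check() {
    root=${1:-/}
    status=0
    printf '%s\n' "$IPA_CLIENT_FILES" | while IFS='|' read -r path desc; do
        if [ -f "${root%/}$path" ]; then
            printf 'ok       %s  (%s)\n' "$path" "$desc"
        else
            printf 'MISSING  %s  (%s)\n' "$path" "$desc"
        fi
    done
    [ -z "$(ipa_client_missing "$root")" ] || status=1
    ipa_client_realm "$root" || status=1
    return $status
}

# Constructed sample: a fake root enrolled in EXAMPLE.COM whose keytab was
# never fetched. Prints the directory; caller removes it.
make_sample_root() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/ipa" "$d/etc/sssd" "$d/etc/openldap"
    printf '[libdefaults]\n  default_realm = EXAMPLE.COM\n  dns_lookup_kdc = true\n' \
        >"$d/etc/krb5.conf"
    printf '[global]\nbasedn = dc=example,dc=com\nrealm = EXAMPLE.COM\ndomain = example.com\nserver = ipa.example.com\n' \
        >"$d/etc/ipa/default.conf"
    printf '[domain/example.com]\nid_provider = ipa\nipa_server = ipa.example.com\nipa_domain = example.com\nkrb5_realm = EXAMPLE.COM\n' \
        >"$d/etc/sssd/sssd.conf"
    : >"$d/etc/ipa/ca.crt"
    : >"$d/etc/openldap/ldap.conf"
    printf '%s\n' "$d"
}

# Usage: sh ipa-client-check.sh /          check this machine (or a rootfs path)
#        sh ipa-client-check.sh --demo     run against the constructed sample
case "${1:-}" in
    "") ;;                       # no argument: only define the functions
    --demo) root=$(make_sample_root)
            ipa_client_check "$root" || echo "enrollment incomplete"
            rm -rf "$root" ;;
    *) ipa_client_check "$1" ;;
esac
```

Run it with --demo and the report flags /etc/krb5.keytab as MISSING while the realm check passes; run it against a container's rootfs (or mount the host's /etc read-only into the sssd container and point it there) to see which of the files from the list above that component is actually missing. A present file proves only that enrollment wrote it, not that it is usable: confirm the keytab with `kinit -k` and the SSSD side with `id someuser` on the enrolled client.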

Processing leftovers from 4.2 backlog - this ticket was found as suitable for consideration in next big feature release - 4.4.

Metadata Update from @lslebodn:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5 backlog

7 years ago

Metadata Update from @rcritten:
- Issue close_status updated to: None
- Issue tagged with: documentation

4 years ago

