Add missing FreeIPA install steps
We need a couple of additional steps for the IPA setup.

Change-Id: I8038a6ca4ad6ea02184195a4052a22d84a658fa2
This commit is contained in:
parent
9b50d12e59
commit
f32bea5415
@ -84,6 +84,26 @@ Configure FreeIPA::
--auto-reverse /
--unattended
By default, FreeIPA does not public it's Certificate Revocation List (CRL)
on startup. As the CRL is retrieved when the overcloud nodes retrieve
certificates from FreeIPA, we should configure it to do so and restart
FreeIPA.::
sed -i -e \
's/ca.crl.MasterCRL.publishOnStart=.*/ca.crl.MasterCRL.publishOnStart=true/' \
/etc/pki/pki-tomcat/ca/CS.cfg
systemctl restart ipa
Finally, if your IPA server is not at 4.8.5 or higher, you will need to add an
ACL to allow for the proper generation of certificates with a IP SAN.::
cat << EOF | ldapmodify -x -D "cn=Directory Manager" -w $DIRECTORY_MANAGER_PASSWORD
dn: cn=dns,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "aaaarecord || arecord || cnamerecord || idnsname || objectclass || ptrrecord")(targetfilter = "(&(objectclass=idnsrecord)(|(aaaarecord=*)(arecord=*)(cnamerecord=*)(ptrrecord=*)(idnsZoneActive=TRUE)))")(version 3.0; acl "Allow hosts to read DNS A/AAA/CNAME/PTR records"; allow (read,search,compare) userdn = "ldap:///fqdn=*,cn=computers,cn=accounts,dc=example,dc=com";)
EOF
Please refer to ``ipa-server-install --help`` for specifics on each argument or
reference the `FreeIPA documentation`_. The directions above are only a guide.
You may need to adjust certain values and configuration options to use FreeIPA,
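Review bot: the ``ldapmodify`` block hard-codes ``dc=example,dc=com`` in both the ``dn:`` line and the ACI's ``userdn``, but nothing in the added text tells the reader to substitute their own base DN, so a verbatim copy either fails against a non-existent DN or applies the ACI to the wrong suffix; the CRL ``sed`` step above it needs no substitution, which makes the omission easy to miss, so add a one-line reminder before ``cat << EOF``. Passing the Directory Manager password as ``-w $DIRECTORY_MANAGER_PASSWORD`` also puts it on the command line, where it is visible in ``ps`` output and shell history; ``ldapmodify -W`` (prompt) or ``-y <password-file>`` avoids that. Finally, two typos in the prose should be fixed in the same change: "does not public it's" should read "does not publish its", and "a IP SAN" should read "an IP SAN".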