From f2fb6552c91fa530597e6deb776d90344bfe67bd Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 11 Oct 2011 17:30:33 -0400
Subject: Make ipa-join work against an LDAP server that disallows anon binds

We determine the realm in the client installer so we can deduce the base dn, pass that into ipa-join so we don't have to hunt for it.

Re-order the bind so that when doing an OTP enrollment we can use the host entry to authenticate before we retrieve the subject base, then initiate the enrollment.

If ipa-join is called without a basedn it will still attempt to determine it, but it will fail if anonymous binds are not allowed.

https://fedorahosted.org/freeipa/ticket/1935
---
 ipa-client/man/ipa-join.1 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
(limited to 'ipa-client/man')
diff --git a/ipa-client/man/ipa-join.1 b/ipa-client/man/ipa-join.1
index 60facdfa9..49887c7a0 100644
--- a/ipa-client/man/ipa-join.1
+++ b/ipa-client/man/ipa-join.1
@@ -20,7 +20,7 @@ .SH "NAME" ipa\-join \- Join a machine to an IPA realm and get a keytab for the host service principal .SH "SYNOPSIS" -ipa\-join [\fB\-d\fR|\fB\-\-debug\fR] [\fB\-q\fR|\fB\-\-quiet\fR] [\fB\-u\fR|\fB\-\-unenroll\fR] [\fB\-h\fR|\fB\-\-hostname\fR hostname] [\fB\-s\fR|\fB\-\-server\fR hostame] [\fB\-k\fR|\fB\-\-keytab\fR filename] [\fB\-w\fR|\fB\-\-bindpw\fR password] [\fB\-?\fR|\fB\-\-help\fR] [\fB\-\-usage\fR] +ipa\-join [\fB\-d\fR|\fB\-\-debug\fR] [\fB\-q\fR|\fB\-\-quiet\fR] [\fB\-u\fR|\fB\-\-unenroll\fR] [\fB\-h\fR|\fB\-\-hostname\fR hostname] [\fB\-s\fR|\fB\-\-server\fR hostame] [\fB\-k\fR|\fB\-\-keytab\fR filename] [\fB\-w\fR|\fB\-\-bindpw\fR password] [\fB-b\fR|\-\-\fBbasedn basedn\fR] [\fB\-?\fR|\fB\-\-help\fR] [\fB\-\-usage\fR] .SH "DESCRIPTION" Joins a host to an IPA realm and retrieves a kerberos \fIkeytab\fR for the host service principal, or unenrolls an enrolled host from an IPA server. 
@@ -61,6 +61,9 @@ The keytab file where to append the new key (will be created if it does not exis \fB\-w,\-\-bindpw password\fR The password to use if not using Kerberos to authenticate. Use a password of this particular host (one time password created on IPA server) .TP +\fB\-b,\-\-basedn basedn\fR +The basedn of the IPA server (of the form dc=example,dc=com). This is only needed when not using Kerberos to authenticate and anonymous binds are disallowed in the IPA LDAP server. +.TP \fB\-u,\-\-unenroll\fR Unenroll this host from the IPA server. No keytab entry is removed in the process (see -- cgit
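Review bot: In the SYNOPSIS hunk the new option's troff markup is inconsistent with the rest of the line: `[\fB-b\fR|\-\-\fBbasedn basedn\fR]` uses a bare `-` for the short option and puts the `\-\-` outside the bold span, while every other option is written `[\fB\-x\fR|\fB\-\-long\fR arg]`; it should read `[\fB\-b\fR|\fB\-\-basedn\fR basedn]` so the argument is not rendered bold. Since the line is being rewritten anyway, the pre-existing typo `hostame` after `\-\-server` could be fixed to `hostname` in the same change.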
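Review bot: The new `\-b,\-\-basedn` entry in the options hunk says when the option is needed but not what happens without it; the commit message states that ipa-join will still try to discover the base DN and fail when anonymous binds are disallowed, and that the client installer now passes it automatically. Adding one sentence along those lines (e.g. "If not provided, ipa-join attempts to discover it with an anonymous search, which fails if anonymous binds are disabled") would tell an administrator why an enrollment failed and how to fix it.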