author | Alexander Bokovoy <abokovoy@redhat.com> | 2015-06-04 21:29:36 +0000 |
---|---|---|
committer | Tomas Babej <tbabej@redhat.com> | 2015-07-08 01:56:52 +0200 |
commit | 14992a07fc7ea6bb5c028e5fefaf7394af00a555 (patch) | |
tree | 696fd8e3adf224af4efffa7661c4002580e6acff /install/tools/man | |
parent | aa21600822543a3a07a3d808bc6085d4088fa5e6 (diff) | |

ipa-adtrust-install: allow configuring of trust agents

Trust agents are IPA masters without Samba which can serve
information about users from trusted forests. Such IPA masters
cannot be used to configure trust but they can resolve AD users and groups
for IPA clients enrolled to them.

Since support from both FreeIPA and SSSD is needed to enable
trust agent support, we currently only consider those IPA masters
which have been upgraded to FreeIPA 4.2 or later.

Part of https://fedorahosted.org/freeipa/ticket/4951

Reviewed-By: Tomas Babej <tbabej@redhat.com>

Diffstat (limited to 'install/tools/man')
-rw-r--r-- | install/tools/man/ipa-adtrust-install.1 | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index a32eefb0e..2658f1957 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 @@ -76,7 +76,7 @@ are needed for the IPA domain which should point to all IPA servers: \(bu _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs .TP \fB\-\-add\-sids\fR -Add SIDs to existing users and groups as a final step of the +Add SIDs to existing users and groups as on of final steps of the ipa\-adtrust\-install run. If there a many existing users and groups and a couple of replicas in the environment this operation might lead to a high replication traffic and a performance degradation of all IPA servers in the @@ -85,6 +85,19 @@ ipa\-adtrust\-install is run and scheduled independently. To start this task you have to load an edited version of ipa-sidgen-task-run.ldif with the ldapmodify command info the directory server. .TP +\fB\-\-add\-agents\fR +Add IPA masters to the list that allows to serve information about +users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master +can provide this information to SSSD clients. IPA masters aren't added +to the list automatically as restart of the LDAP service on each of them +is required. The host where ipa\-adtrust\-install is being run is added +automatically. +.IP +Note that IPA masters where ipa\-adtrust\-install wasn't run, can serve +information about users from trusted forests only if they are enabled +via \ipa-adtrust\-install run on any other IPA master. At least SSSD +version 1.13 on IPA master is required to be able to perform as a trust agent. +.TP \fB\-U\fR, \fB\-\-unattended\fR An unattended installation that will never prompt for user input .TP |
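Review bot: In the first hunk (--add-sids), the added line reads "as on of final steps of the", which is a typo for "as one of the final steps of the". Since the paragraph is being touched anyway, the unchanged line right after it, "If there a many existing users and groups", could be corrected to "If there are many" in the same patch.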
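Review bot: In the second hunk (--add-agents), the note paragraph writes "\ipa-adtrust\-install", with the backslash misplaced before the "i" and the first hyphen left unescaped; the other occurrences in this hunk are written "ipa\-adtrust\-install", and this one should match. The text also does not say how the masters to add are chosen (whether the option takes an argument or the tool prompts), and "restart of the LDAP service on each of them is required" does not say who performs that restart. One sentence on each would tell an administrator which hosts will start answering for users from trusted forests and what manual step remains afterwards.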