Active Directory supports various OU containers for organizing computer and user objects. When enrolling, realmd should support creating the computer account in a specific OU.

 * This will be an optional parameter.
 * Many user interfaces will not support specifying this through the interface.
 * We can make a section in the config file so admins can deploy a default OU to use for various realms.
After discussion on #sssd, we plan to use real LDAP DNs for representing the OU. I don't think we should necessarily require that the entire DN is specified, just the part above the base DN. As it stands we use Samba's net to join the domain, so we need to convert to their strange OU format. This will be an optional 'computer-ou' argument passed in the @options directory of the Join() method: http://www.freedesktop.org/software/realmd/docs/gdbus-org.freedesktop.realmd.KerberosMembership.html#gdbus-method-org-freedesktop-realmd-KerberosMembership.Join
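The conversion described in the comment above, as an added example that is not part of the original bug report and not realmd's own code: it turns an LDAP DN for the OU, given either in full or as just the part above the base DN, into the slash-separated, top-down OU string accepted by Samba's `net ads join createcomputer=`. Assumptions: the base DN is derived from the realm name as DC= components, only OU= components are accepted, a "/" inside a value is rejected, and the function names are hypothetical.

```python
def split_rdns(dn):
    """Split an LDAP DN into (TYPE, value) pairs, leftmost RDN first.

    A backslash escapes the next character, so an escaped comma does not
    end an RDN. Whitespace after a separating comma is tolerated; values are
    kept verbatim, escapes included. Multi-valued RDNs ("+") are not handled.
    """
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair as written
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur)
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur)
    rdns = []
    for part in parts:
        attr, sep, value = part.lstrip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError("malformed RDN: %r" % part)
        rdns.append((attr.strip().upper(), value))
    return rdns


def dn_to_samba_ou(computer_ou, domain):
    """Return the OU path for net, e.g. 'Computers/Servers/Unix'."""
    rdns = split_rdns(computer_ou)
    base = [label.lower() for label in domain.split(".")]
    # Peel off a trailing run of DC= components if a full DN was given.
    cut = len(rdns)
    while cut > 0 and rdns[cut - 1][0] == "DC":
        cut -= 1
    suffix = [value.lower() for _, value in rdns[cut:]]
    if suffix and suffix != base:
        raise ValueError("computer-ou is not under the base DN of " + domain)
    ous = rdns[:cut]
    if not ous:
        raise ValueError("no OU component given")
    for attr, value in ous:
        if attr != "OU":                # assumption: OUs only, no CN= containers
            raise ValueError("unsupported component %s=%s" % (attr, value))
        if "/" in value:                # would be read as a path separator
            raise ValueError("'/' in OU name cannot be represented")
    # LDAP lists the deepest OU first; the net format reads top-down.
    return "/".join(value for _, value in reversed(ous))
```

Rejecting a DC= suffix that does not match the realm keeps a mistyped or copied DN from silently placing the computer account somewhere other than intended.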
Created attachment 65945
Pass join/leave options to various kerberos membership implementations
Created attachment 65946
Add support for specifying a computer OU LDAP DN when joining

 * Now requires the openldap client libraries
 * Add new --computer-ou argument to 'realm join'
 * Support 'computer-ou' option passed to o.f.r.KerberosMembership.Join()
 * Format is in full LDAP DN format.
 * An administrator can include a section like this to specify a default computer-ou to join to:

    [the.example.com]
    join-computer-ou = OU=Workstations
Created attachment 65948
Add documentation for computer-ou Join() option
Merged these patches into master.