On Fri, 08 Nov 2019, Ronald Wimmer via FreeIPA-users wrote:
On 08.11.19 11:08, Alexander Bokovoy via FreeIPA-users wrote:
[...]
Are these assumptions true:
- ipaA became a trust controller by issuing the "ipa trust-add" command
- ipaB will have to be configured as trust agent
Correct. By running ipa-adtrust-install --add-agents on ipaA, you can add ipaB to the set of trust agents.
Thank you very much. Now I have a working setup.
Just two remaining questions...
If I wanted another server to be a trust controller I would run "ipa-adtrust-install" on that server?
Correct.
In order to add all remaining IPA servers as trust agents, I could run "ipa-adtrust-install --add-agents" on any trust controller in my setup?
Correct.
One catch that is not fixed yet is promotion of the compat tree configuration on trust agents. There is a need to update cn=config entries to add special attributes. We do it in ipa-adtrust-install, so they are always correct on the trust controllers, but since ipa-adtrust-install isn't run on the trust agents themselves, no changes are made to cn=config there. We need to solve this somehow, via some kind of remote call similar to how the replica connectivity check is done.