detail the steps of domain profile creation for a PacketFence cluster…
… v14.0
stgmsa committed Jan 10, 2025
1 parent ca50af7 commit 8a273ff
Showing 1 changed file with 51 additions and 9 deletions.
60 changes: 51 additions & 9 deletions docs/installation/authentication_mechanisms.asciidoc
@@ -61,24 +61,66 @@ NOTE: If you are using PacketFence in cluster mode, you must save the domain set
NOTE: after version 14.0, the PacketFence domain.conf will be updated, domain identifier is changed from previously single identifier to "hostname + identifier". If you are running PacketFence in a cluster, please check the corresponding sections for each node.
==== Domain Joining on A PacketFence cluster
==== Domain Joining on A PacketFence cluster (v14.x)
We've updated the structure of `domain.conf` file since v14.0,
the section name stored in `domain.conf` file has been changed from `domain identifier` to `hostname + domain identifier` combination.
This change causes a node in a cluster to read domain settings from its own individual section identified by its unique hostname.
Therefore, it is not required to use `%h` as (or as a prefix / suffix of) the machine account anymore and
it's technically possible to have customized settings for a specific node.
Therefore, it is not required to use `%h` as (or as a prefix / suffix of) the machine account anymore.
Now it's technically possible to have fully customized domain settings for a specific node.
If you are running a PacketFence cluster of v14.0 and need a domain profile, you'll have to repeat the profile creation on each of the node because
the domain profile creation will *only* create a profile (and add a machine account) for the node that you are working on (the node that handles the request).
===== Setting up a new cluster
There's a difference in domain profile creation for PacketFence cluster running PacketFence v14.x: +
When you create the domain profile from Admin UI for a PacketFence cluster, The profile is actually created *only* on the node that handles the API request.
Therefore, you'll have to go through all the nodes and create a domain profile for each of them.
During the domain profile creation, a machine account used for NTLM authentication is also created in Windows domain controller.
Due to the limitation of secure connection binding, we are not able to establish multiple secure connections using a shared machine account.
Please make sure the machine account names are unique if you are not using `%h` as (or as part of) the machine account name.
There are 2 ways of creating the domain profile on a selected node:
. Using API Redirect
. Login into Admin Panel using real IP
To use API Redirect, login into *PacketFence Admin Panel*, navigate to *"Status"* -> *"Services"* -> *"API redirect"*, choose a node that handles the API request.
And you will create the domain profile for the node you selected.
Login into Admin Panel using real IP is also simple: Login into *PacketFence Admin Panel* using the node's real management IP instead of virtual IP.
For example, a cluster consists of 3 nodes with a VIP = 192.168.4.70, and real IP = 192.168.4.71, 192.168.4.72, 192.168.4.73.
simply iterate the 3 real IPs, login into Admin Panel from https://real_ip:1443.
===== Upgrade from a version prior to v14.0
If you are doing an upgrade, please refer to the upgrade guide section for v14,
you might need to manually combine the domain configuration file and sync them to all cluster members.
NOTE: It is required to use individual machine account for each node to avoid secure connection binding issues.
Here is the steps you'll need to follow to create a domain profile in cluster after v14.0:
Assuming that we have a PacketFence cluster of 3 nodes, and we are about to join "domain.com"
. Open PacketFence Admin UI, and navigate to "Status" -> "Services" -> "API redirect" or
. Access the Admin UI form "https://node_ip:1443" directly.
===== Domain config file structure and example
Assuming that we have a PacketFence cluster of 3 nodes with hostnames of `pf-node1`, `pf-node2` and `pf-node3` and we joined "domainA"
an example of `domain.conf` for a cluster looks like this:
----
[pf-node1 domainA]
ntlm_auth_port=5000
server_name=node1
dns_name=a.com
....
[pf-node2 domainA]
ntlm_auth_port=5000
server_name=node2
dns_name=a.com
....
[pf-node3 domainA]
ntlm_auth_port=5000
server_name=node3
dns_name=a.com
....
----
image::api-redirect.jpg[scaledwidth="100%",alt="API redirect in configuration"]
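Review bot: the new v14.x section states the same guidance twice and should be consolidated before merge. "If you are running a PacketFence cluster of v14.0 and need a domain profile, you'll have to repeat the profile creation on each of the node" is restated a few lines later under "Setting up a new cluster", and the two-method list (API Redirect, or logging in on the node's real management IP) is repeated under the "Upgrade from a version prior to v14.0" heading as ". Open PacketFence Admin UI, and navigate to "Status" -> "Services" -> "API redirect" or / . Access the Admin UI form "https://node_ip:1443" directly.", where it reads as an upgrade step rather than a profile-creation step; keep one copy under the new-cluster heading and have the upgrade heading point to it. The example block also disagrees with its own lead-in: the prose says the cluster joined "domainA" and the section names are `[pf-node1 domainA]`, yet every section carries `dns_name=a.com`; pick one domain name and use it throughout, and replace the `....` filler lines with an explicit comment such as `# remaining settings omitted` so they are not mistaken for AsciiDoc literal-block delimiters. Wording while here: "Here is the steps" -> "Here are the steps", "each of the node" -> "each of the nodes", "form" -> "from", "Login into" -> "Log in to", and "2 ways" -> "two ways".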
