[Freeipa-devel] Multi-master replication with puppet

Jan Pazdziora jpazdziora at redhat.com
Fri Jun 6 12:03:31 UTC 2014


On Fri, Jun 06, 2014 at 06:38:10AM -0400, James wrote:
> 
> I've just announced the first sane implementation for secret handling
> in puppet. Since everyone does this wrong, I thought I'd do it right,
> by pioneering a new technique. You can read about it here:
> 
> https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
> 
> In short, the dm_password and admin_password never get touched by
> puppet, and are generated locally on the freeipa server. What this
> means is that puppet doesn't know what they are, and as a result,
> can't use them to accomplish admin tasks.

Could we make this functionality part of the ipa-server-install script
itself? It could be useful outside of puppet as well?

Do you have any proposal for how to go about ipa-client-install in puppet,
without having the password stored or exposed there?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat
