<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/21/2015 05:53 AM, Prasun Gera
wrote:<br>
</div>
<blockquote
cite="mid:CAFLz+BmyXaqa9CKLR46Zk6_auyBoS55i3W7VJ6afDOaRqGCy2g@mail.gmail.com"
type="cite">
<div dir="ltr">Is it possible to completely automate the client
enrollment process similar to securenets in NIS? I'm trying to
migrate NIS to IDM, and hoping that it runs largely in
        auto-pilot mode. The kickstarter method suggests adding host
        entries with a one-time Kerberos password to launch unattended
client installs. That, however, needs the admin's involvement
every time a new host has to be added. Securenets works pretty
well in our case since we can authenticate based on the IP
address. User addition is still manual, but that's all right
since that is infrequent. Is it possible to do something similar
        using IP masks or FQDN regex in IPA?</div>
</blockquote>
    No, but if you trust your network, you can create a host admin that
    would have the host add privilege and host enroll privilege and
    nothing else, and use this admin.<br>
<br>
IMO it would be a nice enhancement to have a way to restrict such
enrollments to specific subnets. The logic on the server would be
something like this:<br>
<br>
Enrollment request comes in<br>
If host entry there?<br>
Yes - follow the current logic <br>
Check user privileges<br>
    &lt;Check that the client is coming from one of the given IPA
    ranges&gt; &lt;-new<br>
Enroll<br>
<br>
Would you mind filing an RFE if this approach would work for you?<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
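The enrollment flow sketched in the reply above, written out as an added example; it is not part of the original message and not FreeIPA code. The privilege labels, subnets, the Request type, and the reading that the new checks apply only when no host entry exists yet are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical policy: subnets enrollment is accepted from (constructed values).
ALLOWED_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.20.0.0/16", "2001:db8:42::/48")]
# Placeholder labels for the two privileges named in the message.
REQUIRED = frozenset({"host add", "host enroll"})

@dataclass
class Request:
    principal: str         # authenticated user making the request
    privileges: frozenset  # privileges held by that user
    fqdn: str              # host to be enrolled
    peer_addr: str         # connection source address as seen by the server,
                           # never a client-supplied header value

def normalize(addr):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def in_allowed_range(addr, ranges=ALLOWED_RANGES):
    try:
        ip = normalize(addr)
    except ValueError:
        return False  # unparseable source address: fail closed
    return any(ip.version == net.version and ip in net for net in ranges)

def decide(req, existing_hosts):
    """Return 'current-logic', 'enroll', or a 'deny: ...' reason."""
    if req.fqdn in existing_hosts:
        return "current-logic"  # pre-created host entry: nothing changes
    if not REQUIRED.issubset(req.privileges):
        return "deny: missing privilege"
    if not in_allowed_range(req.peer_addr):  # the proposed new check
        return "deny: source address outside allowed ranges"
    return "enroll"
```

The subnet test only narrows where the limited host admin's credentials can be used; it is evaluated after the privilege check, not in place of it.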
</body>
</html>