<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 03/21/2015 08:57 PM, Prasun Gera
wrote:<br>
</div>
<blockquote
cite="mid:CAFLz+Bmer1L0byPuZ3zOKB74Cb2m4zVXGKOACN0ispHEu1cZhA@mail.gmail.com"
type="cite">
<div dir="ltr">Yes, this approach would work, and it would be a
good enhancement. It would make migration from NIS easier with
very little impact on users. Are you saying that something like
this can be implemented right now? Or do you mean that this is
how it could be done in the future?</div>
</blockquote>
<br>
In the future. I suggested opening an RFE.<br>
<br>
<blockquote
cite="mid:CAFLz+Bmer1L0byPuZ3zOKB74Cb2m4zVXGKOACN0ispHEu1cZhA@mail.gmail.com"
type="cite">
<div dir="ltr"> How does a host submit a request to the host
admin? Is there a host admin daemon that listens for these
requests?</div>
</blockquote>
<br>
No. And I am not sure it is needed.<br>
To be fair, what you are looking for can be accomplished using
Foreman or Satellite 6 right now.<br>
This is why the RFE would probably be a low priority.<br>
<br>
Integrating with Foreman/Satellite, a person provisioning a system
(or systems) will just click a button to provision a system and it
will be enrolled automatically.<br>
The RFE will be useful when you try to use kickstart in a manual
fashion.<br>
In this case you will use a special admin account as I suggested,
with the password baked into the kickstart (not ideal). But IP range
checking will reduce the risk of adding a rogue system if the
kickstart is stolen.<br>
<br>
But IMO it is better to go the Foreman path right away.<br>
<a class="moz-txt-link-freetext" href="http://theforeman.org/manuals/1.5/index.html#4.3.11FreeIPARealm">http://theforeman.org/manuals/1.5/index.html#4.3.11FreeIPARealm</a><br>
<br>
<blockquote
cite="mid:CAFLz+Bmer1L0byPuZ3zOKB74Cb2m4zVXGKOACN0ispHEu1cZhA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div><br>
</div>
<div><br>
</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sat, Mar 21, 2015 at 1:50 PM, Dmitri
Pal <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:dpal@redhat.com" target="_blank">dpal@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><span class="">
<div>On 03/21/2015 05:53 AM, Prasun Gera wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Is it possible to completely automate
the client enrollment process similar to securenets
in NIS? I'm trying to migrate NIS to IDM, and hoping
that it runs largely in auto-pilot mode. The
kickstart method suggests adding host entries with
a one-time Kerberos password to launch unattended
client installs. That, however, needs the admin's
involvement every time a new host has to be added.
Securenets works pretty well in our case since we
can authenticate based on the IP address. User
addition is still manual, but that's all right since
that is infrequent. Is it possible to do something
similar using IP masks or FQDN regex in IPA? </div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
</span> No, but if you trust your network you can create a
host admin that would have the host add privilege and host
enroll privilege and nothing else, and use this admin.<br>
<br>
IMO it would be a nice enhancement to have a way to
restrict such enrollments to specific subnets. The logic
on the server would be something like this:<br>
<br>
Enrollment request comes in<br>
Is host entry there?<br>
Yes - follow the current logic<br>
Check user privileges<br>
&lt;Check that the client is coming from one of the given
IP ranges&gt; &lt;- new<br>
Enroll<br>
<br>
Would you mind filing an RFE if this approach would work
for you?<span class="HOEnZb"><font color="#888888"><br>
<pre cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</font></span></div>
<br>
--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a moz-do-not-send="true"
href="https://www.redhat.com/mailman/listinfo/freeipa-users"
target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a moz-do-not-send="true" href="http://freeipa.org"
target="_blank">http://freeipa.org</a> for more info on
the project<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
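<br>
To make the two pieces of the reply above concrete, here is an added example (code written for this edit, not code from the thread or from the FreeIPA project): a shell wrapper around the IPA commands for the limited enrollment account, and a stand-alone model of the proposed server-side flow with the subnet check bolted on. Everything it names is an assumption: the role name, the privilege and permission names ("Host Enrollment", "System: Add Hosts"), the user <code>enroller</code>, the <code>example.test</code> hosts and the 10.10.0.0/16 and 192.168.5.0/24 ranges are constructed sample data, and the kickstart line is illustrative only.<br>

```shell
#!/bin/bash
# Added example, not code from the thread or from the FreeIPA project.
# Part 1 wraps the IPA CLI steps for the narrowly scoped enrollment
# account described in the thread; it needs a live IPA server and an
# admin ticket, and the privilege/permission names are assumptions
# (check `ipa privilege-find` and `ipa permission-find` on your server).
# Part 2 is a stand-alone model of the proposed server-side decision,
# including the extra "client must come from an allowed range" step,
# so the logic can be exercised offline against constructed data.
set -u

# ---- Part 1: restricted enrollment account (only meaningful on a real server)
# Usage: create_enrollment_role <role-name> <existing-user>
create_enrollment_role() {
    local role=$1 user=$2
    ipa role-add "$role" --desc="Add and enroll hosts, nothing else" || return 1
    # "Host Enrollment" (assumed name) covers keytab/principal handling;
    # creating the host entry itself needs the add-hosts permission, so it
    # goes into a dedicated privilege instead of the much broader
    # "Host Administrators" privilege.
    ipa role-add-privilege "$role" --privileges="Host Enrollment" || return 1
    ipa privilege-add "Host Add Only" --desc="Create host entries only" || return 1
    ipa privilege-add-permission "Host Add Only" \
        --permissions="System: Add Hosts" || return 1
    ipa role-add-privilege "$role" --privileges="Host Add Only" || return 1
    ipa role-add-member "$role" --users="$user"
}
# The kickstart %post would then carry that account's credentials, e.g.
#   ipa-client-install --unattended --principal=enroller --password='...' \
#       --domain=example.test --realm=EXAMPLE.TEST
# which is the "password baked into the kickstart" trade-off from the thread.

# ---- Part 2: model of the proposed server-side check
# Constructed sample data: pre-created host entries and the subnets from
# which unattended enrollment of a *new* host is acceptable.
HOST_TABLE="web01.example.test db01.example.test"
ENROLL_RANGES="10.10.0.0/16 192.168.5.0/24"

# Dotted quad -> 32-bit integer (octets must be plain decimal).
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_cidr <ip> <network/prefix>: succeeds if ip lies inside the range.
ip_in_cidr() {
    local ip=$1 net=${2%/*} bits=${2#*/} mask
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# enrollment_allowed <fqdn> <client-ip> "<principal privileges>"
# Prints one verdict: existing | enroll | deny-privilege | deny-network.
# Mirrors the flow in the thread: a pre-created entry falls through to
# today's logic (OTP or admin credentials, not modelled here); otherwise
# the principal needs the host-add privilege AND the request must
# originate inside one of ENROLL_RANGES before a host entry is created.
enrollment_allowed() {
    local fqdn=$1 ip=$2 privs=$3 r
    case " $HOST_TABLE " in
        *" $fqdn "*) echo existing; return 0 ;;
    esac
    case " $privs " in
        *" host-add "*) ;;
        *) echo deny-privilege; return 1 ;;
    esac
    for r in $ENROLL_RANGES; do
        if ip_in_cidr "$ip" "$r"; then echo enroll; return 0; fi
    done
    echo deny-network
    return 1
}

# Stand-alone run: the same stolen kickstart credentials used from inside
# the lab subnet and then from an outside address.
if [ "${1:-}" = "demo" ]; then
    enrollment_allowed new01.example.test 10.10.42.7 "host-add host-enroll"
    enrollment_allowed new01.example.test 203.0.113.9 "host-add host-enroll"
fi
```

Run it as <code>bash enroll-check.sh demo</code> to see the two verdicts; the Part 1 function is only worth calling once the privilege names have been confirmed against your own server. The Part 2 check models the proposal only: as the reply says, a current server does not look at the client address, which is exactly why it is an RFE and why, until then, the enrollment account's password in a kickstart is only as safe as the file itself.<br>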
</body>
</html>