[Freeipa-users] FreeIPA + Foreman 1.5

Dmitri Pal dpal at redhat.com
Wed Apr 23 20:16:16 UTC 2014


On 04/23/2014 10:00 AM, Stephen Benjamin wrote:
> Hi All,
>
> As part of the next release of Foreman, 1.5, realm join integration
> is being introduced. The first provider is, of course, FreeIPA.  :-)
>
> The first release candidate of 1.5 is out now and I'd really
> appreciate it if anyone wants to give the FreeIPA integration a good
> workout.  You can see it in action during today's sprint demo starting
> at about 36 minutes in:
>
>    https://www.youtube.com/watch?v=XliDyFFi-SI#t=36m00
>
> Docs about the FreeIPA stuff are here:
>
>    http://theforeman.org/manuals/1.5/index.html#4.3.11FreeIPARealm
>
> If you run into any problems, I'm happy to help, I'm stbenjam
> over on #theforeman or #freeipa IRC channels.
>
> Note - There's at least one bug whose fix should be merged in RC2:
> unenrolled hosts aren't deleted from IPA correctly.  Otherwise it
> should all work as advertised!
>
> Thanks!!
>
> Stephen
>
>
Very cool!

Several questions:
- Is it using the IPA smart proxy, and if not, when and how will it? We would 
probably need to add the instruction on how to set it up instead of the 
native one. I suspect there are some differences and the reason why one 
would be used over another.
- I think the setup script should probably be a part of the IPA smart proxy 
project rather than a part of Foreman. IMO it is in the same boat as the smart 
proxy, as it links IPA and Foreman together. What do you think? Maybe 
there should be a special repo in IPA. As we move forward we would need to 
have more and more simple scripts to set up specific integration aspects 
with different projects. This is just the first one of them, so we need 
to define what we want to do with the next one when it emerges.
- You have FreeIPA there as a realm type. Would it be possible to change 
this string because in RHEL it is called "Identity Management"?
- Does this support a case when the machine needs to be re-provisioned? 
Does it do the right cleanup?
- Moving forward, it might make sense to be able to pass other parameters 
to the realm join to pass to ipa client install. I think we need to 
explore this more. For example, do you want to configure SUDO or 
automount integration on the provisioned host? Do you want to generate 
and upload host fingerprint, etc. Where is the right place to track this 
work?

This is all that comes to mind so far.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



