[Freeipa-users] FreeIPA + Foreman 1.5

Stephen Benjamin stbenjam at redhat.com
Wed Apr 23 21:07:58 UTC 2014 

Hi,

----- Original Message -----
> From: "Dmitri Pal" <dpal at redhat.com>
> To: freeipa-users at redhat.com, stbenjam at redhat.com
> Sent: Wednesday, April 23, 2014 10:16:16 PM
> Subject: Re: [Freeipa-users] FreeIPA + Foreman 1.5
> 
> On 04/23/2014 10:00 AM, Stephen Benjamin wrote:
> > Hi All,
> >
> > As part of the next release of Foreman, 1.5, realm join integration
> > is being introduced. The first provider is, of course, FreeIPA.  :-)
> >
> > The first release candidate of 1.5 is out now and I'd really
> > appreciate it if anyone wants to give the FreeIPA integration a good
> > workout.  You can see it in action during today's sprint demo starting
> > at about 36 minutes in:
> >
> >    https://www.youtube.com/watch?v=XliDyFFi-SI#t=36m00
> >
> > Docs about the FreeIPA stuff are here:
> >
> >    http://theforeman.org/manuals/1.5/index.html#4.3.11FreeIPARealm
> >
> > If you run into any problems, I'm happy to help, I'm stbenjam
> > over on #theforeman or #freeipa IRC channels.
> >
> > Note - There's at least one bug whose fix should be merged in RC2:
> > unenrolled hosts aren't deleted from IPA correctly.  Otherwise it
> > should all work as advertised!
> >
> > Thanks!!
> >
> > Stephen
> >
> >
> Very cool!
> 
> Several questions:
> - Is it using IPA smart proxy and if not when and how it will? We would
> probably need to add the instruction on how to set it up instead of the
> native one. I suspect there are some differences and the reason why one
> would be used over another.

It is using a provider built-in to the Foreman Smart Proxy.  However, Rob
and I collaborated to ensure the APIs are compatible.  You should be able
to swap out the Foreman proxy for the FreeIPA proxy when it's released. 

Having the proxy in your repos, and very easily configured is
brilliant, it makes the user experience so much better.  We do need to
make sure it gets SSL authentication enabled.  But over time, I expect
Foreman's proxy to be deprecated and most people to use FreeIPA's, but
we do need ours for older versions.

> - I think the setup script should probably be a part of IPA smart proxy
> project rather than a part of Foreman. IMO it is in the boat as mart
> proxy as it links IPA and Foreman together. What do you think? May be
> there should be spacial repo in IPA. As we move forward we would need to
> have more and more simple scripts to setup specific integration aspects
> with different projects. This is just the first one of them so we need
> to define what we want to do with the next one when it emerges.

The setup script in the video is just creating some permissions we
need, it's here:

  http://projects.theforeman.org/projects/foreman/wiki/IPASmartProxyUser

I would kind of like to see this added to FreeIPA as a role, or somehow
distributed with the FreeIPA proxy package.

I opened an issue about this a while back:
  https://fedorahosted.org/freeipa/ticket/4252

> - You have FreeIPA there as a realm type. Would it be possible to change
> this string because in RHEL it is called "Identity Management"?

"FreeIPA" is used pretty much everywhere, like config files.  Just the UI 
wouldn't be a big issue to alter, if you want to change it for Satellite.

> - Does this support a case when the machine needs to be re-provisioned?
> Does it do the right cleanup?

Yup, it disables the host if enrolled, and then requests a new OTP during
re-provision.

If you update the host group in Foreman, we also send that as a userclass
attribute for use with automembership, although automembership currently
works on initial creation.

> - Moving forward it might make sense to be able to pass other parameters
> to the realm join to pass to ipa client install. I think we need to
> explore this more. For example do you want to configure SUDO or
> automaint integration on the provisioned host? Do you want to generate
> and upload host fingerprint, etc. Where is the right place to track this
> work?

The OTP is accessible to any provisioning template or snippet, so you
can do things however you want.  

We ship some provisioning templates distributed with Foreman, which
use either 1 or 2 ways:

 Fedora 20+ (and RHEL 7+):
  - Built in Anaconda realm join, https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration

 < Fedora 20, RHEL 6, etc:
  - Kickstart snippet:  https://github.com/theforeman/community-templates/blob/master/snippets/freeipa_register.erb

For Anaconda realm join, I don't see where you can pass additional options
to the installer.  For the FreeIPA snippet, you can add a global
parameter to add arbitrary command line options to ipa-client-install.

The snippet and provisioning can be customized however, and special
cases may want to make use of foreman_hooks:

  https://github.com/theforeman/foreman_hooks

However, I specifically predicted the sudoers question, so I
have this blog post about it:

  https://bitbin.de/blog/2014/04/freeipa-sudoers-with-puppet-foreman/

I haven't investigated automount, maybe it's something I can
consider adding to the ipaclient puppet module.

Thanks for the e-mail! I'm definitely interested in feedback.
Feature requests, PR's, etc are all welcome too :-)

  http://projects.theforeman.org/projects/foreman/issues/new


- Stephen

More information about the Freeipa-users mailing list