[Freeipa-users] Group Policy-like features in FreeIPA

Petr Spacek pspacek at redhat.com
Mon Jan 12 09:04:20 UTC 2015


On 11.1.2015 22:16, Dale Macartney wrote:
> Morning folks
> 
> I am currently working on a little pet project which I think some would
> find useful.
> 
> I would like to introduce some Group Policy-like functionality into a
> FreeIPA domain.
> 
> For example:
> In an environment running FreeIPA Server with Fedora or RHEL based
> workstations, I would like to be able to introduce a few extra features
> which initially may be pushed via a login script (maybe even configure a
> dbus session as well, who knows?).
> 
> My intentions here would be to be able to apply host specific policies as
> well as have the option for user specific policies which would be applied
> when the user logs in.
> 
> Practically speaking, adding an attribute to LDAP to specify a login script
> file name is easy enough, however actually fetching this is where I am
> hoping for a bit of brainstorming. My thoughts would be the local user
> would fetch the name of the login script via LDAP, and then perhaps fetch
> the file from a shared resource on the FreeIPA masters in order to be
> executed locally.
> 
> LDAP is obviously replicated, however to my knowledge, there is no file
> synchronization between masters. I am thinking something similar to the MS
> equivalent of the SYSVOL data that replicates between MS Domain
> Controllers. One option would be to store all data within LDAP, however
> I've seen many scenarios where admins store CD ISOs in replicated domain
> data, so I am not certain this would be the best option.
> 
> With this replicated data folder, I would be able to store centrally
> managed scripts which would be used for hosts or users, and then configure
> the default user template on each workstation (/etc/skel/) to add the login
> script file name which would be fetched from the user's LDAP attributes.
> 
> 
> Real world usability for what I am thinking of is a way to manage users who
> can have their corporate email mailbox configured on login, automatically
> setting the user's session to point to an internal SSO-enabled proxy server
> or perhaps any other number of things which an admin may wish to achieve
> without the need to manually do the work themselves.
> 
> Has anyone undertaken a similar scenario in their environments or would
> perhaps have any suggestions on how to manage the centrally accessible file
> stores?

Personally I'm not sure if FreeIPA is the right tool for configuration
management. IMHO you would end up re-implementing Puppet/Ansible/other
configuration management system.

IMHO FreeIPA is the right place to manage policy-kit policies because these
are basically access control rules but I would not go much further.

(BTW newer versions of policy-kit can express policy as normal JavaScript code
which in theory could call/communicate with a wrapper around LDAP/SSSD.)

-- 
Petr^2 Spacek
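A polkit rule of the kind mentioned above, as an added example that is not part of the original message: it grants one action to members of a FreeIPA-managed group (on a FreeIPA client, subject.isInGroup() resolves through NSS/SSSD, so the group membership is the centrally managed policy). The group name, action id and the small `polkit` harness below are assumptions constructed so the rule can be exercised offline; on a real host only the `polkit.addRule(...)` call belongs in a file under /etc/polkit-1/rules.d/.

```javascript
// Constructed stand-in for the polkit rule engine (assumption; not the real
// engine). It reproduces the relevant semantics: rules run in order and the
// first non-null result wins; NOT_HANDLED is null, as in polkit itself.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
  evaluate(actionId, subject) {
    for (const rule of this._rules) {
      const r = rule({ id: actionId }, subject);
      if (r !== null && r !== undefined) return r;
    }
    return null; // no rule decided: polkit falls back to the action's default
  },
};

// Assumed names for illustration: the action being governed and the IPA group.
const MANAGED_ACTION = "org.freedesktop.NetworkManager.settings.modify.system";
const ADMIN_GROUP = "ipa-workstation-admins";

// The rule itself: this is the part that would be installed on the client.
polkit.addRule(function (action, subject) {
  // Leave every other action to later rules / the packaged defaults.
  if (action.id !== MANAGED_ACTION) return polkit.Result.NOT_HANDLED;
  // Only local, active sessions get the fast path; anything else falls through.
  if (!subject.local || !subject.active) return polkit.Result.NOT_HANDLED;
  // Group membership is the policy: admins are allowed outright, everyone
  // else must authenticate as an administrator.
  return subject.isInGroup(ADMIN_GROUP) ? polkit.Result.YES : polkit.Result.AUTH_ADMIN;
});

// Constructed subject object mirroring the fields polkit exposes to rules.
function makeSubject(user, groups, opts = {}) {
  return {
    user,
    local: opts.local ?? true,
    active: opts.active ?? true,
    isInGroup: (g) => groups.includes(g),
  };
}

// Evaluate the installed rule for a given user, group list and session state.
function decide(user, groups, opts) {
  return polkit.evaluate(MANAGED_ACTION, makeSubject(user, groups, opts));
}
```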
