[Freeipa-users] Group Policy-like features in FreeIPA

Martin Kosek mkosek at redhat.com
Mon Jan 12 11:52:51 UTC 2015


On 01/12/2015 10:04 AM, Petr Spacek wrote:
> On 11.1.2015 22:16, Dale Macartney wrote:
>> Morning folks
>>
>> I am currently working on a little pet project which I think some would
>> find useful.
>>
>> I would like to introduce some group policy like functionality into a
>> FreeIPA domain.
>>
>> For example:
>> In an environment running FreeIPA Server with Fedora or RHEL based
>> workstations, I would like to be able to introduce a few extra features
>> which initially may be pushed via a login script (maybe even configure a
>> dbus session as well, who knows?).
>>
>> My intentions here would be to be able to apply host specific policies as
>> well as have the option for user specific policies which would be applied
>> when the user logs in.
>>
>> Practically speaking, adding an attribute to LDAP to specify a login script
>> file name is easy enough, however actually fetching this is where I am
>> hoping for a bit of brain storming. My thoughts would be the local user
>> would fetch the name of the login script via ldap, and then perhaps fetch
>> the file from a shared resource on the FreeIPA masters in order to be
>> executed locally.
>>
>> LDAP is obviously replicated, however to my knowledge, there is no file
>> synchronization between masters. I am thinking something similar to the MS
>> equivalent of the SYSVOL data that replicates between MS Domain
>> Controllers. One option would be to store all data within LDAP, however
>> I've seen many scenarios where admins store CD ISO's in replicated domain
>> data, so I am not certain this would be the best option.
>>
>> With this replicated data folder, I would be able to store centrally
>> managed scripts which would be used for hosts or users, and then configure
>> the default user template on each workstation (/etc/skel/) to add the login
>> script file name which would be fetched from the users LDAP attributes.
>>
>>
>> Real world usability for what I am thinking of is a way to manage users who
>> can have their corporate email mailbox configured on login, automatically
>> setting the users session to point to an internal SSO enabled proxy server
>> or perhaps any other number of things which an admin may wish to achieve
>> without the need to manually do the work themselves.
>>
>> Has anyone undertaken a similar scenario in their environments or would
>> perhaps have any suggestions on how to manage the centrally accessible file
>> stores?
> 
> Personally I'm not sure if FreeIPA is the right tool for configuration
> management. IMHO you would end up re-implementing Puppet/Ansible/other
> configuration management system.

Maybe. Though note that this is not the first attempt to add file storage to
FreeIPA. It is currently tracked in
https://fedorahosted.org/freeipa/ticket/1225, free for takers.

I have at least added a link to this proposal, for when the RFE is revisited.

Martin
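The fetch step Dale sketches above (read the script name from the user's LDAP entry, pull the file from a store replicated across the masters, run it locally) is where a practitioner would want an integrity check before anything gets executed. The following is an added example written for this thread, not code from FreeIPA or from any of the posters. It assumes two hypothetical attributes, `loginScript` and `loginScriptSHA256`, which do not exist in the FreeIPA schema, and it stands in for both LDAP and the replicated share with a constructed dict and a temporary directory so it runs offline. The client only returns a script path once the name is a bare file name (so a value cannot escape the store) and the file's SHA-256 matches the digest recorded in the directory entry.

```python
import hashlib
import hmac
import os
import tempfile

# Hypothetical attribute names used for illustration only; the thread
# discusses adding such an attribute, FreeIPA does not ship one.
SCRIPT_ATTR = "loginScript"
DIGEST_ATTR = "loginScriptSHA256"


class LoginScriptError(Exception):
    """Raised when the login script must not be run."""


def build_fixture():
    """Constructed stand-in for the replicated file store and for the LDAP
    user entry that points at a script inside it (not a real IPA entry)."""
    store = tempfile.mkdtemp(prefix="ipa-store-")
    script = b"#!/bin/sh\nexport http_proxy=http://proxy.example.test:3128\n"
    with open(os.path.join(store, "corp-login.sh"), "wb") as fh:
        fh.write(script)
    entry = {
        "uid": ["dale"],
        SCRIPT_ATTR: ["corp-login.sh"],
        DIGEST_ATTR: [hashlib.sha256(script).hexdigest()],
    }
    return store, entry


def resolve_login_script(entry, store_dir):
    """Return the path of the user's login script inside store_dir, or None
    when the entry assigns no script. Raises LoginScriptError when the name
    is unsafe or the file does not match the digest stored in LDAP."""
    names = entry.get(SCRIPT_ATTR, [])
    if not names:
        return None  # no policy assigned to this user
    name = names[0]
    # Accept only a bare file name: "../../etc/profile" or an absolute path
    # would otherwise point the client outside the replicated store.
    if name in ("", ".", "..") or name != os.path.basename(name):
        raise LoginScriptError(f"refusing login script name {name!r}")
    path = os.path.join(store_dir, name)
    with open(path, "rb") as fh:
        data = fh.read()
    expected = entry.get(DIGEST_ATTR, [None])[0]
    if expected is None:
        raise LoginScriptError(f"no digest recorded for {name}")
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time compare; the digest in LDAP is the trust anchor, the
    # file on the share is not trusted until it matches.
    if not hmac.compare_digest(actual, expected):
        raise LoginScriptError(f"digest mismatch for {name}")
    return path


if __name__ == "__main__":
    store, entry = build_fixture()
    print("verified script:", resolve_login_script(entry, store))
```

In a real deployment the dict would come from an LDAP search for the user's entry and `store_dir` would be wherever the replicated share is mounted; the point is that the digest travels through the already-replicated, access-controlled directory, so a file that drifts between masters or is modified on the share is rejected rather than run.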



