[Freeipa-users] Group Policy-like features in FreeIPA

Dmitri Pal dpal at redhat.com
Mon Jan 12 13:34:46 UTC 2015


On 01/12/2015 06:52 AM, Martin Kosek wrote:
> On 01/12/2015 10:04 AM, Petr Spacek wrote:
>> On 11.1.2015 22:16, Dale Macartney wrote:
>>> Morning folks
>>>
>>> I am currently working on a little pet project which I think some would
>>> find useful.
>>>
>>> I would like to introduce some group policy like functionality into a
>>> FreeIPA domain.
>>>
>>> For example:
>>> In an environment running FreeIPA Server with Fedora or RHEL based
>>> workstations, I would like to be able to introduce a few extra features
>>> which initially may be pushed via a login script (maybe even configure a
>>> dbus session as well, who knows?).
>>>
>>> My intentions here would be to be able to apply host specific policies as
>>> well as have the option for user specific policies which would be applied
>>> when the user logs in.
>>>
>>> Practically speaking, adding an attribute to LDAP to specify a login script
>>> file name is easy enough, however actually fetching this is where I am
>>> hoping for a bit of brain storming. My thoughts would be the local user
>>> would fetch the name of the login script via ldap, and then perhaps fetch
>>> the file from a shared resource on the FreeIPA masters in order to be
>>> executed locally.
>>>
>>> LDAP is obviously replicated, however to my knowledge, there is no file
>>> synchronization between masters. I am thinking something similar to the MS
>>> equivalent of the SYSVOL data that replicates between MS Domain
>>> Controllers. One option would be to store all data within LDAP, however
>>> I've seen many scenarios where admins store CD ISOs in replicated domain
>>> data, so I am not certain this would be the best option.
>>>
>>> With this replicated data folder, I would be able to store centrally
>>> managed scripts which would be used for hosts or users, and then configure
>>> the default user template on each workstation (/etc/skel/) to add the login
>>> script file name which would be fetched from the user's LDAP attributes.
>>>
>>>
>>> Real world usability for what I am thinking of is a way to manage users who
>>> can have their corporate email mailbox configured on login, automatically
>>> setting the user's session to point to an internal SSO enabled proxy server
>>> or perhaps any other number of things which an admin may wish to achieve
>>> without the need to manually do the work themselves.
>>>
>>> Has anyone undertaken a similar scenario in their environments or would
>>> perhaps have any suggestions on how to manage the centrally accessible file
>>> stores?
>> Personally I'm not sure if FreeIPA is the right tool for configuration
>> management. IMHO you would end up re-implementing Puppet/Ansible/other
>> configuration management system.
> Maybe. Though note that this is not the first attempt to add file storage to
> FreeIPA. It is currently tracked in
> https://fedorahosted.org/freeipa/ticket/1225, free for takers.
>
> I at least added a link to this proposal, for when the RFE is revisited.
>
> Martin
>
I would say there are two parts:
- The scripts that need to be delivered and run
- Information which scripts to run and parameters of the script

Storing scripts in IPA is IMO a bad idea.
However, IPA is a reasonable place for storing information related to a 
script invocation.

Scripts can be delivered with Puppet/Chef/Salt/Ansible or just live on a 
mount point.
IPA can be a good place to store this mount point and identify the 
script and arguments to run on login from that mount point.

2c.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
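As an added example (not code from this thread or from FreeIPA), the following shows how a client-side login hook could consume the split described above: the directory entry carries a mount point, a script path relative to that mount, and an argument string, while the scripts themselves live on the mount. The client treats those three values as untrusted input and checks them before executing anything: the mount must be one the client administrator has allowed, the script path must stay inside the mount even after symlink resolution, and the file must be owned by a trusted uid and not be writable by anyone else. The attribute names (`loginScriptMount`, `loginScriptName`, `loginScriptArgs`), the allow-list and the demo mount layout are assumptions; the LDAP lookup itself is replaced by a constructed dict.

```python
"""Resolve and vet a login-script invocation described by directory attributes."""
import os
import shlex
import stat
import subprocess
import tempfile
from pathlib import Path

# Hypothetical attribute names; the thread proposes adding attributes like these
# to IPA but does not name them.
ATTR_MOUNT = "loginScriptMount"   # which shared mount point to use
ATTR_SCRIPT = "loginScriptName"   # script path relative to that mount
ATTR_ARGS = "loginScriptArgs"     # arguments, quoted like a shell command line


class PolicyError(ValueError):
    """Directory-supplied invocation data failed a client-side check."""


def resolve_login_script(attrs, allowed_mounts):
    """Turn attribute values into an argv, or raise PolicyError.

    The directory may choose among mount points the client already trusts,
    but cannot name an arbitrary path, an absolute script, or a path that
    climbs out of the mount (by '..' or by symlink).
    """
    mount = attrs.get(ATTR_MOUNT)
    if mount not in allowed_mounts:
        raise PolicyError(f"mount point {mount!r} is not allowed on this client")
    name = attrs.get(ATTR_SCRIPT, "")
    if not name or name.startswith("/") or ".." in Path(name).parts:
        raise PolicyError(f"script name {name!r} must be a plain relative path")
    mount_path = Path(mount).resolve()
    script = (mount_path / name).resolve()   # follows symlinks, so check containment after
    if mount_path not in script.parents:
        raise PolicyError(f"{script} is outside {mount_path}")
    # The argument string is split like a shell would split it, but the result is
    # executed as argv directly; no shell ever sees the directory-supplied text.
    return [str(script), *shlex.split(attrs.get(ATTR_ARGS, ""))]


def check_script_file(path, trusted_uid=0):
    """Refuse scripts that someone other than the trusted owner could have edited."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PolicyError(f"{path} is not a regular file")
    if st.st_uid != trusted_uid:
        raise PolicyError(f"{path} is owned by uid {st.st_uid}, expected {trusted_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PolicyError(f"{path} is writable by group or others")
    return True


def is_rejected(attrs, allowed_mounts, trusted_uid=0):
    """True if the invocation fails resolution or the file check."""
    try:
        argv = resolve_login_script(attrs, allowed_mounts)
        check_script_file(argv[0], trusted_uid)
    except PolicyError:
        return True
    return False


def run_login_script(attrs, allowed_mounts, trusted_uid=0):
    """Resolve, vet and execute; returns the script's exit status."""
    argv = resolve_login_script(attrs, allowed_mounts)
    check_script_file(argv[0], trusted_uid)
    return subprocess.run(argv, check=False).returncode


def make_demo_mount():
    """Constructed stand-in for a replicated script share (a temp directory)."""
    root = Path(tempfile.mkdtemp(prefix="ipa-scripts-"))
    (root / "env").mkdir()
    good = root / "env" / "setup.sh"
    good.write_text('#!/bin/sh\necho "configuring session, proxy=${2:-none}"\n')
    good.chmod(0o755)                      # owner-writable only: acceptable
    loose = root / "env" / "loose.sh"
    loose.write_text("#!/bin/sh\nexit 0\n")
    loose.chmod(0o777)                     # world-writable: must be refused
    (root / "env" / "escape.sh").symlink_to("/etc/profile")  # symlink out of the mount
    return {"mount": str(root), "uid": os.getuid()}


if __name__ == "__main__":
    demo = make_demo_mount()
    entry = {ATTR_MOUNT: demo["mount"], ATTR_SCRIPT: "env/setup.sh",
             ATTR_ARGS: "--proxy 'http://proxy.example.test:3128'"}
    print("argv:", resolve_login_script(entry, [demo["mount"]]))
    print("exit:", run_login_script(entry, [demo["mount"]], trusted_uid=demo["uid"]))
```

In production `trusted_uid` stays at its default of root and the allow-list is part of the client's own configuration, so a compromised or mistyped directory value can at most select among scripts that root already placed on a trusted share; the ownership and mode checks are what make the "scripts live on a mount point" half of the design safe to act on.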



