[Freeipa-users] Group Policy-like features in FreeIPA

brendan kearney bpk678 at gmail.com
Mon Jan 12 16:20:30 UTC 2015


OpenAFS?
On Jan 12, 2015 11:04 AM, "Craig White" <CWhite at skytouchtechnology.com>
wrote:

>  *From:* freeipa-users-bounces at redhat.com [mailto:
> freeipa-users-bounces at redhat.com] *On Behalf Of *Dale Macartney
> *Sent:* Sunday, January 11, 2015 2:16 PM
> *To:* freeipa-users at redhat.com
> *Subject:* [Freeipa-users] Group Policy-like features in FreeIPA
>
>
>
> Morning folks
>
> I am currently working on a little pet project which I think some would
> find useful.
>
> I would like to introduce some group policy like functionality into a
> FreeIPA domain.
>
> For example:
>
> In an environment running FreeIPA Server with Fedora or RHEL based
> workstations, I would like to be able to introduce a few extra features
> which initially may be pushed via a login script (maybe even configure a
> dbus session as well, who knows?).
>
> My intentions here would be to be able to apply host specific policies as
> well as have the option for user specific policies which would be applied
> when the user logs in.
>
> Practically speaking, adding an attribute to LDAP to specify a login
> script file name is easy enough, however actually fetching this is where I
> am hoping for a bit of brain storming. My thoughts would be the local user
> would fetch the name of the login script via ldap, and then perhaps fetch
> the file from a shared resource on the FreeIPA masters in order to be
> executed locally.
>
> LDAP is obviously replicated, however to my knowledge, there is no file
> synchronization between masters. I am thinking something similar to the MS
> equivalent of the SYSVOL data that replicates between MS Domain
> Controllers. One option would be to store all data within LDAP, however
> I've seen many scenarios where admins store CD ISO's in replicated domain
> data, so I am not certain this would be the best option.
>
> With this replicated data folder, I would be able to store centrally
> managed scripts which would be used for hosts or users, and then configure
> the default user template on each workstation (/etc/skel/) to add the login
> script file name which would be fetched from the users LDAP attributes.
>
>  Real world usability for what I am thinking of is a way to manage users
> who can have their corporate email mailbox configured on login,
> automatically setting the users session to point to an internal SSO enabled
> proxy server or perhaps any other number of things which an admin may wish
> to achieve without the need to manually do the work themselves.
>
> Has anyone undertaken a similar scenario in their environments or would
> perhaps have any suggestions on how to manage the centrally accessible file
> stores?
>
> Many thanks
> ----
>
> Specifically, I haven’t fully implemented what you are asking but
> obviously parts and pieces yes.
>
> One of the best features of Linux and all of its various toolsets is that
> none are quite so overarching and the objectives are more focused. String
> them together and you have a working tool set. As a system administrator,
> you learn to pipe grep output to awk or sed or cut etc.
>
> SYSVOL <=> NFS and if that doesn't do it for you, check out Unison.
>
> I guess one of the temptations of FreeIPA is to try to make it exactly
> like active directory. The FreeIPA developers are already doing an amazing
> job without a ton of manpower.
>
> Craig
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
>
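The fetch-validate-execute flow Dale sketches above (script name from an LDAP attribute on the user, script body from a replicated share such as the NFS or Unison store Craig suggests, executed locally at login), written out as an added example. This is not code from the thread or from FreeIPA: the attribute name `loginScript`, the mount point `/srv/ipa-scripts` and the directory contents are assumptions, and the LDAP lookup is stubbed with a constructed dict so the example runs offline (in production it would be an `ldapsearch` or python-ldap query against the IPA masters).

```python
"""Fetch and run a per-user login script named by an LDAP attribute.

Added example, not FreeIPA code. Assumptions: the user's entry carries a
``loginScript`` attribute holding a bare file name, and the replicated
script store (NFS/Unison) is mounted read-only at DEFAULT_SHARE_ROOT on
every workstation. The LDAP search is replaced by a constructed dict.
"""
import os
import stat
import subprocess
from pathlib import Path

# Constructed stand-in for LDAP search results (DN -> attributes).
CONSTRUCTED_DIRECTORY = {
    "uid=alice,cn=users,cn=accounts,dc=example,dc=com": {
        "loginScript": ["configure-mail.sh"],
    },
    # A hostile or mistyped value: it must never escape the share.
    "uid=mallory,cn=users,cn=accounts,dc=example,dc=com": {
        "loginScript": ["../../etc/profile"],
    },
}

# Assumed mount point of the replicated script store on the workstation.
DEFAULT_SHARE_ROOT = Path("/srv/ipa-scripts")


class PolicyError(Exception):
    """Raised when a login script fails validation and must not run."""


def lookup_login_script(dn, directory=CONSTRUCTED_DIRECTORY):
    """Return the loginScript value for dn, or None if the attribute is unset."""
    values = directory.get(dn, {}).get("loginScript", [])
    return values[0] if values else None


def validate_script_name(name):
    """Accept only a bare file name: no separators, traversal, NULs or dotfiles."""
    if not name or name.startswith(".") or any(c in name for c in "/\\\0"):
        raise PolicyError(f"rejected script name {name!r}")
    return name


def resolve_script(name, share_root):
    """Resolve name under share_root (following symlinks) and refuse anything outside."""
    root = Path(share_root).resolve(strict=True)
    path = (root / name).resolve(strict=True)
    if root not in path.parents:
        raise PolicyError(f"{path} is outside the script share {root}")
    return path


def check_script_trust(path, trusted_uid=0):
    """Require a regular file owned by trusted_uid, writable only by its owner.

    The share is mounted on every client, so anyone who can write the file
    or its directory gets code execution in every login session.
    """
    for p in (path, path.parent):
        st = os.stat(p)
        if st.st_uid != trusted_uid:
            raise PolicyError(f"{p} is not owned by uid {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PolicyError(f"{p} is group- or world-writable")
    if not stat.S_ISREG(os.stat(path).st_mode):
        raise PolicyError(f"{path} is not a regular file")
    return path


def fetch_login_script(dn, share_root=DEFAULT_SHARE_ROOT, trusted_uid=0,
                       directory=CONSTRUCTED_DIRECTORY):
    """LDAP attribute -> validated path on the share, or None if no script is set."""
    name = lookup_login_script(dn, directory)
    if name is None:
        return None
    path = resolve_script(validate_script_name(name), share_root)
    return check_script_trust(path, trusted_uid)


def run_login_script(dn, **kwargs):
    """Run the user's script with the caller's own privileges; return its exit code."""
    path = fetch_login_script(dn, **kwargs)
    if path is None:
        return 0
    # Runs as the logging-in user (never root); the share is the working directory.
    result = subprocess.run(["/bin/sh", str(path)], cwd=str(path.parent), check=False)
    return result.returncode


if __name__ == "__main__":
    for dn in CONSTRUCTED_DIRECTORY:
        try:
            print(dn, "->", fetch_login_script(dn))
        except (PolicyError, FileNotFoundError) as exc:
            print(dn, "-> refused:", exc)
```

The checks are the point of the example rather than the plumbing: the LDAP value is treated as untrusted input and reduced to a bare file name, symlinks are resolved before the containment check so a link pointing out of the share is refused, and ownership and mode are checked on both the file and its directory, because a replicated share that any account can write to turns every workstation login into an execution channel for that account.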