[Freeipa-users] Group Policy-like features in FreeIPA

Petr Spacek pspacek at redhat.com
Tue Jan 13 09:10:23 UTC 2015


On 12.1.2015 17:20, brendan kearney wrote:
> OpenAFS?

If you insist on a replicated FS then try Gluster.

Petr^2 Spacek

> On Jan 12, 2015 11:04 AM, "Craig White" <CWhite at skytouchtechnology.com>
> wrote:
> 
>>  *From:* freeipa-users-bounces at redhat.com [mailto:
>> freeipa-users-bounces at redhat.com] *On Behalf Of *Dale Macartney
>> *Sent:* Sunday, January 11, 2015 2:16 PM
>> *To:* freeipa-users at redhat.com
>> *Subject:* [Freeipa-users] Group Policy-like features in FreeIPA
>>
>>
>>
>> Morning folks
>>
>> I am currently working on a little pet project which I think some would
>> find useful.
>>
>> I would like to introduce some group policy like functionality into a
>> FreeIPA domain.
>>
>> For example:
>>
>> In an environment running FreeIPA Server with Fedora or RHEL based
>> workstations, I would like to be able to introduce a few extra features
>> which initially may be pushed via a login script (maybe even configure a
>> dbus session as well, who knows?).
>>
>> My intentions here would be to be able to apply host specific policies as
>> well as have the option for user specific policies which would be applied
>> when the user logs in.
>>
>> Practically speaking, adding an attribute to LDAP to specify a login
>> script file name is easy enough, however actually fetching this is where I
>> am hoping for a bit of brain storming. My thoughts would be the local user
>> would fetch the name of the login script via ldap, and then perhaps fetch
>> the file from a shared resource on the FreeIPA masters in order to be
>> executed locally.
>>
>> LDAP is obviously replicated, however to my knowledge, there is no file
>> synchronization between masters. I am thinking something similar to the MS
>> equivalent of the SYSVOL data that replicates between MS Domain
>> Controllers. One option would be to store all data within LDAP, however
>> I've seen many scenarios where admins store CD ISO's in replicated domain
>> data, so I am not certain this would be the best option.
>>
>> With this replicated data folder, I would be able to store centrally
>> managed scripts which would be used for hosts or users, and then configure
>> the default user template on each workstation (/etc/skel/) to add the login
>> script file name which would be fetched from the users LDAP attributes.
>>
>>  Real world usability for what I am thinking of is a way to manage users
>> who can have their corporate email mailbox configured on login,
>> automatically setting the users session to point to an internal SSO enabled
>> proxy server or perhaps any other number of things which an admin may wish
>> to achieve without the need to manually do the work themselves.
>>
>> Has anyone undertaken a similar scenario in their environments or would
>> perhaps have any suggestions on how to manage the centrally accessible file
>> stores?
>>
>> Many thanks
>> ----
>>
>> Specifically, I haven’t fully implemented what you are asking but
>> obviously parts and pieces yes.
>>
>> One of the best features of Linux and all of its various toolsets is that
>> none are quite so overarching and the objectives are more focused. String
>> them together and you have a working tool set. As a system administrator,
>> you learn to pipe grep output to awk or sed or cut etc.
>>
>> SYSVOL ⇔ NFS and if that doesn’t do it for you, check out Unison.
>>
>> I guess one of the temptations of FreeIPA is to try to make it exactly
>> like active directory. The FreeIPA developers are already doing an amazing
>> job without a ton of manpower.
>>
>> Craig
>>


-- 
Petr^2 Spacek
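An added example, not code from this thread or from the FreeIPA project: the checks a workstation could apply to a login-script name read from the user's LDAP entry before running the file from the replicated share (NFS or Gluster mount) discussed above. The mount point /srv/ipa-scripts and the attribute name loginScript are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): validate a login-script name taken from
# a user's LDAP attribute before executing the file from the shared store.
SCRIPT_ROOT="${SCRIPT_ROOT:-/srv/ipa-scripts}"        # assumed mount of the share
SCRIPT_OWNER="${SCRIPT_OWNER:-0}"                     # uid allowed to own scripts (root)
LOGIN_SCRIPT_ATTR="${LOGIN_SCRIPT_ATTR:-loginScript}" # hypothetical attribute name

# validate_login_script NAME -> prints the full path and returns 0 when NAME is
# safe to execute from the share; returns 1 on any failed check.
validate_login_script() {
    name=$1
    # Only a bare file name is accepted: no directories, no dot-files, no '..'.
    case "$name" in
        ''|*/*|.*) return 1 ;;
    esac
    path="$SCRIPT_ROOT/$name"
    # Must be a regular file and not a symlink (a link could point outside the share).
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    # Must be owned by the expected uid; otherwise anyone on the share could plant a script.
    [ "$(stat -c '%u' "$path")" = "$SCRIPT_OWNER" ] || return 1
    # Must not be group- or world-writable (write bits at positions 6 and 9 of the mode string).
    case "$(stat -c '%A' "$path")" in
        ?????w*|????????w*) return 1 ;;
    esac
    printf '%s\n' "$path"
}

# fetch_login_script_name USER -> the attribute value from the user's IPA entry.
# Uses the host's Kerberos credentials; the base DN comes from ldapsearch defaults.
fetch_login_script_name() {
    ldapsearch -LLL -Q -Y GSSAPI "(uid=$1)" "$LOGIN_SCRIPT_ATTR" 2>/dev/null \
        | sed -n "s/^$LOGIN_SCRIPT_ATTR: //p" | head -n 1
}

# run_login_script USER -> validates the configured script, then runs it.
run_login_script() {
    name=$(fetch_login_script_name "$1") || return 1
    [ -n "$name" ] || return 0    # no script configured: nothing to do
    path=$(validate_login_script "$name") || { echo "refusing login script '$name'" >&2; return 1; }
    /bin/sh "$path"
}
```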