[Freeipa-users] Specific rights needed to enroll a new host

Rob Crittenden rcritten at redhat.com
Fri Jun 12 13:39:45 UTC 2015


Martin Kosek wrote:
> On 06/12/2015 01:30 AM, Christopher Young wrote:
>> I'm trying to develop a process in Ansible to enroll new hosts (as well as
>> check beforehand to see if the host is already enrolled).  I was wondering a
>> couple of things:
>>
>> #1. Has anyone else worked out a process for doing this using a non
>> 'admin' account?

Create a role and add the privilege 'Host Enrollment'.

>>
>> #2. Is there a simple mechanism (preferably something that could be
>> automated and thus not require any interactivity), that could be used to
>> check as to whether a system is enrolled?  I would hope that some type of
>> simple LDAP search or simple command that could be run to check with easy
>> return codes.
>>
>> In particular, I'm trying to avoid using the 'admin' user to enroll hosts
>> because I'd like to minimize the rights to just the enrollment of new
>> hosts as well as checking for an existing enrollment.
>
> You can do the same check that "ipa host-show" does - see if the host
> has a keytab generated or not. AFAIK, all authenticated users can do
> this check (not retrieve the key itself, but check if it is there).
>
> See my test as non-authenticated user/host:
>
> # klist
> Ticket cache: KEYRING:persistent:0:krb_ccache_nXWwGw1
> Default principal: host/ipa.f22 at F22
>
> Valid starting       Expires              Service principal
> 06/12/2015 03:15:01  06/13/2015 03:15:01  krbtgt/F22 at F22
>
>
> 1. See all hosts
>
>
> [root at ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b
> "cn=computers,cn=accounts,dc=f22" fqdn
> SASL/GSSAPI authentication started
> SASL username: host/ipa.f22 at F22
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=computers,cn=accounts,dc=f22> with scope subtree
> # filter: (objectclass=*)
> # requesting: fqdn
> #
>
> # computers, accounts, f22
> dn: cn=computers,cn=accounts,dc=f22
>
> # ipa.f22, computers, accounts, f22
> dn: fqdn=ipa.f22,cn=computers,cn=accounts,dc=f22
> fqdn: ipa.f22
>
> # is.not.enrolled, computers, accounts, f22
> dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
> fqdn: is.not.enrolled
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 4
> # numEntries: 3
>
>
> 2. See just the unenrolled hosts
>
> [root at ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b
> "cn=computers,cn=accounts,dc=f22" "(!(krbprincipalkey=*))" fqdn
> SASL/GSSAPI authentication started
> SASL username: host/ipa.f22 at F22
> SASL SSF: 56
> SASL data security layer installed.
> # extended LDIF
> #
> # LDAPv3
> # base <cn=computers,cn=accounts,dc=f22> with scope subtree
> # filter: (!(krbprincipalkey=*))
> # requesting: fqdn
> #
>
> # computers, accounts, f22
> dn: cn=computers,cn=accounts,dc=f22
>
> # is.not.enrolled, computers, accounts, f22
> dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
> fqdn: is.not.enrolled
>
> # search result
> search: 4
> result: 0 Success
>
> # numResponses: 3
> # numEntries: 2
>
>
> HTH.
>
>>
>> Any thoughts or feedback that could point me in the best direction would be
>> greatly appreciated!
>>
>> Thanks,
>>
>> Chris
>>
>>
>

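Putting Rob's role-based answer and Martin's krbprincipalkey check together, here is an added shell script (not from this thread or from the FreeIPA project) that returns fixed exit codes an Ansible task can branch on. It assumes a ticket obtained with kinit as a low-privilege user in a role holding the 'Host Enrollment' privilege, that presence filters on krbprincipalkey are permitted for that principal as Martin's test shows, and placeholder values for IPA_SERVER and IPA_HOST_BASE.

```shell
#!/bin/sh
# Added example: report whether a FreeIPA host entry already has a Kerberos
# key (is enrolled), with exit codes 0 enrolled / 1 unenrolled / 2 no entry /
# 3 could not check. Role setup, run once as admin (names are placeholders):
#   ipa role-add 'Host Enroller'
#   ipa role-add-privilege 'Host Enroller' --privileges='Host Enrollment'
#   ipa role-add-member 'Host Enroller' --users=enroll-bot
IPA_SERVER=${IPA_SERVER:-ipa.example.test}                                 # placeholder
IPA_HOST_BASE=${IPA_HOST_BASE:-cn=computers,cn=accounts,dc=example,dc=test} # placeholder

# Count entries in LDIF read from stdin (-LLL output has one "dn:" line per entry).
ldif_entry_count() {
    grep -c '^dn: ' || true   # grep exits 1 on zero matches but still prints 0
}

# Map the two search results to a state and exit code.
# $1 = entries matching (fqdn=HOST); $2 = entries also matching (krbprincipalkey=*)
host_state_from_counts() {
    if [ "$1" -eq 0 ]; then echo absent;   return 2; fi
    if [ "$2" -gt 0 ]; then echo enrolled; return 0; fi
    echo unenrolled
    return 1
}

# Run both searches over GSSAPI. Any LDAP or auth failure yields 3 so a caller
# never mistakes "could not check" for "not enrolled".
ipa_host_state() {
    host=$1   # hostnames contain no RFC 4515 filter metacharacters, so no escaping needed
    all=$(ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$IPA_SERVER" -b "$IPA_HOST_BASE" \
          "(fqdn=$host)" fqdn) || return 3
    keyed=$(ldapsearch -LLL -Q -Y GSSAPI -H "ldap://$IPA_SERVER" -b "$IPA_HOST_BASE" \
          "(&(fqdn=$host)(krbprincipalkey=*))" fqdn) || return 3
    host_state_from_counts "$(printf '%s\n' "$all"   | ldif_entry_count)" \
                           "$(printf '%s\n' "$keyed" | ldif_entry_count)"
}

# Stand-alone use:  ./check-enrolled.sh client.example.test ; echo $?
if [ "$#" -gt 0 ]; then
    ipa_host_state "$1"
    exit $?
fi
```

The second search is what separates "entry exists without a key" from "entry does not exist", which a single (!(krbprincipalkey=*)) filter cannot do on its own.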