[Freeipa-users] Automatic client enrollment
Prasun Gera
prasun.gera at gmail.com
Sun Mar 22 00:57:59 UTC 2015
Yes, this approach would work, and it would be a good enhancement. It would
make migration from NIS easier with very little impact to users. Are you
saying that something like this can be implemented right now? Or do you
mean that this is how it could be done in future ? How does a host submit a
request to the host admin? Is there a host admin daemon that listens for
these requests ?
On Sat, Mar 21, 2015 at 1:50 PM, Dmitri Pal <dpal at redhat.com> wrote:
> On 03/21/2015 05:53 AM, Prasun Gera wrote:
>
> Is it possible to completely automate the client enrollment process
> similar to securenets in NIS? I'm trying to migrate NIS to IDM, and hoping
> that it runs largely in auto-pilot mode. The kickstarter method suggests
> adding host entries with a one time kerberos password to launch unattended
> client installs. That, however, needs the admin's involvement every time a
> new host has to be added. Securenets works pretty well in our case since we
> can authenticate based on the IP address. User addition is still manual,
> but that's all right since that is infrequent. Is it possible to do
> something similar using IP masks or fqdn regex in ipa ?
>
>
> No but if you trust your network you can create a host admin that would
> have the host add privilege and host enroll privilege and nothing else and
> use this admin.
>
> IMO it would be a nice enhancement to have a way to restrict such
> enrollments to specific subnets. The logic on the server would be something
> like this:
>
> Enrollment request comes in
> If host entry there?
> Yes - follow the current logic
> Check user privileges
> <Check that the client is coming from one of the given IPA ranges> <-new
> Enroll
>
> Would you mind filing an RFE if this approach would work for you?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150321/a022c9ea/attachment.htm>
More information about the Freeipa-users
mailing list