[Freeipa-users] Automatic client enrollment
Dmitri Pal
dpal at redhat.com
Sun Mar 22 19:21:14 UTC 2015
On 03/21/2015 08:57 PM, Prasun Gera wrote:
> Yes, this approach would work, and it would be a good enhancement. It
> would make migration from NIS easier with very little impact to users.
> Are you saying that something like this can be implemented right now?
> Or do you mean that this is how it could be done in future ?
In future. I suggested opening an RFE.
> How does a host submit a request to the host admin? Is there a host
> admin daemon that listens for these requests ?
No. And I am not sure it is needed.
To be fair, what you are looking for can be accomplished using Foreman or
Satellite 6 right now.
This is why the RFE would probably be a low priority.
Integrating with Foreman/Satellite, a person provisioning a system (or
systems) will just click a button to provision it and it will be
enrolled automatically.
The RFE will be useful when you try to use kickstart in a manual fashion.
In this case you will use a special admin account as I suggested, with the
password baked into the kickstart (not ideal). But IP range checking
will reduce the risk of adding a rogue system if the kickstart is stolen.
But IMO it is better to go the Foreman path right away.
http://theforeman.org/manuals/1.5/index.html#4.3.11FreeIPARealm
>
>
>
> On Sat, Mar 21, 2015 at 1:50 PM, Dmitri Pal <dpal at redhat.com
> <mailto:dpal at redhat.com>> wrote:
>
> On 03/21/2015 05:53 AM, Prasun Gera wrote:
>> Is it possible to completely automate the client enrollment
>> process similar to securenets in NIS? I'm trying to migrate NIS
>> to IDM, and hoping that it runs largely in auto-pilot mode. The
>> kickstarter method suggests adding host entries with a one time
>> kerberos password to launch unattended client installs. That,
>> however, needs the admin's involvement every time a new host has
>> to be added. Securenets works pretty well in our case since we
>> can authenticate based on the IP address. User addition is still
>> manual, but that's all right since that is infrequent. Is it
>> possible to do something similar using IP masks or fqdn regex in
>> ipa ?
>>
>>
> No but if you trust your network you can create a host admin that
> would have the host add privilege and host enroll privilege and
> nothing else and use this admin.
>
> IMO it would be a nice enhancement to have a way to restrict such
> enrollments to specific subnets. The logic on the server would be
> something like this:
>
>   Enrollment request comes in
>   If host entry there?
>     Yes - follow the current logic
>     No -
>       Check user privileges
>       <Check that the client is coming from one of the given IP ranges> <- new
>       Enroll
>
> Would you mind filing an RFE if this approach would work for you?
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
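The decision flow sketched in the quoted message (existing host entry -> current logic; otherwise privilege check, then the proposed source-subnet check) as a small, added illustration. This is not FreeIPA code and not part of the original thread; the server state, request fields, principal name "hostadmin", host names and address ranges are all constructed for the example, and the "current logic" branch is reduced to "OTP present or privileged account".

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple


@dataclass
class EnrollmentRequest:
    """Constructed model of an enrollment attempt as seen by the server."""
    fqdn: str
    client_ip: str
    principal: str = ""        # account presenting credentials; "" when only an OTP is used
    has_otp: bool = False      # one-time password pre-provisioned on an existing host entry


@dataclass
class ServerState:
    """Constructed model of what the server knows (hypothetical, not IPA's data model)."""
    existing_hosts: Set[str] = field(default_factory=set)
    host_admin_principals: Set[str] = field(default_factory=set)   # host add + enroll privilege
    allowed_ranges: List = field(default_factory=list)             # the proposed RFE's subnets


def parse_ranges(cidrs: Iterable[str]) -> list:
    """Turn CIDR strings into network objects; IPv4 and IPv6 are both accepted."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def decide(req: EnrollmentRequest, state: ServerState) -> Tuple[bool, str]:
    """Return (allowed, reason) following the flow from the quoted message."""
    # Step 1: host entry already there -> follow the current logic.
    if req.fqdn in state.existing_hosts:
        if req.has_otp or req.principal in state.host_admin_principals:
            return True, "existing host entry: current enrollment path"
        return False, "existing host entry but neither OTP nor privileged principal"

    # Step 2: no host entry -> the presenting account needs host add + enroll privilege.
    if req.principal not in state.host_admin_principals:
        return False, "principal lacks host add/enroll privilege"

    # Step 3 (the proposed addition): the client must come from a permitted range.
    # A stolen kickstart with the baked-in password still fails here from outside.
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return False, "unparseable client address"
    if not any(ip in net for net in state.allowed_ranges):
        return False, f"{ip} is outside the permitted enrollment ranges"

    return True, "host added and enrolled automatically"


# Constructed sample state and requests for the demonstration.
DEMO_STATE = ServerState(
    existing_hosts={"db1.example.test"},
    host_admin_principals={"hostadmin"},
    allowed_ranges=parse_ranges(["10.20.0.0/16", "fd00:1::/64"]),
)

DEMO_REQUESTS = [
    EnrollmentRequest("db1.example.test", "203.0.113.9", has_otp=True),        # pre-created host, OTP
    EnrollmentRequest("web7.example.test", "10.20.31.5", principal="hostadmin"),  # kickstart, in range
    EnrollmentRequest("rogue.example.test", "203.0.113.7", principal="hostadmin"),  # stolen kickstart
    EnrollmentRequest("v6box.example.test", "fd00:1::42", principal="hostadmin"),   # IPv6, in range
    EnrollmentRequest("nobody.example.test", "10.20.1.1", principal="someuser"),    # no privilege
]


def run_demo() -> dict:
    """Evaluate every constructed request; keyed by FQDN -> (allowed, reason)."""
    return {r.fqdn: decide(r, DEMO_STATE) for r in DEMO_REQUESTS}


if __name__ == "__main__":
    for fqdn, (ok, why) in run_demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {fqdn:22} {why}")
```

The "rogue.example.test" case is the scenario from the reply above: the host-admin password has leaked with the kickstart, but the request originates outside the configured ranges, so it is refused even though the privilege check passed.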