[Freeipa-users] Automatic client enrollment

Dmitri Pal dpal at redhat.com
Sun Mar 22 19:21:14 UTC 2015


On 03/21/2015 08:57 PM, Prasun Gera wrote:
> Yes, this approach would work, and it would be a good enhancement. It 
> would make migration from NIS easier with very little impact to users. 
> Are you saying that something like this can be implemented right now? 
> Or do you mean that this is how it could be done in future ?

In the future. I suggested opening an RFE.

> How does a host submit a request to the host admin? Is there a host 
> admin daemon that listens for these requests ?

No. And I am not sure it is needed.
To be fair what you are looking for can be accomplished using Foreman or 
Satellite 6 right now.
This is why the RFE would probably be a low priority.

Integrating with Foreman/Satellite, a person provisioning a system (or 
systems) will just click a button to provision a system and it will be 
enrolled automatically.
The RFE will be useful when you try to use kickstart in a manual fashion.
In this case you will use a special admin account as I suggested with 
password baked into the kickstart (not ideal). But IP range checking 
will reduce the risk of adding a rogue system if the kickstart is stolen.

But IMO it is better to go the Foreman path right away.
http://theforeman.org/manuals/1.5/index.html#4.3.11FreeIPARealm

>
> On Sat, Mar 21, 2015 at 1:50 PM, Dmitri Pal <dpal at redhat.com 
> <mailto:dpal at redhat.com>> wrote:
>
>     On 03/21/2015 05:53 AM, Prasun Gera wrote:
>>     Is it possible to completely automate the client enrollment
>>     process similar to securenets in NIS? I'm trying to migrate NIS
>>     to IDM, and hoping that it runs largely in auto-pilot mode. The
>>     kickstarter method suggests adding host entries with a one time
>>     kerberos password to launch unattended client installs. That,
>>     however, needs the admin's involvement every time a new host has
>>     to be added. Securenets works pretty well in our case since we
>>     can authenticate based on the IP address. User addition is still
>>     manual, but that's all right since that is infrequent. Is it
>>     possible to do something similar using IP masks or fqdn regex in
>>     ipa ?
>>
>>
>     No but if you trust your network you can create a host admin that
>     would have the host add privilege and host enroll privilege and
>     nothing else and use this admin.
>
>     IMO it would be a nice enhancement to have a way to restrict such
>     enrollments to specific subnets. The logic on the server would be
>     something like this:
>
>     Enrollment request comes in
>     If host entry there?
>     Yes - follow the current logic
>     Check user privileges
>     <Check that the client is coming from one of the given IPA ranges> <-new
>     Enroll
>
>     Would you mind filing an RFE if this approach would work for you?
>
>     -- 
>     Thank you,
>     Dmitri Pal
>
>     Sr. Engineering Manager IdM portfolio
>     Red Hat, Inc.
>
>
>     --
>     Manage your subscription for the Freeipa-users mailing list:
>     https://www.redhat.com/mailman/listinfo/freeipa-users
>     Go to http://freeipa.org for more info on the project
>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
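The enrollment flow sketched in the quoted reply (existing host entry: current logic; otherwise check the principal's privileges, then check that the client's source address falls inside an allowed range, then enroll) as an added worked example. This is illustrative code written for this page, not FreeIPA's server code or the Foreman realm integration; the role names, the per-principal range table, the host list and the client addresses are all constructed here, and the exact privilege names and the "fail open when no ranges are configured" choice are assumptions.

```python
"""Model of the proposed enrollment decision with a source-subnet check.

Added example, not FreeIPA code. The point it shows: a host-admin
credential baked into a kickstart is only usable from the networks it was
configured for, so a stolen kickstart used from elsewhere is refused.
"""
import ipaddress

# Constructed sample state: hosts that already have an entry.
EXISTING_HOSTS = {"db01.example.test"}

# Constructed privilege table (names are assumptions, not FreeIPA's own).
PRIVILEGES = {
    "hostadmin": {"host_add", "host_enroll"},   # dedicated kickstart account
    "alice": {"host_enroll"},                    # may enroll, may not add
}

# Proposed new setting: source networks a principal may enroll NEW hosts from.
# A principal with no entry is unrestricted here (fail open); a deployment
# could instead deny such principals outright.
ALLOWED_RANGES = {
    "hostadmin": [
        ipaddress.ip_network("10.20.0.0/16"),
        ipaddress.ip_network("192.0.2.0/24"),
    ],
}


def client_in_allowed_range(principal, client_ip, allowed_ranges=ALLOWED_RANGES):
    """True if the principal is unrestricted or client_ip is in one of its ranges."""
    ranges = allowed_ranges.get(principal)
    if ranges is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    # `in` returns False for an address/network version mismatch, so a v6
    # client never matches a v4 range by accident.
    return any(addr in net for net in ranges)


def decide_enrollment(fqdn, principal, client_ip,
                      existing_hosts=EXISTING_HOSTS,
                      privileges=PRIVILEGES,
                      allowed_ranges=ALLOWED_RANGES):
    """Return (allowed, reason) for an enrollment request.

    Mirrors the quoted sketch: an existing host entry takes the current path
    (modelled here as only needing host_enroll); a new host needs host_add and
    host_enroll AND, new in this proposal, a permitted source address.
    """
    granted = privileges.get(principal, set())

    if fqdn in existing_hosts:
        # Current logic, unchanged: OTP/enroll privilege path, no subnet check.
        if "host_enroll" in granted:
            return True, "existing-host"
        return False, "missing-privilege"

    # New host: the principal must be allowed to add and enroll it.
    if not {"host_add", "host_enroll"} <= granted:
        return False, "missing-privilege"

    # Proposed addition: refuse if the request does not come from a
    # configured range for this principal.
    if not client_in_allowed_range(principal, client_ip, allowed_ranges):
        return False, "source-ip-not-allowed"

    return True, "enrolled"


if __name__ == "__main__":
    # Constructed requests: one legitimate kickstart, one replay of the same
    # credential from outside the configured networks.
    for req in [("web01.example.test", "hostadmin", "10.20.5.7"),
                ("web02.example.test", "hostadmin", "203.0.113.9"),
                ("web03.example.test", "alice", "10.20.5.7"),
                ("db01.example.test", "alice", "203.0.113.9")]:
        print(req, "->", decide_enrollment(*req))
```

The decision function is deliberately split from the range check so that the range policy can be audited on its own; in a real server the denied cases would be logged with principal and source address, since a stream of `source-ip-not-allowed` results for the kickstart account is exactly the signal that the kickstart file has leaked.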
