[Freeipa-users] Automatic client enrollment

Prasun Gera prasun.gera at gmail.com
Sun Mar 22 20:02:51 UTC 2015


Thanks for clarifying that.  Satellite would be restricted to RHEL clients
I think. Foreman would be a good solution, but could be an overkill for
accomplishing just this. I'll have a look and decide. I'll open the RFE too.



On Sun, Mar 22, 2015 at 3:21 PM, Dmitri Pal <dpal at redhat.com> wrote:

>  On 03/21/2015 08:57 PM, Prasun Gera wrote:
>
> Yes, this approach would work, and it would be a good enhancement. It
> would make migration from NIS easier with very little impact to users. Are
> you saying that something like this can be implemented right now? Or do you
> mean that this is how it could be done in future?
>
>
> In future. I suggested opening an RFE.
>
>  How does a host submit a request to the host admin? Is there a host
> admin daemon that listens for these requests?
>
>
> No. And I am not sure it is needed.
> To be fair what you are looking for can be accomplished using Foreman or
> Satellite 6 right now.
> This is why the RFE would probably be a low priority.
>
> Integrating with Foreman/Satellite, a person provisioning a system (or
> systems) will just click a button to provision a system and it will be
> enrolled automatically.
> The RFE will be useful when you try to use kickstart in a manual fashion.
> In this case you will use a special admin account as I suggested with
> password baked into the kickstart (not ideal). But IP range checking will
> reduce the risk of adding a rogue system if the kickstart is stolen.
>
> But IMO it is better to go the Foreman path right away.
> http://theforeman.org/manuals/1.5/index.html#4.3.11FreeIPARealm
>
>
>
>
>
> On Sat, Mar 21, 2015 at 1:50 PM, Dmitri Pal <dpal at redhat.com> wrote:
>
>>  On 03/21/2015 05:53 AM, Prasun Gera wrote:
>>
>> Is it possible to completely automate the client enrollment process
>> similar to securenets in NIS? I'm trying to migrate NIS to IDM, and hoping
>> that it runs largely in auto-pilot mode. The kickstarter method suggests
>> adding host entries with a one time kerberos password to launch unattended
>> client installs. That, however, needs the admin's involvement every time a
>> new host has to be added. Securenets works pretty well in our case since we
>> can authenticate based on the IP address. User addition is still manual,
>> but that's all right since that is infrequent. Is it possible to do
>> something similar using IP masks or fqdn regex in ipa?
>>
>>
>>  No, but if you trust your network you can create a host admin that would
>> have the host add privilege and host enroll privilege and nothing else and
>> use this admin.
>>
>> IMO it would be a nice enhancement to have a way to restrict such
>> enrollments to specific subnets. The logic on the server would be something
>> like this:
>>
>> Enrollment request comes in
>> If host entry there?
>> Yes - follow the current logic
>> Check user privileges
>> <Check that the client is coming from one of the given IP ranges> <-new
>> Enroll
>>
>> Would you mind filing an RFE if this approach would work for you?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>>
>
>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
>
>
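The subnet-restricted enrollment flow sketched in the quoted reply, written out as an added illustration; this is not FreeIPA code, and the `Directory` stand-in, the privilege names and the permitted subnets are constructed placeholders:

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed allow-list of subnets from which new hosts may be enrolled.
ALLOWED_ENROLL_SUBNETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.0.2.0/24"),
]


@dataclass
class EnrollmentRequest:
    fqdn: str        # host requesting enrollment
    client_ip: str   # source address as seen by the server
    requester: str   # account presenting credentials for the enrollment


@dataclass
class Directory:
    """Hypothetical stand-in for the host store and privilege map (not the IPA API)."""
    hosts: set = field(default_factory=set)
    privileges: dict = field(default_factory=dict)  # account -> set of privilege names


def ip_in_allowed_range(client_ip, allowed):
    """True if client_ip (v4 or v6) lies inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable address never passes the range check
    return any(addr in net for net in allowed)


def evaluate_enrollment(req, directory, allowed=ALLOWED_ENROLL_SUBNETS):
    """Return (decision, reason) following the steps listed in the thread."""
    if req.fqdn in directory.hosts:
        # Host entry already there: follow the current logic (e.g. pre-shared OTP).
        return "enroll", "existing host entry; current logic applies"
    # Check user privileges: the restricted host admin needs both privileges.
    privs = directory.privileges.get(req.requester, set())
    if not {"host add", "host enroll"} <= privs:
        return "deny", "requester lacks host add/enroll privilege"
    # New step: the client must come from one of the given IP ranges.
    if not ip_in_allowed_range(req.client_ip, allowed):
        return "deny", f"client {req.client_ip} outside permitted enrollment ranges"
    directory.hosts.add(req.fqdn)
    return "enroll", "new host added from a permitted range"
```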