[Freeipa-users] Declarative configuration options?

Martin Basti mbasti at redhat.com
Thu Aug 11 12:18:39 UTC 2016



On 10.08.2016 22:52, Mike LoSapio wrote:
> Something declarative which can be version controlled and considered a
> "source of truth" and driven from configuration management (chef,
> puppet, ansible - whatever your flavor)
>
> A scheme to reconcile account properties, group memberships,
> permissions, etc... I could see how this would be a slippery slope
> because of the depth of groupings/permissions/etc... but a
> version-controlled declarative user config gives a nice record for
> auditors (When did mike get an account, who granted access to him,
> when did he get access, what other access has he had over the last
> year... etc..)
>
> ~~ Pseudo declaration
> ipa_user: mike
>    uid: mlosapio
>    first_name: mike
>    last_name: losapio
>
No, we don't have this declarative way to import data.

You can create a script using the Python IPA API to process a JSON/YAML
file, for example.
Or maybe this RFE is what you need:
https://fedorahosted.org/freeipa/ticket/5821, but it didn't get priority.

Martin
>
>
>
> On Wed, Aug 3, 2016 at 1:56 PM, Martin Basti <mbasti at redhat.com> wrote:
>>
>> On 01.08.2016 22:50, Mike LoSapio wrote:
>>> Hi there,
>>>
>>> Is there anyone out there with a good system for storing users,
>>> groups, hosts, etc.. in some sort of version controlled repo w/ flat
>>> files that could plug into "two-man" workflows for user-account
>>> creation and privilege/group membership changes, etc.
>>>
>>> There's some github projects out there to help installing FreeIPA
>>> server and a few to get clients up and running, but nothing (that I
>>> could find) for the on-going management of FreeIPA resources.
>>>
>>>
>>>
>>> So in puppet world (just as an example) - I'd be looking for something
>>> like a puppet-defined-type freeipa_user with all the attributes
>>> required and more-importantly all the code-glue that puts it all
>>> together...
>>>
>>>
>>> Figured I'd ask if there's anything already out there before
>>> I re-invent the wheel.
>>>
>>>
>>> TIA,
>>> --Mike
>>>
>> Hello,
>>
>> Sorry, but I don't understand exactly what you need. Can you be more
>> specific? Do you need a script that provisions users?
>>
>> Martin
>>
>>
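
A sketch of the kind of script suggested in the reply above, as an added example that is not part of the original thread or of FreeIPA's own code: it diffs a version-controlled JSON declaration against a snapshot of the server and returns the `ipa` commands needed to reconcile them, so the plan can be reviewed before anything is applied. The JSON layout, the `plan` function and the sample data are assumptions; the snapshot is passed in as a dict where a real script would fetch it through the IPA API.

```python
import json
import shlex

# Constructed desired state (hypothetical schema, modelled on the pseudo
# declaration in the thread). This is the file that lives in version control.
DESIRED = json.loads("""
{"users": {
  "mlosapio": {"first": "mike", "last": "losapio", "groups": ["ops"]},
  "jdoe":     {"first": "Jane", "last": "Doe", "groups": ["ops", "auditors"]}
}}
""")

# Constructed snapshot of the server's current state (assumption: a real
# script would build this from the IPA API instead of hard-coding it).
CURRENT = {"users": {
    "jdoe":  {"first": "Jane", "last": "Do", "groups": ["ops", "admins"]},
    "admin": {"first": "", "last": "Administrator", "groups": ["admins"]},
}}


def plan(desired, current):
    """Return (commands, unmanaged): the ipa CLI calls that move the server
    to the declared state, and accounts the declaration does not know."""
    cmds = []
    for uid, want in sorted(desired["users"].items()):
        have = current["users"].get(uid)
        if have is None:
            cmds.append(["ipa", "user-add", uid,
                         f"--first={want['first']}", f"--last={want['last']}"])
            have = {"groups": []}
        else:
            changed = [f"--{k}={want[k]}" for k in ("first", "last")
                       if have.get(k) != want[k]]
            if changed:
                cmds.append(["ipa", "user-mod", uid] + changed)
        # Membership drift in both directions: grants missing on the server
        # and grants present on the server that the repo never approved.
        for g in sorted(set(want["groups"]) - set(have["groups"])):
            cmds.append(["ipa", "group-add-member", g, f"--users={uid}"])
        for g in sorted(set(have["groups"]) - set(want["groups"])):
            cmds.append(["ipa", "group-remove-member", g, f"--users={uid}"])
    # Accounts outside the declaration are reported, never changed, so a
    # built-in account such as admin is not touched by an incomplete file.
    unmanaged = sorted(set(current["users"]) - set(desired["users"]))
    # shlex.join quotes every argument, so values from the file cannot
    # smuggle extra shell syntax into the reviewed plan.
    return [shlex.join(c) for c in cmds], unmanaged
```

Running `plan(DESIRED, CURRENT)` in a review job and applying the commands only after a second person approves the diff gives the "two-man" workflow asked about earlier in the thread.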



