<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 08/15/2014 11:25 AM, Michael
Lasevich wrote:<br>
</div>
<blockquote
cite="mid:CAAFs98UbJzPDRUewses--CGbkQHLEYNVdWwnCPd7h09gk3BcMQ@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>Sorry, I did not intend to belittle your efforts - just
misread the code (saw you pass in $admin and $password and
made wrong assumption that $admin was admin username) as
well as trying to avoid puppet as I find Salt much quicker
and much simpler (and already established in my setup)<br>
<br>
I sat down tonight and threw together a quick salt reactor
that does the same thing as your module - creates the host
account in IPA with a generated OTP password and joins the
host to the domain using that generated OTP (and while at
it, validates the host against AWS and populates the
metadata into IPA). Ended up having to join the salt master
to the domain, which I was avoiding doing for security
reasons, but I can just disable IPA logins in PAM and call
it a day. The nice bit is that it is using the host's keytab
for authentication, so I do not need any extra credentials
sitting around. Seems to be working just fine. :-). I ended
up granting the salt-master host the "Host Administrators"
privilege. It seems that "Host Enrollment" privilege is not
sufficient to enroll hosts - go figure. <br>
<br>
The only thing that bugs me is that I am calling IPA python
code from my salt reactor python code via subprocess - there
has got to be a better, more direct way - but I found
documentation too confusing to follow at 1 am - will be a
project for another day.<br>
<br>
</div>
Thanks for your help.<br>
<br>
</div>
</div>
</blockquote>
<br>
Great that it is working for you! Would you mind maybe putting
together a howto page based on your setup for others to benefit from
your sleepless night?<br>
<a class="moz-txt-link-freetext" href="http://www.freeipa.org/page/HowTos">http://www.freeipa.org/page/HowTos</a><br>
<br>
Thanks<br>
Dmitri<br>
<br>
<blockquote
cite="mid:CAAFs98UbJzPDRUewses--CGbkQHLEYNVdWwnCPd7h09gk3BcMQ@mail.gmail.com"
type="cite">
<div dir="ltr">-M<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Thu, Aug 14, 2014 at 6:50 PM, James
<span dir="ltr"><<a moz-do-not-send="true"
href="mailto:purpleidea@gmail.com" target="_blank">purpleidea@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="">On Thu, Aug 14, 2014 at 8:29 PM, Michael
Lasevich<br>
<<a moz-do-not-send="true"
href="mailto:mlasevich@lasevich.net">mlasevich@lasevich.net</a>>
wrote:<br>
> I appreciate it. Maybe I did not read it close
enough, but it seemed to send<br>
> the admin password to every client, which is what I
am trying to avoid.<br>
</div>
Oh no!! Definitely not :) I went to great pains to
specifically avoid<br>
this actually. If you're interested in how the DM and admin
passwords<br>
are managed, read:<br>
<a moz-do-not-send="true"
href="https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/"
target="_blank">https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/</a><br>
<br>
If you're interested in how the clients auth, they do so via<br>
getkeytab, and in order for that to work, puppet passes a
temporary<br>
one-time password to the client, uses it, and verifies that
_that_<br>
client auth-ed. If the password isn't used by that client,
then a new<br>
OTP is generated, and the original is discarded (as it was
probably<br>
used by the wrong client, or maliciously in that rare
scenario).<br>
<br>
All of this to say, that this was quite complex to write, so
I would<br>
consider using the module as is (and even extending it as
needed!).<br>
Secondly, I'd like to point out that I'm not doing any
orchestration,<br>
only config management. Which means this can actually scale!<br>
<div class=""><br>
<br>
><br>
> I will take a closer look, maybe I can bite the
bullet and implement the few<br>
> lines of code that are required to make this work in
Salt (it would take way<br>
> too much work and be generally counterproductive to
switch to Puppet).<br>
<br>
</div>
Of course I can only help with the puppet case, but if you
don't<br>
switch (this module is a winning module, in the same way
that rails<br>
saved ruby, so I would take a closer look) you can at least
use it as<br>
a reference architecture when writing a salt module. That's
the beauty<br>
of Free Software!<br>
<br>
Good luck! HTH,<br>
James<br>
</blockquote>
</div>
<br>
</div>
<br>
<br>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.</pre>
</body>
</html>