On Fri, Jun 06, 2014 at 06:38:10AM -0400, James wrote:
>
> I've just announced the first sane implementation for secret handling
> in puppet. Since everyone does this wrong, I thought I'd do it right,
> by pioneering a new technique. You can read about it here:
>
> https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
>
> In short, the dm_password and admin_password never get touched by
> puppet, and are generated locally on the freeipa server. What this
> means is that puppet doesn't know what they are, and as a result,
> can't use them to accomplish admin tasks.

Could we make this functionality part of the ipa-server-install script
itself? It could be useful outside of puppet as well?

Do you have any proposal how to go about ipa-client-install in puppet,
without having the password stored/exposed there?

-- 
Jan Pazdziora
Principal Software Engineer, Identity Management Engineering, Red Hat