On Fri, 2014-06-06 at 14:03 +0200, Jan Pazdziora wrote:
> On Fri, Jun 06, 2014 at 06:38:10AM -0400, James wrote:
> >
> > I've just announced the first sane implementation for secret handling
> > in puppet. Since everyone does this wrong, I thought I'd do it right,
> > by pioneering a new technique. You can read about it here:
> >
> > https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
> >
> > In short, the dm_password and admin_password never get touched by
> > puppet, and are generated locally on the freeipa server. What this
> > means is that puppet doesn't know what they are, and as a result,
> > can't use them to accomplish admin tasks.
>
> Could we make this functionality part of the ipa-server-install script
> itself? It could be useful outside of puppet as well?
Actually, that is an interesting question! You could for certain use cases, although the amount of different use cases I am currently supporting in the code makes it probably not useful. So I would probably not recommend this. I would wait six months for puppet-ipa to stabilize, and then see what common functionality can be merged into FreeIPA. I already have a few items that could, if you're interested in specifics (we can talk offline).

> Do you have any proposal how to go about ipa-client-install in puppet,
> without having the password stored/exposed there?

Actually, yes! This is a tricky operation in puppet, but it all fully works. It automatically uses an exported one-time password from the host. I should probably write up an article on this process. It has more features too. If you want to play in the code, ping me offline or on IRC, and I can orient you on the steps.
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
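The pattern James describes above (dm_password and admin_password generated on the FreeIPA server itself so the configuration manager never handles them, and clients enrolled with a one-time password issued by the server) as an added shell example. This is not code from puppet-ipa or from FreeIPA; it only uses real ipa-server-install, ipa-client-install and `ipa host-add --random` options. The SECRET_DIR location, the idempotent ensure_secret helper, and the parsing of the "Random password:" line that `ipa host-add --random` prints are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not puppet-ipa or FreeIPA code): generate FreeIPA's
# dm_password and admin_password on the server that uses them, so the
# configuration manager never sees, stores or transports them.
# SECRET_DIR and the OTP output parsing below are assumptions.
set -e

SECRET_DIR="${SECRET_DIR:-/root/.ipa-secrets}"   # assumed location, root-only

# 32 alphanumeric characters from the kernel CSPRNG, produced on this host.
generate_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# Create the named secret once and reuse it on later runs, so a re-run of
# the configuration management never silently rotates a live password.
# Prints the secret; the file is created with umask 077 (mode 0600).
ensure_secret() {
    name=$1
    file="$SECRET_DIR/$name"
    if [ ! -f "$file" ]; then
        ( umask 077; mkdir -p "$SECRET_DIR"; generate_secret > "$file" )
    fi
    cat "$file"
}

# The check a practitioner wants before trusting the store: the file mode
# must be 600 (GNU stat first, BSD stat as fallback).
secret_mode() {
    stat -c '%a' "$SECRET_DIR/$1" 2>/dev/null || stat -f '%Lp' "$SECRET_DIR/$1"
}

# Server side: both passwords come from local files, never from puppet.
# Caveat: ipa-server-install takes them on argv, so they are briefly
# visible in /proc on this host. That stays inside the trust boundary the
# thread cares about (the puppet master never learns them).
install_server() {
    realm=$1
    domain=$2
    dm=$(ensure_secret dm_password)
    admin=$(ensure_secret admin_password)
    ipa-server-install --unattended \
        --realm "$realm" --domain "$domain" \
        --ds-password "$dm" --admin-password "$admin"
}

# Server side: mint a one-time enrollment password for one client host.
# Assumes `ipa host-add --random` prints a line "Random password: ...".
issue_host_otp() {
    ipa host-add "$1" --random | sed -n 's/^ *Random password: *//p'
}

# Client side: enroll with that OTP only; neither the client nor the
# configuration manager ever needs the long-lived admin password.
enroll_client() {
    ipa-client-install --unattended --password "$1"
}

# Usage: ./ipa-secrets.sh server EXAMPLE.COM example.com
#        ./ipa-secrets.sh otp client1.example.com
#        ./ipa-secrets.sh client <otp-from-server>
case "${1:-}" in
    server) install_server "$2" "$3" ;;
    otp)    issue_host_otp "$2" ;;
    client) enroll_client "$2" ;;
esac
```

The OTP printed by `issue_host_otp` is the value puppet-ipa would carry to the client as an exported resource; it is single-use and only good for enrollment, which is why exposing it to the configuration manager is acceptable where exposing admin_password is not.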
