On Mon, 14 May 2018, David Harvey wrote:
Thank you, that's a great help.

One follow up question. Is there some way of cajoling ipa host-show into
only displaying specific fields? Or is it better just to use ldapsearch
with a suitable search filter (given both need to use the host or a service
keytab if this is to be run by puppet).
If you only need them, just use ldapsearch. There is no way to control
what fields are returned by IPA CLI -- it is a default set or everything
(--all).

The fields I'm interested in (descriptions, platform, OS, Class) are
thankfully available (at least using the host principal).
Good.


Kind regards,

David

On 14 May 2018 at 14:14, Alexander Bokovoy <aboko...@redhat.com> wrote:

On Tue, 27 Mar 2018, David Harvey via FreeIPA-users wrote:

Dear list,

I'm currently tinkering with adding host attributes (As custom attrs, or
for the moment into the description field).  My intention is to then read
these from the host in order to define some local behaviour for scripts or
puppet.

Example - a concept of machine ownership, or device class for local
scripts or puppet to know about.

The two ways I've thought of so far entail

  - having the CLI tools installed to run IPA commands, or
  - kinit -kt /etc/krb5.keytab followed by ldapsearch to read in the parts
  I'm interested in.

It occurred to me that sssd or some other components I understand less
well might already be able to trivially read the host data IPA holds, or
that the kinit might not be needed given the machine can already read out
getent parts direct from LDAP/IPA values with a non network account in use.

Any ideas or suggestion around this so I don't reinvent the wheel?

While SSSD can be taught to read user-specific attributes by adding them
in the configuration, the same cannot be done for host-specific
attributes. So you are back to those two methods you outline above.

One note is that you'd need to add permissions to be able to read the
attributes we don't explicitly allow for services/host principals. See
https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/ for
details on how to achieve that. For plugin examples look at my
github.com/abbra/ page for freeipa-* plugin repos.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
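
Added example, not part of the original thread: the second method discussed above (kinit with the host keytab, then ldapsearch restricted to the fields of interest), with the LDIF reduced to name=value lines that a script or puppet fact can consume. The server name, base DN and sample LDIF are constructed placeholders, and nsHardwarePlatform, nsOsVersion and userClass are assumed to be the LDAP attributes behind the platform, OS and Class fields.

```shell
#!/bin/sh
# Added example. IPA_SERVER, IPA_BASEDN and SAMPLE_LDIF are constructed placeholders.
IPA_SERVER="${IPA_SERVER:-ipa.example.test}"
IPA_BASEDN="${IPA_BASEDN:-dc=example,dc=test}"
# Assumed LDAP names behind description, platform, OS and Class.
HOST_ATTRS="description nsHardwarePlatform nsOsVersion userClass"

# DN of a host entry in the FreeIPA directory tree.
host_dn() {
    printf 'fqdn=%s,cn=computers,cn=accounts,%s\n' "$1" "$IPA_BASEDN"
}

# Read unwrapped LDIF on stdin, print name=value for attributes in HOST_ATTRS.
# Base64 values ("attr:: ...") are decoded; output is data, never eval it.
ldif_to_facts() {
    wanted_list=$(printf '%s' "$HOST_ATTRS" | tr 'A-Z' 'a-z')
    while IFS= read -r line; do
        attr=${line%%:*}; rest=${line#*:}
        case "$rest" in
            ": "*) value=$(printf '%s' "${rest#: }" | base64 -d) ;;
            " "*)  value=${rest# } ;;
            *)     continue ;;
        esac
        name=$(printf '%s' "$attr" | tr 'A-Z' 'a-z')
        for wanted in $wanted_list; do
            if [ "$name" = "$wanted" ]; then printf '%s=%s\n' "$name" "$value"; fi
        done
    done
}

# Authenticate as the host principal into a throwaway ccache, query only the
# wanted attributes of this host's own entry, then destroy the ticket.
read_host_facts() (
    fqdn=$1
    KRB5CCNAME="FILE:$(mktemp)"; export KRB5CCNAME
    kinit -k -t /etc/krb5.keytab "host/$fqdn" || exit 1
    ldapsearch -Q -LLL -Y GSSAPI -o ldif-wrap=no -H "ldap://$IPA_SERVER" \
        -b "$(host_dn "$fqdn")" -s base $HOST_ATTRS | ldif_to_facts
    kdestroy -q
)

# Constructed sample of what ldapsearch -LLL returns for one host entry.
SAMPLE_LDIF='dn: fqdn=web1.example.test,cn=computers,cn=accounts,dc=example,dc=test
description: owner=team-a
nsHardwarePlatform: x86_64
userClass:: a2lvc2s='
```

On an enrolled host, `read_host_facts "$(hostname -f)"` run as root prints the same name=value lines for the live entry; attributes the host principal is not permitted to read are simply absent from the output.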
