On Fri, Aug 15, 2014 at 5:25 AM, Michael Lasevich <[email protected]> wrote: > Sorry, I did not intend to belittle your efforts - just misread the code Didn't take it that way, no worries :)
> (saw you pass in $admin and $password and made wrong assumption that $admin > was admin username) as well as trying to avoid puppet as I find Salt much > quicker and much simpler (and already established in my setup) > > I sat down tonight and threw together a quick salt reactor that does same > thing as your module - creates the host account in IPA with a generated OTP > password and joins the host to the domain using that generated OTP (and > while at it, validates the host against AWS and populates the metadata into > IPA) Ended up having to join the salt master to the domain, which I was > avoiding doing for security reasons, but I can just disable IPA logins in > PAM and call it a day. The nice bit is that it is using the host's keytab > for authentication, so I do not need any extra credentials sitting around. > Seems to be working just fine. :-). I ended up granting the salt-master host > the "Host Administrators" privilege. It seems that "Host Enrollment" > privilege is not sufficient to enroll hosts - go figure. Great! > > The only thing that bugs me is that I am calling IPA python code from my > salt reactor python code via subprocess - there has got to be a better, more > direct way - but I found documentation too confusing to follow at 1 am - > will be a project for another day. There is the python ipa API, not sure how stable or official it is, but if you look in my code I use it occasionally. > > Thanks for your help. Cheers, James -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project
