On 01/12/2015 10:04 AM, Petr Spacek wrote: > On 11.1.2015 22:16, Dale Macartney wrote: >> Morning folks >> >> I am currently working on a little pet project which I think some would >> find useful. >> >> I would like to introduce some group policy like functionality into a >> FreeIPA domain. >> >> For example: >> In an environment running FreeIPA Server with Fedora or RHEL based >> workstations, I would like to be able to introduce a few extra features >> which initially may be pushed via a login script (maybe even configure a >> dbus session as well, who knows?). >> >> My intentions here would be to be able to apply host specific policies as >> well as have the option for user specific policies which would be applied >> when the user logs in. >> >> Practically speaking, adding an attribute to LDAP to specify a login script >> file name is easy enough, however actually fetching this is where I am >> hoping for a bit of brain storming. My thoughts would be the local user >> would fetch the name of the login script via ldap, and then perhaps fetch >> the file from a shared resource on the FreeIPA masters in order to be >> executed locally. >> >> LDAP is obviously replicated, however to my knowledge, there is no file >> synchronization between masters. I am thinking something similar to the MS >> equivalent of the SYSVOL data that replicates between MS Domain >> Controllers. One option would be to store all data within LDAP, however >> I've seen many scenarios where admins store CD ISO's in replicated domain >> data, so I am not certain this would be the best option. >> >> With this replicated data folder, I would be able to store centrally >> managed scripts which would be used for hosts or users, and then configure >> the default user template on each workstation (/etc/skel/) to add the login >> script file name which would be fetched from the users LDAP attributes. >> >> >> Real world usability for what I am thinking of is a way to manage users who >> can have their corporate email mailbox configured on login, automatically >> setting the users session to point to an internal SSO enabled proxy server >> or perhaps any other number of things which an admin may wish to achieve >> without the need to manually do the work themselves. >> >> Has anyone undertaken a similar scenario in their environments or would >> perhaps have any suggestions on how to manage the centrally accessible file >> stores? > > Personally I'm not sure if FreeIPA is the right tool for configuration > management. IMHO you would end up re-implementing Puppet/Ansible/other > configuration management system.
Maybe. Though note that this not the first attempt to add a file storage to FreeIPA. It is currently tracked in https://fedorahosted.org/freeipa/ticket/1225, free for takers. I at least added a link to this proposal when the RFE is revisited. Martin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project