[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dale Macartney
Sent: Sunday, January 11, 2015 2:16 PM
Subject: [Freeipa-users] Group Policy-like features in FreeIPA
I am currently working on a little pet project which I think some would find
I would like to introduce some group policy like functionality into a FreeIPA
In an environment running FreeIPA Server with Fedora or RHEL based
workstations, I would like to be able to introduce a few extra features which
initially may be pushed via a login script (maybe even configure a dbus session
as well, who knows?).
My intentions here would be to be able to apply host specific policies as well
as have the option for user specific policies which would be applied when the
user logs in.
Practically speaking, adding an attribute to LDAP to specify a login script
file name is easy enough, however actually fetching this is where I am hoping
for a bit of brain storming. My thoughts would be the local user would fetch
the name of the login script via ldap, and then perhaps fetch the file from a
shared resource on the FreeIPA masters in order to be executed locally.
LDAP is obviously replicated, however to my knowledge, there is no file
synchronization between masters. I am thinking something similar to the MS
equivalent of the SYSVOL data that replicates between MS Domain Controllers.
One option would be to store all data within LDAP, however I've seen many
scenarios where admins store CD ISOs in replicated domain data, so I am not
certain this would be the best option.
With this replicated data folder, I would be able to store centrally managed
scripts which would be used for hosts or users, and then configure the default
user template on each workstation (/etc/skel/) to add the login script file
name which would be fetched from the user's LDAP attributes.
Real world usability for what I am thinking of is a way to manage users who can
have their corporate email mailbox configured on login, automatically setting
the user's session to point to an internal SSO enabled proxy server or perhaps
any other number of things which an admin may wish to achieve without the need
to manually do the work themselves.
Has anyone undertaken a similar scenario in their environments or would perhaps
have any suggestions on how to manage the centrally accessible file stores?
Specifically, I haven’t fully implemented what you are asking but obviously
parts and pieces yes.
One of the best features of Linux and all of its various toolsets is that one
are quite so overarching and the objectives are more focused. String them
together and you have a working tool set. As a system administrator, you learn
to pipe grep output to awk or sed or cut etc.
SYSVOL <=> NFS and if that doesn’t do it for you, check out Unison.
I guess one of the temptations of FreeIPA is to try to make it exactly like
active directory. The FreeIPA developers are already doing an amazing job
without a ton of manpower.
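The design in the original post (script file name in a user's LDAP attribute, script body on a shared folder) means the workstation executes whatever file that attribute names. As an added example that is not part of this thread, the POSIX sh check below is what a login hook could run before executing the fetched script: it assumes the attribute value has already been read (for instance via ldapsearch or SSSD), that the replicated share is mounted locally, and that scripts are owned by uid 0; the share layout and return codes are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the thread: gate a login script whose file name
# was fetched from the user's LDAP attribute before running it from the shared
# folder. Assumptions: the attribute value is already in $1 (in practice from
# ldapsearch or SSSD), the replicated share is mounted at $2, and scripts must
# be owned by uid $3 (default 0 = root) and not be group- or world-writable.
#
# Prints the full path and returns 0 when the script is safe to run; otherwise
# returns 1 (bad name), 2 (not a regular file), 3 (wrong owner), 4 (writable).
check_login_script() {
    name=$1 share=$2 owner=${3:-0}
    # Accept only a bare file name: no slashes, no leading dot ("..", ".rc"),
    # nothing outside [A-Za-z0-9._-]. A crafted attribute value then cannot
    # point outside the share or at some other local file.
    case $name in
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    path=$share/$name
    # Must be a regular file, and not a symlink that redirects elsewhere.
    { [ -f "$path" ] && [ ! -L "$path" ]; } || return 2
    # Mode string and numeric owner from ls -ldn (portable across GNU/BSD).
    set -- $(ls -ldn "$path")
    mode=$1 file_owner=$3
    [ "$file_owner" = "$owner" ] || return 3
    # Character 6 of the mode string is group-write, character 9 other-write.
    case $mode in
        ?????w*|????????w*) return 4 ;;
    esac
    printf '%s\n' "$path"
}

# Demo against a constructed share in a temporary directory.
demo() {
    share=$(mktemp -d)
    printf '#!/bin/sh\necho configure mailbox\n' > "$share/corp-mail.sh"
    chmod 0755 "$share/corp-mail.sh"
    cp "$share/corp-mail.sh" "$share/loose.sh" && chmod 0777 "$share/loose.sh"
    for attr in corp-mail.sh loose.sh ../other.sh 'bad name.sh' missing.sh; do
        rc=0; check_login_script "$attr" "$share" "$(id -u)" >/dev/null || rc=$?
        printf '%-20s -> rc=%s\n' "$attr" "$rc"
    done
    rm -rf "$share"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with `sh check_login_script.sh demo` to see each constructed attribute value accepted or rejected; the owner argument is the numeric uid expected to own scripts on the share.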
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project