On Jan 12, 2015 11:04 AM, "Craig White" <>

> *From:* [mailto:] *On Behalf Of* Dale Macartney
> *Sent:* Sunday, January 11, 2015 2:16 PM
> *To:*
> *Subject:* [Freeipa-users] Group Policy-like features in FreeIPA
> Morning folks
> I am currently working on a little pet project which I think some would
> find useful.
> I would like to introduce some group policy-like functionality into a
> FreeIPA domain.
> For example:
> In an environment running FreeIPA Server with Fedora or RHEL based
> workstations, I would like to be able to introduce a few extra features
> which initially may be pushed via a login script (maybe even configure a
> dbus session as well, who knows?).
> My intentions here would be to be able to apply host specific policies as
> well as have the option for user specific policies which would be applied
> when the user logs in.
> Practically speaking, adding an attribute to LDAP to specify a login
> script file name is easy enough, however actually fetching this is where I
> am hoping for a bit of brainstorming. My thoughts would be the local user
> would fetch the name of the login script via LDAP, and then perhaps fetch
> the file from a shared resource on the FreeIPA masters in order to be
> executed locally.
> LDAP is obviously replicated, however to my knowledge, there is no file
> synchronization between masters. I am thinking something similar to the MS
> equivalent of the SYSVOL data that replicates between MS Domain
> Controllers. One option would be to store all data within LDAP, however
> I've seen many scenarios where admins store CD ISOs in replicated domain
> data, so I am not certain this would be the best option.
> With this replicated data folder, I would be able to store centrally
> managed scripts which would be used for hosts or users, and then configure
> the default user template on each workstation (/etc/skel/) to add the login
> script file name which would be fetched from the user's LDAP attributes.
> Real world usability for what I am thinking of is a way to manage users
> who can have their corporate email mailbox configured on login,
> automatically setting the user's session to point to an internal SSO-enabled
> proxy server or perhaps any other number of things which an admin may wish
> to achieve without the need to manually do the work themselves.
> Has anyone undertaken a similar scenario in their environments or would
> perhaps have any suggestions on how to manage the centrally accessible file
> stores?
> Many thanks
> ----
> Specifically, I haven’t fully implemented what you are asking but
> obviously parts and pieces yes.
> One of the best features of Linux and all of its various toolsets is that
> none are quite so overarching and the objectives are more focused. String
> them together and you have a working tool set. As a system administrator,
> you learn to pipe grep output to awk or sed or cut etc.
> SYSVOL <=> NFS and if that doesn’t do it for you, check out Unison.
> I guess one of the temptations of FreeIPA is to try to make it exactly
> like active directory. The FreeIPA developers are already doing an amazing
> job without a ton of manpower.
> Craig
> --
> Manage your subscription for the Freeipa-users mailing list:
> Go To for more info on the project
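
The lookup-then-fetch flow Dale describes (script name in an LDAP attribute, file on a share replicated between masters, executed locally), as an added example that is not part of the original thread or of FreeIPA. The attribute name `loginScript`, the share path `/srv/ipa-scripts` and the `TRUSTED_UID` override are assumptions; the point shown is that both the directory value and the fetched file are checked before anything is run.

```bash
#!/usr/bin/env bash
# Added example. Assumed names: loginScript, /srv/ipa-scripts, TRUSTED_UID.
export LC_ALL=C
SCRIPT_ATTR="loginScript"                       # hypothetical LDAP attribute
SCRIPT_ROOT="${SCRIPT_ROOT:-/srv/ipa-scripts}"  # hypothetical replicated share (e.g. NFS)

# Read LDIF on stdin and print the first plain-text value of $SCRIPT_ATTR.
# Base64 values ("attr:: ...") are refused instead of decoded.
script_name_from_ldif() {
  awk -v attr="$SCRIPT_ATTR" '
    BEGIN { want = tolower(attr) }
    { line = $0; sub(/\r$/, "", line)
      n = index(line, ":"); if (n == 0) next
      if (tolower(substr(line, 1, n - 1)) != want) next
      val = substr(line, n + 1)
      if (substr(val, 1, 1) == ":") exit 1
      sub(/^ +/, "", val); print val; found = 1; exit }
    END { if (!found) exit 1 }'
}

# Bare file names only: no path separators, no leading dot, no shell metacharacters.
valid_script_name() {
  case "$1" in
    ""|.*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 64 ]
}

# Regular file (not a symlink), owned by the trusted UID, not group/other writable.
trusted_script() {
  local f="$1" owner mode
  [ -f "$f" ] && [ ! -L "$f" ] || return 1
  owner=$(stat -c %u "$f") && mode=$(stat -c %a "$f") || return 1
  [ "$owner" -eq "${TRUSTED_UID:-0}" ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# LDIF on stdin -> vetted absolute path on stdout, or non-zero exit.
resolve_login_script() {
  local name path
  name=$(script_name_from_ldif) || { echo "no usable $SCRIPT_ATTR value" >&2; return 1; }
  valid_script_name "$name" || { printf 'rejected name: %q\n' "$name" >&2; return 1; }
  path="$SCRIPT_ROOT/$name"
  trusted_script "$path" || { echo "untrusted or missing: $path" >&2; return 1; }
  printf '%s\n' "$path"
}

# Constructed sample entry, in the form `ldapsearch -LLL -o ldif-wrap=no` prints.
SAMPLE_LDIF='dn: uid=jdoe,cn=users,cn=accounts,dc=example,dc=test
uid: jdoe
loginScript: mail-setup.sh'
printf '%s\n' "$SAMPLE_LDIF" | script_name_from_ldif   # demo on the sample entry
```

In a login hook, the output of an `ldapsearch` for the user's own entry would be piped into `resolve_login_script`, and the script executed only when that function succeeds.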