On 03/21/2015 08:57 PM, Prasun Gera wrote:
Yes, this approach would work, and it would be a good enhancement. It would make migration from NIS easier with very little impact to users. Are you saying that something like this can be implemented right now? Or do you mean that this is how it could be done in future ?


In future. I suggested opening an RFE.

How does a host submit a request to the host admin? Is there a host admin daemon that listens for these requests ?

No. And I am not sure it is needed.
To be fair, what you are looking for can be accomplished using Foreman or Satellite 6 right now.
This is why the RFE would probably be a low priority.

Integrating with Foreman/Satellite, a person provisioning a system (or systems) will just click a button to provision it and it will be enrolled automatically.
The RFE will be useful when you try to use kickstart in a manual fashion.
In this case you will use a special admin account as I suggested, with the password baked into the kickstart (not ideal). But IP range checking will reduce the risk of adding a rogue system if the kickstart is stolen.

But IMO it is better to go the Foreman path right away.
http://theforeman.org/manuals/1.5/index.html#4.3.11FreeIPARealm
On Sat, Mar 21, 2015 at 1:50 PM, Dmitri Pal <d...@redhat.com> wrote:

    On 03/21/2015 05:53 AM, Prasun Gera wrote:
    Is it possible to completely automate the client enrollment
    process similar to securenets in NIS? I'm trying to migrate NIS
    to IDM, and hoping that it runs largely in auto-pilot mode. The
    kickstarter method suggests adding host entries with a one time
    kerberos password to launch unattended client installs. That,
    however, needs the admin's involvement every time a new host has
    to be added. Securenets works pretty well in our case since we
    can authenticate based on the IP address. User addition is still
    manual, but that's all right since that is infrequent. Is it
    possible to do something similar using IP masks or fqdn regex in
    ipa ?


    No but if you trust your network you can create a host admin that
    would have the host add privilege and host enroll privilege and
    nothing else and use this admin.

    IMO it would be a nice enhancement to have a way to restrict such
    enrollments to specific subnets. The logic on the server would be
    something like this:

    Enrollment request comes in
    Is the host entry there?
        Yes - follow the current logic
    Check user privileges
    <Check that the client is coming from one of the given IP ranges>  <- new
    Enroll

    Would you mind filing an RFE if this approach would work for you?

    --
    Thank you,
    Dmitri Pal

    Sr. Engineering Manager IdM portfolio
    Red Hat, Inc.


    --
    Manage your subscription for the Freeipa-users mailing list:
    https://www.redhat.com/mailman/listinfo/freeipa-users
    Go to http://freeipa.org for more info on the project




--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
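The server-side logic sketched in the quoted pseudocode (existing host entry: unchanged current path; otherwise check the principal's privileges, then the new source-subnet check, then enroll), worked out as a standalone policy function. This is an added illustration written for this thread, not FreeIPA code: the privilege names, the request fields, the in-memory host table and the way an existing entry is modelled are all assumptions, and the sample hosts, principals and ranges are constructed.

```python
"""Subnet-restricted host enrollment check (illustration, not FreeIPA code).

Assumptions: an enrollment request carries the FQDN being enrolled, the
source IP the server sees, and the enrolling principal; privileges are a
set of names per principal; pre-created host entries are a set of FQDNs.
"""
from dataclasses import dataclass, field
import ipaddress

# Hypothetical privilege names, chosen to mirror the thread's "host add"
# and "host enroll" privileges; real deployments use their own names.
HOST_ADD = "Host Administrators"
HOST_ENROLL = "Host Enrollment"


@dataclass
class EnrollRequest:
    fqdn: str
    client_ip: str      # address as seen by the server (NAT/proxies matter)
    principal: str


@dataclass
class EnrollmentPolicy:
    existing_hosts: set = field(default_factory=set)     # pre-created entries
    privileges: dict = field(default_factory=dict)       # principal -> {names}
    enroll_ranges: list = field(default_factory=list)    # CIDR strings

    def __post_init__(self):
        # Parse once; strict=False tolerates host bits set in the CIDR.
        self._nets = [ipaddress.ip_network(c, strict=False) for c in self.enroll_ranges]

    def _client_in_allowed_range(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        # A v4 address is never "in" a v6 network and vice versa; ipaddress
        # handles that, so mixed v4/v6 range lists are fine.
        return any(addr in net for net in self._nets)

    def decide(self, req: EnrollRequest) -> tuple:
        """Return (allowed, reason); on success a new FQDN is recorded."""
        privs = self.privileges.get(req.principal, set())

        # Host entry already there: follow the current logic. Modelled here
        # as "the principal needs the enrollment privilege"; no subnet check.
        if req.fqdn in self.existing_hosts:
            if HOST_ENROLL in privs:
                return True, "existing entry: enrolled by current logic"
            return False, "existing entry: principal lacks enrollment privilege"

        # No entry: this is the host-admin path. Check user privileges...
        if HOST_ADD not in privs or HOST_ENROLL not in privs:
            return False, "no entry: principal cannot add and enroll hosts"

        # ...then the proposed new check: the client must come from one of
        # the given IP ranges. A stolen kickstart with the host-admin
        # password baked in is useless from outside these ranges.
        if not self._client_in_allowed_range(req.client_ip):
            return False, f"no entry: client {req.client_ip} outside enrollment ranges"

        self.existing_hosts.add(req.fqdn)
        return True, "no entry: host added and enrolled from permitted range"


def build_demo_policy() -> EnrollmentPolicy:
    """Constructed sample data: one pre-created host, two principals."""
    return EnrollmentPolicy(
        existing_hosts={"pre.example.test"},
        privileges={
            "hostadm": {HOST_ADD, HOST_ENROLL},   # the kickstart account
            "enrollonly": {HOST_ENROLL},          # can only finish pre-created hosts
        },
        enroll_ranges=["10.20.0.0/16", "2001:db8:1::/48"],
    )


if __name__ == "__main__":
    policy = build_demo_policy()
    for req in (
        EnrollRequest("new1.example.test", "10.20.3.4", "hostadm"),
        EnrollRequest("new2.example.test", "192.0.2.7", "hostadm"),
        EnrollRequest("new3.example.test", "10.20.3.9", "enrollonly"),
        EnrollRequest("pre.example.test", "192.0.2.7", "enrollonly"),
    ):
        print(req.fqdn, policy.decide(req))
```

The check only buys what the source address is worth: if clients reach the server through NAT or a proxy, every request shares one address and the range becomes meaningless, so pair it with the least-privileged account the thread describes rather than relying on it alone.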
