On 06/12/2015 01:30 AM, Christopher Young wrote:
I'm trying to develop a process in Ansible to enroll new hosts (as well as
check beforehand to see if the host is already enrolled).  I was wondering a
couple of things:

#1. Has anyone else worked out a process for doing this using a non 'admin'
account?

#2. Is there a simple mechanism (preferably something that could be automated
and thus not require any interactivity), that could be used to check as to
whether a system is enrolled?  I would hope that some type of simple LDAP
search or simple command that could be run to check with easy return codes.

In particular, I'm trying to avoid using the 'admin' user to enroll hosts
because I'd like to minimize the rights to just the enrollment of new hosts as
well as checking for an existing enrollment.

You can do the same check that "ipa host-show" does - see if the host has a keytab generated or not. AFAIK, all authenticated users can do this check (not retrieve the key itself, but check if it is there).

See my test as non-authenticated user/host:

# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_nXWwGw1
Default principal: host/ipa.f22@F22

Valid starting       Expires              Service principal
06/12/2015 03:15:01  06/13/2015 03:15:01  krbtgt/F22@F22


1. See all hosts


[root@ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b "cn=computers,cn=accounts,dc=f22" fqdn
SASL/GSSAPI authentication started
SASL username: host/ipa.f22@F22
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=computers,cn=accounts,dc=f22> with scope subtree
# filter: (objectclass=*)
# requesting: fqdn
#

# computers, accounts, f22
dn: cn=computers,cn=accounts,dc=f22

# ipa.f22, computers, accounts, f22
dn: fqdn=ipa.f22,cn=computers,cn=accounts,dc=f22
fqdn: ipa.f22

# is.not.enrolled, computers, accounts, f22
dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
fqdn: is.not.enrolled

# search result
search: 4
result: 0 Success

# numResponses: 4
# numEntries: 3


2. See just the unenrolled hosts

[root@ipa freeipa]# ldapsearch -h `hostname` -Y GSSAPI -b "cn=computers,cn=accounts,dc=f22" "(!(krbprincipalkey=*))" fqdn
SASL/GSSAPI authentication started
SASL username: host/ipa.f22@F22
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=computers,cn=accounts,dc=f22> with scope subtree
# filter: (!(krbprincipalkey=*))
# requesting: fqdn
#

# computers, accounts, f22
dn: cn=computers,cn=accounts,dc=f22

# is.not.enrolled, computers, accounts, f22
dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22
fqdn: is.not.enrolled

# search result
search: 4
result: 0 Success

# numResponses: 3
# numEntries: 2


HTH.


Any thoughts or feedback that could point me in the best direction would be
greatly appreciated!

Thanks,

Chris
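A per-host version of the ldapsearch check from the reply above, as an added example (not FreeIPA's own code or API, and not something either poster wrote). It turns the thread's two searches into a script with fixed exit codes that an Ansible `command` task can branch on: 0 enrolled (entry matches `(krbprincipalkey=*)`), 1 host entry exists but has no key, 2 no entry. The server name `ipa.f22`, the `HOSTS_BASE` DN, the exit-code values and the sample LDIF are assumptions or constructed; the `dc=f22` suffix and the presence filter come from the thread. The live path needs the same kind of GSSAPI ticket the reply's `klist` shows.

```python
#!/usr/bin/env python3
"""Added example: per-host FreeIPA enrollment check built on the ldapsearch
presence filter shown in the reply (not FreeIPA's own code or API)."""
import re
import subprocess
import sys

# Assumed deployment values; only the dc=f22 suffix comes from the thread.
IPA_SERVER = "ipa.f22"                      # assumption: IPA server to query
HOSTS_BASE = "cn=computers,cn=accounts,dc=f22"

# Exit codes so an Ansible task can branch on them without parsing text.
ENROLLED, UNENROLLED, ABSENT = 0, 1, 2


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so an inventory host name
    cannot change the filter's meaning."""
    for raw, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                     (")", r"\29"), ("\0", r"\00")):
        value = value.replace(raw, esc)
    return value


def build_cmd(fqdn, require_key):
    """argv for the same kind of GSSAPI-bound ldapsearch as in the reply.
    -LLL drops the comment lines, leaving plain LDIF to parse."""
    flt = "(fqdn=%s)" % ldap_escape(fqdn)
    if require_key:
        # krbprincipalkey is not readable, but its presence can be filtered on.
        flt = "(&%s(krbprincipalkey=*))" % flt
    return ["ldapsearch", "-LLL", "-h", IPA_SERVER, "-Y", "GSSAPI",
            "-b", HOSTS_BASE, flt, "fqdn"]


def fqdns_in_ldif(ldif_text):
    """fqdn values of the entries in ldapsearch LDIF output (lower-cased).
    Folded continuation lines are joined first; base64 ('fqdn::') values,
    which an ASCII host name never produces, are ignored."""
    unfolded = ldif_text.replace("\n ", "")
    return {m.group(1).strip().lower()
            for m in re.finditer(r"^fqdn:(?!:)\s*(.+)$", unfolded, re.M)}


def classify(all_ldif, keyed_ldif, fqdn):
    """Combine the two searches: found with a key, found without, or no entry."""
    name = fqdn.lower()
    if name in fqdns_in_ldif(keyed_ldif):
        return ENROLLED
    if name in fqdns_in_ldif(all_ldif):
        return UNENROLLED
    return ABSENT


def run_search(cmd):
    """Run ldapsearch; treat a non-zero exit (bind failure, bad base) as an
    error rather than silently reporting the host as absent."""
    res = subprocess.run(cmd, capture_output=True, text=True)
    if res.returncode != 0:
        raise RuntimeError("ldapsearch exited %d: %s"
                           % (res.returncode, res.stderr.strip()))
    return res.stdout


def check_host(fqdn):
    """Live check: needs a valid Kerberos ticket, as in the reply's klist."""
    return classify(run_search(build_cmd(fqdn, False)),
                    run_search(build_cmd(fqdn, True)), fqdn)


# Constructed sample output (mirrors the two entries seen in the thread),
# so the parsing path can be exercised offline.
SAMPLE_ALL = (
    "dn: fqdn=ipa.f22,cn=computers,cn=accounts,dc=f22\nfqdn: ipa.f22\n\n"
    "dn: fqdn=is.not.enrolled,cn=computers,cn=accounts,dc=f22\n"
    "fqdn: is.not.enrolled\n\n")
SAMPLE_KEYED = ("dn: fqdn=ipa.f22,cn=computers,cn=accounts,dc=f22\n"
                "fqdn: ipa.f22\n\n")

if __name__ == "__main__":
    if len(sys.argv) == 2:
        sys.exit(check_host(sys.argv[1]))
    for host in ("ipa.f22", "is.not.enrolled", "missing.f22"):
        print(host, classify(SAMPLE_ALL, SAMPLE_KEYED, host))
```

Run with a host name as the only argument for the live check (`python3 check_enrolled.py web1.f22; echo $?`), or with no arguments to see the classifier on the constructed sample. The host name is escaped before it is placed in the filter so that a stray `*` or `)` in inventory cannot widen the search, and a failing bind raises instead of being mistaken for "host absent".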



--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project