Seems like a decent alternative would be to just have a second webservice/on top of puppet that allows agents to authenticate with their Kerberos token and authorize their SSL certificate request that way. That should be fairly easy to build with just some fiddling with mod_auth_kerb, Apache configs and puppet auth.conf.

On 17 June 2013 23:44, <[email protected]> wrote:
>
> On Tuesday, June 11, 2013 6:38:59 PM UTC-7, Trevor Vaughan wrote:
>>
>> If you're already joining a machine to a Kerberos realm, then you're
>> probably either doing it at install time using a first layer authorization
>> subsystem (razor type install), or you're hopping on after the fact to
>> register the system, or you're using Puppet to do it.
>
> Right. The step where a privileged operation adds a machine to the domain
> is something that already has to happen. By using Kerberos authentication
> of agents to the puppet master we eliminate a second privileged operation
> to register the machine to puppet, and also avoid deploying PKI for agents.
> We still need PKI for puppet masters -- but that infrastructure is already
> in place.
>
> I hope that makes sense. I think these are important justification points
> for the armature.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Developers" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> Visit this group at http://groups.google.com/group/puppet-dev.
> For more options, visit https://groups.google.com/groups/opt_out.

--
Erik Dalén
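
The authorization decision such a Kerberos-fronted signing service has to make, as an added example that is not part of the original thread and not Puppet's own code. `authorize_csr` and `sample_csr` are hypothetical names; it assumes the web server has already authenticated the agent and passes its principal in the form `host/<fqdn>@<REALM>`.

```ruby
require 'openssl'

# Hypothetical policy check for the signing service sketched in the thread.
# Assumption: the front end (e.g. Apache with mod_auth_kerb) has already
# authenticated the agent and hands us its principal, "host/<fqdn>@<REALM>".
HOST_PRINCIPAL = %r{\Ahost/([a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)@([A-Z0-9.-]+)\z}

# Returns [true, certname] if the CSR may be signed, else [false, reason].
def authorize_csr(principal, csr_pem, allowed_realm)
  m = HOST_PRINCIPAL.match(principal.to_s)
  return [false, 'not a host principal'] unless m
  fqdn, realm = m[1], m[2]
  return [false, 'unexpected realm'] unless realm == allowed_realm

  begin
    csr = OpenSSL::X509::Request.new(csr_pem.to_s)
    sig_ok = csr.verify(csr.public_key) # proof of possession of the key
  rescue OpenSSL::OpenSSLError
    return [false, 'unparseable CSR']
  end
  return [false, 'bad CSR signature'] unless sig_ok

  # Bind the ticket identity to the certificate identity: without this, any
  # enrolled host could obtain a certificate for another node's name.
  cns = csr.subject.to_a.select { |name, _, _| name == 'CN' }.map { |_, v, _| v }
  return [false, 'CSR must carry exactly one CN'] unless cns.length == 1
  return [false, 'CN does not match principal'] unless cns.first.downcase == fqdn

  # Refuse requested extensions (such as subjectAltName), which could widen
  # the set of names the issued certificate is valid for.
  ext = csr.attributes.any? { |a| %w[extReq msExtReq].include?(a.oid) }
  return [false, 'CSR requests extensions'] if ext
  [true, fqdn]
end

# Constructed sample input: a throwaway key and CSR for a made-up hostname.
def sample_csr(cn, key = OpenSSL::PKey::RSA.new(2048))
  req = OpenSSL::X509::Request.new
  req.version = 0
  req.subject = OpenSSL::X509::Name.new([['CN', cn]])
  req.public_key = key
  req.sign(key, OpenSSL::Digest.new('SHA256'))
  req.to_pem
end

if __FILE__ == $PROGRAM_NAME
  p authorize_csr('host/web01.example.com@EXAMPLE.COM', sample_csr('web01.example.com'), 'EXAMPLE.COM')
end
```
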
