Re: [Freeipa-users] Group Policy-like features in FreeIPA

2015-01-13 Thread Petr Spacek
On 12.1.2015 17:20, brendan kearney wrote:
> OpenAFS?

If you insist on a replicated FS then try Gluster.

Petr^2 Spacek

> On Jan 12, 2015 11:04 AM, "Craig White" 
> wrote:
> 
>>  *From:* freeipa-users-boun...@redhat.com [mailto:
>> freeipa-users-boun...@redhat.com] *On Behalf Of *Dale Macartney
>> *Sent:* Sunday, January 11, 2015 2:16 PM
>> *To:* freeipa-users@redhat.com
>> *Subject:* [Freeipa-users] Group Policy-like features in FreeIPA
>>
>>
>>
>> Morning folks
>>
>> I am currently working on a little pet project which I think some would
>> find useful.
>>
>> I would like to introduce some group policy like functionality into a
>> FreeIPA domain.
>>
>> For example:
>>
>> In an environment running FreeIPA Server with Fedora or RHEL based
>> workstations, I would like to be able to introduce a few extra features
>> which initially may be pushed via a login script (maybe even configure a
>> dbus session as well, who knows?).
>>
>> My intentions here would be to be able to apply host specific policies as
>> well as have the option for user specific policies which would be applied
>> when the user logs in.
>>
>> Practically speaking, adding an attribute to LDAP to specify a login
>> script file name is easy enough, however actually fetching this is where I
>> am hoping for a bit of brain storming. My thoughts would be the local user
>> would fetch the name of the login script via ldap, and then perhaps fetch
>> the file from a shared resource on the FreeIPA masters in order to be
>> executed locally.
>>
>> LDAP is obviously replicated, however to my knowledge, there is no file
>> synchronization between masters. I am thinking something similar to the MS
>> equivalent of the SYSVOL data that replicates between MS Domain
>> Controllers. One option would be to store all data within LDAP, however
>> I've seen many scenarios where admins store CD ISO's in replicated domain
>> data, so I am not certain this would be the best option.
>>
>> With this replicated data folder, I would be able to store centrally
>> managed scripts which would be used for hosts or users, and then configure
>> the default user template on each workstation (/etc/skel/) to add the login
>> script file name which would be fetched from the user's LDAP attributes.
>>
>>  Real world usability for what I am thinking of is a way to manage users
>> who can have their corporate email mailbox configured on login,
>> automatically setting the user's session to point to an internal SSO enabled
>> proxy server or perhaps any other number of things which an admin may wish
>> to achieve without the need to manually do the work themselves.
>>
>> Has anyone undertaken a similar scenario in their environments or would
>> perhaps have any suggestions on how to manage the centrally accessible file
>> stores?
>>
>> Many thanks
>> 
>>
>> Specifically, I haven’t fully implemented what you are asking but
>> obviously parts and pieces yes.
>>
>> One of the best features of Linux and all of its various toolsets is that
>> one are quite so overarching and the objectives are more focused. String
>> them together and you have a working tool set. As a system administrator,
>> you learn to pipe grep output to awk or sed or cut etc.
>>
>> SYSVOL <=> NFS and if that doesn’t do it for you, check out Unison.
>>
>> I guess one of the temptations of FreeIPA is to try to make it exactly
>> like active directory. The FreeIPA developers are already doing an amazing
>> job without a ton of manpower.
>>
>> Craig
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go To http://freeipa.org for more info on the project
>>
> 
> 
> 


-- 
Petr^2 Spacek



Re: [Freeipa-users] Group Policy-like features in FreeIPA

2015-01-12 Thread brendan kearney
OpenAFS?
On Jan 12, 2015 11:04 AM, "Craig White" 
wrote:

>  *From:* freeipa-users-boun...@redhat.com [mailto:
> freeipa-users-boun...@redhat.com] *On Behalf Of *Dale Macartney
> *Sent:* Sunday, January 11, 2015 2:16 PM
> *To:* freeipa-users@redhat.com
> *Subject:* [Freeipa-users] Group Policy-like features in FreeIPA
>
>
>
> Morning folks
>
> I am currently working on a little pet project which I think some would
> find useful.
>
> I would like to introduce some group policy like functionality into a
> FreeIPA domain.
>
> For example:
>
> In an environment running FreeIPA Server with Fedora or RHEL based
> workstations, I would like to be able to introduce a few extra features
> which initially may be pushed via a login script (maybe even configure a
> dbus session as well, who knows?).
>
> My intentions here would be to be able to apply host specific policies as
> well as have the option for user specific policies which would be applied
> when the user logs in.
>
> Practically speaking, adding an attribute to LDAP to specify a login
> script file name is easy enough, however actually fetching this is where I
> am hoping for a bit of brain storming. My thoughts would be the local user
> would fetch the name of the login script via ldap, and then perhaps fetch
> the file from a shared resource on the FreeIPA masters in order to be
> executed locally.
>
> LDAP is obviously replicated, however to my knowledge, there is no file
> synchronization between masters. I am thinking something similar to the MS
> equivalent of the SYSVOL data that replicates between MS Domain
> Controllers. One option would be to store all data within LDAP, however
> I've seen many scenarios where admins store CD ISO's in replicated domain
> data, so I am not certain this would be the best option.
>
> With this replicated data folder, I would be able to store centrally
> managed scripts which would be used for hosts or users, and then configure
> the default user template on each workstation (/etc/skel/) to add the login
> script file name which would be fetched from the user's LDAP attributes.
>
>  Real world usability for what I am thinking of is a way to manage users
> who can have their corporate email mailbox configured on login,
> automatically setting the user's session to point to an internal SSO enabled
> proxy server or perhaps any other number of things which an admin may wish
> to achieve without the need to manually do the work themselves.
>
> Has anyone undertaken a similar scenario in their environments or would
> perhaps have any suggestions on how to manage the centrally accessible file
> stores?
>
> Many thanks
> 
>
> Specifically, I haven’t fully implemented what you are asking but
> obviously parts and pieces yes.
>
> One of the best features of Linux and all of its various toolsets is that
> one are quite so overarching and the objectives are more focused. String
> them together and you have a working tool set. As a system administrator,
> you learn to pipe grep output to awk or sed or cut etc.
>
> SYSVOL <=> NFS and if that doesn’t do it for you, check out Unison.
>
> I guess one of the temptations of FreeIPA is to try to make it exactly
> like active directory. The FreeIPA developers are already doing an amazing
> job without a ton of manpower.
>
> Craig
>

Re: [Freeipa-users] Group Policy-like features in FreeIPA

2015-01-12 Thread Craig White
From: freeipa-users-boun...@redhat.com 
[mailto:freeipa-users-boun...@redhat.com] On Behalf Of Dale Macartney
Sent: Sunday, January 11, 2015 2:16 PM
To: freeipa-users@redhat.com
Subject: [Freeipa-users] Group Policy-like features in FreeIPA

Morning folks
I am currently working on a little pet project which I think some would find 
useful.

I would like to introduce some group policy like functionality into a FreeIPA 
domain.
For example:
In an environment running FreeIPA Server with Fedora or RHEL based 
workstations, I would like to be able to introduce a few extra features which 
initially may be pushed via a login script (maybe even configure a dbus session 
as well, who knows?).
My intentions here would be to be able to apply host specific policies as well 
as have the option for user specific policies which would be applied when the 
user logs in.
Practically speaking, adding an attribute to LDAP to specify a login script 
file name is easy enough, however actually fetching this is where I am hoping 
for a bit of brain storming. My thoughts would be the local user would fetch 
the name of the login script via ldap, and then perhaps fetch the file from a 
shared resource on the FreeIPA masters in order to be executed locally.
LDAP is obviously replicated, however to my knowledge, there is no file 
synchronization between masters. I am thinking something similar to the MS 
equivalent of the SYSVOL data that replicates between MS Domain Controllers. 
One option would be to store all data within LDAP, however I've seen many 
scenarios where admins store CD ISO's in replicated domain data, so I am not 
certain this would be the best option.
With this replicated data folder, I would be able to store centrally managed 
scripts which would be used for hosts or users, and then configure the default 
user template on each workstation (/etc/skel/) to add the login script file 
name which would be fetched from the user's LDAP attributes.

Real world usability for what I am thinking of is a way to manage users who can 
have their corporate email mailbox configured on login, automatically setting 
the user's session to point to an internal SSO enabled proxy server or perhaps 
any other number of things which an admin may wish to achieve without the need 
to manually do the work themselves.
Has anyone undertaken a similar scenario in their environments or would perhaps 
have any suggestions on how to manage the centrally accessible file stores?
Many thanks

Specifically, I haven’t fully implemented what you are asking but obviously 
parts and pieces yes.
One of the best features of Linux and all of its various toolsets is that none 
are quite so overarching and the objectives are more focused. String them 
together and you have a working tool set. As a system administrator, you learn 
to pipe grep output to awk or sed or cut etc.
SYSVOL <=> NFS and if that doesn’t do it for you, check out Unison.
I guess one of the temptations of FreeIPA is to try to make it exactly like 
active directory. The FreeIPA developers are already doing an amazing job 
without a ton of manpower.
Craig

Re: [Freeipa-users] Group Policy-like features in FreeIPA

2015-01-12 Thread Dmitri Pal

On 01/12/2015 06:52 AM, Martin Kosek wrote:
> On 01/12/2015 10:04 AM, Petr Spacek wrote:
>> On 11.1.2015 22:16, Dale Macartney wrote:
>>> Morning folks
>>>
>>> I am currently working on a little pet project which I think some would
>>> find useful.
>>>
>>> I would like to introduce some group policy like functionality into a
>>> FreeIPA domain.
>>>
>>> For example:
>>> In an environment running FreeIPA Server with Fedora or RHEL based
>>> workstations, I would like to be able to introduce a few extra features
>>> which initially may be pushed via a login script (maybe even configure a
>>> dbus session as well, who knows?).
>>>
>>> My intentions here would be to be able to apply host specific policies as
>>> well as have the option for user specific policies which would be applied
>>> when the user logs in.
>>>
>>> Practically speaking, adding an attribute to LDAP to specify a login script
>>> file name is easy enough, however actually fetching this is where I am
>>> hoping for a bit of brain storming. My thoughts would be the local user
>>> would fetch the name of the login script via ldap, and then perhaps fetch
>>> the file from a shared resource on the FreeIPA masters in order to be
>>> executed locally.
>>>
>>> LDAP is obviously replicated, however to my knowledge, there is no file
>>> synchronization between masters. I am thinking something similar to the MS
>>> equivalent of the SYSVOL data that replicates between MS Domain
>>> Controllers. One option would be to store all data within LDAP, however
>>> I've seen many scenarios where admins store CD ISO's in replicated domain
>>> data, so I am not certain this would be the best option.
>>>
>>> With this replicated data folder, I would be able to store centrally
>>> managed scripts which would be used for hosts or users, and then configure
>>> the default user template on each workstation (/etc/skel/) to add the login
>>> script file name which would be fetched from the user's LDAP attributes.
>>>
>>> Real world usability for what I am thinking of is a way to manage users who
>>> can have their corporate email mailbox configured on login, automatically
>>> setting the user's session to point to an internal SSO enabled proxy server
>>> or perhaps any other number of things which an admin may wish to achieve
>>> without the need to manually do the work themselves.
>>>
>>> Has anyone undertaken a similar scenario in their environments or would
>>> perhaps have any suggestions on how to manage the centrally accessible file
>>> stores?
>>
>> Personally I'm not sure if FreeIPA is the right tool for configuration
>> management. IMHO you would end up re-implementing Puppet/Ansible/other
>> configuration management system.
>
> Maybe. Though note that this is not the first attempt to add a file storage to
> FreeIPA. It is currently tracked in
> https://fedorahosted.org/freeipa/ticket/1225, free for takers.
>
> I at least added a link to this proposal when the RFE is revisited.
>
> Martin


I would say there are two parts:
- The scripts that need to be delivered and run
- Information which scripts to run and parameters of the script

Storing scripts in IPA is IMO a bad idea.
However IPA is a reasonable place for storing information related to a 
script invocation.


Scripts can be delivered with Puppet/Chef/Salt/Ansible or just live on a 
mount point.
IPA can be a good place to store this mount point and identify the 
script and arguments to run on login from that mount point.


2c.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.



Re: [Freeipa-users] Group Policy-like features in FreeIPA

2015-01-12 Thread Martin Kosek
On 01/12/2015 10:04 AM, Petr Spacek wrote:
> On 11.1.2015 22:16, Dale Macartney wrote:
>> Morning folks
>>
>> I am currently working on a little pet project which I think some would
>> find useful.
>>
>> I would like to introduce some group policy like functionality into a
>> FreeIPA domain.
>>
>> For example:
>> In an environment running FreeIPA Server with Fedora or RHEL based
>> workstations, I would like to be able to introduce a few extra features
>> which initially may be pushed via a login script (maybe even configure a
>> dbus session as well, who knows?).
>>
>> My intentions here would be to be able to apply host specific policies as
>> well as have the option for user specific policies which would be applied
>> when the user logs in.
>>
>> Practically speaking, adding an attribute to LDAP to specify a login script
>> file name is easy enough, however actually fetching this is where I am
>> hoping for a bit of brain storming. My thoughts would be the local user
>> would fetch the name of the login script via ldap, and then perhaps fetch
>> the file from a shared resource on the FreeIPA masters in order to be
>> executed locally.
>>
>> LDAP is obviously replicated, however to my knowledge, there is no file
>> synchronization between masters. I am thinking something similar to the MS
>> equivalent of the SYSVOL data that replicates between MS Domain
>> Controllers. One option would be to store all data within LDAP, however
>> I've seen many scenarios where admins store CD ISO's in replicated domain
>> data, so I am not certain this would be the best option.
>>
>> With this replicated data folder, I would be able to store centrally
>> managed scripts which would be used for hosts or users, and then configure
>> the default user template on each workstation (/etc/skel/) to add the login
>> script file name which would be fetched from the user's LDAP attributes.
>>
>>
>> Real world usability for what I am thinking of is a way to manage users who
>> can have their corporate email mailbox configured on login, automatically
>> setting the user's session to point to an internal SSO enabled proxy server
>> or perhaps any other number of things which an admin may wish to achieve
>> without the need to manually do the work themselves.
>>
>> Has anyone undertaken a similar scenario in their environments or would
>> perhaps have any suggestions on how to manage the centrally accessible file
>> stores?
> 
> Personally I'm not sure if FreeIPA is the right tool for configuration
> management. IMHO you would end up re-implementing Puppet/Ansible/other
> configuration management system.

Maybe. Though note that this is not the first attempt to add a file storage to
FreeIPA. It is currently tracked in
https://fedorahosted.org/freeipa/ticket/1225, free for takers.

I at least added a link to this proposal when the RFE is revisited.

Martin



Re: [Freeipa-users] Group Policy-like features in FreeIPA

2015-01-12 Thread Petr Spacek
On 11.1.2015 22:16, Dale Macartney wrote:
> Morning folks
> 
> I am currently working on a little pet project which I think some would
> find useful.
> 
> I would like to introduce some group policy like functionality into a
> FreeIPA domain.
> 
> For example:
> In an environment running FreeIPA Server with Fedora or RHEL based
> workstations, I would like to be able to introduce a few extra features
> which initially may be pushed via a login script (maybe even configure a
> dbus session as well, who knows?).
> 
> My intentions here would be to be able to apply host specific policies as
> well as have the option for user specific policies which would be applied
> when the user logs in.
> 
> Practically speaking, adding an attribute to LDAP to specify a login script
> file name is easy enough, however actually fetching this is where I am
> hoping for a bit of brain storming. My thoughts would be the local user
> would fetch the name of the login script via ldap, and then perhaps fetch
> the file from a shared resource on the FreeIPA masters in order to be
> executed locally.
> 
> LDAP is obviously replicated, however to my knowledge, there is no file
> synchronization between masters. I am thinking something similar to the MS
> equivalent of the SYSVOL data that replicates between MS Domain
> Controllers. One option would be to store all data within LDAP, however
> I've seen many scenarios where admins store CD ISO's in replicated domain
> data, so I am not certain this would be the best option.
> 
> With this replicated data folder, I would be able to store centrally
> managed scripts which would be used for hosts or users, and then configure
> the default user template on each workstation (/etc/skel/) to add the login
> script file name which would be fetched from the user's LDAP attributes.
> 
> 
> Real world usability for what I am thinking of is a way to manage users who
> can have their corporate email mailbox configured on login, automatically
> setting the user's session to point to an internal SSO enabled proxy server
> or perhaps any other number of things which an admin may wish to achieve
> without the need to manually do the work themselves.
> 
> Has anyone undertaken a similar scenario in their environments or would
> perhaps have any suggestions on how to manage the centrally accessible file
> stores?

Personally I'm not sure if FreeIPA is the right tool for configuration
management. IMHO you would end up re-implementing Puppet/Ansible/other
configuration management system.

IMHO FreeIPA is the right place to manage policy-kit policies because these
are basically access control rules but I would not go much further.

(BTW newer versions of policy-kit can express policy as normal javascript code
which in theory could call/communicate with a wrapper around LDAP/SSSD.)

-- 
Petr^2 Spacek



[Freeipa-users] Group Policy-like features in FreeIPA

2015-01-11 Thread Dale Macartney
Morning folks

I am currently working on a little pet project which I think some would
find useful.

I would like to introduce some group policy like functionality into a
FreeIPA domain.

For example:
In an environment running FreeIPA Server with Fedora or RHEL based
workstations, I would like to be able to introduce a few extra features
which initially may be pushed via a login script (maybe even configure a
dbus session as well, who knows?).

My intentions here would be to be able to apply host specific policies as
well as have the option for user specific policies which would be applied
when the user logs in.

Practically speaking, adding an attribute to LDAP to specify a login script
file name is easy enough, however actually fetching this is where I am
hoping for a bit of brain storming. My thoughts would be the local user
would fetch the name of the login script via ldap, and then perhaps fetch
the file from a shared resource on the FreeIPA masters in order to be
executed locally.

LDAP is obviously replicated, however to my knowledge, there is no file
synchronization between masters. I am thinking something similar to the MS
equivalent of the SYSVOL data that replicates between MS Domain
Controllers. One option would be to store all data within LDAP, however
I've seen many scenarios where admins store CD ISO's in replicated domain
data, so I am not certain this would be the best option.

With this replicated data folder, I would be able to store centrally
managed scripts which would be used for hosts or users, and then configure
the default user template on each workstation (/etc/skel/) to add the login
script file name which would be fetched from the user's LDAP attributes.


Real world usability for what I am thinking of is a way to manage users who
can have their corporate email mailbox configured on login, automatically
setting the user's session to point to an internal SSO enabled proxy server
or perhaps any other number of things which an admin may wish to achieve
without the need to manually do the work themselves.

Has anyone undertaken a similar scenario in their environments or would
perhaps have any suggestions on how to manage the centrally accessible file
stores?

Many thanks

Dale
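Dale's proposal above (the workstation reads a login script name from the user's LDAP attributes and runs that file from a share on the masters) and Dmitri's refinement earlier in the thread (IPA stores the mount point, the script name and its arguments; the scripts themselves live on the mount) both leave open what the client should check before it executes anything. The following is an added example, not code from the thread or from FreeIPA: the attribute names (`loginScript`, `loginScriptArgs`, `loginScriptSha256`), the mount point `/mnt/ipa-policy` and the sample entry are assumptions standing in for whatever schema and share an admin would actually define. It shows the client-side validation a practitioner would want: the name must stay inside the share (no absolute paths, `..` or symlinks), the file must be a root-owned, non-writable regular file, its digest may be pinned in LDAP, and arguments are passed as argv rather than through a shell.

```python
import hashlib
import os
import shlex
import stat
import subprocess
import sys
from pathlib import Path

# Assumed layout, not FreeIPA schema: the masters export a read-only share that
# every workstation mounts here, and each user entry carries three custom
# attributes (hypothetical names) describing what to run at login.
SCRIPT_ROOT = Path("/mnt/ipa-policy")
ATTR_SCRIPT = "loginScript"        # file name relative to SCRIPT_ROOT
ATTR_ARGS = "loginScriptArgs"      # arguments, shell-style quoting, no shell
ATTR_SHA256 = "loginScriptSha256"  # expected SHA-256 of the script file


class PolicyError(Exception):
    """The LDAP-supplied policy failed validation; nothing gets executed."""


def resolve_script(script_root, script_name):
    """Map an attribute value onto a path that must stay inside the share."""
    root = Path(script_root).resolve()
    if not script_name or Path(script_name).is_absolute():
        raise PolicyError(f"script name must be a relative path: {script_name!r}")
    candidate = root / script_name
    # resolve() collapses '..' and follows symlinks, so the result must still be
    # under root, and it must equal the unresolved path (no symlink indirection).
    resolved = candidate.resolve()
    if resolved != root and root not in resolved.parents:
        raise PolicyError(f"script path escapes {root}: {script_name!r}")
    if resolved != candidate:
        raise PolicyError(f"symlink or '..' component in {script_name!r}")
    return resolved


def check_script_file(path, owner_uid=0, expected_sha256=None):
    """Reject anything that is not an owner-controlled, non-writable regular file."""
    try:
        st = os.lstat(path)
    except OSError as exc:
        raise PolicyError(f"cannot stat {path}: {exc}") from exc
    if not stat.S_ISREG(st.st_mode):
        raise PolicyError(f"{path} is not a regular file")
    if st.st_uid != owner_uid:
        raise PolicyError(f"{path} is owned by uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PolicyError(f"{path} is group- or world-writable")
    if expected_sha256 is not None:
        digest = hashlib.sha256(Path(path).read_bytes()).hexdigest()
        if digest != expected_sha256.strip().lower():
            raise PolicyError(f"{path} does not match the digest stored in LDAP")
    return True


def build_command(entry, script_root=SCRIPT_ROOT, owner_uid=0):
    """Turn the user's attributes into an argv list, or raise PolicyError."""
    names = entry.get(ATTR_SCRIPT) or []
    if len(names) != 1:
        raise PolicyError(f"expected exactly one {ATTR_SCRIPT} value, got {len(names)}")
    script = resolve_script(script_root, names[0])
    digests = entry.get(ATTR_SHA256) or []
    check_script_file(script, owner_uid, digests[0] if digests else None)
    # Arguments are split shell-style but handed over as argv, never to a shell,
    # so a value such as "x; rm -rf /" becomes argv words, not a second command.
    args = shlex.split((entry.get(ATTR_ARGS) or [""])[0])
    return [str(script), *args]


def main():
    # Constructed entry standing in for the LDAP search result for the user who
    # just logged in; in practice it would come from ldapsearch or SSSD.
    entry = {
        ATTR_SCRIPT: ["corp-mail-setup.sh"],
        ATTR_ARGS: ["--proxy https://sso-proxy.example.corp --verbose"],
        ATTR_SHA256: ["<sha256 of the published script>"],  # placeholder
    }
    try:
        cmd = build_command(entry)
    except PolicyError as exc:
        print(f"login script refused: {exc}", file=sys.stderr)
        return 1
    return subprocess.run(cmd).returncode


if __name__ == "__main__":
    sys.exit(main())
```

The point of the checks is that the trust decision stays on the workstation: whoever can write the user's attributes can pick among scripts the admins have published on the share, but cannot point the client at an arbitrary file, follow a symlink out of the share, or smuggle a shell command in through the argument string. Pinning the digest in LDAP additionally ties the replicated directory data to the file content, which is what a SYSVOL-style setup would otherwise leave unverified.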