On 04.11.22 17:47, Jochen Kellner wrote:
Ronald Wimmer via FreeIPA-users <[email protected]> writes:

Jochen already provided you the required commands. They can be
automated easily.

I was still thinking about how to do that from the AIX side. I'm
sorry... Obviously I could need more coffee. ;-)

A lot of what can be done depends on what you use as AIX automation. If
you still use shell scripts - ssh to a linux host is your most likely
solution.  If you use something like ansible, you might want to check
"delegate_to" in the ansible documentation. In the unlikely event you
use SALT, have a look at orchestration. For other tool I declare total
ignorance.

We will go the shell script way as not many AIX hosts look the same and Ansible might be a problem. The IPA client host will most likely be a K8s pod - maybe even without persistent storage. I'll have to check with the IPA developers whether ephemeral IPA clients will eat up id ranges or else over time.
There are lots and lots of possible solutions.

Just a hint how you might handle authentication for IPA commands: Add a
user to IPA that has the role "Enrollment Administrator". Get a keytab
for that user and store it at a safe place on your IPA client. You
should be able to run "ipa" and other commands without giving
name/password on the command line:
   env KRB5_CLIENT_KTNAME=/path/to/key.tab ipa ...

Thanks. I am using this already somewhere else.

(you might need to install urllib-gssapi or python3-urllib-gssapi)

That would still need some experimenting, but I'm sure it will work in
the end.

The first idea is to ssh to the Linux machine to call a python script doing all the magic and scp the keytab over to the AIX host.

Remember that the AIX host and freeipa need to agree on what the last
kvno is. That might be a problem while experimenting.

Thanks! I'll keep that in mind!

Cheers,
Ronald
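The flow discussed in this thread (keytab-only authentication for "ipa" via KRB5_CLIENT_KTNAME, a script on the Linux IPA client that fetches the AIX host's keytab and scp's it over, and the kvno agreement problem), as an added example that is not code from the thread or from the FreeIPA project. It is meant to run on the Linux IPA client, for instance invoked over ssh from the AIX side. Everything about the environment is assumed: the path of the Enrollment Administrator keytab in IPA_KEYTAB, the IPA server name in IPA_SERVER, that the AIX host runs IBM NAS Kerberos with klist at /usr/krb5/bin/klist and its keytab at /etc/krb5/krb5.keytab, and that root on the AIX host is reachable over ssh/scp. The klist sample used by the self-check is constructed.

```shell
#!/bin/sh
# Added example, not from the FreeIPA-users thread. Runs on the Linux IPA client.
# Assumed (placeholder) paths and names; override via the environment.
set -eu

IPA_KEYTAB="${IPA_KEYTAB:-/etc/ipa-automation/enroll.keytab}"  # assumed: keytab of the Enrollment Administrator user
IPA_SERVER="${IPA_SERVER:-ipa.example.com}"                    # assumed: an IPA server name
AIX_KLIST="${AIX_KLIST:-/usr/krb5/bin/klist}"                  # assumed: IBM NAS klist on AIX
AIX_KEYTAB="${AIX_KEYTAB:-/etc/krb5/krb5.keytab}"              # assumed: host keytab location on AIX

# Run any "ipa" CLI command authenticated only with the automation keytab,
# so no name/password ever appears on a command line or in shell history.
run_ipa() {
    env KRB5_CLIENT_KTNAME="$IPA_KEYTAB" ipa "$@"
}

# Highest KVNO in "klist -kt" output read from stdin; prints 0 if no key entry.
# Key entry lines start with a number; header and separator lines do not.
max_kvno() {
    awk '$1 ~ /^[0-9]+$/ { if ($1 + 0 > m) m = $1 + 0 } END { print m + 0 }'
}

# Exit 0 when two "klist -kt" captures (given as files) show the same, non-zero
# highest KVNO; exit 1 otherwise. This is the "AIX and FreeIPA must agree on the
# last kvno" check from the thread, done on the keytab copies.
kvno_agrees() {
    a=$(max_kvno < "$1")
    b=$(max_kvno < "$2")
    [ "$a" -eq "$b" ] && [ "$a" -gt 0 ]
}

# Fetch the host keytab into $2. A plain ipa-getkeytab generates NEW keys and bumps
# the KVNO on the server, which invalidates whatever keytab the AIX host already has.
# Pass "retrieve" as $3 to use ipa-getkeytab -r, which fetches the existing keys
# without changing the KVNO (this needs the "retrieve keytab" permission).
fetch_keytab() {
    fqdn=$1; out=$2; mode=${3:-new}
    if [ "$mode" = retrieve ]; then
        env KRB5_CLIENT_KTNAME="$IPA_KEYTAB" ipa-getkeytab -r -s "$IPA_SERVER" -p "host/$fqdn" -k "$out"
    else
        env KRB5_CLIENT_KTNAME="$IPA_KEYTAB" ipa-getkeytab -s "$IPA_SERVER" -p "host/$fqdn" -k "$out"
    fi
    chmod 600 "$out"
}

# Full procedure for one AIX host: create the host entry if missing, fetch a
# keytab, copy it over, then verify both sides hold the same KVNO.
provision_aix_host() {
    fqdn=$1
    tmp=$(mktemp)
    run_ipa host-show "$fqdn" >/dev/null 2>&1 || run_ipa host-add "$fqdn"
    fetch_keytab "$fqdn" "$tmp" new
    scp -q "$tmp" "root@$fqdn:$AIX_KEYTAB"
    klist -kt "$tmp" > "$tmp.local"
    ssh "root@$fqdn" "$AIX_KLIST -kt $AIX_KEYTAB" > "$tmp.remote"
    if kvno_agrees "$tmp.local" "$tmp.remote"; then
        echo "$fqdn: keytab installed, kvno $(max_kvno < "$tmp.local") agrees"
        rc=0
    else
        echo "$fqdn: KVNO MISMATCH between fetched keytab and AIX keytab" >&2
        rc=1
    fi
    rm -f "$tmp" "$tmp.local" "$tmp.remote"
    return $rc
}

# Constructed "klist -kt" output used only for the offline self-check below.
sample_klist_output() {
    printf 'Keytab name: FILE:/tmp/aix1.keytab\n'
    printf 'KVNO Timestamp           Principal\n'
    printf -- '---- ------------------- ----------------------------------------\n'
    printf '   2 11/04/2022 17:47:00 host/aix1.example.com@EXAMPLE.COM\n'
    printf '   3 11/04/2022 17:48:00 host/aix1.example.com@EXAMPLE.COM\n'
}

case "${1:-}" in
    provision) provision_aix_host "${2:?usage: $0 provision <aix-fqdn>}" ;;
    selfcheck) [ "$(sample_klist_output | max_kvno)" = 3 ] && echo "max_kvno ok" ;;
esac
```

Run it as `./aix-keytab.sh provision aix1.example.com` from the AIX side over ssh, or `selfcheck` to exercise the parser without any IPA access. If the AIX keytab ever has to be re-created without touching the server-side keys, use `fetch_keytab <fqdn> <file> retrieve`; every call in the default "new" mode moves the kvno forward and makes any older copy on AIX stale, which is exactly the experimenting pitfall Jochen points to.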
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue