On 11.1.2015 22:16, Dale Macartney wrote:
> Morning folks
>
> I am currently working on a little pet project which I think some would
> find useful.
>
> I would like to introduce some group policy like functionality into a
> FreeIPA domain.
>
> For example:
> In an environment running FreeIPA Server with Fedora or RHEL based
> workstations, I would like to be able to introduce a few extra features
> which initially may be pushed via a login script (maybe even configure a
> dbus session as well, who knows?).
>
> My intentions here would be to be able to apply host specific policies as
> well as have the option for user specific policies which would be applied
> when the user logs in.
>
> Practically speaking, adding an attribute to LDAP to specify a login script
> file name is easy enough, however actually fetching this is where I am
> hoping for a bit of brain storming. My thoughts would be the local user
> would fetch the name of the login script via LDAP, and then perhaps fetch
> the file from a shared resource on the FreeIPA masters in order to be
> executed locally.
>
> LDAP is obviously replicated, however to my knowledge, there is no file
> synchronization between masters. I am thinking something similar to the MS
> equivalent of the SYSVOL data that replicates between MS Domain
> Controllers. One option would be to store all data within LDAP, however
> I've seen many scenarios where admins store CD ISOs in replicated domain
> data, so I am not certain this would be the best option.
>
> With this replicated data folder, I would be able to store centrally
> managed scripts which would be used for hosts or users, and then configure
> the default user template on each workstation (/etc/skel/) to add the login
> script file name which would be fetched from the user's LDAP attributes.
>
> Real world usability for what I am thinking of is a way to manage users who
> can have their corporate email mailbox configured on login, automatically
> setting the user's session to point to an internal SSO enabled proxy server
> or perhaps any other number of things which an admin may wish to achieve
> without the need to manually do the work themselves.
>
> Has anyone undertaken a similar scenario in their environments or would
> perhaps have any suggestions on how to manage the centrally accessible file
> stores?
Personally I'm not sure if FreeIPA is the right tool for configuration management. IMHO you would end up re-implementing Puppet/Ansible/other configuration management system.

IMHO FreeIPA is the right place to manage policy-kit policies because these are basically access control rules but I would not go much further. (BTW newer versions of policy-kit can express policy as normal JavaScript code which in theory could call/communicate with a wrapper around LDAP/SSSD.)

-- 
Petr^2 Spacek
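The fetch-then-execute flow sketched in the original question (script name read from the user's LDAP entry, file pulled from a replicated share on the masters, then run locally) makes the file share the trust anchor for code that executes at every login. The following Python is an added example, not code from this thread or from FreeIPA: it pins a SHA-256 digest of the script next to its name in two hypothetical LDAP attributes (`loginScript`, `loginScriptDigest`), so a client only runs a file the directory, which FreeIPA replicates and guards with its ACIs, actually vouches for, and it refuses script names that would escape the share's script directory. The LDAP search is replaced by a constructed in-memory entry so the module runs offline.

```python
"""Integrity check for a centrally distributed login script.

Added example; not code from the mailing-list thread or from FreeIPA.
Assumptions (not in the thread): the user's LDAP entry carries two
hypothetical attributes, ``loginScript`` (file name within the share's
script directory) and ``loginScriptDigest`` (hex SHA-256 of the file).
The replicated file store is treated as untrusted; only the LDAP entry
is trusted. The LDAP search is replaced by a constructed entry below.
"""
import hashlib
import hmac
import posixpath
from typing import Mapping, Sequence

Entry = Mapping[str, Sequence[bytes]]

# Constructed script body, standing in for a file on the replicated share.
CONSTRUCTED_SCRIPT = b"#!/bin/sh\n# configure the corporate mailbox (placeholder)\nexit 0\n"

# Constructed stand-in for the entry an LDAP search on uid=alice would return.
# Values are lists of bytes, the shape python-ldap uses. In a real deployment
# the admin publishes the digest when the script is changed; here it is
# computed from the constructed body so the example is self-consistent.
CONSTRUCTED_USER_ENTRY: Entry = {
    "uid": [b"alice"],
    "loginScript": [b"corp-mail-setup.sh"],
    "loginScriptDigest": [hashlib.sha256(CONSTRUCTED_SCRIPT).hexdigest().encode()],
}


def attr(entry: Entry, name: str) -> str:
    """Return the single string value of an LDAP attribute, or raise."""
    values = entry.get(name, [])
    if len(values) != 1:
        raise ValueError(f"attribute {name!r} must have exactly one value")
    return values[0].decode("utf-8")


def safe_script_name(name: str) -> str:
    """Reject names that could escape the share's script directory.

    The name is data from LDAP; whoever can write that attribute should not
    be able to turn it into an arbitrary path on the client (``..``,
    absolute paths, hidden files).
    """
    if not name or name != posixpath.basename(name) or name.startswith("."):
        raise ValueError(f"refusing login script name {name!r}")
    return name


def script_path(share_root: str, entry: Entry) -> str:
    """Path of the user's login script inside the mounted share."""
    return posixpath.join(share_root, safe_script_name(attr(entry, "loginScript")))


def verify_script(entry: Entry, data: bytes) -> bool:
    """True only if the fetched bytes match the digest pinned in LDAP."""
    expected = attr(entry, "loginScriptDigest").lower()
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; the digest is the whole decision here.
    return hmac.compare_digest(expected, actual)


def load_verified_script(share_root: str, entry: Entry, read_file) -> bytes:
    """Resolve, fetch (via the supplied reader) and verify the script.

    ``read_file`` is injected so the fetch can be a local mount, an HTTPS
    GET against a master, or, as in the test, a constructed lookup.
    """
    data = read_file(script_path(share_root, entry))
    if not verify_script(entry, data):
        raise RuntimeError("login script does not match the digest published in LDAP")
    return data
```

The caller that executes the script only ever receives bytes that passed `load_verified_script`; a modified copy on one master, or a name rewritten to point outside the script directory, is rejected before anything runs. Pinning the digest in the directory keeps the choice of file store open, which is the part of the design the question leaves undecided.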
