OpenAFS?

On Jan 12, 2015 11:04 AM, "Craig White" <[email protected]> wrote:

> From: [email protected] [mailto:[email protected]] On Behalf Of Dale Macartney
> Sent: Sunday, January 11, 2015 2:16 PM
> To: [email protected]
> Subject: [Freeipa-users] Group Policy-like features in FreeIPA
>
> Morning folks
>
> I am currently working on a little pet project which I think some would find useful.
>
> I would like to introduce some group policy like functionality into a FreeIPA domain.
>
> For example:
>
> In an environment running FreeIPA Server with Fedora or RHEL based workstations, I would like to be able to introduce a few extra features which initially may be pushed via a login script (maybe even configure a dbus session as well, who knows?).
>
> My intentions here would be to be able to apply host specific policies as well as have the option for user specific policies which would be applied when the user logs in.
>
> Practically speaking, adding an attribute to LDAP to specify a login script file name is easy enough, however actually fetching this is where I am hoping for a bit of brain storming. My thoughts would be the local user would fetch the name of the login script via LDAP, and then perhaps fetch the file from a shared resource on the FreeIPA masters in order to be executed locally.
>
> LDAP is obviously replicated, however to my knowledge, there is no file synchronization between masters. I am thinking something similar to the MS equivalent of the SYSVOL data that replicates between MS Domain Controllers. One option would be to store all data within LDAP, however I've seen many scenarios where admins store CD ISOs in replicated domain data, so I am not certain this would be the best option.
>
> With this replicated data folder, I would be able to store centrally managed scripts which would be used for hosts or users, and then configure the default user template on each workstation (/etc/skel/) to add the login script file name which would be fetched from the user's LDAP attributes.
>
> Real world usability for what I am thinking of is a way to manage users who can have their corporate email mailbox configured on login, automatically setting the user's session to point to an internal SSO enabled proxy server or perhaps any other number of things which an admin may wish to achieve without the need to manually do the work themselves.
>
> Has anyone undertaken a similar scenario in their environments or would perhaps have any suggestions on how to manage the centrally accessible file stores?
>
> Many thanks
> ----
>
> Specifically, I haven't fully implemented what you are asking but obviously parts and pieces yes.
>
> One of the best features of Linux and all of its various toolsets is that none are quite so overarching and the objectives are more focused. String them together and you have a working tool set. As a system administrator, you learn to pipe grep output to awk or sed or cut etc.
>
> SYSVOL <=> NFS and if that doesn't do it for you, check out Unison.
>
> I guess one of the temptations of FreeIPA is to try to make it exactly like active directory. The FreeIPA developers are already doing an amazing job without a ton of manpower.
>
> Craig
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go To http://freeipa.org for more info on the project
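The design sketched in the thread (a user attribute naming a login script, the script itself fetched from a share replicated between the masters, then executed locally) hands code execution in every session to whoever can write the share or the attribute. The following client-side fetcher is an added example, not code from the thread, from FreeIPA or from any of the posters: it shows the checks such a fetcher needs before running anything. The attribute names `loginScript` and `loginScriptSHA256`, the share path `/srv/policy/scripts` and the sample LDIF in the test are assumptions for illustration; in production the LDIF would come from an `ldapsearch -Y GSSAPI` against the user's entry, and the share would be a read-only, Kerberos-authenticated NFS export.

```shell
#!/bin/bash
# Added example (hypothetical attribute names, share path and LDIF).
# Fetches the login-script name and expected SHA-256 for a user from LDIF,
# joins the name onto a read-only share, and executes the file only after
# name, permission and integrity checks.
set -u

SHARE_DIR="${SHARE_DIR:-/srv/policy/scripts}"   # assumed NFS mount point
SCRIPT_ATTR="loginScript"                       # hypothetical attribute
HASH_ATTR="loginScriptSHA256"                   # hypothetical attribute

# Print one single-valued attribute from LDIF text on stdin. In production the
# LDIF comes from:
#   ldapsearch -Y GSSAPI -LLL -b "$USER_DN" "$SCRIPT_ATTR" "$HASH_ATTR"
ldif_attr() {
  sed -n "s/^$1: //p" | head -n 1
}

# The name from LDAP is joined onto SHARE_DIR, so reject anything that could
# escape that directory: empty values, path separators, dot-files, odd bytes.
valid_name() {
  case "$1" in
    ""|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# Refuse group- or world-writable files: anyone who can edit the script on
# the share can run code in every session that references it. (GNU stat.)
not_writable_by_others() {
  local mode
  mode=$(stat -c %a "$1") || return 1
  case "$mode" in
    *[2367]|*[2367][0-7]) return 1 ;;
  esac
  return 0
}

# Return codes: 0 executed, 1 bad name, 2 missing file, 3 permissions,
# 4 hash mismatch. The hash is checked last, on the exact file we will run.
run_login_script() {
  local name="$1" expected="$2" file actual
  valid_name "$name" || return 1
  file="$SHARE_DIR/$name"
  [ -f "$file" ] || return 2
  not_writable_by_others "$file" || return 3
  actual=$(sha256sum "$file" | cut -d' ' -f1)
  [ "$actual" = "$expected" ] || return 4
  # Run as the logged-in user in a child shell, never sourced into the
  # session shell and never with elevated privileges.
  bash -- "$file"
}

# Glue: read the user's attributes from LDIF on stdin and apply them.
apply_from_ldif() {
  local ldif name hash
  ldif=$(cat)
  name=$(printf '%s\n' "$ldif" | ldif_attr "$SCRIPT_ATTR")
  hash=$(printf '%s\n' "$ldif" | ldif_attr "$HASH_ATTR")
  run_login_script "$name" "$hash"
}
```

Storing the hash in LDAP next to the file name ties the executable content to the directory, which is replicated and ACL-controlled, rather than to the share alone; an attacker who can only modify the share cannot get a changed script executed, and one who can only edit the attribute cannot point it outside the share directory. The check is per user, so a host-level policy would need the same attributes on the host entry.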
