Thanks for clarifying that. Satellite would be restricted to RHEL clients I think. Foreman would be a good solution, but could be an overkill for accomplishing just this. I'll have a look and decide. I'll open the RFE too.
On Sun, Mar 22, 2015 at 3:21 PM, Dmitri Pal <[email protected]> wrote:

> On 03/21/2015 08:57 PM, Prasun Gera wrote:
>
> Yes, this approach would work, and it would be a good enhancement. It
> would make migration from NIS easier with very little impact to users. Are
> you saying that something like this can be implemented right now? Or do you
> mean that this is how it could be done in future?
>
>
> In future. I suggested opening an RFE.
>
> How does a host submit a request to the host admin? Is there a host
> admin daemon that listens for these requests?
>
>
> No. And I am not sure it is needed.
> To be fair what you are looking for can be accomplished using Foreman or
> Satellite 6 right now.
> This is why the RFE would probably be a low priority.
>
> Integrating with Foreman/Satellite a person provisioning a system (or
> systems) will just click a button to provision a system and it will be
> enrolled automatically.
> The RFE will be useful when you try to use kickstart in a manual fashion.
> In this case you will use a special admin account as I suggested with
> password baked into the kickstart (not ideal). But IP range checking will
> reduce the risk of adding a rogue system if the kickstart is stolen.
>
> But IMO it is better to go the Foreman path right away.
> http://theforeman.org/manuals/1.5/index.html#4.3.11FreeIPARealm
>
>
> On Sat, Mar 21, 2015 at 1:50 PM, Dmitri Pal <[email protected]> wrote:
>
>> On 03/21/2015 05:53 AM, Prasun Gera wrote:
>>
>> Is it possible to completely automate the client enrollment process
>> similar to securenets in NIS? I'm trying to migrate NIS to IDM, and hoping
>> that it runs largely in auto-pilot mode. The kickstarter method suggests
>> adding host entries with a one time kerberos password to launch unattended
>> client installs. That, however, needs the admin's involvement every time a
>> new host has to be added. Securenets works pretty well in our case since we
>> can authenticate based on the IP address. User addition is still manual,
>> but that's all right since that is infrequent. Is it possible to do
>> something similar using IP masks or fqdn regex in ipa?
>>
>>
>> No but if you trust your network you can create a host admin that would
>> have the host add privilege and host enroll privilege and nothing else and
>> use this admin.
>>
>> IMO it would be a nice enhancement to have a way to restrict such
>> enrollments to specific subnets. The logic on the server would be something
>> like this:
>>
>> Enrollment request comes in
>> If host entry there?
>> Yes - follow the current logic
>> Check user privileges
>> <Check that the client is coming from one of the given IPA ranges> <-new
>> Enroll
>>
>> Would you mind filing an RFE if this approach would work for you?
>>
>> --
>> Thank you,
>> Dmitri Pal
>>
>> Sr. Engineering Manager IdM portfolio
>> Red Hat, Inc.
>>
>>
>> --
>> Manage your subscription for the Freeipa-users mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>> Go to http://freeipa.org for more info on the project
>>
>
> --
> Thank you,
> Dmitri Pal
>
> Sr. Engineering Manager IdM portfolio
> Red Hat, Inc.
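The server-side logic proposed in the quoted message (existing entry, then privilege check, then the new source-range check, then enroll), sketched as an added example; it is not part of the thread and not FreeIPA code. The class and function names, the decision strings and the sample data are hypothetical, and the ordering is one reading of the flattened pseudo-logic.

```python
import ipaddress

# Privilege labels as worded in the thread; not FreeIPA identifiers.
REQUIRED_PRIVILEGES = {"host add", "host enroll"}


class EnrollmentPolicy:
    """Hypothetical policy object holding the subnets allowed to enroll."""

    def __init__(self, allowed_ranges):
        # strict=True rejects entries with host bits set (e.g. 10.20.5.7/16),
        # so a mistyped range fails at load time instead of being reinterpreted.
        self.networks = [ipaddress.ip_network(r, strict=True) for r in allowed_ranges]

    def source_allowed(self, source_ip):
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False  # unparsable source address: fail closed
        # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        return any(addr.version == n.version and addr in n for n in self.networks)


def decide(policy, existing_hosts, fqdn, source_ip, privileges):
    """Return the decision for one enrollment request."""
    if fqdn in existing_hosts:
        return "existing entry: follow the current logic"
    if not REQUIRED_PRIVILEGES <= set(privileges):
        return "deny: missing privilege"
    if not policy.source_allowed(source_ip):  # the new step from the thread
        return "deny: source outside allowed ranges"
    return "enroll"


if __name__ == "__main__":
    # Constructed sample data: private/documentation ranges, made-up host names.
    policy = EnrollmentPolicy(["10.20.0.0/16", "2001:db8:10::/48"])
    hosts = {"old.example.test"}
    admin = {"host add", "host enroll"}
    for fqdn, ip in [("new1.example.test", "10.20.5.7"),
                     ("new2.example.test", "192.0.2.9"),
                     ("old.example.test", "192.0.2.9")]:
        print(fqdn, ip, "->", decide(policy, hosts, fqdn, ip, admin))
```

The range check only sees the address the server observes for the connection, so a client behind NAT or a proxy is judged by that intermediate address. It narrows where a leaked kickstart credential can be used from; it does not replace the privilege check.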
