Hi! I am using FreeIPA which requires that hosts get added to its LDAP
before the host can request to join the domain and get configured,
obtain a Kerberos keytab, etc. This addition to the LDAP directory
seems like it should happen when the host is created in the Foreman UI,
as is done with DNS, etc. . . . is this sort of functionality best
done with a proxy? Is there some other way?
I hope that's clear . . . Any advice is appreciated!
It's clear and I really want to see this working. The way I see it
working is via a proxy which calls either the IPA CLI tool or the
XML-RPC API, and then we add the concept of realms into Foreman (or
better, a plugin). I wrote down my thoughts here:

http://projects.theforeman.org/projects/foreman/wiki/RealmJoinIntegration

In the meantime, I suspect you could do it with foreman_hooks, by adding
a "create" hook which runs a script on the Foreman host itself:

http://m0dlx.com/blog/Extending_Foreman_quickly_with_hook_scripts.html
https://github.com/domcleal/foreman_hooks

The trouble is you need to get the one time password back to the host
when you create the host object, so you could make it either a well
known password, one that both the hook and the host could compute (e.g.
a hash of its hostname) or you do an API call back to Foreman from the
hook and set a parameter on the host object with the OTP.
I haven't got round to trying the hook idea myself yet, or implementing
any of this. I'd love to hear if you manage it :)
···
On 21/05/13 17:32, Guy Matz wrote:
Ooh! Ooh!! Can I work on this one!? I'd love to finally be able to
contribute!
Thanks,
Guy
···
On 05/21/2013 12:40 PM, Dominic Cleal wrote:
Hello! I read about your foreman_hooks. Cool! Is that the way to go
with a host-add, though? It looks like foreman_hooks run on the foreman
server, and the ipa host-add needs to run on the IPA server . . .
In any event, are the hooks called by which directory they are in? So
that a script in:
~foreman/config/hooks/host/destroy/44_add_to_ipa would get called when a
host is created,
and
~foreman/config/hooks/host/create/44_remove_from_ipa would get called
when a host is destroyed ?
Thanks a lot!!
Guy
Of course you can, we are all open.
Thank you!
Ohad
···
On Tue, May 21, 2013 at 8:50 PM, Guy Matz wrote:
> Hello! I read about your foreman_hooks. Cool! Is that the way to go
> with a host-add, though? It looks like foreman_hooks run on the foreman
> server, and the ipa host-add needs to run on the IPA server . . .
Indeed, that's the problem that the proxy solves… calling SSH with keys
might be a solution?
> In any event, are the hooks called by which directory they are in? So
> that a script in:
> ~foreman/config/hooks/host/destroy/44_add_to_ipa would get called when a
> host is created,
> and
> ~foreman/config/hooks/host/create/44_remove_from_ipa would get called
> when a host is destroyed ?
Yes, but your example paths are muddled, the first should be host/create
and the second host/destroy.
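Putting the thread's pieces together (a hook under ~foreman/config/hooks/host/create/, `ipa host-add` run over SSH with keys because hooks execute on the Foreman host, and the OTP handed back to Foreman as a host parameter), here is an added example hook in Ruby; it is not code from the thread, from foreman_hooks or from Foreman. It takes the API-call-back option with an IPA-generated random OTP rather than a hostname-derived one, since a password anyone can compute from the naming scheme is not much of a secret. The stdin payload shape, the `enroller` SSH account, the `ipa_otp` parameter name and the environment variables are assumptions.

```ruby
#!/usr/bin/env ruby
# foreman_hooks "create" hook: ~foreman/config/hooks/host/create/44_add_to_ipa
# Contract assumed from the foreman_hooks README: ARGV = [event, object name],
# host JSON on stdin. Server names and credentials below are placeholders.
require 'json'
require 'open3'
require 'shellwords'
require 'net/http'

# FQDN from the hook payload; foreman_hooks wraps it as {"host": {...}} (assumed),
# so accept both the wrapped and the bare object.
def host_name_from_json(json_text)
  data = JSON.parse(json_text)
  (data['host'] || data).fetch('name')
end

# ipa host-add run over SSH with keys on the IPA server (the thread's suggestion,
# since hooks execute on the Foreman host). --random makes IPA mint a one-time
# password; the FQDN is shell-escaped because it is user input from the Foreman UI.
def ipa_host_add_cmd(fqdn, server)
  ['ssh', "enroller@#{server}", 'ipa', 'host-add', Shellwords.escape(fqdn), '--random']
end

# IPA prints the OTP on a "Random password:" line; nil when host-add failed.
def parse_random_password(output)
  m = output.match(/^\s*Random password:\s*(\S+)/)
  m && m[1]
end

# Push the OTP back to Foreman as host parameter "ipa_otp" via POST
# /api/hosts/:id/parameters, so the provisioning template can feed it to
# ipa-client-install --password. Foreman resolves the FQDN as :id.
def otp_parameter_request(fqdn, otp, base:, user:, pass:)
  uri = URI("#{base}/api/hosts/#{fqdn}/parameters")
  req = Net::HTTP::Post.new(uri, 'Content-Type' => 'application/json')
  req.basic_auth(user, pass)
  req.body = { parameter: { name: 'ipa_otp', value: otp } }.to_json
  [uri, req]
end

# Only runs when invoked by foreman_hooks with its two arguments.
if $PROGRAM_NAME == __FILE__ && ARGV.length == 2
  abort "expected 'create' event, got #{ARGV[0].inspect}" unless ARGV[0] == 'create'
  fqdn = host_name_from_json($stdin.read)
  out, status = Open3.capture2(*ipa_host_add_cmd(fqdn, ENV.fetch('IPA_SERVER')))
  otp = parse_random_password(out)
  abort "ipa host-add failed for #{fqdn}: #{out}" unless status.success? && otp
  uri, req = otp_parameter_request(fqdn, otp, base: ENV.fetch('FOREMAN_URL'),
                                   user: ENV.fetch('FOREMAN_USER'), pass: ENV.fetch('FOREMAN_PASS'))
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == 'https') { |h| h.request(req) }
end
```

The matching script under host/destroy/ would run `ipa host-del` for the same FQDN and needs no OTP handling.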
>> Hello! I read about your foreman_hooks. Cool! Is that the way to go
>> with a host-add, though? It looks like foreman_hooks run on the foreman
>> server, and the ipa host-add needs to run on the IPA server . . .
> Indeed, that's the problem that the proxy solves… calling SSH with keys
> might be a solution?
I think I prefer the proxy route . . . OK if I go that way?
>> In any event, are the hooks called by which directory they are in? so
>> that a script in:
>> ~foreman/config/hooks/host/destroy/44_add_to_ipa would get called when a
>> host is created,
>> and
>> ~foreman/config/hooks/host/create/44_remove_from_ipa would get called
>> when a host is destroyed ?
> Yes, but your example paths are muddled, the first should be host/create
> and the second host/destroy.
Right! Bad copy/paste job.
···
On 05/22/2013 12:15 PM, Dominic Cleal wrote:
> On 22/05/13 17:03, Guy Matz wrote:
Sure, that's definitely the first step for getting this into Foreman
core or a plugin too, so it's a great place to start.
···
On 22/05/13 17:46, Guy Matz wrote:
Actually, puppet-foreman_proxy is the puppet module to manage
foreman_proxy. I think you're looking for the smart-proxy which is
https://github.com/theforeman/smart-proxy. Once you have completed the
feature, it requires settings and you want it handled by the installer,
you should have a look at puppet-foreman_proxy.
···
On Wed, May 22, 2013 at 05:02:32PM +0000, Guy Matz wrote:
On 05/22/2013 12:52 PM, Dominic Cleal wrote: