Do I need to write a proxy to add new hosts to IPA LDAP?

Hi! I am using FreeIPA which requires that hosts get added to its LDAP
before the host can request to join the domain and get configured,
obtain a kerberos keytab, etc. This addition to the LDAP directory
seems like it should happen when the host is created in the foreman UI,
as is done with DNS, etc. . . . is this sort of functionality best
done with a proxy? Is there some other way?

I hope that's clear . . . Any advice is appreciated!

Thanks a lot,
Guy

It's clear and I really want to see this working. The way I see it
working is via a proxy which calls either the IPA CLI tool or the
XML-RPC API, and then we add the concept of realms into Foreman (or
better, a plugin). I wrote down my thoughts here:

http://projects.theforeman.org/projects/foreman/wiki/RealmJoinIntegration

In the meantime, I suspect you could do it with foreman_hooks, by adding
a "create" hook which runs a script on the Foreman host itself:

http://m0dlx.com/blog/Extending_Foreman_quickly_with_hook_scripts.html
https://github.com/domcleal/foreman_hooks

The trouble is you need to get the one time password back to the host
when you create the host object, so you could make it either a well
known password, one that both the hook and the host could compute (e.g.
a hash of its hostname) or you do an API call back to Foreman from the
hook and set a parameter on the host object with the OTP.

I haven't got round to trying the hook idea myself yet, or implementing
any of this. I'd love to hear if you manage it :)

On 21/05/13 17:32, Guy Matz wrote:


Dominic Cleal
Red Hat Engineering
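The OTP handling described above (a "create" hook on the Foreman host that pre-creates the IPA entry and hands a random secret back through the Foreman API, rather than using a well-known or hostname-derived password), as an added example hook script that is not part of the thread, of foreman_hooks or of Foreman. It assumes the hook receives the event name and hostname as its two arguments, a Kerberos ticket for a principal allowed to run ipa host-add, and the FOREMAN_URL/FOREMAN_USER/FOREMAN_PASS variables for the API call back.

```shell
#!/bin/sh
# Added example hook; intended location per the layout discussed in the
# thread: ~foreman/config/hooks/host/create/44_add_to_ipa
# Assumption: foreman_hooks passes the event name ($1) and the object
# name ($2) as arguments (the host JSON on stdin is not needed here).
set -eu

FOREMAN_URL="${FOREMAN_URL:-https://foreman.example.com}"   # assumed value
FOREMAN_USER="${FOREMAN_USER:-hookuser}"                       # assumed value
FOREMAN_PASS="${FOREMAN_PASS:-changeme}"                       # assumed value

# Random enrolment OTP from the kernel CSPRNG. A well-known password or a
# hash of the hostname can be computed by anyone who knows the name, so any
# machine could enrol as that host; a random per-host secret cannot be.
gen_otp() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' | head -c "${1:-32}"
}

# JSON body for POST /api/hosts/<host>/parameters (Foreman API v2), with
# backslashes and double quotes escaped so the value survives as JSON.
param_json() {
    name=$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')
    value=$(printf '%s' "$2" | sed 's/[\\"]/\\&/g')
    printf '{"parameter":{"name":"%s","value":"%s"}}' "$name" "$value"
}

main() {
    event=$1
    host=$2
    [ "$event" = "create" ] || exit 0          # only act on host creation
    otp=$(gen_otp 32)
    # Pre-create the host entry in IPA with the enrolment password; the
    # host later joins with: ipa-client-install --password=<otp>
    ipa host-add "$host" --password="$otp" >/dev/null
    # Store the OTP as a host parameter (assumed name: freeipa_otp) so the
    # provisioning template can hand it to the host; -sS keeps it out of logs.
    curl -sS -f -u "$FOREMAN_USER:$FOREMAN_PASS" \
        -H 'Content-Type: application/json' -H 'Accept: application/json' \
        -d "$(param_json freeipa_otp "$otp")" \
        "$FOREMAN_URL/api/hosts/$host/parameters" >/dev/null
}

# Run only when invoked by the hook runner with its two arguments.
if [ $# -ge 2 ]; then main "$@"; fi
```

The destroy counterpart (host/destroy/44_remove_from_ipa) would call ipa host-del with the same hostname argument.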

Ooh! Ooh!! Can I work on this one!? I'd love to finally be able to
contribute!

Thanks,
Guy

On 05/21/2013 12:40 PM, Dominic Cleal wrote:

Hello! I read about your foreman_hooks. Cool! Is that the way to go
with a host-add, though? It looks like foreman_hooks run on the foreman
server, and the ipa host-add needs to run on the IPA server . . .

In any event, are the hooks called by which directory they are in, so
that a script in:
~foreman/config/hooks/host/destroy/44_add_to_ipa would get called when a
host is created,
and
~foreman/config/hooks/host/create/44_remove_from_ipa would get called
when a host is destroyed?

Thanks a lot!!
Guy

On 05/21/2013 12:40 PM, Dominic Cleal wrote:

> Ooh! Ooh!! Can I work on this one!? I'd love to finally be able to
> contribute!
>
of course you can, we are all open :)

thank you!
Ohad

On Tue, May 21, 2013 at 8:50 PM, Guy Matz wrote:

You received this message because you are subscribed to the Google Groups
"foreman-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to foreman-dev+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

> Hello! I read about your foreman_hooks. Cool! Is that the way to go
> with a host-add, though? It looks like foreman_hooks run on the foreman
> server, and the ipa host-add needs to run on the IPA server . . .

Indeed, that's the problem that the proxy solves… calling SSH with keys
might be a solution?

> In any event, are the hooks called by which directory they are in? so
> that a script in:
> ~foreman/config/hooks/host/destroy/44_add_to_ipa would get called when a
> host is created,
> and
> ~foreman/config/hooks/host/create/44_remove_from_ipa would get called
> when a host is destroyed ?

Yes, but your example paths are muddled, the first should be host/create
and the second host/destroy.

On 22/05/13 17:03, Guy Matz wrote:


Dominic Cleal
Red Hat Engineering

>> Hello! I read about your foreman_hooks. Cool! Is that the way to go
>> with a host-add, though? It looks like foreman_hooks run on the foreman
>> server, and the ipa host-add needs to run on the IPA server . . .
> Indeed, that's the problem that the proxy solves… calling SSH with keys
> might be a solution?
I think I prefer the proxy route . . . OK if I go that way?
>> In any event, are the hooks called by which directory they are in? so
>> that a script in:
>> ~foreman/config/hooks/host/destroy/44_add_to_ipa would get called when a
>> host is created,
>> and
>> ~foreman/config/hooks/host/create/44_remove_from_ipa would get called
>> when a host is destroyed ?
> Yes, but your example paths are muddled, the first should be host/create
> and the second host/destroy.
Right! Bad copy/paste job

On 05/22/2013 12:15 PM, Dominic Cleal wrote:

Sure, that's definitely the first step for getting this into Foreman
core or a plugin too, so it's a great place to start.

On 22/05/13 17:46, Guy Matz wrote:


Dominic Cleal
Red Hat Engineering

Great! Any tips for beginning started? Should I just fork
puppet-foreman_proxy (https://github.com/theforeman/puppet-foreman_proxy)?

On 05/22/2013 12:52 PM, Dominic Cleal wrote:

> Great! Any tips for beginning started? Should I just fork
> puppet-foreman_proxy<https://github.com/theforeman/puppet-foreman_proxy>?

Actually, puppet-foreman_proxy is the puppet module to manage
foreman_proxy. I think you're looking for the smart-proxy, which is
https://github.com/theforeman/smart-proxy. Once you have completed the
feature, if it requires settings and you want them handled by the
installer, you should have a look at puppet-foreman_proxy.

On Wed, May 22, 2013 at 05:02:32PM +0000, Guy Matz wrote: