Foreman and IDM/IPA

Hello,

Is it possible to use Foreman to configure RHEL hosts as IPA (Redhat IdM)
clients?

Hello,

Absolutely - my environment has FreeIPA built into the kickstart. Works a charm.

HTH

LukeK

··· On Oct 22, 2013, at 10:53 PM, Krist van Besien wrote:

Hello,

Is it possible to use Foreman to configure RHEL hosts as IPA (Redhat IdM) clients?


You received this message because you are subscribed to the Google Groups “Foreman users” group.
To unsubscribe from this group and stop receiving emails from it, send an email to foreman-users+unsubscribe@googlegroups.com.
To post to this group, send email to foreman-users@googlegroups.com.
Visit this group at http://groups.google.com/group/foreman-users.
For more options, visit https://groups.google.com/groups/opt_out.

Could you maybe explain a bit more how you did this? The issue I'm having
trouble with is the need to have it fully automated, but without having any
admin user passwords in the kickstart file.
So I would somehow need to have Foreman add new hosts to the IPA's own DNS,
add the host to IPA with a one-time password, and then kickstart the
host, with the OTP passed to the kickstart script.

Krist

··· On Tuesday, October 22, 2013 3:57:16 PM UTC+2, lu...@kearney.jp wrote:

Hello,

Absolutely - my environment has FreeIPA built into the kickstart. Works a charm.

If you get this working through foreman_hooks, please do share the
script(s) if possible, it could be really useful for others.

We've got a couple of people from the FreeIPA team beginning to work on
better integration with Foreman and this is one of the areas. Here's
the plan, which lines up with what you're doing:

http://projects.theforeman.org/projects/foreman/wiki/RealmJoinIntegration

The idea is to just store the OTP into a host parameter or similar, then
it's easily accessible from the kickstart.

··· On 22/10/13 15:24, Krist van Besien wrote:

On Tuesday, October 22, 2013 3:57:16 PM UTC+2, lu...@kearney.jp wrote:

Hello,

Absolutely - my environment has FreeIPA built into the kickstart. Works a charm.

Could you maybe explain a bit more how you did this? The issue I'm having trouble with is the need to have it fully automated, but without having any admin user passwords in the kickstart file.
So I would somehow need to have Foreman add new hosts to the IPA's own DNS, add the host to IPA with a one-time password, and then kickstart the host, with the OTP passed to the kickstart script.


Dominic Cleal
Red Hat Engineering

Hello,

I apologise - my answer was somewhat lacking in detail. At my install we use FreeIPA and Foreman. At this time we are
manually adding the host to FreeIPA, then using unattended provisioning for actually associating the new host with FreeIPA.
Actually we have two scenarios. We did create a special account which has only the permissions to add hosts to the
realm, not even to remove them, and tried that - it works, but I suspect there have to be better ways to do it, as we do DNS
separately from FreeIPA for now.

The password in the KS does not need to be an issue if you are careful about what that account can do in FreeIPA. But it seems you have
even better ways to do this from subsequent posts.

Kind regards

··· On Oct 22, 2013, at 11:24 PM, Krist van Besien wrote:

On Tuesday, October 22, 2013 3:57:16 PM UTC+2, lu...@kearney.jp wrote:
Hello,

Absolutely - my environment has FreeIPA built into the kickstart. Works a charm.

Could you maybe explain a bit more how you did this? The issue I’m having trouble with is the need to have it fully automated, but without having any admin user passwords in the kickstart file.
So I would somehow need to have Foreman add new hosts to the IPA’s own DNS, add the host to IPA with a one-time password, and then kickstart the host, with the OTP passed to the kickstart script.

Krist



I've gotten a bit further now. I had already found that page (and
discovered some issues as well…) The "host adder" user seems to need
"read dns" and "add dns" privileges.

Is there already a way to pass a parameter from a hook script back up to
foreman?

Krist

··· On Wednesday, October 23, 2013 3:36:17 PM UTC+2, Dominic Cleal wrote:

If you get this working through foreman_hooks, please do share the script(s) if possible, it could be really useful for others.

We've got a couple of people from the FreeIPA team beginning to work on better integration with Foreman and this is one of the areas. Here's the plan, which lines up with what you're doing:

http://projects.theforeman.org/projects/foreman/wiki/RealmJoinIntegration

The idea is to just store the OTP into a host parameter or similar, then it's easily accessible from the kickstart.

Not directly, you need to call the API which has host parameter support
in APIv2. Here's a curl example:

$ curl -u admin:changeme \
    -d '{"name":"ipa-otp","value":"123456"}' \
    -H "Content-Type: application/json" \
    -H "Accept: application/json; version=2" \
    http://foreman.example.com/api/hosts/host.example.com/parameters

··· On 23/10/13 15:37, Krist van Besien wrote:

On Wednesday, October 23, 2013 3:36:17 PM UTC+2, Dominic Cleal wrote:

If you get this working through foreman_hooks, please do share the script(s) if possible, it could be really useful for others.

We've got a couple of people from the FreeIPA team beginning to work on better integration with Foreman and this is one of the areas. Here's the plan, which lines up with what you're doing:

http://projects.theforeman.org/projects/foreman/wiki/RealmJoinIntegration

The idea is to just store the OTP into a host parameter or similar, then it's easily accessible from the kickstart.

I've gotten a bit further now. I had already found that page (and discovered some issues as well...) The "host adder" user seems to need "read dns" and "add dns" privileges.

Is there already a way to pass a parameter from a hook script back up to foreman?


Dominic Cleal
Red Hat Engineering
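Editor's note: the thread describes the whole flow (a hook adds the host to IPA with a one-time password, the OTP goes back into Foreman as a host parameter through the APIv2 call in Dominic's curl example, and the kickstart reads it) but nobody posts the hook script. The following is an added example written for this page; it is not code from Foreman, foreman_hooks, FreeIPA or any poster. It assumes foreman_hooks passes the event name and host name as the first two arguments and the host's JSON on stdin, that the Foreman server holds a Kerberos ticket for a restricted "host adder" IPA account, and that the parameter name `ipa-otp`, the `FOREMAN_*` settings and the sample `ipa host-add` output are placeholders constructed for the example.

```python
#!/usr/bin/env python3
"""Added example (not Foreman, foreman_hooks or FreeIPA code): a
foreman_hooks script for the host/managed/create event that

  1. adds the new host to IPA with a random one-time password, plus its
     DNS A record when Foreman knows the IP, and
  2. stores that OTP in Foreman as the host parameter "ipa-otp" with the
     APIv2 call from the thread, so the kickstart can read it.

Assumptions to verify against your versions: argv is
<event> <hostname> and the host JSON arrives on stdin; a Kerberos ticket
for a restricted "host adder" account is present; FOREMAN_* values below
are placeholders.
"""
import base64
import ipaddress
import json
import os
import re
import subprocess
import sys
import urllib.request

FOREMAN_URL = os.environ.get("FOREMAN_URL", "https://foreman.example.com")
FOREMAN_USER = os.environ.get("FOREMAN_USER", "hook-user")  # placeholder
FOREMAN_PASS = os.environ.get("FOREMAN_PASS", "changeme")   # placeholder
PARAM_NAME = "ipa-otp"

HOSTNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$", re.I)

# Constructed sample of `ipa host-add --random` output for the offline
# checks; real output carries the same "Random password:" line.
SAMPLE_IPA_OUTPUT = """\
----------------------------
Added host "h1.example.com"
----------------------------
  Host name: h1.example.com
  Random password: abcDEF123
  Principal name: host/h1.example.com@EXAMPLE.COM
  Password: True
  Keytab: False
"""


def host_from_hook_json(text):
    """FQDN and IP from the host JSON foreman_hooks writes to stdin
    (older versions wrap it as {"host": {...}}, so accept both)."""
    data = json.loads(text)
    host = data.get("host", data)
    return host.get("name"), host.get("ip")


def ipa_host_add_cmd(fqdn, ip=None):
    """argv for `ipa host-add`: --random makes IPA generate the OTP,
    --ip-address makes it create the A record (this is what needs the
    DNS privileges mentioned in the thread). Inputs are validated because
    they come from Foreman and land on a command line."""
    if not HOSTNAME_RE.match(fqdn):
        raise ValueError("bad hostname %r" % fqdn)
    cmd = ["ipa", "host-add", fqdn, "--random"]
    if ip:
        cmd.append("--ip-address=%s" % ipaddress.ip_address(ip))  # rejects junk
    return cmd


def parse_otp(output):
    """Extract the OTP from the ipa output."""
    for line in output.splitlines():
        if line.strip().startswith("Random password:"):
            return line.split(":", 1)[1].strip()
    raise RuntimeError("no 'Random password:' line in ipa output")


def parameter_body(name, value):
    """Body for POST /api/hosts/:id/parameters, same shape as the curl example."""
    return json.dumps({"name": name, "value": value}).encode()


def enrol_in_ipa(fqdn, ip):
    # No shell involved: the argv list goes straight to the ipa binary.
    proc = subprocess.run(ipa_host_add_cmd(fqdn, ip), capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError("ipa host-add failed: " + proc.stderr.strip())
    return parse_otp(proc.stdout)


def store_otp(fqdn, otp):
    url = "%s/api/hosts/%s/parameters" % (FOREMAN_URL, fqdn)
    req = urllib.request.Request(url, data=parameter_body(PARAM_NAME, otp), method="POST")
    token = base64.b64encode(("%s:%s" % (FOREMAN_USER, FOREMAN_PASS)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    req.add_header("Accept", "application/json; version=2")
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return resp.status


if __name__ == "__main__":
    if len(sys.argv) != 3 or sys.argv[1] != "create":
        sys.exit("usage: %s create <hostname>   (host JSON on stdin)" % sys.argv[0])
    name, ip = host_from_hook_json(sys.stdin.read())
    fqdn = name or sys.argv[2]
    store_otp(fqdn, enrol_in_ipa(fqdn, ip))
```

On the kickstart side the provisioning template then only needs the parameter, e.g. `ipa-client-install --unattended --hostname=<%= @host.name %> --password='<%= @host.params['ipa-otp'] %>'` (`--password`/`-w` is ipa-client-install's one-time enrolment password; `@host.params` is assumed to be how your Foreman version exposes host parameters in templates). Two practitioner caveats: the OTP is bound to one host and consumed on first use, which is why it is acceptable in a kickstart where an admin password is not, but the host parameter is still readable by anyone who can view the host in Foreman, so delete it after enrolment and talk to the API over HTTPS with a dedicated Foreman user rather than `admin`. Also, foreman_hooks runs the script synchronously inside Foreman, so check the plugin's documentation before calling back into the Foreman API from a hook on a server with a single worker.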