Foreman/puppet plugin for FreeIPA?


#1

Anyone have any experience with FreeIPA?
Is there a Foreman/Puppet module available? (Forge? GitHub? FreeIPA.org?)
I’ve found some docs about installing the FreeIPA server and client pieces,
but the Foreman integration info is a little thin. Any clues would be most appreciated!

Running on CentOS 7:
foreman 1.20.1
puppet 5.5.10
katello 3.10.0


#2

Did you find the realm part of the documentation? Foreman :: Manual
I did it once just for testing so no real experience but it worked fine.


#3

Hi,

We have used the FreeIPA integration with Foreman for some years. It works really well, and the documentation that Dirk pointed you to was sufficient for us to make it work. No need for Puppet or anything more than foreman-installer with some options. For any host you create in Foreman (and associate with the realm), it will create the host on the FreeIPA side, set an OTP, install the client parts and register it automatically on provisioning (I am speaking for kickstart at least; that is the only provisioning method we use with FreeIPA), and remove the host in FreeIPA (and its DNS if you want) when you remove your host from Foreman. So you don’t have to take any action on the FreeIPA side for these two actions. On the FreeIPA side, you can also add auto-member rules to add your new host to the needed host groups, to further automate your host creation/deletion workflow.

As for the FreeIPA server installation, our instances are some years old now and this part was not automated, but the FreeIPA installation is really simple, even in a multi-master deployment, and its documentation is really good.

Cheers.


#4

I followed the instructions here to install freeipa-server

The IPA server requires an administrative user, named ‘admin’.
This user is a regular system account used for IPA server administration.

I am afraid that this conflicts with my foreman user “admin” when I installed foreman.

How should I proceed with their instructions for Creating LDAP Authentication Source?
Which user should I use? Should I create a new user, such as myself, and where? In LDAP or foreman?


#5

What is meant by:

4.3.8.2 FreeIPA Realm - Configuration of FreeIPA
Your Smart Proxy must be registered to the FreeIPA realm already


#6

Seems like there is a step missing, or they are out of sequence …

[root@foreman ~]# foreman-prepare-realm ipaadmin realm-proxy
/etc/ipa/default.conf not found: please register system using ipa-client-install


#7

Where is the repo for ipa-client-install? (We do not have a RHEL subscription service.)


#8

Never mind, it’s already installed:

ipa-client.x86_64 : IPA authentication for use on clients
ipa-client-common.noarch : Common files used by IPA client

[root@foreman ~]# which ipa-client-install
/sbin/ipa-client-install

Just need to know how to run it, and where? Clients?


#9

You’re probably best going to the IPA forums, nothing to do with foreman at this point. All you need to do is a standard IPA client config.

Though, you can just run ipa-client-install and it will take you through a guided config, assuming your FreeIPA server(s) are configured correctly.
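
Added example (not part of the thread, and not Foreman's or FreeIPA's own code): a preflight for the ordering problem in post #6, checking that the Foreman host is already an IPA client before foreman-prepare-realm is run. The function names and the example.test sample values are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: check IPA enrollment before running
# foreman-prepare-realm, which stops when /etc/ipa/default.conf is absent.

# Print the value of key $2 from the [global] section of config file $1.
ipa_conf_get() {
    awk -F= -v key="$2" '
        /^\[/ { in_global = ($0 == "[global]"); next }
        in_global {
            k = $1; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                # Take everything after the first "=": values such as basedn contain "=".
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Return 0 if the host looks enrolled, 1 (with the missing step) otherwise.
realm_preflight() {
    conf="${1:-/etc/ipa/default.conf}"
    if [ ! -r "$conf" ]; then
        echo "not enrolled: run ipa-client-install on this host first"
        return 1
    fi
    realm=$(ipa_conf_get "$conf" realm)
    if [ -z "$realm" ]; then
        echo "no realm in $conf: re-run ipa-client-install"
        return 1
    fi
    echo "enrolled in realm $realm: foreman-prepare-realm can run"
}

# Constructed sample config; the example.test values are placeholders.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
basedn = dc=example,dc=test
realm = EXAMPLE.TEST
server = ipa.example.test
EOF
realm_preflight "$sample"
realm_preflight "$sample.missing" || true
rm -f "$sample"
```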