RealmJoinIntegration » History » Version 1

Dominic Cleal, 04/10/2013 07:31 AM
Draft design for joining hosts to realms

h1. Realm Join Integration

*This is just sketching out some ideas, it doesn't exist, yet.*

This page covers ideas for joining hosts to FreeIPA realms or Active Directory domains when they're built, using a hypothetical foreman_realm plugin.

h2. DNS management

Related, but not actually realm joining.  Updates to DNS can be made via the normal smart proxy route, however for both FreeIPA and AD we require GSS-TSIG support for nsupdate.  This is in progress via #1685.

h2. Realm configuration

foreman_realm should add a realm model, associate realms with domains, and provide everything needed to manage them.

h2. Host/computer creation

h3. Proxy support

The proxy should provide an API for creating hosts in realms (or computer objects in AD domains).  This might depend on being able to define new APIs entirely through plugins.

For FreeIPA, this can either call the @ipa host-add@ command or the XMLRPC API that backs it.  A service account (with delegated hostadmin permission?) could probably be created so the XMLRPC API can be called with a keytab.

For AD, adcli can be used (available in F18+):

* http://fedoraproject.org/wiki/Features/ActiveDirectory
* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration (has an adcli example)

h3. Foreman support

foreman_realm should add an orchestration step to create and destroy the host object via the proxy.  The OTP used when creating the host should be stored.

h2. Joining hosts

foreman_realm could add a new %post snippet which uses the "realm" command (part of realmd) to join the host to the specified realm.

* http://www.freedesktop.org/software/realmd/docs/index.html (see joining sections)

For newer anacondas, we could use this instead (maybe a second snippet):

* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration

For older releases (EL5/6/F18), it should also support the ipa* client tools, as realm is only just getting FreeIPA support:

* http://fedoraproject.org/wiki/Features/RealmdFreeIpaSupport
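As an added example of what the %post snippet above could look like (this is illustration, not code from the Foreman project or this design), the helper below joins the host with the stored OTP, using realmd's realm command where it is available and falling back to ipa-client-install for the older releases the page mentions. It assumes hypothetical template variables REALM_TYPE, REALM_NAME and REALM_OTP are rendered into the snippet by Foreman.

```shell
#!/bin/sh
# Added example, not part of the Foreman design page: a %post-style helper that
# joins the host to the realm Foreman assigned to it. Assumptions (hypothetical):
# REALM_TYPE ("freeipa" or "ad"), REALM_NAME and REALM_OTP are rendered into the
# snippet from the host's realm, the OTP being the one stored when the proxy
# created the host object. Set DRY_RUN=1 to print the command instead of running it.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Pick the join tool: realmd's realm(1) when present, otherwise the ipa-client
# tools for FreeIPA (EL5/6/F18, where realmd has no FreeIPA support yet).
# The optional 4th argument overrides the realm(1) detection ("yes"/"no").
join_realm() {
    realm_type=$1; realm_name=$2; otp=$3
    have_realm=${4:-$(command -v realm >/dev/null 2>&1 && echo yes || echo no)}

    # Refuse bad input: an empty OTP would make the join prompt interactively and
    # hang the build, and whitespace in a realm name is never valid.
    case "$realm_name" in ''|*[[:space:]]*) echo 'bad realm name' >&2; return 2 ;; esac
    [ -n "$otp" ] || { echo 'missing OTP' >&2; return 2; }

    case "$realm_type" in
        freeipa)
            if [ "$have_realm" = yes ]; then
                run realm join --client-software=sssd --one-time-password="$otp" "$realm_name"
            else
                run ipa-client-install --unattended --realm="$realm_name" --password="$otp"
            fi ;;
        ad)
            run realm join --membership-software=adcli --one-time-password="$otp" "$realm_name" ;;
        *)  echo "unknown realm type: $realm_type" >&2; return 2 ;;
    esac
}

# Entry point for the real %post: only runs when Foreman rendered the variables.
if [ -n "${REALM_NAME:-}" ]; then
    join_realm "${REALM_TYPE:-}" "$REALM_NAME" "${REALM_OTP:-}"
fi
```

Note that both tools take the OTP as a command-line argument, so it is briefly visible in the process list and may land in the installer log; treating it as a true one-time credential on the Foreman side (invalidated once used) limits the exposure.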