h1. Realm Join Integration

*This is just sketching out some ideas, it doesn't exist, yet.*

This page covers ideas for joining hosts to FreeIPA realms or Active Directory domains when they're built, using a hypothetical foreman_realm plugin.

h2. DNS management

Related, but not actually realm joining.  Updates to DNS can be made via the normal smart proxy route, however for both FreeIPA and AD we require GSS-TSIG support for nsupdate.  This was completed for Foreman 1.2 via #1685.

h2. Realm configuration

foreman_realm should add a realm model and associate them with domains, plus everything needed to manage them.

h2. Host/computer creation

h3. Proxy support

The proxy should provide an API for creating hosts in realms (or computer objects in AD domains).  This might depend on being able to define new APIs entirely through plugins.

For FreeIPA, this can either call the @ipa host-add@ command or the XMLRPC API that backs it.  A service account (with delegated hostadmin permission?) could probably be created so the XMLRPC API can be called with a keytab.

For AD, adcli can be used (available in F18+):

* http://fedoraproject.org/wiki/Features/ActiveDirectory

* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration (has an adcli example)

h3. Foreman support

foreman_realm should add an orchestration step to create and destroy the host object via the proxy.  The OTP used when creating should be stored.

h2. Joining hosts

foreman_realm could add a new %25post snippet which uses the "realm" command (part of realmd) to join the host to the specified realm.

* http://www.freedesktop.org/software/realmd/docs/index.html (see joining sections)

For new anacondas, we could use this instead (maybe a second snippet):

* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration

For older (EL5/6/F18), it should also support the ipa* client tools as realm is only just getting FreeIPA support:

* http://fedoraproject.org/wiki/Features/RealmdFreeIpaSupport