RealmJoinIntegration » History » Revision 3

Dominic Cleal, 06/18/2013 06:24 AM
Incorporated info from Martin Kosek and Dmitri Pal


Realm Join Integration

This page is just sketching out some ideas; the plugin doesn't exist yet.

This page covers ideas for joining hosts to FreeIPA realms or Active Directory domains when they're built, using a hypothetical foreman_realm plugin.

DNS management

Related, but not actually realm joining. Updates to DNS can be made via the normal smart proxy route; however, for both FreeIPA and AD this requires GSS-TSIG support for nsupdate. This was completed for Foreman 1.2 via #1685.

Realm configuration

foreman_realm should add a realm model, associate realms with domains, and provide everything needed to manage them.

To support classes and hostgroups in IPA (see below), additional attributes could be added to Foreman's host groups (or whatever they get replaced with) to define the IPA classes that the host would have when created.

Host/computer creation

Proxy support

The proxy should provide an API for creating hosts in realms (or computer objects in AD domains). This might depend on being able to define new APIs entirely through plugins.

FreeIPA

For FreeIPA, this can either call the ipa host-add command or the XMLRPC API that backs it. Here's an example of creating a user with minimal privileges that can create new hosts:

# kinit admin
# ipa user-add --first=Host --last=Adder hadder

# ipa privilege-add "Add computers" --desc="Add computers"
# ipa privilege-add-permission "Add computers" --permissions="add hosts"

# ipa role-add "Host Adder" --desc="Can add new hosts"
# ipa role-add-privilege "Host Adder" --privilege="Add computers"
# ipa role-add-member "Host Adder" --users=hadder

# ipa-getkeytab -s `hostname` -p hadder@IDM.LAB.BOS.REDHAT.COM -k /root/hadder.keytab
# kinit -kt /root/hadder.keytab hadder@IDM.LAB.BOS.REDHAT.COM
# klist
Ticket cache: DIR::/run/user/0/krb5cc/tkt3GbmCZ
Default principal: hadder@IDM.LAB.BOS.REDHAT.COM    <<<<<

Valid starting       Expires              Service principal
06/14/2013 21:54:06  06/15/2013 21:54:06  krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM

The hadder user is now privileged to add hosts to IPA:

# ipa host-add random.host.test --random --force
-----------------------------
Added host "random.host.test" 
-----------------------------
  Host name: random.host.test
  Random password: K8-5rr0U8vL,
  Password: True
  Keytab: False
  Managed by: random.host.test

As expected, the user is unable to perform other administrative tasks:

# ipa host-mod random.host.test --desc=foo
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'description' attribute of entry 'fqdn=random.host.test,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.

As a later step, classes can be assigned to hosts in IPA that associate them with IPA host groups (not to be confused with Foreman host groups).

The attribute is called "userClass" in the IPA LDAP tree and is exposed by default on host entries through the "--class" option. This is how it works:

1. Create a host group to demonstrate how automatic assignment of hosts to host groups works

# ipa hostgroup-add webservers
Description: web servers
----------------------------
Added hostgroup "webservers" 
----------------------------
  Host-group: webservers
  Description: web servers

2. Create an automember rule for this hostgroup

# ipa automember-add --type=hostgroup webservers
----------------------------------
Added automember rule "webservers" 
----------------------------------
  Automember Rule: webservers

3. The automember condition is hooked to the host's userclass attribute

# ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver webservers
----------------------------------
Added condition(s) to "webservers" 
----------------------------------
  Automember Rule: webservers
  Inclusive Regex: userclass=^webserver
----------------------------
Number of conditions added 1
----------------------------

Steps 1, 2 and 3 need to be done just once, when IPA is being configured.

4. Now this is the best part. When the Foreman proxy adds a host, it can specify the host class, which automatically triggers the automember rule:

# ipa host-add web.example.com --force --class=webserver --class=mailserver
----------------------------
Added host "web.example.com" 
----------------------------
  Host name: web.example.com
  Principal name: host/web.example.com@EXAMPLE.COM
  Class: webserver, mailserver                    <<<<<<<<<<
  Password: False
  Member of host-groups: webservers               <<<<<<<<<<
  Indirect Member of netgroup: webservers
  Keytab: False
  Managed by: web.example.com

You can have several of these rules in parallel.
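The proxy side of the two FreeIPA steps above (creating the host with a random password as the restricted hadder user, and passing Foreman's classes as --class options so the automember rule fires) could look like the following. This is an added example, not code from this page or from any foreman_realm plugin; the module, method and error names are hypothetical, and it assumes the proxy already holds a Kerberos ticket for the restricted user. The FQDN and class names are validated and passed to ipa as an argv array rather than through a shell, and the parser is exercised on the host-add output shown above.

```ruby
# Added example, not code from the original page or from any foreman_realm
# plugin: a sketch of the smart-proxy side of host creation in FreeIPA. The
# proxy shells out to the ipa CLI with an argv array (the FQDN and classes are
# never passed through a shell) and parses host-add's output to recover the
# one-time password that Foreman needs to keep for the later %post enrollment.
require 'open3'

module RealmProxy
  # Hypothetical error type for failures the ipa CLI reports.
  class IpaError < StandardError; end

  # Accept only well-formed host names and class names before they reach ipa.
  FQDN_RE  = /\A(?=.{1,253}\z)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))*\z/i
  CLASS_RE = /\A[a-z0-9_-]+\z/i

  # argv for `ipa host-add`: --random makes IPA generate the OTP, --force skips
  # the DNS check, and each Foreman-supplied class becomes a --class= option
  # that the automember rule keys on.
  def self.host_add_argv(fqdn, classes: [])
    raise ArgumentError, "bad fqdn #{fqdn.inspect}" unless FQDN_RE.match?(fqdn)
    bad = classes.reject { |c| CLASS_RE.match?(c) }
    raise ArgumentError, "bad class names #{bad.inspect}" unless bad.empty?
    ['ipa', 'host-add', fqdn, '--random', '--force'] + classes.map { |c| "--class=#{c}" }
  end

  # argv for the matching destroy step.
  def self.host_del_argv(fqdn)
    raise ArgumentError, "bad fqdn #{fqdn.inspect}" unless FQDN_RE.match?(fqdn)
    ['ipa', 'host-del', fqdn]
  end

  # Turn ipa's "  Key: value" result lines into a hash; an "ipa: ERROR:" line
  # (for example the insufficient-access error shown above) becomes IpaError.
  def self.parse_output(text)
    if (err = text.match(/^ipa: ERROR: (.*)$/))
      raise IpaError, err[1].strip
    end
    text.each_line.each_with_object({}) do |line, attrs|
      m = line.match(/\A\s+([^:]+): (.*)$/)
      attrs[m[1].strip] = m[2].strip if m
    end
  end

  # Create the host and return what Foreman should store: the FQDN, the OTP
  # and the host groups the automember rule placed it into. `runner` is
  # injectable so the parsing can be exercised without an IPA server.
  def self.host_add(fqdn, classes: [], runner: method(:run))
    attrs = parse_output(runner.call(host_add_argv(fqdn, classes: classes)))
    { fqdn: attrs['Host name'],
      otp: attrs['Random password'],
      hostgroups: (attrs['Member of host-groups'] || '').split(/,\s*/) }
  end

  # Default runner: execute argv with the Kerberos credentials already in the
  # proxy's environment (e.g. obtained with kinit -kt from the hadder keytab).
  def self.run(argv)
    out, err, status = Open3.capture3(*argv)
    raise IpaError, err.strip unless status.success? || err.include?('ipa: ERROR:')
    out + err
  end
end
```

Because the restricted user only holds the "add hosts" permission, a host-mod attempt from the same proxy fails with the error shown above; the parser surfaces that as IpaError instead of returning a half-filled hash, so Foreman's orchestration can roll back cleanly.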

Active Directory

For AD, adcli can be used (available in F18+):

Foreman support

foreman_realm should add an orchestration step to create and destroy the host object via the proxy. The one-time password (OTP) returned when the host is created should be stored, since it is needed when the host joins the realm.

Joining hosts

foreman_realm could add a new %post snippet which uses the "realm" command (part of realmd) to join the host to the specified realm. For new anacondas, we could use this instead (maybe a second snippet): For older releases (EL5/6/F18), it should also support the ipa* client tools, as realm is only just getting FreeIPA support:

Example (using the random password returned by ipa host-add above): ipa-client-install --password K8-5rr0U8vL,
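Foreman's provisioning templates and snippets are ERB, so the %post snippet described above could be sketched as follows. This is an added example, not code from this page or from foreman_realm: the Host struct and its attribute names are hypothetical stand-ins for whatever the plugin would expose to templates, and the "older release" test encodes the EL5/6/F18 list above as an assumption. The one point worth taking from it is that the stored OTP is shell-escaped before it is written into the snippet, because IPA's random passwords can contain a trailing comma (as in the example above) or characters the shell would otherwise interpret.

```ruby
# Added example, not part of the original page or of foreman_realm: an ERB
# sketch of the %post realm-join snippet. Host and its attributes are
# hypothetical; the OTP is the "Random password" that ipa host-add returned
# and Foreman stored.
require 'erb'
require 'shellwords'

module RealmSnippet
  # Hypothetical host object as a template would see it.
  Host = Struct.new(:name, :domain, :realm_name, :realm_type,
                    :os_family, :os_major, :realm_otp, keyword_init: true)

  # Assumed reading of the page's "older (EL5/6/F18)" list: these releases use
  # ipa-client-install, anything newer uses realmd's realm command.
  def self.legacy_ipa_client?(os_family, os_major)
    (os_family == 'RedHat' && os_major <= 6) || (os_family == 'Fedora' && os_major <= 18)
  end

  # Every interpolated value goes through Shellwords.escape, so an OTP such as
  # "K8-5rr0U8vL," or one containing $ or spaces cannot alter the command.
  TEMPLATE = <<~'ERB'
    %post
    # <%= host.name %>: join realm <%= host.realm_name %> with the one-time password stored by Foreman
    <% if host.realm_type == 'FreeIPA' && RealmSnippet.legacy_ipa_client?(host.os_family, host.os_major) -%>
    ipa-client-install --unattended --hostname=<%= Shellwords.escape(host.name) %> --domain=<%= Shellwords.escape(host.domain) %> --realm=<%= Shellwords.escape(host.realm_name) %> --password=<%= Shellwords.escape(host.realm_otp) %>
    <% else -%>
    realm join --one-time-password=<%= Shellwords.escape(host.realm_otp) %> <%= Shellwords.escape(host.realm_name) %>
    <% end -%>
    %end
  ERB

  # Render the snippet for one host; trim_mode '-' drops the lines that only
  # carry ERB control flow.
  def self.render(host)
    ERB.new(TEMPLATE, trim_mode: '-').result_with_hash(host: host)
  end
end
```

For an AD realm the same snippet always takes the realm branch, which is the realmd path the section above proposes; the FreeIPA branch only falls back to ipa-client-install on the older releases listed.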

Updated by Dominic Cleal over 11 years ago · 8 revisions