h1. Realm Join Integration

*This is just sketching out some ideas, it doesn't exist, yet.*

This page covers ideas for joining hosts to FreeIPA realms or Active Directory domains when they're built, using a hypothetical foreman_realm plugin.

h2. DNS management

Related, but not actually realm joining.  Updates to DNS can be made via the normal smart proxy route, however for both FreeIPA and AD we require GSS-TSIG support for nsupdate.  This was completed for Foreman 1.2 via #1685.

h2. Realm configuration

foreman_realm should add a realm model and associate them with domains, plus everything needed to manage them.

To support classes and hostgroups in IPA (see below), additional attributes could be added to Foreman's host groups (or whatever they get replaced with) to define the IPA classes that the host would have when created.

h2. Host/computer creation

h3. Proxy support

The proxy should provide an API for creating hosts in realms (or computer objects in AD domains).  This might depend on being able to define new APIs entirely through plugins.

h4. FreeIPA

For FreeIPA, this can either call the @ipa host-add@ command or the XMLRPC API that backs it.  Here's an example of creating a user with minimal privileges that can create new hosts:

<pre>

# kinit admin

# ipa user-add --first=Host --last=Adder hadder

# ipa privilege-add "Add computers" --desc"Add computers"

# ipa privilege-add-permission "Add computers" --permissions="add hosts"

# ipa role-add "Host Adder" --desc="Can add new hosts"

# ipa role-add-privilege "Computer creator" --privilege="Add computers"

# ipa role-add-member "Computer creator" --user=hadder

# ipa-getkeytab -s `hostname` -p hadder@IDM.LAB.BOS.REDHAT.COM -k /root/hadder.keytab

# kinit -kt /root/hadder.keytab hadder@IDM.LAB.BOS.REDHAT.COM

# klist

Ticket cache: DIR::/run/user/0/krb5cc/tkt3GbmCZ

Default principal: hadder@IDM.LAB.BOS.REDHAT.COM    <<<<<

Valid starting       Expires              Service principal

06/14/2013 21:54:06  06/15/2013 21:54:06

krbtgt/IDM.LAB.BOS.REDHAT.COM@IDM.LAB.BOS.REDHAT.COM

</pre>

System user is now privileged to add hosts to IPA:

<pre>

# ipa host-add random.host.test --random --force

-----------------------------

Added host "random.host.test"

-----------------------------

  Host name: random.host.test

  Random password: K8-5rr0U8vL,

  Password: True

  Keytab: False

  Managed by: random.host.test

</pre>

He is unable to perform other administrative tasks as expected:

<pre>

# ipa host-mod random.host.test --desc=foo

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the

'description' attribute of entry

'fqdn=random.host.test,cn=computers,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com'.

</pre>

As a later step, classes can be assigned to hosts in IPA that associate it with hostgroups (not to be confused with Foreman host groups).

The attribute is called "userClass" in IPA LDAP, it is available by default with host entries under "--class" option. This is how it works:

1. We create a hostgroups to demonstrate how the automatic assignment of hosts to host groups works

<pre>

# ipa hostgroup-add webservers

Description: web servers

----------------------------

Added hostgroup "webservers"

----------------------------

  Host-group: webservers

  Description: web servers

</pre>

2. Create an automember rule for this hostgroup

<pre>

# ipa automember-add --type=hostgroup webservers

----------------------------------

Added automember rule "webservers"

----------------------------------

  Automember Rule: webservers

</pre>

3. The automember condition is hooked to the host's userclass attribute

<pre>

# ipa automember-add-condition --key=userclass --type=hostgroup

--inclusive-regex=^webserver webservers

----------------------------------

Added condition(s) to "webservers"

----------------------------------

  Automember Rule: webservers

  Inclusive Regex: userclass=^webserver

----------------------------

Number of conditions added 1

----------------------------

</pre>

Steps 1, 2 and 3 need to be done just once when the IPA is being configured.

4. Now this is the best part. When Foreman proxy adds a host, it can specify

the host class which will automatically triggers

<pre>

# ipa host-add web.example.com --force --class=webserver --class=mailserver

----------------------------

Added host "web.example.com"

----------------------------

  Host name: web.example.com

  Principal name: host/web.example.com@EXAMPLE.COM

  Class: webserver, mailserver                    <<<<<<<<<<

  Password: False

  Member of host-groups: webservers               <<<<<<<<<<

  Indirect Member of netgroup: webservers

  Keytab: False

  Managed by: web.example.com

</pre>

You can have more these rules in parallel.

h4. Active Directory

For AD, adcli can be used (available in F18+):

* http://fedoraproject.org/wiki/Features/ActiveDirectory

* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration (has an adcli example)

h3. Foreman support

foreman_realm should add an orchestration step to create and destroy the host object via the proxy.  The OTP used when creating should be stored.

h2. Joining hosts

foreman_realm could add a new %25post snippet which uses the "realm" command (part of realmd) to join the host to the specified realm.

* http://www.freedesktop.org/software/realmd/docs/index.html (see joining sections)

For new anacondas, we could use this instead (maybe a second snippet):

* https://fedoraproject.org/wiki/Features/AnacondaRealmIntegration

For older (EL5/6/F18), it should also support the ipa* client tools as realm is only just getting FreeIPA support:

* http://fedoraproject.org/wiki/Features/RealmdFreeIpaSupport

Example: @ipa-client-install --password K8-5rr0U8vL,@