FreeIPA - draft
FreeIPA will provide an interface to manage hosts and hostgroups in an identity management server. This will be used during provisioning to create a host in IPA, obtain a random (one-time) password for it, and generate a snippet that can be used in a kickstart to enroll the client machine in IPA.
The IPA smart proxy lives outside of Foreman, so it is configured differently than a typical proxy.
The proxy needs to be installed locally on the Foreman server. Its RESTful API is not authenticated, so requests need to be secured in some way; binding it locally so that only the Foreman server can reach it should be adequate.
The Foreman server will need to be enrolled as an IPA client.
An IPA role for the proxy needs to be created in order to grant access to create hosts and hostgroups. In this example a dedicated user is created and given only that role:
$ kinit admin
$ ipa privilege-add 'REST host management' --desc='REST host management'
$ ipa privilege-add-permission 'REST host management' --permission='add hosts' --permission='remove hosts'
$ ipa role-add 'REST management' --desc='REST management'
$ ipa role-add-privilege 'REST management' --privilege='REST host management' --privilege='Host Group Administrators'
$ ipa user-add --first=REST --last=Server rest
$ ipa role-add-member --users=rest 'REST management'
A keytab is needed for this user in order to make authenticated requests:
# kinit admin
# ipa-getkeytab -s ipa.example.com -p rest@EXAMPLE.COM -k /etc/ipa/ipa-rest.keytab
GSS-Proxy is used to manage this keytab. These lines should be added to the top of /etc/gssproxy/gssproxy.conf:
[service/rest]
  mechs = krb5
  cred_store = client_keytab:/etc/ipa/ipa-rest.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  cred_usage = initiate
  euid = 48
(where 48 is the uid of the apache user)
The proxy service runs as the Apache user.
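To sanity-check that stanza before restarting gssproxy, here is an added example (not code from the Foreman or FreeIPA projects) that parses the gssproxy.conf syntax and verifies the settings the proxy depends on: the krb5 mech, a client keytab and ccache cred_store, an initiate cred_usage, and a euid matching the Apache user, which is passed in rather than assumed to be 48.

```python
import re

# Constructed sample reproducing the [service/rest] stanza from the text.
SAMPLE_CONF = """\
[service/rest]
  mechs = krb5
  cred_store = client_keytab:/etc/ipa/ipa-rest.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  cred_usage = initiate
  euid = 48
"""


def parse_gssproxy(text):
    """Parse gssproxy's INI-style text into {section: {key: [values]}}.

    Repeated keys (cred_store appears twice) accumulate instead of
    overwriting, which is why configparser is not used here.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is None or "=" not in line:
            raise ValueError("unexpected line: %r" % raw)
        else:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return sections


def check_rest_service(text, apache_uid):
    """Return the problems found in [service/rest]; an empty list means OK."""
    svc = parse_gssproxy(text).get("service/rest")
    if svc is None:
        return ["missing [service/rest] stanza"]
    first = lambda key: svc.get(key, [""])[0]  # single-valued keys
    stores = svc.get("cred_store", [])
    problems = []
    if "krb5" not in first("mechs").replace(",", " ").split():
        problems.append("mechs must include krb5")
    if not any(s.startswith("client_keytab:") for s in stores):
        problems.append("no client_keytab cred_store, so no TGT can be acquired")
    if not any(s.startswith("ccache:") for s in stores):
        problems.append("no ccache cred_store to hold the acquired ticket")
    if first("cred_usage") != "initiate":
        problems.append("cred_usage must be initiate for an outbound client keytab")
    if first("euid") != str(apache_uid):
        problems.append("euid %s does not match the Apache uid %d" % (first("euid"), apache_uid))
    return problems
```

Run `check_rest_service(open("/etc/gssproxy/gssproxy.conf").read(), pwd.getpwnam("apache").pw_uid)` on the real file to get the uid from the system rather than hard-coding it.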
An overview of the API used can be found at http://www.freeipa.org/page/V3/Smart_Proxy
How this ties together with Foreman is described at http://projects.theforeman.org/projects/foreman/wiki/RealmJoinIntegration