FreeIPA » History » Version 2

Ohad Levy, 01/25/2014 07:35 PM

1 1 Rob Crittenden
h1. FreeIPA - _draft_

FreeIPA will provide an interface to manage hosts and hostgroups in an identity management server. This will be used during provisioning to create a host in IPA, get a random password and generate a snippet which can be used in a kickstart to enroll the client machine in IPA.

h2. Configuration

The IPA smart proxy lives outside of Foreman, so it is configured differently than a typical proxy.

The proxy needs to be installed locally on the Foreman server. The RESTful API is not authenticated, so requests need to be secured in some way; running locally should be adequate.

The Foreman server will need to be enrolled as an IPA client.

An IPA role for the proxy needs to be created in order to grant access to create hosts and hostgroups. In this example a dedicated user is created and added to that role:

<pre>
$ kinit admin
$ ipa privilege-add 'REST host management' --desc='REST host management'
$ ipa privilege-add-permission 'REST host management' --permission='add hosts' --permission='remove hosts'
$ ipa role-add 'REST management' --desc='REST management'
$ ipa role-add-privilege 'REST management' --privilege='REST host management' --privilege='Host Group Administrators'

$ ipa user-add --first=REST --last=Server rest
$ ipa role-add-member --users=rest 'REST management'
</pre>

A keytab is needed for this user in order to make authenticated requests:

<pre>
# kinit admin
# ipa-getkeytab -s ipa.example.com -p rest@EXAMPLE.COM -k /etc/ipa/ipa-rest.keytab
</pre>

GSS-Proxy is used to manage this keytab. These lines should be added to the top of /etc/gssproxy/gssproxy.conf:

<pre>
  [service/rest]
    mechs = krb5
    cred_store = client_keytab:/etc/ipa/ipa-rest.keytab
    cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
    cred_usage = initiate
    euid = 48
</pre>

The proxy service runs as the Apache user, so @euid@ must be that user's uid (48 in this example; check it with @id -u apache@ on your server).

An overview of the API used can be found at http://www.freeipa.org/page/V3/Smart_Proxy

48 2 Ohad Levy
How this ties together with Foreman can be found at [[Foreman:RealmJoinIntegration]]
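The gssproxy stanza in the Configuration section is the part of this setup that protects the REST user's long-term key: the keytab is read by gssproxy on behalf of the Apache-owned proxy, so a wrong @euid@, a missing @cred_usage = initiate@, or a world-readable keytab quietly widens who can act as @rest@. The following is an added example, not code from this wiki page or from the Foreman or FreeIPA projects: a small Python checker that parses a gssproxy.conf (keeping repeated keys, which @cred_store@ relies on), validates the @[service/rest]@ stanza against what the page prescribes, and checks the keytab's file mode. The uid 48 and the keytab path come from the page; @SAMPLE_CONF@, @APACHE_UID@, @parse_gssproxy@, @check_rest_service@, @keytab_mode_findings@ and @check_keytab@ are names chosen here, and the sample stanza is constructed for the example.

```python
import os
import stat
from collections import defaultdict

# Constructed sample: the page's /etc/gssproxy/gssproxy.conf stanza, with the
# "(where 48 is the apache user uid)" remark left out so it parses cleanly.
SAMPLE_CONF = """\
[service/rest]
  mechs = krb5
  cred_store = client_keytab:/etc/ipa/ipa-rest.keytab
  cred_store = ccache:/var/lib/gssproxy/clients/krb5cc_%U
  cred_usage = initiate
  euid = 48
"""

APACHE_UID = 48  # assumed, as on the page; confirm with `id -u apache` on the host


def parse_gssproxy(text):
    """Parse gssproxy.conf text into {section: {key: [value, ...]}}.

    gssproxy lets a key repeat inside a stanza (cred_store above appears twice),
    which configparser would silently collapse, so every value is kept.
    """
    sections = defaultdict(lambda: defaultdict(list))
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line outside a stanza: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[current][key].append(value)
    return {name: dict(keys) for name, keys in sections.items()}


def check_rest_service(conf, section="service/rest", expected_euid=APACHE_UID):
    """Return a list of findings for the proxy's stanza; an empty list means OK."""
    svc = conf.get(section)
    if svc is None:
        return [f"missing [{section}] stanza"]
    findings = []
    if svc.get("mechs") != ["krb5"]:
        findings.append("mechs should be exactly krb5")
    if svc.get("cred_usage") != ["initiate"]:
        findings.append("cred_usage should be initiate: the proxy only acquires tickets")
    stores = dict(v.split(":", 1) for v in svc.get("cred_store", []) if ":" in v)
    keytab = stores.get("client_keytab")
    if not keytab or not keytab.startswith("/"):
        findings.append(f"client_keytab must be an absolute path, got {keytab!r}")
    ccache = stores.get("ccache")
    if not ccache or "%U" not in ccache:
        findings.append("ccache should contain %U so each uid gets its own cache")
    euid = svc.get("euid", [None])[0]
    if euid is None or not euid.isdigit():
        # This is what you get if the page's parenthetical remark is pasted into
        # the file verbatim: the value becomes "48  (where 48 is ...)".
        findings.append(f"euid must be a bare numeric uid, got {euid!r}")
    elif int(euid) != expected_euid:
        findings.append(f"euid {euid} does not match the apache uid {expected_euid}")
    return findings


def keytab_mode_findings(mode):
    """Findings for a keytab's st_mode: it holds the REST user's long-term key,
    so it must be a regular file that only its owner can read or write."""
    findings = []
    if not stat.S_ISREG(mode):
        findings.append("keytab is not a regular file")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"keytab is group/world accessible (mode {stat.S_IMODE(mode):04o})")
    return findings


def check_keytab(path):
    """Stat the keytab at path and report its findings (a missing file included)."""
    try:
        return keytab_mode_findings(os.stat(path).st_mode)
    except FileNotFoundError:
        return [f"keytab {path} does not exist"]


if __name__ == "__main__":
    conf = parse_gssproxy(SAMPLE_CONF)
    for finding in check_rest_service(conf) or ["gssproxy stanza OK"]:
        print(finding)
    for finding in check_keytab("/etc/ipa/ipa-rest.keytab"):
        print(finding)
```

Run it against a copy of the real file by reading it into @parse_gssproxy@ instead of @SAMPLE_CONF@ and passing the actual apache uid as @expected_euid@. The keytab itself should stay owned by root with mode 0600: gssproxy reads it on the proxy's behalf, which is the whole reason the Apache user never needs direct access to it.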