[Freeipa-devel] Multi-master replication with puppet

James purpleidea at gmail.com
Fri Jun 6 18:12:14 UTC 2014


On Fri, 2014-06-06 at 14:03 +0200, Jan Pazdziora wrote:
> On Fri, Jun 06, 2014 at 06:38:10AM -0400, James wrote:
> > 
> > I've just announced the first sane implementation for secret handling
> > in puppet. Since everyone does this wrong, I thought I'd do it right,
> > by pioneering a new technique. You can read about it here:
> > 
> > https://ttboj.wordpress.com/2014/06/06/securely-managing-secrets-for-freeipa-with-puppet/
> > 
> > In short, the dm_password and admin_password never get touched by
> > puppet, and are generated locally on the freeipa server. What this
> > means is that puppet doesn't know what they are, and as a result,
> > can't use them to accomplish admin tasks.
> 
> Could we make this functionality part of the ipa-server-install script
> itself? It could be useful outside of puppet as well?

Actually, that is an interesting question! You could for certain use
cases, although the amount of different use cases I am currently
supporting in the code makes it probably not useful. So I would probably
not recommend this. I would wait six months for puppet-ipa to stabilize,
and then see what common functionality can be merged into FreeIPA. I
already have a few items that could if you're interested in specifics
(we can talk offline).

> 
> Do you have any proposal how to go about ipa-client-install in puppet,
> without having the password stored/exposed there?

Actually, yes! This is a tricky operation in puppet, but it all fully
works. It automatically uses an exported one time password from the
host. I should probably write up an article on this process. It has more
features too. If you want to play in the code, ping me offline or on
IRC, and I can orient you on the steps.

> 
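
The property James describes above, that dm_password and admin_password are generated on the FreeIPA server itself and never pass through puppet, can be shown in a few lines of shell. The script below is an added example for this thread, not code from puppet-ipa or FreeIPA; the file names, the scratch directory and the 32-character alphanumeric format are assumptions, and the ipa-server-install invocation is echoed rather than run.

```shell
#!/bin/sh
# Added example, not code from puppet-ipa or FreeIPA: generate the
# dm_password and admin_password on the FreeIPA server host itself, so the
# configuration-management control plane never handles the values.
# Paths and names below are hypothetical.
set -eu

# Print one 32-character password drawn from the kernel CSPRNG.
# Alphanumerics only, so the value survives quoting in installer arguments.
generate_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
    echo
}

# Create FILE holding a fresh password, readable by the owner only, unless it
# already exists. Later calls are no-ops, which is the property a
# config-management run needs: re-applying a manifest must not rotate the
# secret out from under the running directory server.
ensure_secret() {
    file="$1"
    if [ -e "$file" ]; then
        return 0
    fi
    mkdir -p "$(dirname "$file")"
    # Write under a restrictive umask so the file is never world-readable,
    # not even briefly between creation and a later chmod.
    ( umask 077 && generate_password > "$file" )
}

# Read a stored secret back for use in the install command on the same host.
read_secret() {
    cat "$1"
}

# Sanity check on a stored secret: a regular file, owner-only permissions,
# and more than MINLEN bytes of content. Returns non-zero otherwise.
secret_ok() {
    file="$1"
    minlen="${2:-16}"
    [ -f "$file" ] || return 1
    perms=$(ls -l "$file" | cut -c2-10)
    [ "$perms" = "rw-------" ] || return 1
    len=$(wc -c < "$file" | tr -d ' ')   # byte count includes the newline
    [ "$len" -gt "$minlen" ] || return 1
}

# Stand-alone demonstration in a scratch directory; a real deployment would
# use a root-owned location such as /root/ipa-secrets (hypothetical path).
demo() {
    scratch=$(mktemp -d)
    ensure_secret "$scratch/dm_password"
    ensure_secret "$scratch/admin_password"
    secret_ok "$scratch/dm_password" && secret_ok "$scratch/admin_password"
    # The install command is assembled on the host. A manifest would carry
    # only this command line, never the secret values. Echoed, not run.
    echo "would run: ipa-server-install --ds-password=<dm_password> --admin-password=<admin_password>"
    rm -rf "$scratch"
}

demo
```

A manifest that runs such a generator through an exec resource guarded by a creates-style check gets the same idempotency as ensure_secret, and the catalog sent from the puppet master contains the command, not the password; whether puppet-ipa does exactly this is not stated in the thread and is not claimed here.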
