[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] ipa-getkeytab automation



Doug Chapman wrote:
Can anyone give me some tips or document links on client deployment automation (I'm using puppet) to update the /etc/krb5.keytab file?

I'm using IPA 1.2.2 on Centos5 and it seems the direct approach is to script the creation of the service principles (ipa-addservice) and extract all of the keytabs into puppet deployed files. Is there anything I'm missing?

The ipa-addservice would require a human to login with a valid ticket in order to work; is there any way I could create a service account with limited permissions to allow an application to populate the Directory with new hosts from an external source (eg: cobbler, or a database of hosts) ?


As Dmitri said, we're addressing this in v2. It requires a fair bit of work to get this done, mostly in the area of writing 389-ds ACIs.

Off the top of my head I guess the way I'd approach is create a service principal used for creating other principals. You need an ACI granting add access to this principal to create other principals. And you'd need an ACI granting write privileges to the krb* attributes so you can use ipa-getkeytab to generate and retrieve a keytab.

But you're probably better off giving v2 a look-see.

rob


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]