[Freeipa-users] Automatic client enrollment
Dmitri Pal
dpal at redhat.com
Sat Mar 21 17:50:49 UTC 2015
On 03/21/2015 05:53 AM, Prasun Gera wrote:
> Is it possible to completely automate the client enrollment process
> similar to securenets in NIS? I'm trying to migrate NIS to IDM, and
> hoping that it runs largely in auto-pilot mode. The kickstarter method
> suggests adding host entries with a one time kerberos password to
> launch unattended client installs. That, however, needs the admin's
> involvement every time a new host has to be added. Securenets works
> pretty well in our case since we can authenticate based on the IP
> address. User addition is still manual, but that's all right since
> that is infrequent. Is it possible to do something similar using IP
> masks or fqdn regex in ipa ?
>
>
No, but if you trust your network you can create a host admin that would
have the host add privilege and host enroll privilege and nothing else
and use this admin.
IMO it would be a nice enhancement to have a way to restrict such
enrollments to specific subnets. The logic on the server would be
something like this:
Enrollment request comes in
If host entry there?
Yes - follow the current logic
Check user privileges
<Check that the client is coming from one of the given IPA ranges> <-new
Enroll
Would you mind filing an RFE if this approach would work for you?
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
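
Added example, not part of the original message and not FreeIPA code: a sketch of the enrollment decision flow proposed above, including the new source-range check. It assumes the range check applies when no host entry exists yet; `ALLOWED_RANGES`, `NEEDED`, `Request`, `in_allowed_ranges` and `decide` are hypothetical names, and the ranges are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample ranges (assumption); a deployment would supply its own.
ALLOWED_RANGES = ("10.20.0.0/16", "2001:db8:42::/48")
# Labels taken from the message wording, not real FreeIPA privilege names.
NEEDED = frozenset({"host add", "host enroll"})

@dataclass
class Request:
    client_ip: str            # source address as seen by the server
    host_entry_exists: bool   # host was pre-created by an administrator
    privileges: frozenset     # privileges of the enrolling principal

def in_allowed_ranges(client_ip, ranges=ALLOWED_RANGES):
    """True only if client_ip parses and falls inside one allowed network."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False          # unparsable source address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    for cidr in ranges:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            return True
    return False

def decide(req):
    """Return the outcome of the proposed enrollment flow for one request."""
    if req.host_entry_exists:
        return "current-logic"          # existing flow stays unchanged
    if not NEEDED <= req.privileges:
        return "deny: privileges"
    # New step: the address is only as trustworthy as the network path
    # (NAT and proxies hide the real client), hence "if you trust your network".
    if not in_allowed_ranges(req.client_ip):
        return "deny: source range"
    return "enroll"

if __name__ == "__main__":
    for r in (Request("10.20.5.9", False, NEEDED),
              Request("192.0.2.7", False, NEEDED),
              Request("10.20.5.9", False, frozenset({"host enroll"}))):
        print(r.client_ip, sorted(r.privileges), "->", decide(r))
```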