
FreeIPA with Puppet


Huit/puppet-ipa

Huit/ipa

#2586 ([RFE] add support for storing puppet node information in IdM / freeIPA) – freeipa

[RFE] add support for storing puppet node information in IdM / freeIPA (Red Hat Enterprise Linux 7). Customers would like to leverage IPA to store puppet node information.

Change History: Changed 2 years ago by dpal: affects_cli set to 0; testsupdated set to 0; tests set to 0; Patch posted for review unset; Affects Documentation unset; Milestone changed from Backlog to 3.2 Backlog; candidate_to_defer set to 0. Changed 2 years ago by dpal: feature set to Puppet Integration. Changed 11 months ago by lroot: Status changed from new to assigned; design_review set to 0; Owner changed from someone to lroot; Cc lroot@… added. Changed 3 months ago by mkosek.

The Technical Blog of James

Using the FreeIPA PKI with Puppet

At my current employer, I’ve set up FreeIPA to deal with the whole DNS/LDAP/Kerberos/PKI kerfuffle. At previous firms I’ve done a DIY setup for this: CentOS 5, tied into OpenLDAP, MIT Kerberos, and Cobbler—which required I backport OpenLDAP 2.4 and the version of MIT Kerberos that’s capable of using LDAP as a backend database to CentOS 5. On the SSL side, I let Puppet manage its own PKI and just used gnoMint for service certificates. It worked pretty well, but I never got around to writing a web GUI that was supposed to sit in front of all of it—mainly because FreeIPA already existed and I secretly wished it would use OpenLDAP rather than FedoraDS (since renamed to “389”).

Alas, three years later and it still hasn’t happened, and now I’m at another new financial industry startup. I could screw around for a few months getting OpenLDAP, Kerberos, Puppet, SSSD, and Foreman all talking together, or I could set up FreeIPA.

Using IPA's CA for Puppet

Purpleidea/puppet-ipa

Plan: FreeIPA and OpenShift Enterprise integration with Puppet

This is a draft - the project is not yet complete - not even sure if it will work.

Problem Definition: Currently, there is no easy way to implement an internal cloud with OpenShift Enterprise on RHEL/Fedora systems that can seamlessly integrate with IPA.

Hope to Achieve: Provide a way for current or potential enterprise RHEL/Fedora + IPA users to easily implement an internal cloud using OpenShift technology. To make a Puppet module to configure and manage the state of an OpenShift cloud implementation that integrates with an IPA instance.

Deliverables

Modules tagged freeipa

Playing with FreeIPA and puppet

So I just rolled a new vm to hack around with FreeIPA. Here are some things that I’ve come across so far. I was planning on configuring LDAP and Kerberos manually, but the included webui looks like a lovely tool to have for the data entry, user administrator type who likes to click on things. Let’s explore…

/etc/hosts: FreeIPA is choosy about how your /etc/hosts is formatted.

192.168.123.7 ipa.example.com ipa

Obviously replace with your own values. The host name ipa.example.com does not match the primary host name ipa.

I had to dive into the source to figure this one out!

Webui: I’m in hack mode, and my laptop (hack station) is not participating in the domain that I’m pretending to manage.

$ ssh root@ipa -L 1443:localhost:443

but when attempting to try the webui:

$ firefox

I get redirected to the official fqdn, and at port 443. As user ab in #freeipa kindly pointed out:

01:21 < ab> primary authentication method of web ui is Kerberos.

Which is a good point. And run ssh as root (very bad!)

James.