On Tue, 27 Mar 2018, David Harvey via FreeIPA-users wrote:
Dear list,
I'm currently tinkering with adding host attributes (as custom attrs, or
for the moment into the description field). My intention is to then read
these from the host in order to define some local behaviour for scripts or
puppet.
Example - a concept of machine ownership, or device class for local scripts
or puppet to know about.
The two ways I've thought of so far entail
- having the CLI tools installed to run IPA commands, or
- kinit -kt /etc/krb5.keytab followed by ldapsearch to read in the parts
I'm interested in.
It occurred to me that sssd or some other components I understand less well
might already be able to trivially read the host data IPA holds, or that
the kinit might not be needed given the machine can already read out getent
parts direct from LDAP/IPA values with a non network account in use.
Any ideas or suggestion around this so I don't reinvent the wheel?

While SSSD can be taught to read user-specific attributes by adding them
in the configuration, the same cannot be done for host-specific
attributes. So you are back to those two methods you outline above.
One note is that you'd need to add permissions to be able to read the
attributes we don't explicitly allow for services/host principals. See
https://vda.li/en/posts/2016/08/30/Creating-permissions-in-FreeIPA/ for
details on how to achieve that. For plugin examples look at my
github.com/abbra/ page for freeipa-* plugin repos.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
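
The keytab-plus-ldapsearch method discussed in this thread, as an added example that is not part of the original messages or of FreeIPA itself. Assumptions: the default FreeIPA host DN layout, a suffix and server name passed in by the caller, `userClass` as an illustrative attribute, and a permission already granting the host principal read access to the attribute requested.

```shell
#!/bin/sh
# Added example, not from the thread. Function names here are hypothetical.

# DN of a host entry, assuming the default FreeIPA layout:
# fqdn=<host>,cn=computers,cn=accounts,<suffix>
host_dn() {
    printf 'fqdn=%s,cn=computers,cn=accounts,%s\n' "$1" "$2"
}

# Print the values of attribute $1 from unwrapped LDIF on stdin.
# "attr: v" is a plain value; "attr:: v" is base64 and is decoded.
ldif_attr() {
    want=$1
    while IFS= read -r line; do
        case $line in
            "${want}:: "*) val=${line#"${want}:: "}
                           printf '%s' "$val" | base64 -d; echo ;;
            "${want}: "*)  val=${line#"${want}: "}
                           printf '%s\n' "$val" ;;
        esac
    done
}

# Constructed LDIF (not real server output) exercising both value forms.
sample_ldif() {
    printf '%s\n' \
        'dn: fqdn=client1.example.test,cn=computers,cn=accounts,dc=example,dc=test' \
        'description: owner=alice' \
        'userClass:: a2lvc2s='
}

# Live lookup for this host: $1 attribute, $2 IPA suffix, $3 IPA server.
# The body is a subshell, so the throwaway credential cache never leaks
# into the caller's environment and root's default cache is left alone.
read_host_attr() (
    fqdn=$(hostname -f)
    KRB5CCNAME=FILE:$(mktemp) || exit 1
    export KRB5CCNAME
    trap 'kdestroy -q' EXIT          # drop the host TGT when done
    kinit -k -t /etc/krb5.keytab "host/$fqdn" || exit 1
    ldapsearch -LLL -Q -o ldif-wrap=no -Y GSSAPI -H "ldap://$3" \
        -s base -b "$(host_dn "$fqdn" "$2")" "$1" | ldif_attr "$1"
)
```

Run as root on an enrolled client, for example `read_host_attr description dc=example,dc=test ipa.example.test`; an empty result with no error usually means the host principal lacks read permission on that attribute.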