On 11/2/19 6:04 AM, TomK via FreeIPA-users wrote:
Hey All,
Given a line like this:
ipa-client-install --force-join -p admin -w "*********" --fixed-primary
--server=idmipa01.nix.mds.xyz --server=idmipa02.nix.mds.xyz
--domain=nix.mds.xyz --realm=NIX.MDS.XYZ -U
1) Is there a way to pull the password from a safe store before passing
it in or pull from a safe store directly?
or
2) Can I specify an unprivileged user to register with?
or
3) Register without the use of a password?
Hi,
there are multiple ways to authenticate when installing a client:
- using the admin user/pwd as you wrote above
- using a different user, with Enrollment Administrator Role.
- using a random one-time password pre-generated on the server
- using client principal from the previous enrollment
Please see the chapter "An overview of the Identity Management client
installation options" [1] for more details.
If you don't want to disclose the admin password, the preferred method
would be the one-time password:
1- pre-create the host entry with $ ipa host-add client.domain.com --random
This command must be run on a machine already enrolled (for
instance the server) and needs an authenticated user with the IT
Specialist role or part of the admins group. The output of the command
provides the random password.
2- Use this random password in $ ipa-client-install --password pwd
This command can be run by any user on the machine to be enrolled,
provided he knows the random password.
HTH,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
Looking to register clients in ways that don't reveal any account
passwords with which the registration occurred.
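The two-step one-time-password flow flo describes, scripted as an added example (this is not code from the thread or from the FreeIPA project). It assumes: the "Random password:" line that `ipa host-add <fqdn> --random` prints, a root-owned store directory of mode-0600 files as the "safe store" TomK asked about, placeholder host and realm names, and an IPA_CLIENT_INSTALL environment hook (my own convention, not an ipa-client-install feature) so the enrollment step can be exercised without a real IdM server. The OTP is single-use and bound to one host entry, so it is far less sensitive than the admin password, but it is still removed from the store once enrollment succeeds.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA-users thread. Wraps the OTP enrollment
# steps from the reply: an admin runs `ipa host-add <fqdn> --random` on an
# enrolled machine, the random password goes into a restricted file, and the
# client reads it from there for `ipa-client-install --password`.
set -u

# Constructed sample of `ipa host-add client.nix.mds.xyz --random` output
# (format as recalled from the ipa CLI; the password value is made up).
SAMPLE_HOST_ADD_OUTPUT='--------------------------------------
Added host "client.nix.mds.xyz"
--------------------------------------
  Host name: client.nix.mds.xyz
  Random password: EXAMPLE-otp-NotARealSecret
  Principal name: host/client.nix.mds.xyz@NIX.MDS.XYZ
  Password: True
  Keytab: False
  Managed by: client.nix.mds.xyz'

# Step 1 helper (server side). Reads `ipa host-add ... --random` output on
# stdin and prints only the random password, so it can be piped into a store
# rather than read off the terminal.
extract_otp() {
    sed -n 's/^[[:space:]]*Random password:[[:space:]]*//p' | head -n 1
}

# Write the OTP for one host into the store as a 0600 file. umask is changed
# inside a subshell so the caller's umask is left alone.
store_otp() {
    fqdn=$1; otp=$2; store=$3
    [ -n "$otp" ] || { echo "store_otp: empty OTP for $fqdn" >&2; return 1; }
    ( umask 077; mkdir -p "$store"; printf '%s\n' "$otp" > "$store/$fqdn.otp" )
}

# Step 2 helper (client side). Refuses a secret file that is readable by
# anyone but its owner, reads the OTP, and runs ipa-client-install with it.
# Extra arguments (e.g. --realm=..., --domain=..., --server=...) are passed
# through. IPA_CLIENT_INSTALL is an assumed hook used only for testing.
enroll_with_otp() {
    fqdn=$1; store=$2; shift 2
    otp_file="$store/$fqdn.otp"
    # `find -perm 600` matches only an exact 0600 mode (POSIX find)
    find "$otp_file" -perm 600 2>/dev/null | grep -q . || {
        echo "enroll_with_otp: $otp_file missing or not mode 0600" >&2
        return 1
    }
    otp=$(head -n 1 "$otp_file")
    if "${IPA_CLIENT_INSTALL:-ipa-client-install}" --hostname="$fqdn" \
            --password="$otp" --unattended "$@"; then
        rm -f "$otp_file"   # OTP consumed by the server; drop the local copy
        return 0
    else
        rc=$?
        echo "enroll_with_otp: enrollment failed (rc=$rc); OTP file kept for retry" >&2
        return "$rc"
    fi
}
```

Usage on the server: `ipa host-add client.nix.mds.xyz --random | extract_otp | xargs -I{} sh -c '. ./otp.sh; store_otp client.nix.mds.xyz {} /root/ipa-otp'`, then copy the resulting file to the client over an authenticated channel and run `enroll_with_otp client.nix.mds.xyz /root/ipa-otp --realm=NIX.MDS.XYZ --domain=nix.mds.xyz --server=idmipa01.nix.mds.xyz` there. Note that `--password` still appears in the installer's argument list for the duration of the run, which is visible to local users via the process table; the one-time, single-host nature of the OTP is what keeps that exposure harmless, whereas the admin password in the original command line would not be.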