Two projects that I'm really loving at the moment are The Foreman and FreeIPA. The Foreman is a lifecycle management tool for physical and virtual servers (think Cobbler on PCP), and FreeIPA provides central authentication: directory services, Kerberos, policy enforcement, and a PKI infrastructure. Why not glue them together? This is my first attempt, and it's all a bit manual and unpolished. There's an effort to get this integration into the Foreman Smart Proxy itself.
All of the scripts here are in a Github Gist.
The goals here are:
- Foreman authenticates against FreeIPA
- Signed Certificates for Foreman, Puppetmaster, and Clients
- New Hosts automatically register to IPA and get a signed certificate
- A host gets deleted from IPA when it is deleted from Foreman
Prerequisites:
- Installed Foreman Server on a Red Hat-based distro (RHEL, CentOS, Fedora, et al.)
- Foreman server is registered to FreeIPA
- Installed FreeIPA (or Red Hat IdM) Server
Foreman LDAP Authentication
End Goal: Users can log in to the Foreman using FreeIPA credentials. Individual access rights still need to be granted in the Foreman GUI itself, though. Based on the FreeIPA Ejabberd Integration Guide.
- Create a foreman.ldif file, replacing dc=bitbin,dc=de with your DN, and providing an appropriately secure password:
- Import the LDIF (change localhost to an IPA server if needed), you'll be prompted for your Directory Manager password:
- Add an IPA group for foreman_users (optional):
- Now log in to the Foreman as an Admin and click on "LDAP Authentication" under More/Users. Then click New LDAP Source and fill in the details, changing DNs where appropriate to your own domain:
- Server: astriaporta.bitbin.de
- Port: 636
- TLS: checked
- Account username: uid=foreman,cn=sysaccounts,cn=etc,dc=bitbin,dc=de
- Account password: 8j926SEpcOvM0WLI
- Base DN: cn=accounts,dc=bitbin,dc=de
- Filter (optional): (memberOf=cn=foreman_users,cn=groups,cn=accounts,dc=bitbin,dc=de)
- Automatically create accounts in the Foreman: checked
- LDAP mappings: as in the examples given.
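The LDIF and the checks behind the steps above, as an added example (this is not the post's foreman.ldif or any code from the Gist). It writes the FreeIPA system account under cn=sysaccounts,cn=etc, imports it as Directory Manager, adds the optional group, and then binds as the new account over LDAPS and runs exactly the search the Foreman's LDAP source will run, so a misconfigured filter or an untrusted CA shows up before you touch the GUI. The base DN, server name and group name are taken from the post's own values and are assumptions for your domain; the bind password comes from the FOREMAN_BIND_PW environment variable rather than the file.

```shell
#!/bin/sh
# Added example (not from the original post or its Gist): create the FreeIPA
# system account the Foreman binds with, import it, and verify the bind over
# LDAPS. The DN, server and group below are the post's values (assumptions).
# LDAPS needs the IPA CA trusted by the ldap client; on an IPA-enrolled host
# ipa-client-install already sets TLS_CACERT /etc/ipa/ca.crt in ldap.conf.

BASE_DN="${BASE_DN:-dc=bitbin,dc=de}"
IPA_SERVER="${IPA_SERVER:-astriaporta.bitbin.de}"
FOREMAN_GROUP="${FOREMAN_GROUP:-foreman_users}"

# LDIF for a non-human bind account. cn=sysaccounts,cn=etc is the FreeIPA
# location for such accounts; they are not users, cannot log in anywhere else,
# and have no password expiry by default (hence the far-future timestamp).
foreman_sysaccount_ldif() {
    _uid="$1"; _base="$2"; _pw="$3"
    cat <<EOF
dn: uid=${_uid},cn=sysaccounts,cn=etc,${_base}
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ${_uid}
userPassword: ${_pw}
passwordExpirationTime: 20380119031407Z
nsIdleTimeout: 0
EOF
}

# The member filter used in the Foreman LDAP source: only members of the group
# may log in, so not every IPA user automatically becomes a Foreman user.
foreman_member_filter() {
    printf '(memberOf=cn=%s,cn=groups,cn=accounts,%s)' "$1" "$2"
}

# Import as Directory Manager (ldapmodify prompts for that password with -W).
import_sysaccount() {
    foreman_sysaccount_ldif foreman "$BASE_DN" "$FOREMAN_BIND_PW" |
        ldapmodify -x -H "ldaps://${IPA_SERVER}" -D 'cn=Directory Manager' -W
}

# Bind as the new account (prompted for its password, so it never lands in ps
# output) and run the same base/filter the Foreman will use.
verify_bind() {
    ldapsearch -x -H "ldaps://${IPA_SERVER}" \
        -D "uid=foreman,cn=sysaccounts,cn=etc,${BASE_DN}" -W \
        -b "cn=accounts,${BASE_DN}" \
        "$(foreman_member_filter "$FOREMAN_GROUP" "$BASE_DN")" uid
}

if [ "${1:-}" = "apply" ]; then
    : "${FOREMAN_BIND_PW:?set FOREMAN_BIND_PW in the environment}"
    import_sysaccount
    ipa group-add "$FOREMAN_GROUP" --desc='Users allowed to log in to the Foreman'
    verify_bind
fi
```

Run it with `FOREMAN_BIND_PW=... sh foreman-ldap.sh apply` on a host with a Kerberos ticket (for `ipa group-add`). If `verify_bind` returns no entries, add a user to the group first; if it fails with a TLS error, the IPA CA is not trusted by the LDAP client, and the Foreman will fail the same way on port 636.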
FreeIPA Certs for Foreman + Puppet
End Goal: Foreman and the Puppetmaster use certificates from the FreeIPA server.
- Backup the existing SSL directory:
- Make the appropriate directory structure:
- For the next steps you need to have a Kerberos ticket for a user with sufficient privileges (e.g. admin).
- Create the service principal:
- Request certificates from the IPA server
- Check on the request, you should see the status as MONITORING if successful:
- Copy the IPA CA.cert:
- Take a peek in the SSL directories, and you'll see our new certs:
- Make sure permissions are sensible:
- Edit /etc/puppet/puppet.conf:
- Add to [main]:
- In [master], change:
- Restart httpd (Foreman-configured Puppet runs in Passenger):
- Browse to the Foreman, and you should see it using the new SSL certificates signed by your IPA CA. Ideally you should import the IPA CA.crt on your local box and trust it.
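The certificate steps above, carried through as an added example (this is my script, not the post's commands or the Gist). It creates the service principal, asks certmonger via ipa-getcert to issue and track a certificate into Puppet's SSL layout, polls `ipa-getcert list` until the request reaches MONITORING instead of assuming it did, and finally verifies the issued certificate against /etc/ipa/ca.crt with openssl as an independent check. The hostname, the HTTP/ service principal and the /var/lib/puppet/ssl paths are assumptions; the `ipa-getcert list` text embedded below is a constructed sample used only to exercise the parser.

```shell
#!/bin/sh
# Added example (not the post's or the Gist's code): request IPA-signed certs
# for the Foreman/Puppetmaster with certmonger, wait for MONITORING, and verify
# the chain. Needs a Kerberos ticket for a user allowed to add services.
# Hostname, principal and paths are assumptions following the post's layout.

FQDN="${FQDN:-$(hostname -f 2>/dev/null || echo foreman.example.test)}"
SSLDIR="${SSLDIR:-/var/lib/puppet/ssl}"
IPA_CA="/etc/ipa/ca.crt"

# Constructed sample of `ipa-getcert list` output (two tracked requests), used
# to demonstrate cert_status offline; real output has the same layout.
SAMPLE_GETCERT_LIST="Number of certificates and requests being tracked: 2.
Request ID '20130901120000':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/lib/puppet/ssl/private_keys/foreman.bitbin.de.pem'
  certificate: type=FILE,location='/var/lib/puppet/ssl/certs/foreman.bitbin.de.pem'
  CA: IPA
  issuer: CN=Certificate Authority,O=BITBIN.DE
  subject: CN=foreman.bitbin.de,O=BITBIN.DE
  expires: 2015-09-01 12:00:00 UTC
Request ID '20130901120001':
  status: CA_UNREACHABLE
  stuck: yes
  key pair storage: type=FILE,location='/var/lib/puppet/ssl/private_keys/other.bitbin.de.pem'
  certificate: type=FILE,location='/var/lib/puppet/ssl/certs/other.bitbin.de.pem'
  CA: IPA"

# Print the status of the tracked request whose certificate lives at the given
# path. certmonger prints "status:" before "certificate:" within each request
# block, so we remember the last status seen and emit it on the matching path.
cert_status() {
    _list="$1"; _certfile="$2"
    printf '%s\n' "$_list" | awk -v want="$_certfile" '
        /^Request ID/ { status = "" }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*certificate:/ && index($0, want) { print status; exit }
    '
}

# Ask certmonger to obtain and renew a cert for the service principal, keeping
# the private key in Puppet's private_keys directory.
request_cert() {
    ipa-getcert request -K "$1" \
        -k "${SSLDIR}/private_keys/${FQDN}.pem" \
        -f "${SSLDIR}/certs/${FQDN}.pem" \
        -N "CN=${FQDN}"
}

# Poll until MONITORING (issued and tracked). Any other final state
# (CA_UNREACHABLE, CA_REJECTED, NEED_GUIDANCE) means read `ipa-getcert list`.
wait_for_cert() {
    _certfile="$1"; _tries="${2:-30}"; _s=""
    while [ "$_tries" -gt 0 ]; do
        _s="$(cert_status "$(ipa-getcert list)" "$_certfile")"
        [ "$_s" = "MONITORING" ] && return 0
        _tries=$((_tries - 1)); sleep 2
    done
    echo "certificate $_certfile not issued (last status: ${_s:-none})" >&2
    return 1
}

# Independent check: the issued cert must chain to the IPA CA we are about to
# hand Puppet as ca.pem.
verify_chain() { openssl verify -CAfile "$IPA_CA" "$1"; }

if [ "${1:-}" = "apply" ]; then
    mkdir -p "${SSLDIR}/private_keys" "${SSLDIR}/certs"
    ipa service-add "HTTP/${FQDN}"
    request_cert "HTTP/${FQDN}"
    wait_for_cert "${SSLDIR}/certs/${FQDN}.pem"
    cp "$IPA_CA" "${SSLDIR}/certs/ca.pem"
    verify_chain "${SSLDIR}/certs/${FQDN}.pem"
    chown -R puppet:puppet "$SSLDIR"
    chmod 600 "${SSLDIR}/private_keys/${FQDN}.pem"
fi
```

Because certmonger keeps tracking the request, renewal happens without you: the cert in `${SSLDIR}/certs` is replaced in place before expiry, and httpd only needs a reload to pick it up.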
Creating IPA User with Right Permissions
A previous version of this guide called this user "foreman" - don't do that, it'll interfere with upgrading later, as the RPM packaging expects to use a local user named "foreman."
- Create the user:
- Grant host enrollment privileges:
- We need to modify the Host Enrollment role to actually allow the Foreman user to add brand new hosts and delete them too -- so Foreman can completely manage the machine lifecycle.
- Change the foreman password after the first time:
Registration at Provision-Time
The idea here is that our machines, when Foreman creates them, are automatically registered to FreeIPA with a one-time password, and if later deleted in the Foreman, they are removed from FreeIPA too. Hosts also get an SSL certificate signed by the FreeIPA server to talk to Puppet. The flow looks like this:
Configuring the Create/Destroy Hook
Grab the scripts from the Github Gist.
- On Foreman, install the hooks gem:
- And make the directory structure we need:
- Put foreman-ipa into /etc/sysconfig/ with the right permissions.
- Configure /etc/sysconfig/foreman-ipa.
- Put 10_integrate_freeipa.sh into /usr/share/foreman/config/hooks/host/managed/create and create a symlink to destroy and after_commit:
- Restart foreman to get it to notice the new hooks:
- Take a look at the logs to make sure the hooks were registered; look in /var/log/foreman/production.log:
- The last step in this is integrating into your provisioning template. You'll need to get ipa-client installed in your packages list, and remove the other puppet registration thingy from the Foreman. I have a snippet that looks like this:
- When the machine boots it will use one-time password authentication with FreeIPA and grab an SSL certificate for use with Puppet. And you get the bonus that when you delete the machine in Foreman, it gets deleted in IPA too.
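A create/destroy hook in the shape foreman_hooks expects, as an added example: it is not the Gist's 10_integrate_freeipa.sh, and it reacts only to the create and destroy events (the post also links the script into after_commit). foreman_hooks runs a hook as `script <event> <object name>` with the host's JSON on stdin. On create the hook adds the host to IPA with `ipa host-add --random`, pulls the one-time password out of the CLI output and stores it as a Foreman host parameter for the provisioning template to hand to `ipa-client-install --password`; on destroy it removes the host. The variable names read from /etc/sysconfig/foreman-ipa, the keytab-based login as the dedicated IPA user from the section above, and the use of `hammer host set-parameter` to store the OTP are all assumptions of this example.

```shell
#!/bin/sh
# Added example of a Foreman host hook (not the Gist's 10_integrate_freeipa.sh).
# Invoked by foreman_hooks as: <script> <event> <host fqdn>, host JSON on stdin.
# Settings from /etc/sysconfig/foreman-ipa; these names are assumptions:
#   IPA_PRINCIPAL  the dedicated IPA user with the Host Enrollment role
#   IPA_KEYTAB     keytab for that user (ipa-getkeytab), readable only by foreman
#   OTP_PARAM      host parameter that carries the OTP (default: ipa_otp)
# Storing the OTP with hammer is an assumption; the Gist may use the REST API.

CONF="${FOREMAN_IPA_CONF:-/etc/sysconfig/foreman-ipa}"
[ -r "$CONF" ] && . "$CONF"
OTP_PARAM="${OTP_PARAM:-ipa_otp}"
# Private credential cache: hooks run as the foreman user under Passenger.
export KRB5CCNAME="FILE:${KRB5CC_DIR:-/tmp}/krb5cc_foreman-ipa"

log() { logger -t foreman-ipa "$*" 2>/dev/null || echo "foreman-ipa: $*" >&2; }

# Thin wrappers so the IPA CLI and the parameter store can be swapped out for
# a dry run or a test without touching the logic below.
ipa_cmd() { ipa "$@"; }
store_otp() { hammer host set-parameter --host "$1" --name "$OTP_PARAM" --value "$2"; }

# The hostname arrives from a web form: accept only a plain FQDN before it is
# passed to any command.
valid_fqdn() {
    case "$1" in
        *[!A-Za-z0-9.-]*|""|.*|*.|*..*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Keytab login: no password on the command line or in the environment.
ipa_login() { kinit -kt "$IPA_KEYTAB" "$IPA_PRINCIPAL"; }

# `ipa host-add --random` prints a line "  Random password: <otp>".
otp_from_output() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Random password: *//p' | head -n 1
}

register_host() {
    _out="$(ipa_cmd host-add "$1" --random)" || { log "host-add $1 failed"; return 1; }
    _otp="$(otp_from_output "$_out")"
    [ -n "$_otp" ] || { log "no OTP returned for $1"; return 1; }
    store_otp "$1" "$_otp"
}

unregister_host() {
    ipa_cmd host-del "$1" || log "host-del $1 failed (already gone?)"
}

hook_dispatch() {
    _event="$1"; _host="$2"
    valid_fqdn "$_host" || { log "refusing suspicious hostname '$_host'"; return 1; }
    case "$_event" in
        create)  register_host "$_host" ;;
        destroy) unregister_host "$_host" ;;
        *)       log "event $_event ignored for $_host" ;;
    esac
}

# Only act when called as a hook (event and host name as the two arguments).
if [ $# -eq 2 ]; then
    cat >/dev/null      # drain the host JSON on stdin; not needed here
    ipa_login && hook_dispatch "$1" "$2"
fi
```

Two things worth knowing when you deploy it: the OTP is readable by anyone who can view that host's parameters in the Foreman until enrollment consumes it, which is why the IPA user should hold only the (extended) Host Enrollment role and nothing broader; and a failed `host-del` is logged rather than fatal, so deleting a host in the Foreman that was already removed from IPA by hand does not leave the Foreman transaction stuck.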