forked from theforeman/smart-proxy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathforeman-prepare-realm
executable file
·74 lines (56 loc) · 3.24 KB
/
foreman-prepare-realm
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
#!/bin/bash
# Creates an IPA user with the minimum set of permissions
# needed for the Foreman FreeIPA Smart Proxy
usage() { cat <<EOF
Usage: $0 <admin username> <realm proxy user>
Foreman prepare realm prepares a FreeIPA or Red Hat Identity Management server
for use with the Foreman Smart Proxy. It creates a dedicated role with the
permissions needed for Foreman, creates a user with that role, and retrieves
the keytab file.
EOF
exit 1
}
die() { echo "$@" 1>&2; exit 1; }
[ -e /usr/bin/ipa ] || die "ipa-admintools not found."
[ -e /etc/ipa/default.conf ] || die "/etc/ipa/default.conf not found: please register system using ipa-client-install"
[ ! -z $1 ] || usage
[ ! -z $2 ] || usage
SERVER=$(grep '^server\s*=' /etc/ipa/default.conf | cut -f2 -d"=")
if ipa --version 2>&1 | grep -q 'VERSION'
then
PERMISSION_SYSTEM=v2
else
PERMISSION_SYSTEM=v1
fi
if [ -z $SERVER ];
then
SERVER=$(grep host /etc/ipa/default.conf | cut -f2 -d"=")
fi
kinit $1 || die "Could not get kerberos credentials"
ipa privilege-add 'Smart Proxy Host Management' --desc='Smart Proxy Host Management'
if [ "$PERMISSION_SYSTEM" == "v1" ];
then
ipa permission-add 'modify host password' --permissions='write' --type='host' --attrs='userpassword'
ipa permission-add 'write host certificate' --permissions='write' --type='host' --attrs='usercertificate'
ipa permission-add 'modify host userclass' --permissions='write' --type='host' --attrs='userclass'
ipa privilege-add-permission 'Smart Proxy Host Management' --permission='modify host password' --permission='write host certificate' \
--permission='modify host userclass' --permission='add hosts' --permission='remove hosts' --permission='modify host password' \
--permission='modify host userclass' --permission='modify hosts' --permission='revoke certificate' \
--permission='manage host keytab' --permission='write host certificate' --permission='retrieve certificates from the ca' \
--permission='modify services' --permission='manage service keytab' --permission='read dns entries' \
--permission='remove dns entries' --permission='add dns entries' --permission='update dns entries'
else
ipa permission-add 'Add Host Enrollment Password' --permission='add' --type='host' --attrs='userpassword'
ipa privilege-add-permission 'Smart Proxy Host Management' --permission='System: Manage Host Enrollment Password' \
--permission='System: Manage Host Certificates' --permission='System: Modify Hosts' --permission='System: Remove Hosts' \
--permission='System: Manage Host Keytab' --permission='Retrieve Certificates from the CA' --permission='System: Modify Services' \
--permission='System: Manage Service Keytab' --permission='System: Add DNS Entries' --permission='System: Update DNS Entries' \
--permission='System: Remove DNS Entries' --permission='System: Read DNS Entries' --permission='Add Host Enrollment Password'
fi
ipa role-add 'Smart Proxy Host Manager' --desc='Smart Proxy management'
ipa role-add-privilege 'Smart Proxy Host Manager' --privilege='Smart Proxy Host Management'
ipa user-add $2 --first Smart --last Proxy
ipa role-add-member 'Smart Proxy Host Manager' --users=$2
ipa-getkeytab -s $SERVER -p $2 -k freeipa.keytab
echo "Realm Proxy User: $2"
echo "Realm Proxy Keytab: `pwd`/freeipa.keytab"