#!/bin/bash # Creates an IPA user with the minimum set of permissions # needed for the Foreman FreeIPA Smart Proxy usage() { cat < Foreman prepare realm prepares a FreeIPA or Red Hat Identity Management server for use with the Foreman Smart Proxy. It creates a dedicated role with the permissions needed for Foreman, creates a user with that role, and retrieves the keytab file. EOF exit 1 } die() { echo "$@" 1>&2; exit 1; } [ -e /usr/bin/ipa ] || die "ipa-admintools not found." [ -e /etc/ipa/default.conf ] || die "/etc/ipa/default.conf not found: please register system using ipa-client-install" [ ! -z $1 ] || usage [ ! -z $2 ] || usage SERVER=$(grep '^server\s*=' /etc/ipa/default.conf | cut -f2 -d"=") if ipa --version 2>&1 | grep -q 'VERSION' then PERMISSION_SYSTEM=v2 else PERMISSION_SYSTEM=v1 fi if [ -z $SERVER ]; then SERVER=$(grep host /etc/ipa/default.conf | cut -f2 -d"=") fi kinit $1 || die "Could not get kerberos credentials" ipa privilege-add 'Smart Proxy Host Management' --desc='Smart Proxy Host Management' if [ "$PERMISSION_SYSTEM" == "v1" ]; then ipa permission-add 'modify host password' --permissions='write' --type='host' --attrs='userpassword' ipa permission-add 'write host certificate' --permissions='write' --type='host' --attrs='usercertificate' ipa permission-add 'modify host userclass' --permissions='write' --type='host' --attrs='userclass' ipa privilege-add-permission 'Smart Proxy Host Management' --permission='modify host password' --permission='write host certificate' \ --permission='modify host userclass' --permission='add hosts' --permission='remove hosts' --permission='modify host password' \ --permission='modify host userclass' --permission='modify hosts' --permission='revoke certificate' \ --permission='manage host keytab' --permission='write host certificate' --permission='retrieve certificates from the ca' \ --permission='modify services' --permission='manage service keytab' --permission='read dns entries' \ --permission='remove dns entries' --permission='add dns entries' --permission='update dns entries' else ipa permission-add 'Add Host Enrollment Password' --permission='add' --type='host' --attrs='userpassword' ipa privilege-add-permission 'Smart Proxy Host Management' --permission='System: Manage Host Enrollment Password' \ --permission='System: Manage Host Certificates' --permission='System: Modify Hosts' --permission='System: Remove Hosts' \ --permission='System: Manage Host Keytab' --permission='Retrieve Certificates from the CA' --permission='System: Modify Services' \ --permission='System: Manage Service Keytab' --permission='System: Add DNS Entries' --permission='System: Update DNS Entries' \ --permission='System: Remove DNS Entries' --permission='System: Read DNS Entries' --permission='Add Host Enrollment Password' fi ipa role-add 'Smart Proxy Host Manager' --desc='Smart Proxy management' ipa role-add-privilege 'Smart Proxy Host Manager' --privilege='Smart Proxy Host Management' ipa user-add $2 --first Smart --last Proxy ipa role-add-member 'Smart Proxy Host Manager' --users=$2 ipa-getkeytab -s $SERVER -p $2 -k freeipa.keytab echo "Realm Proxy User: $2" echo "Realm Proxy Keytab: `pwd`/freeipa.keytab"