Place all hosts joined to IPA in a default group like users have (ipausers) - This would be useful for other features such as Bug 753614 - Enable PAM Home Directory Module by host group from UI
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2114
Automembership plugin delivers the functionality of configuring this. Converting the bug into doc bug to cover the steps on how the requested functionality can be accomplished with this feature.
Note that this is fine but we discarded this solution with users because it basically eliminates the fallback/default automember group/hostgroup. The default/fallback gets used only when no rules match. If a rule is created that guarantees to match anything then the default/fallback no longer applies. automember was created with hosts in mind so you could automatically associate machine-generated hostnames with hostgroups. The fallback/default was created to catch any that might be missed because of a bad regex.
Rob, the hosts do not have a default group. One has to configure the plugin and then the hosts will be placed into the groups. If you configure the plugin in a way that any host would match you get the functionality requested by this BZ. And as I wrote the statement above I realized that we probably tried to solve the problem with users in an incorrect way. I think we should remove the code that does automatic placement of the users into ipausers from IPA and have a default automember rule that would match any user to go into the ipausers group. This way the experience with existing deployments will be consistent, but new deployments can stop placing users into the ipausers group if they do not want to. Would that work, or am I missing something?
It just defeats the fallback/default in automember because we are guaranteeing that there will 100% of the time always be a match. So if you use automember for anything else and want a way to catch users/hosts that don't match existing criteria you're out of luck. I actually implemented this for users but we dropped it for this reason.
What I was requesting was a group that all hosts always belong to, that is not editable. If the group is a 'fall back group' then if a host is in any other group, it won't be in the all hosts group. For example, put all hosts in a group called ipahosts. When you add host A to a new group, it should still stay in ipahosts. I might want to define automount rules for all hosts using the all hosts group, sudoers using the all hosts group, then use smaller groups to define more sudoers, ssh access control, etc., but I still need the host to belong to the 'all hosts' group.
Here is how you can use automember to assign all hosts to a new hostgroup we create, allhosts. The magic here is in the inclusive regex we create that will match all new hosts.

First create the hostgroup:

# ipa hostgroup-add --desc="Default hostgroup" allhosts
--------------------------
Added hostgroup "allhosts"
--------------------------
  Host-group: allhosts
  Description: Default hostgroup

Create the automember rule:

# ipa automember-add --type=hostgroup allhosts
--------------------------------
Added automember rule "allhosts"
--------------------------------
  Automember Rule: allhosts

Add a condition to match all hosts to the rule:

# ipa automember-add-condition --type=hostgroup allhosts --inclusive-regex=^.* --key=fqdn
--------------------------------
Added condition(s) to "allhosts"
--------------------------------
  Automember Rule: allhosts
  Inclusive Regex: fqdn=^.*
----------------------------
Number of conditions added 1
----------------------------

Done, let's test:

# ipa host-add test.example.com
-----------------------------
Added host "test.greyoak.com"
-----------------------------
  Host name: test.example.com
  Principal name: host/test.example.com
  Password: False
  Keytab: False
  Managed by: test.example.com

Make sure it got added:

# ipa hostgroup-show allhosts
  Host-group: allhosts
  Description: Default hostgroup
  Member hosts: test.example.com
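The disagreement in the comments above is about what a catch-all rule does to the automember fallback group: the default group is applied only when no rule matches, so a rule whose inclusive regex is ^.* means the fallback is never reached. The following added example (not FreeIPA or 389-ds code, and not from any commenter) is a simplified Python model of the plugin's evaluation order (exclusive regex wins over inclusive, default group only when nothing matched) run over a few constructed hosts, plus a small check that compares the enrolled host list against the "Member hosts:" line of an `ipa hostgroup-show` output to spot hosts that were enrolled before the rule existed. The rule and host names and the pasted-output text are constructed for the example.

```python
"""Model of automember rule evaluation and a membership drift check.

This is an illustrative model, not the plugin's own code. It follows the
documented semantics: an entry is added to a rule's target group when it
matches an inclusive regex and no exclusive regex of that rule; the default
(fallback) group is used only when no rule matched at all.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    target: str                                   # hostgroup the rule feeds
    inclusive: dict = field(default_factory=dict)  # attribute -> [regex, ...]
    exclusive: dict = field(default_factory=dict)  # attribute -> [regex, ...]


def _matches(conditions, entry):
    """True if any regex in conditions matches the entry's attribute value."""
    for attr, patterns in conditions.items():
        value = entry.get(attr, "")
        if any(re.search(p, value) for p in patterns):
            return True
    return False


def evaluate(entry, rules, default_group=None):
    """Return the list of groups the entry would be placed into on ADD."""
    targets = []
    for rule in rules:
        if _matches(rule.exclusive, entry):   # exclusive regex takes precedence
            continue
        if _matches(rule.inclusive, entry):
            targets.append(rule.target)
    if not targets and default_group:          # fallback only when nothing matched
        targets.append(default_group)
    return targets


# Constructed rules: one for web hosts, one catch-all like the one in comment #10.
WEB_RULE = Rule("webservers", inclusive={"fqdn": [r"^web\d+\."]})
CATCH_ALL = Rule("allhosts", inclusive={"fqdn": [r"^.*"]})


def fallback_demo():
    """Show that with a catch-all rule the default group is never used."""
    hosts = [{"fqdn": "web01.example.com"}, {"fqdn": "db01.example.com"}]
    without = {h["fqdn"]: evaluate(h, [WEB_RULE], "unsorted") for h in hosts}
    with_all = {h["fqdn"]: evaluate(h, [WEB_RULE, CATCH_ALL], "unsorted") for h in hosts}
    return without, with_all


def parse_member_hosts(hostgroup_show_output):
    """Extract host names from the 'Member hosts:' line of ipa hostgroup-show."""
    for line in hostgroup_show_output.splitlines():
        line = line.strip()
        if line.startswith("Member hosts:"):
            members = line.split(":", 1)[1]
            return [m.strip() for m in members.split(",") if m.strip()]
    return []


def missing_from_group(enrolled_hosts, hostgroup_show_output):
    """Hosts enrolled in IPA but absent from the group (e.g. added before the rule)."""
    members = set(parse_member_hosts(hostgroup_show_output))
    return sorted(set(enrolled_hosts) - members)


# Constructed sample output, modelled on the hostgroup-show output in comment #10.
SAMPLE_SHOW = """  Host-group: allhosts
  Description: Default hostgroup
  Member hosts: test.example.com, web01.example.com
"""
SAMPLE_ENROLLED = ["test.example.com", "web01.example.com", "legacy.example.com"]


if __name__ == "__main__":
    print(fallback_demo())
    print(missing_from_group(SAMPLE_ENROLLED, SAMPLE_SHOW))
```

Running the drift check against real output means feeding it the host list from `ipa host-find` and the text of `ipa hostgroup-show allhosts`; anything it reports was enrolled before the rule was in place, since the plugin only acts when an entry is added.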
I think we should consider making this
- automatic upon install
- non-modifiable
- have an unmodifiable name and any other sort of identifier host groups use
so that other features and later add-ons should be able to expect that this group exists and always includes all hosts in the IPA domain.
Setting all priority and severity to medium.
I can't do comment #11 because that is a recommendation for engineering. I have the example from comment #10. http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/using-automembers-examples.html#creating-default-automembers
Checked in: http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6-Beta/html/Identity_Management_Guide/using-automembers-examples.html#creating-default-automembers

Red_Hat_Enterprise_Linux-Identity_Management_Guide-6-Beta-en-US-2.2.0-0.5

---

These strategies are mututally exclusive.
[typo] s/mututally/mutually

-----

[comment] Verified content from comment#10 visible in doc:

16.3.1. Setting an All Users/Hosts Rule

To add all users or all hosts to a single group, use an inclusive regular expression for some attribute (such as cn or fqdn) which all entries will contain. A regular expression to match all entries is simply ^.*. For example, to add all hosts to the same host group:

[jsmith@server ~]$ ipa automember-add-condition --type=hostgroup allhosts --inclusive-regex=^.* --key=fqdn
--------------------------------
Added condition(s) to "allhosts"
--------------------------------
  Automember Rule: allhosts
  Inclusive Regex: fqdn=^.*
----------------------------
Number of conditions added 1
----------------------------

Every host added after that is automatically added to the allhosts group:

[jsmith@server ~]$ ipa host-add test.example.com
-----------------------------
Added host "test.example.com"
-----------------------------
  Host name: test.example.com
  Principal name: host/test.example.com
  Password: False
  Keytab: False
  Managed by: test.example.com

[jsmith@server ~]$ ipa hostgroup-show allhosts
  Host-group: allhosts
  Description: Default hostgroup
  Member hosts: test.example.com

For more information on regular expression patterns, see the Java regex documentation.

--------------
Closing.