On Wed, Feb 2, 2011 at 17:02, Nigel Kersten <ni...@puppetlabs.com> wrote:
> On Wed, Feb 2, 2011 at 10:52 AM, Ashley Gould <ago...@ucop.edu> wrote:
>> On Mon, Jan 31, 2011 at 06:27:20PM -0800, Daniel Pittman wrote:
>>> In the longer term I would hope to have that information pushed out
>>> from the puppet system, so that if a node *should* be joined with
>>> centrifyDC puppet will make it so, but until then what you have is
>>> great.
>>
>> I have considered that option, but I'll need to learn to walk first.
>> What makes it difficult for puppet to manage this task is that the
>> centrifyDC tools require authorization as AD admin user to join a
>> node to AD.  This can be scripted, but I don't want to hardcode AD
>> admin passwords into puppet manifests.  Again, suggestions are very
>> welcome.
>
> Are you ok with keeping these credentials on disk at all? If so, you
> could feed the relevant join exec the data from local disk.
>
> Another alternative would be to set up an out-of-band process where
> the clients reuse their SSL certificates to make client-authenticated
> requests to a host that returns the relevant credentials only during
> the times when the node needs them.

For what it is worth, I "solved" a similar problem that we had by
doing it by hand.  We had sufficiently few rollouts where this
mattered that it was just easier to document that step required hand
action than to automate it and solve these security issues.

(Also, I went looking and found zero attempts to solve this in a
reusable, FOSS way, let alone working solutions.)

Regards,
    Daniel
-- 
⎋ Puppet Labs Developer – http://puppetlabs.com
✉ Daniel Pittman <dan...@puppetlabs.com>
✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
♲ Made with 100 percent post-consumer electrons
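As an added illustration of Nigel's first suggestion (keeping the join credential on local disk and feeding it to the join exec from there), here is a Puppet manifest. It is example code written for this page, not code from any participant in the thread or from Puppet Labs or Centrify. Everything specific is an assumption: the class name `centrify::join`, the domain `ad.example.com`, the service account `svc-join`, the credential path `/etc/centrifydc/join.pw`, and the idea that `adjoin -u USER -p PASSWORD DOMAIN` performs the join while `adinfo` exits non-zero on a host that is not yet joined.

```puppet
# Added example (not from this thread): keep the AD join password in a
# root-only file on the node and let the exec read it at run time, so the
# password never appears in a manifest, in the catalog, or in the report.
#
# Assumed (not stated in the thread): /usr/sbin/adjoin accepts
# "-u user -p password domain", and /usr/bin/adinfo exits non-zero when the
# host is not joined. Replace these with whatever your join tool provides.
class centrify::join (
  String $domain    = 'ad.example.com',          # placeholder AD domain
  String $join_user = 'svc-join',                # placeholder join account
  String $cred_file = '/etc/centrifydc/join.pw', # placeholder credential path
) {
  # The credential file is placed out of band (by hand, or by a separate
  # secrets mechanism). Puppet enforces ownership and mode only and never
  # manages the content, so the password is not shipped in the catalog.
  file { $cred_file:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0600',
    replace => false,   # never overwrite whatever was placed out of band
  }

  # Join only when the credential file is present and the host is not yet
  # joined; logoutput is off so the join tool's output (which may echo the
  # account) does not land in the Puppet report.
  exec { 'centrify-adjoin':
    command   => "/usr/sbin/adjoin -u ${join_user} -p \"$(cat ${cred_file})\" ${domain}",
    provider  => 'shell',
    onlyif    => "/usr/bin/test -s ${cred_file}",
    unless    => '/usr/bin/adinfo',
    logoutput => false,
    require   => File[$cred_file],
  }
}
```

Two caveats a practitioner would check before adopting this: the password is still expanded onto the command line, where it is briefly visible in the process table to other local users, so if the join tool can read the secret from stdin or a file, use that form instead; and the `unless` check must be a reliable "already joined" test, otherwise each Puppet run re-reads the credential and re-attempts the join. The approach also only removes the password from manifests, not from the node itself, which is the trade-off Nigel's question ("are you ok with keeping these credentials on disk at all?") is pointing at.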

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
