On Wed, Feb 2, 2011 at 5:10 PM, Daniel Pittman <dan...@puppetlabs.com> wrote:
> On Wed, Feb 2, 2011 at 17:02, Nigel Kersten <ni...@puppetlabs.com> wrote:
>> On Wed, Feb 2, 2011 at 10:52 AM, Ashley Gould <ago...@ucop.edu> wrote:
>>> On Mon, Jan 31, 2011 at 06:27:20PM -0800, Daniel Pittman wrote:
>>>> In the longer term I would hope to have that information pushed out
>>>> from the puppet system, so that if a node *should* be joined with
>>>> centrifyDC puppet will make it so, but until then what you have is
>>>> great.
>>>
>>> I have considered that option, but I'll need to learn to walk first.
>>> What makes it difficult for puppet to manage this task is that the
>>> centrifyDC tools require authorization as AD admin user to join a
>>> node to AD. This can be scripted, but I don't want to hardcode AD
>>> admin passwords into puppet manifests. Again, suggestions are very
>>> welcome.
>>
>> Are you ok with keeping these credentials on disk at all? If so, you
>> could feed the relevant join exec the data from local disk.
>>
>> Another alternative would be to set up an out-of-band process where
>> the clients reuse their SSL certificates to make client-authenticated
>> requests to a host that returns the relevant credentials only during
>> the times when the node needs them.
>
> For what it is worth, I "solved" a similar problem that we had by
> doing it by hand. We had sufficiently few rollouts where this
> mattered that it was just easier to document that step required hand
> action than to automate it and solve these security issues.
I've done this a few times too. Have a single class that the relevant chunks of your manifests depend upon, and then have a cluster of Execs that just check for the existence of this data on the local client. I kept wanting to be able to notify a notify resource so you could get a nice human-oriented error, but I don't think I worked out a good solution for that.

> (Also, I went looking and found zero attempts to solve this in a
> reusable, FOSS way, let alone working solutions.)

Yep. I've been dreaming of a Puppet-integrated Password Safe for a while :)

> Regards,
> Daniel
> --
> ⎋ Puppet Labs Developer – http://puppetlabs.com
> ✉ Daniel Pittman <dan...@puppetlabs.com>
> ✆ Contact me via gtalk, email, or phone: +1 (877) 575-9775
> ♲ Made with 100 percent post-consumer electrons

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
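The "gate class plus checking Execs" layout described in the reply above, written out as an added example (not code from the thread, from Puppet Labs or from Centrify). It assumes the AD join account's credentials are placed on the node out of band, at the assumed path /etc/centrifydc/join.cred with mode 0600, and that two assumed local helper scripts (adjoin-from-file, centrify-is-joined) wrap the Centrify tools so no secret ever appears in a manifest or catalog.

```puppet
# Added example, not from the thread. Assumed: the AD join credentials
# are delivered to the node out of band (by hand, or fetched over a
# client-certificate-authenticated channel as Nigel describes) as
# /etc/centrifydc/join.cred, owned by root, mode 0600, and are never
# written into a manifest. All paths and helper names below are assumed.

# Gate class: every resource that needs the credentials requires this.
class centrify::credentials {
  $credfile = '/etc/centrifydc/join.cred'

  # Passes silently when the file exists, is non-empty and is 0600 root;
  # otherwise it fails the run with a human-readable message, so the
  # join Execs that depend on this class never fire without their input.
  exec { 'centrify-credentials-present':
    provider  => shell,
    command   => "echo 'Refusing to continue: ${credfile} is missing, empty or not mode 0600 root; place it on the node first' >&2; exit 1",
    unless    => "test -s ${credfile} && find ${credfile} -maxdepth 0 -type f -perm 0600 -user root | grep -q .",
    logoutput => true,
  }
}

# Join class: depends on the gate and reads the secret from local disk.
class centrify::join (String $domain) {
  require centrify::credentials

  # /usr/local/sbin/adjoin-from-file is an assumed wrapper that reads
  # the user and password from the credentials file and runs adjoin with
  # them, so the secret stays out of the catalog and of Puppet reports.
  # /usr/local/sbin/centrify-is-joined is an assumed helper that exits 0
  # when the host is already joined, making the Exec idempotent.
  exec { 'centrify-adjoin':
    command   => "/usr/local/sbin/adjoin-from-file ${domain}",
    unless    => '/usr/local/sbin/centrify-is-joined',
    logoutput => on_failure,
    timeout   => 300,
  }
}
```

A failed gate Exec shows up as a normal resource failure with the echoed message in the agent log, which is the closest thing to the "notify a notify resource" error the reply wishes for.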