On Wed, Feb 2, 2011 at 1:52 PM, Ashley Gould <ago...@ucop.edu> wrote:
> On Mon, Jan 31, 2011 at 06:27:20PM -0800, Daniel Pittman wrote:
>> In the longer term I would hope to have that information pushed out
>> from the puppet system, so that if a node *should* be joined with
>> centrifyDC puppet will make it so, but until then what you have is
>> great.
>
> I have considered that option, but I'll need to learn to walk first.
> What makes it difficult for puppet to manage this task is that the
> centrifyDC tools require authorization as an AD admin user to join a
> node to AD. This can be scripted, but I don't want to hardcode AD
> admin passwords into puppet manifests. Again, suggestions are very
> welcome.
In my previous life, we created a special account in AD with only the permission to create a computer account in the directory. The special account didn't have login rights or anything. It should be well documented in your centrifyDC tools how to create such a limited account.

Once you have this account in place, you can lock it. You can then unlock the account when you need to build a machine and have it automatically lock again after 15 minutes or so, if you want.

Hope this helps,

--
Jeff McCune
http://www.puppetlabs.com/
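The limited join account described in the reply above, as an added PowerShell example that is not part of the thread or of Centrify's own tooling: a dedicated account delegated only the right to create computer objects in one OU, kept disabled, and enabled for a 15-minute build window. It assumes the RSAT ActiveDirectory module and a domain-admin session; the domain, OU and account names are placeholders.

```powershell
# Added example (not from the mailing-list thread). Assumes RSAT ActiveDirectory
# module and a session with rights to create users and edit OU ACLs.
Import-Module ActiveDirectory

$Domain   = 'EXAMPLE'                        # placeholder NetBIOS domain name
$JoinUser = 'svc-adjoin'                     # placeholder join-only account
$TargetOU = 'OU=Servers,DC=example,DC=com'   # placeholder OU that receives new computers
$Password = Read-Host -AsSecureString 'Join account password'

# 1. Create the account disabled; it is never meant for interactive logon.
New-ADUser -Name $JoinUser -SamAccountName $JoinUser -AccountPassword $Password `
    -Enabled $false `
    -Description 'Limited AD join account: may only create computer objects'

# 2. Delegate a single ACE on the OU: Create Child (CC) of class "computer",
#    inherited to sub-objects (/I:T). No reset-password, no write on other objects.
dsacls $TargetOU /I:T /G "${Domain}\${JoinUser}:CC;computer"

# 3. Open a build window: enable the account and register a one-shot scheduled
#    task that disables it again after $Minutes (15 by default, as in the reply).
function Enable-JoinWindow {
    param([string]$User, [int]$Minutes = 15)
    Enable-ADAccount -Identity $User
    $action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -Command Disable-ADAccount -Identity $User"
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes($Minutes)
    Register-ScheduledTask -TaskName "Lock-$User" -Action $action -Trigger $trigger `
        -RunLevel Highest -Force | Out-Null
}

# Run this step on each build day; the task re-locks the account automatically.
Enable-JoinWindow -User $JoinUser
```

Each node join then authenticates as the join-only account during the window, so no domain-admin credential needs to live in a Puppet manifest.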