Ronald Wimmer via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
> Jochen already provided you the required commands. They can be
> automated easily.

I was still thinking about how to do that from the AIX side. I'm
sorry... Obviously I could need more coffee. ;-)

A lot of what can be done depends on what you use as AIX automation. If
you still use shell scripts - ssh to a Linux host is your most likely
solution. If you use something like Ansible, you might want to check
"delegate_to" in the Ansible documentation. In the unlikely event you
use Salt, have a look at orchestration. For other tools I declare total
ignorance.

There are lots and lots of possible solutions.

Just a hint on how you might handle authentication for IPA commands: Add a
user to IPA that has the role "Enrollment Administrator". Get a keytab
for that user and store it at a safe place on your IPA client. You
should be able to run "ipa" and other commands with it and without
giving name/password on the command line:

    env KRB5_CLIENT_KTNAME=/path/to/key.tab ipa ...

(you might need to install urllib-gssapi or python3-urllib-gssapi)

That would still need some experimenting, but I'm sure it will work in
the end.

Remember that the AIX host and FreeIPA need to agree on what the last
kvno is. That might be a problem while experimenting.

Jochen
--
This space is intentionally left blank.
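
Added example, not part of the original message or of FreeIPA: a POSIX shell wrapper that refuses to use a keytab unless it is stored safely (regular file, owned by the caller, no group/other access) and then runs the command with KRB5_CLIENT_KTNAME set as in the hint above. The function names check_keytab and run_with_keytab are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message. check_keytab and
# run_with_keytab are hypothetical helper names.

# Succeed only if the keytab is a regular file (not a symlink), owned by
# the calling user, with no group or other permission bits set.
check_keytab() {
    _kt=$1
    if [ -L "$_kt" ] || [ ! -f "$_kt" ]; then
        echo "keytab $_kt: not a regular file" >&2
        return 1
    fi
    # "ls -ldn" prints e.g. "-rw------- 1 1000 1000 ..." (numeric owner).
    _ls=$(ls -ldn "$_kt") || return 1
    _mode=$(printf '%s\n' "$_ls" | awk '{print $1}')
    _owner=$(printf '%s\n' "$_ls" | awk '{print $3}')
    case $_mode in
        -???------*) ;;   # only owner bits are set
        *)  echo "keytab $_kt: mode $_mode grants access beyond the owner" >&2
            return 1 ;;
    esac
    if [ "$_owner" != "$(id -u)" ]; then
        echo "keytab $_kt: owned by uid $_owner, not $(id -u)" >&2
        return 1
    fi
    return 0
}

# Run a command with KRB5_CLIENT_KTNAME pointing at a vetted keytab, so no
# name/password appears on the command line.
run_with_keytab() {
    _kt=$1
    shift
    check_keytab "$_kt" || return 1
    env KRB5_CLIENT_KTNAME="$_kt" "$@"
}

# Usage (path as in the message): run_with_keytab /path/to/key.tab ipa ping
```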