ipa-client-install offers an option, --password, to specify a password. However, passwords are visible to all local users via /proc, so this is slightly insecure. Using an environment variable instead would be more secure.
The realmd package would use this functionality instead of the --password option.
This should be done on the server too. And when it is done we should also support the password in file.
See related Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1119218
When the new option is ready, please create a Bugzilla for authconfig so that it can consume the new means to pass the password.
Replying to [comment:1 dpal]:
And/or from a file descriptor. Any password option should also have -env, -file, and -fd variants: --admin-password-file, --ds-password-fd.
Alexander suggests using a single --credentials option and passing variables in that one:
ipa-server-install --credentials=[-|/path/to/file]
where content of the file (or stdin) would be
admin_password=<value> ds_password=<value>
and we can do the same with ipa-client-install and use
password=<value>
This gives us flexibility to extend the scheme later.
As I replied elsewhere, we should be more general than that. ipa-server-install should be able to accept all its configuration options via config file, like dogtag is.
During 4.2, the actual IPA server installation functionality should run with options passed by function parameters. Then different invocations would use different UI to get the values from the user.
ipa-server-install would get it from argparse or config files. OpenLMI deployment daemon would get it from OpenLMI/DBUS etc.
I will close this request as duplicate of #4517, which is now being worked in FreeIPA 4.2.x milestone. Please track that ticket to receive updates to your request.
Metadata Update from @fweimer: - Issue assigned to someone - Issue set to the milestone: FreeIPA 4.2.1
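The --credentials=[-|/path/to/file] idea discussed in this ticket, sketched as an added example; it is not FreeIPA code and not part of the original thread. Assumptions: one key=value pair per line, the allowed key set, the requirement that a credentials file be inaccessible to group and other, and the hypothetical function names parse_credentials and load_credentials.

```python
import os
import stat
import sys

# Key names are the ones mentioned in the thread; treating them as a
# closed allow-list is an assumption of this example.
ALLOWED_KEYS = {"admin_password", "ds_password", "password"}


def parse_credentials(stream):
    """Parse key=value lines (assumed: one pair per line) into a dict."""
    creds = {}
    for lineno, raw in enumerate(stream, 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        if not sep or key not in ALLOWED_KEYS:
            # Never echo the offending line: it may contain a secret.
            raise ValueError("line %d: expected <known key>=<value>" % lineno)
        if key in creds:
            raise ValueError("line %d: duplicate key %s" % (lineno, key))
        creds[key] = value  # kept verbatim; may contain '=' or spaces
    return creds


def load_credentials(source, stdin=None):
    """source is '-' for stdin, otherwise a path to a private file."""
    if source == "-":
        return parse_credentials(stdin if stdin is not None else sys.stdin)
    # Open first and fstat the descriptor, so the permission check and
    # the read apply to the same file (no check/use race on the path).
    fd = os.open(source, os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0))
    with os.fdopen(fd, "r", encoding="utf-8") as f:
        st = os.fstat(f.fileno())
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("credentials source is not a regular file")
        if st.st_mode & 0o077:
            raise PermissionError("credentials file is accessible to group/other")
        return parse_credentials(f)
```

With this shape the secret never appears in the process argument list; only the literal `-` or a file path does.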