20.2. Adding Hosts to an IDM Host Group
Identity Management (IDM) supports automatic membership rules based on a system's attributes. Red Hat Satellite's realm feature lets administrators map Red Hat Satellite host groups to the IDM parameter "userclass", which allows administrators to configure automembership.
When nested host groups are used, they are sent to the IDM server as they are displayed in the Red Hat Satellite User Interface. For example, "Parent/Child/Child".
Note
The Satellite Server or Capsule Server sends updates to the IDM server; however, automembership rules are only applied at initial registration.
- On the IDM server, create a host group:
    # ipa hostgroup-add hostgroup_name
    Description: hostgroup_description
    ----------------------------
    Added hostgroup "hostgroup_name"
    ----------------------------
    Host-group: hostgroup_name
    Description: hostgroup_description

  Where:
  - hostgroup_name is the hostgroup's name.
  - hostgroup_description is the hostgroup's description.
- Create an automembership rule:
    # ipa automember-add --type=hostgroup automember_rule
    ----------------------------------
    Added automember rule "automember_rule"
    ----------------------------------
    Automember Rule: automember_rule

  Where:
  - automember-add flags the group as an automember group.
  - --type=hostgroup identifies that the target group is a host group, not a user group.
  - automember_rule is the name you wish to identify the automember rule by.
- Define an automembership condition based on the userclass attribute:
    # ipa automember-add-condition --key=userclass --type=hostgroup --inclusive-regex=^webserver hostgroup_name
    ----------------------------------
    Added condition(s) to "hostgroup_name"
    ----------------------------------
    Automember Rule: automember_rule
    Inclusive Regex: userclass=^webserver
    ----------------------------
    Number of conditions added 1
    ----------------------------

  Where:
  - automember-add-condition allows you to add regular expression conditions to identify group members.
  - --key=userclass specifies the key attribute as userclass.
  - --type=hostgroup identifies that the target group is a host group, not a user group.
  - --inclusive-regex=^webserver is a regular expression pattern to identify matching values.
  - hostgroup_name is the target hostgroup's name.
When a system is added to the Satellite Server's hostgroup_name host group, it will now automatically be added to the Identity Management server's "hostgroup_name" host group as well. IDM host groups allow for Host-Based Access Controls (HBAC), sudo policies and other IDM functions.
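Because membership in the IDM host group drives HBAC and sudo policy, it is worth previewing which Satellite host group paths an inclusive regex captures before adding the condition. The script below is an added example, not part of the Red Hat documentation: it runs the page's `^webserver` pattern and a stricter alternative over a constructed list of userclass values. It assumes `grep -E` matching is a close enough stand-in for how the IDM server evaluates these simple patterns; the function names and sample host group paths are hypothetical.

```shell
#!/bin/sh
# Added example: preview which userclass values (Satellite host group
# paths, e.g. "Parent/Child") an automember inclusive regex would match.
# Assumption: grep -E approximates the server-side regex engine for
# simple anchored patterns like the ones used here.

# Return 0 if userclass value $2 matches regex $1.
userclass_matches() {
    printf '%s\n' "$2" | grep -Eq -- "$1"
}

# Read candidate userclass values on stdin, print those matching regex $1.
preview_members() {
    while IFS= read -r uc; do
        [ -n "$uc" ] || continue
        if userclass_matches "$1" "$uc"; then
            printf '%s\n' "$uc"
        fi
    done
}

# Constructed sample of host group paths as Satellite would send them.
SAMPLE_USERCLASSES='webserver
webserver/production
webserver-sandbox
Datacenter/webserver
dbserver'

# Number of sample values that regex $1 would enrol.
count_members() {
    printf '%s\n' "$SAMPLE_USERCLASSES" | preview_members "$1" | wc -l | tr -d ' '
}

echo "Pattern from the procedure: ^webserver"
printf '%s\n' "$SAMPLE_USERCLASSES" | preview_members '^webserver'

# Stricter: only the "webserver" group itself and its nested children.
echo "Stricter pattern: ^webserver(/|\$)"
printf '%s\n' "$SAMPLE_USERCLASSES" | preview_members '^webserver(/|$)'
```

The prefix pattern also enrols the unrelated sibling group "webserver-sandbox" and misses "Datacenter/webserver", because nested groups arrive with the parent name first.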