I'm assuming this is possible, but I can't find a good starting point anywhere, so I'm hoping someone here can help. What I want to do is, somewhere in the cert approval process, run an extra check before saying yes.

I have a puppet master running with auto sign turned on, I bring up a puppet agent, it connects, authenticates and all is good. What I'd like to do is intercept the request from the agent on the master and run a programmatic check against the calling agent's IP addr before approving or denying the request.

Is this even possible, and if so, how do I accomplish it? Even pointers to the code that gets executed would help, but I'd really like to avoid mucking with the ca code itself and just add something in the chain. Filtering on domain in autosign.conf is not sufficient.

thanks,
Lou

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/TRHdTAzsYtQJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Mon, Oct 29, 2012 at 04:36:44PM -0700, Lou wrote:

Hi Lou,

> I'm assuming this is possible, but I can't find a good starting point
> anywhere, so I'm hoping someone here can help. What I want to do is,
> somewhere in the cert approval process, run an extra check before saying
> yes.

> Is this even possible, and if so, how do I accomplish it? Even pointers to
> the code that gets executed would help, but I'd really like to avoid
> mucking with the ca code itself and just add something in the chain.
> Filtering on domain in autosign.conf is not sufficient.

I've got some sample code to do this (in puppet 2.6) that might be helpful

https://groups.google.com/forum/?fromgroups=#!topic/puppet-dev/FR0KCOCIrrE

It's an intrusive change to the code base so it might not be a good fit but it might give you some hints.

Dean

--
Dean Wilson http://www.unixdaemon.net @unixdaemon
http://www.puppetcookbook.com @puppetcookbook