Excellent! Many thanks. I was looking at cloud-init but haven't had the study time to really dig into it. Your method makes perfect sense to me. I never considered using the first boot process. That really is the key.
Many thanks!!

On Nov 2, 2014 9:16 AM, "Amedeo Salvati" <amedeo@oscert.net> wrote:
Hi Jim,

I use ovirt template and freeipa for authentication, and on template i put a simple script "setup-freeipa-client.sh" to run on first boot, specifically for first boot I use cloud-init functions on ovirt, via web UI or via python sdk, and with cloud-init you can pass **evethings** you need -> new hostname, new ssh keys, new network configurations, new root password, new content on configuration files, or simply executing a new script.

If you are interested on cloud-init functions on python sdk have a look on a simple script that i wrote for our disaster recovery automation where on function buildYamlFile(line 124-137) by using cloud-init execution program/script, I change our freeipa server (lines 132-136) avoiding sssd timeout on contacting first two production freeipa server.

https://github.com/amedeos/ovirt-scripts-dr/blob/master/StartAllVM.py

HTH
Amedeo Salvati

Il 31/10/2014 20:01, users-request@ovirt.org ha scritto:
Date: Fri, 31 Oct 2014 14:55:46 -0400
From: Jim Kinney<jim.kinney@gmail.com>
To:"users@ovirt.org"  <users@ovirt.org>
Subject: [ovirt-users] templates and freeipa
Message-ID:
        <CAEo=5PwfhT=cvvahCuj4GsxkufD-UFUNbsN0q5Mi9ee76eg3ug@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Ovirt 3.5 is running well for me and I have freeIPA controlling access to
the user portal. I would like to provide templates of various linux setups
that all have freeipa for user authentication in the VM for my developers
to be able to create a new VM from and then log in using their freeIPA
access and sudo control. I'm wanting to group developers by project and use
freeIPA to set sudo commands as needed (group A get oracle, group B get
postgresql, etc). Wanting to maximize developer ability while minimizing my
clean up time:-)  They will be able to delete VMs they create.

It's possible to do a kickstart deploy with freeIPA registration but a
template from that will be a problem as it will have the same keys for all
VMs.

Is there a post-creation scripting process I can attach to in ovirt or
should I look at a default root user  and script that personalizes the new
VM?