internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-29 14:53:06 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: internet:v0.1.2
Branches Tags
internet:master internet:run_collection_playbooks internet:validate_emaildomain internet:0.4 internet:automember_verify_condition_keys internet:ipaautomember_documantation_fix internet:fix_image_build internet:t-woerner-permission-typo1 internet:fix-role-readme-title-1 internet:fix-role-readme-title internet:t-woerner-group-readme-external internet:fix_logger_info_calls
internet:v1.16.0 internet:v1.15.1 internet:v1.15.0 internet:v1.14.7 internet:v1.14.6 internet:v1.14.5 internet:v1.14.4 internet:v1.14.3 internet:v1.14.2 internet:v1.14.1 internet:v1.14.0 internet:v1.13.2 internet:v1.13.1 internet:v1.13.0 internet:v1.12.1 internet:v1.12.0 internet:v1.11.1 internet:v1.11.0 internet:v1.10.0 internet:v1.9.2 internet:v1.9.1 internet:v1.9.0 internet:v1.8.4 internet:v1.8.3 internet:v1.8.2 internet:v1.8.1 internet:v1.8.0 internet:v1.7.0 internet:v1.6.3 internet:v1.6.2 internet:v1.6.1 internet:v1.6.0 internet:v1.5.3 internet:v1.5.2 internet:v1.5.1 internet:v1.5.0 internet:v0.4.2 internet:v0.4.1 internet:v0.4.0 internet:v0.3.8 internet:v0.3.7 internet:v0.3.6 internet:v0.3.5 internet:v0.3.4 internet:v0.3.3 internet:v0.3.2 internet:v0.3.1 internet:v0.3.0 internet:v0.2.1 internet:v0.2.0 internet:v0.1.12 internet:v0.1.11 internet:v0.1.10 internet:v0.1.9 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0
...
compare: internet:v0.1.5
Branches Tags
internet:master internet:run_collection_playbooks internet:validate_emaildomain internet:0.4 internet:automember_verify_condition_keys internet:ipaautomember_documantation_fix internet:fix_image_build internet:t-woerner-permission-typo1 internet:fix-role-readme-title-1 internet:fix-role-readme-title internet:t-woerner-group-readme-external internet:fix_logger_info_calls
internet:v1.16.0 internet:v1.15.1 internet:v1.15.0 internet:v1.14.7 internet:v1.14.6 internet:v1.14.5 internet:v1.14.4 internet:v1.14.3 internet:v1.14.2 internet:v1.14.1 internet:v1.14.0 internet:v1.13.2 internet:v1.13.1 internet:v1.13.0 internet:v1.12.1 internet:v1.12.0 internet:v1.11.1 internet:v1.11.0 internet:v1.10.0 internet:v1.9.2 internet:v1.9.1 internet:v1.9.0 internet:v1.8.4 internet:v1.8.3 internet:v1.8.2 internet:v1.8.1 internet:v1.8.0 internet:v1.7.0 internet:v1.6.3 internet:v1.6.2 internet:v1.6.1 internet:v1.6.0 internet:v1.5.3 internet:v1.5.2 internet:v1.5.1 internet:v1.5.0 internet:v0.4.2 internet:v0.4.1 internet:v0.4.0 internet:v0.3.8 internet:v0.3.7 internet:v0.3.6 internet:v0.3.5 internet:v0.3.4 internet:v0.3.3 internet:v0.3.2 internet:v0.3.1 internet:v0.3.0 internet:v0.2.1 internet:v0.2.0 internet:v0.1.12 internet:v0.1.11 internet:v0.1.10 internet:v0.1.9 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0

50 Commits
v0.1.2 ... v0.1.5

Author SHA1 Message Date
Thomas Woerner
50611a042f galaxy.yml: Prepare for release 0.1.5 2019-07-09 10:13:55 +02:00
Thomas Woerner
cf01262b27 ipagroup playbooks: Add names for tasks 
ansible-lint does not like to have tasks without names. The comments have
been adapted and transformed into name tags.
 2019-07-09 10:05:53 +02:00
Thomas Woerner
0c3d35a577 ipauser playbooks: Add names for tasks 
ansible-lint does not like to have tasks without names. The comments have
been adapted and transformed into name tags.
 2019-07-09 10:05:41 +02:00
Thomas Woerner
771b0ba029 Update README-user.md: Fixed givenname highlighting 2019-07-09 09:33:38 +02:00
Thomas Woerner
364267f1ab README.md: Add references to new user and group management modules 2019-07-08 23:00:32 +02:00
Thomas Woerner
2afb8c6a2f New group management module 
There is a new group management module placed in the plugins folder:

  plugins/modules/ipagroup.py

The group module allows to add, remove, enable, disable, unlock und undelete
groups.

The group module is as compatible as possible to the Ansible upstream
`ipa_group` module, but addtionally offers to add users to a group and also
to remove users from a group.

Here is the documentation for the module:

  README-group.md

New example playbooks have been added:

  playbooks/user/add-groups-to-group.yml
  playbooks/user/add-user-to-group.yml
  playbooks/user/add-group.yml
  playbooks/user/delete-group.yml
 2019-07-08 22:55:49 +02:00
Thomas Woerner
a36e8e0876 New user management module 
There is a new user management module placed in the plugins folder:

  plugins/modules/ipauser.py

The user module allows to add, remove, enable, disable, unlock und undelete
users.

The user module is as compatible as possible to the Ansible upstream
`ipa_user` module, but addtionally offers to preserve delete, enable,
disable, unlock and undelete users.

Here is the documentation for the module:

  README-user.md

New example playbooks have been added:

  playbooks/user/add-user.yml
  playbooks/user/delete-user.yml
  playbooks/user/enable-user.yml
  playbooks/user/disable-user.yml
  playbooks/user/delete-preserve--user.yml
  playbooks/user/undelete-user.yml
 2019-07-08 22:43:09 +02:00
Thomas Woerner
1cb0ac67a2 ansible_freeipa_module: New functions date_format and compare_args_ipa 
date_format parses the supported date formats and creates a datetime object.

compare_args_ipa compares generated args with args returned by IPA command
find_ functions.
 2019-07-08 22:27:27 +02:00
Thomas Woerner
d2968b2611 ipaserver: Support sync_time changes of 4.8.0 
sync_time is not using options anymore, but has two new arguments. These
are ntp_servers and ntp_pool. The options argument is not used anymore.

This requires to use inspect on sync_time to be able to detect if the old
or the new function is available.

The call for get_time_source has been added, but is documented out as the
call is only useful in interactive mode.

ipaserver_test now returns ntp_servers and ntp_pool, which are then used
for ipaserver_setup_ntp.
 2019-07-05 17:56:38 +02:00
Thomas Woerner
03d904b7ea ipaclient: Support sync_time changes of 4.8.0 
sync_time is not using options anymore, but has two new arguments. These
are ntp_servers and ntp_pool. The options argument is not used anymore.

This requires to use inspect on sync_time to be able to detect if the old
or the new function is available.

The call for get_time_source has been added, but is documented out as the
call is only useful in interactive mode.

ipaclient_test now returns ntp_servers and ntp_pool, which are then used
for ipaclient_setup_ntp.
 2019-07-05 17:53:32 +02:00
Thomas Woerner
7a5fadfc8d ipaclient/action_plugins/ipaclient_get_otp: Enhanced error reporting 
If kinit_password call failed because of wrong password or even because
kinit was not found, there was a very unspecific error message. Now these
errors will be properly reported.

Fixes: RHBZ#1727277
 2019-07-05 13:05:04 +02:00
Thomas Woerner
45b2648af2 roles/ipaclient/README.md: OTP needs kinit on controller 
Add Information about needed /usr/bin/kinit on the controller when OTP is used
 2019-07-05 11:59:14 +02:00
Thomas Woerner
27fb3e1bb7 README.md: OTP needs kinit on controller 
Add Information about needed /usr/bin/kinit on the controller when OTP is used
 2019-07-05 11:57:11 +02:00
Thomas Woerner
115f96d0be ipaserver_prepare: Properly report error, do show trace back 
The raises of RuntimeError, ValueError and ScriptError are currently not
properly handled in ipaserver_prepare. This results in a trace back error
shown in Ansible instead of only showing the error message.

This happened for example if a nameserver is in /etc/resolv.conf that is
not reachable.
 2019-07-02 13:43:15 +02:00
Thomas Woerner
da2631d923 ipatopology modules: Use ipaadmin_ prefix for principal and password 
The use of password will conflict with the user password setting and is
not really descriptive. ipaadmin_principal and ipaadmin_password are also
used in the roles.
 2019-07-01 14:48:42 +02:00
Thomas Woerner
c708ef781e New tests folder 
There are currently only external signed CA tests:

external-signed-ca-with-automatic-copy
external-signed-ca-with-manual-copy
 2019-06-27 13:02:11 +02:00
Thomas Woerner
e7de098790 README: Update information about external signed CA 2019-06-27 12:45:25 +02:00
Thomas Woerner
45d8008033 ipaserver: Add support for external signed CA 
This adds support for the --external-ca option to ipaserver. Lots of
additional tests and checks from ServerInstallInterface.__init__ have
been added to ipaserver_test. Also duplicate tests cna checks have been
removed.

Installer settings in ansible_ipa_server module_util are now also set
to the defaults that are used in Installable, ServerInstallInterface,
ServerMasterInstall, ADTrustInstallInterface and Uninstall.

The /root/ipa.csr file generated on the node in ca.install_step_0 will
be copied to the controller as "{{ inventory_hostname }}-ipa.csr".

The new task file copy_external_cert.yml has been added to copy the
generated certificate defined in ipaserver_external_cert_files to the node
to continue with ca.install_step_1.

The tasks/install.yml file has been adapted to make sure that the steps
that will be done in step two will be skipped after step one has been
done.
 2019-06-27 12:06:56 +02:00
Thomas Woerner
5f580b5152 ipa[server,replica,client]: Remove tasks folder prefix for include_tasks 
This is not needed and will calm down ansible-lint, which is not able
to handle the extra tasks folder prefix.
 2019-06-26 18:20:41 +02:00
Thomas Woerner
7e42102aa5 ipa[server,replica,client]: RHEL-8 specific vars files 
These vars files are providing the module names used with the Ansible
package module to install the needed RPM packages.
 2019-06-26 16:03:54 +02:00
Thomas Woerner
3a3b4cb397 ansible_ipa_replica: installer.add_sids should default to False 
The general setting of installer.add_sids was not correct and has been
fixed.
 2019-06-25 16:01:42 +02:00
Thomas Woerner
5afd889023 ipareplica_krb_enable_ssl: Initialize krb.pkcs12_info and krb.master_fqdn 
These two settings are not set using the krb.init_info method, but used in
krb.enable_ssl.

The configuration of PKINIT fails in IPA 4.7.0 because of the issue
https://pagure.io/freeipa/issue/7655 where auto detection of the
master is not properly working. With the missing setting of krb.master_fqdn
the not workint auto detection has been triggered, which resulted in
failed PKINIT enablement.
 2019-06-25 15:52:54 +02:00
Thomas Woerner
5d881a9bf3 ipareplica: Set all needed settings for kra 
Some settings for kra have not been correct for kra with the change to
use single Custodia instance in the installer (freeipa 994f71ac8).

These modules have been adapted:

  ipareplica_custodia_import_dm_password
  ipareplica_enable_ipa
  ipareplica_setup_ca
  ipareplica_setup_custodia
  ipareplica_setup_kra
 2019-06-25 10:53:07 +02:00
Thomas Woerner
2092220634 ipareplica: Make sure that certmonger picks the right master 
This is related to freeipa#0f31564b35aac250456233f98730811560eda664

  During ipa-replica-install, http installation first creates a service
  principal for http/hostname (locally on the soon-to-be-replica), then
  waits for this entry to be replicated on the master picked for the
  install.
  In a later step, the installer requests a certificate for HTTPd. The local
  certmonger first tries the master defined in xmlrpc_uri (which is
  pointing to the soon-to-be-replica), but fails because the service is not
  up yet. Then certmonger tries to find a master by using the DNS and looking
  for a ldap service. This step can pick a different master, where the
  principal entry has not always be replicated yet.
  As the certificate request adds the principal if it does not exist, we can
  end by re-creating the principal and have a replication conflict.

  The replication conflict later causes kerberos issues, preventing
  from installing a new replica.

  The proposed fix forces xmlrpc_uri to point to the same master as the one
  picked for the installation, in order to make sure that the master already
  contains the principal entry.

  https://pagure.io/freeipa/issue/7041
 2019-06-21 12:26:01 +02:00
Thomas Woerner
ca4518a623 ansible_ipa_client: Always set options.unattended 
This has not been done so far in the ansible_ipa_client, but only in the
modules where it was really needed. But as these places are getting more
with 4.7.90, this setting makes it into the module_utils.
 2019-06-21 12:07:36 +02:00
Thomas Woerner
158fdb1876 ipatopologysegment: Use commands, not command 
command has been used instead of commands. command is not defined.
 2019-06-17 20:33:49 +02:00
Thomas Woerner
c905cdaf02 Update README-topology.md 2019-06-17 18:52:55 +02:00
Thomas Woerner
4378d161bc Update README.md 2019-06-17 18:35:42 +02:00
Thomas Woerner
1009c889b3 Update README.md 2019-06-17 18:34:01 +02:00
Thomas Woerner
56a8acedf0 ipatopologysegment: Allow domain+ca suffix, new state: checked 
It is now possible to use domain+ca as suffix, That means that the segment
will be handled for the suffixes domain and also ca.

The new state checked is returning two lists found and not-found. If a
segment exists, the ckecked suffix is added to the found list. If a segment
from suffix is not found, it is added to the not-found list.

New example playbooks have been added:
   playbooks/topology/add-topologysegments.yml
   playbooks/topology/check-topologysegments.yml
   playbooks/topology/delete-topologysegments.yml

The cluster playbook has been extended by the
 2019-06-17 18:23:44 +02:00
Thomas Woerner
8ac1a6e590 ipareplica: Add default(omit) for ipaclient role varaibles 
To make sure that there will be no issue with undefined output from
ipareplica_test, the default(omit) has been added.
 2019-06-17 16:49:14 +02:00
Thomas Woerner
76d436ec0b ipareplica: Use ipareplica_server if set. 
The variable has been ignored and was not used. The servers are now
properly set from ipareplica_servers now.
 2019-06-17 16:42:37 +02:00
Thomas Woerner
438f09bad9 ipareplica: The dm password is not needed for ipareplica_master_password 
The module ipareplica_master_password has been a copy from ipaserver role
and still contained code to read the cache file. This is not needed for
the replica. Therefore there is no need also to provide the dm password
to ipareplica_master_password any more.
 2019-06-17 16:40:14 +02:00
Thomas Woerner
0f73362ef5 Merge pull request #60 from dawud/feature/improve_package_installation_tasks 
Fixes #17 Improve how tasks manage package installation
 2019-06-17 15:49:33 +02:00
Thomas Woerner
2372e5b98d ipaclient: Report error message if ipaclient_get_otp failed 
Currently the error message of ipaclient_get_otp is not visble if it failed
due to the use of no_log. The no_log option is needed and useful if the
one-time password has successfully been generated, but is bad if there was
an error while generating the password, for example if a clock skew has been
detected.

There is now a new task to print the error message if ipaclient_get_otp. The
task for ipaclient_get_otp has been marked with "ignore_errors: yes" and
the new task "Install - Report error for OTP generation" will always fail
and only be used if result_ipaclient_get_otp is failed.
 2019-06-17 11:14:02 +02:00
Thomas Woerner
50046a7348 ipaclient: Fix test of newly supported ipaadmin_keytab use in ipaclient_join 
The check for the ipaadmin_keytab was not using "is defined". Because of this
the playbook processing failed if the variable was not defined.
 2019-06-17 10:25:02 +02:00
Thomas Woerner
79d0ac9d47 Update README.md 2019-06-17 09:39:59 +02:00
Thomas Woerner
ca43b427a8 Update README.md 2019-06-17 09:38:10 +02:00
Thomas Woerner
b89112cf81 Update README.md 
Fixes #87 (ipareplica README seems to have incorrect info)
 2019-06-14 20:13:22 +02:00
Thomas Woerner
215359e377 Update README.md 2019-06-14 19:28:51 +02:00
Thomas Woerner
a79437d39a Update README.md 2019-06-14 19:27:52 +02:00
Thomas Woerner
4829399ef3 Update README.md 2019-06-14 18:26:50 +02:00
Thomas Woerner
e218441c39 Update README.md 2019-06-14 18:18:33 +02:00
Thomas Woerner
8ffe818b7f Update README.md 2019-06-14 18:15:07 +02:00
Thomas Woerner
100b7eabaf ipaclient: Do not fail if ipaadmin_password is not used 
This is for example the case if ipaadmin_keytab is used instead without
ipaclient_use_otp.
 2019-06-14 17:34:04 +02:00
Thomas Woerner
ac24f9c067 ipaclient_join: Support to use ipaadmin_keytab without ipaclient_use_otp 
ipaadmin_keytab has been supported only with with ipaclient_use_otp. But
it can also be used without for ipa-join.

Important is that ipaadmin_keytab needs to be placed on the cliend node
and ipaadmin_keytab needs to be a full path. Otherwise the file will not
be found.
 2019-06-14 17:30:53 +02:00
Thomas Woerner
da14fa29bb ipaclient: Use omit (None) for password, keytab, no string length checks 
Password and keytab do not need to be set explicitely to an empty string
when they are not set. Also there is no need to have string length checks
in the role tasks.
 2019-06-14 17:26:12 +02:00
Thomas Woerner
813d5bbf97 ipaclient_get_otp: Remove ansible_python_interpreter handling 
With the deactivation of the Python2/3 test the handling of
ansible_python_interpreter needs to be removed as the setting might
not exist and is not changed in with the Python2/3 test any more.
 2019-06-12 11:06:38 +02:00
Thomas Woerner
3de056bc60 ipaclient_test: Fix Python2 decode use with Python3 
This is a remain of the Python2 version and has been fixed.

Fixed: #86 (AttributeError: 'str' object has no attribute 'decode')
 2019-06-12 11:00:59 +02:00
David Sastre Medina
20e5338ad5 Fixes #17 Improve how tasks manage package installation 
The use of squash_actions to invoke a package module, such as “yum”, to
only invoke the module once is deprecated, and will be removed in
Ansible 2.11.
Instead of relying on implicit squashing, tasks should instead supply
the list directly to the name, pkg or package parameter of the module.

See [1] for a reference to the upstream documentation.

The ipa-krb5 and ipa-sssd modules include *_packages variables in both
defaults/ and vars/, additionally, the list of packages in ipa-sssd differs
from one to the other.
Unify list of packages into vars/

[1]: https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.7.html#using-a-loop-on-a-package-module-via-squash-actions
 2019-06-04 12:42:19 +02:00
73 changed files with 3417 additions and 846 deletions
Expand all files Collapse all files

153
README-group.md Normal file
View File

@@ -0,0 +1,153 @@
Group module
============
Description
-----------
The group module allows to add, remove, enable, disable, unlock und undelete groups.
The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but addtionally offers to add users to a group and also to remove users from a group.
Features
--------
* Group management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipagroup module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to add groups:
```yaml
---
- name: Playbook to handle groups
hosts: ipaserver
become: true
tasks:
# Create group ops with gid 1234
- ipagroup:
ipaadmin_password: MyPassword123
name: ops
gidnumber: 1234
# Create group sysops
- ipagroup:
ipaadmin_password: MyPassword123
name: sysops
user:
- pinky
# Create group appops
- ipagroup:
ipaadmin_password: MyPassword123
name: appops
```
Example playbook to add users to a group:
```yaml
---
- name: Playbook to handle groups
hosts: ipaserver
become: true
tasks:
# Add user member brain to group sysops
- ipagroup:
ipaadmin_password: MyPassword123
name: sysops
action: member
user:
- brain
```
`action` controls if a the group or member will be handled. To add or remove members, set `action` to `member`.
Example playbook to add group members to a group:
```yaml
---
- name: Playbook to handle groups
hosts: ipaserver
become: true
tasks:
# Add group members sysops and appops to group sysops
- ipagroup:
ipaadmin_password: MyPassword123
name: ops
group:
- sysops
- appops
```
Example playbook to remove groups:
```yaml
---
- name: Playbook to handle groups
hosts: ipaserver
become: true
tasks:
# Remove goups sysops, appops and ops
- ipagroup:
ipaadmin_password: MyPassword123
name: sysops,appops,ops
state: absent
```
Variables
=========
ipagroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of group name strings. | no
`description` | The group description string. | no
`gid` \| `gidnumber` | The GID integer. | no
`nonposix` | Create as a non-POSIX group. (bool) | no
`external` | Allow adding external non-IPA members from trusted domains. (flag) | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`user` | List of user name strings assigned to this group. | no
`group` | List of group name strings assigned to this group. | no
`service` | List of service name strings assigned to this group | no
`action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, defauilt: `present`. | yes
Authors
=======
Thomas Woerner

52
README-topology.md
View File

@@ -50,7 +50,7 @@ Example playbook to add a topology segment wiht default name (cn):
tasks:
- name: Add topology segment
ipatopologysegment:
password: MyPassword123
ipaadmin_password: MyPassword123
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -70,7 +70,7 @@ Example playbook to delete a topology segment:
tasks:
- name: Delete topology segment
ipatopologysegment:
password: MyPassword123
ipaadmin_password: MyPassword123
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -90,7 +90,7 @@ Example playbook to reinitialize a topology segment:
tasks:
- name: Reinitialize topology segment
ipatopologysegment:
password: MyPassword123
ipaadmin_password: MyPassword123
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -111,11 +111,43 @@ Example playbook to verify a topology suffix:
tasks:
- name: Verify topology suffix
ipatopologysuffix:
password: MyPassword123
ipaadmin_password: MyPassword123
suffix: domain
state: verified
```
Example playbook to add a list of topology segments:
```yaml
---
- name: Add topology segments
hosts: ipaserver
become: true
gather_facts: false
vars:
ipaadmin_password: password1
ipatopology_segments:
- {suffix: domain, left: replica1.test.local, right: replica2.test.local}
- {suffix: domain, left: replica2.test.local, right: replica3.test.local}
- {suffix: domain, left: replica3.test.local, right: replica4.test.local}
- {suffix: domain+ca, left: replica4.test.local, right: replica1.test.local}
tasks:
- name: Add topology segment
ipatopologysegment:
ipaadmin_password: "{{ ipaadmin_password }}"
suffix: "{{ item.suffix }}"
name: "{{ item.name | default(omit) }}"
left: "{{ item.left }}"
right: "{{ item.right }}"
#state: present
#state: absent
#state: checked
state: reinitialized
loop: "{{ ipatopology_segments | default([]) }}"
```
Variables
=========
@@ -125,14 +157,14 @@ ipatopologysegment
Variable | Description | Required
-------- | ----------- | --------
`principal` | The admin principal is a string and defaults to `admin` | no
`password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`suffix` | The topology suffix to be used, this can either be `domain` or `ca` | yes
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`suffix` | The topology suffix to be used, this can either be `domain`, `ca` or `domain+ca` | yes
`name` \| `cn` | The topology segment name (cn) is the unique identifier for a segment. | no
`left` \| `leftnode` | The left replication node string - an IPA server | no
`right` \| `rightnode` | The right replication node string - an IPA server | no
`direction` | The direction a segment will be reinitialized. It can either be `left-to-right` or `right-to-left` and only used with `state: reinitialized` |
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled` or `reinitialized` | yes
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `checked` or `reinitialized` | yes
ipatopologysuffix
@@ -142,8 +174,8 @@ Verify FreeIPA topology suffix
Variable | Description | Required
-------- | ----------- | --------
`principal` | The admin principal is a string and defaults to `admin` | no
`password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`suffix` | The topology suffix to be used, this can either be `domain` or `ca` | yes
`state` | The state to ensure. It can only be `verified` | yes

197
README-user.md Normal file
View File

@@ -0,0 +1,197 @@
User module
===========
Description
-----------
The user module allows to add, remove, enable, disable, unlock und undelete users.
The user module is as compatible as possible to the Ansible upstream `ipa_user` module, but addtionally offers to preserve delete, enable, disable, unlock and undelete users.
Features
--------
* User management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipauser module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to add users:
```yaml
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
# Create user pinky
- ipauser:
ipaadmin_password: MyPassword123
name: pinky
first: pinky
last: Acme
uid: 10001
gid: 100
phone: "+555123457"
email: pinky@acme.com
passwordexpiration: "2023-01-19 23:59:59"
password: "no-brain"
update_password: on_create
# Create user brain
- ipauser:
ipaadmin_password: MyPassword123
name: brain
first: brain
last: Acme
```
`update_password` controls if a password for a user will be set in present state only on creation or every time (always).
Example playbook to delete a user, but preserve it:
```yaml
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
# Remove user pinky and brain
- ipauser:
ipaadmin_password: MyPassword123
name: pinky
preserve: yes
state: disabled
```
Example playbook to undelete a user.
```yaml
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
# Remove user pinky and brain
- ipauser:
ipaadmin_password: MyPassword123
name: pinky
state: undeleted
```
Example playbook to disable a user:
```yaml
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
# Remove user pinky and brain
- ipauser:
ipaadmin_password: MyPassword123
name: pinky
state: disabled
```
Example playbook to enable a users:
```yaml
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
# Remove user pinky and brain
- ipauser:
ipaadmin_password: MyPassword123
name: pinky,brain
state: disabled
```
Example playbook to delete users:
```yaml
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
# Remove user pinky and brain
- ipauser:
ipaadmin_password: MyPassword123
name: pinky,brain
state: disabled
```
Variables
=========
ipauser
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` | The list of user name strings. | no
`first` \| `givenname` | The first name string. | no
`last` | The last name | no
`fullname` \| `cn` | The full name string. | no
`displayname` | The display name string. | no
`homedir` | The home directory string. | no
`shell` \| `loginshell` | The login shell string. | no
`email` | List of email address strings. | no
`principalname` \| `krbprincipalname` | The kerberos principal sptring. | no
`passwordexpiration` \| `krbpasswordexpiration` | The kerberos password expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. | no
`password` | The user password string. | no
`uid` \| `uidnumber` | The UID integer. | no
`gid` \| `gidnumber` | The GID integer. | no
`phone` \| `telephonenumber` | List of telephone number strings, | no
`title` | The job title string. | no
~~`sshpubkey` \| `ipasshpubkey`~~ | ~~List of SSH public keys.~~ | ~~no~~
`update_password` | Set password for a user in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
`preserve` | Delete a user, keeping the entry available for future use. (bool) | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `unlocked` or `undeleted`, default: `present`. | yes
Authors
=======
Thomas Woerner

53
README.md
View File

@@ -1,7 +1,7 @@
FreeIPA Ansible roles
=====================
This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`.
This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`. Also modules for group, topology and user management.
**Note**: The ansible playbooks and roles require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
@@ -11,7 +11,9 @@ Features
* Cluster deployments: Server, replicas and clients in one playbook
* One-time-password (OTP) support for client installation
* Repair mode for clients
* Modules for group management
* Modules for topology management
* Modules for user management
Supported FreeIPA Versions
--------------------------
@@ -32,6 +34,7 @@ Requirements
**Controller**
* Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
* /usr/bin/kinit is required on the controller if a one time password (OTP) is used
* python3-gssapi is required on the controller if a one time password (OTP) is used with keytab to install the client.
**Node**
@@ -41,11 +44,11 @@ Requirements
Limitations
-----------
**External CA**
**External signed CA**
External CA support is not supported or working. The currently needed two step process is an issue for the processing in the role. The configuration of the server is partly done already and needs to be continued after the CSR has been handled. This is for example breaking the deployment of a server with replicas or clients in one playbook.
External signed CA is now supported. But the currently needed two step process is an issue for the processing in a simple playbook.
Work is planned to have a new method to handle CSR for external CAs in a separate step before starting the server installation.
Work is planned to have a new method to handle CSR for external signed CAs in a separate step before starting the server installation.
Usage
@@ -66,7 +69,7 @@ The roles provided by ansible-freeipa are not available in ansible galaxy so far
Ansible inventory file
----------------------
The most important parts of the inventory file is the definition of the nodes, settings and the topology. Please remember to use [Ansible vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.
The most important parts of the inventory file is the definition of the nodes, settings and the management modules. Please remember to use [Ansible vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.
**Master server**
@@ -234,6 +237,42 @@ ipaserver_realm=TEST.LOCAL
```
All these settings will be available in the ```[ipaserver]```, ```[ipareplicas]``` and ```[ipaclient]``` groups.
**Topology**
With this playbook it is possible to add a list of topology segments using the `ipatopologysegment` module.
```yaml
---
- name: Add topology segments
hosts: ipaserver
become: true
gather_facts: false
vars:
ipaadmin_password: password1
ipatopology_segments:
- {suffix: domain, left: replica1.test.local, right: replica2.test.local}
- {suffix: domain, left: replica2.test.local, right: replica3.test.local}
- {suffix: domain, left: replica3.test.local, right: replica4.test.local}
- {suffix: domain+ca, left: replica4.test.local, right: replica1.test.local}
tasks:
- name: Add topology segment
ipatopologysegment:
password: "{{ ipaadmin_password }}"
suffix: "{{ item.suffix }}"
name: "{{ item.name | default(omit) }}"
left: "{{ item.left }}"
right: "{{ item.right }}"
#state: present
#state: absent
#state: checked
state: reinitialized
loop: "{{ ipatopology_segments | default([]) }}"
```
Playbooks
=========
@@ -309,8 +348,10 @@ Roles
* [Replica](roles/ipareplica/README.md)
* [Client](roles/ipaclient/README.md)
Plugins in plugin/modules
Modules in plugin/modules
=========================
* [ipagroup](README-group.md)
* [ipatopologysegment](README-topology.md)
* [ipatopologysuffix](README-topology.md)
* [ipauser](README-user.md)

2
galaxy.yml
View File

@@ -1,6 +1,6 @@
namespace: "freeipa"
name: "ansible_freeipa"
version: "0.1.1"
version: "0.1.5-1"
description: ""
authors:

2
playbooks/topology/add-topologysegment.yml
View File

@@ -6,7 +6,7 @@
tasks:
- name: Add topology segment
ipatopologysegment:
password: MyPassword123
ipaadmin_password: MyPassword123
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local

23
playbooks/topology/add-topologysegments.yml Normal file
View File

@@ -0,0 +1,23 @@
---
- name: Add topology segments
hosts: ipaserver
become: true
gather_facts: false
vars:
ipatopology_segments:
- {suffix: domain, left: replica1.test.local, right: replica2.test.local}
- {suffix: domain, left: replica2.test.local, right: replica3.test.local}
- {suffix: domain, left: replica3.test.local, right: replica4.test.local}
- {suffix: domain+ca, left: replica4.test.local, right: replica1.test.local}
tasks:
- name: Add topology segment
ipatopologysegment:
ipaadmin_password: "{{ ipaadmin_password }}"
suffix: "{{ item.suffix }}"
name: "{{ item.name | default(omit) }}"
left: "{{ item.left }}"
right: "{{ item.right }}"
state: present
loop: "{{ ipatopology_segments | default([]) }}"

23
playbooks/topology/check-topologysegments.yml Normal file
View File

@@ -0,0 +1,23 @@
---
- name: Add topology segments
hosts: ipaserver
become: true
gather_facts: false
vars:
ipatopology_segments:
- {suffix: domain, left: replica1.test.local, right: replica2.test.local}
- {suffix: domain, left: replica2.test.local, right: replica3.test.local}
- {suffix: domain, left: replica3.test.local, right: replica4.test.local}
- {suffix: domain+ca, left: replica4.test.local, right: replica1.test.local}
tasks:
- name: Add topology segment
ipatopologysegment:
ipaadmin_password: "{{ ipaadmin_password }}"
suffix: "{{ item.suffix }}"
name: "{{ item.name | default(omit) }}"
left: "{{ item.left }}"
right: "{{ item.right }}"
state: checked
loop: "{{ ipatopology_segments | default([]) }}"

2
playbooks/topology/delete-topologysegment.yml
View File

@@ -6,7 +6,7 @@
tasks:
- name: Delete topology segment
ipatopologysegment:
password: MyPassword123
ipaadmin_password: MyPassword123
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local

23
playbooks/topology/delete-topologysegments.yml Normal file
View File

@@ -0,0 +1,23 @@
---
- name: Add topology segments
hosts: ipaserver
become: true
gather_facts: false
vars:
ipatopology_segments:
- {suffix: domain, left: replica1.test.local, right: replica2.test.local}
- {suffix: domain, left: replica2.test.local, right: replica3.test.local}
- {suffix: domain, left: replica3.test.local, right: replica4.test.local}
- {suffix: domain+ca, left: replica4.test.local, right: replica1.test.local}
tasks:
- name: Add topology segment
ipatopologysegment:
ipaadmin_password: "{{ ipaadmin_password }}"
suffix: "{{ item.suffix }}"
name: "{{ item.name | default(omit) }}"
left: "{{ item.left }}"
right: "{{ item.right }}"
state: absent
loop: "{{ ipatopology_segments | default([]) }}"

2
playbooks/topology/reinitialize-topologysegment.yml
View File

@@ -6,7 +6,7 @@
tasks:
- name: Reinitialize topology segment
ipatopologysegment:
password: MyPassword123
ipaadmin_password: MyPassword123
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local

2
playbooks/topology/verify-topologysuffix.yml
View File

@@ -6,6 +6,6 @@
tasks:
- name: Verify topology suffix
ipatopologysuffix:
password: MyPassword123
ipaadmin_password: MyPassword123
suffix: domain
state: verified

24
playbooks/user/add-group.yml Normal file
View File

@@ -0,0 +1,24 @@
---
- name: Playbook to handle groups
hosts: ipaserver
become: true
tasks:
- name: Create group ops with gid 1234
ipagroup:
ipaadmin_password: MyPassword123
name: ops
gidnumber: 1234
- name: Create group sysops
ipagroup:
ipaadmin_password: MyPassword123
name: sysops
user:
- pinky
- name: Create group appops
ipagroup:
ipaadmin_password: MyPassword123
name: appops

13
playbooks/user/add-groups-to-group.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: Playbook to handle groups
hosts: ipaserver
become: true
tasks:
- name: Add group members sysops and appops to group sysops
ipagroup:
ipaadmin_password: MyPassword123
name: ops
group:
- sysops
- appops

13
playbooks/user/add-user-to-group.yml Normal file
View File

@@ -0,0 +1,13 @@
---
- name: Playbook to handle groups
hosts: ipaserver
become: true
tasks:
- name: Add user member brain to group sysops
ipagroup:
ipaadmin_password: MyPassword123
name: sysops
action: member
user:
- brain

20
playbooks/user/add-user.yml Normal file
View File

@@ -0,0 +1,20 @@
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
- name: Create user pinky
ipauser:
ipaadmin_password: MyPassword123
name: pinky
first: pinky
last: Acme
uid: 10001
gid: 100
phone: "+555123457"
email: pinky@acme.com
passwordexpiration: "2023-01-19 23:59:59"
password: "no-brain"
update_password: on_create

11
playbooks/user/delete-group.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Playbook to handle groups
hosts: ipaserver
become: true
tasks:
- name: Remove goups sysops, appops and ops
ipagroup:
ipaadmin_password: MyPassword123
name: sysops,appops,ops
state: absent

12
playbooks/user/delete-preserve-user.yml Normal file
View File

@@ -0,0 +1,12 @@
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
- name: Delete and preserve user pinky
ipauser:
ipaadmin_password: MyPassword123
name: pinky
preserve: yes
state: disabled

11
playbooks/user/delete-user.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
- name: Remove user pinky and brain
ipauser:
ipaadmin_password: MyPassword123
name: pinky
state: disabled

11
playbooks/user/disable-user.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
- name: Disable user pinky
ipauser:
ipaadmin_password: MyPassword123
name: pinky
state: disabled

11
playbooks/user/enable-user.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
- name: Enable user pinky
ipauser:
ipaadmin_password: MyPassword123
name: pinky
state: disabled

11
playbooks/user/undelete-user.yml Normal file
View File

@@ -0,0 +1,11 @@
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
- name: Undelete preserved user pinky
ipauser:
ipaadmin_password: MyPassword123
name: pinky
state: undeleted

41
plugins/module_utils/ansible_freeipa_module.py
View File

@@ -25,9 +25,10 @@ import os
import sys
import tempfile
import shutil
from datetime import datetime
from ipalib import api, errors
from ipalib.config import Env
from ipalib.constants import DEFAULT_CONFIG
from ipalib.constants import DEFAULT_CONFIG, LDAP_GENERALIZED_TIME_FORMAT
try:
from ipalib.install.kinit import kinit_password
except ImportError:
@@ -36,7 +37,6 @@ from ipapython.ipautil import run
from ipaplatform.paths import paths
from ipalib.krb_utils import get_credentials_if_valid
def valid_creds(principal):
"""
Get valid credintials matching the princial
@@ -120,3 +120,40 @@ def execute_api_command(module, principal, password, command, name, args):
finally:
temp_kdestroy(ccache_dir, ccache_name)
def date_format(value):
accepted_date_formats = [
LDAP_GENERALIZED_TIME_FORMAT, # generalized time
'%Y-%m-%dT%H:%M:%SZ', # ISO 8601, second precision
'%Y-%m-%dT%H:%MZ', # ISO 8601, minute precision
'%Y-%m-%dZ', # ISO 8601, date only
'%Y-%m-%d %H:%M:%SZ', # non-ISO 8601, second precision
'%Y-%m-%d %H:%MZ', # non-ISO 8601, minute precision
]
for date_format in accepted_date_formats:
try:
return datetime.strptime(value, date_format)
except ValueError:
pass
raise ValueError("Invalid date '%s'" % value)
def compare_args_ipa(module, args, ipa):
for key in args.keys():
if key not in ipa:
return False
else:
arg = args[key]
ipa_arg = ipa[key]
# If ipa_arg is a list and arg is not, replace arg
# with list containing arg. Most args in a find result
# are lists, but not all.
if isinstance(ipa_arg, list) and not isinstance(arg, list):
arg = [arg]
#module.warn("%s <=> %s" % (arg, ipa_arg))
if arg != ipa_arg:
return False
return True

422
plugins/modules/ipagroup.py Normal file
View File

@@ -0,0 +1,422 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Copyright (C) 2019 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
ANSIBLE_METADATA = {
"metadata_version": "1.0",
"supported_by": "community",
"status": ["preview"],
}
DOCUMENTATION = """
---
module: ipagroup
short description: Manage FreeIPA groups
description: Manage FreeIPA groups
options:
ipaadmin_principal:
description: The admin principal
default: admin
ipaadmin_password:
description: The admin password
required: false
name:
description: The group name
required: false
aliases: ["cn"]
description:
description: The group description
required: false
gid:
description: The GID
required: false
aliases: ["gidnumber"]
nonposix:
description: Create as a non-POSIX group
required: false
type: bool
external:
description: Allow adding external non-IPA members from trusted domains
required: false
type: bool
nomembers:
description: Suppress processing of membership attributes
required: false
type: bool
user:
description: List of user names assigned to this group.
required: false
type: list
group:
description: List of group names assigned to this group.
required: false
type: list
service:
description: List of service names assigned to this group.
required: false
type: list
action:
description: Work on group or member level
default: group
choices: ["member", "group"]
state:
description: State to ensure
default: present
choices: ["present", "absent"]
author:
- Thomas Woerner
"""
EXAMPLES = """
# Create group ops with gid 1234
- ipagroup:
ipaadmin_password: MyPassword123
name: ops
gidnumber: 1234
# Create group sysops
- ipagroup:
ipaadmin_password: MyPassword123
name: sysops
# Create group appops
- ipagroup:
ipaadmin_password: MyPassword123
name: appops
# Add user member pinky to group sysops
- ipagroup:
ipaadmin_password: MyPassword123
name: sysops
action: member
user:
- pinky
# Add user member brain to group sysops
- ipagroup:
ipaadmin_password: MyPassword123
name: sysops
action: member
user:
- brain
# Add group members sysops and appops to group sysops
- ipagroup:
ipaadmin_password: MyPassword123
name: ops
group:
- sysops
- appops
# Remove goups sysops, appops and ops
- ipagroup:
ipaadmin_password: MyPassword123
name: sysops,appops,ops
state: absent
"""
RETURN = """
"""
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils._text import to_bytes, to_native, to_text
from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
temp_kdestroy, valid_creds, api_connect, api_command, date_format, \
compare_args_ipa
def find_group(module, name):
#module.warn("find_group(.., %s)" % to_text(name))
_args = {
"all": True,
"cn": to_text(name),
}
_result = api_command(module, "group_find", to_text(name), _args)
if len(_result["result"]) > 1:
module.fail_json(
msg="There is more than one group '%s'" % (name))
elif len(_result["result"]) == 1:
return _result["result"][0]
else:
return None
def gen_args(description, gid, nonposix, external, nomembers):
_args = {}
if description is not None:
_args["description"] = description
if gid is not None:
_args["gidnumber"] = str(gid)
if nonposix is not None:
_args["nonposix"] = nonposix
if external is not None:
_args["external"] = external
if nomembers is not None:
_args["nomembers"] = nomembers
return _args
def gen_member_args(user, group, service):
_args = {}
if user is not None:
_args["member_user"] = user
if group is not None:
_args["member_group"] = group
if service is not None:
_args["member_service"] = service
return _args
def main():
ansible_module = AnsibleModule(
argument_spec=dict(
# general
ipaadmin_principal=dict(type="str", default="admin"),
ipaadmin_password=dict(type="str", required=False, no_log=True),
name=dict(type="list", aliases=["cn"], default=None,
required=True),
# present
description=dict(type="str", default=None),
gid=dict(type="int", aliases=["gidnumber"], default=None),
nonposix=dict(required=False, type='bool', default=None),
external=dict(required=False, type='bool', default=None),
nomembers=dict(required=False, type='bool', default=None),
user=dict(required=False, type='list', default=None),
group=dict(required=False, type='list', default=None),
service=dict(required=False, type='list', default=None),
action=dict(type="str", default="group",
choices=["member", "group"]),
# state
state=dict(type="str", default="present",
choices=["present", "absent",
"member_present", "member_absent"]),
),
supports_check_mode=True,
)
ansible_module._ansible_debug = True
# Get parameters
# general
ipaadmin_principal = ansible_module.params.get("ipaadmin_principal")
ipaadmin_password = ansible_module.params.get("ipaadmin_password")
names = ansible_module.params.get("name")
# present
description = ansible_module.params.get("description")
gid = ansible_module.params.get("gid")
nonposix = ansible_module.params.get("nonposix")
external = ansible_module.params.get("external")
nomembers = ansible_module.params.get("nomembers")
user = ansible_module.params.get("user")
group = ansible_module.params.get("group")
service = ansible_module.params.get("service")
action = ansible_module.params.get("action")
# state
state = ansible_module.params.get("state")
# Check parameters
if state == "present":
if len(names) != 1:
ansible_module.fail_json(
msg="Onle one group can be added at a time.")
if action == "member":
invalid = [ "description", "gid", "nonposix", "external",
"nomembers" ]
for x in invalid:
if vars()[x] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with action "
"'%s'" % (x, action))
if state == "absent":
if len(names) < 1:
ansible_module.fail_json(
msg="No name given.")
invalid = [ "description", "gid", "nonposix", "external", "nomembers" ]
if action == "group":
invalid.extend(["user", "group", "service"])
for x in invalid:
if vars()[x] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with state '%s'" % \
(x, state))
# Init
changed = False
exit_args = { }
ccache_dir = None
ccache_name = None
try:
if not valid_creds(ipaadmin_principal):
ccache_dir, ccache_name = temp_kinit(ipaadmin_principal,
ipaadmin_password)
api_connect()
commands = []
for name in names:
# Make sure group exists
res_find = find_group(ansible_module, name)
#ansible_module.warn("res_find: %s" % repr(res_find))
# Create command
if state == "present":
# Generate args
args = gen_args(description, gid, nonposix, external,
nomembers)
if action == "group":
# Found the group
if res_find is not None:
# For all settings is args, check if there are
# different settings in the find result.
# If yes: modify
if not compare_args_ipa(ansible_module, args,
res_find):
commands.append([name, "group_mod", args])
else:
commands.append([name, "group_add", args])
# Set res_find to empty dict for next step
res_find = {}
member_args = gen_member_args(user, group, service)
if not compare_args_ipa(ansible_module, member_args,
res_find):
# Generate addition and removal lists
user_add = list(
set(user or []) -
set(res_find.get("member_user", [])))
user_del = list(
set(res_find.get("member_user", [])) -
set(user or []))
group_add = list(
set(group or []) -
set(res_find.get("member_group", [])))
group_del = list(
set(res_find.get("member_group", [])) -
set(group or []))
service_add = list(
set(service or []) -
set(res_find.get("member_service", [])))
service_del = list(
set(res_find.get("member_service", [])) -
set(service or []))
# Add members
if len(user_add) > 0 or len(group_add) > 0 or \
len(service_add) > 0:
commands.append([name, "group_add_member",
{
"user": user_add,
"group": group_add,
"service": service_add,
}])
# Remove members
if len(user_del) > 0 or len(group_del) > 0 or \
len(service_del) > 0:
commands.append([name, "group_remove_member",
{
"user": user_del,
"group": group_del,
"service": service_del,
}])
elif action == "member":
user_add = list(
set(user or []) -
set(res_find.get("member_user", [])))
group_add = list(
set(group or []) -
set(res_find.get("member_group", [])))
service_add = list(
set(service or []) -
set(res_find.get("member_service", [])))
# Add members
if len(user_add) > 0 or len(group_add) > 0 or \
len(service_add) > 0:
commands.append([name, "group_add_member",
{
"user": user,
"group": group,
"service": service,
}])
elif state == "absent":
if action == "group":
if res_find is not None:
commands.append([name, "group_del", {}])
elif action == "member":
# Remove intersection member
user_del = list(
set(user or []) &
set(res_find.get("member_user", [])))
group_del = list(
set(group or []) &
set(res_find.get("member_group", [])))
service_del = list(
set(service or []) &
set(res_find.get("member_service", [])))
# Remove members
if len(user_del) > 0 or len(group_del) > 0 or \
len(service_del) > 0:
commands.append([name, "group_remove_member",
{
"user": user,
"group": group,
"service": service,
}])
else:
ansible_module.fail_json(msg="Unkown state '%s'" % state)
# Execute commands
for name, command, args in commands:
try:
result = api_command(ansible_module, command,
to_text(name), args)
changed = True
except Exception as e:
ansible_module.fail_json(msg="%s: %s: %s" % (command, name,
str(e)))
#except Exception as e:
# ansible_module.fail_json(msg=str(e))
finally:
temp_kdestroy(ccache_dir, ccache_name)
# Done
ansible_module.exit_json(changed=changed, **exit_args)
if __name__ == "__main__":
main()

237
plugins/modules/ipatopologysegment.py
View File

@@ -32,16 +32,16 @@ module: ipatopologysegment
short description: Manage FreeIPA topology segments
description: Manage FreeIPA topology segments
options:
principal:
ipaadmin_principal:
description: The admin principal
default: admin
password:
ipaadmin_password:
description: The admin password
required: false
suffix:
description: Topology suffix
required: true
choices: ["domain", "ca"]
choices: ["domain", "ca", "domain+ca"]
name:
description: Topology segment name, unique identifier.
required: false
@@ -59,7 +59,8 @@ options:
state:
description: State to ensure
default: present
choices: ["present", "absent", "enabled", "disabled", "reinitialized"]
choices: ["present", "absent", "enabled", "disabled", "reinitialized"
"checked" ]
author:
- Thomas Woerner
"""
@@ -87,9 +88,29 @@ EXAMPLES = """
name: ipaserver.test.local-to-replica1.test.local
direction: left-to-right
state: reinitialized
- ipatopologysegment:
suffix: domain+ca
left: ipaserver.test.local
right: ipareplica1.test.local
state: absent
- ipatopologysegment:
suffix: domain+ca
left: ipaserver.test.local
right: ipareplica1.test.local
state: checked
"""
RETURN = """
found:
description: List of found segments
returned: if state is checked
type: list
not-found:
description: List of not found segments
returned: if state is checked
type: list
"""
from ansible.module_utils.basic import AnsibleModule
@@ -128,13 +149,33 @@ def find_cn(module, suffix, name):
else:
return None
def find_left_right_cn(module, suffix, left, right, name):
if left is not None and right is not None:
left_right = find_left_right(module, suffix, left, right)
if left_right is not None:
if name is not None and \
left_right["cn"][0] != to_text(name):
module.fail_json(
msg="Left and right nodes do not match "
"given name name (cn) '%s'" % name)
return left_right
# else: Nothing to change
elif name is not None:
cn = find_cn(module, suffix, name)
if cn is not None:
return cn
# else: Nothing to change
else:
module.fail_json(
msg="Either left and right or name need to be set.")
return None
def main():
ansible_module = AnsibleModule(
argument_spec=dict(
principal=dict(type="str", default="admin"),
password=dict(type="str", required=False, no_log=True),
suffix=dict(choices=["domain", "ca"], required=True),
ipaadmin_principal=dict(type="str", default="admin"),
ipaadmin_password=dict(type="str", required=False, no_log=True),
suffix=dict(choices=["domain", "ca", "domain+ca"], required=True),
name=dict(type="str", aliases=["cn"], default=None),
left=dict(type="str", aliases=["leftnode"], default=None),
right=dict(type="str", aliases=["rightnode"], default=None),
@@ -142,7 +183,7 @@ def main():
choices=["left-to-right", "right-to-left"]),
state=dict(type="str", default="present",
choices=["present", "absent", "enabled", "disabled",
"reinitialized"]),
"reinitialized", "checked"]),
),
supports_check_mode=True,
)
@@ -151,9 +192,9 @@ def main():
# Get parameters
principal = ansible_module.params.get("principal")
password = ansible_module.params.get("password")
suffix = ansible_module.params.get("suffix")
ipaadmin_principal = ansible_module.params.get("ipaadmin_principal")
ipaadmin_password = ansible_module.params.get("ipaadmin_password")
suffixes = ansible_module.params.get("suffix")
name = ansible_module.params.get("name")
left = ansible_module.params.get("left")
right = ansible_module.params.get("right")
@@ -169,107 +210,109 @@ def main():
# Init
changed = False
exit_args = { }
ccache_dir = None
ccache_name = None
try:
if not valid_creds(principal):
ccache_dir, ccache_name = temp_kinit(principal, password)
if not valid_creds(ipaadmin_principal):
ccache_dir, ccache_name = temp_kinit(ipaadmin_principal,
ipaadmin_password)
api_connect()
command = None
commands = []
# Get name (cn) from left and right node if set for absent, disabled
# or reinitialized.
if state in ["absent", "disabled", "reinitialized"]:
if left is not None and right is not None:
left_right = find_left_right(ansible_module, suffix,
left, right)
if left_right is not None:
if name is not None and \
left_right["cn"][0] != to_text(name):
ansible_module.fail_json(
msg="Left and right nodes do not match "
"given name name (cn) '%s'" % name)
args = {
"cn": left_right["cn"][0]
}
# else: Nothing to change
elif name is not None:
result = find_cn(ansible_module, suffix, name)
if result is not None:
args = {
"cn": result["cn"][0]
}
# else: Nothing to change
else:
ansible_module.fail_json(
msg="Either left and right or name need to be set.")
for suffix in suffixes.split("+"):
# Create command
if state in ["present", "enabled"]:
# Make sure topology segment exists
# Create command
if state in ["present", "enabled"]:
# Make sure topology segment exists
if left is None or right is None:
ansible_module.fail_json(
msg="Left and right need to be set.")
args = {
"iparepltoposegmentleftnode": to_text(left),
"iparepltoposegmentrightnode": to_text(right),
}
if name is not None:
args["cn"] = to_text(name)
res_left_right = find_left_right(ansible_module, suffix,
left, right)
if res_left_right is not None:
if name is not None and \
res_left_right["cn"][0] != to_text(name):
if left is None or right is None:
ansible_module.fail_json(
msg="Left and right nodes already used with "
"different name (cn) '%s'" % res_left_right["cn"])
msg="Left and right need to be set.")
args = {
"iparepltoposegmentleftnode": to_text(left),
"iparepltoposegmentrightnode": to_text(right),
}
if name is not None:
args["cn"] = to_text(name)
# Left and right nodes and also the name can not be
# changed
for key in [ "iparepltoposegmentleftnode",
"iparepltoposegmentrightnode" ]:
if key in args:
del args[key]
if len(args) > 1:
# cn needs to be in args always
command = "topologysegment_mod"
# else: Nothing to change
else:
if name is None:
args["cn"] = to_text("%s-to-%s" % (left, right))
command = "topologysegment_add"
res_left_right = find_left_right(ansible_module, suffix,
left, right)
if res_left_right is not None:
if name is not None and \
res_left_right["cn"][0] != to_text(name):
ansible_module.fail_json(
msg="Left and right nodes already used with "
"different name (cn) '%s'" % res_left_right["cn"])
elif state in ["absent", "disabled"]:
# Make sure topology segment does not exist
if len(args) > 0:
# Either name defined or found name from left and right node
command = "topologysegment_del"
elif state == "reinitialized":
# Reinitialize segment
if len(args) > 0:
# Either name defined or found name from left and right node
command = "topologysegment_reinitialize"
if direction == "left-to-right":
args["left"] = True
elif direction == "right-to-left":
args["right"] = True
# Left and right nodes and also the name can not be
# changed
for key in [ "iparepltoposegmentleftnode",
"iparepltoposegmentrightnode" ]:
if key in args:
del args[key]
if len(args) > 1:
# cn needs to be in args always
commands.append(["topologysegment_mod", args])
# else: Nothing to change
else:
if name is None:
args["cn"] = to_text("%s-to-%s" % (left, right))
commands.append(["topologysegment_add", args])
elif state in ["absent", "disabled"]:
# Make sure topology segment does not exist
res_find = find_left_right_cn(ansible_module, suffix,
left, right, name)
if res_find is not None:
# Found either given name or found name from left and right
# node
args = {
"cn": res_find["cn"][0]
}
commands.append(["topologysegment_del", args])
elif state == "checked":
# Check if topology segment does exists
res_find = find_left_right_cn(ansible_module, suffix,
left, right, name)
if res_find is not None:
# Found either given name or found name from left and right
# node
exit_args.setdefault("found", []).append(suffix)
else:
# Not found
exit_args.setdefault("not-found", []).append(suffix)
elif state == "reinitialized":
# Reinitialize segment
if direction not in [ "left-to-right", "right-to-left" ]:
ansible_module.fail_json(msg="Unknown direction '%s'" %
direction)
else:
ansible_module.fail_json(msg="Unkown state '%s'" % state)
res_find = find_left_right_cn(ansible_module, suffix,
left, right, name)
if res_find is not None:
# Found either given name or found name from left and right
# node
args = {
"cn": res_find["cn"][0]
}
if direction == "left-to-right":
args["left"] = True
elif direction == "right-to-left":
args["right"] = True
commands.append(["topologysegment_reinitialize", args])
else:
ansible_module.fail_json(msg="Unkown state '%s'" % state)
# Execute command
if command is not None:
for command, args in commands:
result = api_command(ansible_module, command,
to_text(suffix), args)
changed = True
@@ -282,7 +325,7 @@ def main():
# Done
ansible_module.exit_json(changed=changed)
ansible_module.exit_json(changed=changed, **exit_args)
if __name__ == "__main__":
main()

14
plugins/modules/ipatopologysuffix.py
View File

@@ -32,10 +32,10 @@ module: ipatopologysuffix
short description: Verify FreeIPA topology suffix
description: Verify FreeIPA topology suffix
options:
principal:
ipaadmin_principal:
description: The admin principal
default: admin
password:
ipaadmin_password:
description: The admin password
required: false
suffix:
@@ -66,8 +66,8 @@ from ansible.module_utils.ansible_freeipa_module import execute_api_command
def main():
ansible_module = AnsibleModule(
argument_spec=dict(
principal=dict(type="str", default="admin"),
password=dict(type="str", required=False, no_log=True),
ipaadmin_principal=dict(type="str", default="admin"),
ipaadmin_password=dict(type="str", required=False, no_log=True),
suffix=dict(choices=["domain", "ca"], required=True),
state=dict(type="str", default="verified",
choices=["verified"]),
@@ -79,8 +79,8 @@ def main():
# Get parameters
principal = ansible_module.params.get("principal")
password = ansible_module.params.get("password")
ipaadmin_principal = ansible_module.params.get("ipaadmin_principal")
ipaadmin_password = ansible_module.params.get("ipaadmin_password")
suffix = ansible_module.params.get("suffix")
state = ansible_module.params.get("state")
@@ -98,7 +98,7 @@ def main():
# Execute command
execute_api_command(ansible_module, principal, password,
execute_api_command(ansible_module, ipaadmin_principal, ipaadmin_password,
command, to_text(suffix), args)
# Done

457
plugins/modules/ipauser.py Normal file
View File

@@ -0,0 +1,457 @@
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# Copyright (C) 2019 Red Hat
# see file 'COPYING' for use and warranty information
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
ANSIBLE_METADATA = {
"metadata_version": "1.0",
"supported_by": "community",
"status": ["preview"],
}
DOCUMENTATION = """
---
module: ipauser
short description: Manage FreeIPA users
description: Manage FreeIPA users
options:
ipaadmin_principal:
description: The admin principal
default: admin
ipaadmin_password:
description: The admin password
required: false
name:
description: The list of users (internally uid).
required: false
first:
description: The first name
required: false
aliases: ["givenname"]
last:
description: The last name
required: false
fullname:
description: The full name
required: false
aliases: ["cn"]
displayname:
description: The display name
required: false
homedir:
description: The home directory
required: false
shell:
description: The login shell
required: false
aliases: ["loginshell"]
email:
description: List of email addresses
required: false
principalname:
description: The kerberos principal
required: false
aliases: ["krbprincipalname"]
passwordexpiration:
description:
- The kerberos password expiration date
- (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,
- YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
- YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped.
required: false
aliases: ["krbpasswordexpiration"]
password:
description: The user password
required: false
uid:
description: The UID
required: false
aliases: ["uidnumber"]
gid:
description: The GID
required: false
aliases: ["gidnumber"]
phone:
description: List of telephone numbers
required: false
aliases: ["telephonenumber"]
title:
description: The job title
required: false
#sshpubkey:
# description: List of SSH public keys
# required: false
# aliases: ["ipasshpubkey"]
# ..
update_password:
description: Set password for a user in present state only on creation or always
default: 'always'
choices: ["always", "on_create"]
preserve:
description: Delete a user, keeping the entry available for future use
required: false
state:
description: State to ensure
default: present
choices: ["present", "absent",
"enabled", "disabled",
"unlocked", "undeleted"]
author:
- Thomas Woerner
"""
EXAMPLES = """
# Create user pinky
- ipauser:
ipaadmin_password: MyPassword123
name: pinky
first: pinky
last: Acme
uid: 10001
gid: 100
phone: "+555123457"
email: pinky@acme.com
passwordexpiration: "2023-01-19 23:59:59"
password: "no-brain"
update_password: on_create
# Create user brain
- ipauser:
ipaadmin_password: MyPassword123
name: brain
first: brain
last: Acme
# Delete user pinky, but preserved
- ipauser:
ipaadmin_password: MyPassword123
name: pinky
preserve: yes
state: absent
# Undelete user pinky
- ipauser:
ipaadmin_password: MyPassword123
name: pinky
state: undeleted
# Disable user pinky
- ipauser:
ipaadmin_password: MyPassword123
name: pinky,brain
state: disabled
# Enable user pinky and brain
- ipauser:
ipaadmin_password: MyPassword123
name: pinky,brain
state: enabled
# Remove user pinky and brain
- ipauser:
ipaadmin_password: MyPassword123
name: pinky,brain
state: disabled
"""
RETURN = """
"""
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils._text import to_bytes, to_native, to_text
from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
temp_kdestroy, valid_creds, api_connect, api_command, date_format, \
compare_args_ipa
def find_user(module, name, preserved=False):
#module.warn("find_user(.., %s)" % to_text(name))
_args = {
"all": True,
"uid": to_text(name),
}
if preserved:
_args["preserved"] = preserved
_result = api_command(module, "user_find", to_text(name), _args)
if len(_result["result"]) > 1:
module.fail_json(
msg="There is more than one user '%s'" % (name))
elif len(_result["result"]) == 1:
return _result["result"][0]
else:
return None
def gen_args(first, last, fullname, displayname, homedir, shell, emails,
principalname, passwordexpiration, password, uid, gid,
phones, title, sshpubkey):
_args = {}
if first is not None:
_args["givenname"] = first
if last is not None:
_args["sn"] = last
if fullname is not None:
_args["cn"] = fullname
if displayname is not None:
_args["displayname"] = displayname
if homedir is not None:
_args["homedirectory"] = homedir
if shell is not None:
_args["loginshell"] = shell
if emails is not None and len(emails) > 0:
_args["mail"] = emails
if principalname is not None:
_args["krbprincipalname"] = principalname
if passwordexpiration is not None:
_args["krbpasswordexpiration"] = passwordexpiration
if password is not None:
_args["userpassword"] = password
if uid is not None:
_args["uidnumber"] = str(uid)
if gid is not None:
_args["gidnumber"] = str(gid)
if phones is not None and len(phones) > 0:
_args["telephonenumber"] = phones
if title is not None:
_args["title"] = title
if sshpubkey is not None:
_args["ipasshpubkey"] = sshpubkey
return _args
def main():
ansible_module = AnsibleModule(
argument_spec=dict(
# general
ipaadmin_principal=dict(type="str", default="admin"),
ipaadmin_password=dict(type="str", required=False, no_log=True),
name=dict(type="list", aliases=["login"], default=None,
required=True),
# present
first=dict(type="str", aliases=["givenname"], default=None),
last=dict(type="str", default=None),
fullname=dict(type="str", aliases=["cn"], default=None),
displayname=dict(type="str", default=None),
homedir=dict(type="str", default=None),
shell=dict(type="str", aliases=["loginshell"], default=None),
email=dict(type="list", default=None),
principalname=dict(type="str", aliases=["krbprincipalname"],
default=None),
passwordexpiration=dict(type="str",
aliases=["krbpasswordexpiration"],
default=None),
password=dict(type="str", default=None, no_log=True),
uid=dict(type="int", aliases=["uidnumber"], default=None),
gid=dict(type="int", aliases=["gidnumber"], default=None),
phone=dict(type="list", aliases=["telephonenumber"], default=None),
title=dict(type="str", default=None),
#sshpubkey=dict(type="list", aliases=["ipasshpubkey"],
# default=None),
update_password=dict(type='str', default=None,
choices=['always', 'on_create']),
# deleted
preserve=dict(required=False, type='bool', default=None),
# state
state=dict(type="str", default="present",
choices=["present", "absent", "enabled", "disabled",
"unlocked", "undeleted"]),
),
supports_check_mode=True,
)
ansible_module._ansible_debug = True
# Get parameters
# general
ipaadmin_principal = ansible_module.params.get("ipaadmin_principal")
ipaadmin_password = ansible_module.params.get("ipaadmin_password")
names = ansible_module.params.get("name")
# present
first = ansible_module.params.get("first")
last = ansible_module.params.get("last")
fullname = ansible_module.params.get("fullname")
displayname = ansible_module.params.get("displayname")
homedir = ansible_module.params.get("homedir")
shell = ansible_module.params.get("shell")
emails = ansible_module.params.get("email")
principalname = ansible_module.params.get("principalname")
passwordexpiration = ansible_module.params.get("passwordexpiration")
if passwordexpiration is not None:
if passwordexpiration[:-1] != "Z":
passwordexpiration = "%sZ" % passwordexpiration
passwordexpiration = date_format(passwordexpiration)
password = ansible_module.params.get("password")
uid = ansible_module.params.get("uid")
gid = ansible_module.params.get("gid")
phones = ansible_module.params.get("phone")
title = ansible_module.params.get("title")
sshpubkey = ansible_module.params.get("sshpubkey")
update_password = ansible_module.params.get("update_password")
# deleted
preserve = ansible_module.params.get("preserve")
# state
state = ansible_module.params.get("state")
# Check parameters
if state == "present":
if len(names) != 1:
ansible_module.fail_json(
msg="Onle one user can be added at a time.")
if first is None:
ansible_module.fail_json(msg="First name is needed")
if last is None:
ansible_module.fail_json(msg="Last name is needed")
if state == "absent":
if len(names) < 1:
ansible_module.fail_json(
msg="No name given.")
for x in [ "first", "last", "fullname", "displayname", "homedir",
"shell", "emails", "principalname", "passwordexpiration",
"password", "uid", "gid", "phones", "title", "sshpubkey",
"update_password" ]:
if vars()[x] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with state '%s'" % \
(x, state))
else:
if preserve is not None:
ansible_module.fail_json(
msg="Preserve is only possible for state=absent")
if update_password is None:
update_password = "always"
# Init
changed = False
exit_args = { }
ccache_dir = None
ccache_name = None
try:
if not valid_creds(ipaadmin_principal):
ccache_dir, ccache_name = temp_kinit(ipaadmin_principal,
ipaadmin_password)
api_connect()
commands = []
for name in names:
# Make sure user exists
res_find = find_user(ansible_module, name)
# Also search for preserved user
res_find_preserved = find_user(ansible_module, name,
preserved=True)
#ansible_module.warn("res_find: %s" % repr(res_find))
# Create command
if state == "present":
# Generate args
args = gen_args(
first, last, fullname, displayname, homedir, shell, emails,
principalname, passwordexpiration, password, uid, gid,
phones, title, sshpubkey)
# Also check preserved users
if res_find is None and res_find_preserved is not None:
res_find = res_find_preserved
# Found the user
if res_find is not None:
# Ignore password with update_password == on_create
if update_password == "on_create" and \
"userpassword" in args:
del args["userpassword"]
# For all settings is args, check if there are
# different settings in the find result.
# If yes: modify
if not compare_args_ipa(ansible_module, args, res_find):
commands.append([name, "user_mod", args])
else:
commands.append([name, "user_add", args])
elif state == "absent":
# Also check preserved users
if res_find is None and res_find_preserved is not None:
res_find = res_find_preserved
if res_find is not None:
args = {}
if preserve is not None:
args["preserve"] = preserve
commands.append([name, "user_del", args])
elif state == "undeleted":
if res_find_preserved is not None:
commands.append([name, "user_undel", {}])
else:
raise ValueError("No preserved user '%s'" % name)
elif state == "enabled":
if res_find is not None:
if res_find["nsaccountlock"] == True:
commands.append([name, "user_enable", {}])
else:
raise ValueError("No disabled user '%s'" % name)
elif state == "disabled":
if res_find is not None:
if res_find["nsaccountlock"] == False:
commands.append([name, "user_disable", {}])
else:
raise ValueError("No user '%s'" % name)
elif state == "unlocked":
if res_find is not None:
commands.append([name, "user_unlock", {}])
else:
ansible_module.fail_json(msg="Unkown state '%s'" % state)
# Execute commands
for name, command, args in commands:
try:
result = api_command(ansible_module, command,
to_text(name), args)
changed = True
except Exception as e:
ansible_module.fail_json(msg="%s: %s: %s" % (command, name,
str(e)))
except Exception as e:
ansible_module.fail_json(msg=str(e))
finally:
temp_kdestroy(ccache_dir, ccache_name)
# Done
ansible_module.exit_json(changed=changed, **exit_args)
if __name__ == "__main__":
main()

188
roles/ipaclient/README.md
View File

@@ -1,13 +1,47 @@
ipaclient role
==============
Description
-----------
This [Ansible](https://www.ansible.com/) role allows to join hosts as clients to an IPA domain. This can be done in differnt ways using auto-discovery of the servers, domain and other settings or by specifying them.
**Note**: The ansible playbooks and role require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
Features
--------
* Client deployment
* One-time-password (OTP) support
* Repair mode
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.5 and up are supported by the client role. There is also limited support for verison 4.4.
Supported Distributions
-----------------------
* RHEL/CentOS 7.4+
* Fedora 26+
* Ubuntu
Requirements
------------
**Controller**
* Ansible version: 2.8+
* /usr/bin/kinit is required on the controller if a one time password (OTP) is used
* python3-gssapi is required on the controller if a one time password (OTP) is used to install the client.
**Node**
* Supported FreeIPA version (see above)
* Supported distribution (needed for package installation only, see above)
This role allows to join hosts as clients to an IPA domain. This can be done in differnt ways using auto-discovery of the servers, domain and other settings or by specifying them.
Usage
-----
=====
Example inventory file with fixed principal using auto-discovery with DNS records:
@@ -74,78 +108,74 @@ Example playbook to setup the IPA client(s) using principal and password from in
state: present
```
Playbooks
=========
The playbooks needed to deploy or undeploy a client are part of the repository in the playbooks folder. There are also playbooks to deploy and undeploy clusters.
```
install-client.yml
uninstall-client.yml
```
Please remember to link or copy the playbooks to the base directory of ansible-freeipa if you want to use the roles within the source archive.
How to setup a client
---------------------
```bash
ansible-playbook -v -i inventory/hosts install-client.yml
```
This will deploy the clients defined in the inventory file.
Variables
---------
=========
### `ipaclients`
Base Variables
--------------
The mandatory `ipaclients` group is a list of the names of the IPA clients in FQDN form. All these clients will be installed or configured using the playbook.
Variable | Description | Required
-------- | ----------- | --------
`ipaclients` | This group is a list of the names of the IPA clients in FQDN form. All these clients will be installed or configured using the playbook. | yes
`ipaclient_domain` | This string value sets the DNS domain that will be used for client installation. Usually the DNS domain is a lower-cased name of the Kerberos realm. If the role is for example used in a cluster inventory and `ipaserver_domain` is set, then it will be used. | no
`ipaclient_realm` | This string value sets the Kerberos realm that will be used for client installation. Usually the Kerberos realm is an upper-cased name of the DNS domain. If the role is for example used in a cluster inventory and `ipaserver_realm` is set, then it will be used. If `ipaclient_realm` is not set, then it will be generated from `ipaclient_domain` if this is set. | no
`ipaclient_mkhomedir` | This bool value defines if PAM will be configured to create a users home directory if it does not exist. `ipaclient_mkhomedir` defaults to `no`. | no
`ipaclient_force_join` | This bool value defines if an already enrolled host can join again. `ipaclient_force_join` defaults to `no`. | no
`ipaclient_kinit_attempts` | The int value defines the number of tries to repeat the request for a failed host Kerberos ticket. `ipaclient_kinit_attempts` defaults to 5.| no
`ipaclient_ntp_servers` | The list defines the NTP servers to be used. | no
`ipaclient_ntp_pool` | The string value defines the ntp server pool to be used. | no
`ipaclient_no_ntp` | The bool value defines if NTP will not be configured and enabled. `ipaclient_no_ntp` defaults to `no`. | no
`ipaclient_ssh_trust_dns` | The bool value defines if OpenSSH client will be configured to trust DNS SSHFP records. `ipaclient_ssh_trust_dns` defaults to `no`. | no
`ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. `ipaclient_no_ssh` defaults to `no`. | no
`ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. `ipaclient_no_sshd` defaults to `no`. | no
`ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. `ipaclient_no_sudo` defaults to `no`. | no
`ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. `ipaclient_no_dns_sshfp` defaults to `no`. | no
`ipaclient_force` | The bool value defines if settings will be forced even in the error case. `ipaclient_force` defaults to `no`. | no
`ipaclient_force_ntpd` | The bool value defines if ntpd usage will be forced. This is not supported anymore and leads to a warning. `ipaclient_force_ntpd` defaults to `no`. | no
`ipaclient_nisdomain` | This string value defines the NIS domain name. | no
`ipaclient_no_nisdomain` | The bool value defines if the NIS domain name will not be configured. `ipaclient_no_nisdomain` defaults to `no`. | no
`ipaclient_configure_firefox` | The bool value defines if Firefox will be configured to use IPA domain credentials. `ipaclient_configure_firefox` defaults to `no`. | no
`ipaclient_firefox_dir` | The string value defines the Firefox installation directory. For example: '/usr/lib/firefox'. | no
`ipaclient_all_ip_addresses` | The bool value defines if DNS A/AAAA records for each IP address on the client will be created. `ipaclient_all_ip_addresses` defaults to `no`. | no
`ipasssd_fixed_primary` | The bool value defines if SSSD will be configured to use a fixed server as the primary IPA server. `ipasssd_fixed_primary` defaults to `no`. | no
`ipasssd_permit` | The bool value defines if SSSD will be configured to permit all access. Otherwise the machine will be controlled by the Host-based Access Controls (HBAC) on the IPA server. `ipasssd_permit` defaults to `no`. | no
`ipasssd_enable_dns_updates` | The bool value tells SSSD to automatically update DNS with the IP address of this client. `ipasssd_enable_dns_updates` defaults to `no`. | no
`ipasssd_no_krb5_offline_passwords` | The bool value defines if SSSD will be configured not to store user password when the server is offline . `ipasssd_no_krb5_offline_passwords` defaults to `no`. | no
`ipasssd_preserve_sssd` | The bool value defines if the old SSSD configuration will be preserved if it is not possible to merge it with a new one. `ipasssd_preserve_sssd` defaults to `no`. | no
`ipaclient_request_cert` | The bool value defines if the certificate for the machine wil be requested. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host". . `ipaclient_request_cert` defaults to `no`. The option is deprecated and will be removed in a future release. | no
`ipaclient_keytab` | The string value contains the path on the node of a backup host keytab from a previous enrollment. | no
### `ipaclient_domain`
The optional `ipaclient_domain` variable sets the DNS domain that will be used for client installation. Usually the DNS domain is a lower-cased name of the Kerberos realm.
If `ipaclient_domain` is not set, then it will be generated from the domain part of the first entry from the `ipaservers` FQDN group if the group is defined and contains at least one entry. If `ipaservers` is not defined, then the domain will be tried to gather using DNS autodiscovery. `ipaclient_domain` needs to be set if the primary DNS domain is different from domain part of the server FQDN.
### `ipaclient_realm`
The optional `ipaclient_realm` sets the Kerberos realm that will be used for client installation. Usually the Kerberos realm is an upper-cased name of the DNS domain.
If `ipaclient_realm` is not set, then it will be generated from `ipaclient_domain` if this is set. If both are not set, then this
### `ipaclient_keytab`
The optional `ipaclient_keytab` contains the path of a backup host keytab from a previous enrollment.
### `ipaclient_force_join`
The `ipaclient_force_join` bool value defines if an already enrolled host can join again. `ipaclient_force_join` defaults to `no`.
### `ipaclient_use_otp`
The `ipaclient_use_otp` bool value defines if a one-time password will be generated to join a new or existing host. `ipaclient_use_otp` defaults to `no`.
The enforcement on an existing host is not done if there is a working krb5.keytab on the host. If the generation of an otp is enforced for an existing host entry, then the host gets diabled and the containing keytab gets removed.
### `ipaclient_allow_repair`
The `ipaclient_allow_repair` bool value defines if an already joined or partly set-up client can be repaired. `ipaclient_allow_repair` defaults to `no`.
Contrary to `ipaclient_force_join=yes` the host entry will not be changed on the server.
### `ipaclient_kinit_attempts`
The optional `ipaclient_kinit_attempts` defines the number of tries to repeat the request for a failed host Kerberos ticket. `ipaclient_kinit_attempts` defaults to 3.
### `ipaclient_no_ntp`
The `ipaclient_no_ntp` bool value defines if NTP will not be configured and enabled. `ipaclient_no_ntp` defaults to `no`.
### `ipaclient_mkhomedir`
The `ipaclient_mkhomedir` bool value defines if PAM will be configured to create a users home directory if it does not exist. `ipaclient_mkhomedir` defaults to `no`.
Server Variables
----------------
### `ipaservers`
The optional `ipaservers` group is a list of the IPA server full qualified host names. In a topology with a chain of servers and replicas, it is important to use the right server or replica as the server for the client. If there is a need to overwrite the setting for a client in the `ipaclients` group, please use the list `ipaclient_servers` explained below.
If no `ipaservers` group is defined than the installation preparation step will try to use DNS autodiscovery to identify the the IPA server using DNS txt records.
### `ipaadmin_keytab`
The `ipaadmin_keytab` variable enables the use of an admin keytab as an alternativce authentication method. The variable needs to contain the local path to the keytab file. If `ipaadmin_keytab` is used, then `ipaadmin_password` does not need to be set.
### `ipaadmin_principal`
The optional `ipaadmin_principal` variable only needs to be set if the name of the Kerberos admin principal is not "admin". If `ipaadmin_principal` is not set it will be set internally to "admin".
### `ipaadmin_password`
The `ipaadmin_password` variable contains the Kerberos password of the Kerberos admin principal. If `ipaadmin_keytab` is used, then `ipaadmin_password` does not need to be set.
Variable | Description | Required
-------- | ----------- | --------
`ipaservers` | This group is a list of the IPA server full qualified host names. In a topology with a chain of servers and replicas, it is important to use the right server or replica as the server for the client. If there is a need to overwrite the setting for a client in the `ipaclients` group, please use the list `ipaclient_servers` explained below. If no `ipaservers` group is defined than the installation preparation step will try to use DNS autodiscovery to identify the the IPA server using DNS txt records. | mostly
`ipaadmin_keytab` | The string variable enables the use of an admin keytab as an alternativce authentication method. The variable needs to contain the local path to the keytab file. If `ipaadmin_keytab` is used, then `ipaadmin_password` does not need to be set. If `ipaadmin_keytab` is used with `ipaclient_use_otp: yes` then the keytab needs to be available on the contoller, else on the client node. The use of full path names is recommended. | no
`ipaadmin_principal` | The string variable only needs to be set if the name of the Kerberos admin principal is not "admin". If `ipaadmin_principal` is not set it will be set internally to "admin". | no
`ipaadmin_password` | The string variable contains the Kerberos password of the Kerberos admin principal. If `ipaadmin_keytab` is used, then `ipaadmin_password` does not need to be set. | mostly
Topology Variables
@@ -153,21 +183,25 @@ Topology Variables
These variables can be used to define or change how clients are arranged within a cluster for example.
### `ipaclient_no_dns_lookup`
Variable | Description | Required
-------- | ----------- | --------
`ipaclient_no_dns_lookup` | The bool value defines if the `ipaservers` group will be used as servers for the clients automatically. If enabled this deactivates DNS lookup in Kerberos in client installations. `ipaclient_no_dns_lookup` defauults to `no`. | no
`ipaclient_servers` | The optional list can be used to manually override list of servers on a per client basis. The list of servers is normally taken from from `ipaservers` group. | no
The `ipaclient_no_dns_lookup` bool value defines if the `ipaservers` group will be used as servers for the clients automatically. If enabled this deactivates DNS lookup in Kerberos in client installations. `ipaclient_no_dns_lookup` defauults to `no`.
### `ipaclient_servers`
Special Variables
-----------------
The optional `ipaclient_servers` varaible can be used to manually override list of servers on a per client basis. The list of servers is normally taken from from `ipaservers` group.
Variable | Description | Required
-------- | ----------- | --------
`ipaclient_use_otp` | The bool value defines if a one-time password will be generated to join a new or existing host. `ipaclient_use_otp` defaults to `no`. The enforcement on an existing host is not done if there is a working krb5.keytab on the host. If the generation of an otp is enforced for an existing host entry, then the host gets diabled and the containing keytab gets removed. | no
`ipaclient_allow_repair` | The bool value defines if an already joined or partly set-up client can be repaired. `ipaclient_allow_repair` defaults to `no`. Contrary to `ipaclient_force_join=yes` the host entry will not be changed on the server. | no
`ipaclient_install_packages` | The bool value defines if the needed packages are installed on the node. `ipaclient_install_packages` defaults to `yes`. | no
`ipaclient_on_master` | The bool value is only used in the server and replica installation process to install the client part. It should not be set otherwise. `ipaclient_on_master` defaults to `no`. | no
Requirements
------------
freeipa-client v4.4 or later
Authors
-------
=======
Florence Blanc-Renaud

19
roles/ipaclient/action_plugins/ipaclient_get_otp.py
View File

@@ -52,7 +52,8 @@ def run_cmd(args, stdin=None):
close_fds=True)
stdout, stderr = p.communicate(stdin)
return p.returncode
if p.returncode != 0:
raise RuntimeError(stderr)
def kinit_password(principal, password, ccache_name, config):
@@ -155,8 +156,6 @@ class ActionModule(ActionBase):
keytab = self._task.args.get('keytab', None)
password = self._task.args.get('password', None)
lifetime = self._task.args.get('lifetime', '1h')
ansible_python_interpreter = self._task.args.get('ansible_python_interpreter', None)
task_vars["ansible_python_interpreter"] = ansible_python_interpreter
if (not keytab and not password):
result['failed'] = True
@@ -169,7 +168,7 @@ class ActionModule(ActionBase):
return result
data = self._execute_module(module_name='ipaclient_get_facts', module_args=dict(),
task_vars={ "ansible_python_interpreter": ansible_python_interpreter })
task_vars=None)
try:
domain = data['ansible_facts']['ipa']['domain']
realm = data['ansible_facts']['ipa']['realm']
@@ -199,12 +198,14 @@ class ActionModule(ActionBase):
f.write(content)
if password:
# perform kinit -c ccache_name -l 1h principal
res = kinit_password(principal, password, ccache_name,
krb5conf_name)
if res:
try:
# perform kinit -c ccache_name -l 1h principal
kinit_password(principal, password, ccache_name,
krb5conf_name)
except Exception as e:
result['failed'] = True
result['msg'] = 'kinit %s with password failed' % principal
result['msg'] = 'kinit %s with password failed: %s' % \
(principal, to_native(e))
return result
else:

1
roles/ipaclient/library/ipaclient_fix_ca.py
View File

@@ -90,7 +90,6 @@ def main():
os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE
options.ca_cert_file = None
options.unattended = True
options.principal = None
options.force = False
options.password = None

4
roles/ipaclient/library/ipaclient_get_otp.py
View File

@@ -71,9 +71,6 @@ options:
ipaddress:
description: the IP address for the host
required: false
ansible_python_interpreter:
desciption: The ansible python interpreter used in the action plugin part, ignored here
required: false
requirements:
- gssapi on the Ansible controller
@@ -318,7 +315,6 @@ def main():
ipaddress = dict(required=False),
random = dict(default=False, type='bool'),
state = dict(default='present', choices=[ 'present', 'absent' ]),
ansible_python_interpreter = dict(required=False),
),
supports_check_mode=True,
)

45
roles/ipaclient/library/ipaclient_join.py
View File

@@ -60,6 +60,9 @@ options:
password:
description: The password to use if not using Kerberos to authenticate.
required: false
admin_keytab:
description: The path to a local admin keytab.
required: false
keytab:
description: The path to a backed-up host keytab from previous enrollment.
required: false
@@ -138,6 +141,7 @@ def main():
principal=dict(required=False),
password=dict(required=False, no_log=True),
keytab=dict(required=False),
admin_keytab=dict(required=False),
ca_cert_file=dict(required=False),
force_join=dict(required=False, type='bool'),
kinit_attempts=dict(required=False, type='int', default=5),
@@ -157,14 +161,17 @@ def main():
principal = module.params.get('principal')
password = module.params.get('password')
keytab = module.params.get('keytab')
admin_keytab = module.params.get('admin_keytab')
ca_cert_file = module.params.get('ca_cert_file')
kinit_attempts = module.params.get('kinit_attempts')
debug = module.params.get('debug')
if password is not None and password != "" and \
keytab is not None and keytab != "":
if password is not None and keytab is not None:
module.fail_json(msg="Password and keytab cannot be used together")
if password is None and admin_keytab is None:
module.fail_json(msg="Password or admin_keytab is needed")
client_domain = hostname[hostname.find(".")+1:]
nolog = tuple()
env = {'PATH': SECURE_PATH}
@@ -173,8 +180,7 @@ def main():
sssd = True
options.ca_cert_file = ca_cert_file
options.unattended = True
options.principal = principal if principal != "" else None
options.principal = principal
options.force = False
options.password = password
@@ -207,15 +213,32 @@ def main():
env['XMLRPC_TRACE_CURL'] = 'yes'
if force_join:
join_args.append("-f")
if principal:
if principal is not None:
if principal.find('@') == -1:
principal = '%s@%s' % (principal, realm)
try:
kinit_password(principal, password, ccache_name,
config=krb_name)
except RuntimeError as e:
module.fail_json(
msg="Kerberos authentication failed: {}".format(e))
if admin_keytab:
join_args.append("-f")
if not os.path.exists(admin_keytab):
module.fail_json(
msg="Keytab file could not be found: %s" % \
admin_keytab)
try:
kinit_keytab(principal,
admin_keytab,
ccache_name,
config=krb_name,
attempts=kinit_attempts)
except GSSError as e:
module.fail_json(
msg="Kerberos authentication failed: %s" % str(e))
else:
try:
kinit_password(principal, password, ccache_name,
config=krb_name)
except RuntimeError as e:
module.fail_json(
msg="Kerberos authentication failed: {}".format(e))
elif keytab:
join_args.append("-f")
if os.path.exists(keytab):

7
roles/ipaclient/library/ipaclient_setup_ntp.py
View File

@@ -124,7 +124,12 @@ def main():
if sync_time is not None:
if options.conf_ntp:
# Attempt to configure and sync time with NTP server (chrony).
synced_ntp = sync_time(options, fstore, statestore)
argspec = inspect.getargspec(sync_time)
if "options" not in argspec.args:
synced_ntp = sync_time(options.ntp_servers, options.ntp_pool,
fstore, statestore)
else:
synced_ntp = sync_time(options, fstore, statestore)
elif options.on_master:
# If we're on master skipping the time sync here because it was done
# in ipa-server-install

25
roles/ipaclient/library/ipaclient_test.py
View File

@@ -413,7 +413,6 @@ def main():
# root_logger
options.debug = False
options.unattended = not installer.interactive
if options.domain_name:
options.domain = normalize_hostname(installer.domain_name)
else:
@@ -493,9 +492,10 @@ def main():
try:
timeconf.check_timedate_services()
except timeconf.NTPConflictingService as e:
logger.info("WARNING: conflicting time&date synchronization service '{}'"
" will be disabled".format(e.conflicting_service))
logger.info("in favor of chronyd")
logger.info(
"WARNING: conflicting time&date synchronization service "
"'%s' will be disabled in favor of chronyd" % \
e.conflicting_service)
logger.info("")
except timeconf.NTPConfigurationError:
pass
@@ -801,6 +801,13 @@ def main():
# "Proceed with fixed values and no DNS discovery?", False):
# raise ScriptError(rval=CLIENT_INSTALL_ERROR)
# Do not ask for time source
#if options.conf_ntp:
# if not options.on_master and not options.unattended and not (
# options.ntp_servers or options.ntp_pool):
# options.ntp_servers, options.ntp_pool = \
# timeconf.get_time_source()
cli_realm = ds.realm
cli_realm_source = ds.realm_source
logger.debug("will use discovered realm: %s", cli_realm)
@@ -830,6 +837,14 @@ def main():
logger.info("BaseDN: %s", cli_basedn)
logger.debug("BaseDN source: %s", cli_basedn_source)
if not options.on_master:
if options.ntp_servers:
for server in options.ntp_servers:
logger.info("NTP server: %s", server)
if options.ntp_pool:
logger.info("NTP pool: %s", options.ntp_pool)
# ipa-join would fail with IP address instead of a FQDN
for srv in cli_server:
try:
@@ -895,6 +910,8 @@ def main():
client_domain=client_domain,
dnsok=dnsok,
sssd=options.sssd,
ntp_servers=options.ntp_servers,
ntp_pool=options.ntp_pool,
client_already_configured=client_already_configured,
ipa_python_version=IPA_PYTHON_VERSION)

1
roles/ipaclient/module_utils/ansible_ipa_client.py
View File

@@ -64,6 +64,7 @@ installer = installer_obj()
# Create options
options = installer
options.interactive = False
options.unattended = not options.interactive
if NUM_VERSION >= 40400:
# IPA version >= 4.4

44
roles/ipaclient/tasks/install.yml
View File

@@ -3,9 +3,8 @@
- name: Install - Ensure that IPA client packages are installed
package:
name: "{{ item }}"
name: "{{ ipaclient_packages }}"
state: present
with_items: "{{ ipaclient_packages }}"
when: ipaclient_install_packages | bool
#- name: Install - Include Python2/3 import test
@@ -64,8 +63,8 @@
- name: Install - Configure NTP
ipaclient_setup_ntp:
### basic ###
ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
ntp_servers: "{{ result_ipaclient_test.ntp_servers | default(omit) }}"
ntp_pool: "{{ result_ipaclient_test.ntp_pool | default(omit) }}"
no_ntp: "{{ ipaclient_no_ntp }}"
# force_ntpd: "{{ ipaclient_force_ntpd }}"
on_master: "{{ ipaclient_on_master }}"
@@ -107,10 +106,6 @@
fail: msg="Keytab or password is required for otp"
when: ipaadmin_keytab is undefined and ipaadmin_password is undefined
- name: Install - Save client ansible_python_interpreter setting
set_fact:
ipaclient_ansible_python_interpreter: "{{ ansible_python_interpreter }}"
#- name: Install - Include Python2/3 import test
# import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
# delegate_to: "{{ result_ipaclient_test.servers[0] }}"
@@ -119,13 +114,12 @@
no_log: yes
ipaclient_get_otp:
state: present
principal: "{{ ipaadmin_principal | default('admin') }}"
principal: "{{ ipaadmin_principal | default(omit) }}"
password: "{{ ipaadmin_password | default(omit) }}"
keytab: "{{ ipaadmin_keytab | default(omit) }}"
fqdn: "{{ result_ipaclient_test.hostname }}"
lifetime: "{{ ipaclient_lifetime | default(omit) }}"
random: True
ansible_python_interpreter: "{{ ansible_python_interpreter }}"
register: result_ipaclient_get_otp
# If the host is already enrolled, this command will exit on error
# The error can be ignored
@@ -134,18 +128,21 @@
in result_ipaclient_get_otp.msg
delegate_to: "{{ result_ipaclient_test.servers[0] }}"
delegate_facts: yes
ignore_errors: yes
- name: Install - Report error for OTP generation
debug:
msg: "{{ result_ipaclient_get_otp.msg }}"
when: result_ipaclient_get_otp is failed
failed_when: yes
- name: Install - Store the previously obtained OTP
no_log: yes
set_fact:
ipaadmin_orig_password: "{{ ipaadmin_password }}"
ipaadmin_orig_password: "{{ ipaadmin_password | default(omit) }}"
ipaadmin_password: "{{ result_ipaclient_get_otp.host.randompassword
if result_ipaclient_get_otp.host is defined }}"
- name: Install - Restore client ansible_python_interpreter setting
set_fact:
ansible_python_interpreter: "{{ ipaclient_ansible_python_interpreter }}"
when: ipaclient_use_otp | bool
- block:
@@ -159,14 +156,14 @@
- name: Install - Check if principal and keytab are set
fail: msg="Principal and keytab cannot be used together"
when: ipaadmin_principal is defined and ipaadmin_principal|length > 0
and ipaclient_keytab is defined and ipaclient_keytab|length > 0
when: ipaadmin_principal is defined and ipaclient_keytab is defined
- name: Install - Check if one of password and keytab are set
fail: msg="At least one of password or keytab must be specified"
when: not result_ipaclient_test_keytab.krb5_keytab_ok and
(ipaadmin_password is undefined or ipaadmin_password|length == 0)
and (ipaclient_keytab is undefined or ipaclient_keytab|length == 0)
- name: Install - Check if one of password or keytabs are set
fail: msg="At least one of password or keytabs must be specified"
when: not result_ipaclient_test_keytab.krb5_keytab_ok
and ipaadmin_password is undefined
and ipaadmin_keytab is undefined
and ipaclient_keytab is undefined
when: not ipaclient_on_master | bool
- name: Install - Purge {{ result_ipaclient_test.realm }} from host keytab
@@ -197,9 +194,10 @@
hostname: "{{ result_ipaclient_test.hostname }}"
force_join: "{{ ipaclient_force_join | default(omit) }}"
principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool and
ipaclient_keytab is not defined else '' }}"
ipaclient_keytab is not defined else omit }}"
password: "{{ ipaadmin_password | default(omit) }}"
keytab: "{{ ipaclient_keytab | default(omit) }}"
admin_keytab: "{{ ipaadmin_keytab if ipaadmin_keytab is defined and not ipaclient_use_otp | bool else omit }}"
# ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
register: result_ipaclient_join

4
roles/ipaclient/tasks/main.yml
View File

@@ -10,9 +10,9 @@
- "{{ role_path }}/vars/default.yml"
- name: Install IPA client
include_tasks: tasks/install.yml
include_tasks: install.yml
when: state|default('present') == 'present'
- name: Uninstall IPA client
include_tasks: tasks/uninstall.yml
include_tasks: uninstall.yml
when: state|default('present') == 'absent'

9
roles/ipaclient/tasks/uninstall.yml
View File

@@ -14,8 +14,7 @@
failed_when: uninstall.rc != 0 and uninstall.rc != 2
changed_when: uninstall.rc == 0
# - name: Remove IPA client package
# package:
# name: "{{ item }}"
# state: absent
# with_items: "{{ ipaclient_packages }}"
#- name: Remove IPA client package
# package:
# name: "{{ ipaclient_packages }}"
# state: absent

3
roles/ipaclient/vars/RedHat-8.yml Normal file
View File

@@ -0,0 +1,3 @@
# defaults file for ipaclient
# vars/RedHat-8.yml
ipaclient_packages: [ "@idm:DL1/client" ]

192
roles/ipareplica/README.md
View File

@@ -9,8 +9,41 @@ Changes made to any master are automatically replicated to other masters.
This can be done in differnt ways using auto-discovery of the servers, domain and other settings or by specifying them.
**Note**: The ansible playbooks and role require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
Features
--------
* Replica deployment
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.6 and up are supported by the replica role.
Supported Distributions
-----------------------
* RHEL/CentOS 7.6+
* Fedora 26+
* Ubuntu
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
* Supported distribution (needed for package installation only, see above)
Usage
-----
=====
Example inventory file with fixed principal using auto-discovery with DNS records:
@@ -68,68 +101,145 @@ Example playbook to setup the IPA client(s) using principal and password from in
- role: ipareplica
state: present
Playbooks
=========
The playbooks needed to deploy or undeploy a replica are part of the repository in the playbooks folder. There are also playbooks to deploy and undeploy clusters.
```
install-replica.yml
uninstall-replica.yml
```
Please remember to link or copy the playbooks to the base directory of ansible-freeipa if you want to use the roles within the source archive.
How to setup replicas
---------------------
```bash
ansible-playbook -v -i inventory/hosts install-replica.yml
```
This will deploy the replicas defined in the inventory file.
Variables
---------
=========
**ipaserver** - Group with IPA server hostname.
(list of strings, optional)
Base Variables
--------------
**ipaclients** - Group of IPA client hostnames.
(list of strings)
Variable | Description | Required
-------- | ----------- | --------
`ipaservers` | This group with the IPA master full qualified hostnames. (list of strings) | mostly
`ipareplicas` | Group of IPA replica hostnames. (list of strings) | yes
`ipaadmin_password` | The password for the IPA admin user (string) | mostly
`ipareplica_ip_addresses` | The list of master server IP addresses. (list of strings) | no
`ipareplica_domain` | The primary DNS domain of an existing IPA deployment. (string) | no
`ipaserver_realm` | The Kerberos realm of an existing IPA deployment. (string) | no
`ipaserver_hostname` | Fully qualified name of the server. (string) | no
`ipaadmin_principal` | The authorized kerberos principal used to join the IPA realm. (string) | no
`ipareplica_no_host_dns` | Do not use DNS for hostname lookup during installation. (bool, default: false) | no
`ipareplica_skip_conncheck` | Skip connection check to remote master. (bool, default: false) | no
**ipaadmin_keytab** - The path to the admin keytab used for alternative authentication.
(string, optional)
Server Vaiables
---------------
**ipaadmin_principal** - The authorized kerberos principal used to join the IPA realm.
(string, optional)
Variable | Description | Required
-------- | ----------- | --------
`ipadm_password` | The password for the Directory Manager. (string) | mostly
`ipareplica_setup_adtrust` | Configure AD trust capability. (bool, default: false) | no
`ipareplica_setup_ca` | Configure a dogtag CA. (bool, default: false) | no
`ipareplica_setup_kra` | Configure a dogtag KRA. (bool, default: false) | no
`ipareplica_setup_dns` | Configure bind with our zone. (bool, default: false) | no
`ipareplica_no_pkinit` | Disables pkinit setup steps. (bool, default: false) | no
`ipareplica_no_ui_redirect` | Do not automatically redirect to the Web UI. (bool, default: false) | no
`ipareplica_dirsrv_config_file` | The path to LDIF file that will be used to modify configuration of dse.ldif during installation of the directory server instance. (string)| no
**ipaadmin_password** - The password for the kerberos principal.
(string, optional)
**ipaclient_domain** - The primary DNS domain of an existing IPA deployment.
(string, optional)
SSL certificate Variables
-------------------------
**ipaclient_realm** - The Kerberos realm of an existing IPA deployment.
(string, optional)
Variable | Description | Required
-------- | ----------- | --------
`ipareplica_dirsrv_cert_files` | Files containing the Directory Server SSL certificate and private keys. (list of strings) | no
`ipareplica_http_cert_file` | File containing the Apache Server SSL certificate and private key. (string) | no
`ipareplica_pkinit_cert_file` | File containing the Kerberos KDC SSL certificate and private key. (string) | no
`ipareplica_dirsrv_pin` | The password to unlock the Directory Server private key. (string) | no
`ipareplica_http_pin` | The password to unlock the Apache Server private key. (string) | no
`ipareplica_pkinit_pin` | The password to unlock the Kerberos KDC private key. (string) | no
`ipareplica_dirsrv_cert_name` | Name of the Directory Server SSL certificate to install. (string) | no
`ipareplica_http_cert_name` | Name of the Apache Server SSL certificate to install. (string) | no
`ipareplica_pkinit_cert_name` | Name of the Kerberos KDC SSL certificate to install. (string) | no
**ipaclient_keytab** - The path to a backed-up host keytab from previous enrollment.
(string, optional)
Client Variables
----------------
**ipaclient_force_join** - Set force_join to yes to join the host even if it is already enrolled.
(bool, optional)
Variable | Description | Required
-------- | ----------- | --------
`ipaclient_keytab` | Path to backed up keytab from previous enrollment. (string) | no
`ipaclient_mkhomedir` | Set to yes to configure PAM to create a users home directory if it does not exist. (string) | no
`ipaclient_force_join` | Force client enrollment even if already enrolled. (bool, default: false) | no
`ipaclient_ntp_servers` | The list defines the NTP servers to be used. (list of strings) | no
`ipaclient_ntp_pool` | The string value defines the ntp server pool to be used. (string) | no
`ipaclient_no_ntp` | The bool value defines if NTP will not be configured and enabled. (bool, default: false) | no
`ipaclient_ssh_trust_dns` | The bool value defines if OpenSSH client will be configured to trust DNS SSHFP records. (bool, default: false) | no
`ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. (bool, default: false) | no
`ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. (bool, default: false) | no
`ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. (bool, default: false) | no
`ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. (bool, default: false) | no
**ipaclient_use_otp** - Enforce the generation of a one time password to configure new and existing hosts. The enforcement on an existing host is not done if there is a working krb5.keytab on the host. If the generation of an otp is enforced for an existing host entry, then the host gets diabled and the containing keytab gets removed.
(bool, optional)
Certificate system Variables
----------------------------
**ipaclient_allow_repair** - Allow repair of already joined hosts. Contrary to ipaclient_force_join the host entry will not be changed on the server.
(bool, optional)
Variable | Description | Required
-------- | ----------- | --------
~~`ipareplica_skip_schema_check`~~ | ~~Skip check for updated CA DS schema on the remote master. (bool, default: false)~~ | ~~no~~
**ipaclient_kinit_attempts** - Repeat the request for host Kerberos ticket X times if it fails.
(int, optional)
DNS Variables
-------------
**ipaclient_no_ntp** - Set to yes to not configure and enable NTP
(bool, optional)
Variable | Description | Required
-------- | ----------- | --------
`ipareplica_allow_zone_overlap` | Allow creation of (reverse) zone even if the zone is already resolvable. (bool, default: false) | no
`ipareplica_reverse_zones` | The reverse DNS zones to use. (list of strings) | no
`ipareplica_no_reverse` | Do not create reverse DNS zone. (bool, default: false) | no
`ipareplica_auto_reverse` | Try to resolve reverse records and reverse zones for server IP addresses. (bool, default: false) | no
`ipareplica_zonemgr` | The e-mail address of the DNS zone manager. (string, default: hostmaster@DOMAIN.) | no
`ipareplica_forwarders` | Add DNS forwarders to the DNS configuration. (list of strings) | no
`ipareplica_no_forwarders` | Do not add any DNS forwarders. Root DNS servers will be used instead. (bool, default: false) | no
`ipareplica_auto_forwarders` | Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false) | no
`ipareplica_forward_policy` | DNS forwarding policy for global forwarders specified using other options. (choice: first,only) | no
`ipareplica_no_dnssec_validation` | Disable DNSSEC validation on this server. (bool, default: false) | no
**ipaclient_mkhomedir** - Set to yes to configure PAM to create a users home directory if it does not exist.
(string, optional)
AD trust Variables
------------------
Variable | Description | Required
-------- | ----------- | --------
~~`ipareplica_add_sids`~~ | ~~Add SIDs for existing users and groups as the final step. (bool, default: false)~~ | ~~no~~
~~`ipareplica_add_agents`~~ | ~~Add IPA masters to a list of hosts allowed to serve information about users from trusted forests. (bool, default: false)~~ | ~~no~~
`ipareplica_enable_compat`| Enables support for trusted domains users for old clients through Schema Compatibility plugin. (bool, default: false) | no
`ipareplica_netbios_name` | The NetBIOS name for the IPA domain. (string) | no
`ipareplica_rid_base` | First RID value of the local domain. (integer) | no
`ipareplica_secondary_rid_base` | Start value of the secondary RID range. (integer) | no
Cluster Specific Variables
--------------------------
**ipaclient_no_dns_lookup** - Set to 'yes' to use groups.ipaserver in cluster environments as servers for the clients. This deactivates DNS lookup in krb5.
(bool, optional, default: 'no')
Variable | Description | Required
-------- | ----------- | --------
`ipareplica_servers` | Manually override list of servers for example in a cluster environment on a per replica basis. The list of servers is normally taken from from groups.ipaserver in cluster environments. (list of strings) | no
`ipaserver_domain` | Used if set in a cliuster environment to overload `ipareplica_domain` | no
**ipareplica_servers** - Manually override list of servers for example in a cluster environment on a per client basis. The list of servers is normally taken from from groups.ipaserver in cluster environments.
(list of strings, optional)
Special Variables
-----------------
Requirements
------------
Variable | Description | Required
-------- | ----------- | --------
`ipareplica_install_packages` | The bool value defines if the needed packages are installed on the node. (bool, default: true) | no
`ipareplica_setup_firewalld` | The value defines if the needed services will automatically be openen in the firewall managed by firewalld. (bool, default: true) | no
freeipa-server v4.6 or later
Authors
-------
Florence Blanc-Renaud
=======
Thomas Woerner

7
roles/ipareplica/library/ipareplica_create_ipa_conf.py
View File

@@ -172,6 +172,7 @@ def main():
### additional ###
server=dict(required=True),
config_master_host_name=dict(required=True),
config_ca_host_name=dict(required=True),
ccache=dict(required=True),
installer_ccache=dict(required=True),
_ca_enabled=dict(required=False, type='bool'),
@@ -183,6 +184,7 @@ def main():
_add_to_ipaservers = dict(required=True, type='bool'),
_ca_subject=dict(required=True),
_subject_base=dict(required=True),
master=dict(required=False, default=None),
dirman_password=dict(required=True, no_log=True),
),
@@ -227,6 +229,7 @@ def main():
# '_hostname_overridden')
options.server = ansible_module.params.get('server')
master_host_name = ansible_module.params.get('config_master_host_name')
ca_host_name = ansible_module.params.get('config_ca_host_name')
ccache = ansible_module.params.get('ccache')
os.environ['KRB5CCNAME'] = ccache
#os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
@@ -246,6 +249,7 @@ def main():
options._ca_subject = ansible_module.params.get('_ca_subject')
options._subject_base = ansible_module.params.get('_subject_base')
master = ansible_module.params.get('master')
dirman_password = ansible_module.params.get('dirman_password')
@@ -267,6 +271,7 @@ def main():
config = gen_ReplicaConfig()
config.subject_base = options.subject_base
config.dirman_password = dirman_password
config.ca_host_name = ca_host_name
remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
installer._remote_api = remote_api
@@ -284,7 +289,7 @@ def main():
# successful uninstallation
# The configuration creation has to be here otherwise previous call
# To config certmonger would try to connect to local server
create_ipa_conf(fstore, config, ca_enabled)
create_ipa_conf(fstore, config, ca_enabled, master)
# done #

12
roles/ipareplica/library/ipareplica_custodia_import_dm_password.py
View File

@@ -64,6 +64,12 @@ options:
_ca_file:
description:
required: yes
_kra_enabled:
description:
required: yes
_kra_host_name:
description:
required: yes
_dirsrv_pkcs12_info:
description:
required: yes
@@ -103,6 +109,8 @@ def main():
ccache=dict(required=True),
_ca_enabled=dict(required=False, type='bool'),
_ca_file=dict(required=False),
_kra_enabled=dict(required=False, type='bool'),
_kra_host_name=dict(required=False),
_dirsrv_pkcs12_info = dict(required=False),
_pkinit_pkcs12_info = dict(required=False),
_top_dir = dict(required=True),
@@ -135,6 +143,8 @@ def main():
#os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
#installer._ccache = ansible_module.params.get('installer_ccache')
ca_enabled = ansible_module.params.get('_ca_enabled')
kra_enabled = ansible_module.params.get('_kra_enabled')
kra_host_name = ansible_module.params.get('_kra_host_name')
dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info')
options._top_dir = ansible_module.params.get('_top_dir')
@@ -161,6 +171,8 @@ def main():
config.ca_host_name = config_ca_host_name
config.subject_base = options.subject_base
config.promote = installer.promote
config.kra_enabled = kra_enabled
config.kra_host_name = kra_host_name
remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA)
installer._remote_api = remote_api

5
roles/ipareplica/library/ipareplica_enable_ipa.py
View File

@@ -49,6 +49,9 @@ options:
setup_ca:
description: Configure a dogtag CA
required: yes
setup_kra:
description: Configure KRA
required: yes
config_master_host_name:
description: The master host name
required: yes
@@ -77,6 +80,7 @@ def main():
ccache=dict(required=True),
_top_dir = dict(required=True),
setup_ca=dict(required=True, type='bool'),
setup_kra=dict(required=True, type='bool'),
config_master_host_name=dict(required=True),
),
supports_check_mode = True,
@@ -100,6 +104,7 @@ def main():
os.environ['KRB5CCNAME'] = ccache
options._top_dir = ansible_module.params.get('_top_dir')
options.setup_ca = ansible_module.params.get('setup_ca')
options.setup_kra = ansible_module.params.get('setup_kra')
config_master_host_name = ansible_module.params.get('config_master_host_name')
# init #

2
roles/ipareplica/library/ipareplica_krb_enable_ssl.py
View File

@@ -133,6 +133,8 @@ def main():
krb.init_info(api.env.realm, api.env.host,
setup_pkinit=not options.no_pkinit,
subject_base=options.subject_base)
krb.pkcs12_info = options._pkinit_pkcs12_info
krb.master_fqdn = master_host_name
ansible_log.debug("-- KRB ENABLE_SSL --")

11
roles/ipareplica/library/ipareplica_master_password.py
View File

@@ -60,7 +60,6 @@ def main():
module = AnsibleModule(
argument_spec = dict(
#basic
dm_password=dict(required=True, no_log=True),
master_password=dict(required=False, no_log=True),
),
supports_check_mode = True,
@@ -68,21 +67,11 @@ def main():
module._ansible_debug = True
options.dm_password = module.params.get('dm_password')
options.master_password = module.params.get('master_password')
fstore = sysrestore.FileStore(paths.SYSRESTORE)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
# This will override any settings passed in on the cmdline
if os.path.isfile(paths.ROOT_IPA_CACHE):
# dm_password check removed, checked already
try:
cache_vars = read_cache(options.dm_password)
options.__dict__.update(cache_vars)
except Exception as e:
module.fail_json(msg="Cannot process the cache file: %s" % str(e))
if not options.master_password:
options.master_password = ipa_generate_password()

1
roles/ipareplica/library/ipareplica_prepare.py
View File

@@ -728,6 +728,7 @@ def main():
config_setup_ca=config.setup_ca,
config_master_host_name=config.master_host_name,
config_ca_host_name=config.ca_host_name,
config_kra_host_name=config.kra_host_name,
config_ips=[ str(ip) for ip in config.ips ],
### ad trust ###
rid_base=options.rid_base,

17
roles/ipareplica/library/ipareplica_setup_ca.py
View File

@@ -61,6 +61,12 @@ options:
_ca_file:
description:
required: yes
_kra_enabled:
description:
required: yes
_kra_host_name:
description:
required: yes
_dirsrv_pkcs12_info:
description:
required: yes
@@ -118,6 +124,8 @@ def main():
ccache=dict(required=True),
_ca_enabled=dict(required=False, type='bool'),
_ca_file=dict(required=False),
_kra_enabled=dict(required=False, type='bool'),
_kra_host_name=dict(required=False),
_dirsrv_pkcs12_info = dict(required=False),
_pkinit_pkcs12_info = dict(required=False),
_top_dir = dict(required=True),
@@ -152,6 +160,8 @@ def main():
#os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
#installer._ccache = ansible_module.params.get('installer_ccache')
ca_enabled = ansible_module.params.get('_ca_enabled')
kra_enabled = ansible_module.params.get('_kra_enabled')
kra_host_name = ansible_module.params.get('_kra_host_name')
installer._dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
installer._pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info')
options._top_dir = ansible_module.params.get('_top_dir')
@@ -190,6 +200,8 @@ def main():
config.ca_host_name = config_ca_host_name
config.ips = config_ips
config.promote = options.promote
config.kra_enabled = kra_enabled
config.kra_host_name = kra_host_name
remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA)
options._remote_api = remote_api
@@ -213,7 +225,10 @@ def main():
if not hasattr(custodiainstance, "get_custodia_instance"):
ca.install(False, config, options)
else:
if ca_enabled:
if kra_enabled:
# A KRA peer always provides a CA, too.
mode = custodiainstance.CustodiaModes.KRA_PEER
elif ca_enabled:
mode = custodiainstance.CustodiaModes.CA_PEER
else:
mode = custodiainstance.CustodiaModes.MASTER_PEER

17
roles/ipareplica/library/ipareplica_setup_custodia.py
View File

@@ -64,6 +64,12 @@ options:
_ca_file:
description:
required: yes
_kra_enabled:
description:
required: yes
_kra_host_name:
description:
required: yes
_top_dir:
description:
required: yes
@@ -98,6 +104,8 @@ def main():
ccache=dict(required=True),
_ca_enabled=dict(required=False, type='bool'),
_ca_file=dict(required=False),
_kra_enabled=dict(required=False, type='bool'),
_kra_host_name=dict(required=False),
_dirsrv_pkcs12_info = dict(required=False),
_pkinit_pkcs12_info = dict(required=False),
_top_dir = dict(required=True),
@@ -127,6 +135,8 @@ def main():
#os.environ['KRB5CCNAME'] = ansible_module.params.get('installer_ccache')
#installer._ccache = ansible_module.params.get('installer_ccache')
ca_enabled = ansible_module.params.get('_ca_enabled')
kra_enabled = ansible_module.params.get('_kra_enabled')
kra_host_name = ansible_module.params.get('_kra_host_name')
dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
options._pkinit_pkcs12_info = ansible_module.params.get('_pkinit_pkcs12_info')
options._top_dir = ansible_module.params.get('_top_dir')
@@ -149,6 +159,8 @@ def main():
config = gen_ReplicaConfig()
config.dirman_password = dirman_password
config.promote = installer.promote
config.kra_enabled = kra_enabled
config.kra_host_name = kra_host_name
remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
#installer._remote_api = remote_api
@@ -174,7 +186,10 @@ def main():
ansible_log.debug("-- CUSTODIA CREATE_INSTANCE --")
custodia.create_instance()
else:
if ca_enabled:
if kra_enabled:
# A KRA peer always provides a CA, too.
mode = custodiainstance.CustodiaModes.KRA_PEER
elif ca_enabled:
mode = custodiainstance.CustodiaModes.CA_PEER
else:
mode = custodiainstance.CustodiaModes.MASTER_PEER

4
roles/ipareplica/library/ipareplica_setup_kra.py
View File

@@ -115,6 +115,7 @@ def main():
installer_ccache=dict(required=True),
_ca_enabled=dict(required=False, type='bool'),
_kra_enabled=dict(required=False, type='bool'),
_kra_host_name=dict(required=False),
_dirsrv_pkcs12_info = dict(required=False),
_http_pkcs12_info = dict(required=False),
_pkinit_pkcs12_info = dict(required=False),
@@ -176,6 +177,7 @@ def main():
installer._ccache = ansible_module.params.get('installer_ccache')
ca_enabled = ansible_module.params.get('_ca_enabled')
kra_enabled = ansible_module.params.get('_kra_enabled')
kra_host_name = ansible_module.params.get('_kra_host_name')
dirsrv_pkcs12_info = ansible_module.params.get('_dirsrv_pkcs12_info')
http_pkcs12_info = ansible_module.params.get('_http_pkcs12_info')
@@ -206,6 +208,8 @@ def main():
config = gen_ReplicaConfig()
config.subject_base = options.subject_base
config.promote = installer.promote
config.kra_enabled = kra_enabled
config.kra_host_name = kra_host_name
remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
installer._remote_api = remote_api

34
roles/ipareplica/library/ipareplica_test.py
View File

@@ -179,6 +179,14 @@ def main():
ansible_module.fail_json(
msg="Hidden replica is not supported in this version.")
# We need to point to the master in ipa default conf when certmonger
# asks for HTTP certificate in newer ipa versions. In these versions
# create_ipa_conf has the additional master argument.
change_master_for_certmonger = False
argspec = inspect.getargspec(create_ipa_conf)
if "master" in argspec.args:
change_master_for_certmonger = True
# From ipa installer classes
# pkinit is not supported on DL0, don't allow related options
@@ -332,18 +340,20 @@ def main():
# done #
ansible_module.exit_json(changed=False,
ipa_python_version=IPA_PYTHON_VERSION,
### basic ###
domain=options.domain_name,
realm=options.realm_name,
hostname=options.host_name,
### server ###
setup_adtrust=options.setup_adtrust,
setup_kra=options.setup_kra,
server=options.server,
### additional ###
client_enrolled=client_enrolled,
ansible_module.exit_json(
changed=False,
ipa_python_version=IPA_PYTHON_VERSION,
### basic ###
domain=options.domain_name,
realm=options.realm_name,
hostname=options.host_name,
### server ###
setup_adtrust=options.setup_adtrust,
setup_kra=options.setup_kra,
server=options.server,
### additional ###
client_enrolled=client_enrolled,
change_master_for_certmonger=change_master_for_certmonger,
)
if __name__ == '__main__':

2
roles/ipareplica/module_utils/ansible_ipa_replica.py
View File

@@ -240,7 +240,7 @@ options.kasp_db_file = None
options.force = False
# ServerMasterInstall
options.add_sids = True
options.add_sids = False
options.add_agents = False
# ServerReplicaInstall

126
roles/ipareplica/tasks/install.yml
View File

@@ -5,22 +5,19 @@
- name: Install - Ensure IPA replica packages are installed
package:
name: "{{ item }}"
name: "{{ ipareplica_packages }}"
state: present
with_items: "{{ ipareplica_packages }}"
- name: Install - Ensure IPA replica packages for dns are installed
package:
name: "{{ item }}"
name: "{{ ipareplica_packages_dns }}"
state: present
with_items: "{{ ipareplica_packages_dns }}"
when: ipareplica_setup_dns | bool
- name: Install - Ensure IPA replica packages for adtrust are installed
package:
name: "{{ item }}"
name: "{{ ipareplica_packages_adtrust }}"
state: present
with_items: "{{ ipareplica_packages_adtrust }}"
when: ipareplica_setup_adtrust | bool
when: ipareplica_install_packages | bool
@@ -28,6 +25,11 @@
#- name: Install - Include Python2/3 import test
# import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
- name: Install - Set ipareplica_servers
set_fact:
ipareplica_servers: "{{ groups['ipaservers'] | list }}"
when: groups.ipaservers is defined and ipareplica_servers is not defined
- name: Install - Set default principal if no keytab is given
set_fact:
ipaadmin_principal: admin
@@ -41,8 +43,7 @@
ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"
domain: "{{ ipareplica_domain | default(ipaserver_domain) |
default(omit) }}"
servers: "{{ groups.ipaservers | default(groups.ipaserver) |
default(omit) }}"
servers: "{{ ipareplica_servers | default(omit) }}"
realm: "{{ ipareplica_realm | default(omit) }}"
hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}"
ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
@@ -82,9 +83,9 @@
name: ipaclient
vars:
state: present
ipaclient_domain: "{{ result_ipareplica_test.domain }}"
ipaclient_realm: "{{ result_ipareplica_test.realm }}"
ipaclient_servers: ["{{ result_ipareplica_test.server }}"]
ipaclient_domain: "{{ result_ipareplica_test.domain | default(omit) }}"
ipaclient_realm: "{{ result_ipareplica_test.realm | default(omit) }}"
ipaclient_servers: "{{ ipareplica_servers | default(omit) }}"
ipaclient_hostname: "{{ result_ipareplica_test.hostname }}"
ipaclient_no_ntp: "{{ result_ipareplica_test.ipa_python_version
< 40690 }}"
@@ -181,7 +182,6 @@
- name: Install - Create dirman password
no_log: yes
ipareplica_master_password:
dm_password: "{{ ipadm_password }}"
master_password: "{{ ipareplica_master_password | default(omit) }}"
register: result_ipareplica_master_password
@@ -314,6 +314,7 @@
server: "{{ result_ipareplica_test.server }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
@@ -343,6 +344,54 @@
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
# We need to point to the master in ipa default conf when certmonger
# asks for HTTP certificate in newer ipa versions. In these versions
# create_ipa_conf has the additional master argument.
- name: Install - Create override IPA conf
ipareplica_create_ipa_conf:
### basic ###
dm_password: "{{ ipadm_password | default(omit) }}"
password: "{{ ipaadmin_password | default(omit) }}"
ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"
domain: "{{ result_ipareplica_test.domain }}"
realm: "{{ result_ipareplica_test.realm }}"
hostname: "{{ result_ipareplica_test.hostname }}"
ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
no_host_dns: "{{ ipareplica_no_host_dns }}"
### replica ###
setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
setup_kra: "{{ result_ipareplica_test.setup_kra }}"
setup_dns: "{{ ipareplica_setup_dns }}"
### ssl certificate ###
dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"
### client ###
force_join: "{{ ipaclient_force_join }}"
### ad trust ###
netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"
rid_base: "{{ ipareplica_rid_base | default(omit) }}"
secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"
### additional ###
server: "{{ result_ipareplica_test.server }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
_dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info }}"
_http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
_add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}"
_ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
_subject_base: "{{ result_ipareplica_prepare._subject_base }}"
dirman_password: "{{ ipareplica_dirman_password }}"
master:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
when: result_ipareplica_test.change_master_for_certmonger
- name: Install - DS enable SSL
ipareplica_ds_enable_ssl:
### server ###
@@ -383,6 +432,50 @@
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
dirman_password: "{{ ipareplica_dirman_password }}"
# Need to point back to ourself after the cert for HTTP is obtained
- name: Install - Create original IPA conf again
ipareplica_create_ipa_conf:
### basic ###
dm_password: "{{ ipadm_password | default(omit) }}"
password: "{{ ipaadmin_password | default(omit) }}"
ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"
domain: "{{ result_ipareplica_test.domain }}"
realm: "{{ result_ipareplica_test.realm }}"
hostname: "{{ result_ipareplica_test.hostname }}"
ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
no_host_dns: "{{ ipareplica_no_host_dns }}"
### replica ###
setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
setup_kra: "{{ result_ipareplica_test.setup_kra }}"
setup_dns: "{{ ipareplica_setup_dns }}"
### ssl certificate ###
dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"
### client ###
force_join: "{{ ipaclient_force_join }}"
### ad trust ###
netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"
rid_base: "{{ ipareplica_rid_base | default(omit) }}"
secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"
### additional ###
server: "{{ result_ipareplica_test.server }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
_dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info }}"
_http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
_add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}"
_ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
_subject_base: "{{ result_ipareplica_prepare._subject_base }}"
dirman_password: "{{ ipareplica_dirman_password }}"
when: result_ipareplica_test.change_master_for_certmonger
- name: Install - Setup otpd
ipareplica_setup_otpd:
### server ###
@@ -415,6 +508,8 @@
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
_kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -434,6 +529,8 @@
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
_ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
_kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
_kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
_subject_base: "{{ result_ipareplica_prepare._subject_base }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -516,6 +613,7 @@
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
_kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
_dirsrv_pkcs12_info: "{{ result_ipareplica_prepare._dirsrv_pkcs12_info }}"
_http_pkcs12_info: "{{ result_ipareplica_prepare._http_pkcs12_info }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
@@ -560,6 +658,8 @@
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
_kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
_kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
dirman_password: "{{ ipareplica_dirman_password }}"
@@ -640,6 +740,8 @@
hostname: "{{ result_ipareplica_test.hostname }}"
hidden_replica: "{{ ipareplica_hidden_replica }}"
### server ###
### replica ###
setup_kra: "{{ result_ipareplica_test.setup_kra }}"
### certificate system ###
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###

4
roles/ipareplica/tasks/main.yml
View File

@@ -10,9 +10,9 @@
- "vars/default.yml"
- name: Install IPA replica
include_tasks: tasks/install.yml
include_tasks: install.yml
when: state|default('present') == 'present'
- name: Uninstall IPA replica
include_tasks: tasks/uninstall.yml
include_tasks: uninstall.yml
when: state|default('present') == 'absent'

9
roles/ipareplica/tasks/uninstall.yml
View File

@@ -34,8 +34,7 @@
# failed_when: False
# delegate_to: "{{ groups.ipaserver[0] | default(fail) }}"
# - name: Remove IPA replica packages
# package:
# name: "{{ item }}"
# state: absent
# with_items: "{{ ipareplica_packages }}"
#- name: Remove IPA replica packages
# package:
# name: "{{ ipareplica_packages }}"
# state: absent

5
roles/ipareplica/vars/RedHat-8.yml Normal file
View File

@@ -0,0 +1,5 @@
# defaults file for ipareplica
# vars/RedHat-8.yml
ipareplica_packages: [ "@idm:DL1/server" ]
ipareplica_packages_dns: [ "@idm:DL1/dns" ]
ipareplica_packages_adtrust: [ "@idm:DL1/adtrust" ]

295
roles/ipaserver/README.md
View File

@@ -6,8 +6,51 @@ Description
This role allows to configure and IPA server.
**Note**: The ansible playbooks and role require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
Features
--------
* Server deployment
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.5 and up are supported by the server role.
Supported Distributions
-----------------------
* RHEL/CentOS 7.6+
* Fedora 26+
* Ubuntu
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
* Supported distribution (needed for package installation only, see above)
Limitations
-----------
External signed CA
External signed CA is now supported. But the currently needed two step process is an issue for the processing in a simple playbook.
Work is planned to have a new method to handle CSR for external signed CAs in a separate step before starting the server installation.
Usage
-----
=====
Example inventory file with fixed domain and realm, setting up of the DNS server and using forwarders from /etc/resolv.conf:
@@ -63,111 +106,187 @@ Example playbook to setup the IPA server using admin and dirman passwords from i
- role: ipaserver
state: present
Example playbook to setup the IPA primary with external signed CA using the previous inventory file:
Server installation step 1: Generate CSR, copy to controller as `<ipaserver hostname>-ipa.csr`
```yaml
---
- name: Playbook to configure IPA server step1
hosts: ipaserver
become: true
vars:
ipaserver_external_ca: yes
roles:
- role: ipaserver
state: present
post_tasks:
- name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
fetch:
src: /root/ipa.csr
dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
flat: yes
```
Sign with CA: This is up to you
Server installatin step 2: Copy `<ipaserver hostname>-chain.crt` to the IPA server and continue with installation of the primary.
```yaml
- name: Playbook to configure IPA server step3
hosts: ipaserver
become: true
vars:
ipaserver_external_cert_files: "/root/chain.crt"
pre_tasks:
- name: Copy "{{ groups.ipaserver[0] + '-chain.crt' }}" to /root/chain.crt on node
copy:
src: "{{ groups.ipaserver[0] + '-chain.crt' }}"
dest: "/root/chain.crt"
force: yes
roles:
- role: ipaserver
state: present
```
The files can also be copied automatically: Set `ipaserver_copy_csr_to_controller` to true in the server installation step 1 and set `ipaserver_external_cert_files_from_controller` to point to the `chain.crt` file in the server installatin step 2.
Playbooks
=========
The playbooks needed to deploy or undeploy a server are part of the repository in the playbooks folder. There are also playbooks to deploy and undeploy clusters.
```
install-server.yml
uninstall-server.yml
```
Please remember to link or copy the playbooks to the base directory of ansible-freeipa if you want to use the roles within the source archive.
How to setup a server
---------------------
```bash
ansible-playbook -v -i inventory/hosts install-server.yml
```
This will deploy the server defined in the inventory file.
Variables
---------
=========
**ipaserver** - Group with the IPA server hostname
(list of strings)
Base Variables
--------------
**ipaadmin_password** - The password for the IPA admin user.
(string, optional)
**ipadm_password** - The password for the Directory Manager.
(string, optional)
**ipaserver_domain** - The primary DNS domain of an existing IPA deployment.
(string)
Variable | Description | Required
-------- | ----------- | --------
`ipaserver` | This group with the single IPA server full qualified hostname. (list of strings) | yes
`ipadm_password` | The password for the Directory Manager. (string) | no
`ipaadmin_password` | The password for the IPA admin user (string) | no
`ipaserver_ip_addresses` | The list of master server IP addresses. (list of strings) | no
`ipaserver_domain` | The primary DNS domain of an existing IPA deployment. (string) | no
`ipaserver_realm` | The Kerberos realm of an existing IPA deployment. (string) | no
`ipaserver_hostname` | Fully qualified name of the server. (string) | no
`ipaserver_no_host_dns` | Do not use DNS for hostname lookup during installation. (bool, default: false) | no
**ipaserver_realm** - The Kerberos realm of an existing IPA deployment.
(string)
Server Variables
----------------
**ipaserver_idstart** - The starting user and group id number (default random).
(integer, optional)
Variable | Description | Required
-------- | ----------- | --------
`ipaserver_setup_adtrust` | Configure AD Trust capability. (bool, default: false) | no
`ipaserver_setup_kra` | Install and configure a KRA on this server. (bool, default: false) | no
`ipaserver_setup_dns` | Configure an integrated DNS server, create DNS zone specified by domain. (bool, default: false) | no
`ipaserver_idstart` | The starting user and group id number. (integer, default: random) | no
`ipaserver_idmax` | The maximum user and group id number. (integer, default: idstart+199999) | no
`ipaserver_no_hbac_allow` | Do not install allow_all HBAC rule. (bool) | no
`ipaserver_no_ui_redirect` | Do not automatically redirect to the Web UI. (bool) | no
`ipaserver_dirsrv_config_file` | The path to LDIF file that will be used to modify configuration of dse.ldif during installation. (string) | no
`ipaserver_pki_config_override` | Path to ini file with config overrides. This is only usable with recent FreeIPA versions. (string) | no
**ipaserver_idmax** - The maximum user and group id number (default: idstart+199999).
(integer, optional)
SSL certificate Variables
-------------------------
**ipaserver_no_hbac_allow** - Do not install allow_all HBAC rule.
(bool, optional)
Variable | Description | Required
-------- | ----------- | --------
`ipaserver_dirsrv_cert_files` | Files containing the Directory Server SSL certificate and private keys. (list of strings) | no
`ipaserver_http_cert_file` | File containing the Apache Server SSL certificate and private key. (string) | no
`ipaserver_pkinit_cert_file` | File containing the Kerberos KDC SSL certificate and private key. (string) | no
`ipaserver_dirsrv_pin` | The password to unlock the Directory Server private key. (string) | no
`ipaserver_http_pin` | The password to unlock the Apache Server private key. (string) | no
`ipaserver_pkinit_pin` | The password to unlock the Kerberos KDC private key. (string) | no
`ipaserver_dirsrv_cert_name` | Name of the Directory Server SSL certificate to install. (string) | no
`ipaserver_http_cert_name` | Name of the Apache Server SSL certificate to install. (string) | no
`ipaserver_pkinit_cert_name` | Name of the Kerberos KDC SSL certificate to install. (string) | no
**ipaserver_no_ui_redirect** - Do not automatically redirect to the Web UI.
(bool, optional)
Client Variables
----------------
**ipaserver_dirsrv_config_file** - The path to LDIF file that will be used to modify configuration of dse.ldif during installation.
(string, optional)
Variable | Description | Required
-------- | ----------- | --------
`ipaclient_ntp_servers` | The list defines the NTP servers to be used. | no
`ipaclient_ntp_pool` | The string value defines the ntp server pool to be used. | no
`ipaclient_no_ntp` | The bool value defines if NTP will not be configured and enabled. `ipaclient_no_ntp` defaults to `no`. | no
`ipaclient_ssh_trust_dns` | The bool value defines if OpenSSH client will be configured to trust DNS SSHFP records. `ipaclient_ssh_trust_dns` defaults to `no`. | no
`ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. `ipaclient_no_ssh` defaults to `no`. | no
`ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. `ipaclient_no_sshd` defaults to `no`. | no
`ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. `ipaclient_no_sudo` defaults to `no`. | no
`ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. `ipaclient_no_dns_sshfp` defaults to `no`. | no
**ipaserver_setup_kra** - Install and configure a KRA on this server.
(bool, optional)
Certificate system Variables
----------------------------
**ipaserver_setup_dns** - Configure an integrated DNS server, create DNS zone specified by domain
(string, optional)
Variable | Description | Required
-------- | ----------- | --------
`ipaserver_external_ca` | Generate a CSR for the IPA CA certificate to be signed by an external CA. (bool, default: false) | no
`ipaserver_external_ca_type` | Type of the external CA. (choice: generic,ms-cs) | no
`ipaserver_external_ca_profile` | Specify the certificate profile/template to use at the external CA. (string) | no
`ipaserver_external_cert_files` | Files containing the IPA CA certificates and the external CA certificate chains (list of string) | no
`ipaserver_subject_base` | The certificate subject base (default O=<realm-name>). RDNs are in LDAP order (most specific RDN first). (string) | no
`ipaserver_ca_subject` | The CA certificate subject DN (default CN=Certificate Authority,O=<realm-name>). RDNs are in LDAP order (most specific RDN first). (string) | no
`ipaserver_ca_signing_algorithm` | Signing algorithm of the IPA CA certificate. (choice: SHA1withRSA,SHA256withRSA,SHA512withRSA) | no
**ipaserver_forwarders** - Add DNS forwarders to the DNS configuration.
(list of strings, optional)
DNS Variables
-------------
**ipaserver_no_forwarders** - Do not add any DNS forwarders. Root DNS servers will be used instead.
(bool, optional)
Variable | Description | Required
-------- | ----------- | --------
`ipaserver_allow_zone_overlap` | Allow creation of (reverse) zone even if the zone is already resolvable. (bool, default: false) | no
`ipaserver_reverse_zones` | The reverse DNS zones to use. (list of strings) | no
`ipaserver_no_reverse` | Do not create reverse DNS zone. (bool, default: false) | no
`ipaserver_auto_reverse` | Try to resolve reverse records and reverse zones for server IP addresses. (bool, default: false) | no
`ipaserver_zonemgr` | The e-mail address of the DNS zone manager. (string, default: hostmaster@DOMAIN.) | no
`ipaserver_forwarders` | Add DNS forwarders to the DNS configuration. (list of strings) | no
`ipaserver_no_forwarders` | Do not add any DNS forwarders. Root DNS servers will be used instead. (bool, default: false) | no
`ipaserver_auto_forwarders` | Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false) | no
`ipaserver_forward_policy` | DNS forwarding policy for global forwarders specified using other options. (choice: first|only) | no
`ipaserver_no_dnssec_validation` | Disable DNSSEC validation on this server. (bool, default: false) | no
**ipaserver_auto_forwarders** - Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS.
(bool, optional)
AD trust Variables
------------------
**ipaserver_forward_policy** - DNS forwarding policy for global forwarders specified using other options. first|only
(choice, optional)
Variable | Description | Required
-------- | ----------- | --------
`ipaserver_enable_compat`| Enables support for trusted domains users for old clients through Schema Compatibility plugin. (bool, default: false) | no
`ipaserver_netbios_name` | The NetBIOS name for the IPA domain. (string) | no
`ipaserver_rid_base` | First RID value of the local domain. (integer) | no
`ipaserver_secondary_rid_base` | Start value of the secondary RID range. (integer) | no
**ipaserver_reverse_zones** - The reverse DNS zones to use.
(list of strings, optional)
Special Variables
-----------------
**ipaserver_no_reverse** - Do not create reverse DNS zone.
(bool, optional)
**ipaserver_auto_reverse** - Try to resolve reverse records and reverse zones for server IP addresses.
(bool, optional)
**ipaserver_zonemgr** - The e-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN.
(string, optional)
**ipaserver_no_host_dns** - Do not use DNS for hostname lookup during installation.
(bool, optional)
**ipaserver_pki_config_override** - Path to ini file with config overrides.
(string, optional)
**ipaserver_no_dnssec_validation** - Disable DNSSEC validation on this server.
(bool, optional)
**ipaserver_allow_zone_overlap** - Allow creation of (reverse) zone even if the zone is already resolvable.
(bool, optional)
**ipaserver_setup_adtrust** - Configure AD Trust capability.
(bool, optional)
**ipaserver_netbios_name** - The NetBIOS name for the IPA domain.
(string, optional)
**ipaserver_rid_base** - First RID value of the local domain.
(integer, optional)
**ipaserver_secondary_rid_base** - Start value of the secondary RID range.
(integer, optional)
**ipaserver_enable_compat** - Enables support for trusted domains users for old clients through Schema Compatibility plugin.
(bool, optional)
**ipaclient_force_join** - Set force_join to yes to join the host even if it is already enrolled.
(bool, optional)
**ipaclient_no_ntp** - Set to no to not configure and enable NTP
(bool, optional)
**ipaclient_mkhomedir** - Set to yes to configure PAM to create a users home directory if it does not exist.
(string, optional)
Requirements
------------
freeipa-server v4.5 or later
Variable | Description | Required
-------- | ----------- | --------
`ipaserver_install_packages` | The bool value defines if the needed packages are installed on the node. (bool, default: true) | no
`ipaserver_setup_firewalld` | The value defines if the needed services will automatically be openen in the firewall managed by firewalld. (bool, default: true) | no
`ipaserver_external_cert_files_from_controller` | Files containing the IPA CA certificates and the external CA certificate chains on the controller that will be copied to the ipaserver host to `/root` folder. (list of string) | no
`ipaserver_copy_csr_to_controller` | Copy the generated CSR from the ipaserver to the controller as `"{{ inventory_hostname }}-ipa.csr"`. (bool) | no
Authors
-------
=======
Thomas Woerner

2
roles/ipaserver/defaults/main.yml
View File

@@ -36,7 +36,7 @@ ipaserver_install_packages: yes
ipaserver_setup_firewalld: yes
### additional ###
ipaserver_allow_missing: [ ]
ipaserver_copy_csr_to_controller: no
### uninstall ###
ipaserver_ignore_topology_disconnect: no

169
roles/ipaserver/library/ipaserver_prepare.py
View File

@@ -97,7 +97,9 @@ def main():
### ssl certificate ###
### client ###
### certificate system ###
external_ca=dict(required=False),
external_ca=dict(required=False, type='bool'),
external_ca_type=dict(required=False),
external_ca_profile=dict(required=False),
external_cert_files=dict(required=False, type='list', default=[]),
subject_base=dict(required=False),
ca_subject=dict(required=False),
@@ -152,6 +154,9 @@ def main():
#options.no_ntp = ansible_module.params.get('no_ntp')
### certificate system ###
options.external_ca = ansible_module.params.get('external_ca')
options.external_ca_type = ansible_module.params.get('external_ca_type')
options.external_ca_profile = ansible_module.params.get(
'external_ca_profile')
options.external_cert_files = ansible_module.params.get(
'external_cert_files')
options.subject_base = ansible_module.params.get('subject_base')
@@ -190,96 +195,102 @@ def main():
if not options.ca_subject:
options.ca_subject = str(default_ca_subject_dn(options.subject_base))
# Configuration for ipalib, we will bootstrap and finalize later, after
# we are sure we have the configuration file ready.
cfg = dict(
context='installer',
confdir=paths.ETC_IPA,
in_server=True,
# make sure host name specified by user is used instead of default
host=options.host_name,
)
if options.setup_ca:
# we have an IPA-integrated CA
cfg['ca_host'] = options.host_name
try:
# Create the management framework config file and finalize api
target_fname = paths.IPA_DEFAULT_CONF
fd = open(target_fname, "w")
fd.write("[global]\n")
fd.write("host=%s\n" % options.host_name)
fd.write("basedn=%s\n" % ipautil.realm_to_suffix(options.realm_name))
fd.write("realm=%s\n" % options.realm_name)
fd.write("domain=%s\n" % options.domain_name)
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % \
ipautil.format_netloc(options.host_name))
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % \
installutils.realm_to_serverid(options.realm_name))
if options.setup_ca:
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=10\n")
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
fd.write("mode=production\n")
fd.close()
# Configuration for ipalib, we will bootstrap and finalize later, after
# we are sure we have the configuration file ready.
cfg = dict(
context='installer',
confdir=paths.ETC_IPA,
in_server=True,
# make sure host name specified by user is used instead of default
host=options.host_name,
)
if options.setup_ca:
# we have an IPA-integrated CA
cfg['ca_host'] = options.host_name
# Must be readable for everyone
os.chmod(target_fname, 0o644)
# Create the management framework config file and finalize api
target_fname = paths.IPA_DEFAULT_CONF
fd = open(target_fname, "w")
fd.write("[global]\n")
fd.write("host=%s\n" % options.host_name)
fd.write("basedn=%s\n" % ipautil.realm_to_suffix(options.realm_name))
fd.write("realm=%s\n" % options.realm_name)
fd.write("domain=%s\n" % options.domain_name)
fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % \
ipautil.format_netloc(options.host_name))
fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % \
installutils.realm_to_serverid(options.realm_name))
if options.setup_ca:
fd.write("enable_ra=True\n")
fd.write("ra_plugin=dogtag\n")
fd.write("dogtag_version=10\n")
else:
fd.write("enable_ra=False\n")
fd.write("ra_plugin=none\n")
fd.write("mode=production\n")
fd.close()
api.bootstrap(**cfg)
api.finalize()
# Must be readable for everyone
os.chmod(target_fname, 0o644)
if options.setup_ca:
with redirect_stdout(ansible_log):
ca.install_check(False, None, options)
if options.setup_kra:
with redirect_stdout(ansible_log):
kra.install_check(api, None, options)
api.bootstrap(**cfg)
api.finalize()
if options.setup_dns:
with redirect_stdout(ansible_log):
dns.install_check(False, api, False, options, options.host_name)
ip_addresses = dns.ip_addresses
else:
ip_addresses = get_server_ip_address(options.host_name,
not options.interactive, False,
options.ip_addresses)
if options.setup_ca:
with redirect_stdout(ansible_log):
ca.install_check(False, None, options)
if options.setup_kra:
with redirect_stdout(ansible_log):
kra.install_check(api, None, options)
# check addresses here, dns module is doing own check
no_matching_interface_for_ip_address_warning(ip_addresses)
options.ip_addresses = ip_addresses
options.reverse_zones = dns.reverse_zones
if options.setup_dns:
with redirect_stdout(ansible_log):
dns.install_check(False, api, False, options, options.host_name)
ip_addresses = dns.ip_addresses
else:
ip_addresses = get_server_ip_address(options.host_name,
not options.interactive, False,
options.ip_addresses)
instance_name = "-".join(options.realm_name.split("."))
dirsrv = services.knownservices.dirsrv
if (options.external_cert_files
and dirsrv.is_installed(instance_name)
and not dirsrv.is_running(instance_name)):
logger.debug('Starting Directory Server')
services.knownservices.dirsrv.start(instance_name)
# check addresses here, dns module is doing own check
no_matching_interface_for_ip_address_warning(ip_addresses)
options.ip_addresses = ip_addresses
options.reverse_zones = dns.reverse_zones
if options.setup_adtrust:
with redirect_stdout(ansible_log):
adtrust.install_check(False, options, api)
instance_name = "-".join(options.realm_name.split("."))
dirsrv = services.knownservices.dirsrv
if (options.external_cert_files
and dirsrv.is_installed(instance_name)
and not dirsrv.is_running(instance_name)):
logger.debug('Starting Directory Server')
services.knownservices.dirsrv.start(instance_name)
_update_hosts_file = False
# options needs to update hosts file when DNS subsystem will be
# installed or custom addresses are used
if options.ip_addresses or options.setup_dns:
_update_hosts_file = True
if options.setup_adtrust:
with redirect_stdout(ansible_log):
adtrust.install_check(False, options, api)
if options._host_name_overridden:
tasks.backup_hostname(fstore, sstore)
tasks.set_hostname(options.host_name)
_update_hosts_file = False
# options needs to update hosts file when DNS subsystem will be
# installed or custom addresses are used
if options.ip_addresses or options.setup_dns:
_update_hosts_file = True
if _update_hosts_file:
update_hosts_file(ip_addresses, options.host_name, fstore)
if options._host_name_overridden:
tasks.backup_hostname(fstore, sstore)
tasks.set_hostname(options.host_name)
if hasattr(tasks, "configure_pkcs11_modules"):
if tasks.configure_pkcs11_modules(fstore):
ansible_log.info("Disabled p11-kit-proxy")
if _update_hosts_file:
update_hosts_file(ip_addresses, options.host_name, fstore)
if hasattr(tasks, "configure_pkcs11_modules"):
if tasks.configure_pkcs11_modules(fstore):
ansible_log.info("Disabled p11-kit-proxy")
except (RuntimeError, ValueError, ScriptError,
ipautil.CalledProcessError) as e:
ansible_module.fail_json(msg=str(e))
ansible_module.exit_json(changed=True,
### basic ###

96
roles/ipaserver/library/ipaserver_setup_ca.py
View File

@@ -106,7 +106,9 @@ def main():
_dirsrv_pkcs12_info=dict(required=False),
### certificate system ###
external_ca=dict(required=False, type='bool', default=False),
external_cert_files=dict(required=False, type='list', default=[]),
external_ca_type=dict(required=False),
external_ca_profile=dict(required=False),
external_cert_files=dict(required=False, type='list', default=None),
subject_base=dict(required=False),
_subject_base=dict(required=False),
ca_subject=dict(required=False),
@@ -154,6 +156,9 @@ def main():
'_dirsrv_pkcs12_info')
### certificate system ###
options.external_ca = ansible_module.params.get('external_ca')
options.external_ca_type = ansible_module.params.get('external_ca_type')
options.external_ca_profile = ansible_module.params.get(
'external_ca_profile')
options.external_cert_files = ansible_module.params.get(
'external_cert_files')
options.subject_base = ansible_module.params.get('subject_base')
@@ -175,6 +180,13 @@ def main():
options.promote = False # first master, no promotion
# Repeat from ca.install_check
# ca.external_cert_file and ca.external_ca_file need to be set
if options.external_cert_files:
ca.external_cert_file, ca.external_ca_file = \
installutils.load_external_cert(
options.external_cert_files, options._ca_subject)
fstore = sysrestore.FileStore(paths.SYSRESTORE)
api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
@@ -190,53 +202,61 @@ def main():
# setup CA ##############################################################
with redirect_stdout(ansible_log):
if hasattr(custodiainstance, "get_custodia_instance"):
if hasattr(custodiainstance.CustodiaModes, "FIRST_MASTER"):
mode = custodiainstance.CustodiaModes.FIRST_MASTER
else:
mode = custodiainstance.CustodiaModes.MASTER_PEER
custodia = custodiainstance.get_custodia_instance(options, mode)
if hasattr(custodiainstance, "get_custodia_instance"):
if hasattr(custodiainstance.CustodiaModes, "FIRST_MASTER"):
mode = custodiainstance.CustodiaModes.FIRST_MASTER
else:
mode = custodiainstance.CustodiaModes.MASTER_PEER
custodia = custodiainstance.get_custodia_instance(options, mode)
custodia.set_output(ansible_log)
with redirect_stdout(ansible_log):
custodia.create_instance()
if options.setup_ca:
if not options.external_cert_files and options.external_ca:
# stage 1 of external CA installation
cache_vars = {n: options.__dict__[n] for o, n in options.knobs()
if n in options.__dict__}
write_cache(cache_vars)
if options.setup_ca:
if not options.external_cert_files and options.external_ca:
# stage 1 of external CA installation
cache_vars = {n: options.__dict__[n] for o, n in options.knobs()
if n in options.__dict__}
write_cache(cache_vars)
if hasattr(custodiainstance, "get_custodia_instance"):
ca.install_step_0(False, None, options, custodia=custodia)
else:
ca.install_step_0(False, None, options)
try:
with redirect_stdout(ansible_log):
if hasattr(custodiainstance, "get_custodia_instance"):
ca.install_step_0(False, None, options, custodia=custodia)
else:
ca.install_step_0(False, None, options)
except SystemExit:
ansible_module.exit_json(changed=True,
csr_generated=True)
else:
# Put the CA cert where other instances expect it
x509.write_certificate(options._http_ca_cert, paths.IPA_CA_CRT)
os.chmod(paths.IPA_CA_CRT, 0o444)
if not options.no_pkinit:
x509.write_certificate(options._http_ca_cert,
paths.KDC_CA_BUNDLE_PEM)
else:
# Put the CA cert where other instances expect it
x509.write_certificate(options._http_ca_cert, paths.IPA_CA_CRT)
os.chmod(paths.IPA_CA_CRT, 0o444)
with open(paths.KDC_CA_BUNDLE_PEM, 'w'):
pass
os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444)
if not options.no_pkinit:
x509.write_certificate(options._http_ca_cert,
paths.KDC_CA_BUNDLE_PEM)
else:
with open(paths.KDC_CA_BUNDLE_PEM, 'w'):
pass
os.chmod(paths.KDC_CA_BUNDLE_PEM, 0o444)
x509.write_certificate(options._http_ca_cert, paths.CA_BUNDLE_PEM)
os.chmod(paths.CA_BUNDLE_PEM, 0o444)
x509.write_certificate(options._http_ca_cert, paths.CA_BUNDLE_PEM)
os.chmod(paths.CA_BUNDLE_PEM, 0o444)
with redirect_stdout(ansible_log):
# we now need to enable ssl on the ds
ds.enable_ssl()
if options.setup_ca:
with redirect_stdout(ansible_log):
if hasattr(custodiainstance, "get_custodia_instance"):
ca.install_step_1(False, None, options, custodia=custodia)
else:
ca.install_step_1(False, None, options)
if options.setup_ca:
with redirect_stdout(ansible_log):
if hasattr(custodiainstance, "get_custodia_instance"):
ca.install_step_1(False, None, options, custodia=custodia)
else:
ca.install_step_1(False, None, options)
ansible_module.exit_json(changed=True)
ansible_module.exit_json(changed=True,
csr_generated=False)
if __name__ == '__main__':
main()

29
roles/ipaserver/library/ipaserver_setup_ntp.py
View File

@@ -51,12 +51,20 @@ from ansible.module_utils.ansible_ipa_server import *
def main():
ansible_module = AnsibleModule(
argument_spec = dict(),
argument_spec = dict(
ntp_servers=dict(required=False, type='list', default=None),
ntp_pool=dict(required=False, default=None),
),
)
ansible_module._ansible_debug = True
ansible_log = AnsibleModuleLog(ansible_module)
# set values ############################################################
options.ntp_servers = ansible_module.params.get('ntp_servers')
options.ntp_pool = ansible_module.params.get('ntp_pool')
# init ##########################################################
fstore = sysrestore.FileStore(paths.SYSRESTORE)
@@ -70,14 +78,19 @@ def main():
# chrony will be handled here in uninstall() method as well by invoking
# the ipa-server-install --uninstall
ansible_module.log("Synchronizing time")
options.ntp_servers = None
options.ntp_pool = None
if sync_time(options, fstore, sstore):
ansible_module.log("Time synchronization was successful.")
argspec = inspect.getargspec(sync_time)
if "options" not in argspec.args:
synced_ntp = sync_time(options.ntp_servers, options.ntp_pool,
fstore, sstore)
else:
ansible_module.warn("IPA was unable to sync time with chrony!")
ansible_module.warn("Time synchronization is required for IPA "
"to work correctly")
synced_ntp = sync_time(options, fstore, sstore)
if not synced_ntp:
ansible_module.log(
"Warning: IPA was unable to sync time with chrony!")
ansible_module.log(
" Time synchronization is required for IPA "
"to work correctly")
else:
# Configure ntpd
timeconf.force_ntpd(sstore)

439
roles/ipaserver/library/ipaserver_test.py
View File

@@ -77,17 +77,19 @@ def main():
# no_ui_redirect
dirsrv_config_file=dict(required=False),
### ssl certificate ###
dirsrv_cert_files=dict(required=False, type='list', default=[]),
http_cert_files=dict(required=False, type='list', default=[]),
pkinit_cert_files=dict(required=False, type='list', default=[]),
# dirsrv_pin
# http_pin
# pkinit_pin
# dirsrv_name
# http_name
# pkinit_name
dirsrv_cert_files=dict(required=False, type='list', default=None),
http_cert_files=dict(required=False, type='list', defaullt=None),
pkinit_cert_files=dict(required=False, type='list', default=None),
dirsrv_pin=dict(required=False),
http_pin=dict(required=False),
pkinit_pin=dict(required=False),
dirsrv_cert_name=dict(required=False),
http_cert_name=dict(required=False),
pkinit_cert_name=dict(required=False),
### client ###
# mkhomedir
ntp_servers=dict(required=False, type='list', default=None),
ntp_pool=dict(required=False, default=None),
no_ntp=dict(required=False, type='bool', default=False),
# ssh_trust_dns
# no_ssh
@@ -96,7 +98,8 @@ def main():
### certificate system ###
external_ca=dict(required=False, type='bool', default=False),
external_ca_type=dict(required=False),
external_cert_files=dict(required=False, type='list', default=[]),
external_ca_profile=dict(required=False),
external_cert_files=dict(required=False, type='list', default=None),
subject_base=dict(required=False),
ca_subject=dict(required=False),
# ca_signing_algorithm
@@ -155,14 +158,16 @@ def main():
options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
options.http_cert_files = ansible_module.params.get('http_cert_files')
options.pkinit_cert_files = ansible_module.params.get('pkinit_cert_files')
# dirsrv_pin
# http_pin
# pkinit_pin
# dirsrv_name
# http_name
# pkinit_name
options.dirsrv_pin = ansible_module.params.get('dirsrv_pin'),
options.http_pin = ansible_module.params.get('http_pin'),
options.pkinit_pin = ansible_module.params.get('pkinit_pin'),
options.dirsrv_cert_name = ansible_module.params.get('dirsrv_cert_name'),
options.http_cert_name = ansible_module.params.get('http_cert_name'),
options.pkinit_cert_name = ansible_module.params.get('pkinit_cert_name'),
### client ###
# mkhomedir
options.ntp_servers = ansible_module.params.get('ntp_servers')
options.ntp_pool = ansible_module.params.get('ntp_pool')
options.no_ntp = ansible_module.params.get('no_ntp')
# ssh_trust_dns
# no_ssh
@@ -171,6 +176,8 @@ def main():
### certificate system ###
options.external_ca = ansible_module.params.get('external_ca')
options.external_ca_type = ansible_module.params.get('external_ca_type')
options.external_ca_profile = ansible_module.params.get(
'external_ca_profile')
options.external_cert_files = ansible_module.params.get(
'external_cert_files')
options.subject_base = ansible_module.params.get('subject_base')
@@ -226,25 +233,6 @@ def main():
ansible_module.fail_json(
msg="pki_config_override: %s" % str(e))
# validation #############################################################
if options.dm_password is None:
ansible_module.fail_json(msg="Directory Manager password required")
if options.admin_password is None:
ansible_module.fail_json(msg="IPA admin password required")
# This will override any settings passed in on the cmdline
if os.path.isfile(paths.ROOT_IPA_CACHE):
# dm_password check removed, checked already
try:
cache_vars = read_cache(options.dm_password)
options.__dict__.update(cache_vars)
if cache_vars.get('external_ca', False):
options.external_ca = False
options.interactive = False
except Exception as e:
ansible_module.fail_json(msg="Cannot process the cache file: %s" % str(e))
# default values ########################################################
# idstart and idmax
@@ -253,50 +241,190 @@ def main():
if options.idmax is None or options.idmax == 0:
options.idmax = options.idstart + 199999
# validation ############################################################
#class ServerInstallInterface(ServerCertificateInstallInterface,
# client.ClientInstallInterface,
# ca.CAInstallInterface,
# kra.KRAInstallInterface,
# dns.DNSInstallInterface,
# adtrust.ADTrustInstallInterface,
# conncheck.ConnCheckInterface,
# ServerUninstallInterface):
# domain_level
if options.domain_level < MIN_DOMAIN_LEVEL:
ansible_module.fail_json(
msg="Domain Level cannot be lower than %d" % MIN_DOMAIN_LEVEL)
elif options.domain_level > MAX_DOMAIN_LEVEL:
ansible_module.fail_json(
msg="Domain Level cannot be higher than %d" % MAX_DOMAIN_LEVEL)
# ServerInstallInterface.__init__ #######################################
try:
self = options
# dirsrv_config_file
if options.dirsrv_config_file is not None:
if not os.path.exists(options.dirsrv_config_file):
ansible_module.fail_json(
msg="File %s does not exist." % options.dirsrv_config_file)
# If any of the key file options are selected, all are required.
cert_file_req = (self.dirsrv_cert_files, self.http_cert_files)
cert_file_opt = (self.pkinit_cert_files,)
if not self.no_pkinit:
cert_file_req += cert_file_opt
if self.no_pkinit and self.pkinit_cert_files:
raise RuntimeError(
"--no-pkinit and --pkinit-cert-file cannot be specified "
"together"
)
if any(cert_file_req + cert_file_opt) and not all(cert_file_req):
raise RuntimeError(
"--dirsrv-cert-file, --http-cert-file, and --pkinit-cert-file "
"or --no-pkinit are required if any key file options are used."
)
# domain_name
if (options.setup_dns and not options.allow_zone_overlap and \
options.domain_name is not None):
try:
check_zone_overlap(options.domain_name, False)
except ValueError as e:
ansible_module.fail_json(msg=str(e))
if not self.interactive:
if self.dirsrv_cert_files and self.dirsrv_pin is None:
raise RuntimeError(
"You must specify --dirsrv-pin with --dirsrv-cert-file")
if self.http_cert_files and self.http_pin is None:
raise RuntimeError(
"You must specify --http-pin with --http-cert-file")
if self.pkinit_cert_files and self.pkinit_pin is None:
raise RuntimeError(
"You must specify --pkinit-pin with --pkinit-cert-file")
# dm_password
with redirect_stdout(ansible_log):
validate_dm_password(options.dm_password)
if not self.setup_dns:
if self.forwarders:
raise RuntimeError(
"You cannot specify a --forwarder option without the "
"--setup-dns option")
if self.auto_forwarders:
raise RuntimeError(
"You cannot specify a --auto-forwarders option without "
"the --setup-dns option")
if self.no_forwarders:
raise RuntimeError(
"You cannot specify a --no-forwarders option without the "
"--setup-dns option")
if self.forward_policy:
raise RuntimeError(
"You cannot specify a --forward-policy option without the "
"--setup-dns option")
if self.reverse_zones:
raise RuntimeError(
"You cannot specify a --reverse-zone option without the "
"--setup-dns option")
if self.auto_reverse:
raise RuntimeError(
"You cannot specify a --auto-reverse option without the "
"--setup-dns option")
if self.no_reverse:
raise RuntimeError(
"You cannot specify a --no-reverse option without the "
"--setup-dns option")
if self.no_dnssec_validation:
raise RuntimeError(
"You cannot specify a --no-dnssec-validation option "
"without the --setup-dns option")
elif self.forwarders and self.no_forwarders:
raise RuntimeError(
"You cannot specify a --forwarder option together with "
"--no-forwarders")
elif self.auto_forwarders and self.no_forwarders:
raise RuntimeError(
"You cannot specify a --auto-forwarders option together with "
"--no-forwarders")
elif self.reverse_zones and self.no_reverse:
raise RuntimeError(
"You cannot specify a --reverse-zone option together with "
"--no-reverse")
elif self.auto_reverse and self.no_reverse:
raise RuntimeError(
"You cannot specify a --auto-reverse option together with "
"--no-reverse")
# admin_password
with redirect_stdout(ansible_log):
validate_admin_password(options.admin_password)
if not self.setup_adtrust:
if self.add_agents:
raise RuntimeError(
"You cannot specify an --add-agents option without the "
"--setup-adtrust option")
# pkinit is not supported on DL0, don't allow related options
if self.enable_compat:
raise RuntimeError(
"You cannot specify an --enable-compat option without the "
"--setup-adtrust option")
# replica install: if not self.replica_file is None:
if (not options._replica_install and \
not options.domain_level > DOMAIN_LEVEL_0) or \
(options._replica_install and self.replica_file is not None):
if (options.no_pkinit or options.pkinit_cert_files is not None or
options.pkinit_pin is not None):
ansible_module.fail_json(
msg="pkinit on domain level 0 is not supported. Please "
"don't use any pkinit-related options.")
options.no_pkinit = True
if self.netbios_name:
raise RuntimeError(
"You cannot specify a --netbios-name option without the "
"--setup-adtrust option")
if self.no_msdcs:
raise RuntimeError(
"You cannot specify a --no-msdcs option without the "
"--setup-adtrust option")
if not hasattr(self, 'replica_install'):
if self.external_cert_files and self.dirsrv_cert_files:
raise RuntimeError(
"Service certificate file options cannot be used with the "
"external CA options.")
if self.external_ca_type and not self.external_ca:
raise RuntimeError(
"You cannot specify --external-ca-type without "
"--external-ca")
if self.external_ca_profile and not self.external_ca:
raise RuntimeError(
"You cannot specify --external-ca-profile without "
"--external-ca")
if self.uninstalling:
if (self.realm_name or self.admin_password or
self.master_password):
raise RuntimeError(
"In uninstall mode, -a, -r and -P options are not "
"allowed")
elif not self.interactive:
if (not self.realm_name or not self.dm_password or
not self.admin_password):
raise RuntimeError(
"In unattended mode you need to provide at least -r, "
"-p and -a options")
if self.setup_dns:
if (not self.forwarders and
not self.no_forwarders and
not self.auto_forwarders):
raise RuntimeError(
"You must specify at least one of --forwarder, "
"--auto-forwarders, or --no-forwarders options")
any_ignore_option_true = any(
[self.ignore_topology_disconnect, self.ignore_last_of_role])
if any_ignore_option_true and not self.uninstalling:
raise RuntimeError(
"'--ignore-topology-disconnect/--ignore-last-of-role' "
"options can be used only during uninstallation")
if self.idmax < self.idstart:
raise RuntimeError(
"idmax (%s) cannot be smaller than idstart (%s)" %
(self.idmax, self.idstart))
else:
# replica installers
if self.servers and not self.domain_name:
raise RuntimeError(
"The --server option cannot be used without providing "
"domain via the --domain option")
if self.setup_dns:
if (not self.forwarders and
not self.no_forwarders and
not self.auto_forwarders):
raise RuntimeError(
"You must specify at least one of --forwarder, "
"--auto-forwarders, or --no-forwarders options")
except RuntimeError as e:
ansible_module.fail_json(msg=e)
# #######################################################################
# If any of the key file options are selected, all are required.
cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
@@ -351,7 +479,7 @@ def main():
ansible_module.fail_json(
msg="You cannot specify auto-reverse together with no-reverse")
if not options._replica_install:
if not hasattr(self, 'replica_install'):
if options.external_cert_files and options.dirsrv_cert_files:
ansible_module.fail_json(
msg="Service certificate file options cannot be used with the "
@@ -403,34 +531,63 @@ def main():
ansible_module.fail_json(
msg="idmax (%s) cannot be smaller than idstart (%s)" %
(options.idmax, options.idstart))
else:
# replica install
if options.replica_file is None:
if options.servers and not options.domain_name:
ansible_module.fail_json(
msg="servers cannot be used without providing domain")
else:
if not os.path.isfile(options.replica_file):
ansible_module.fail_json(
msg="Replica file %s does not exist" % options.replica_file)
# validation #############################################################
if options.dm_password is None:
ansible_module.fail_json(msg="Directory Manager password required")
if options.admin_password is None:
ansible_module.fail_json(msg="IPA admin password required")
# validation ############################################################
# domain_level
if options.domain_level < MIN_DOMAIN_LEVEL:
ansible_module.fail_json(
msg="Domain Level cannot be lower than %d" % MIN_DOMAIN_LEVEL)
elif options.domain_level > MAX_DOMAIN_LEVEL:
ansible_module.fail_json(
msg="Domain Level cannot be higher than %d" % MAX_DOMAIN_LEVEL)
# dirsrv_config_file
if options.dirsrv_config_file is not None:
if not os.path.exists(options.dirsrv_config_file):
ansible_module.fail_json(
msg="File %s does not exist." % options.dirsrv_config_file)
# domain_name
if (options.setup_dns and not options.allow_zone_overlap and \
options.domain_name is not None):
try:
check_zone_overlap(options.domain_name, False)
except ValueError as e:
ansible_module.fail_json(str(e))
# dm_password
with redirect_stdout(ansible_log):
validate_dm_password(options.dm_password)
# admin_password
with redirect_stdout(ansible_log):
validate_admin_password(options.admin_password)
# pkinit is not supported on DL0, don't allow related options
"""
# replica install: if not options.replica_file is None:
if (not options._replica_install and \
not options.domain_level > DOMAIN_LEVEL_0) or \
(options._replica_install and options.replica_file is not None):
if (options.no_pkinit or options.pkinit_cert_files is not None or
options.pkinit_pin is not None):
ansible_module.fail_json(
msg="pkinit on domain level 0 is not supported. Please "
"don't use any pkinit-related options.")
options.no_pkinit = True
"""
if any(cert_file_req + cert_file_opt):
ansible_module.fail_json(
msg="You cannot specify dirsrv-cert-file, http-cert-file, "
"or pkinit-cert-file together with replica file")
conflicting = { "realm": options.realm_name,
"domain": options.domain_name,
"hostname": options.host_name,
"servers": options.servers,
"principal": options.principal }
conflicting_names = [ name for name in conflicting
if conflicting[name] is not None ]
if len(conflicting_names) > 0:
ansible_module.fail_json(
msg="You cannot specify %s option(s) with replica file." % \
", ".join(conflicting_names))
if options.setup_dns:
if len(options.forwarders) < 1 and not options.no_forwarders and \
@@ -439,11 +596,12 @@ def main():
msg="You must specify at least one of forwarders, "
"auto-forwarders or no-forwarders")
if NUM_VERSION >= 40200 and options.master_password:
ansible_module.warn("Specifying master-password is deprecated")
if NUM_VERSION >= 40200 and options.master_password and \
not options.external_cert_files:
ansible_module.warn("Specifying kerberos master-password is deprecated")
options._installation_cleanup = True
if not options.external_ca and len(options.external_cert_files) < 1 and \
if not options.external_ca and not options.external_cert_files and \
is_ipa_configured():
options._installation_cleanup = False
ansible_module.log(
@@ -469,29 +627,37 @@ def main():
# validate zonemgr
if options.zonemgr:
try:
# IDNA support requires unicode
encoding = getattr(sys.stdin, 'encoding', None)
if encoding is None:
encoding = 'utf-8'
value = options.zonemgr.decode(encoding)
if six.PY3:
with redirect_stdout(ansible_log):
bindinstance.validate_zonemgr_str(value)
except ValueError as e:
# FIXME we can do this in better way
# https://fedorahosted.org/freeipa/ticket/4804
# decode to proper stderr encoding
stderr_encoding = getattr(sys.stderr, 'encoding', None)
if stderr_encoding is None:
stderr_encoding = 'utf-8'
error = unicode(e).encode(stderr_encoding)
ansible_module.fail_json(msg=error)
bindinstance.validate_zonemgr_str(options.zonemgr)
else:
try:
# IDNA support requires unicode
encoding = getattr(sys.stdin, 'encoding', None)
if encoding is None:
encoding = 'utf-8'
if not isinstance(value, unicode):
value = options.zonemgr.decode(encoding)
else:
value = options.zonemgr
with redirect_stdout(ansible_log):
bindinstance.validate_zonemgr_str(value)
except ValueError as e:
# FIXME we can do this in better way
# https://fedorahosted.org/freeipa/ticket/4804
# decode to proper stderr encoding
stderr_encoding = getattr(sys.stderr, 'encoding', None)
if stderr_encoding is None:
stderr_encoding = 'utf-8'
error = unicode(e).encode(stderr_encoding)
ansible_module.fail_json(msg=error)
# external cert file paths are absolute
for path in options.external_cert_files:
if not os.path.isabs(path):
ansible_module.fail_json(
msg="External cert file '%s' must use an absolute path" % path)
if options.external_cert_files:
for path in options.external_cert_files:
if not os.path.isabs(path):
ansible_module.fail_json(
msg="External cert file '%s' must use an absolute path" % path)
options.setup_ca = True
# We only set up the CA if the PKCS#12 options are not given.
@@ -510,6 +676,18 @@ def main():
ansible_module.fail_json(msg=
"--setup-kra cannot be used with CA-less installation")
# This will override any settings passed in on the cmdline
if os.path.isfile(paths.ROOT_IPA_CACHE):
# dm_password check removed, checked already
try:
cache_vars = read_cache(options.dm_password)
options.__dict__.update(cache_vars)
if cache_vars.get('external_ca', False):
options.external_ca = False
options.interactive = False
except Exception as e:
ansible_module.fail_json(msg="Cannot process the cache file: %s" % str(e))
# ca_subject
if options.ca_subject:
ca.subject_validator(ca.VALID_SUBJECT_ATTRS, options.ca_subject)
@@ -531,9 +709,10 @@ def main():
try:
timeconf.check_timedate_services()
except timeconf.NTPConflictingService as e:
ansible_module.log("Conflicting time&date synchronization service '%s'"
" will be disabled in favor of %s" % \
(e.conflicting_service, time_service))
ansible_module.log(
"WARNING: conflicting time&date synchronization service "
"'%s' will be disabled in favor of chronyd" % \
e.conflicting_service)
except timeconf.NTPConfigurationError:
pass
@@ -603,6 +782,11 @@ def main():
"You will not be able to establish trusts with Active "
"Directory.")
# Do not ask for time source
#if not options.no_ntp and not options.unattended and not (
# options.ntp_servers or options.ntp_pool):
# options.ntp_servers, options.ntp_pool = timeconf.get_time_source()
#########################################################################
http_pkcs12_file = None
@@ -690,9 +874,16 @@ def main():
_pkinit_pkcs12_file=pkinit_pkcs12_file,
_pkinit_pkcs12_info=pkinit_pkcs12_info,
_pkinit_ca_cert=pkinit_ca_cert,
### certificate system ###
external_ca=options.external_ca,
external_ca_type=options.external_ca_type,
external_ca_profile=options.external_ca_profile,
### ad trust ###
rid_base=options.rid_base,
secondary_rid_base=options.secondary_rid_base,
### client ###
ntp_servers=options.ntp_servers,
ntp_pool=options.ntp_pool,
### additional ###
_installation_cleanup=_installation_cleanup,
domainlevel=options.domainlevel)

35
roles/ipaserver/module_utils/ansible_ipa_server.py
View File

@@ -100,7 +100,7 @@ if NUM_VERSION >= 40500:
update_hosts_file)
from ipaserver.install.server.install import (
check_dirsrv, validate_admin_password, validate_dm_password,
write_cache)
read_cache, write_cache)
try:
from ipaserver.install.dogtaginstance import PKIIniLoader
except ImportError:
@@ -218,6 +218,39 @@ options.add_sids = True
options.add_agents = False
# Installable
options.uninstalling = False
# ServerInstallInterface
options.description = "Server"
options.kinit_attempts = 1
options.fixed_primary = True
options.permit = False
options.enable_dns_updates = False
options.no_krb5_offline_passwords = False
options.preserve_sssd = False
options.no_sssd = False
# ServerMasterInstall
options.force_join = False
options.servers = None
options.no_wait_for_dns = True
options.host_password = None
options.keytab = None
options.setup_ca = True
# always run sidgen task and do not allow adding agents on first master
options.add_sids = True
options.add_agents = False
# ADTrustInstallInterface
# no_msdcs is deprecated
options.no_msdcs = False
# Uninstall
options.ignore_topology_disconnect = False
options.ignore_last_of_role = False
def api_Backend_ldap2(host_name, setup_ca, connect=False):
# we are sure we have the configuration file ready.
cfg = dict(context='installer', confdir=paths.ETC_IPA, in_server=True,

12
roles/ipaserver/tasks/copy_external_cert.yml Normal file
View File

@@ -0,0 +1,12 @@
- name: Install - Initialize ipaserver_external_cert_files
set_fact:
ipaserver_external_cert_files: []
when: ipaserver_external_cert_files is undefined
- name: Install - Copy "{{ item }}" "{{ inventory_hostname }}':/root/'{{ item }}"
copy:
src: "{{ item }}"
dest: "/root/{{ item }}"
force: yes
- name: Install - Extend ipaserver_external_cert_files with "/root/{{ item }}"
set_fact:
ipaserver_external_cert_files: "{{ ipaserver_external_cert_files }} + [ '/root/{{ item }}' ]"

329
roles/ipaserver/tasks/install.yml
View File

@@ -4,22 +4,19 @@
- block:
- name: Install - Ensure that IPA server packages are installed
package:
name: "{{ item }}"
name: "{{ ipaserver_packages }}"
state: present
with_items: "{{ ipaserver_packages }}"
- name: Install - Ensure that IPA server packages for dns are installed
package:
name: "{{ item }}"
name: "{{ ipaserver_packages_dns }}"
state: present
with_items: "{{ ipaserver_packages_dns }}"
when: ipaserver_setup_dns | bool
- name: Install - Ensure that IPA server packages for adtrust are installed
package:
name: "{{ item }}"
name: "{{ ipaserver_packages_adtrust }}"
state: present
with_items: "{{ ipaserver_packages_adtrust }}"
when: ipaserver_setup_adtrust | bool
when: ipaserver_install_packages | bool
@@ -27,6 +24,12 @@
#- name: Install - Include Python2/3 import test
# import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
- include_tasks: "{{ role_path }}/tasks/copy_external_cert.yml"
with_items: "{{ ipaserver_external_cert_files_from_controller }}"
when: ipaserver_external_cert_files_from_controller is defined and
ipaserver_external_cert_files_from_controller|length > 0 and
not ipaserver_external_cert_files is defined
- name: Install - Server installation test
ipaserver_test:
### basic ###
@@ -50,9 +53,9 @@
# no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
### ssl certificate ###
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}"
pkinit_cert_files: "{{ ipaserver_pkinit_cert_files | default([]) }}"
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}"
http_cert_files: "{{ ipaserver_http_cert_files | default(omit) }}"
pkinit_cert_files: "{{ ipaserver_pkinit_cert_files | default(omit) }}"
# dirsrv_pin
# http_pin
# pkinit_pin
@@ -61,6 +64,8 @@
# pkinit_name
### client ###
# mkhomedir
ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
no_ntp: "{{ ipaclient_no_ntp }}"
# ssh_trust_dns
# no_ssh
@@ -69,7 +74,8 @@
### certificate system ###
external_ca: "{{ ipaserver_external_ca }}"
external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
external_ca_profile: "{{ ipaserver_external_ca_profile | default(omit) }}"
external_cert_files: "{{ ipaserver_external_cert_files | default(omit) }}"
subject_base: "{{ ipaserver_subject_base | default(omit) }}"
ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"
# ca_signing_algorithm
@@ -131,8 +137,12 @@
setup_kra: "{{ ipaserver_setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
### certificate system ###
# external_ca
# external_cert_files
external_ca: "{{ ipaserver_external_ca }}"
external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
external_ca_profile:
"{{ ipaserver_external_ca_profile | default(omit) }}"
external_cert_files:
"{{ ipaserver_external_cert_files | default(omit) }}"
subject_base: "{{ ipaserver_subject_base | default(omit) }}"
ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"
### dns ###
@@ -158,6 +168,8 @@
- name: Install - Setup NTP
ipaserver_setup_ntp:
ntp_servers: "{{ result_ipaserver_test.ntp_servers | default(omit) }}"
ntp_pool: "{{ result_ipaserver_test.ntp_pool | default(omit) }}"
when: not ipaclient_no_ntp | bool and (ipaserver_external_cert_files
is undefined or ipaserver_external_cert_files|length < 1)
@@ -177,8 +189,9 @@
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
# no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default(omit) }}"
external_cert_files:
"{{ ipaserver_external_cert_files | default(omit) }}"
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
# no_reverse: "{{ ipaserver_no_reverse }}"
@@ -203,7 +216,8 @@
setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
external_cert_files:
"{{ ipaserver_external_cert_files | default(omit) }}"
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
no_reverse: "{{ ipaserver_no_reverse }}"
@@ -244,7 +258,11 @@
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info }}"
external_ca: "{{ ipaserver_external_ca }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
external_ca_profile:
"{{ ipaserver_external_ca_profile | default(omit) }}"
external_cert_files:
"{{ ipaserver_external_cert_files | default(omit) }}"
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
_subject_base: "{{ result_ipaserver_prepare._subject_base }}"
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
@@ -254,150 +272,163 @@
reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
register: result_ipaserver_setup_ca
- name: Install - Setup otpd
ipaserver_setup_otpd:
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
- name: Copy /root/ipa.csr to "{{ inventory_hostname }}-ipa.csr"
fetch:
src: /root/ipa.csr
dest: "{{ inventory_hostname }}-ipa.csr"
flat: yes
when: result_ipaserver_setup_ca.csr_generated | bool and
ipaserver_copy_csr_to_controller | bool
- name: Install - Setup HTTP
ipaserver_setup_http:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
master_password: "{{ ipaserver_master_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
# ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
_subject_base: "{{ result_ipaserver_prepare._subject_base }}"
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
_ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}"
no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
- block:
- name: Install - Setup otpd
ipaserver_setup_otpd:
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
- name: Install - Setup KRA
ipaserver_setup_kra:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
dm_password: "{{ ipadm_password }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
realm: "{{ result_ipaserver_test.realm }}"
pki_config_override: "{{ ipaserver_pki_config_override |
default(omit) }}"
when: result_ipaserver_test.setup_kra | bool
- name: Install - Setup HTTP
ipaserver_setup_http:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
master_password: "{{ ipaserver_master_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
# ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}"
reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
external_cert_files:
"{{ ipaserver_external_cert_files | default(omit) }}"
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
_subject_base: "{{ result_ipaserver_prepare._subject_base }}"
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
_ca_subject: "{{ result_ipaserver_prepare._ca_subject }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}"
no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
- name: Install - Setup DNS
ipaserver_setup_dns:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
setup_dns: "{{ ipaserver_setup_dns }}"
forwarders: "{{ result_ipaserver_prepare.forwarders }}"
forward_policy: "{{ result_ipaserver_prepare.forward_policy }}"
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
no_dnssec_validation: "{{ result_ipaserver_prepare.no_dnssec_validation }}"
### additional ###
dns_ip_addresses: "{{ result_ipaserver_prepare.dns_ip_addresses }}"
dns_reverse_zones: "{{ result_ipaserver_prepare.dns_reverse_zones }}"
when: ipaserver_setup_dns | bool
- name: Install - Setup KRA
ipaserver_setup_kra:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
dm_password: "{{ ipadm_password }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
realm: "{{ result_ipaserver_test.realm }}"
pki_config_override: "{{ ipaserver_pki_config_override |
default(omit) }}"
when: result_ipaserver_test.setup_kra | bool
- name: Install - Setup ADTRUST
ipaserver_setup_adtrust:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
### ad trust ###
enable_compat: "{{ ipaserver_enable_compat }}"
rid_base: "{{ result_ipaserver_test.rid_base }}"
secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}"
### additional ###
adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}"
adtrust_reset_netbios_name:
"{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}"
when: result_ipaserver_test.setup_adtrust
- name: Install - Setup DNS
ipaserver_setup_dns:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
setup_dns: "{{ ipaserver_setup_dns }}"
forwarders: "{{ result_ipaserver_prepare.forwarders }}"
forward_policy: "{{ result_ipaserver_prepare.forward_policy }}"
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
no_dnssec_validation: "{{ result_ipaserver_prepare.no_dnssec_validation }}"
### additional ###
dns_ip_addresses: "{{ result_ipaserver_prepare.dns_ip_addresses }}"
dns_reverse_zones: "{{ result_ipaserver_prepare.dns_reverse_zones }}"
when: ipaserver_setup_dns | bool
- name: Install - Set DS password
ipaserver_set_ds_password:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info }}"
- name: Install - Setup ADTRUST
ipaserver_setup_adtrust:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
### ad trust ###
enable_compat: "{{ ipaserver_enable_compat }}"
rid_base: "{{ result_ipaserver_test.rid_base }}"
secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}"
### additional ###
adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}"
adtrust_reset_netbios_name:
"{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}"
when: result_ipaserver_test.setup_adtrust
- name: Install - Setup client
include_role:
name: ipaclient
vars:
state: present
ipaclient_on_master: yes
ipaclient_domain: "{{ result_ipaserver_test.domain }}"
ipaclient_realm: "{{ result_ipaserver_test.realm }}"
ipaclient_servers: ["{{ result_ipaserver_test.hostname }}"]
ipaclient_hostname: "{{ result_ipaserver_test.hostname }}"
ipaclient_no_ntp:
"{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690
else 'false' }}"
ipaclient_install_packages: "{{ ipaserver_install_packages }}"
- name: Install - Set DS password
ipaserver_set_ds_password:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
subject_base: "{{ result_ipaserver_prepare.subject_base }}"
ca_subject: "{{ result_ipaserver_prepare.ca_subject }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info }}"
- name: Install - Enable IPA
ipaserver_enable_ipa:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
register: result_ipaserver_enable_ipa
- name: Install - Setup client
include_role:
name: ipaclient
vars:
state: present
ipaclient_on_master: yes
ipaclient_domain: "{{ result_ipaserver_test.domain }}"
ipaclient_realm: "{{ result_ipaserver_test.realm }}"
ipaclient_servers: ["{{ result_ipaserver_test.hostname }}"]
ipaclient_hostname: "{{ result_ipaserver_test.hostname }}"
ipaclient_no_ntp:
"{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690
else 'false' }}"
ipaclient_install_packages: "{{ ipaserver_install_packages }}"
- name: Install - Cleanup root IPA cache
file:
path: "/root/.ipa_cache"
state: absent
when: result_ipaserver_enable_ipa.changed
- name: Install - Enable IPA
ipaserver_enable_ipa:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
register: result_ipaserver_enable_ipa
- name: Install - Configure firewalld
command: >
firewall-cmd
--permanent
--add-service=freeipa-ldap
--add-service=freeipa-ldaps
{{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
else "" }}
{{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
when: ipaserver_setup_firewalld | bool
- name: Install - Cleanup root IPA cache
file:
path: "/root/.ipa_cache"
state: absent
when: result_ipaserver_enable_ipa.changed
- name: Install - Configure firewalld runtime
command: >
firewall-cmd
--add-service=freeipa-ldap
--add-service=freeipa-ldaps
{{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
else "" }}
{{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
when: ipaserver_setup_firewalld | bool
- name: Install - Configure firewalld
command: >
firewall-cmd
--permanent
--add-service=freeipa-ldap
--add-service=freeipa-ldaps
{{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
else "" }}
{{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
when: ipaserver_setup_firewalld | bool
- name: Install - Configure firewalld runtime
command: >
firewall-cmd
--add-service=freeipa-ldap
--add-service=freeipa-ldaps
{{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
else "" }}
{{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
when: ipaserver_setup_firewalld | bool
when: not result_ipaserver_setup_ca.csr_generated | bool
when: not ansible_check_mode and not
(not result_ipaserver_test.changed and

4
roles/ipaserver/tasks/main.yml
View File

@@ -10,9 +10,9 @@
- "vars/default.yml"
- name: Install IPA server
include_tasks: tasks/install.yml
include_tasks: install.yml
when: state|default('present') == 'present'
- name: Uninstall IPA server
include_tasks: tasks/uninstall.yml
include_tasks: uninstall.yml
when: state|default('present') == 'absent'

9
roles/ipaserver/tasks/uninstall.yml
View File

@@ -17,8 +17,7 @@
failed_when: uninstall.rc != 0 and uninstall.rc != 1
changed_when: uninstall.rc == 0
# - name: Remove IPA server packages
# package:
# name: "{{ item }}"
# state: absent
# with_items: "{{ ipaserver_packages }}"
#- name: Remove IPA server packages
# package:
# name: "{{ ipaserver_packages }}"
# state: absent

5
roles/ipaserver/vars/RedHat-8.yml Normal file
View File

@@ -0,0 +1,5 @@
# defaults file for ipaserver
# vars/RedHat-8.yml
ipaserver_packages: [ "@idm:DL1/server" ]
ipaserver_packages_dns: [ "@idm:DL1/dns" ]
ipaserver_packages_adtrust: [ "@idm:DL1/adtrust" ]

49
tests/external-signed-ca-with-automatic-copy/external-ca.sh Normal file
View File

@@ -0,0 +1,49 @@
#!/bin/bash
master=$1
if [ -z "$master" ]; then
echo "ERROR: master is not set"
echo
echo "usage: $0 master-fqdn domain"
exit 0;
fi
PASSWORD="SomeCApassword"
DBDIR="${master}-nssdb"
PWDFILE="$DBDIR/pwdfile.txt"
NOISE="/etc/passwd"
domain=$2
if [ -z "$domain" ]; then
echo "ERROR: domain is not set"
echo
echo "usage: $0 master-fqdn domain"
exit 0;
fi
if [ ! -f "${master}-ipa.csr" ]; then
echo "ERROR: ${master}-ipa.csr missing"
exit 1;
fi
ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
rm -rf "$DBDIR"
mkdir "$DBDIR"
echo "$PASSWORD" > "$PWDFILE"
certutil -N -d "$DBDIR" -f "$PWDFILE"
echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
| certutil -d "$DBDIR" -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
-s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
| certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
-i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
cp "$DBDIR/chain.crt" "${master}-chain.crt"

36
tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml Normal file
View File

@@ -0,0 +1,36 @@
---
- name: Playbook to configure IPA server step1
hosts: ipaserver
become: true
vars:
ipaserver_external_ca: yes
ipaserver_copy_csr_to_controller: yes
roles:
- role: ipaserver
state: present
- name: Create CA, get /root/ipa.csr signed by your CA, ..
hosts: localhost
gather_facts: false
tasks:
- name: Run external-ca.sh
command: >
/bin/bash
external-ca.sh
"{{ groups.ipaserver[0] }}"
"{{ ipaserver_domain | default(groups.ipaserver[0].split('.')[1:] | join ('.')) }}"
args:
chdir: "{{ playbook_dir }}"
- name: Playbook to configure IPA server step2
hosts: ipaserver
become: true
vars:
ipaserver_external_cert_files_from_controller: "{{ groups.ipaserver[0] + '-chain.crt' }}"
#ipaserver_external_ca_file: "{{ groups.ipaserver[0] + '-cacert.asc' }}"
roles:
- role: ipaserver
state: present

8
tests/external-signed-ca-with-automatic-copy/inventory Normal file
View File

@@ -0,0 +1,8 @@
[ipaserver]
ipaserver.test.local
[ipaservcer:vars]
ipaadmin_password=SomeADMINpassword
ipadm_password=SomeDMpassword
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL

49
tests/external-signed-ca-with-manual-copy/external-ca.sh Normal file
View File

@@ -0,0 +1,49 @@
#!/bin/bash
master=$1
if [ -z "$master" ]; then
echo "ERROR: master is not set"
echo
echo "usage: $0 master-fqdn domain"
exit 0;
fi
PASSWORD="SomeCApassword"
DBDIR="${master}-nssdb"
PWDFILE="$DBDIR/pwdfile.txt"
NOISE="/etc/passwd"
domain=$2
if [ -z "$domain" ]; then
echo "ERROR: domain is not set"
echo
echo "usage: $0 master-fqdn domain"
exit 0;
fi
if [ ! -f "${master}-ipa.csr" ]; then
echo "ERROR: ${master}-ipa.csr missing"
exit 1;
fi
ROOT_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
IPA_CA_KEY_ID=0x$(dd if=/dev/urandom bs=20 count=1 | xxd -p)
rm -rf "$DBDIR"
mkdir "$DBDIR"
echo "$PASSWORD" > "$PWDFILE"
certutil -N -d "$DBDIR" -f "$PWDFILE"
echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\n${ROOT_KEY_ID}\nn\n" \
| certutil -d "$DBDIR" -f "$PWDFILE" -S -z "$NOISE" -n ca -x -t C,C,C \
-s "CN=PRIMARY,O=$domain" -x -1 -2 --extSKID
openssl req -outform der -in "${master}-ipa.csr" -out "$DBDIR/req.csr"
echo -e "0\n1\n5\n6\n9\ny\ny\n\ny\ny\n${ROOT_KEY_ID}\n\n\nn\n${IPA_CA_KEY_ID}\nn\n" \
| certutil -d "$DBDIR" -f "$PWDFILE" -C -z "$NOISE" -c ca \
-i "$DBDIR/req.csr" -o "$DBDIR/external.cer" -1 -2 -3 --extSKID
openssl x509 -inform der -in "$DBDIR/external.cer" -out "$DBDIR/external.pem"
certutil -L -n ca -d "$DBDIR" -a > "$DBDIR/ca.crt"
cat "$DBDIR/external.pem" "$DBDIR/ca.crt" > "$DBDIR/chain.crt"
cp "$DBDIR/chain.crt" "${master}-chain.crt"

49
tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml Normal file
View File

@@ -0,0 +1,49 @@
---
- name: Playbook to configure IPA server step1
hosts: ipaserver
become: true
vars:
ipaserver_external_ca: yes
roles:
- role: ipaserver
state: present
post_tasks:
- name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
fetch:
src: /root/ipa.csr
dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
flat: yes
- name: Get /root/ipa.csr, create CA, sign with our CA and copy to node
hosts: localhost
gather_facts: false
tasks:
- name: Run external-ca.sh
command: >
/bin/bash
external-ca.sh
"{{ groups.ipaserver[0] }}"
"{{ ipaserver_domain | default(groups.ipaserver[0].split('.')[1:] | join ('.')) }}"
args:
chdir: "{{ playbook_dir }}"
- name: Playbook to configure IPA server step2
hosts: ipaserver
become: true
vars:
ipaserver_external_cert_files: "/root/chain.crt"
#ipaserver_external_ca_file: "cacert.asc"
pre_tasks:
- name: Copy "{{ groups.ipaserver[0] + '-chain.crt' }}" to /root/chain.crt on node
copy:
src: "{{ groups.ipaserver[0] + '-chain.crt' }}"
dest: "/root/chain.crt"
force: yes
roles:
- role: ipaserver
state: present

8
tests/external-signed-ca-with-manual-copy/inventory Normal file
View File

@@ -0,0 +1,8 @@
[ipaserver]
ipaserver.test.local
[ipaservcer:vars]
ipaadmin_password=SomeADMINpassword
ipadm_password=SomeDMpassword
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL