mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-03-26 21:33:05 +00:00
10 KiB
10 KiB
ipaserver role
Description
This role allows to configure and IPA server.
Note: The ansible playbooks and role require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
Features
- Server deployment
Supported FreeIPA Versions
FreeIPA versions 4.5 and up are supported by the server role.
Supported Distributions
- RHEL/CentOS 7.6+
- Fedora 26+
- Ubuntu
Requirements
Controller
- Ansible version: 2.8+
Node
- Supported FreeIPA version (see above)
- Supported distribution (needed for package installation only, see above)
Limitations
External CA
External CA support is not supported or working. The currently needed two step process is an issue for the processing in the role. The configuration of the server is partly done already and needs to be continued after the CSR has been handled. This is for example breaking the deployment of a server with replicas or clients in one playbook.
Work is planned to have a new method to handle CSR for external CAs in a separate step before starting the server installation.
Usage
Example inventory file with fixed domain and realm, setting up of the DNS server and using forwarders from /etc/resolv.conf:
[ipaserver]
ipaserver2.example.com
[ipaserver:vars]
ipaserver_domain=example.com
ipaserver_realm=EXAMPLE.COM
ipaserver_setup_dns=yes
ipaserver_auto_forwarders=yes
Example playbook to setup the IPA server using admin and dirman passwords from an Ansible Vault file:
- name: Playbook to configure IPA server
hosts: ipaserver
become: true
vars_files:
- playbook_sensitive_data.yml
roles:
- role: ipaserver
state: present
Example playbook to unconfigure the IPA client(s) using principal and password from inventory file:
- name: Playbook to unconfigure IPA server
hosts: ipaserver
become: true
roles:
- role: ipaserver
state: absent
Example inventory file with fixed domain, realm, admin and dirman passwords:
[ipaserver]
ipaserver.example.com
[ipaserver:vars]
ipaserver_domain=example.com
ipaserver_realm=EXAMPLE.COM
ipaadmin_password=MySecretPassword123
ipadm_password=MySecretPassword234
Example playbook to setup the IPA server using admin and dirman passwords from inventory file:
- name: Playbook to configure IPA server
hosts: ipaserver
become: true
roles:
- role: ipaserver
state: present
Playbooks
The playbooks needed to deploy or undeploy a server are part of the repository in the playbooks folder. There are also playbooks to deploy and undeploy clusters.
install-server.yml
uninstall-server.yml
Please remember to link or copy the playbooks to the base directory of ansible-freeipa if you want to use the roles within the source archive.
How to setup a server
ansible-playbook -v -i inventory/hosts install-server.yml
This will deploy the server defined in the inventory file.
Variables
Base Variables
| Variable | Description | Required |
|---|---|---|
ipaserver |
This group with the single IPA server full qualified hostname. (list of strings) | yes |
ipadm_password |
The password for the Directory Manager. (string) | no |
ipaadmin_password |
The password for the IPA admin user (string) | no |
ipaserver_ip_addresses |
The list of master server IP addresses. (list of strings) | no |
ipaserver_domain |
The primary DNS domain of an existing IPA deployment. (string) | no |
ipaserver_realm |
The Kerberos realm of an existing IPA deployment. (string) | no |
ipaserver_hostname |
Fully qualified name of the server. (string) | no |
ipaserver_no_host_dns |
Do not use DNS for hostname lookup during installation. (bool, default: false) | no |
Server Variables
| Variable | Description | Required |
|---|---|---|
ipaserver_setup_adtrust |
Configure AD Trust capability. (bool, default: false) | no |
ipaserver_setup_kra |
Install and configure a KRA on this server. (bool, default: false) | no |
ipaserver_setup_dns |
Configure an integrated DNS server, create DNS zone specified by domain. (bool, default: false) | no |
ipaserver_idstart |
The starting user and group id number. (integer, default: random) | no |
ipaserver_idmax |
The maximum user and group id number. (integer, default: idstart+199999) | no |
ipaserver_no_hbac_allow |
Do not install allow_all HBAC rule. (bool) | no |
ipaserver_no_ui_redirect |
Do not automatically redirect to the Web UI. (bool) | no |
ipaserver_dirsrv_config_file |
The path to LDIF file that will be used to modify configuration of dse.ldif during installation. (string) | no |
ipaserver_pki_config_override |
Path to ini file with config overrides. This is only usable with recent FreeIPA versions. (string) | no |
SSL certificate Variables
| Variable | Description | Required |
|---|---|---|
ipaserver_dirsrv_cert_files |
Files containing the Directory Server SSL certificate and private keys. (list of strings) | no |
ipaserver_http_cert_file |
File containing the Apache Server SSL certificate and private key. (string) | no |
ipaserver_pkinit_cert_file |
File containing the Kerberos KDC SSL certificate and private key. (string) | no |
ipaserver_dirsrv_pin |
The password to unlock the Directory Server private key. (string) | no |
ipaserver_http_pin |
The password to unlock the Apache Server private key. (string) | no |
ipaserver_pkinit_pin |
The password to unlock the Kerberos KDC private key. (string) | no |
ipaserver_dirsrv_cert_name |
Name of the Directory Server SSL certificate to install. (string) | no |
ipaserver_http_cert_name |
Name of the Apache Server SSL certificate to install. (string) | no |
ipaserver_pkinit_cert_name |
Name of the Kerberos KDC SSL certificate to install. (string) | no |
Client Variables
| Variable | Description | Required |
|---|---|---|
ipaclient_ntp_servers |
The list defines the NTP servers to be used. | no |
ipaclient_ntp_pool |
The string value defines the ntp server pool to be used. | no |
ipaclient_no_ntp |
The bool value defines if NTP will not be configured and enabled. ipaclient_no_ntp defaults to no. |
no |
ipaclient_ssh_trust_dns |
The bool value defines if OpenSSH client will be configured to trust DNS SSHFP records. ipaclient_ssh_trust_dns defaults to no. |
no |
ipaclient_no_ssh |
The bool value defines if OpenSSH client will be configured. ipaclient_no_ssh defaults to no. |
no |
ipaclient_no_sshd |
The bool value defines if OpenSSH server will be configured. ipaclient_no_sshd defaults to no. |
no |
ipaclient_no_sudo |
The bool value defines if SSSD will be configured as a data source for sudo. ipaclient_no_sudo defaults to no. |
no |
ipaclient_no_dns_sshfp |
The bool value defines if DNS SSHFP records will not be created automatically. ipaclient_no_dns_sshfp defaults to no. |
no |
Certificate system Variables
| Variable | Description | Required |
|---|---|---|
ipaserver_external_ca |
||
ipaserver_external_ca_type |
||
ipaserver_external_ca_profile |
||
ipaserver_external_cert_files |
||
ipaserver_subject_base |
The certificate subject base (default O=). RDNs are in LDAP order (most specific RDN first). (string) | no |
ipaserver_ca_subject |
The CA certificate subject DN (default CN=Certificate Authority,O=). RDNs are in LDAP order (most specific RDN first). (string) | no |
ipaserver_ca_signing_algorithm |
DNS Variables
| Variable | Description | Required |
|---|---|---|
ipaserver_allow_zone_overlap |
Allow creation of (reverse) zone even if the zone is already resolvable. (bool, default: false) | no |
ipaserver_reverse_zones |
The reverse DNS zones to use. (list of strings) | no |
ipaserver_no_reverse |
Do not create reverse DNS zone. (bool, default: false) | no |
ipaserver_auto_reverse |
Try to resolve reverse records and reverse zones for server IP addresses. (bool, default: false) | no |
ipaserver_zonemgr |
The e-mail address of the DNS zone manager. (string, default: hostmaster@DOMAIN.) | no |
ipaserver_forwarders |
Add DNS forwarders to the DNS configuration. (list of strings) | no |
ipaserver_no_forwarders |
Do not add any DNS forwarders. Root DNS servers will be used instead. (bool, default: false) | no |
ipaserver_auto_forwarders |
Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false) | no |
ipaserver_forward_policy |
DNS forwarding policy for global forwarders specified using other options. (choice: first | only) |
ipaserver_no_dnssec_validation |
Disable DNSSEC validation on this server. (bool, default: false) | no |
AD trust Variables
| Variable | Description | Required |
|---|---|---|
ipaserver_enable_compat |
Enables support for trusted domains users for old clients through Schema Compatibility plugin. (bool, default: false) | no |
ipaserver_netbios_name |
The NetBIOS name for the IPA domain. (string) | no |
ipaserver_rid_base |
First RID value of the local domain. (integer) | no |
ipaserver_secondary_rid_base |
Start value of the secondary RID range. (integer) | no |
Special Variables
| Variable | Description | Required |
|---|---|---|
ipaserver_install_packages |
The bool value defines if the needed packages are installed on the node. (bool, default: true) | no |
ipaserver_setup_firewalld |
The value defines if the needed services will automatically be openen in the firewall managed by firewalld. (bool, default: true) | no |
Authors
Thomas Woerner