README.md

ipareplica role

Description

This role allows to configure a new IPA server that is a replica of the server. Once it has been created it is an exact copy of the original IPA server and is an equal master. Changes made to any master are automatically replicated to other masters.

This can be done in different ways using auto-discovery of the servers, domain and other settings or by specifying them.

Note: The ansible playbooks and role require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.

Features

• Replica deployment

Supported FreeIPA Versions

FreeIPA versions 4.6 and up are supported by the replica role.

Supported Distributions

• RHEL/CentOS 7.6+
• Fedora 26+
• Ubuntu

Requirements

Controller

• Ansible version: 2.8+

Node

• Supported FreeIPA version (see above)
• Supported distribution (needed for package installation only, see above)

Usage

Example inventory file with fixed principal using auto-discovery with DNS records:

[ipareplicas]
ipareplica1.example.com
ipareplica2.example.com

[ipareplicas:vars]
ipaadmin_principal=admin

Example playbook to setup the IPA client(s) using principal from inventory file and password from an Ansible Vault file:

---
- name: Playbook to configure IPA replicas
  hosts: ipareplicas
  become: true
  vars_files:
  - playbook_sensitive_data.yml

  roles:
  - role: ipareplica
    state: present

Example playbook to unconfigure the IPA client(s) using principal and password from inventory file:

---
- name: Playbook to unconfigure IPA replicas
  hosts: ipareplicas
  become: true

  roles:
  - role: ipareplica
    state: absent

Example inventory file with fixed server, principal, password and domain:

[ipaserver]
ipaserver.example.com

[ipareplicas]
ipareplica1.example.com
ipareplica2.example.com

[ipareplicas:vars]
ipareplica_domain=example.com
ipaadmin_principal=admin
ipaadmin_password=MySecretPassword123
ipadm_password=MySecretPassword456

Example playbook to setup the IPA client(s) using principal and password from inventory file:

---
- name: Playbook to configure IPA replicas with username/password
  hosts: ipareplicas
  become: true

  roles:
  - role: ipareplica
    state: present

Playbooks

The playbooks needed to deploy or undeploy a replica are part of the repository in the playbooks folder. There are also playbooks to deploy and undeploy clusters.

install-replica.yml
uninstall-replica.yml

Please remember to link or copy the playbooks to the base directory of ansible-freeipa if you want to use the roles within the source archive.

How to setup replicas

ansible-playbook -v -i inventory/hosts install-replica.yml

This will deploy the replicas defined in the inventory file.

Variables

Base Variables

Variable	Description	Required
ipaservers	This group with the IPA master full qualified hostnames. (list of strings)	mostly
ipareplicas	Group of IPA replica hostnames. (list of strings)	yes
ipaadmin_password	The password for the IPA admin user (string)	mostly
ipareplica_ip_addresses	The list of master server IP addresses. (list of strings)	no
ipareplica_domain	The primary DNS domain of an existing IPA deployment. (string)	no
ipaserver_realm	The Kerberos realm of an existing IPA deployment. (string)	no
ipaserver_hostname	Fully qualified name of the server. (string)	no
ipaadmin_principal	The authorized kerberos principal used to join the IPA realm. (string)	no
ipareplica_no_host_dns	Do not use DNS for hostname lookup during installation. (bool, default: false)	no
ipareplica_skip_conncheck	Skip connection check to remote master. (bool, default: false)	no
ipareplica_pki_config_override	Path to ini file with config overrides. This is only usable with recent FreeIPA versions. (string)	no

Server Vaiables

Variable	Description	Required
ipadm_password	The password for the Directory Manager. (string)	mostly
ipareplica_setup_adtrust	Configure AD trust capability. (bool, default: false)	no
ipareplica_setup_ca	Configure a dogtag CA. (bool, default: false)	no
ipareplica_setup_kra	Configure a dogtag KRA. (bool, default: false)	no
ipareplica_setup_dns	Configure bind with our zone. (bool, default: false)	no
ipareplica_no_pkinit	Disables pkinit setup steps. (bool, default: false)	no
ipareplica_no_ui_redirect	Do not automatically redirect to the Web UI. (bool, default: false)	no
ipareplica_dirsrv_config_file	The path to LDIF file that will be used to modify configuration of dse.ldif during installation of the directory server instance. (string)	no

SSL certificate Variables

Variable	Description	Required
ipareplica_dirsrv_cert_files	Files containing the Directory Server SSL certificate and private keys. (list of strings)	no
ipareplica_http_cert_files	Files containing the Apache Server SSL certificate and private key. (list of string)	no
ipareplica_pkinit_cert_files	Files containing the Kerberos KDC SSL certificate and private key. (list of string)	no
ipareplica_dirsrv_pin	The password to unlock the Directory Server private key. (string)	no
ipareplica_http_pin	The password to unlock the Apache Server private key. (string)	no
ipareplica_pkinit_pin	The password to unlock the Kerberos KDC private key. (string)	no
ipareplica_dirsrv_cert_name	Name of the Directory Server SSL certificate to install. (string)	no
ipareplica_http_cert_name	Name of the Apache Server SSL certificate to install. (string)	no
ipareplica_pkinit_cert_name	Name of the Kerberos KDC SSL certificate to install. (string)	no

Client Variables

Variable	Description	Required
ipaclient_keytab	Path to backed up keytab from previous enrollment. (string)	no
ipaclient_mkhomedir	Set to yes to configure PAM to create a users home directory if it does not exist. (string)	no
ipaclient_force_join	Force client enrollment even if already enrolled. (bool, default: false)	no
ipaclient_ntp_servers	The list defines the NTP servers to be used. (list of strings)	no
ipaclient_ntp_pool	The string value defines the ntp server pool to be used. (string)	no
ipaclient_no_ntp	The bool value defines if NTP will not be configured and enabled. (bool, default: false)	no
ipaclient_ssh_trust_dns	The bool value defines if OpenSSH client will be configured to trust DNS SSHFP records. (bool, default: false)	no
ipaclient_no_ssh	The bool value defines if OpenSSH client will be configured. (bool, default: false)	no
ipaclient_no_sshd	The bool value defines if OpenSSH server will be configured. (bool, default: false)	no
ipaclient_no_sudo	The bool value defines if SSSD will be configured as a data source for sudo. (bool, default: false)	no
ipaclient_no_dns_sshfp	The bool value defines if DNS SSHFP records will not be created automatically. (bool, default: false)	no

Certificate system Variables

Variable	Description	Required
ipareplica_skip_schema_check	Skip check for updated CA DS schema on the remote master. (bool, default: false)	no

DNS Variables

Variable	Description	Required
ipareplica_allow_zone_overlap	Allow creation of (reverse) zone even if the zone is already resolvable. (bool, default: false)	no
ipareplica_reverse_zones	The reverse DNS zones to use. (list of strings)	no
ipareplica_no_reverse	Do not create reverse DNS zone. (bool, default: false)	no
ipareplica_auto_reverse	Try to resolve reverse records and reverse zones for server IP addresses. (bool, default: false)	no
ipareplica_zonemgr	The e-mail address of the DNS zone manager. (string, default: hostmaster@DOMAIN.)	no
ipareplica_forwarders	Add DNS forwarders to the DNS configuration. (list of strings)	no
ipareplica_no_forwarders	Do not add any DNS forwarders. Root DNS servers will be used instead. (bool, default: false)	no
ipareplica_auto_forwarders	Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false)	no
ipareplica_forward_policy	DNS forwarding policy for global forwarders specified using other options. (choice: first,only)	no
ipareplica_no_dnssec_validation	Disable DNSSEC validation on this server. (bool, default: false)	no

AD trust Variables

Variable	Description	Required
ipareplica_add_sids	Add SIDs for existing users and groups as the final step. (bool, default: false)	no
ipareplica_add_agents	Add IPA masters to a list of hosts allowed to serve information about users from trusted forests. (bool, default: false)	no
ipareplica_enable_compat	Enables support for trusted domains users for old clients through Schema Compatibility plugin. (bool, default: false)	no
ipareplica_netbios_name	The NetBIOS name for the IPA domain. (string)	no
ipareplica_rid_base	First RID value of the local domain. (integer)	no
ipareplica_secondary_rid_base	Start value of the secondary RID range. (integer)	no

Cluster Specific Variables

Variable	Description	Required
ipareplica_servers	Manually override list of servers for example in a cluster environment on a per replica basis. The list of servers is normally taken from from groups.ipaserver in cluster environments. (list of strings)	no
ipaserver_domain	Used if set in a cluster environment to overload ipareplica_domain	no

Special Variables

Variable	Description	Required
ipareplica_install_packages	The bool value defines if the needed packages are installed on the node. (bool, default: true)	no
ipareplica_setup_firewalld	The value defines if the needed services will automatically be openen in the firewall managed by firewalld. (bool, default: true)	no
ipareplica_firewalld_zone	The value defines the firewall zone that will be used. This needs to be an existing runtime and permanent zone. (string)	no

Authors

Thomas Woerner