ipaserver role ============== Description ----------- This role allows to configure and IPA server. **Note**: The ansible playbooks and role require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager. Features -------- * Server deployment Supported FreeIPA Versions -------------------------- FreeIPA versions 4.5 and up are supported by the server role. Supported Distributions ----------------------- * RHEL/CentOS 7.6+ * Fedora 26+ * Ubuntu Requirements ------------ **Controller** * Ansible version: 2.8+ **Node** * Supported FreeIPA version (see above) * Supported distribution (needed for package installation only, see above) Limitations ----------- External CA External CA support is not supported or working. The currently needed two step process is an issue for the processing in the role. The configuration of the server is partly done already and needs to be continued after the CSR has been handled. This is for example breaking the deployment of a server with replicas or clients in one playbook. Work is planned to have a new method to handle CSR for external CAs in a separate step before starting the server installation. Usage ===== Example inventory file with fixed domain and realm, setting up of the DNS server and using forwarders from /etc/resolv.conf: [ipaserver] ipaserver2.example.com [ipaserver:vars] ipaserver_domain=example.com ipaserver_realm=EXAMPLE.COM ipaserver_setup_dns=yes ipaserver_auto_forwarders=yes Example playbook to setup the IPA server using admin and dirman passwords from an [Ansible Vault](http://docs.ansible.com/ansible/latest/playbooks_vault.html) file: - name: Playbook to configure IPA server hosts: ipaserver become: true vars_files: - playbook_sensitive_data.yml roles: - role: ipaserver state: present Example playbook to unconfigure the IPA client(s) using principal and password from inventory file: - name: Playbook to unconfigure IPA server hosts: ipaserver become: true roles: - role: ipaserver state: absent Example inventory file with fixed domain, realm, admin and dirman passwords: [ipaserver] ipaserver.example.com [ipaserver:vars] ipaserver_domain=example.com ipaserver_realm=EXAMPLE.COM ipaadmin_password=MySecretPassword123 ipadm_password=MySecretPassword234 Example playbook to setup the IPA server using admin and dirman passwords from inventory file: - name: Playbook to configure IPA server hosts: ipaserver become: true roles: - role: ipaserver state: present Playbooks ========= The playbooks needed to deploy or undeploy a server are part of the repository in the playbooks folder. There are also playbooks to deploy and undeploy clusters. ``` install-server.yml uninstall-server.yml ``` Please remember to link or copy the playbooks to the base directory of ansible-freeipa if you want to use the roles within the source archive. How to setup a server --------------------- ```bash ansible-playbook -v -i inventory/hosts install-server.yml ``` This will deploy the server defined in the inventory file. Variables ========= Base Variables -------------- Variable | Description | Required -------- | ----------- | -------- `ipaserver` | This group with the single IPA server full qualified hostname. (list of strings) | yes `ipadm_password` | The password for the Directory Manager. (string) | no `ipaadmin_password` | The password for the IPA admin user (string) | no `ipaserver_ip_addresses` | The list of master server IP addresses. (list of strings) | no `ipaserver_domain` | The primary DNS domain of an existing IPA deployment. (string) | no `ipaserver_realm` | The Kerberos realm of an existing IPA deployment. (string) | no `ipaserver_hostname` | Fully qualified name of the server. (string) | no `ipaserver_no_host_dns` | Do not use DNS for hostname lookup during installation. (bool, default: false) | no Server Variables ---------------- Variable | Description | Required -------- | ----------- | -------- `ipaserver_setup_adtrust` | Configure AD Trust capability. (bool, default: false) | no `ipaserver_setup_kra` | Install and configure a KRA on this server. (bool, default: false) | no `ipaserver_setup_dns` | Configure an integrated DNS server, create DNS zone specified by domain. (bool, default: false) | no `ipaserver_idstart` | The starting user and group id number. (integer, default: random) | no `ipaserver_idmax` | The maximum user and group id number. (integer, default: idstart+199999) | no `ipaserver_no_hbac_allow` | Do not install allow_all HBAC rule. (bool) | no `ipaserver_no_ui_redirect` | Do not automatically redirect to the Web UI. (bool) | no `ipaserver_dirsrv_config_file` | The path to LDIF file that will be used to modify configuration of dse.ldif during installation. (string) | no `ipaserver_pki_config_override` | Path to ini file with config overrides. This is only usable with recent FreeIPA versions. (string) | no SSL certificate Variables ------------------------- Variable | Description | Required -------- | ----------- | -------- `ipaserver_dirsrv_cert_files` | Files containing the Directory Server SSL certificate and private keys. (list of strings) | no `ipaserver_http_cert_file` | File containing the Apache Server SSL certificate and private key. (string) | no `ipaserver_pkinit_cert_file` | File containing the Kerberos KDC SSL certificate and private key. (string) | no `ipaserver_dirsrv_pin` | The password to unlock the Directory Server private key. (string) | no `ipaserver_http_pin` | The password to unlock the Apache Server private key. (string) | no `ipaserver_pkinit_pin` | The password to unlock the Kerberos KDC private key. (string) | no `ipaserver_dirsrv_cert_name` | Name of the Directory Server SSL certificate to install. (string) | no `ipaserver_http_cert_name` | Name of the Apache Server SSL certificate to install. (string) | no `ipaserver_pkinit_cert_name` | Name of the Kerberos KDC SSL certificate to install. (string) | no Client Variables ---------------- Variable | Description | Required -------- | ----------- | -------- `ipaclient_ntp_servers` | The list defines the NTP servers to be used. | no `ipaclient_ntp_pool` | The string value defines the ntp server pool to be used. | no `ipaclient_no_ntp` | The bool value defines if NTP will not be configured and enabled. `ipaclient_no_ntp` defaults to `no`. | no `ipaclient_ssh_trust_dns` | The bool value defines if OpenSSH client will be configured to trust DNS SSHFP records. `ipaclient_ssh_trust_dns` defaults to `no`. | no `ipaclient_no_ssh` | The bool value defines if OpenSSH client will be configured. `ipaclient_no_ssh` defaults to `no`. | no `ipaclient_no_sshd` | The bool value defines if OpenSSH server will be configured. `ipaclient_no_sshd` defaults to `no`. | no `ipaclient_no_sudo` | The bool value defines if SSSD will be configured as a data source for sudo. `ipaclient_no_sudo` defaults to `no`. | no `ipaclient_no_dns_sshfp` | The bool value defines if DNS SSHFP records will not be created automatically. `ipaclient_no_dns_sshfp` defaults to `no`. | no Certificate system Variables ---------------------------- Variable | Description | Required -------- | ----------- | -------- ~~`ipaserver_external_ca`~~ | ~~Generate a CSR for the IPA CA certificate to be signed by an external CA. (bool, default: false)~~ | ~~no~~ ~~`ipaserver_external_ca_type`~~ | ~~Type of the external CA. (choice: generic,ms-cs)~~ | ~~no~~ ~~`ipaserver_external_ca_profile`~~ | ~~Specify the certificate profile/template to use at the external CA. (string)~~ | ~~no~~ ~~`ipaserver_external_cert_files`~~ | ~~Files containing the IPA CA certificates and the external CA certificate chains (list of string)~~ | ~~no~~ `ipaserver_subject_base` | The certificate subject base (default O=). RDNs are in LDAP order (most specific RDN first). (string) | no `ipaserver_ca_subject` | The CA certificate subject DN (default CN=Certificate Authority,O=). RDNs are in LDAP order (most specific RDN first). (string) | no ~~`ipaserver_ca_signing_algorithm`~~ | ~~Signing algorithm of the IPA CA certificate. (choice: SHA1withRSA,SHA256withRSA,SHA512withRSA)~~ | ~~no~~ DNS Variables ------------- Variable | Description | Required -------- | ----------- | -------- `ipaserver_allow_zone_overlap` | Allow creation of (reverse) zone even if the zone is already resolvable. (bool, default: false) | no `ipaserver_reverse_zones` | The reverse DNS zones to use. (list of strings) | no `ipaserver_no_reverse` | Do not create reverse DNS zone. (bool, default: false) | no `ipaserver_auto_reverse` | Try to resolve reverse records and reverse zones for server IP addresses. (bool, default: false) | no `ipaserver_zonemgr` | The e-mail address of the DNS zone manager. (string, default: hostmaster@DOMAIN.) | no `ipaserver_forwarders` | Add DNS forwarders to the DNS configuration. (list of strings) | no `ipaserver_no_forwarders` | Do not add any DNS forwarders. Root DNS servers will be used instead. (bool, default: false) | no `ipaserver_auto_forwarders` | Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false) | no `ipaserver_forward_policy` | DNS forwarding policy for global forwarders specified using other options. (choice: first|only) | no `ipaserver_no_dnssec_validation` | Disable DNSSEC validation on this server. (bool, default: false) | no AD trust Variables ------------------ Variable | Description | Required -------- | ----------- | -------- `ipaserver_enable_compat`| Enables support for trusted domains users for old clients through Schema Compatibility plugin. (bool, default: false) | no `ipaserver_netbios_name` | The NetBIOS name for the IPA domain. (string) | no `ipaserver_rid_base` | First RID value of the local domain. (integer) | no `ipaserver_secondary_rid_base` | Start value of the secondary RID range. (integer) | no Special Variables ----------------- Variable | Description | Required -------- | ----------- | -------- `ipaserver_install_packages` | The bool value defines if the needed packages are installed on the node. (bool, default: true) | no `ipaserver_setup_firewalld` | The value defines if the needed services will automatically be openen in the firewall managed by firewalld. (bool, default: true) | no Authors ======= Thomas Woerner