
Workshop ansible freeipa

Thomas Woerner edited this page Jun 29, 2018 · 3 revisions

Requirements

  • Test machines for IPA server, clients and replica
    • For cluster tests at least 1 server, 1 replica and 2 clients
  • Client test machine(s) installed
    • Possible distributions: RHEL-7.4+, Fedora-26+
    • FQDN hostname(s)
    • Per realm in different environments (libvirt, lab, cluster, ..)
  • Ansible host with ansible-2.3+
    • ansible-2.4 prints import deprecation messages for the roles; they can be ignored
    • Setting deprecation_warnings=False in ansible.cfg silences them, but it turns off all deprecation warnings
  • ssh key copied to the client(s)
    • ssh-copy-id -i ~/.ssh/id_rsa.pub <user>@<client-fqdn> (placeholder; the playbooks use become, so a sudo-capable user works as well as root)
  • Clone https://github.com/freeipa/ansible-freeipa/ on the ansible host

Test Proposals

Server

  1. Install server with admin and dirman password

Client

  1. Full auto-discovery with admin principal and password

  2. Full auto-discovery using vault file for admin password

  3. Full auto-discovery using OTP with vault file for admin password

  4. Auto-discovery using specified server name with OTP and vault file for admin password

  5. Full specified settings

  6. Use ipaadmin keytab with OTP

  7. Repair existing configuration with ipaadmin keytab and OTP

Replica

  1. Install replica

Cluster

  1. Install server and clients using admin and dirman passwords using existing DNS server

  2. Install server and clients using admin and dirman passwords with enabling DNS server

  3. Install server, replicas and clients using admin and dirman password using existing DNS server

Server Files

install-server.yml

---
- name: Playbook to configure IPA servers
  hosts: ipaserver
  become: true

  roles:
  - role: ipaserver
    state: present

uninstall-server.yml

---
- name: Playbook to configure IPA servers
  hosts: ipaserver
  become: true

  roles:
  - role: ipaserver
    state: absent

Server Test 1

Create hosts.server file to install server with admin and dirman password

[ipaserver]
ipaserver.test.local

[ipaserver:vars]
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
ipaadmin_password=MyAdminPassword
ipadm_password=MyDmPassword

ipaserver_setup_dns=yes
ipaserver_auto_forwarders=yes

Run playbook

$ ansible-playbook -vv -i hosts.server install-server.yml 

Verify the IPA server installation on ipaserver.test.local, e.g. with ipactl status (every service must report RUNNING), kinit admin with the password from hosts.server, and ipa server-show ipaserver.test.local.
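Added example (not part of the ansible-freeipa project or this wiki): a POSIX shell script to run as root on ipaserver.test.local once the playbook has finished. It parses the output of ipactl status, which prints one "<name> Service: <STATE>" line per service, and fails if any service is not RUNNING or if no service line is present at all (an "ipa: ERROR: ..." message alone must not pass); it then obtains an admin ticket with the password from hosts.server and confirms the host is a registered IPA master. The function names, the constructed sample lines mentioned in the comments and the reliance on hostname -f are my assumptions.

```shell
#!/bin/sh
# Added example: post-install verification for Server Test 1. Not part of
# ansible-freeipa; run as root on ipaserver.test.local after the playbook.
# Assumes a GNU/Linux userland (hostname -f) as on RHEL/Fedora.

# all_services_running: read "ipactl status" output from stdin and succeed
# only if every "<name> Service: <STATE>" line reports RUNNING and at least
# one such line was seen. Constructed sample of the expected input:
#   Directory Service: RUNNING
#   krb5kdc Service: RUNNING
#   ipa: INFO: The ipactl command was successful
all_services_running() {
    seen=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *" Service: RUNNING") seen=$((seen + 1)) ;;
            *" Service: "*)       echo "not running: $line" >&2; bad=1 ;;
        esac
    done
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# verify_ipa_server REALM ADMIN_PASSWORD
# 1. all IPA services are up; 2. admin can authenticate against the new KDC;
# 3. this host is registered as an IPA master. Leaves no ticket behind.
verify_ipa_server() {
    realm="$1"
    admin_pw="$2"
    ipactl status | all_services_running || return 1
    # kinit reads the password from stdin when stdin is not a terminal.
    printf '%s\n' "$admin_pw" | kinit "admin@$realm" >/dev/null || return 1
    ipa server-show "$(hostname -f)" >/dev/null || { kdestroy; return 1; }
    kdestroy
    echo "IPA server $(hostname -f) for realm $realm looks healthy"
}

# Usage with the values from hosts.server:
#   verify_ipa_server TEST.LOCAL MyAdminPassword
```

all_services_running reads stdin so it can be checked against captured text without a running server; verify_ipa_server is the function to call on the box itself.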

Client Files

install-client.yml

---
- name: Playbook to configure IPA clients with username/password
  hosts: ipaclients
  become: true

  roles:
  - role: ipaclient
    state: present

uninstall-client.yml

---
- name: Playbook to configure IPA clients with username/password
  hosts: ipaclients
  become: true

  roles:
  - role: ipaclient
    state: absent

Client Test 1

Create hosts.client file for full auto-discovery with admin principal and password

[ipaclients]
ipaclient1.test.local

[ipaclients:vars]
ipaadmin_principal=admin
ipaadmin_password=MyAdminPassword

Run playbook

$ ansible-playbook -vv -i hosts.client install-client.yml

Client Test 2

Create hosts.client file for full auto-discovery using vault file for admin password

[ipaclients]
ipaclient1.test.local

Edit install-client.yml

    become: true
+   vars_files:
+   - playbook_sensitive_data.client.yml

Create vault file playbook_sensitive_data.client.yml

ipaadmin_password: MyAdminPassword

Encrypt vault file

$ ansible-vault encrypt playbook_sensitive_data.client.yml
New Vault password: 
Confirm New Vault password: 
Encryption successful
$

Run playbook

$ ansible-playbook -vv -i hosts.client --vault-password-file t_pass.txt install-client.yml
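The vault password file t_pass.txt used above is never created on this page; it must hold the vault password on one line and be readable only by the Ansible user. Added example (not from the ansible-freeipa project): a shell pre-flight that creates the password file with mode 0600, checks that a vars file really is vault-encrypted (ansible-vault writes a first line of the form $ANSIBLE_VAULT;1.1;AES256, or 1.2 when a vault id is used) and refuses to proceed otherwise, so a plaintext playbook_sensitive_data.client.yml is never run or committed by mistake. The function names are mine; stat -c assumes GNU coreutils as on RHEL/Fedora.

```shell
#!/bin/sh
# Added example: pre-flight checks for the vault workflow in Client Test 2.
# Not part of ansible-freeipa. Assumes GNU coreutils (stat -c).
# File names match the wiki's: t_pass.txt and playbook_sensitive_data.client.yml.

# make_vault_password_file FILE  (reads the vault password from stdin)
# Creates FILE so that only the owner can read it and verifies the mode.
make_vault_password_file() {
    file="$1"
    (umask 077 && rm -f "$file" && cat > "$file") || return 1
    [ "$(stat -c '%a' "$file")" = "600" ]
}

# is_vault_encrypted FILE
# A file written by ansible-vault starts with "$ANSIBLE_VAULT;1.1;AES256"
# (1.2 with a vault id). Anything else means the secrets are still plaintext.
is_vault_encrypted() {
    head -n 1 "$1" 2>/dev/null | grep -q '^\$ANSIBLE_VAULT;1\.[12];AES256'
}

# vault_preflight PASSWORD_FILE VARS_FILE...
# Fails if the password file is readable by others or missing, or if any
# vars file is not vault-encrypted.
vault_preflight() {
    pass_file="$1"; shift
    rc=0
    mode="$(stat -c '%a' "$pass_file" 2>/dev/null)" || {
        echo "missing: $pass_file" >&2
        return 1
    }
    case "$mode" in
        600|400) ;;
        *) echo "refusing: $pass_file has mode $mode, want 600" >&2; rc=1 ;;
    esac
    for f in "$@"; do
        if ! is_vault_encrypted "$f"; then
            echo "refusing: $f is not vault-encrypted" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage mirroring Client Test 2:
#   printf '%s\n' 'vault-secret' | make_vault_password_file t_pass.txt
#   ansible-vault encrypt --vault-password-file t_pass.txt playbook_sensitive_data.client.yml
#   vault_preflight t_pass.txt playbook_sensitive_data.client.yml \
#     && ansible-playbook -vv -i hosts.client --vault-password-file t_pass.txt install-client.yml
```

The header check is cheap enough to run as a git pre-commit hook on every *.yml that holds credentials; the mode check matters because --vault-password-file is read as the Ansible user and a world-readable t_pass.txt leaks every vault it protects.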

Client Test 3

Create hosts.client file for full auto-discovery using OTP, with the vault file for the admin password

[ipaclients]
ipaclient1.test.local

[ipaclients:vars]
ipaclient_use_otp=yes

Run playbook

$ ansible-playbook -vv -i hosts.client --vault-password-file t_pass.txt install-client.yml

Excerpt from output. The OTP task runs with no_log: true on purpose: the one-time password is an enrollment credential and must not end up in the Ansible log, so its result is censored even at -vv.

TASK [ipaclient : Install - Get a One-Time Password for client enrollment] ************
task path: /root/ansible/ansible-freeip/roles/ipaclient/tasks/install.yml:61
changed: [ipaclient1.test.local -> ipa.test.local] => {"censored": "the output has been hidden due to the fact that 'no_log: true' was specified for this result"}

Client Test 4

Create hosts.client file for auto-discovery with a specified server name, using OTP and the vault file for the admin password

[ipaclients]
ipaclient1.test.local

[ipaservers]
ipa.test.local

[ipaclients:vars]
ipaclient_use_otp=yes

Run playbook

$ ansible-playbook -vv -i hosts.client --vault-password-file t_pass.txt install-client.yml

Client Test 5

Create hosts.client file with fully specified settings (the admin password still comes from the vault file)

[ipaclients]
ipaclient1.test.local

[ipaservers]
ipa.test.local

[ipaclients:vars]
ipaclient_domain=test.local
ipaclient_realm=TEST.LOCAL
ipaadmin_principal=admin
ipaclient_use_otp=yes
ipaclient_kinit_attempts=3
ipaclient_mkhomedir=yes

Run playbook

$ ansible-playbook -vv -i hosts.client --vault-password-file t_pass.txt install-client.yml

Client Test 6

Get the IPA admin keytab on the IPA server and copy it to the ansible host. --retrieve (-r) fetches the existing keys instead of generating new ones, so the admin password stays valid; without it the admin password would be invalidated. The keytab is equivalent to the admin password: keep it mode 0600, transfer it over scp/ssh only, and delete it from the ansible host when the tests are done.

$ ipa-getkeytab --retrieve -k ipaadmin.keytab -D 'cn=directory manager' -p admin -w <password>

Use admin keytab in hosts file for OTP generation

  [ipaclients]
- ipaclient1.test.local
+ ipaclient1.test.local ipaadmin_keytab=ipaadmin.keytab
  
  [ipaclients:vars]
+ ipaclient_use_otp=yes

Run playbook (install-client.yml still lists the vault file added in Client Test 2; either remove that vars_files entry or keep passing --vault-password-file t_pass.txt, since Ansible cannot load an encrypted vars file without the vault password)

$ ansible-playbook -vv -i hosts.client install-client.yml 

Client Test 7

Use IPA admin keytab with OTP to repair existing configuration

  [ipaclients:vars]
  ipaclient_use_otp=yes
+ ipaclient_allow_repair=yes

Example: simulate a broken client configuration by moving krb5.conf out of the way (on ipaclient1)

$ mv /etc/krb5.conf /tmp

Run playbook

$ ansible-playbook -vv -i hosts.client install-client.yml 

Example: compare the repaired krb5.conf with the original; no diff output means the role restored an identical file

$ diff /tmp/krb5.conf /etc/krb5.conf

Replica Files

install-replica.yml

---
- name: Playbook to configure IPA replicas
  hosts: ipareplicas
  become: true

  roles:
  - role: ipareplica
    state: present

uninstall-replica.yml

---
- name: Playbook to unconfigure IPA replicas
  hosts: ipareplicas
  become: true
 
  roles:
  - role: ipareplica
    state: absent

Replica Test 1

Create hosts.replica file to install replica

[ipaservers]
ipa.test.local

[ipareplicas]
ipareplica1.test.local

[ipareplicas:vars]
ipaadmin_password=MyAdminPassword
ipadm_password=MyDmPassword
#ipaclient_force_join=yes

Run playbook

$ ansible-playbook -vv -i hosts.replica install-replica.yml

Cluster Files

install-cluster.yml

---
- name: Install IPA servers
  hosts: ipaserver
  become: true

  roles:
  - role: ipaserver
    state: present

- name: Install IPA replicas
  hosts: ipareplicas
  become: true

  roles:
  - role: ipareplica
    state: present

- name: Install IPA clients
  hosts: ipaclients
  become: true

  roles:
  - role: ipaclient
    state: present

uninstall-cluster.yml

---
- name: Uninstall IPA clients
  hosts: ipaclients
  become: true

  roles:
  - role: ipaclient
    state: absent

- name: Uninstall IPA replicas
  hosts: ipareplicas
  become: true

  roles:
  - role: ipareplica
    state: absent

- name: Uninstall IPA servers
  hosts: ipaserver
  become: true

  roles:
  - role: ipaserver
    state: absent

Cluster Test 1

Create hosts.cluster file to install server and clients with admin and dirman password using existing DNS server

[ipaserver]
ipaserver.test.local

[ipaserver:vars]
ipadm_password=MyDmPassword

[ipaclients]
ipaclient1.test.local
ipaclient2.test.local
ipaclient3.test.local

[ipaclients:vars]
#ipaclient_use_otp=yes

[ipa:children]
ipaserver
ipaclients

[ipa:vars]
ipaadmin_password=MyAdminPassword
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL

Run playbook

$ ansible-playbook -vv -i hosts.cluster install-cluster.yml

Cluster Test 2

Create hosts.cluster file to install server and clients with admin and dirman password with enabling DNS server

[ipaserver]
ipaserver.test.local

[ipaserver:vars]
ipadm_password=MyDmPassword
ipaserver_setup_dns=yes
ipaserver_auto_forwarders=yes
ipaserver_auto_reverse=yes

[ipaclients]
ipaclient1.test.local
ipaclient2.test.local
ipaclient3.test.local

[ipaclients:vars]
ipaclient_use_otp=yes

[ipa:children]
ipaserver
ipaclients

[ipa:vars]
ipaadmin_password=MyAdminPassword
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL

Run playbook

$ ansible-playbook -vv -i hosts.cluster install-cluster.yml

Cluster Test 3

Create hosts.cluster file to install server, replicas and clients with admin and dirman password using existing DNS server

[ipaserver]
ipaserver.test.local

[ipaserver:vars]
ipadm_password=MyDmPassword

[ipareplicas]
ipareplica.test.local

[ipareplicas:vars]
ipaclient_use_otp=yes

[ipaclients]
ipaclient1.test.local
ipaclient2.test.local
ipaclient3.test.local

[ipaclients:vars]
ipaclient_use_otp=yes

[ipa:children]
ipaserver
ipareplicas
ipaclients

[ipa:vars]
ipaadmin_password=MyAdminPassword
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL

Run playbook

$ ansible-playbook -vv -i hosts.cluster install-cluster.yml