|
Packit Service |
a166ed |
Trust module
|
|
Packit Service |
a166ed |
============
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Description
|
|
Packit Service |
a166ed |
-----------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
The trust module allows to ensure presence and absence of a domain trust.
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Features
|
|
Packit Service |
a166ed |
--------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
* Trust management
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Supported FreeIPA Versions
|
|
Packit Service |
a166ed |
--------------------------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
FreeIPA versions 4.4.0 and up are supported by the ipatrust module.
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Requirements
|
|
Packit Service |
a166ed |
------------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
**Controller**
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
* Ansible version: 2.8+
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
**Node**
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
* Supported FreeIPA version (see above)
|
|
Packit Service |
a166ed |
* samba-4
|
|
Packit Service |
a166ed |
* ipa-server-trust-ad
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Usage
|
|
Packit Service |
a166ed |
=====
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example inventory file
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```ini
|
|
Packit Service |
a166ed |
[ipaserver]
|
|
Packit Service |
a166ed |
ipaserver.test.local
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to ensure a one-way trust is present:
|
|
Packit Service |
a166ed |
Omitting the two_way option implies the default of one-way
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to ensure a one-way trust is present
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: true
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- name: ensure the one-way trust present
|
|
Packit Service |
a166ed |
ipatrust:
|
|
Packit Service |
a166ed |
realm: ad.example.test
|
|
Packit Service |
a166ed |
admin: Administrator
|
|
Packit Service |
a166ed |
password: secret_password
|
|
Packit Service |
a166ed |
state: present
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to ensure a two-way trust is present using a shared-secret:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to ensure a two-way trust is present
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: true
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- name: ensure the two-way trust is present
|
|
Packit Service |
a166ed |
ipatrust:
|
|
Packit Service |
a166ed |
realm: ad.example.test
|
|
Packit Service |
a166ed |
trust_secret: my_share_Secret
|
|
Packit Service |
a166ed |
two_way: True
|
|
Packit Service |
a166ed |
state: present
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to ensure a trust is absent:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to ensure a trust is absent
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: true
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- name: ensure the trust is absent
|
|
Packit Service |
a166ed |
ipatrust:
|
|
Packit Service |
a166ed |
realm: ad.example.test
|
|
Packit Service |
a166ed |
state: absent
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
This will only delete the ipa-side of the trust and it does NOT delete the id-range that matches the trust,
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Variables
|
|
Packit Service |
a166ed |
=========
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
ipatrust
|
|
Packit Service |
a166ed |
-------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Variable | Description | Required
|
|
Packit Service |
a166ed |
-------- | ----------- | --------
|
|
Packit Service |
a166ed |
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
|
|
Packit Service |
a166ed |
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
|
|
Packit Service |
a166ed |
`realm` | The realm name string. | yes
|
|
Packit Service |
a166ed |
`admin` | Active Directory domain administrator string. | no
|
|
Packit Service |
a166ed |
`password` | Active Directory domain administrator's password string. | no
|
|
Packit Service |
a166ed |
`server` | Domain controller for the Active Directory domain string. | no
|
|
Packit Service |
a166ed |
`trust_secret` | Shared secret for the trust string. | no
|
|
Packit Service |
a166ed |
`base_id` | First posix id for the trusted domain integer. | no
|
|
Packit Service |
a166ed |
`range_size` | Size of the ID range reserved for the trusted domain integer. | no
|
|
Packit Service |
a166ed |
`range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no
|
|
Packit Service |
a166ed |
`two_way` | Establish bi-directional trust. By default trust is inbound one-way only. (bool) | no
|
|
Packit Service |
a166ed |
`external` | Establish external trust to a domain in another forest. The trust is not transitive beyond the domain. (bool) | no
|
|
Packit Service |
a166ed |
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Authors
|
|
Packit Service |
a166ed |
=======
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Rob Verduijn
|