ipareplica role
===============

Description
-----------

This role configures a new IPA server that is a replica of an existing IPA server. Once created, the replica is an exact copy of the original IPA server and is an equal master.

Changes made to any master are automatically replicated to the other masters.

The replica can be set up in different ways: the servers, domain and other settings can be auto-discovered (from DNS records), or they can be specified explicitly.

**Note**: The ansible playbooks and role require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.

Features
--------
* Replica deployment


Supported FreeIPA Versions
--------------------------

FreeIPA versions 4.6 and up are supported by the replica role.


Supported Distributions
-----------------------

* RHEL/CentOS 7.6+
* Fedora 26+
* Ubuntu


Requirements
------------

**Controller**
* Ansible version: 2.8+

**Node**
* Supported FreeIPA version (see above)
* Supported distribution (needed for package installation only, see above)

Usage
=====

Example inventory file with fixed principal using auto-discovery with DNS records:

```ini
[ipareplicas]
ipareplica1.example.com
ipareplica2.example.com

[ipareplicas:vars]
ipaadmin_principal=admin
```

Example playbook to set up the IPA replica(s) using the principal from the inventory file and the password from an [Ansible Vault](http://docs.ansible.com/ansible/latest/playbooks_vault.html) file:

```yaml
---
- name: Playbook to configure IPA replicas
  hosts: ipareplicas
  become: true
  vars_files:
  - playbook_sensitive_data.yml

  roles:
  - role: ipareplica
    state: present
```

Example playbook to unconfigure the IPA replica(s) using principal and password from inventory file:

```yaml
---
- name: Playbook to unconfigure IPA replicas
  hosts: ipareplicas
  become: true

  roles:
  - role: ipareplica
    state: absent
```

Example inventory file with fixed server, principal, password and domain:

```ini
[ipaserver]
ipaserver.example.com

[ipareplicas]
ipareplica1.example.com
ipareplica2.example.com

[ipareplicas:vars]
ipareplica_domain=example.com
ipaadmin_principal=admin
ipaadmin_password=MySecretPassword123
ipadm_password=MySecretPassword456
```

The plaintext passwords in this inventory are for illustration only. In a real deployment keep `ipaadmin_password` and `ipadm_password` in an Ansible Vault file loaded through `vars_files`, as in the first playbook above, so the admin and Directory Manager credentials are not stored unencrypted in the inventory.

Example playbook to set up the IPA replica(s) using principal and password from inventory file:

```yaml
---
- name: Playbook to configure IPA replicas with username/password
  hosts: ipareplicas
  become: true

  roles:
  - role: ipareplica
    state: present
```

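The inventory below, written in Ansible's YAML inventory format, is an added example and not part of the ansible-freeipa project. It combines group-level settings with per-host overrides so that one run of the first playbook above gives the two replicas different services: a regular replica with CA and DNS, and a hidden replica. The hostnames, the forwarder address 192.0.2.53 and the split of services are assumptions. Passwords are deliberately absent from the inventory; they belong in the vault file that the playbook loads via `vars_files`.

```yaml
# inventory/hosts.yml (constructed example, not from ansible-freeipa)
# Hostnames, the forwarder address and the service split are assumptions.
# No passwords here: ipaadmin_password and ipadm_password come from the
# Ansible Vault file loaded by the playbook (playbook_sensitive_data.yml).
all:
  children:
    # Existing master the replicas are initialized from. The role reads
    # this group when ipareplica_servers is not set explicitly.
    ipaserver:
      hosts:
        ipaserver.example.com:

    ipareplicas:
      vars:
        ipareplica_domain: example.com
        ipaadmin_principal: admin
        # ipareplica_setup_dns needs a forwarder decision on the replica:
        # a forwarder list (as here), ipareplica_auto_forwarders or
        # ipareplica_no_forwarders; otherwise the installer refuses to run
        # unattended.
        ipareplica_forwarders:
          - 192.0.2.53
        ipareplica_forward_policy: only
      hosts:
        # Regular replica: CA and DNS, advertised to clients via SRV records.
        ipareplica1.example.com:
          ipareplica_setup_ca: true
          ipareplica_setup_dns: true
        # Hidden replica (FreeIPA 4.8+): same services, but not advertised
        # to clients, so it can serve as a backup or maintenance server.
        ipareplica2.example.com:
          ipareplica_setup_ca: true
          ipareplica_setup_dns: true
          ipareplica_hidden_replica: true
```

Create the vault file with `ansible-vault create playbook_sensitive_data.yml` (containing `ipaadmin_password` and `ipadm_password`), then run the first playbook from the Usage section with `ansible-playbook -i inventory/hosts.yml --ask-vault-pass <playbook>.yml`. Host-level variables override the group `vars`, which is how a single `ipareplicas` group can mix hidden and regular replicas.
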
Playbooks
=========

The playbooks needed to deploy or undeploy a replica are part of the repository in the playbooks folder. There are also playbooks to deploy and undeploy clusters.

```
install-replica.yml
uninstall-replica.yml
```

Please remember to link or copy the playbooks to the base directory of ansible-freeipa if you want to use the roles within the source archive.


How to setup replicas
---------------------

```bash
ansible-playbook -v -i inventory/hosts install-replica.yml
```

This will deploy the replicas defined in the inventory file.

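A check worth running right after the deployment is that every replica from the inventory actually joined the replication topology. The playbook below is an added example and not part of ansible-freeipa. It assumes the `ipaserver` group from the second inventory in the Usage section and an `ipaadmin_password` loaded from the vault file `playbook_sensitive_data.yml` (both are assumptions). It obtains an admin ticket on the master, lists the servers and the topology segments of the `domain` suffix, fails if a replica is missing, and destroys the ticket even when a step fails.

```yaml
---
# check-replica-topology.yml (constructed example, not from ansible-freeipa).
# Assumes an `ipaserver` inventory group and ipaadmin_password in the vault
# file loaded below; both are assumptions of this example, not of the role.
- name: Verify that the deployed replicas joined the replication topology
  hosts: ipaserver
  become: true
  vars_files:
    - playbook_sensitive_data.yml

  tasks:
    - name: Check the topology with an admin ticket that is always destroyed afterwards
      block:
        - name: Obtain a Kerberos ticket for the admin principal (password not logged)
          shell: >-
            printf '%s' "$IPA_PASS" |
            kinit "{{ ipaadmin_principal | default('admin') }}"
          environment:
            IPA_PASS: "{{ ipaadmin_password }}"
          no_log: true
          changed_when: false

        - name: List all IPA servers known to the domain
          command: ipa server-find
          register: servers
          changed_when: false

        - name: List replication agreements (segments) of the domain suffix
          command: ipa topologysegment-find domain
          register: segments
          changed_when: false

        - name: Fail if a replica from the inventory is missing from the server list
          assert:
            that: item in servers.stdout
            fail_msg: "{{ item }} is not listed by 'ipa server-find'"
          loop: "{{ groups['ipareplicas'] }}"

        - name: Show the topology segments for review
          debug:
            var: segments.stdout_lines
      always:
        - name: Destroy the admin ticket
          command: kdestroy
          changed_when: false
```

Run it with the same inventory and vault password as the deployment, e.g. `ansible-playbook -i inventory/hosts --ask-vault-pass check-replica-topology.yml`. The `block`/`always` structure guarantees the ticket is removed from the master even if an `ipa` command fails, and `no_log` keeps the password out of the Ansible output.
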
Variables
=========

Base Variables
--------------

A value of `mostly` in the Required column means the variable is needed in most deployments but can be omitted where the value is obtained otherwise, for example the `ipaserver` group when the servers are auto-discovered through DNS records.

Variable | Description | Required
-------- | ----------- | --------
`ipaserver` | Inventory group with the fully qualified hostnames of the existing IPA master(s). (list of strings) | mostly
`ipareplicas` | Group of IPA replica hostnames. (list of strings) | yes
`ipaadmin_password` | The password for the IPA admin user. (string) | mostly
`ipareplica_ip_addresses` | The list of the replica's own IP addresses. (list of strings) | no
`ipareplica_domain` | The primary DNS domain of an existing IPA deployment. (string) | no
`ipaserver_realm` | The Kerberos realm of an existing IPA deployment. (string) | no
`ipaserver_hostname` | Fully qualified hostname of the replica being installed. (string) | no
`ipaadmin_principal` | The authorized kerberos principal used to join the IPA realm. (string) | no
`ipareplica_no_host_dns` | Do not use DNS for hostname lookup during installation. (bool, default: false) | no
`ipareplica_skip_conncheck` | Skip connection check to remote master. (bool, default: false) | no
`ipareplica_pki_config_override` | Path to ini file with config overrides. This is only usable with recent FreeIPA versions. (string) | no
`ipareplica_mem_check` | Check for the minimum memory required for the deployment. Only usable with recent FreeIPA versions (4.8.10+), ignored otherwise. (bool, default: yes) | no

Server Variables
----------------

Variable | Description | Required
-------- | ----------- | --------
`ipadm_password` | The password for the Directory Manager. (string) | mostly
`ipareplica_hidden_replica` | Install a hidden replica (FreeIPA 4.8+). (bool, default: false) | no
`ipareplica_setup_adtrust` | Configure AD trust capability. (bool, default: false) | no
`ipareplica_setup_ca` | Configure a dogtag CA. (bool, default: false) | no
`ipareplica_setup_kra` | Configure a dogtag KRA. (bool, default: false) | no
`ipareplica_setup_dns` | Configure bind with our zone. (bool, default: false) | no
`ipareplica_no_pkinit` | Disables pkinit setup steps. (bool, default: false) | no
`ipareplica_no_ui_redirect` | Do not automatically redirect to the Web UI. (bool, default: false) | no
`ipareplica_dirsrv_config_file` | The path to an LDIF file that will be used to modify the configuration of dse.ldif during installation of the directory server instance. (string) | no

SSL certificate Variables
-------------------------

Variable | Description | Required
-------- | ----------- | --------
`ipareplica_dirsrv_cert_files` | Files containing the Directory Server SSL certificate and private key. (list of strings) | no
`ipareplica_http_cert_files` | Files containing the Apache Server SSL certificate and private key. (list of strings) | no
`ipareplica_pkinit_cert_files` | Files containing the Kerberos KDC SSL certificate and private key. (list of strings) | no
`ipareplica_dirsrv_pin` | The password to unlock the Directory Server private key. (string) | no
`ipareplica_http_pin` | The password to unlock the Apache Server private key. (string) | no
`ipareplica_pkinit_pin` | The password to unlock the Kerberos KDC private key. (string) | no
`ipareplica_dirsrv_cert_name` | Name of the Directory Server SSL certificate to install. (string) | no
`ipareplica_http_cert_name` | Name of the Apache Server SSL certificate to install. (string) | no
`ipareplica_pkinit_cert_name` | Name of the Kerberos KDC SSL certificate to install. (string) | no

Client Variables
----------------

Variable | Description | Required
-------- | ----------- | --------
`ipaclient_keytab` | Path to backed up keytab from previous enrollment. (string) | no
`ipaclient_mkhomedir` | Set to yes to configure PAM to create a user's home directory if it does not exist. (bool) | no
`ipaclient_force_join` | Force client enrollment even if already enrolled. (bool, default: false) | no
`ipaclient_ntp_servers` | The list defines the NTP servers to be used. (list of strings) | no
`ipaclient_ntp_pool` | The string value defines the ntp server pool to be used. (string) | no
`ipaclient_no_ntp` | If true, NTP will not be configured and enabled. (bool, default: false) | no
`ipaclient_ssh_trust_dns` | If true, the OpenSSH client will be configured to trust DNS SSHFP records. (bool, default: false) | no
`ipaclient_no_ssh` | If true, the OpenSSH client will not be configured. (bool, default: false) | no
`ipaclient_no_sshd` | If true, the OpenSSH server will not be configured. (bool, default: false) | no
`ipaclient_no_sudo` | If true, SSSD will not be configured as a data source for sudo. (bool, default: false) | no
`ipaclient_no_dns_sshfp` | If true, DNS SSHFP records will not be created automatically. (bool, default: false) | no

Certificate system Variables
----------------------------

Variable | Description | Required
-------- | ----------- | --------
~~`ipareplica_skip_schema_check`~~ | ~~Skip check for updated CA DS schema on the remote master. (bool, default: false)~~ | ~~no~~

DNS Variables
-------------

Variable | Description | Required
-------- | ----------- | --------
`ipareplica_allow_zone_overlap` | Allow creation of (reverse) zone even if the zone is already resolvable. (bool, default: false) | no
`ipareplica_reverse_zones` | The reverse DNS zones to use. (list of strings) | no
`ipareplica_no_reverse` | Do not create reverse DNS zone. (bool, default: false) | no
`ipareplica_auto_reverse` | Try to resolve reverse records and reverse zones for server IP addresses. (bool, default: false) | no
`ipareplica_zonemgr` | The e-mail address of the DNS zone manager. (string, default: hostmaster@DOMAIN.) | no
`ipareplica_forwarders` | Add DNS forwarders to the DNS configuration. (list of strings) | no
`ipareplica_no_forwarders` | Do not add any DNS forwarders. Root DNS servers will be used instead. (bool, default: false) | no
`ipareplica_auto_forwarders` | Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false) | no
`ipareplica_forward_policy` | DNS forwarding policy for global forwarders specified using other options. (choice: first, only) | no
`ipareplica_no_dnssec_validation` | Disable DNSSEC validation on this server. (bool, default: false) | no

AD trust Variables
------------------

Variable | Description | Required
-------- | ----------- | --------
~~`ipareplica_add_sids`~~ | ~~Add SIDs for existing users and groups as the final step. (bool, default: false)~~ | ~~no~~
~~`ipareplica_add_agents`~~ | ~~Add IPA masters to a list of hosts allowed to serve information about users from trusted forests. (bool, default: false)~~ | ~~no~~
`ipareplica_enable_compat` | Enables support for trusted domains users for old clients through Schema Compatibility plugin. (bool, default: false) | no
`ipareplica_netbios_name` | The NetBIOS name for the IPA domain. (string) | no
`ipareplica_rid_base` | First RID value of the local domain. (integer) | no
`ipareplica_secondary_rid_base` | Start value of the secondary RID range. (integer) | no

Cluster Specific Variables
--------------------------

Variable | Description | Required
-------- | ----------- | --------
`ipareplica_servers` | Manually override the list of servers, for example in a cluster environment on a per-replica basis. The list of servers is normally taken from `groups.ipaserver` in cluster environments. (list of strings) | no
`ipaserver_domain` | If set in a cluster environment, overrides `ipareplica_domain`. (string) | no

Special Variables
-----------------

Variable | Description | Required
-------- | ----------- | --------
`ipareplica_install_packages` | The bool value defines if the needed packages are installed on the node. (bool, default: true) | no
`ipareplica_setup_firewalld` | The value defines if the needed services will automatically be opened in the firewall managed by firewalld. (bool, default: true) | no
`ipareplica_firewalld_zone` | The value defines the firewall zone that will be used. This needs to be an existing runtime and permanent zone. (string) | no

Authors
=======

Thomas Woerner