timorunge.freeipa_server

freeipa_server

This role installs and sets up the FreeIPA Server based on your requirements.

This playbook helps to create the Kerberos admin user (username: admin, password as defined in freeipa_server_admin_password).

You can use this role together with freeipa (GitHub), which has been tested with the latest FreeIPA versions on Ubuntu 18.04 or newer. Check the example section.

Note: Ubuntu 20.04 Not Supported

Ubuntu 20.04 does not have the freeipa-server package.

Requirements

You need Ansible 2.5.0 or newer.

Install a stable version with pip:

pip install ansible==2.7.7

All platform requirements can be found in the metadata file.

Installation

ansible-galaxy install timorunge.freeipa_server

Role Variables

You must set the following variables to get this role working without customization. These variables do not have default values:

# Admin user kerberos password - at least 8 characters
freeipa_server_admin_password: Passw0rd
# Primary DNS domain of the IPA deployment
freeipa_server_domain: example.com
# Directory Manager password - at least 8 characters
freeipa_server_ds_password: Passw0rd
# The hostname of this machine (FQDN)
freeipa_server_fqdn: ipa.example.com
# Master Server IP Address
freeipa_server_ip: 172.20.0.2
# Kerberos realm name of the IPA deployment
freeipa_server_realm: EXAMPLE.COM

Here are some additional variables you can set with brief descriptions (see defaults/main.yml for all variables):

# Enable/Disable RedHat EPEL repository management
freeipa_server_enable_epel_repo: true

# Automatically add an entry in /etc/hosts
freeipa_server_manage_host: true

# Specify FreeIPA server type (master/replica)
freeipa_server_type: master

# The FQDN of the master FreeIPA server
freeipa_server_master_fqdn: ''

# Base command for FreeIPA installation
freeipa_server_install_base_command: ipa-{{ 'server' if freeipa_server_type == 'master' else 'replica' }}-install --unattended {{ '--server=' + freeipa_server_master_fqdn if freeipa_server_type == 'replica' }}

# Default FreeIPA installation options
freeipa_server_install_options:
  - "--realm={{ freeipa_server_realm }}"
  - "--domain={{ freeipa_server_domain }}"
  - "--setup-dns"
  - "--ds-password={{ freeipa_server_ds_password }}"
  - "--admin-password={{ freeipa_server_admin_password }}"
  - "--mkhomedir"
  - "--hostname={{ freeipa_server_fqdn | default(ansible_fqdn) }}"
  - "--ip-address={{ freeipa_server_ip }}"
  - "--no-host-dns"
  - "--no-ntp"
  - "--idstart=5000"
  - "--ssh-trust-dns"
  - "--forwarder=8.8.8.8"
  - "--auto-forwarders"
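The role passes these variables straight to the installer, so a missing or too-short value only surfaces when ipa-server-install fails part-way through. The playbook below is an added example, not part of the role: it checks the required variables with the assert module in pre_tasks before the role runs. The variable names are the role's own; the individual checks (8-character minimum, upper-cased realm, FQDN inside the domain, master FQDN required for a replica) are assumptions derived from the descriptions above.

```yaml
# Added example (not part of the role): fail fast on bad required variables.
- hosts: freeipa-server
  vars:
    # Passw0rd is the placeholder used in this README; in real use keep both
    # passwords in ansible-vault rather than in a plain playbook.
    freeipa_server_admin_password: Passw0rd
    freeipa_server_domain: example.com
    freeipa_server_ds_password: Passw0rd
    freeipa_server_fqdn: ipa-master.example.com
    freeipa_server_ip: 172.20.0.2
    freeipa_server_realm: EXAMPLE.COM
  pre_tasks:
    - name: Check required freeipa_server variables before the installer runs
      assert:
        that:
          # both passwords: set and at least 8 characters (installer minimum)
          - freeipa_server_admin_password | default('') | length >= 8
          - freeipa_server_ds_password | default('') | length >= 8
          # domain and realm: the realm is conventionally the upper-cased domain
          - freeipa_server_domain | default('') | length > 0
          - freeipa_server_realm | default('') | length > 0
          - freeipa_server_realm == freeipa_server_realm | upper
          # the host name must be an FQDN inside the IPA domain
          - freeipa_server_fqdn | default('') | length > 0
          - freeipa_server_fqdn.endswith('.' ~ freeipa_server_domain)
          # the IP address is mandatory when freeipa_server_manage_host is true
          - freeipa_server_ip | default('') | length > 0
          # a replica needs the master's FQDN for the --server= option
          - freeipa_server_type | default('master') in ['master', 'replica']
          - >-
            freeipa_server_type | default('master') != 'replica'
            or freeipa_server_master_fqdn | default('') | length > 0
        msg: "freeipa_server_* variables are missing or invalid; see Role Variables"
  roles:
    - timorunge.freeipa_server
```

The assert task uses short module names so it works on the Ansible 2.5+ versions the role targets; `default('')` keeps an unset variable from raising an undefined-variable error instead of a readable assertion failure.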

Examples

To keep the document concise, the install options are abbreviated. You can find the full install options in the "FreeIPA server install options" section below or in the ipa-server-install man pages.

1) Install FreeIPA server as master with default settings

- hosts: freeipa-server
  vars:
    freeipa_server_admin_password: Passw0rd
    freeipa_server_domain: example.com
    freeipa_server_ds_password: Passw0rd
    freeipa_server_fqdn: ipa-master.example.com
    freeipa_server_ip: 172.20.0.2
    freeipa_server_realm: EXAMPLE.COM
  roles:
    - timorunge.freeipa_server

2) Install FreeIPA server as replica with default settings

- hosts: freeipa-server
  vars:
    freeipa_server_type: replica
    freeipa_server_master_fqdn: ipa-master.example.com
    freeipa_server_admin_password: Passw0rd
    freeipa_server_domain: example.com
    freeipa_server_ds_password: Passw0rd
    freeipa_server_fqdn: ipa-replica.example.com
    freeipa_server_ip: 172.20.0.3
    freeipa_server_realm: EXAMPLE.COM
  roles:
    - timorunge.freeipa_server

3) Install FreeIPA server and enable it on all IPv4 network interfaces

Set freeipa_server_ip if using freeipa_server_manage_host.

- hosts: freeipa-server
  vars:
    freeipa_server_admin_password: Passw0rd
    freeipa_server_domain: example.com
    freeipa_server_ds_password: Passw0rd
    freeipa_server_fqdn: ipa.example.com
    freeipa_server_ip: 172.20.0.3
    freeipa_server_realm: EXAMPLE.COM
    freeipa_server_install_options:
      - "--ip-address={{ ansible_all_ipv4_addresses | join(' --ip-address=') }}"
  roles:
    - timorunge.freeipa_server

4) Install FreeIPA server with custom install options

- hosts: freeipa-server
  vars:
    freeipa_server_admin_password: Passw0rd
    freeipa_server_domain: example.com
    freeipa_server_ds_password: Passw0rd
    freeipa_server_fqdn: ipa.example.com
    freeipa_server_ip: 172.20.0.2
    freeipa_server_realm: EXAMPLE.COM
    freeipa_server_install_options:
      - "--realm={{ freeipa_server_realm }}"
      - "--domain={{ freeipa_server_domain }}"
      - "--setup-dns"
      - "--ds-password={{ freeipa_server_ds_password }}"
      - "--admin-password={{ freeipa_server_admin_password }}"
      - "--mkhomedir"
      - "--hostname={{ freeipa_server_fqdn | default(ansible_fqdn) }}"
      - "--ip-address={{ freeipa_server_ip }}"
      - "--ip-address=10.0.0.2"
      - "--ip-address=192.168.20.2"
      - "--no-host-dns"
      - "--no-ntp"
      - "--idstart=5000"
      - "--ssh-trust-dns"
      - "--forwarder=8.8.8.8"
      - "--auto-forwarders"
      - "--no-ui-redirect"
      - "--no-ssh"
      - "--no-sshd"
  roles:
    - timorunge.freeipa_server

FreeIPA server install options

Overview of install options for ipa-server-install (4.6.4).

Usage: ipa-server-install [options]

Options:
  --version             show the program's version and exit
  -h, --help            show this help message and exit
  -U, --unattended      uninstall/install without prompting the user
  --uninstall           uninstall an existing installation. The uninstall can
                        run with --unattended option

  Basic options:
    -p DM_PASSWORD, --ds-password=DM_PASSWORD
                        Directory Manager password
    -a ADMIN_PASSWORD, --admin-password=ADMIN_PASSWORD
                        Admin user kerberos password
    --ip-address=IP_ADDRESS
                        Master Server IP Address, can be used multiple times
    -n DOMAIN_NAME, --domain=DOMAIN_NAME
                        Primary DNS domain for the IPA deployment
    -r REALM_NAME, --realm=REALM_NAME
                        Kerberos realm name for the IPA deployment
    --hostname=HOST_NAME
                        Fully qualified name of this host
    --no-host-dns       Avoid using DNS for hostname lookup during installation

  Server options:
    --setup-adtrust     Configure AD trust capability
    --setup-kra         Configure a dogtag KRA
    --setup-dns         Configure bind with our zone
    --idstart=IDSTART   Starting value for the IDs range
    --idmax=IDMAX       Max value for the IDs range
    --no-hbac-allow     Don't install allow_all HBAC rule
    --no-pkinit         Disable pkinit setup steps
    --no-ui-redirect    Avoid automatic redirect to the Web UI

  SSL certificate options:
    --dirsrv-cert-file=FILE
                        Directory Server SSL certificate file
    --http-cert-file=FILE
                        Apache Server SSL certificate file
    --pkinit-cert-file=FILE
                        Kerberos KDC SSL certificate file

  Client options:
    --mkhomedir         Create home directories for users on their first login
    -N, --no-ntp        Do not configure ntp

  DNS options:
    --allow-zone-overlap
                        Create DNS zone even if it already exists
    --reverse-zone=REVERSE_ZONE
                        The reverse DNS zone to use

  Logging and output options:
    -v, --verbose       Print debugging information
    -q, --quiet         Output only errors

Testing


Tests are done using Vagrant with these virtual machines:

  • EL 7
  • Fedora 26, 27
  • Ubuntu 16.04 LTS, 17.10, 18.04 LTS

The latest Ansible version is installed on all VMs, running a test playbook locally.

For more details, check the Vagrant entrypoint.

# Test in all Vagrant machines:
# This will take some time. Grab a coffee.
cd tests
vagrant up --parallel && vagrant halt
for h in $(vagrant global-status --prune | grep freeipa_server | awk '{print $2}') ; do
    echo ${h}
    vagrant up --provision ${h}
    vagrant ssh ${h} -c "sudo /vagrant/vagrant-entrypoint.sh" && (echo "$(date): ${h}: pass" >> tests/results.log) || (echo "$(date): ${h}: fail" >> tests/results.log)
    vagrant halt ${h}
done
vagrant destroy -f

If Vagrant can't mount directories, make sure you have VirtualBox Guest Additions.

Travis tests use Docker and docker_test_runner. Travis tests check for linting and syntax errors.

You can test locally with:

curl https://raw.githubusercontent.com/timorunge/docker-test-runner/master/install.sh | sh
./docker_test_runner.py -f tests/docker_test_runner.yml

Security

This playbook does not secure the FreeIPA Server. You can use tools like firewalld or iptables for this.

Open the following ports based on your setup:

TCP ports:

  • 80, 443: HTTP/HTTPS
  • 389, 636: LDAP/LDAPS
  • 88, 464: kerberos
  • 53: bind

UDP Ports:

  • 88, 464: kerberos
  • 53: bind
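Because the role leaves the firewall untouched, the ports above have to be opened separately. The playbook below is an added example, not part of the role. It assumes firewalld is the firewall in use (one of the two tools named above), that the firewalld package is installable on the target, and that the Ansible firewalld module is available; the firewalld tasks run as post_tasks after the role. Port 53 appears only because the default install options include --setup-dns; leave it out if DNS is not set up. The variable name freeipa_server_firewall_ports is an assumption, not a role variable.

```yaml
# Added example (not part of the role): open the FreeIPA ports with firewalld.
- hosts: freeipa-server
  vars:
    freeipa_server_admin_password: Passw0rd   # README placeholder; use ansible-vault
    freeipa_server_domain: example.com
    freeipa_server_ds_password: Passw0rd
    freeipa_server_fqdn: ipa-master.example.com
    freeipa_server_ip: 172.20.0.2
    freeipa_server_realm: EXAMPLE.COM
    # assumed variable name, not defined by the role; ports from the list above
    freeipa_server_firewall_ports:
      - 80/tcp    # HTTP
      - 443/tcp   # HTTPS
      - 389/tcp   # LDAP
      - 636/tcp   # LDAPS
      - 88/tcp    # Kerberos
      - 464/tcp   # Kerberos (kpasswd)
      - 88/udp
      - 464/udp
      - 53/tcp    # bind; only needed with --setup-dns (part of the default options)
      - 53/udp
  roles:
    - timorunge.freeipa_server
  post_tasks:
    - name: Ensure firewalld is installed
      package:
        name: firewalld
        state: present

    - name: Ensure firewalld is running and enabled at boot
      service:
        name: firewalld
        state: started
        enabled: true

    - name: Open FreeIPA ports in the default zone (runtime and permanent)
      firewalld:
        port: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ freeipa_server_firewall_ports }}"
```

Setting both `permanent` and `immediate` applies the rule to the running configuration and persists it across reloads; restricting the LDAP and Kerberos ports to the client networks with a dedicated zone or rich rules is left to the operator, since it depends on the deployment.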

Backup

Make sure to back up CA certificates stored in /root/cacert.p12. These files are needed to create replicas. The password for these files is the Directory Manager (freeipa_server_ds_password) password.

You can find a general Backup and Restore guide on FreeIPA covering essential topics.

There is also an Ansible role for basic backups: FreeIPA Server Backup (GitHub Repo).

Dependencies

None

License

BSD 3-Clause "New" or "Revised" License

Author Information

  • Timo Runge