Chapter 27. Installing an Identity Management replica using an Ansible playbook
Configuring a system as an IdM replica by using Ansible enrolls it into an IdM domain and enables the system to use IdM services on IdM servers in the domain.
The deployment is managed by the ipareplica Ansible role. The role can use the autodiscovery mode for identifying the IdM servers, domain and other settings. However, if you deploy multiple replicas in a tier-like model, with different groups of replicas being deployed at different times, you must define specific servers or replicas for each group.
27.1. Prerequisites
- You have installed the ansible-freeipa package on the Ansible control node.
- You understand the general Ansible and IdM concepts.
- You have planned the replica topology in your deployment.
27.2. Specifying the base, server and client variables for installing the IdM replica
Complete this procedure to configure the inventory file for installing an IdM replica.
Prerequisites
- You have configured your Ansible control node to meet the following requirements:
  - You are using Ansible version 2.14 or later.
  - You have installed the freeipa.ansible_freeipa collection on the Ansible controller.
Procedure
- Open the inventory file for editing. Specify the fully-qualified domain names (FQDN) of the hosts to become IdM replicas. The FQDNs must be valid DNS names:
  - Only numbers, alphabetic characters, and hyphens (-) are allowed. For example, underscores are not allowed and can cause DNS failures.
  - The host name must be all lower-case.

  Example of a simple inventory hosts file with only the replicas' FQDN defined:

  ```
  [ipareplicas]
  replica1.idm.example.com
  replica2.idm.example.com
  replica3.idm.example.com
  [...]
  ```

  If the IdM server is already deployed and the SRV records are set properly in the IdM DNS zone, the script automatically discovers all the other required values.
- Optional: Provide additional information in the inventory file based on how you have designed your topology:
  - Scenario 1: If you want to avoid autodiscovery and have all replicas listed in the [ipareplicas] section use a specific IdM server, set the server in the [ipaservers] section of the inventory file. Example: inventory hosts file with the FQDN of the IdM server and replicas defined.
  - Scenario 2: Alternatively, if you want to avoid autodiscovery but want to deploy specific replicas with specific servers, set the servers for specific replicas individually in the [ipareplicas] section of the inventory file. Example: inventory file with a specific IdM server defined for a specific replica. In that example, replica3.idm.example.com uses the already deployed replica1.idm.example.com as its replication source.
  - Scenario 3: If you are deploying several replicas in one batch and deployment time is a concern, a multitier replica deployment can be useful. Define specific groups of replicas in the inventory file, for example [ipareplicas_tier1] and [ipareplicas_tier2], and design separate plays for each group in the install-replica.yml playbook. Example: inventory file with replica tiers defined. The first entry in ipareplica_servers is used; the second entry is used as a fallback option. When using multiple tiers for deploying IdM replicas, you must have separate tasks in the playbook to first deploy replicas from tier1 and then replicas from tier2. Example: playbook file with different plays for different replica groups.
- Optional: Provide additional information regarding firewalld and DNS:
  - Scenario 1: If you want the replica to use a specified firewalld zone, for example an internal one, you can specify it in the inventory file. If you do not set a custom zone, IdM adds its services to the default firewalld zone. The predefined default zone is public. Important: the specified firewalld zone must exist and be permanent. Example: simple inventory hosts file with a custom firewalld zone.
  - Scenario 2: If you want the replica to host the IdM DNS service, add the ipareplica_setup_dns=true line to the [ipareplicas:vars] section. Additionally, specify whether you want to use per-server DNS forwarders:
    - To configure per-server forwarders, add the ipareplica_forwarders variable and a list of strings to the [ipareplicas:vars] section, for example: ipareplica_forwarders=192.0.2.1,192.0.2.2
    - To configure no per-server forwarders, add the following line to the [ipareplicas:vars] section: ipareplica_no_forwarders=true
    - To configure per-server forwarders based on the forwarders listed in the /etc/resolv.conf file of the replica, add the ipareplica_auto_forwarders variable to the [ipareplicas:vars] section.

    Example: inventory file with instructions to set up DNS and per-server forwarders on the replicas.
  - Scenario 3: Specify the DNS resolver using the ipaclient_configure_dns_resolver and ipaclient_dns_servers options (if available) to simplify cluster deployments. This is especially useful if your IdM deployment is using integrated DNS. An inventory file snippet specifying a DNS resolver:

    ```
    [...]
    [ipaclient:vars]
    ipaclient_configure_dns_resolver=true
    ipaclient_dns_servers=192.168.100.1
    ```

    Note: The ipaclient_dns_servers list must contain only IP addresses. Host names are not allowed.
- For details about all variables used in the playbook, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README.md file on the control node.
27.3. Specifying the credentials for installing the IdM replica using an Ansible playbook
Complete this procedure to configure the authorization for installing the IdM replica.
Prerequisites
- You have configured your Ansible control node to meet the following requirements:
  - You are using Ansible version 2.15 or later.
  - You have installed the freeipa.ansible_freeipa collection.
  - The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
  - The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
- The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
Procedure
- Specify the password of a user authorized to deploy replicas, for example the IdM admin:
  - Use the Ansible Vault to store the password, and reference the Vault file from the playbook file, for example install-replica.yml. Example: playbook file using the principal from the inventory file and the password from an Ansible Vault file. For details on how to use Ansible Vault, see the official Ansible Vault documentation.
  - Less securely, provide the credentials of admin directly in the inventory file. Use the ipaadmin_password option in the [ipareplicas:vars] section of the inventory file. The inventory file and the install-replica.yml playbook file can then look as follows:

    Example inventory hosts.replica file:

    ```
    [...]
    [ipareplicas:vars]
    ipaadmin_password=Secret123
    ```

    Example: playbook using principal and password from the inventory file.
  - Alternatively, but also less securely, provide the credentials of another user authorized to deploy a replica directly in the inventory file. To specify a different authorized user, use the ipaadmin_principal option for the user name, and the ipaadmin_password option for the password. The inventory file and the install-replica.yml playbook file can then look as follows:

    Example inventory hosts.replica file:

    ```
    [...]
    [ipareplicas:vars]
    ipaadmin_principal=my_admin
    ipaadmin_password=my_admin_secret123
    ```

    Example: playbook using principal and password from the inventory file.

    Note: During the installation of an IdM replica, checking whether the provided Kerberos principal has the required privilege also extends to checking user ID overrides. As a result, you can deploy a replica using the credentials of an AD administrator that is configured to act as an IdM administrator.
- For details about all variables used in the playbook, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README.md file on the control node.
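The following install-replica.yml combines the tiered deployment from Scenario 3 in section 27.2 with the Vault-stored password from the first option above. It is an added example, not a playbook from this chapter or from the ansible-freeipa project; it assumes a server named server.idm.example.com, the tier groups shown in the comment at the top, and that secret.yml is the Vault file holding ipaadmin_password. It sets ipareplica_servers in play vars rather than in the inventory, which the role reads the same way.

```yaml
---
# Added example. Assumed INI inventory (host names follow this chapter); the
# tier groups decide the order in which the replicas are deployed:
#
#   [ipaservers]
#   server.idm.example.com
#
#   [ipareplicas_tier1]
#   replica1.idm.example.com
#
#   [ipareplicas_tier2]
#   replica2.idm.example.com
#   replica3.idm.example.com
#
# secret.yml is an Ansible Vault file holding "ipaadmin_password: ...", so the
# admin password never appears in the inventory. Run with the file that stores
# the Vault password (path is a placeholder):
#   ansible-playbook -i ~/MyPlaybooks/inventory \
#     --vault-password-file <vault-pass-file> ~/MyPlaybooks/install-replica.yml

# Play 1: tier-1 replicas are installed directly against the first IdM server.
- name: Deploy tier-1 IdM replicas
  hosts: ipareplicas_tier1
  become: true
  vars_files:
    - secret.yml
  vars:
    # Section 27.2 sets this in the inventory; play vars are an equivalent place.
    ipareplica_servers:
      - server.idm.example.com
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      state: present

# Play 2: starts only after play 1 has finished on every tier-1 host, so
# replica1 can act as the replication source. The first entry is used; the
# original server is the fallback if replica1 is not reachable.
- name: Deploy tier-2 IdM replicas
  hosts: ipareplicas_tier2
  become: true
  vars_files:
    - secret.yml
  vars:
    ipareplica_servers:
      - replica1.idm.example.com
      - server.idm.example.com
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      state: present
```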
27.4. Deploying an IdM replica using an Ansible playbook
Complete this procedure to use an Ansible playbook to deploy an IdM replica.
Prerequisites
- The managed node is a Red Hat Enterprise Linux 10 system with a static IP address and a working package manager.
- You have configured the inventory file for installing an IdM replica.
- You have configured the authorization for installing the IdM replica.
Procedure
- Run the Ansible playbook:

  ```
  $ ansible-playbook -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-replica.yml
  ```
Next steps
- In large deployments, you can tune specific parameters of IdM replicas for better performance. Consult the Tuning Performance in Identity Management title to find tuning instructions to best suit your scenario.
27.5. Uninstalling an IdM replica using an Ansible playbook
In an existing Identity Management (IdM) deployment, replica and server are interchangeable terms. For information on how to uninstall an IdM server, see Uninstalling an IdM server using an Ansible playbook or Using an Ansible playbook to uninstall an IdM server even if this leads to a disconnected topology.