Red Hat Summit29.11. Using Ansible to install an IdM replica configured to use eDNS
Learn how to use Ansible to install an IdM replica with eDNS in an environment where the IdM server has DoT enabled.
When you install the replica with the integrated DNS service, the replica uses the same configuration as the IdM server. It runs BIND to handle incoming DNS queries, including encrypted queries, and uses unbound for outgoing encrypted DNS traffic.
When you install the replica without the integrated DNS service, the replica inherits the client-side configuration. It uses unbound with a DoT forwarder to send encrypted DNS queries to the IdM DNS server.
Prerequisites
- You are using Ansible version 2.15 or later.
-
You have installed the
ansible-freeipapackage. -
The example assumes that the
secret.ymlAnsible vault stores youripaadmin_passwordand that you have access to a file that stores the password protecting thesecret.ymlfile.
Procedure
On the controller, create a playbook named
install-replica-edns.ymlthat includes a task to install an IdM replica with eDNS enabled:--- - name: Playbook to configure an IdM replica with eDNS enabled hosts: ipareplicas become: true vars_files: - /home/user_name/MyPlaybooks/secret.yml vars: ipaadmin_password: "{{ ipaadmin_password }}" ipareplica_domain=idm.example.com ipareplica_dns_over_tls=true roles: - role: freeipa.ansible_freeipa.ipareplicaIf DNSSEC validation is turned off on the IdM server that the replica is communicating with, you must also disable it on the replica by setting
ipaclient_no_dnssec_validation = truein thevarssection of the playbook. Otherwise, DNS over TLS will not function correctly for the replica.To install integrated IdM DNS on the IdM replica, add
ipareplica_setup_dns=trueandipareplica_dot_forwarders="<server_ip>#<dns_server_hostname>"to the list of variables.Run the Ansible playbook:
$ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-replica-edns.yml
Verification
On the IdM server, list all replicas in the topology:
# ipa-replica-manage list-ruv
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}