Red Hat Summit29.8. Using Ansible to install an IdM server with integrated eDNS and an integrated root CA
You can use the ipaserver role available in the ansible-freeipa package to install an Identity Management (IdM) server with DNS-over-TLS (DoT) enabled.
You can select either the enforced or relaxed policy. By default, the installer uses the relaxed policy, which attempts DoT but allows fallback to standard, unencrypted DNS if a secure connection cannot be established. To apply the enforced policy, set the ipaserver_dns_policy variable to enforced in the vars section of the Ansible playbook.
For the configuration of DoT, you can use a certificate issued by the integrated IdM Certificate Authority (CA) or provide a custom certificate issued by an external CA. If you do not provide a certificate, the IdM CA automatically issues a DoT certificate during the installation.
Prerequisites
- You are using Ansible version 2.15 or later.
-
You have installed the
ansible-freeipapackage. -
The example assumes that the
secret.ymlAnsible vault stores youripaadmin_passwordand that you have access to a file that stores the password protecting thesecret.ymlfile. - Review the steps outlined in Preparing the system for IdM server installation.
-
For
enforcedDoT, complete the steps in Configuring client and replica systems to use DoT exclusively.
Procedure
Optional: To use a custom PEM-formatted certificate and key for DoT issued by an external certificate authority:
SSH to the host where you are going to install the IdM server:
$ ssh root@server.idm.example.comCreate the two files and assign ownership to the
nameddaemon:# openssl req \ -newkey rsa:2048 \ -nodes \ -keyout /etc/pki/tls/certs/privkey.pem \ -x509 \ -days 36500 \ -out /etc/pki/tls/certs/certificate.pem \ -subj "/C=<country_code>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<idm_server_fqdn>/emailAddress=<email>" && \ chown named:named /etc/pki/tls/certs/privkey.pem /etc/pki/tls/certs/certificate.pemExit the SSH session on the IdM server:
# exit
On the Ansible controller, create a playbook file named
install-server-integrated-ca.ymlwith the instructions to install an IdM server with an integrated IdM CA:--- - name: Playbook to configure IPA server hosts: ipaserver become: true vars_files: - /home/user_name/MyPlaybooks/secret.yml vars: ipaserver_domain: idm.example.com ipaserver_realm: IDM.EXAMPLE.COM ipaserver_hostname: server.idm.example.com ipa_admin_password: "{{ vault_admin_password }}" ipadm_password: "{{ vault_dm_password }}" ipaserver_setup_dns: true ipaserver_dot_forwarders: - "<server_ip>#<dns_server_hostname>" ipaserver_dns_over_tls: true ipaserver_auto_reverse: true roles: - role: freeipa.ansible_freeipa.ipaserverIf you are using a custom PEM-formatted certificate and key for DoT issued by an external certificate authority, add the following in the
varssection:ipaserver_dns_over_tls_cert: /etc/pki/tls/certs/certificate.pem ipaserver_dns_over_tls_key: /etc/pki/tls/certs/privkey.pemRun the Ansible playbook:
$ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-server-integrated-ca.yml
Troubleshooting
SSHto the IdM server:# ssh root@server.idm.example.comEnable detailed logging for the
unboundservice:# unbound-control verbosity 3Restart the
unboundservice to apply the updated configuration:# systemctl restart unboundMonitor real-time logs of the
unboundservice:$ journalctl -u unbound -f
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}