Início
Produtos
Red Hat Enterprise Linux
10
Using Ansible to install and manage Identity Management in RHEL
Chapter 17. Managing IdM servers by using Ansible

Este conteúdo não está disponível no idioma selecionado.

Chapter 17. Managing IdM servers by using Ansible

Manage Identity Management (IdM) servers in your topology using the server module in the ansible-freeipa package, including checking server presence, hiding replicas, and assigning DNS locations.

17.1. Checking that an IdM server is present by using Ansible
Copiar o link

Verify that an Identity Management (IdM) server exists in your topology using Ansible to validate infrastructure state before running dependent automation.

Note

The ipaserver Ansible module does not install the IdM server.

Prerequisites

On the control node:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

Navigate to your ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```
Copy the server-present.yml Ansible playbook file located in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/ directory:
```
$ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/server-present.yml server-present-copy.yml
```
Open the server-present-copy.yml file for editing.

In the freeipa.ansible_freeipa.ipaserver task section, set the name variable to the FQDN of the server. The FQDN of the example server is server123.idm.example.com.

---
- name: Server present example
  hosts: ipaserver
  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure server server123.idm.example.com is present
    freeipa.ansible_freeipa.ipaserver:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: server123.idm.example.com

Save the file.
For details about variables and example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-server.md file and the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server directory on the control node.

Run the Ansible playbook and specify the playbook file and the inventory file:

$ ansible-playbook --vault-password-file=password_file -v -i inventory server-present-copy.yml

17.2. Ensuring that an IdM server is absent from an IdM topology by using Ansible
Copiar o link

Remove an Identity Management (IdM) server and the host on which it is running from the topology using Ansible to decommission infrastructure while maintaining a consistent domain configuration.

In contrast to the ansible-freeipa ipaserver role, the ipaserver module used in this playbook does not uninstall IdM services from the server.

Prerequisites

On the control node:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

Navigate to your ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```
Copy the server-absent.yml Ansible playbook file located in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/ directory:
```
$ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/server-absent.yml server-absent-copy.yml
```
Open the server-absent-copy.yml file for editing.
Adapt the file by setting the following variables in the freeipa.ansible_freeipa.ipaserver task section and save the file:
- Set the ipaadmin_password variable to the password of the IdM admin.
- Set the name variable to the FQDN of the server. The FQDN of the example server is server123.idm.example.com.
- Ensure that the state variable is set to absent.
  --- - name: Server absent example hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: - name: Ensure server server123.idm.example.com is absent freeipa.ansible_freeipa.ipaserver: ipaadmin_password: "{{ ipaadmin_password }}" name: server123.idm.example.com state: absent
For details about variables and example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-server.md file and the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server directory on the control node.

Run the Ansible playbook and specify the playbook file and the inventory file:

$ ansible-playbook --vault-password-file=password_file -v -i inventory server-absent-copy.yml

Make sure all name server (NS) DNS records pointing to server123.idm.example.com are deleted from your DNS zones. This applies regardless of whether you use integrated DNS managed by IdM or external DNS.

17.3. Ensuring the absence of an IdM server despite hosting a last IdM server role
Copiar o link

Force remove an Identity Management (IdM) server using Ansible even when it hosts the last instance of a CA, KRA, or DNS service.

Warning

If you remove the last server that serves as a CA, KRA, or DNS server, you disrupt IdM functionality seriously. You can manually check which services are running on which IdM servers with the ipa service-find command. The principal name of a CA server is dogtag/server_name/REALM_NAME.

In contrast to the ansible-freeipa ipaserver role, the ipaserver module used in this playbook does not uninstall IdM services from the server.

Prerequisites

On the control node:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
The SSH connection from the control node to the IdM server defined in the inventory file is working correctly.

Procedure

Navigate to your ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```
Copy the server-absent-ignore-last-of-role.yml Ansible playbook file located in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/server/ directory:
```
$ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/server/server-absent-ignore-last-of-role.yml server-absent-ignore-last-of-role-copy.yml
```
Open the server-absent-ignore-last-of-role-copy.yml file for editing.
Adapt the file by setting the following variables in the ipaserver task section and save the file:
- Set the ipaadmin_password variable to the password of the IdM admin.
- Set the name variable to the FQDN of the server. The FQDN of the example server is server123.idm.example.com.
- Ensure that the ignore_last_of_role variable is set to true.
- Set the state variable to absent.
  --- - name: Server absent with last of role skip example hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: - name: Ensure server "server123.idm.example.com" is absent with last of role skip freeipa.ansible_freeipa.ipaserver: ipaadmin_password: "{{ ipaadmin_password }}" name: server123.idm.example.com ignore_last_of_role: true state: absent
For details about variables and example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-server.md file and the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server directory on the control node.

Run the Ansible playbook and specify the playbook file and the inventory file:

$ ansible-playbook --vault-password-file=password_file -v -i inventory server-absent-ignore-last-of-role-copy.yml

Make sure all name server (NS) DNS records that point to server123.idm.example.com are deleted from your DNS zones. This applies regardless of whether you use integrated DNS managed by IdM or external DNS.

17.4. Ensuring that an IdM server is absent but not necessarily disconnected from other IdM servers
Copiar o link

Remove an Identity Management (IdM) server using Ansible while preserving replication agreements, useful when removing dysfunctional servers you plan to delete.

The playbook also ensures that the IdM server does not exist in IdM, even as a host.

Important

Ignoring a server’s replication agreements when removing it is only recommended when the other servers are dysfunctional servers that you are planning to remove anyway. Removing a server that serves as a central point in the topology can split your topology into two disconnected clusters.

You can remove a dysfunctional server from the topology with the ipa server-del command.

Note

If you remove the last server that serves as a certificate authority (CA), key recovery authority (KRA), or DNS server, you seriously disrupt the Identity Management (IdM) functionality. To prevent this problem, the playbook makes sure these services are running on another server in the domain before it uninstalls a server that serves as a CA, KRA, or DNS server.

In contrast to the ansible-freeipa ipaserver role, the ipaserver module used in this playbook does not uninstall IdM services from the server.

Prerequisites

On the control node:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
- The SSH connection from the control node to the IdM server defined in the inventory file is working correctly.

Procedure

Navigate to your ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```

Copy the server-absent-ignore_topology_disconnect.yml Ansible playbook file located in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/ directory:

$ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/server-absent-ignore_topology_disconnect.yml server-absent-ignore_topology_disconnect-copy.yml

Open the server-absent-ignore_topology_disconnect-copy.yml file for editing.
Adapt the file by setting the following variables in the ipaserver task section and save the file:
- Set the ipaadmin_password variable to the password of the IdM admin.
- Set the name variable to the FQDN of the server. The FQDN of the example server is server123.idm.example.com.
- Ensure that the ignore_topology_disconnect variable is set to true.
- Ensure that the state variable is set to absent.
  --- - name: Server absent with ignoring topology disconnects example hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: - name: Ensure server "server123.idm.example.com" with ignoring topology disconnects ipaserver: ipaadmin_password: "{{ ipaadmin_password }}" name: server123.idm.example.com ignore_topology_disconnect: true state: absent
For details about variables and example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-server.md file and the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server directory on the control node.

Run the Ansible playbook and specify the playbook file and the inventory file:

$ ansible-playbook --vault-password-file=password_file -v -i inventory server-absent-ignore_topology_disconnect-copy.yml

Optional: Make sure all name server (NS) DNS records pointing to server123.idm.example.com are deleted from your DNS zones. This applies regardless of whether you use integrated DNS managed by IdM or external DNS.

17.5. Ensuring that an existing IdM server is hidden using an Ansible playbook
Copiar o link

Configure an Identity Management (IdM) server as hidden using Ansible to exclude it from client discovery, enabling dedicated backup or maintenance scenarios.

Prerequisites

On the control node:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

Navigate to your ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```
Copy the server-hidden.yml Ansible playbook file located in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/ directory:
```
$ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/server-hidden.yml server-hidden-copy.yml
```
Open the server-hidden-copy.yml file for editing.
Adapt the file by setting the following variables in the freeipa.ansible_freeipa.ipaserver task section and save the file:
- Indicate that the value of the ipaadmin_password variable is defined in the secret.yml Ansible vault file.
- Set the name variable to the FQDN of the server. The FQDN of the example server is server123.idm.example.com.
- Ensure that the hidden variable is set to True.
  --- - name: Server hidden example hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: - name: Ensure server server123.idm.example.com is hidden freeipa.ansible_freeipa.ipaserver: ipaadmin_password: "{{ ipaadmin_password }}" name: server123.idm.example.com hidden: True
For details about variables and example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-server.md file and the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server directory on the control node.

Run the Ansible playbook and specify the playbook file and the inventory file:

$ ansible-playbook --vault-password-file=password_file -v -i inventory server-hidden-copy.yml

17.6. Ensuring that an existing IdM server is visible by using an Ansible playbook
Copiar o link

Make a hidden Identity Management (IdM) server visible again using Ansible so that clients and other servers can discover and use it for authentication.

Prerequisites

On the control node:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
- The SSH connection from the control node to the IdM server defined in the inventory file is working correctly.

Procedure

Navigate to your ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```
Copy the server-not-hidden.yml Ansible playbook file located in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/ directory:
```
$ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/server-not-hidden.yml server-not-hidden-copy.yml
```
Open the server-not-hidden-copy.yml file for editing.
Adapt the file by setting the following variables in the ipaserver task section and save the file:
- Set the ipaadmin_password variable to the password of the IdM admin.
- Set the name variable to the FQDN of the server. The FQDN of the example server is server123.idm.example.com.
- Ensure that the hidden variable is set to no.
  --- - name: Server not hidden example hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: - name: Ensure server server123.idm.example.com is not hidden freeipa.ansible_freeipa.ipaserver: ipaadmin_password: "{{ ipaadmin_password }}" name: server123.idm.example.com hidden: no
For details about variables and example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-server.md file and the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server directory on the control node.

Run the Ansible playbook and specify the playbook file and the inventory file:

$ ansible-playbook --vault-password-file=password_file -v -i inventory server-not-hidden-copy.yml

17.7. Ensuring that an existing IdM server has an IdM DNS location assigned
Copiar o link

Assign a DNS location to an Identity Management (IdM) server using Ansible so that clients in that location receive SRV records pointing to nearby servers.

Note that the ipaserver Ansible module does not install the IdM server.

Prerequisites

You know the IdM admin password.
The IdM DNS location exists. The example location is germany.
You have root access to the server. The example server is server123.idm.example.com.
You have configured your Ansible control node to meet the following requirements:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
- The SSH connection from the control node to the IdM server defined in the inventory file is working correctly.

Procedure

Navigate to your ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```
Copy the server-location.yml Ansible playbook file located in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/ directory:
```
$ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/server-location.yml server-location-copy.yml
```
Open the server-location-copy.yml file for editing.
Adapt the file by setting the following variables in the ipaserver task section and save the file:
- Set the ipaadmin_password variable to the password of the IdM admin.
- Set the name variable to server123.idm.example.com.
- Set the location variable to germany.
  This is the modified Ansible playbook file for the current example:
  --- - name: Server enabled example hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: - name: Ensure server server123.idm.example.com with location "germany" is present ipaserver: ipaadmin_password: "{{ ipaadmin_password }}" name: server123.idm.example.com location: germany
For details about variables and example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-server.md file and the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server directory on the control node.

Run the Ansible playbook and specify the playbook file and the inventory file:

$ ansible-playbook --vault-password-file=password_file -v -i inventory server-location-copy.yml

Connect to server123.idm.example.com as root using SSH:
```
ssh root@server123.idm.example.com
```
Restart the named service on the server for the updates to take effect immediately:
```
[root@server123.idm.example.com ~]# systemctl restart named
```

17.8. Ensuring that an existing IdM server has no IdM DNS location assigned
Copiar o link

Remove the DNS location assignment from an Identity Management (IdM) server using Ansible, useful for servers that frequently change geographical locations.

Prerequisites

You know the IdM admin password.
You have root access to the server. The example server is server123.idm.example.com.
You have configured your Ansible control node to meet the following requirements:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
- The SSH connection from the control node to the IdM server defined in the inventory file is working correctly.

Procedure

Navigate to your ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```
Copy the server-no-location.yml Ansible playbook file located in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/ directory:
```
$ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server/server-no-location.yml server-no-location-copy.yml
```
Open the server-no-location-copy.yml file for editing.
Adapt the file by setting the following variables in the ipaserver task section and save the file:
- Set the ipaadmin_password variable to the password of the IdM admin.
- Set the name variable to server123.idm.example.com.
- Ensure that the location variable is set to "”.
  --- - name: Server no location example hosts: ipaserver vars_files: - /home/user_name/MyPlaybooks/secret.yml tasks: - name: Ensure server server123.idm.example.com is present with no location ipaserver: ipaadmin_password: "{{ ipaadmin_password }}" name: server123.idm.example.com location: ""
For details about variables and example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-server.md file and the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/server directory on the control node.

Run the Ansible playbook and specify the playbook file and the inventory file:

$ ansible-playbook --vault-password-file=password_file -v -i inventory server-no-location-copy.yml

Connect to server123.idm.example.com as root using SSH:
```
ssh root@server123.idm.example.com
```
Restart the named service on the server for the updates to take effect immediately:
```
[root@server123.idm.example.com ~]# systemctl restart named
```

Este conteúdo não está disponível no idioma selecionado.

Chapter 17. Managing IdM servers by using Ansible

17.1. Checking that an IdM server is present by using Ansible
Copiar o link

17.2. Ensuring that an IdM server is absent from an IdM topology by using Ansible
Copiar o link

17.3. Ensuring the absence of an IdM server despite hosting a last IdM server role
Copiar o link

17.4. Ensuring that an IdM server is absent but not necessarily disconnected from other IdM servers
Copiar o link

17.5. Ensuring that an existing IdM server is hidden using an Ansible playbook
Copiar o link

17.6. Ensuring that an existing IdM server is visible by using an Ansible playbook
Copiar o link

17.7. Ensuring that an existing IdM server has an IdM DNS location assigned
Copiar o link

17.8. Ensuring that an existing IdM server has no IdM DNS location assigned
Copiar o link

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Tornando o open source mais inclusivo

Sobre a Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

Este conteúdo não está disponível no idioma selecionado.

Chapter 17. Managing IdM servers by using Ansible

17.1. Checking that an IdM server is present by using AnsibleCopiar o linkLink copiado para a área de transferência!

17.2. Ensuring that an IdM server is absent from an IdM topology by using AnsibleCopiar o linkLink copiado para a área de transferência!

17.3. Ensuring the absence of an IdM server despite hosting a last IdM server roleCopiar o linkLink copiado para a área de transferência!

17.4. Ensuring that an IdM server is absent but not necessarily disconnected from other IdM serversCopiar o linkLink copiado para a área de transferência!

17.5. Ensuring that an existing IdM server is hidden using an Ansible playbookCopiar o linkLink copiado para a área de transferência!

17.6. Ensuring that an existing IdM server is visible by using an Ansible playbookCopiar o linkLink copiado para a área de transferência!

17.7. Ensuring that an existing IdM server has an IdM DNS location assignedCopiar o linkLink copiado para a área de transferência!

17.8. Ensuring that an existing IdM server has no IdM DNS location assignedCopiar o linkLink copiado para a área de transferência!

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Tornando o open source mais inclusivo

Sobre a Red Hat

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links

17.1. Checking that an IdM server is present by using Ansible
Copiar o link

17.2. Ensuring that an IdM server is absent from an IdM topology by using Ansible
Copiar o link

17.3. Ensuring the absence of an IdM server despite hosting a last IdM server role
Copiar o link

17.4. Ensuring that an IdM server is absent but not necessarily disconnected from other IdM servers
Copiar o link

17.5. Ensuring that an existing IdM server is hidden using an Ansible playbook
Copiar o link

17.6. Ensuring that an existing IdM server is visible by using an Ansible playbook
Copiar o link

17.7. Ensuring that an existing IdM server has an IdM DNS location assigned
Copiar o link

17.8. Ensuring that an existing IdM server has no IdM DNS location assigned
Copiar o link