29.9. Using Ansible to install an IdM server with integrated eDNS and an external root CA


You can use the ipaserver role available in the ansible-freeipa package to install an Identity Management (IdM) server with DNS-over-TLS (DoT) enabled.

Important

You can select either the enforced or relaxed policy. By default, the installer uses the relaxed policy, which attempts DoT but allows fallback to standard, unencrypted DNS if a secure connection cannot be established. To apply the enforced policy, set the ipaserver_dns_policy variable to enforced in the vars section of the Ansible playbook.

You can use a certificate issued by the integrated IdM Certificate Authority (CA) or provide a custom certificate issued by an external CA. If you do not provide a certificate, the IdM CA automatically issues a DoT certificate during the installation.

Prerequisites

Procedure

  1. Optional: To use a custom PEM-formatted certificate and key for DoT issued by an external certificate authority:

    1. SSH to the host where you are going to install the IdM server:

      $ ssh root@server.idm.example.com
    2. Create the two files and assign ownership to the named daemon:

      # openssl req \
        -newkey rsa:2048 \
        -nodes \
        -keyout /etc/pki/tls/certs/privkey.pem \
        -x509 \
        -days 36500 \
        -out /etc/pki/tls/certs/certificate.pem \
        -subj "/C=<country_code>/ST=<state>/L=<location>/O=<organization>/OU=<organizational_unit>/CN=<idm_server_fqdn>/emailAddress=<email>" && \
        chown named:named /etc/pki/tls/certs/privkey.pem /etc/pki/tls/certs/certificate.pem
    3. Exit the SSH session on the IdM server:

      # exit
  2. On the Ansible controller, create a playbook file named install-server-external-ca-step1.yml with the instructions to install an IdM server with an external CA:

    ---
    - name: "Playbook to configure IPA server Step 1: generate CSR for IdM external CA setup"
      hosts: ipaserver
      become: true
      vars_files:
      - /home/user_name/MyPlaybooks/secret.yml
      vars:
        ipaserver_domain: idm.example.com
        ipaserver_realm: IDM.EXAMPLE.COM
        ipaserver_hostname: server.idm.example.com
        ipaadmin_password: "{{ vault_admin_password }}"
        ipadm_password: "{{ vault_dm_password }}"
        ipaserver_setup_dns: true
        ipaserver_dot_forwarders:
          - "<server_ip>#<dns_server_hostname>"
        ipaserver_external_ca: true
        ipaserver_dns_over_tls: true
        ipaserver_no_dnssec_validation: true
        ipaserver_auto_reverse: true
    
      roles:
        - role: freeipa.ansible_freeipa.ipaserver
    
      post_tasks:
      - name: Copy CSR /root/ipa.csr from node to "{{ groups.ipaserver[0] + '-ipa.csr' }}"
        fetch:
          src: /root/ipa.csr
          dest: "{{ groups.ipaserver[0] + '-ipa.csr' }}"
          flat: true

    If you are using a custom PEM-formatted certificate and key for DoT issued by an external certificate authority, add the following in the vars section:

    ipaserver_dns_over_tls_cert: /etc/pki/tls/certs/certificate.pem
    ipaserver_dns_over_tls_key: /etc/pki/tls/certs/privkey.pem
  3. Run the Ansible playbook with the instructions for the first step of the installation:

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-server-external-ca-step1.yml
  4. Locate the ipa.csr certificate signing request file on the controller and submit it to the external CA.
  5. Place the IdM CA certificate signed by the external CA and the CA certificate chain in the controller file system so that the playbook in the next step can find it.
  6. Create a new Ansible playbook, for example install-server-external-ca-step2.yml, for the second step of IdM server installation with the following content:

    ---
    - name: "Playbook to configure IdM server Step 2: import certificates and finalize installation"
      hosts: ipaserver
      become: true
      vars_files:
      - /home/user_name/MyPlaybooks/secret.yml
      vars:
        ipaserver_domain: idm.example.com
        ipaserver_realm: IDM.EXAMPLE.COM
        ipaserver_hostname: server.idm.example.com
        ipaadmin_password: "{{ vault_admin_password }}"
        ipadm_password: "{{ vault_dm_password }}"
        ipaserver_setup_dns: true
        ipaserver_dot_forwarders:
          - "<server_ip>#<dns_server_hostname>"
        ipaserver_external_ca: true
        ipaserver_dns_over_tls: true
        ipaserver_no_dnssec_validation: true
        ipaserver_auto_reverse: true
        ipaserver_external_cert_files:
          - servercert20240601.pem
          - cacert.pem
    
      pre_tasks:
      - name: Copy "{{ groups.ipaserver[0] }}-{{ item }}" to "/root/{{ item }}" on node
        ansible.builtin.copy:
          src: "{{ groups.ipaserver[0] }}-{{ item }}"
          dest: "/root/{{ item }}"
          force: true
        with_items:
        - servercert20240601.pem
        - cacert.pem
    
      roles:
      - role: freeipa.ansible_freeipa.ipaserver
        state: present
  7. Run the Ansible playbook with the instructions for the final step of the installation:

    $ ansible-playbook --vault-password-file=password_file -v -i ~/MyPlaybooks/inventory ~/MyPlaybooks/install-server-external-ca-step2.yml
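A pre-flight check for the custom DoT certificate and key created in step 1.2, added here as an example; it is not part of the Red Hat documentation or the ansible-freeipa role. It assumes openssl and GNU stat are available on the IdM host and uses the page's example paths and FQDN.

```shell
#!/bin/bash
# Added pre-flight check for the custom DoT certificate and key created in
# step 1.2. Not part of the Red Hat documentation or ansible-freeipa; run it
# on the IdM host before the step 1 playbook hands the files to named.

# Return 0 when the private key belongs to the certificate (same public key).
dot_keypair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when the certificate is valid for the IdM server FQDN (SAN or CN),
# the name DoT clients connect to on port 853.
dot_cert_names_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Return 0 when the certificate has not yet expired.
dot_cert_valid() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Return 0 when the key is readable only by its owner (mode 0600 or 0400).
# Ownership by named:named comes from the chown in step 1.2 and is not
# checked here, so the script also works as an unprivileged user.
dot_key_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Run every check, report each failure, and return 1 if any check failed.
dot_preflight() {
    cert=$1; key=$2; fqdn=$3; rc=0
    dot_keypair_matches "$cert" "$key" || { echo "FAIL: $key does not match $cert"; rc=1; }
    dot_cert_names_host "$cert" "$fqdn" || { echo "FAIL: $cert is not valid for $fqdn"; rc=1; }
    dot_cert_valid "$cert" || { echo "FAIL: $cert has expired"; rc=1; }
    dot_key_private "$key" || { echo "FAIL: $key is readable by group or other"; rc=1; }
    return $rc
}
```

Source the file on the IdM host and run `dot_preflight /etc/pki/tls/certs/certificate.pem /etc/pki/tls/certs/privkey.pem server.idm.example.com`; a zero exit status means the files are ready for the ipaserver_dns_over_tls_cert and ipaserver_dns_over_tls_key variables.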

Troubleshooting

  1. SSH to the IdM server:

    # ssh root@server.idm.example.com
  2. Enable detailed logging for the unbound service:

    # unbound-control verbosity 3
  3. Restart the unbound service to apply the updated configuration:

    # systemctl restart unbound
  4. Monitor real-time logs of the unbound service:

    $ journalctl -u unbound -f
© 2026 Red Hat