主页
产品
Red Hat Enterprise Linux
10
Installing Identity Management
26.6. Using the one-time password method in Ansible to install an IdM client

26.6. Using the one-time password method in Ansible to install an IdM client

You can generate a one-time password (OTP) for a new host in Identity Management (IdM) and use it to enroll a system into the IdM domain. This procedure describes how to use Ansible to install an IdM client after generating an OTP for it on another IdM host.

This method of installing an IdM client is convenient if two system administrators with different privileges exist in your organisation:

One that has the credentials of an IdM administrator.
Another that has the required Ansible credentials, including root access to the host to become an IdM client.

The IdM administrator performs the first part of the procedure in which the OTP password is generated. The Ansible administrator performs the remaining part of the procedure in which the OTP is used to install an IdM client.

Prerequisites

You have the IdM admin credentials or at least the Host Enrollment privilege and a permission to add DNS records in IdM.
You have configured a user escalation method on the Ansible managed node to allow you to install an IdM client.
If your Ansible control node is running on RHEL 8.7 or earlier, you must be able to install packages on your Ansible control node.
You have configured your Ansible control node to meet the following requirements:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
The managed node is a Red Hat Enterprise Linux 10 system with a static IP address and a working package manager.

Procedure

SSH to an IdM host as an IdM user with a role that has the Host Enrollment privilege and a permission to add DNS records:
```
$ ssh admin@server.idm.example.com
```

Generate an OTP for the new client:

[admin@server ~]$ ipa host-add client.idm.example.com --ip-address=172.25.250.11 --random
 --------------------------------------------------
 Added host "client.idm.example.com"
 --------------------------------------------------
  Host name: client.idm.example.com
  Random password: W5YpARl=7M.n
  Password: True
  Keytab: False
  Managed by: server.idm.example.com

The --ip-address=<your_host_ip_address> option adds the host to IdM DNS with the specified IP address.

Exit the IdM host:

$ exit
logout
Connection to server.idm.example.com closed.

On the ansible controller, update the inventory file to include the random password:

[...]
[ipaclients]
client.idm.example.com

[ipaclients:vars]
ipaclient_domain=idm.example.com
ipaclient_otp=W5YpARl=7M.n
[...]

Run the playbook to install the client:

$ ansible-playbook -i inventory install-client.yml

26.6. Using the one-time password method in Ansible to install an IdM client

学习

尝试、购买和销售

社区

關於紅帽

让开源更具包容性

关于红帽文档

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links