8.4. Using Ansible to configure IdM clients for smart card authentication

Procedure

1. If your CA certificates are stored in files of a different format, such as DER, convert them to PEM format:

   # openssl x509 -in <filename>.der -inform DER -out <filename>.pem -outform PEM

   The IdM CA certificate is in PEM format and is located in the /etc/ipa/ca.crt file.

2. Optional: Use the openssl x509 utility to view the contents of the files in the PEM format to check that the Issuer and Subject values are correct:

   # openssl x509 -noout -text -in root-ca.pem | more

3. On your Ansible control node, navigate to your ~/MyPlaybooks/ directory:

   $ cd ~/MyPlaybooks/

4. Create a subdirectory dedicated to the CA certificates:

   $ mkdir SmartCard/

5. For convenience, copy all the required certificates to the ~/MyPlaybooks/SmartCard/ directory, for example:

   # cp /tmp/root-ca.pem ~/MyPlaybooks/SmartCard/
   # cp /tmp/intermediate-ca.pem ~/MyPlaybooks/SmartCard/
   # cp /etc/ipa/ca.crt ~/MyPlaybooks/SmartCard/ipa-ca.crt

6. In your Ansible inventory file, specify the following:

   • The IdM clients that you want to configure for smart card authentication.
   • The IdM administrator password.

   • The paths to the certificates of the CAs in the following order:

     • The root CA certificate file
     • The intermediate CA certificates files
     • The IdM CA certificate file

   The file can look as follows:

   [ipaclients]
   ipaclient1.example.com
   ipaclient2.example.com
   
   [ipaclients:vars]
   ipaadmin_password=SomeADMINpassword
   ipasmartcard_client_ca_certs=/home/<user_name>/MyPlaybooks/SmartCard/root-ca.pem,/home/<user_name>/MyPlaybooks/SmartCard/intermediate-ca.pem,/home/<user_name>/MyPlaybooks/SmartCard/ipa-ca.crt

7. Create an install-smartcard-clients.yml playbook with the following content:

   ---
   - name: Playbook to set up smart card authentication for an IdM client
     hosts: ipaclients
     become: true
   
     roles:
     - role: ipasmartcard_client
       state: present

8. Save the file.

   For example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/ directory on the control node.

9. Run the Ansible playbook. Specify the playbook and inventory files:

   $ ansible-playbook --vault-password-file=password_file -v -i inventory install-smartcard-clients.yml

   The ipasmartcard_client Ansible role performs the following actions:

   • It configures the smart card daemon.
   • It sets the system-wide truststore.

   • It configures the System Security Services Daemon (SSSD) to allow users to authenticate with either their user name and password or their smart card. For more details on SSSD profile options for smart card authentication, see Smart card authentication options in RHEL.

     The clients listed in the ipaclients section of the inventory file are now configured for smart card authentication.

   注意

   If you have installed the IdM clients with the --mkhomedir option, remote users will be able to log in to their home directories. Otherwise, the default login location is the root of the directory structure, /.