25.3. Specifying the credentials for installing the IdM replica using an Ansible playbook

Prerequisites

• You have configured your Ansible control node to meet the following requirements:

  • You are using Ansible version 2.15 or later.
  • You have installed the ansible-freeipa package.
  • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
  • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
• The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

• Specify the password of a user authorized to deploy replicas, for example the IdM admin.

  • Use the Ansible Vault to store the password, and reference the Vault file from the playbook file, for example install-replica.yml:

    Example playbook file using principal from inventory file and password from an Ansible Vault file:

    - name: Playbook to configure IPA replicas
      hosts: ipareplicas
      become: true
      vars_files:
      - playbook_sensitive_data.yml
    
      roles:
      - role: freeipa.ansible_freeipa.ipareplica
        state: present

    For details how to use Ansible Vault, see the official Ansible Vault documentation.

  • Less securely, provide the credentials of admin directly in the inventory file. Use the ipaadmin_password option in the [ipareplicas:vars] section of the inventory file. The inventory file and the install-replica.yml playbook file can then look as follows:

    Example inventory hosts.replica file:

    [...]
    [ipareplicas:vars]
    ipaadmin_password=Secret123

    Example playbook using principal and password from inventory file:

    - name: Playbook to configure IPA replicas
      hosts: ipareplicas
      become: true
    
      roles:
      - role: freeipa.ansible_freeipa.ipareplica
        state: present

  • Alternatively but also less securely, provide the credentials of another user authorized to deploy a replica directly in the inventory file. To specify a different authorized user, use the ipaadmin_principal option for the user name, and the ipaadmin_password option for the password. The inventory file and the install-replica.yml playbook file can then look as follows:

    Example inventory hosts.replica file:

    [...]
    [ipareplicas:vars]
    ipaadmin_principal=my_admin
    ipaadmin_password=my_admin_secret123

    Example playbook using principal and password from inventory file:

    - name: Playbook to configure IPA replicas
      hosts: ipareplicas
      become: true
    
      roles:
      - role: freeipa.ansible_freeipa.ipareplica
        state: present

    注意

    During the installation of an IdM replica, checking if the provided Kerberos principal has the required privilege also extends to checking user ID overrides. As a result, you can deploy a replica using the credentials of an AD administrator that is configured to act as an IdM administrator.

  For details about all variables used in the playbook, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README.md file on the control node.