freeipa installation using ansible freeipa
play

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 - PowerPoint PPT Presentation

Dec 26, 2022 •237 likes •406 views

FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wrner Senior Software Engineer, Red Hat Inc. https://github.com/freeipa/ansible-freeipa/ AGENDA Project goals IPA installers vs. ansible-freeipa IPA client installation

  1. FREEIPA INSTALLATION USING ANSIBLE-FREEIPA FOSDEM - 2018-02-03 Thomas Wörner Senior Software Engineer, Red Hat Inc. https://github.com/freeipa/ansible-freeipa/

  2. AGENDA Project goals IPA installers vs. ansible-freeipa IPA client installation steps Enrollment workflow with ipa-client-install vs. with ansible-freeipa IPA client OTP use case IPA client domain configuration with ipa-client-install vs. with ansible-freeipa IPA server installation steps Examples of Ansible inventory files and playbooks

  3. PROJECT GOALS Allow automation of FreeIPA installations and configuration using ansible-freeipa Same results using normal FreeIPA installers or ansible-freeipa ansible-freeipa can provide additional features ​ Provide Ansible roles and modules for server, client and replica installations The replica installation is still work in progress and not part of the repository yet Support FreeIPA 4.5+ for ipaserver, ipareplica and ipaclient roles

  4. FREEIPA INSTALLER SCRIPTS VS. ANSIBLE-FREEIPA INSTALLATION USING FREEIPA INSTALLERS Log in to every machine, start installation process manually Use either principal/password or keytab Wait till installation is done INSTALLATION USING ANSIBLE-FREEIPA Simple installation on more than one machine One configuration file (inventory file) per domain or realm One place for configuration options Simple use of OTP for client installation and update, more secure: Admin password not transferred to the clients Advanced auto detection for clients Repair of broken client configurations with one known limitation: Missing /etc/krb5.keytab

  5. FREEIPA CLIENT INSTALLATION STEPS Domain discovery and validation of parameters Time synchronization (ntp, chrony) IPA enrollment (Creation of host entry and keytab) SSSD, PAM, NSS configuration Kerberos client configuration PKI configuration DNS configuration

  6. CLIENT CONFIGURATION WITH ANSIBLE-FREEIPA Full autodiscovery: No need to provide domain or realm Using DNS SRV/TXT records for ldap and kerberos ​ Autodiscovery of IPA servers: Provide IPA domain Enhanced discovery: Provide only server No discovery: Provide server and domain Realm is usually derived from upper-cased name of the IPA domain, or can be forced to a different value Supported enrollment types OTP Admin principal and password Existing host keytab

  7. CLIENT INVENTORY FILE # Example minimal inventory file using full auto-detection [ipaclients] ipaclient.ipadomain.com # ipaclient_password can be provided by a Vault-protected file ipaservers Group of IPA server hostnames ipaclients Group of IPA client hostnames ipaadmin_keytab The path to the admin keytab used for alternative authentication ipaadmin_password The password for the kerberos admin principal ipaadmin_principal The authorized kerberos principal used to join the IPA realm ipaclient_domain The primary DNS domain of an existing IPA deployment ipaclient_realm The Kerberos realm of an existing IPA deployment ipaclient_keytab The path to a backed-up host keytab from previous enrollment ipaclient_force_join Set force_join to yes to join the host even if it is already enrolled ipaclient_use_otp Generate a one-time-password ipaclient_allow_repair Allow repair of already joined hosts ipaclient_kinit_attempts Repeat the request for host Kerberos ticket ipaclient_ntp Set to no to not configure and enable NTP ipaclient_mkhomedir Create users home dir

  8. CLIENT PLAYBOOKS install-client.yml --- - name: Playbook to configure IPA clients with username/password hosts: ipaclients become: true vars_files: - playbook_sensitive_data.yml roles: - role: ipaclient state: present uninstall-client.yml --- - name: Playbook to configure IPA clients with username/password hosts: ipaclients become: true vars_files: - playbook_sensitive_data.yml roles: - role: ipaclient state: absent

  9. IPA SERVER INSTALLATION STEPS Domain discovery and validation of parameters (Configure firewall) Time synchronization and configuration (ntpd) Directory server configuration (dirsrv) Kerberos configuration (krb5kdc, kadmin) Certificate Server configuration (pki-tomcatd) Further directory server configuration (dirsrv) OTPD configuration (ipa-otpd) Custodia configuration (ipa-custodia) HTTP configuration (httpd) Kerberos KDC configuration (krb5kdc) KRA (Key Recovery Authority) configuration DNS configuration (named) AD trust configuration (smb, winbind) Client configuration on master Enable IPA service

  10. SERVER INVENTORY FILE # Example minimal server inventory file [ipaserver] ipaserver.ipadomain.com [ipaserver:vars] ipaserver_domain=ipadomain.com ipaserver_realm=IPADOMAIN.COM # Passwords can be provided by a Vault-protected file ipaadmin_password=SomePassword1 ipadm_password=SomePassword2 ipaserver Group with IPA server hostname ipaadmin_password The password for the kerberos admin principal ipaserver_domain The primary DNS domain for the IPA deployment ipaserver_realm The Kerberos realm for the IPA deployment ipaserver_setup_kra Install and configure a KRA on this server ipaserver_setup_dns Configure an integrated DNS server ipaserver_setup_adtrust Configure AD Trust capability ipaserver_auto_forwarders Add DNS forwarders configured in /etc/resolv.conf ipaserver_no_reverse Do not create reverse DNS zone ipaclient_no_ntp Set to no to not configure and enable NTP ipaclient_mkhomedir Create users home dir (excerpt)

  11. SERVER PLAYBOOKS install-server.yml --- - name: Playbook to configure IPA server with username/password hosts: ipaserver become: true roles: - role: ipaserver state: present uninstall-server.yml --- - name: Playbook to configure IPA clients with username/password hosts: ipaserver become: true roles: - role: ipaserver state: absent

  12. CLUSTER INVENTORY FILE [ipaserver] ipaserver.ipadomain.local [ipaserver:vars] ipadm_password=SomePassword123 #ipaserver_setup_dns=yes #ipaserver_auto_forwarders=yes [ipaclients] ipaclient1.ipadomain.local ipaclient2.ipadomain.local ipaclient3.ipadomain.local [ipaclients:vars] #ipaclient_use_otp=yes ipaclient_allow_repair=yes [ipa:children] ipaserver ipaclients [ipa:vars] ipaadmin_password=SomePassword456 ipaserver_domain=ipadomain.local ipaserver_realm=IPADOMAIN.LOCAL

  13. CLUSTER PLAYBOOKS (1) install-cluster.yml --- - name: Install IPA servers hosts: ipaserver become: true roles: - role: ipaserver state: present - name: Install IPA clients hosts: ipaclients become: true roles: - role: ipaclient state: present Note: Please remember to register the client IP addresses and names if DNS will be setup in the IPA server. This needs to be done before the clients are enrolled.

  14. CLUSTER PLAYBOOKS (2) uninstall-cluster.yml --- - name: Uninstall IPA clients hosts: ipaclients become: true roles: - role: ipaclient state: absent - name: Uninstall IPA servers hosts: ipaserver become: true roles: - role: ipaserver state: absent

  15. Q/A

  16. THANK YOU

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software

FreeIPA www.freeipa.org Identity Management in the FOSS World Simo Sorce Principal Software Engineer Red Hat, Inc. What is FreeIPA ? Acronym: Free Identity, Policy, Audit Purpose: Make it simpler to manage a complex problem

729 views • 28 slides
Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1

Identity and Directories with FreeIPA Simo Sorce Sr. Principal Sw. Eng., Red Hat 2015/01/21 1 Simo Sorce What is FreeIPA ? FreeIPA is a Directory and Authentication Server aka a Domain Controller Primarily targets at Linux servers.

487 views • 31 slides
Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander

Handling POSIX attributes for trusted Active Directory users and groups in FreeIPA Alexander Bokovoy <ab@samba.org> May 21th, 2015 Samba Team / Red Hat 0 A crisis of identity (solved?) FreeIPA What is FreeIPA? Cross Forest Trusts

298 views • 29 slides
GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017

GLOBAL CATALOG SERVICE IMPLEMENTATION IN FREEIPA Alexander Bokovoy Red Hat Inc. May 4th, 2017 ABOUT:ME Sr. Principal Software Engineer at Red Hat Samba Team member since 2003 Core FreeIPA developer since 2011 2 WHAT IS THIS TALK

669 views • 30 slides
Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software

Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software

Enhancements to FreeIPA Replication Topology Management Jan Pazdziora Sr. Principal Software Engineer Identity Management Special Projects, Red Hat 6 th October 2015 FreeIPA Integration of multiple identity-management tools. directory

352 views • 17 slides
Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com )

January 30th, 2016 FOSDEM16 Enterprise desktop at home with FreeIPA and GNOME Alexander Bokovoy ( abokovoy@redhat.com ) Enterprise desktop at home with FreeIPA and GNOME 2 Enterprise? Enterprise desktop at home with FreeIPA and GNOME 3 *

978 views • 71 slides
FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander

FOSDEM 2019 Distributions devroom FreeIPA and cross-distribution packaging experience Alexander Bokovoy FreeIPA and cross-distribution packaging experience about:me Red Hat Sr. Principal software engineer at Red Hat Identity

792 views • 31 slides
Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy

Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy

Principal Software Engineer, Red Hat // Samba Team SambaXP16 Enterprise desktop: improving client side in the age of Samba AD and FreeIPA Alexander Bokovoy Enterprise desktop: improving client side in the age of Samba AD and FreeIPA 2

1.33k views • 106 slides
Contributing to Ansible Developing Ansible Modules ....wait a min....what the heck is Ansible?

Contributing to Ansible Developing Ansible Modules ....wait a min....what the heck is Ansible?

Contributing to Ansible Developing Ansible Modules ....wait a min....what the heck is Ansible? software platform for CM systems Agentless Secure Scalable ....so what can we do with ansible? package installation

497 views • 16 slides
Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible?

Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible?

Infrastructure Automation Infrastructure Automation 2 Ansible Ansible What is Ansible? Ansible is an open source automation engine Why Ansible? Modular Idempotent Huge support/community Agentless Simple to learn

709 views • 29 slides
Ansible Wechat Account Ansible Meetup Shanghai August 17th ansible.com wiredcraft.com

Ansible Wechat Account Ansible Meetup Shanghai August 17th ansible.com wiredcraft.com

Ansible Wechat Account Ansible Meetup Shanghai August 17th ansible.com wiredcraft.com Introduction What is Ansible? Ansible.com Gaining momentum Ansible on GitHub Very fast learning curve Python based Easy to get

375 views • 18 slides
SECURITY AUTOMATION WITH ANSIBLE Michelle Perz, Associate Manager-Ansible Support, Ansible by Red

SECURITY AUTOMATION WITH ANSIBLE Michelle Perz, Associate Manager-Ansible Support, Ansible by Red

SECURITY AUTOMATION WITH ANSIBLE Michelle Perz, Associate Manager-Ansible Support, Ansible by Red Hat whoami ? 2 AGENDA Ansible use cases Information security Why Ansible? Examples Get involved 3 FreeImages.com/kovik COMMON ANSIBLE USE

495 views • 22 slides
SECURITY AUTOMATION WITH ANSIBLE Michelle Perz, Associate Manager-Ansible Support, Ansible by Red

SECURITY AUTOMATION WITH ANSIBLE Michelle Perz, Associate Manager-Ansible Support, Ansible by Red

SECURITY AUTOMATION WITH ANSIBLE Michelle Perz, Associate Manager-Ansible Support, Ansible by Red Hat whoami ? 2 AGENDA Ansible use cases Information security Why Ansible? Examples Get involved 3 FreeImages.com/kovik COMMON ANSIBLE USE

513 views • 29 slides
Ansible weithenn.org Agenda Infrastructure as Code

Ansible weithenn.org Agenda Infrastructure as Code

Ansible AWX Ansible weithenn.org Agenda Infrastructure as Code (IaC) Why Ansible Ansible Engine vs Tower vs AWX Ansible AWX Features Use Case Demo 3 Infrastructure as Code (IaC)

622 views • 23 slides
Whats New With Ansible Collections Diving into the How to use Collections with Ansible

Whats New With Ansible Collections Diving into the How to use Collections with Ansible

INSERT CONFIDENTIAL designator Whats New With Ansible Collections Diving into the How to use Collections with Ansible 2.9.10+ and beyond Andrius Benokraitis Iftikhar Khan Bradley Thornton Sr. Principal Product Manager Sr. Manager,

423 views • 19 slides
ANSIBLE BEST PRACTICES: THE ESSENTIALS Timothy Appnel Senior Product Manager, Ansible GitHub:

ANSIBLE BEST PRACTICES: THE ESSENTIALS Timothy Appnel Senior Product Manager, Ansible GitHub:

ANSIBLE BEST PRACTICES: THE ESSENTIALS Timothy Appnel Senior Product Manager, Ansible GitHub: tima Twitter: appnelgroup THE ANSIBLE WAY 2 COMPLEXITY KILLS PRODUCTIVITY That's not just a marketing slogan. We really mean it and believe that.

922 views • 38 slides
Image Segmentation with Gated Shape CNN for Autonomous Driving Jeanine Liebold Intelligent

Image Segmentation with Gated Shape CNN for Autonomous Driving Jeanine Liebold Intelligent

Image Segmentation with Gated Shape CNN for Autonomous Driving Jeanine Liebold Intelligent Robotics - 02.12.2019 Outline Motivation Fundamentals Gated Shape CNN Experiments Results Conclusion References 2

432 views • 32 slides
Arxiv, 8 dec 2018 Main question How does a GAN represent our visual world internally? How do

Arxiv, 8 dec 2018 Main question How does a GAN represent our visual world internally? How do

Arxiv, 8 dec 2018 Main question How does a GAN represent our visual world internally? How do activations in the generator correlate with concepts in the output image? Dissection Results In the dining room dataset, a unit emerges to match

387 views • 12 slides
Satellite Imagery Semantic Segmentation Razieh Kaviani Baghbaderani, Hairong Qi University of

Satellite Imagery Semantic Segmentation Razieh Kaviani Baghbaderani, Hairong Qi University of

Incorporating Spectral Unmixing in Satellite Imagery Semantic Segmentation Razieh Kaviani Baghbaderani, Hairong Qi University of Tennessee, Department of EECS Motivation: Deep learning-based networks need a large dataset for training due to a

128 views • 9 slides
Detection and Segmentation CS60010: Deep Learning Abir Das IIT Kharagpur Feb 28, 2020

Detection and Segmentation CS60010: Deep Learning Abir Das IIT Kharagpur Feb 28, 2020

Detection and Segmentation CS60010: Deep Learning Abir Das IIT Kharagpur Feb 28, 2020 Introduction Datasets Localization Agenda To get introduced to two important tasks of computer vision - detection and segmentation along with deep neural

755 views • 38 slides
Major Projects Leadership Academy Supplier Engagement Event 20 May 2020 - 10:30-12:40

Major Projects Leadership Academy Supplier Engagement Event 20 May 2020 - 10:30-12:40

Major Projects Leadership Academy Supplier Engagement Event 20 May 2020 - 10:30-12:40 Infrastructure & Projects Authority 1 Agenda Time Agenda Item Presenters 10:15 - Login 10:30 10:30 - Welcome and Introductions Sam Dooley (IPA)

709 views • 42 slides
InGaSb p-Channel Self-Aligned FinFETs with 10 nm Fin-Width Using Sb-Compatible Digital Etch W. Lu

InGaSb p-Channel Self-Aligned FinFETs with 10 nm Fin-Width Using Sb-Compatible Digital Etch W. Lu

InGaSb p-Channel Self-Aligned FinFETs with 10 nm Fin-Width Using Sb-Compatible Digital Etch W. Lu 1 , I. P. Roh 2 , D.-M. Geum 2 , S.-H. Kim 2 , J. D. Song 2 , L. Kong 1 , and J. A. del Alamo 1 1 Microsystems Technology Laboratories, MIT

966 views • 45 slides
Link Time Optimization Mechanism in GCC-4.7.2 Uday Khedker (www.cse.iitb.ac.in/uday) GCC

Link Time Optimization Mechanism in GCC-4.7.2 Uday Khedker (www.cse.iitb.ac.in/uday) GCC

Link Time Optimization Mechanism in GCC-4.7.2 Uday Khedker (www.cse.iitb.ac.in/uday) GCC Resource Center, Department of Computer Science and Engineering, Indian Institute of Technology, Bombay 13 June 2014 EAGCC-PLDI-14 LTO in GCC-4.7.2:

1.44k views • 86 slides
Un Understanding an and Im Impac act on HR Organ

Un Understanding an and Im Impac act on HR Organ

Un Understanding an and Im Impac act on HR Organ anis isat atio ional al De Develo lopment Azrinah Rahman, CSPS Co Content Understanding Industrial Revolution 4.0

666 views • 30 slides

More recommend