Diffstat (limited to 'roles/freeipa_server/tasks')
-rw-r--r-- | roles/freeipa_server/tasks/custom_schema.yml | 101 | ||||
-rw-r--r-- | roles/freeipa_server/tasks/main.yml | 77 | ||||
-rw-r--r-- | roles/freeipa_server/tasks/master.yml | 138 | ||||
-rw-r--r-- | roles/freeipa_server/tasks/replica.yml | 21 |
4 files changed, 337 insertions, 0 deletions
diff --git a/roles/freeipa_server/tasks/custom_schema.yml b/roles/freeipa_server/tasks/custom_schema.yml new file mode 100644 index 0000000..e5bca0d --- /dev/null +++ b/roles/freeipa_server/tasks/custom_schema.yml 
@@ -0,0 +1,101 @@ +- name: create custom schema directory + file: + path: '{{ freeipa_custom_schema_dir }}' + state: directory + recurse: yes + +- name: copy jid schema + copy: + src: '{{ freeipa_custom_schema_dir[1:] }}/jid.ldif' + dest: '{{ freeipa_custom_schema_dir }}/jid.ldif' + +- name: check if JIDObject exists in schema + shell: ldapsearch -QLLL -s base -b cn=schema objectclasses | grep -q JIDObject + changed_when: no + failed_when: no + register: ldapsearch_jidobject + +- block: + - name: extend freeipa schema for JIDs + command: ipa-ldap-updater --schema-file '{{ freeipa_custom_schema_dir }}/jid.ldif' + + - name: restart httpd + systemd: + name: httpd + state: restarted + when: ldapsearch_jidobject.rc != 0 + +- name: add index to jid attribute + ldap_entry: + dn: 'cn=jid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config' + objectClass: + - top + - nsIndex + attributes: + cn: jid + nsSystemIndex: false + nsIndexType: eq + bind_dn: cn=Directory Manager + bind_pw: '{{ freeipa_ds_password }}' + server_uri: ldaps://{{ ipa_host }} + register: jid_index + +- name: regenerate indexes for jid attribute + ldap_entry: + dn: cn=jidindex,cn=index,cn=tasks,cn=config + objectClass: + - top + - extensibleObject + attributes: + cn: jidindex + nsInstance: userRoot + nsIndexAttribute: 'jid:eq' + bind_dn: cn=Directory Manager + bind_pw: '{{ freeipa_ds_password }}' + server_uri: ldaps://{{ ipa_host }} + when: jid_index.changed + +- name: add default user object classes + ldap_attrs: + dn: cn=ipaConfig,cn=etc,{{ freeipa_basedn }} + attributes: + ipaUserObjectClasses: + - mailRecipient + - JIDObject + state: present + bind_dn: cn=Directory Manager + bind_pw: '{{ freeipa_ds_password }}' + server_uri: ldaps://{{ ipa_host }} + +- name: add default group object classes + ldap_attrs: + dn: cn=ipaConfig,cn=etc,{{ freeipa_basedn }} + attributes: + ipaGroupObjectClasses: + - mailRecipient + state: present + bind_dn: cn=Directory Manager + bind_pw: '{{ freeipa_ds_password }}' + 
server_uri: ldaps://{{ ipa_host }} + +- name: allow read access to custom user attributes + ipapermission: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: 'System: Read User Addressbook Attributes' + attrs: + - mailAlternateAddress + - jid + action: member + state: present + +- name: allow read access to custom group attributes + ipapermission: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: 'System: Read Groups' + attrs: + - mail + - mailAlternateAddress + action: member + state: present diff --git a/roles/freeipa_server/tasks/main.yml b/roles/freeipa_server/tasks/main.yml new file mode 100644 index 0000000..1dd6eaa --- /dev/null +++ b/roles/freeipa_server/tasks/main.yml 
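Review bot: The probe in `check if JIDObject exists in schema` cannot distinguish "objectclass absent" from "ldapsearch failed", because `failed_when: no` swallows every exit code and the pipeline's status is grep's: an expired Kerberos ticket, an unreachable server or a TLS error all give rc 1 and silently trigger `ipa-ldap-updater` plus an httpd restart on every run. Run the pipeline under bash with `set -o pipefail` (`args: executable: /bin/bash`) and replace `failed_when: no` with `failed_when: ldapsearch_jidobject.rc not in [0, 1]`, so only grep's no-match rc 1 counts as "not present" and real query failures abort before any schema change. Separately, `nsSystemIndex: false` is a YAML boolean that Ansible will render as the string `False` when the ldap_entry module encodes attribute values; unless 389-ds is case-insensitive for that attribute, quote it as `'false'` so the literal the directory expects is what gets sent.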
@@ -0,0 +1,77 @@ +- name: install freeipa pacakges + dnf: + name: '{{ freeipa_packages }}' + state: present + +# Disabling this until they figure out this bug. I don't use containers, +# so the kernel KEYRING ccache is just fine. +# https://bugzilla.redhat.com/show_bug.cgi?id=2035496 +- name: uninstall sssd-kcm + dnf: + name: sssd-kcm + state: absent + notify: restart sssd + +- name: open firewall ports + firewalld: + service: '{{ item }}' + permanent: yes + immediate: yes + state: enabled + loop: + - dns + - freeipa-ldap + - freeipa-ldaps + - freeipa-trust + - freeipa-replication + tags: firewalld + +- include_tasks: + file: "{{ 'master' if (freeipa_master == inventory_hostname) else 'replica' }}.yml" + +- name: copy bind configuration + template: + src: etc/named/ipa-options-ext.conf.j2 + dest: /etc/named/ipa-options-ext.conf + notify: restart freeipa + +- name: send sssd logs to journald + lineinfile: + create: yes + path: /etc/sysconfig/sssd + regexp: ^DEBUG_LOGGER= + line: DEBUG_LOGGER=--logger=journald + notify: restart sssd + +- name: check if rsyslog is installed + stat: + path: /etc/rsyslog.d + register: rsyslog_conf_dir + +- name: log krb5 to rsyslog + lineinfile: + path: /etc/krb5.conf + insertafter: '^\[logging\]$' + firstmatch: yes + regexp: '^\s*{{ item }}\s*=' + line: ' {{ item }} = SYSLOG:INFO:DAEMON' + loop: + - kdc + - admin_server + notify: restart freeipa + +- name: log freeipa files to rsyslog + template: + src: etc/rsyslog.d/freeipa.conf.j2 + dest: /etc/rsyslog.d/freeipa.conf + notify: restart rsyslog + when: rsyslog_conf_dir.stat.exists + +- name: log samba to rsyslog + lineinfile: + path: /etc/samba/smb.conf + insertafter: '^\[global\]$' + firstmatch: yes + regexp: '^\s*logging\s*=' + line: 'logging = syslog@2' + notify: restart samba diff --git a/roles/freeipa_server/tasks/master.yml b/roles/freeipa_server/tasks/master.yml new file mode 100644 index 0000000..34d1442 --- /dev/null +++ b/roles/freeipa_server/tasks/master.yml 
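Review bot: `log krb5 to rsyslog` silently does nothing useful if /etc/krb5.conf has no `[logging]` section: Ansible's `insertafter` falls back to end-of-file when its regex has no match, so the `kdc =` and `admin_server =` relations would be appended under whatever section happens to be last and the KDC audit trail this task is meant to enable is never switched on. The installer does write a `[logging]` block by default, but since this is an audit control it is worth guarding explicitly, e.g. with a preceding `lineinfile` that ensures the `^\[logging\]$` header exists, rather than relying on the default layout surviving. On the firewall side, `dns` and `freeipa-trust` are enabled in the default zone with no source restriction; the SMB/RPC ports behind `freeipa-trust` are only needed by AD domain controllers, so if this host is reachable from beyond the trust peers a dedicated zone or rich rule limited to those addresses would narrow the exposure.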
@@ -0,0 +1,138 @@ +- name: initialize freeipa server + command: > + ipa-server-install + --unattended + --realm={{ freeipa_realm }} + --domain={{ freeipa_domain }} + --ds-password={{ freeipa_ds_password | quote }} + --admin={{ freeipa_admin_password | quote }} + --hostname={{ ansible_fqdn }} + --ip-address={{ ansible_default_ipv4.address }} + --no-host-dns + --idstart={{ freeipa_idstart }} + --idmax={{ freeipa_idmax }} + --setup-dns + {% for forwarder in freeipa_dns_forwarders %} + --forwarder {{ forwarder }} + {% endfor %} + --forward-policy=only + --no-ntp + --no-hbac-allow + args: + creates: /etc/ipa/default.conf + +- name: initialize AD trust (for smb) + command: > + ipa-adtrust-install + --unattended + --add-sids + --netbios-name={{ freeipa_workgroup }} + --admin-name=admin + --admin-password={{ freeipa_admin_password | quote }} + args: + creates: /etc/samba/samba.keytab + +- name: set default password policy + community.general.ipa_pwpolicy: + ipa_user: '{{ ipa_user }}' + ipa_pass: '{{ ipa_pass }}' + maxpwdlife: '{{ freeipa_maxpwdlife }}' + minpwdlife: '{{ freeipa_minpwdlife }}' + historylength: '{{ freeipa_historylength }}' + minclasses: '{{ freeipa_minclasses }}' + minlength: '{{ freeipa_minlength }}' + maxfailcount: '{{ freeipa_maxfailcount }}' + failinterval: '{{ freeipa_failinterval }}' + lockouttime: '{{ freeipa_lockouttime }}' + +- name: set admin user's password expiration date + ipauser: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: admin + passwordexpiration: '{{ freeipa_admin_password_expiration }}' + +- name: set global freeipa configuration + ipaconfig: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + emaildomain: '{{ freeipa_email_domain }}' + defaultshell: '{{ freeipa_default_login_shell }}' + +- name: create HBAC services for system-level services + ipahbacsvc: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ item }}' + description: '{{ 
item }}' + state: present + loop: '{{ freeipa_system_services }}' + +- name: create HBAC rule for system-level services + ipahbacrule: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: whitelisted_system_services + description: Always allow authentication to system-level services + usercategory: all + hostcategory: all + hbacsvc: '{{ freeipa_system_services }}' + +- name: get admin kerberos ticket + command: + cmd: kinit -fpa {{ ipa_user }} + stdin: '{{ ipa_pass }}' + changed_when: false + +- include_tasks: custom_schema.yml + +- name: generate clientAuth certificate profile + template: + src: etc/pki/caIPAclientAuth.cfg.j2 + dest: /etc/pki/caIPAclientAuth.cfg + register: freeipa_clientauth_config + +- name: import clientAuth certificate profile + shell: + cmd: > + ipa certprofile-import caIPAclientAuth + --file /etc/pki/caIPAclientAuth.cfg + --desc 'Profile for client authentication' + --store TRUE + when: freeipa_clientauth_config.changed + +- name: destroy kerberos ticket + command: + cmd: kdestroy + changed_when: false + +- name: create automount maps + ipaautomountmap: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + name: '{{ item }}' + location: default + state: present + loop: '{{ freeipa_automount_maps }}' + +- name: create automount keys + ipaautomountkey: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + location: default + mapname: '{{ item.map }}' + key: '{{ item.key }}' + info: '{{ item.info }}' + state: present + loop: '{{ freeipa_automount_keys }}' + +- name: create /home automount key + ipaautomountkey: + ipaadmin_principal: '{{ ipa_user }}' + ipaadmin_password: '{{ ipa_pass }}' + location: default + mapname: auto.master + key: /home + info: auto.home + state: "{{ 'present' if freeipa_nfs_homedirs else 'absent' }}" + when: freeipa_nfs_homedirs 
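Review bot: `initialize freeipa server` and `initialize AD trust` pass `freeipa_ds_password` and `freeipa_admin_password` as command-line arguments without `no_log: true`, so both secrets are printed in Ansible output on failure or at any verbosity above default, captured by log/callback plugins, and visible in the host's process list for the whole install; `get admin kerberos ticket` likewise feeds `ipa_pass` via `stdin` without `no_log`. Add `no_log: true` to those three tasks (the process-list exposure is inherent to how `ipa-server-install` takes passwords and can only be shortened, not removed). The `--admin=` flag appears to rely on optparse prefix abbreviation of `--admin-password`; spell it out so a future option beginning with `--admin` cannot make it ambiguous. The admin TGT obtained by `kinit` is only removed if every task up to `destroy kerberos ticket` succeeds, so wrap that stretch in a `block` with `kdestroy` in an `always` section to avoid leaving an admin ticket in the kernel keyring after a failed run. Finally, `create /home automount key` can never reach its `'absent'` branch because `when: freeipa_nfs_homedirs` skips the task whenever the flag is false; drop the `when` and let `state` do the work.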
diff --git a/roles/freeipa_server/tasks/replica.yml b/roles/freeipa_server/tasks/replica.yml
new file mode 100644
index 0000000..5b6b296
--- /dev/null
+++ b/roles/freeipa_server/tasks/replica.yml
@@ -0,0 +1,21 @@
+- name: initialize freeipa replica
+ command: >
+ ipa-replica-install
+ --unattended
+ --realm={{ freeipa_realm }}
+ --domain={{ freeipa_domain }}
+ --principal=admin
+ --admin-password={{ freeipa_admin_password | quote }}
+ --hostname={{ ansible_fqdn }}
+ --ip-address={{ ansible_default_ipv4.address }}
+ --no-host-dns
+ --setup-ca
+ --setup-dns
+ --setup-adtrust
+ {% for forwarder in freeipa_dns_forwarders %}
+ --forwarder {{ forwarder }}
+ {% endfor %}
+ --no-ntp
+ args:
+ creates: /etc/ipa/default.conf
+ |
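Review bot: `initialize freeipa replica` puts `freeipa_admin_password` on the `ipa-replica-install` command line with no `no_log: true`, so the admin password is exposed in Ansible output on failure or at -v, in log/callback plugins, and in the host's process list for the duration of the install. Add `no_log: true` to the task at minimum. A stronger option that removes the admin password from replica provisioning entirely: pre-enroll the host as an IPA client with a one-time password and add it to the `ipaservers` host group, after which `ipa-replica-install` (domain level 1) can promote it with the host's own credentials and `--principal`/`--admin-password` are no longer needed — worth confirming against the FreeIPA version in use.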