From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit
---
roles/freeipa_server/defaults/main.yml | 33 +++++
.../files/usr/local/share/dirsrv/schema/jid.ldif | 3 +
roles/freeipa_server/handlers/main.yml | 19 +++
roles/freeipa_server/tasks/custom_schema.yml | 101 +++++++++++++++
roles/freeipa_server/tasks/main.yml | 77 ++++++++++++
roles/freeipa_server/tasks/master.yml | 138 +++++++++++++++++++++
roles/freeipa_server/tasks/replica.yml | 21 ++++
.../templates/etc/named/ipa-options-ext.conf.j2 | 7 ++
.../templates/etc/pki/caIPAclientAuth.cfg.j2 | 113 +++++++++++++++++
.../templates/etc/rsyslog.d/freeipa.conf.j2 | 8 ++
roles/freeipa_server/vars/main.yml | 65 ++++++++++
11 files changed, 585 insertions(+)
create mode 100644 roles/freeipa_server/defaults/main.yml
create mode 100644 roles/freeipa_server/files/usr/local/share/dirsrv/schema/jid.ldif
create mode 100644 roles/freeipa_server/handlers/main.yml
create mode 100644 roles/freeipa_server/tasks/custom_schema.yml
create mode 100644 roles/freeipa_server/tasks/main.yml
create mode 100644 roles/freeipa_server/tasks/master.yml
create mode 100644 roles/freeipa_server/tasks/replica.yml
create mode 100644 roles/freeipa_server/templates/etc/named/ipa-options-ext.conf.j2
create mode 100644 roles/freeipa_server/templates/etc/pki/caIPAclientAuth.cfg.j2
create mode 100644 roles/freeipa_server/templates/etc/rsyslog.d/freeipa.conf.j2
create mode 100644 roles/freeipa_server/vars/main.yml
(limited to 'roles/freeipa_server')
diff --git a/roles/freeipa_server/defaults/main.yml b/roles/freeipa_server/defaults/main.yml
new file mode 100644
index 0000000..209cd5f
--- /dev/null
+++ b/roles/freeipa_server/defaults/main.yml
@@ -0,0 +1,33 @@
+freeipa_domain: '{{ ansible_domain }}'
+freeipa_realm: '{{ ansible_domain | upper }}'
+freeipa_email_domain: '{{ email_domain }}'
+freeipa_workgroup: WORKGROUP
+
+freeipa_archive_on_calendar: 'Sat *-*-* 04:00:00'
+
+freeipa_dns_forwarders:
+ - 8.8.8.8
+ - 8.8.4.4
+
+freeipa_dns_max_negative_cache: 5 # seconds
+
+freeipa_nfs_homedirs: no
+
+freeipa_admin_password: ChangeMe123
+freeipa_ds_password: ChangeMe123
+
+freeipa_idstart: 100000
+freeipa_idmax: 299999
+
+freeipa_maxpwdlife: 3650 # 10 years
+freeipa_minpwdlife: 1 # hours
+freeipa_historylength: 0
+freeipa_minclasses: 0
+freeipa_minlength: 8
+freeipa_maxfailcount: 6
+freeipa_failinterval: 60 # seconds
+freeipa_lockouttime: 600 # seconds
+
+freeipa_admin_password_expiration: 20310130235959
+
+freeipa_default_login_shell: /bin/bash
diff --git a/roles/freeipa_server/files/usr/local/share/dirsrv/schema/jid.ldif b/roles/freeipa_server/files/usr/local/share/dirsrv/schema/jid.ldif
new file mode 100644
index 0000000..592059a
--- /dev/null
+++ b/roles/freeipa_server/files/usr/local/share/dirsrv/schema/jid.ldif
@@ -0,0 +1,3 @@
+dn: cn=config
+attributetypes: ( 1.3.6.1.1.23.2 NAME 'jid' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Extending FreeIPA' )
+objectclasses: ( 1.3.6.1.1.23.1 NAME 'JIDObject' AUXILIARY MAY jid X-ORIGIN 'Extending FreeIPA' )
diff --git a/roles/freeipa_server/handlers/main.yml b/roles/freeipa_server/handlers/main.yml
new file mode 100644
index 0000000..884f66d
--- /dev/null
+++ b/roles/freeipa_server/handlers/main.yml
@@ -0,0 +1,19 @@
+- name: restart freeipa
+ systemd:
+ name: ipa
+ state: restarted
+
+- name: restart sssd
+ systemd:
+ name: sssd
+ state: restarted
+
+- name: restart rsyslog
+ systemd:
+ name: rsyslog
+ state: restarted
+
+- name: restart samba
+ systemd:
+ name: smb
+ state: restarted
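Review bot: `freeipa_admin_password: ChangeMe123` and `freeipa_ds_password: ChangeMe123` give the IPA admin and Directory Manager accounts a well-known value, and because role defaults have the lowest precedence an inventory that forgets to override them installs a server that answers to those credentials without any task failing. Drop the two defaults, so that an unset variable aborts `ipa-server-install` before anything is configured, or point them at a vault-backed variable such as `freeipa_admin_password: '{{ vault_freeipa_admin_password }}'`. `freeipa_nfs_homedirs: no` should be `false`, matching the `true`/`false` booleans master.yml already uses and ansible-lint's truthy rule.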
diff --git a/roles/freeipa_server/tasks/custom_schema.yml b/roles/freeipa_server/tasks/custom_schema.yml
new file mode 100644
index 0000000..e5bca0d
--- /dev/null
+++ b/roles/freeipa_server/tasks/custom_schema.yml
@@ -0,0 +1,101 @@
+- name: create custom schema directory
+ file:
+ path: '{{ freeipa_custom_schema_dir }}'
+ state: directory
+ recurse: yes
+
+- name: copy jid schema
+ copy:
+ src: '{{ freeipa_custom_schema_dir[1:] }}/jid.ldif'
+ dest: '{{ freeipa_custom_schema_dir }}/jid.ldif'
+
+- name: check if JIDObject exists in schema
+ shell: ldapsearch -QLLL -s base -b cn=schema objectclasses | grep -q JIDObject
+ changed_when: no
+ failed_when: no
+ register: ldapsearch_jidobject
+
+- block:
+ - name: extend freeipa schema for JIDs
+ command: ipa-ldap-updater --schema-file '{{ freeipa_custom_schema_dir }}/jid.ldif'
+
+ - name: restart httpd
+ systemd:
+ name: httpd
+ state: restarted
+ when: ldapsearch_jidobject.rc != 0
+
+- name: add index to jid attribute
+ ldap_entry:
+ dn: 'cn=jid,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config'
+ objectClass:
+ - top
+ - nsIndex
+ attributes:
+ cn: jid
+ nsSystemIndex: false
+ nsIndexType: eq
+ bind_dn: cn=Directory Manager
+ bind_pw: '{{ freeipa_ds_password }}'
+ server_uri: ldaps://{{ ipa_host }}
+ register: jid_index
+
+- name: regenerate indexes for jid attribute
+ ldap_entry:
+ dn: cn=jidindex,cn=index,cn=tasks,cn=config
+ objectClass:
+ - top
+ - extensibleObject
+ attributes:
+ cn: jidindex
+ nsInstance: userRoot
+ nsIndexAttribute: 'jid:eq'
+ bind_dn: cn=Directory Manager
+ bind_pw: '{{ freeipa_ds_password }}'
+ server_uri: ldaps://{{ ipa_host }}
+ when: jid_index.changed
+
+- name: add default user object classes
+ ldap_attrs:
+ dn: cn=ipaConfig,cn=etc,{{ freeipa_basedn }}
+ attributes:
+ ipaUserObjectClasses:
+ - mailRecipient
+ - JIDObject
+ state: present
+ bind_dn: cn=Directory Manager
+ bind_pw: '{{ freeipa_ds_password }}'
+ server_uri: ldaps://{{ ipa_host }}
+
+- name: add default group object classes
+ ldap_attrs:
+ dn: cn=ipaConfig,cn=etc,{{ freeipa_basedn }}
+ attributes:
+ ipaGroupObjectClasses:
+ - mailRecipient
+ state: present
+ bind_dn: cn=Directory Manager
+ bind_pw: '{{ freeipa_ds_password }}'
+ server_uri: ldaps://{{ ipa_host }}
+
+- name: allow read access to custom user attributes
+ ipapermission:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: 'System: Read User Addressbook Attributes'
+ attrs:
+ - mailAlternateAddress
+ - jid
+ action: member
+ state: present
+
+- name: allow read access to custom group attributes
+ ipapermission:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: 'System: Read Groups'
+ attrs:
+ - mail
+ - mailAlternateAddress
+ action: member
+ state: present
diff --git a/roles/freeipa_server/tasks/main.yml b/roles/freeipa_server/tasks/main.yml
new file mode 100644
index 0000000..1dd6eaa
--- /dev/null
+++ b/roles/freeipa_server/tasks/main.yml
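Review bot: The `check if JIDObject exists in schema` task cannot tell "schema not extended" from "ldapsearch failed": `failed_when: no` hides errors and the pipeline's exit status is grep's, which is 1 both for a missing object class and for an empty result after a failed search, so any transient LDAP or GSSAPI failure runs `ipa-ldap-updater` and restarts httpd. Query without the grep and test the output instead: `command: ldapsearch -QLLL -s base -b cn=schema objectclasses`, keep `changed_when: no` and `register: ldapsearch_jidobject`, and gate the block with `when: "'JIDObject' not in ldapsearch_jidobject.stdout"`, so a real ldapsearch error fails the task. `ipa_host`, `ipa_user`, `ipa_pass` and `freeipa_basedn` are not defined in this role's defaults or vars, so presumably they come from the inventory; a comment at the top of the file saying where would save the next reader a search. Style: `ldap_entry` and `ldap_attrs` are used unqualified here while master.yml spells out `community.general.ipa_pwpolicy`; use the FQCN consistently.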
@@ -0,0 +1,77 @@
+- name: install freeipa pacakges
+ dnf:
+ name: '{{ freeipa_packages }}'
+ state: present
+
+# Disabling this until they figure out this bug. I don't use containers,
+# so the kernel KEYRING ccache is just fine.
+# https://bugzilla.redhat.com/show_bug.cgi?id=2035496
+- name: uninstall sssd-kcm
+ dnf:
+ name: sssd-kcm
+ state: absent
+ notify: restart sssd
+
+- name: open firewall ports
+ firewalld:
+ service: '{{ item }}'
+ permanent: yes
+ immediate: yes
+ state: enabled
+ loop:
+ - dns
+ - freeipa-ldap
+ - freeipa-ldaps
+ - freeipa-trust
+ - freeipa-replication
+ tags: firewalld
+
+- include_tasks:
+ file: "{{ 'master' if (freeipa_master == inventory_hostname) else 'replica' }}.yml"
+
+- name: copy bind configuration
+ template:
+ src: etc/named/ipa-options-ext.conf.j2
+ dest: /etc/named/ipa-options-ext.conf
+ notify: restart freeipa
+
+- name: send sssd logs to journald
+ lineinfile:
+ create: yes
+ path: /etc/sysconfig/sssd
+ regexp: ^DEBUG_LOGGER=
+ line: DEBUG_LOGGER=--logger=journald
+ notify: restart sssd
+
+- name: check if rsyslog is installed
+ stat:
+ path: /etc/rsyslog.d
+ register: rsyslog_conf_dir
+
+- name: log krb5 to rsyslog
+ lineinfile:
+ path: /etc/krb5.conf
+ insertafter: '^\[logging\]$'
+ firstmatch: yes
+ regexp: '^\s*{{ item }}\s*='
+ line: ' {{ item }} = SYSLOG:INFO:DAEMON'
+ loop:
+ - kdc
+ - admin_server
+ notify: restart freeipa
+
+- name: log freeipa files to rsyslog
+ template:
+ src: etc/rsyslog.d/freeipa.conf.j2
+ dest: /etc/rsyslog.d/freeipa.conf
+ notify: restart rsyslog
+ when: rsyslog_conf_dir.stat.exists
+
+- name: log samba to rsyslog
+ lineinfile:
+ path: /etc/samba/smb.conf
+ insertafter: '^\[global\]$'
+ firstmatch: yes
+ regexp: '^\s*logging\s*='
+ line: 'logging = syslog@2'
+ notify: restart samba
diff --git a/roles/freeipa_server/tasks/master.yml b/roles/freeipa_server/tasks/master.yml
new file mode 100644
index 0000000..34d1442
--- /dev/null
+++ b/roles/freeipa_server/tasks/master.yml
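Review bot: The first task name has a typo, `install freeipa pacakges` → `install freeipa packages`; task names appear in every run log, so it is worth fixing before anything greps for it. The booleans `permanent: yes`, `immediate: yes`, `create: yes` and `firstmatch: yes` (and `recurse: yes`/`changed_when: no` in custom_schema.yml) should be `true`/`false`, which is what the tasks in master.yml already use and what ansible-lint's truthy rule expects. `freeipa_master` is compared with `inventory_hostname` in the `include_tasks` but is defined neither in defaults nor in vars, so it has to come from the inventory; a comment such as `# freeipa_master: inventory_hostname of the first server (set in inventory)` above the include would document that contract.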
@@ -0,0 +1,138 @@
+- name: initialize freeipa server
+ command: >
+ ipa-server-install
+ --unattended
+ --realm={{ freeipa_realm }}
+ --domain={{ freeipa_domain }}
+ --ds-password={{ freeipa_ds_password | quote }}
+ --admin={{ freeipa_admin_password | quote }}
+ --hostname={{ ansible_fqdn }}
+ --ip-address={{ ansible_default_ipv4.address }}
+ --no-host-dns
+ --idstart={{ freeipa_idstart }}
+ --idmax={{ freeipa_idmax }}
+ --setup-dns
+ {% for forwarder in freeipa_dns_forwarders %}
+ --forwarder {{ forwarder }}
+ {% endfor %}
+ --forward-policy=only
+ --no-ntp
+ --no-hbac-allow
+ args:
+ creates: /etc/ipa/default.conf
+
+- name: initialize AD trust (for smb)
+ command: >
+ ipa-adtrust-install
+ --unattended
+ --add-sids
+ --netbios-name={{ freeipa_workgroup }}
+ --admin-name=admin
+ --admin-password={{ freeipa_admin_password | quote }}
+ args:
+ creates: /etc/samba/samba.keytab
+
+- name: set default password policy
+ community.general.ipa_pwpolicy:
+ ipa_user: '{{ ipa_user }}'
+ ipa_pass: '{{ ipa_pass }}'
+ maxpwdlife: '{{ freeipa_maxpwdlife }}'
+ minpwdlife: '{{ freeipa_minpwdlife }}'
+ historylength: '{{ freeipa_historylength }}'
+ minclasses: '{{ freeipa_minclasses }}'
+ minlength: '{{ freeipa_minlength }}'
+ maxfailcount: '{{ freeipa_maxfailcount }}'
+ failinterval: '{{ freeipa_failinterval }}'
+ lockouttime: '{{ freeipa_lockouttime }}'
+
+- name: set admin user's password expiration date
+ ipauser:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: admin
+ passwordexpiration: '{{ freeipa_admin_password_expiration }}'
+
+- name: set global freeipa configuration
+ ipaconfig:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ emaildomain: '{{ freeipa_email_domain }}'
+ defaultshell: '{{ freeipa_default_login_shell }}'
+
+- name: create HBAC services for system-level services
+ ipahbacsvc:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ item }}'
+ description: '{{ item }}'
+ state: present
+ loop: '{{ freeipa_system_services }}'
+
+- name: create HBAC rule for system-level services
+ ipahbacrule:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: whitelisted_system_services
+ description: Always allow authentication to system-level services
+ usercategory: all
+ hostcategory: all
+ hbacsvc: '{{ freeipa_system_services }}'
+
+- name: get admin kerberos ticket
+ command:
+ cmd: kinit -fpa {{ ipa_user }}
+ stdin: '{{ ipa_pass }}'
+ changed_when: false
+
+- include_tasks: custom_schema.yml
+
+- name: generate clientAuth certificate profile
+ template:
+ src: etc/pki/caIPAclientAuth.cfg.j2
+ dest: /etc/pki/caIPAclientAuth.cfg
+ register: freeipa_clientauth_config
+
+- name: import clientAuth certificate profile
+ shell:
+ cmd: >
+ ipa certprofile-import caIPAclientAuth
+ --file /etc/pki/caIPAclientAuth.cfg
+ --desc 'Profile for client authentication'
+ --store TRUE
+ when: freeipa_clientauth_config.changed
+
+- name: destroy kerberos ticket
+ command:
+ cmd: kdestroy
+ changed_when: false
+
+- name: create automount maps
+ ipaautomountmap:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ name: '{{ item }}'
+ location: default
+ state: present
+ loop: '{{ freeipa_automount_maps }}'
+
+- name: create automount keys
+ ipaautomountkey:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ location: default
+ mapname: '{{ item.map }}'
+ key: '{{ item.key }}'
+ info: '{{ item.info }}'
+ state: present
+ loop: '{{ freeipa_automount_keys }}'
+
+- name: create /home automount key
+ ipaautomountkey:
+ ipaadmin_principal: '{{ ipa_user }}'
+ ipaadmin_password: '{{ ipa_pass }}'
+ location: default
+ mapname: auto.master
+ key: /home
+ info: auto.home
+ state: "{{ 'present' if freeipa_nfs_homedirs else 'absent' }}"
+ when: freeipa_nfs_homedirs
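Review bot: `initialize freeipa server` and `initialize AD trust (for smb)` pass the Directory Manager and admin passwords as command-line arguments, so they are recorded in Ansible's task output (and wherever that output is shipped) and are visible in the process list while the installer runs; `initialize freeipa replica` in replica.yml does the same with `--admin-password`. Add `no_log: true` to those three tasks — the `get admin kerberos ticket` task already does the safer thing by feeding the password on `stdin`. `--admin={{ freeipa_admin_password | quote }}` appears to rely on option-prefix abbreviation of `--admin-password`; spell it out as replica.yml does so a future `--admin-*` option cannot make it ambiguous. In `create /home automount key`, `when: freeipa_nfs_homedirs` makes the `'absent'` branch of `state:` unreachable; drop the `when` so turning the variable off removes the key, or drop the conditional in `state` if the key is never meant to be removed.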
diff --git a/roles/freeipa_server/tasks/replica.yml b/roles/freeipa_server/tasks/replica.yml
new file mode 100644
index 0000000..5b6b296
--- /dev/null
+++ b/roles/freeipa_server/tasks/replica.yml
@@ -0,0 +1,21 @@
+- name: initialize freeipa replica
+ command: >
+ ipa-replica-install
+ --unattended
+ --realm={{ freeipa_realm }}
+ --domain={{ freeipa_domain }}
+ --principal=admin
+ --admin-password={{ freeipa_admin_password | quote }}
+ --hostname={{ ansible_fqdn }}
+ --ip-address={{ ansible_default_ipv4.address }}
+ --no-host-dns
+ --setup-ca
+ --setup-dns
+ --setup-adtrust
+ {% for forwarder in freeipa_dns_forwarders %}
+ --forwarder {{ forwarder }}
+ {% endfor %}
+ --no-ntp
+ args:
+ creates: /etc/ipa/default.conf
+
diff --git a/roles/freeipa_server/templates/etc/named/ipa-options-ext.conf.j2 b/roles/freeipa_server/templates/etc/named/ipa-options-ext.conf.j2
new file mode 100644
index 0000000..9c37805
--- /dev/null
+++ b/roles/freeipa_server/templates/etc/named/ipa-options-ext.conf.j2
@@ -0,0 +1,7 @@
+allow-recursion { any; };
+allow-query-cache { any; };
+
+max-ncache-ttl {{ freeipa_dns_max_negative_cache }};
+
+/* turns on IPv6 for port 53, IPv4 is on by default for all ifaces */
+listen-on-v6 { any; };
diff --git a/roles/freeipa_server/templates/etc/pki/caIPAclientAuth.cfg.j2 b/roles/freeipa_server/templates/etc/pki/caIPAclientAuth.cfg.j2
new file mode 100644
index 0000000..0b03615
--- /dev/null
+++ b/roles/freeipa_server/templates/etc/pki/caIPAclientAuth.cfg.j2
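Review bot: `allow-recursion { any; };` and `allow-query-cache { any; };` make the IPA DNS server an open recursive resolver on every address it listens on, and tasks/main.yml opens the `dns` firewalld service unconditionally, so whether this is reachable from outside depends entirely on what sits in front of the host. Restrict both to the networks the clients live on, e.g. `allow-recursion { localnets; localhost; };` and `allow-query-cache { localnets; localhost; };` or an explicit `acl` of the site's prefixes, and if open recursion is intended say so in a comment above the two lines so the next reader does not "fix" it.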
@@ -0,0 +1,113 @@
+auth.instance_id=raCertAuth
+classId=caEnrollImpl
+desc=This certificate profile is for client authentication certificates.
+enable=true
+enableBy=ipara
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+input.list=i1,i2
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$request.req_subject_name.cn$, O={{ freeipa_realm }}
+policyset.serverCertSet.10.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.10.constraint.name=No Constraint
+policyset.serverCertSet.10.default.class_id=subjectKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.10.default.name=Subject Key Identifier Extension Default
+policyset.serverCertSet.10.default.params.critical=false
+policyset.serverCertSet.11.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.11.constraint.name=No Constraint
+policyset.serverCertSet.11.default.class_id=userExtensionDefaultImpl
+policyset.serverCertSet.11.default.name=User Supplied Extension Default
+policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
+policyset.serverCertSet.12.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.12.constraint.name=No Constraint
+policyset.serverCertSet.12.default.class_id=commonNameToSANDefaultImpl
+policyset.serverCertSet.12.default.name=Copy Common Name to Subject Alternative Name
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyParameters=1024,2048,3072,4096,8192
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
+policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl
+policyset.serverCertSet.5.default.name=AIA Extension Default
+policyset.serverCertSet.5.default.params.authInfoAccessADEnable_0=true
+policyset.serverCertSet.5.default.params.authInfoAccessADLocationType_0=URIName
+policyset.serverCertSet.5.default.params.authInfoAccessADLocation_0=http://ipa-ca.{{ freeipa_domain }}/ca/ocsp
+policyset.serverCertSet.5.default.params.authInfoAccessADMethod_0=1.3.6.1.5.5.7.48.1
+policyset.serverCertSet.5.default.params.authInfoAccessCritical=false
+policyset.serverCertSet.5.default.params.authInfoAccessNumADs=1
+policyset.serverCertSet.6.constraint.class_id=keyUsageExtConstraintImpl
+policyset.serverCertSet.6.constraint.name=Key Usage Extension Constraint
+policyset.serverCertSet.6.constraint.params.keyUsageCritical=true
+policyset.serverCertSet.6.constraint.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.constraint.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.constraint.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.constraint.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.6.default.class_id=keyUsageExtDefaultImpl
+policyset.serverCertSet.6.default.name=Key Usage Default
+policyset.serverCertSet.6.default.params.keyUsageCritical=true
+policyset.serverCertSet.6.default.params.keyUsageCrlSign=false
+policyset.serverCertSet.6.default.params.keyUsageDataEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageDecipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageDigitalSignature=true
+policyset.serverCertSet.6.default.params.keyUsageEncipherOnly=false
+policyset.serverCertSet.6.default.params.keyUsageKeyAgreement=false
+policyset.serverCertSet.6.default.params.keyUsageKeyCertSign=false
+policyset.serverCertSet.6.default.params.keyUsageKeyEncipherment=true
+policyset.serverCertSet.6.default.params.keyUsageNonRepudiation=true
+policyset.serverCertSet.7.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.7.constraint.name=No Constraint
+policyset.serverCertSet.7.default.class_id=extendedKeyUsageExtDefaultImpl
+policyset.serverCertSet.7.default.name=Extended Key Usage Extension Default
+policyset.serverCertSet.7.default.params.exKeyUsageCritical=false
+policyset.serverCertSet.7.default.params.exKeyUsageOIDs=1.3.6.1.5.5.7.3.2
+policyset.serverCertSet.8.constraint.class_id=signingAlgConstraintImpl
+policyset.serverCertSet.8.constraint.name=No Constraint
+policyset.serverCertSet.8.constraint.params.signingAlgsAllowed=SHA1withRSA,SHA256withRSA,SHA384withRSA,SHA512withRSA,MD5withRSA,MD2withRSA,SHA1withDSA,SHA1withEC,SHA256withEC,SHA384withEC,SHA512withEC
+policyset.serverCertSet.8.default.class_id=signingAlgDefaultImpl
+policyset.serverCertSet.8.default.name=Signing Alg
+policyset.serverCertSet.8.default.params.signingAlg=-
+policyset.serverCertSet.9.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.9.constraint.name=No Constraint
+policyset.serverCertSet.9.default.class_id=crlDistributionPointsExtDefaultImpl
+policyset.serverCertSet.9.default.name=CRL Distribution Points Extension Default
+policyset.serverCertSet.9.default.params.crlDistPointsCritical=false
+policyset.serverCertSet.9.default.params.crlDistPointsEnable_0=true
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerName_0=CN=Certificate Authority,o=ipaca
+policyset.serverCertSet.9.default.params.crlDistPointsIssuerType_0=DirectoryName
+policyset.serverCertSet.9.default.params.crlDistPointsNum=1
+policyset.serverCertSet.9.default.params.crlDistPointsPointName_0=http://ipa-ca.{{ freeipa_domain }}/ipa/crl/MasterCRL.bin
+policyset.serverCertSet.9.default.params.crlDistPointsPointType_0=URIName
+policyset.serverCertSet.9.default.params.crlDistPointsReasons_0=
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11,12
+profileId=caIPAclientAuth
+visible=true
diff --git a/roles/freeipa_server/templates/etc/rsyslog.d/freeipa.conf.j2 b/roles/freeipa_server/templates/etc/rsyslog.d/freeipa.conf.j2
new file mode 100644
index 0000000..6ef8a1c
--- /dev/null
+++ b/roles/freeipa_server/templates/etc/rsyslog.d/freeipa.conf.j2
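Review bot: The signing-algorithm constraint `signingAlgsAllowed` still admits `MD5withRSA`, `MD2withRSA` and the `SHA1with*` entries, and `keyParameters` accepts 1024-bit RSA, so the profile will accept client-authentication requests using algorithms and key sizes that relying parties should no longer trust; trim both lists to the SHA-2 entries and `2048,3072,4096,8192`. `name=IPA-RA Agent-Authenticated Server Certificate Enrollment` is carried over from the server-certificate profile and contradicts `desc=`; rename it so `ipa certprofile-show caIPAclientAuth` describes what it issues. The key-usage default also asserts `keyUsageDataEncipherment` and `keyUsageNonRepudiation` next to the `clientAuth` EKU (`1.3.6.1.5.5.7.3.2`); a comment stating whether the consumers need those bits, or trimming to digitalSignature/keyEncipherment, would make the intent reviewable.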
@@ -0,0 +1,8 @@
+{% for file in freeipa_log_files %}
+input(type="imfile"
+ addMetadata="on"
+ file="{{ file.path }}"
+ tag="{{ file.tag }}"
+ severity="{{ file.severity | default('info') }}")
+
+{% endfor %}
diff --git a/roles/freeipa_server/vars/main.yml b/roles/freeipa_server/vars/main.yml
new file mode 100644
index 0000000..89657e7
--- /dev/null
+++ b/roles/freeipa_server/vars/main.yml
@@ -0,0 +1,65 @@
+freeipa_packages:
+ - ipa-server
+ - ipa-server-trust-ad
+ - ipa-server-dns
+
+freeipa_backup_dir: /var/lib/ipa/backup
+
+# These services must be explicitly allowed if the default HBAC-allow-all policy
+# is not used. See https://pagure.io/freeipa/issue/7831
+freeipa_system_services:
+ - systemd-user
+ - sudo
+ - sudo-i
+ - polkit-1
+
+freeipa_automount_maps:
+ - auto.nfs
+ - auto.home
+ - auto.nfs_user
+ - auto.nfs_group
+ - auto.nfs_media
+
+freeipa_automount_keys:
+ - map: auto.master
+ key: /net
+ info: -hosts
+
+ - map: auto.master
+ key: /nfs
+ info: auto.nfs -browse
+
+ - map: auto.nfs
+ key: user
+ info: -fstype=autofs auto.nfs_user
+
+ - map: auto.nfs
+ key: group
+ info: -fstype=autofs auto.nfs_group
+
+ - map: auto.nfs
+ key: media
+ info: -fstype=autofs auto.nfs_media
+
+freeipa_log_files:
+ - path: /var/log/pki/pki-tomcat/ca/transactions
+ tag: ipa-ca
+
+ - path: /var/log/dirsrv/slapd-{{ freeipa_realm | replace('.', '-') }}/access
+ tag: slapd
+
+ - path: /var/log/dirsrv/slapd-{{ freeipa_realm | replace('.', '-') }}/audit
+ tag: slapd
+
+ - path: /var/log/dirsrv/slapd-{{ freeipa_realm | replace('.', '-') }}/errors
+ tag: slapd
+ severity: error
+
+ - path: /var/log/httpd/access_log
+ tag: httpd
+
+ - path: /var/log/httpd/error_log
+ tag: httpd
+ severity: error
+
+freeipa_custom_schema_dir: /usr/local/share/dirsrv/schema
-- cgit
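Review bot: `freeipa_backup_dir` (and `freeipa_archive_on_calendar` in defaults/main.yml) are defined but not referenced by any task or template in this commit; if another role consumes them, a one-line comment such as `# consumed by the backup role` keeps them from being pruned as dead, otherwise drop them until the backup tasks land. The dirsrv paths in `freeipa_log_files` derive the instance name from `freeipa_realm | replace('.', '-')`, which matches the `slapd-REALM-WITH-DASHES` instance naming FreeIPA creates; a comment above the list stating that assumption would help whoever later changes how the realm is derived. `severity: error` is set only on the two error logs while the others fall back to the template's `default('info')`; spelling that default out in a comment here saves a trip to the template.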