Guided Exercise: Automating an Identity Management Installation

Install an IdM server, a client, and a replica by using Ansible Playbooks.

Outcomes

  • Install an IdM server, client, and replica by using Ansible Playbooks.

Important

Ensure that you recreate your classroom environment before starting the IdM installation with the Ansible method. The IdM installation process requires clean systems to work properly.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start install-ansible

Instructions

  1. Install the ansible-freeipa package. Review the roles and playbooks to install IdM.

    1. Review the available repositories in your subscription.

      [student@workstation ~]$ sudo dnf repolist
      ...output omitted...
      repo id                               repo name
      rhel-9.1-for-x86_64-appstream-rpms    Red Hat Enterprise Linux 9.1 AppStream (dvd)
      rhel-9.1-for-x86_64-baseos-rpms       Red Hat Enterprise Linux 9.1 BaseOS (dvd)
    2. Install the ansible-freeipa package.

      [student@workstation ~]$ sudo dnf install ansible-freeipa
      ...output omitted...
    3. Review the installed roles in the /usr/share/ansible/roles/ directory.

      [student@workstation ~]$ ls -ld /usr/share/ansible/roles/ipa*
      drwxr-xr-x. 7 root root  91 Apr  5 15:26 /usr/share/ansible/roles/ipabackup
      drwxr-xr-x. 9 root root 133 Apr  5 15:26 /usr/share/ansible/roles/ipaclient
      drwxr-xr-x. 8 root root 111 Apr  5 15:26 /usr/share/ansible/roles/ipareplica
      drwxr-xr-x. 8 root root 111 Apr  5 15:26 /usr/share/ansible/roles/ipaserver
      ...output omitted...
  2. Create the hosts inventory file in the student home directory and add the idm machine as a member of the ipaserver host group. Add the variables to install IdM according to the following parameters:

    Parameter         Value
    Domain            lab.example.com
    Realm             LAB.EXAMPLE.COM
    DNS forwarder     172.25.250.254
    CA service        Integrated
    Admin password    RedHat123^

    Note

    If your classroom environment does not have Internet connectivity, then do not configure DNS forwarders during IdM server or replica installation. You can use the ipaserver_no_forwarders=true parameter to avoid the configuration of DNS forwarders. The following example tests if your classroom has Internet connectivity by querying a public DNS server:

    [student@workstation ~]$ dig @8.8.8.8 A www.google.com
    1. Create the hosts inventory file and add the idm machine to the ipaserver host group. Add the ansible_become_password variable to the idm machine to set the student user password.

      [ipaserver]
      idm.lab.example.com ansible_become_password=student
    2. Add the variables to the ipaserver host group in the hosts inventory file to customize the IdM installation.

      ...output omitted...
      
      [ipaserver:vars]
      ipaserver_domain=lab.example.com
      ipaserver_realm=LAB.EXAMPLE.COM
      ipaserver_setup_dns=yes
      ipaserver_forwarders=172.25.250.254
      ipaadmin_password=RedHat123^
      ipadm_password=RedHat123^

      Note

      The integrated CA is installed by default. You do not need to explicitly specify it.

  3. Install the IdM server by using Ansible Playbooks.

    1. Copy the /usr/share/doc/ansible-freeipa/playbooks/install-server.yml playbook template to the student home directory.

      [student@workstation ~]$ cp \
        /usr/share/doc/ansible-freeipa/playbooks/install-server.yml ~/
    2. Run the install-server.yml Ansible Playbook. Use the hosts file as the inventory.

      This playbook might take several minutes to complete.

      Note

      If the installation fails, update the hosts file and ensure it has the correct values. Uninstall the failed server by using the uninstall-server.yml playbook and reboot the target machine before attempting to reinstall.

      [student@workstation ~]$ ansible-playbook install-server.yml -i hosts
      ...output omitted...
      TASK [ipaserver : Cleanup temporary files] ***********************************
      ok: [idm.lab.example.com] => (item=/etc/ipa/.tmp_pkcs12_dirsrv)
      ok: [idm.lab.example.com] => (item=/etc/ipa/.tmp_pkcs12_http)
      ok: [idm.lab.example.com] => (item=/etc/ipa/.tmp_pkcs12_pkinit)
      
      TASK [ipaserver : Uninstall IPA server] **************************************
      skipping: [idm.lab.example.com]
      
      PLAY RECAP *******************************************************************
      idm.lab.example.com    : ok=41  changed=21  unreachable=0  failed=0  skipped=32
      rescued=0  ignored=0
    3. Verify that you can authenticate to IdM as the admin user.

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
    4. Verify the characteristics of the IdM installation.

      Review the domain name, the IdM server roles, and the installed services.

      [student@idm ~]$ ipa realmdomains-show
        Domain: lab.example.com
      [student@idm ~]$ ipa server-show idm.lab.example.com
        Server name: idm.lab.example.com
      ...output omitted...
        Enabled server roles: CA server, DNS server, IPA master
      [student@idm ~]$ sudo ipactl status
      [sudo] password for student: student
      Directory Service: RUNNING
      krb5kdc Service: RUNNING
      kadmin Service: RUNNING
      named Service: RUNNING
      httpd Service: RUNNING
      ipa-custodia Service: RUNNING
      pki-tomcatd Service: RUNNING
      ...output omitted...
    5. Log out of the idm machine.

      [student@idm ~]$ logout
      Connection to idm closed.
      [student@workstation ~]$
  4. Install an IdM client by using Ansible Playbooks.

    1. Update the hosts inventory file to add the client machine. Provide the admin principal password to install the client.

      ...output omitted...
      
      [ipaclients]
      client.lab.example.com ansible_become_password=student
      
      [ipaclients:vars]
      ipaadmin_principal=admin
      ipaadmin_password=RedHat123^
      ipaclient_domain=lab.example.com
    2. Copy the /usr/share/doc/ansible-freeipa/playbooks/install-client.yml playbook template to the student home directory.

      [student@workstation ~]$ cp \
        /usr/share/doc/ansible-freeipa/playbooks/install-client.yml ~/
    3. Run the install-client.yml Ansible Playbook. Use the hosts file as the inventory.

      Wait for the playbook to complete.

      [student@workstation ~]$ ansible-playbook install-client.yml -i hosts
      ...output omitted...
      TASK [ipaclient : Uninstall IPA client] **************************************
      skipping: [client.lab.example.com]
      
      PLAY RECAP *******************************************************************
      client.lab.example.com  : ok=19  changed=12  unreachable=0  failed=0  skipped=22
      rescued=0  ignored=0
    4. Verify that you can see the new client from the IdM server.

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [student@idm ~]$ ipa host-find
      ---------------
      2 hosts matched
      ---------------
        Host name: client.lab.example.com
      ...output omitted...
      ----------------------------
      Number of entries returned 2
      ----------------------------
    5. Log out of the idm machine.

      [student@idm ~]$ logout
      Connection to idm closed.
      [student@workstation ~]$
  5. Install an IdM replica by using Ansible Playbooks. Install the DNS service and set 172.25.250.254 as the DNS forwarder.

    1. Update the hosts inventory file to add the replica1 machine entry. Provide the admin principal and password to install the replica.

      ...output omitted...
      
      [ipareplicas]
      replica1.lab.example.com ansible_become_password=student
      
      [ipareplicas:vars]
      ipareplica_setup_dns=yes
      ipareplica_forwarders=172.25.250.254
      ipaadmin_principal=admin
      ipaadmin_password=RedHat123^
    2. Copy the /usr/share/doc/ansible-freeipa/playbooks/install-replica.yml playbook template to the student home directory.

      [student@workstation ~]$ cp \
        /usr/share/doc/ansible-freeipa/playbooks/install-replica.yml ~/
    3. Install the replica1 machine.

      [student@workstation ~]$ ansible-playbook install-replica.yml -i hosts
      
      PLAY [Playbook to configure IPA replicas] ************************************
      ...output omitted...
      
      TASK [ipareplica : Uninstall IPA replica] ************************************
      skipping: [replica1.lab.example.com]
      
      PLAY RECAP *******************************************************************
      replica1.lab.example.com : ok=56  changed=38  unreachable=0  failed=0  skipped=28
      rescued=0  ignored=0
    4. Log in to the idm machine and verify that you can see the new replica and list the services that it provides.

      [student@workstation ~]$ ssh idm
      [student@idm ~]$ kinit admin
      Password for admin@LAB.EXAMPLE.COM: RedHat123^
      [student@idm ~]$ ipa server-find
      ...output omitted...
        Server name: replica1.lab.example.com
        Min domain level: 1
        Max domain level: 1
      ----------------------------
      Number of entries returned 2
      ----------------------------
      [student@idm ~]$ ipa server-show replica1.lab.example.com
        Server name: replica1.lab.example.com
      ...output omitted...
        Enabled server roles: DNS server, IPA master
    5. Log out of the idm machine.

      [student@idm ~]$ logout
      Connection to idm closed.
      [student@workstation ~]$
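The hosts inventory assembled across steps 2, 4 and 5 drives every playbook run, so it is worth checking before `ansible-playbook` is invoked. The following added example (not part of the course or of ansible-freeipa) is a small Python linter that parses such an inventory and applies the checks this exercise implies: the admin password is present for server and replica groups, the realm is the upper-cased domain, DNS forwarders are real IP addresses unless `*_no_forwarders=true` is set (the Note in step 2), and any `*_password` kept in clear text is flagged for ansible-vault. The sample inventory is constructed from the exercise values; the parser and function names are this example's own.

```python
import ipaddress
# Constructed sample: the [ipaserver] part of the hosts inventory built in this exercise.
SAMPLE_INVENTORY = """
[ipaserver]
idm.lab.example.com ansible_become_password=student
[ipaserver:vars]
ipaserver_domain=lab.example.com
ipaserver_realm=LAB.EXAMPLE.COM
ipaserver_setup_dns=yes
ipaserver_forwarders=172.25.250.254
ipaadmin_password=RedHat123^
ipadm_password=RedHat123^
"""
TRUE = ("yes", "true")   # spellings Ansible treats as boolean true in INI inventories

def parse_inventory(text):
    """Return {group: {"hosts": [...], "vars": {...}}} from an INI-style inventory."""
    groups, group, is_vars = {}, None, False
    for line in filter(None, map(str.strip, text.splitlines())):
        if line[0] == "[":
            group, _, kind = line[1:-1].partition(":")
            is_vars = kind == "vars"
            groups.setdefault(group, {"hosts": [], "vars": {}})
        elif is_vars:
            key, _, value = line.partition("=")
            groups[group]["vars"][key.strip()] = value.strip()
        else:
            groups[group]["hosts"].append(line.split()[0])   # host name; inline vars ignored
    return groups

def lint_inventory(text):
    """Apply the checks implied by the exercise's parameter table and its DNS-forwarder Note."""
    findings = []
    for role, data in parse_inventory(text).items():
        v, p = data["vars"], role.rstrip("s")   # variable prefixes: ipaserver, ipareplica, ipaclient
        if role in ("ipaserver", "ipareplicas") and "ipaadmin_password" not in v:
            findings.append(f"{role}: ipaadmin_password is required")
        # DNS setup without reachable forwarders fails offline; <prefix>_no_forwarders=true opts out.
        if v.get(f"{p}_setup_dns", "").lower() in TRUE and v.get(f"{p}_no_forwarders", "").lower() not in TRUE:
            for fwd in v.get(f"{p}_forwarders", "").split(","):
                try:
                    ipaddress.ip_address(fwd.strip())
                except ValueError:
                    findings.append(f"{role}: invalid or missing forwarder {fwd.strip()!r}")
        if role == "ipaserver" and v.get("ipaserver_realm") != v.get("ipaserver_domain", "").upper():
            findings.append("ipaserver: realm should be the domain in upper case")
        secrets = sorted(k for k in v if k.endswith("_password"))
        if secrets:
            findings.append(f"{role}: plaintext secrets {secrets}; keep them in ansible-vault")
    return findings
```

Run it as `lint_inventory(open("hosts").read())` from the student home directory; an empty list means only the vault warning is left to act on.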

Finish

On the workstation machine, use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish install-ansible

Revision: rh362-9.1-4c6fdb8