RH362 - ch03s09

Ensure that you recreate your classroom environment before starting the IdM installation with the Ansible method. The IdM installation process requires clean systems to work properly.

As the student user on the workstation machine, use the lab command to prepare your environment for this exercise, and to ensure that all required resources are available.

[student@workstation ~]$ lab start install-review

Instructions

Review the Ansible inventory and playbooks in the student home directory. Compare the current IdM topology to the Ansible inventory.

Note

If your classroom environment does not have Internet connectivity, then do not configure DNS forwarders during IdM server or replica installation. The following example tests if your classroom has Internet connectivity by querying a public DNS server:

[student@workstation ~]$ dig @8.8.8.8 A www.google.com

Review the ipareplicas host group in the inventory file and verify that it uses the correct credentials. Verify that the DNS forwarder is set to the 172.25.250.254 IP address.

[student@workstation ~]$ cat hosts
[ipaserver]
idm.lab.example.com ansible_become_password=student

...output omitted...
[ipareplicas]
replica1.lab.example.com ansible_become_password=student

[ipareplicas:vars]
ipareplica_setup_dns=yes
ipareplica_forwarders=172.25.250.254
ipaadmin_principal=admin
ipaadmin_password=RedHat123^

Copy the /usr/share/doc/ansible-freeipa/playbooks/install-cluster.yml playbook template to the student home directory. Change the playbook ownership to the student user and group. Ensure that the playbook has the tasks to install replicas.

[student@workstation ~]$ cd /usr/share/doc/ansible-freeipa/playbooks/
[student@workstation playbooks]$ cp install-cluster.yml ~/
[student@workstation playbooks]$ cd ~/
[student@workstation ~]$ cat install-cluster.yml
---
...output omitted...
- name: Install IPA replicas
  hosts: ipareplicas
  become: true

  roles:
  - role: ipareplica
    state: present
...output omitted...

Log in to the idm machine as the student user and authenticate to IdM as the admin user. Review the IdM servers and replicas.

[student@workstation ~]$ ssh idm
[student@idm ~]$ kinit admin
Password for admin@LAB.EXAMPLE.COM: RedHat123^
[student@idm ~]$ ipa server-find
---------------------
2 IPA servers matched
---------------------
  Server name: idm.lab.example.com
  Min domain level: 1
  Max domain level: 1

  Server name: replica1.lab.example.com
  Min domain level: 1
  Max domain level: 1
----------------------------
Number of entries returned 2

Review the hosts registered in the IdM topology.

[student@idm ~]$ ipa host-find
---------------
3 hosts matched
---------------
  Host name: client.lab.example.com
...output omitted...
  Principal name: host/client.lab.example.com@LAB.EXAMPLE.COM
...output omitted...
  Host name: idm.lab.example.com
  Principal name: host/idm.lab.example.com@LAB.EXAMPLE.COM
...output omitted...
  Host name: replica1.lab.example.com
...output omitted...
  Principal name: host/replica1.lab.example.com@LAB.EXAMPLE.COM
...output omitted...

Exit the idm machine.

[student@idm ~]$ logout
Connection to idm closed.

Install the replica2 machine with the same properties as the replica1 machine.

Add the replica2 machine to the ipareplicas host group in the hosts inventory file.

...output omitted...
[ipareplicas]
replica1.lab.example.com ansible_become_password=student
replica2.lab.example.com ansible_become_password=student

[ipareplicas:vars]
...output omitted...

Review the targeted hosts that would be affected by the install-cluster.yml playbook.

[student@workstation ~]$ ansible-playbook -i hosts \
  install-cluster.yml --list-hosts

playbook: install-cluster.yml

  play #1 (ipaserver): Install IPA servers	TAGS: []
    pattern: ['ipaserver']
    hosts (1):
      idm.lab.example.com

  play #2 (ipareplicas): Install IPA replicas	TAGS: []
    pattern: ['ipareplicas']
    hosts (2):
      replica1.lab.example.com
      replica2.lab.example.com

  play #3 (ipaclients): Install IPA clients	TAGS: []
    pattern: ['ipaclients']
    hosts (1):
      client.lab.example.com

Install the replica2 machine by running the install-cluster.yml playbook. You can limit the Ansible playbook execution to the replica2 machine.

[student@workstation ~]$ ansible-playbook -i hosts install-cluster.yml \
  --limit replica2.lab.example.com

PLAY [Install IPA servers] ***************************************************
skipping: no hosts matched
...outout omitted...

TASK [ipareplica : Uninstall IPA replica] ************************************
skipping: [replica2.lab.example.com]

PLAY [Install IPA clients] ***************************************************
skipping: no hosts matched

PLAY RECAP *******************************************************************
replica2.lab.example.com : ok=55  changed=37  unreachable=0  failed=0  skipped=29
rescued=0  ignored=0

Verify that the replica2 machine is part of the topology.

Log in to the idm machine as the student user and authenticate to IdM as the admin user. Review the properties of the replica2 machine.

[student@workstation ~]$ ssh idm
[student@idm ~]$ kinit admin
Password for admin@LAB.EXAMPLE.COM: RedHat123^
[student@idm ~]$ ipa server-show replica2.lab.example.com
  Server name: replica2.lab.example.com
  Managed suffixes: domain
  Min domain level: 1
  Max domain level: 1
  Enabled server roles: DNS server, IPA master

Review the DNS records of the replica2 machine.

[student@idm ~]$ ipa dnsrecord-show lab.example.com replica2
  Record name: replica2
  A record: 172.25.250.13
  SSHFP record: 1 1 BBA0F9F1215D5F8E4E17091B177BF0766912FEBF, 1 2 EC2BABA79444DA2326039F99A0F5ED6CD7CDF118E00B2724DB22445B D765E69D, 3 1
                E41E5141E4B91281476E9BA2B41F08CBEBE39C6A, 3 2 39E91E408F3046ADDD91E0AF76EE2F4977598E5E975F2406E4E61F52 304FC7D8, 4 1
                8095ECA215E64052ED9468F6CBF5641366695C99, 4 2 35CA12B989B9F7BA32BA68A2C448DF5957344953B0D70A758510C376 535ADEF9

Exit from the idm machine. Log in to the replica2 machine and review the IdM services.

[student@idm ~]$ logout
Connection to idm closed.
[student@workstation ~]$ ssh replica2
[student@replica2 ~]$ sudo ipactl status
[sudo] password for student: student
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Exit the replica2 machine.

[student@replica2 ~]$ logout
Connection to replica2 closed.
[student@workstation ~]$

Evaluation

On the workstation machine, change to the student user home directory and use the lab command to grade your work.

[student@workstation ~]$ lab grade install-review

Finish

On the workstation machine, change to the student user home directory and use the lab command to complete this exercise. This step is important to ensure that resources from previous exercises do not impact upcoming exercises.

[student@workstation ~]$ lab finish install-review

Discuss Red Hat Security: Identity Management and Authentication

Go to community

Welcome to the Red Hat Security: Identity Management and Active Directory Integration group!

Syed

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Identity Management and Active Directory Integration! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH362.Read more about Red Hat Security: Identity Management and Active Directory Integration here.

215

Revision: rh362-9.1-4c6fdb8