Ansible plugin for FreeIPA

Hi,

I’m wondering if there has been any thought of making a FreeIPA plugin for Ansible where one would be able to administrate IPA with Ansible? Add and remove servers, groups, users etc etc. Would such a plugin make sense?

Regards,

/Johan

The IPA itself has a good CLI abstraction, hiding the different components behind it.

So would you mean a series of modules to configure things?

I’d be open to it.

I know a lot of the FreeIPA guys from Red Hat days and they are good folks.

It’s also a bit of an interesting story to use it to manage access to Ansible via sssd.

Yes, I’m thinking of one or more modules that give the system administrator the ability to do the most basic tasks directly from Ansible. My vision is to automate the whole life cycle chain of a server, from deployment, configuration and administration to decommissioning. In my environment we are using Cobbler and Ansible; these two applications together provide most of the necessary information to be used by our IPA installation: IP numbers, DNS names, group memberships etc. I imagine this wouldn’t be unique to my environment.

As Wildi Shaari mentioned, the IPA has a pretty good CLI. One can of course write scripts that get executed by Ansible, but I think a much cleaner way would be to use Ansible directly, since Ansible in itself can provide all necessary details to IPA. IPA, at least in my environment, is largely a mirror of the information available in Cobbler and Ansible.

Here is an example of a task where Ansible might be able to help. The task adds an entry to IPA, exports the server’s Kerberos keytab, adds the new host entry to the Kerberos keytab and transfers the new keytab to the target host:

  • kinit admin

  • SERVER=server1 ; ipa host-add $SERVER-adm.domain.com ; ipa-getkeytab -s ipa01.domain.com -p host/$SERVER.domain.com -k /tmp/$SERVER.keytab ; ipa-getkeytab -s ipa01.domain.com -p host/$SERVER-adm.domain.com -k /tmp/$SERVER.keytab

  • transfer the new keytab to the target server, server1:/tmp/server1.keytab

  • backup the existing keytab on the target server

  • mv /etc/krb5.keytab /tmp/krb5.keytab.$(date +%Y%m%d)

  • replace the existing keytab

  • mv /tmp/server1.keytab /etc/krb5.keytab

/Johan
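The procedure in the post above, written as an Ansible playbook. This is an added example, not Johan’s own playbook. It keeps to the IPA CLI (as the post does) and assumes that `ipa` and `ipa-getkeytab` run on the control node with an admin Kerberos ticket already obtained (the `kinit admin` step), that the IPA server is ipa01.domain.com and the domain is domain.com as in the post, that the inventory host name is the short name (server1), and that the temporary keytab path is /tmp/<host>.keytab. The play name, group name `servers` and the idempotency check with `ipa host-show` are assumptions.

```yaml
# Added example (not from the thread): the keytab procedure as a playbook.
# Assumptions: `ipa` and `ipa-getkeytab` are available on the control node
# (tasks are delegated to localhost), a valid admin ticket exists
# (`kinit admin` was run beforehand), and inventory_hostname is the short
# host name, e.g. server1.
- name: Add the -adm host entry in IPA and install a fresh host keytab
  hosts: servers
  become: yes
  vars:
    ipa_server: ipa01.domain.com                      # from the post
    domain: domain.com                                # from the post
    keytab_tmp: "/tmp/{{ inventory_hostname }}.keytab" # assumed path
  tasks:
    # `ipa host-add` fails if the entry already exists, so check first.
    - name: Check whether the -adm host entry already exists
      command: ipa host-show {{ inventory_hostname }}-adm.{{ domain }}
      delegate_to: localhost
      become: no
      register: adm_entry
      failed_when: false
      changed_when: false

    - name: Add the -adm host entry if it is missing
      command: ipa host-add {{ inventory_hostname }}-adm.{{ domain }}
      delegate_to: localhost
      become: no
      when: adm_entry.rc != 0

    # Caveat: ipa-getkeytab generates new keys for each principal, which
    # invalidates any keytab already holding that principal on the host.
    # Both principals are therefore fetched into one file and the host's
    # keytab is replaced in one step.
    - name: Fetch keys for both host principals into one keytab
      command: >
        ipa-getkeytab -s {{ ipa_server }}
        -p host/{{ item }}.{{ domain }} -k {{ keytab_tmp }}
      delegate_to: localhost
      become: no
      with_items:
        - "{{ inventory_hostname }}"
        - "{{ inventory_hostname }}-adm"

    # A keytab is a long-term credential; never leave it world-readable.
    - name: Restrict permissions on the temporary keytab
      file:
        path: "{{ keytab_tmp }}"
        mode: "0600"
      delegate_to: localhost
      become: no

    # `backup: yes` keeps a timestamped copy of the old /etc/krb5.keytab,
    # replacing the manual mv in the post.
    - name: Install the new keytab on the target host
      copy:
        src: "{{ keytab_tmp }}"
        dest: /etc/krb5.keytab
        owner: root
        group: root
        mode: "0600"
        backup: yes

    - name: Remove the temporary keytab from the control node
      file:
        path: "{{ keytab_tmp }}"
        state: absent
      delegate_to: localhost
      become: no
```

Run it as `ansible-playbook -i inventory enroll.yml` after `kinit admin` on the control node. The `copy` task with `backup: yes` is what makes the replacement safe to re-run: the previous keytab is kept beside the new one, and the temporary copy on the control node is deleted at the end so no second copy of the host key lingers in /tmp.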

Interesting, and timely. Funnily enough I started looking at FreeIPA at the weekend, as part of a proposal for a current client project (where I’m building out an infra with Ansible). Naturally I’d done the initial setup with Ansible (the easy bit - ‘yum’ :-)) and was progressing to looking at what else could be done.

Can’t chip in anything else useful, at the moment, but I’m keen to follow this topic closely (and hopefully contribute then!)

–Mark

I’m just curious if there was any progress on this? I’m looking to do very similar work.

Not that I’m aware of. I ended up using the command module and it turned out quite ok.

/Johan

Hi All,

I’ve started an Ansible module to manage IPA entries like users, groups, sudo rules, ... Feel free to contribute:

https://github.com/Nosmoht/ansible-module-ipa.git

Thomas

Awesome! Thank you!

Yes. Thank you so much. I’ve been needing this! Where’s the Amazon wish list? Lol

Awesome, been looking for something like this. You should make a pull request to ansible-modules-extras!

+1, since you clearly have reviewers already lined up. :slight_smile:

I’m happy to open a PR to ansible-modules-extras, but first of all I would like to implement some more modules. Please let me know what you need by creating an issue and I’ll implement the missing functionality/modules.

Thomas

Hi All,

I implemented modules to manage users, groups, roles, hosts, hostgroups, HBAC rules and sudo rules.

Now I need your feedback and support. If everybody is happy and there are no major bugs I’ll open a PR to ansible-modules-extras.

Thomas

Excellent news, Thomas. Do you have a link to these modules so people
can provide feedback?

Hi Greg,

That’s where you can find the modules: https://github.com/Nosmoht/ansible-module-ipa

Hi All,

I’m happy to announce that I’ve opened a PR for ansible-modules-extras.

https://github.com/ansible/ansible-modules-extras/pull/3247

Feel free to test it and provide feedback. If things are good, the modules would be in Ansible 2.3.

Thomas

Hi Thomas,

First of all, thank you for the great work you did on this Ansible playbook for FreeIPA.
I am using IPA on a daily basis, and sometimes it’s somewhat difficult using its web interface as it’s slow and confusing...

I would like to use Rundeck with your Ansible playbook as a backend for user/group/host management...

few questions:

  1. How are you managing actual access from the “playbook” to the IPA server (how is Ansible able to talk with the IPA server? cleartext password in the .yml file?)

  2. Any chance you have some live demo video of how it actually works? (would be REALLY nice to see it live, especially for beginners with Ansible and FreeIPA)

thanx.
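On the first question above (how the playbook talks to the IPA server and where the password lives), the following is an added example and not Thomas’s answer. The ipa_* modules merged from the PR into Ansible 2.3 talk to the IPA JSON-RPC API over HTTPS and take the connection details as module options (`ipa_host`, `ipa_user`, `ipa_pass`, with TLS verification controlled by `validate_certs`). The example keeps the password out of the playbook by reading it from a vault-encrypted vars file; the IPA server name, the vars file path and variable name, the service user and the group are assumptions.

```yaml
# Added example (not from the thread): using the ipa_* modules shipped in
# Ansible 2.3 without a cleartext password in the playbook.
# Assumes group_vars/ipa/vault.yml was created with
#   ansible-vault create group_vars/ipa/vault.yml
# and contains a single variable:
#   vault_ipa_admin_password: "<admin password>"
# Run with:  ansible-playbook --ask-vault-pass ipa-users.yml
- name: Manage IPA users and groups with the ipa_* modules
  hosts: localhost
  connection: local
  gather_facts: no
  vars_files:
    - group_vars/ipa/vault.yml      # vault-encrypted (assumed path)
  vars:
    ipa_server: ipa01.example.com   # assumed IPA server (HTTPS API)
  tasks:
    - name: Ensure the Rundeck service user exists
      ipa_user:
        name: svc-rundeck             # assumed user name
        givenname: Rundeck
        sn: Service
        state: present
        ipa_host: "{{ ipa_server }}"
        ipa_user: admin
        ipa_pass: "{{ vault_ipa_admin_password }}"
        validate_certs: yes           # the default; keep TLS verification on
      # no_log keeps ipa_pass (and any user password) out of logs and
      # callback output, at the cost of less verbose failure messages.
      no_log: true

    - name: Ensure the operators group exists and contains the service user
      ipa_group:
        name: rundeck-operators       # assumed group name
        user:
          - svc-rundeck
        state: present
        ipa_host: "{{ ipa_server }}"
        ipa_user: admin
        ipa_pass: "{{ vault_ipa_admin_password }}"
        validate_certs: yes
      no_log: true
```

Two practical points for a Rundeck-driven setup: the account passed as `ipa_user` does not have to be `admin`, so a dedicated IPA user holding only the roles needed for user/group/host management limits what a leaked vault password can do, and `validate_certs` should stay at its default of `yes` so the password is only ever sent to a server presenting the IPA CA’s certificate.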