Chapter 8. Configuring global IdM settings using Ansible playbooks

Using the Ansible config module, you can retrieve and set global configuration parameters for Identity Management (IdM).

This chapter includes the following sections:

8.1. Retrieving IdM configuration using an Ansible playbook

The following procedure describes how you can use an Ansible playbook to retrieve information about the current global IdM configuration.

Prerequisites

  • You know the IdM administrator password.
  • You have installed the ansible-freeipa package on the Ansible controller.

Procedure

  1. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com

  2. Open the /usr/share/doc/ansible-freeipa/playbooks/config/retrieve-config.yml Ansible playbook file for editing: 

    ---
- name: Playbook to handle global IdM configuration
  hosts: ipaserver
  become: no
  gather_facts: no

  tasks:
  - name: Query IPA global configuration
    ipaconfig:
      ipaadmin_password: Secret123
    register: serverconfig

  - debug:
      msg: "{{ serverconfig }}"

  3. Adapt the file by changing the following:

    • The password of IdM administrator.
    • Other values, if necessary.
  4. Save the file.

  5. Run the Ansible playbook specifying the playbook file and the inventory file: 

    $ ansible-playbook -v -i path_to_inventory_directory/inventory.file /usr/share/doc/ansible-freeipa/playbooks/config/retrieve-config.yml
[...]
TASK [debug]
ok: [server.idm.example.com] => {
    "msg": {
        "ansible_facts": {
            "discovered_interpreter_
        },
        "changed": false,
        "config": {
            "ca_renewal_master_server": "server.idm.example.com",
            "configstring": [
                "AllowNThash",
                "KDC:Disable Last Success"
            ],
            "defaultgroup": "ipausers",
            "defaultshell": "/bin/bash",
            "emaildomain": "idm.example.com",
            "enable_migration": false,
            "groupsearch": [
                "cn",
                "description"
            ],
            "homedirectory": "/home",
            "maxhostname": "64",
            "maxusername": "64",
            "pac_type": [
                "MS-PAC",
                "nfs:NONE"
            ],
            "pwdexpnotify": "4",
            "searchrecordslimit": "100",
            "searchtimelimit": "2",
            "selinuxusermapdefault": "unconfined_u:s0-s0:c0.c1023",
            "selinuxusermaporder": [
                "guest_u:s0$xguest_u:s0$user_
            ],
            "usersearch": [
                "uid",
                "givenname",
                "sn",
                "telephonenumber",
                "ou",
                "title"
            ]
        },
        "failed": false
    }
}

8.2. Configuring the IdM CA renewal master server using an Ansible playbook

In an Identity Management (IdM) deployment that uses an embedded certificate authority (CA), the CA renewal master server maintains and renews IdM system certificates. It ensures nondisruptive IdM deployments.

For more details on the role of the IdM CA renewal master, see Using IdM CA renewal master.

The following procedure describes how you can use an Ansible playbook to configure the IdM CA renewal master server.

Prerequisites

  • You know the IdM administrator password.
  • You have installed the ansible-freeipa package on the Ansible controller.

Procedure

  1. Optional: Identify the current IdM CA renewal master: 

    $ ipa config-show | grep 'CA renewal master'
  IPA CA renewal master: server.idm.example.com

  2. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com

  3. Open the /usr/share/doc/ansible-freeipa/playbooks/config/set-ca-renewal-master-server.yml Ansible playbook file for editing: 

    ---
- name: Playbook to handle global DNS configuration
  hosts: ipaserver
  become: no
  gather_facts: no

  tasks:
  - name: set ca_renewal_master_server
    ipaconfig:
      ipaadmin_password: SomeADMINpassword
      ca_renewal_master_server: carenewal.idm.example.com

  4. Adapt the file by changing:

    • The password of IdM administrator set by the ipaadmin_password variable.
    • The name of the master CA server set by the ca_renewal_master_server variable.
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file and the inventory file: 

    $ ansible-playbook -v -i path_to_inventory_directory/inventory.file /usr/share/doc/ansible-freeipa/playbooks/config/set-ca-renewal-master-server.yml

Verification steps

You can verify that the CA renewal master has been changed:

  1. Log into ipaserver as IdM administrator: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$

  2. Request the identity of the IdM master CA server: 

    $ ipa config-show | grep ‘CA renewal master’
IPA CA renewal master:  carenewal.idm.example.com

    The output shows the carenewal.idm.example.com server is the new CA renewal master.

8.3. Configuring the default shell for IdM users using an Ansible playbook

The shell is a program that accepts and interprets commands. Several shells are available in Red Hat Enterprise Linux (RHEL), such as bash, sh, ksh, zsh, fish, and others. Bash, or /bin/bash, is a popular shell on most Linux systems, and it is normally the default shell for user accounts on RHEL.

The following procedure describes how you can use an Ansible playbook to configure sh, an alternative shell, as the default shell for IdM users.

Prerequisites

  • You know the IdM administrator password.
  • You have installed the ansible-freeipa package on the Ansible controller.

Procedure

  1. Optional: Use the retrieve-config.yml Ansible playbook to identify the current shell for IdM users. See Retrieving IdM configuration using an Ansible playbook for details.

  2. Create an inventory file, for example inventory.file, and define ipaserver in it: 

    [ipaserver]
server.idm.example.com

  3. Open the /usr/share/doc/ansible-freeipa/playbooks/config/ensure-config-options-are-set.yml Ansible playbook file for editing: 

    ---
- name: Playbook to ensure some config options are set
  hosts: ipaserver
  become: true

  tasks:
  # Set defaultlogin and maxusername
  - ipaconfig:
      ipaadmin_password: Secret123
      defaultshell: /bin/bash
      maxusername: 64

  4. Adapt the file by changing the following:

    • The password of IdM administrator set by the ipaadmin_password variable.
    • The default shell of the IdM users set by the defaultshell variable into /bin/sh.
  5. Save the file.

  6. Run the Ansible playbook. Specify the playbook file and the inventory file: 

    $ ansible-playbook -v -i path_to_inventory_directory/inventory.file /usr/share/doc/ansible-freeipa/playbooks/config/ensure-config-options-are-set.yml

Verification steps

You can verify that the default user shell has been changed by starting a new session in IdM:

  1. Log into ipaserver as IdM administrator: 

    $ ssh admin@server.idm.example.com
Password:
[admin@server /]$

  2. Display the current shell: 

    [admin@server /]$ echo "$SHELL"
/bin/sh

    The logged-in user is using the sh shell.

Additional resources

  • You can see sample Ansible playbooks for configuring global IdM settings and a list of possible variables in the README-config.md Markdown file available in the /usr/share/doc/ansible-freeipa/ directory.
  • You can see sample Ansible playbooks for various IdM configuration-related operations in the /usr/share/doc/ansible-freeipa/playbooks/config directory.