
Chapter 14. Removing the trust using Ansible

This section describes how to remove the Identity Management (IdM)/Active Directory (AD) trust on the IdM side by using an Ansible playbook.

Prerequisites

  • You have obtained a Kerberos ticket as an IdM administrator. For details, see Logging in to IdM in the Web UI: Using a Kerberos ticket.
  • You have configured an Ansible control node that meets the following requirements:

    • You are using Ansible version 2.8 or later.
    • You have installed the ansible-freeipa package.
    • In the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server on which you are removing the trust.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory:

    $ cd ~/MyPlaybooks/
  2. Create a del-trust.yml playbook with the following content:

    ---
    - name: Playbook to delete trust
      hosts: ipaserver
      become: true
    
      tasks:
        - name: ensure the trust is absent
          ipatrust:
            ipaadmin_password: SomeADMINpassword
            realm: ad.example.com
            state: absent

    In the example, realm defines the AD realm name string.

  3. Save the file.
  4. Run the Ansible playbook specifying the playbook file and the inventory file:

    $ ansible-playbook -v -i inventory del-trust.yml
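    As an added example (not part of the original procedure or of ansible-freeipa's own playbooks), the same trust removal with the IdM administrator password supplied from an Ansible Vault-encrypted variables file rather than written into the playbook in clear text; the file name vault.yml and the variable name vault_ipaadmin_password are assumptions:

```yaml
---
# Added example: removes the same trust as del-trust.yml, but the IdM
# administrator password does not live in the playbook or in version control.
# vault.yml (assumed name) is created and encrypted with:
#   ansible-vault create vault.yml
# and holds one variable (assumed name):
#   vault_ipaadmin_password: <IdM admin password>
- name: Playbook to delete trust
  hosts: ipaserver
  become: true

  vars_files:
    - vault.yml

  tasks:
    - name: ensure the trust is absent
      ipatrust:
        ipaadmin_password: "{{ vault_ipaadmin_password }}"
        realm: ad.example.com
        state: absent
      # Keep the task's arguments and result, including the password,
      # out of the play output and the Ansible log; this matters because
      # the procedure runs ansible-playbook with -v.
      no_log: true
```

    Run it with the vault password prompt added to the command from step 4: `ansible-playbook -v -i inventory --ask-vault-pass del-trust.yml`.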

Verification steps

  • Use the ipa trust-show command to confirm that the trust has been removed.

    [root@server ~]# ipa trust-show ad.example.com
    ipa: ERROR: ad.example.com: trust not found

Additional resources

  • /usr/share/doc/ansible-freeipa/README-trust.md
  • /usr/share/doc/ansible-freeipa/playbooks/trust