Authors: Christian Heimes [email protected]
The playbook is partly inspired by and based on Adam Young's rippowam https://github.com/admiyo/rippowam.
The FreeIPA setup needs about 3 to 3.5 GB of free RAM and 6 to 7 GB disk space.
$ sudo dnf install ansible libvirt vagrant vagrant-libvirt vagrant-hostmanager libselinux-python nss-tools krb5-pkinit
$ sudo systemctl enable libvirtd
$ sudo systemctl start libvirtd
$ sudo usermod -G libvirt -a YOUR_USER
Either restart your session or use newgrp to join the new user group (current shell only).
$ newgrp libvirt
The default password for the users root and vagrant, FreeIPA's admin user, 389-DS, PKI CA and PKI KRA is Secret123. The Directory Manager password is DMSecret456.
$ cd ipa
$ ./setup.sh
Vagrant's multi-machine setup can run into a race condition and start provisioning before all machines have a new SSH key. Running vagrant up --no-provision followed by vagrant provision is more stable.
Sometimes the initial provision fails to configure the client or replica. A second provisioning run with vagrant provision fixes most issues.
The FreeIPA playbook deploys six machines:
- ipamaster (master.ipa.example) with CA and KRA
- ipareplica1 (replica1.ipa.example)
- ipaclient1 (client1.ipa.example)
- ipafilesserver (fileserver.ipa.example) for NFS, Samba and Apache demos
- ipavpnserver (vpn.ipa.example) for ocserv VPN
- ipaidpserver (idp.ipa.example) for Ipsilon IdP
When the machines are up, you can acquire a Kerberos ticket and start a local instance of Firefox to explore the WebUI. The admin password is Secret123.
$ bin/ipa_kinit admin
$ bin/ipa_firefox
$ bin/ipa_ssh [email protected]
$ cd ipatests
$ ./setup.sh
One test machine:
- ipatestmaster (master.ipatests.local) with CA and KRA
$ cd pki
$ vagrant up
The playbook for Dogtag PKI deploys 389-DS, a CA and a KRA in one VM.
- pki_server (dogtag.pki.example)
There is a shell script in pki/rpms that will download some dependencies.
rm -rf /var/lib/pki/ /var/log/pki/ /etc/sysconfig/pki-tomcat/ /etc/sysconfig/pki/tomcat/pki-tomcat/ /root/.dogtag/pki-tomcat /etc/pki/pki-tomcat/
$ cd pki
$ vagrant up
For example, to update RPMs:
$ vagrant provision
$ vagrant ssh <machine>
$ vagrant destroy
Copy or symlink files or directories with RPMs into pki/rpms or ipa/rpms and set custom_rpms to True. The Ansible playbook will pick up all RPMs (even in symlinked and nested directory structures) and install them.
$ sudo systemctl restart libvirtd.service
$ vagrant provision
Create an inventory.cfg:
[ipaserver_master]
master.domain.example
[ipaserver_replica]
replica1.domain.example
replica2.domain.example
[ipa_client]
client1.domain.example
client2.domain.example
client3.domain.example
and a shell script:
#!/bin/sh
set -ex
PKI_VAGANS="/path/to/pki-vagans"
IPA_DOMAIN="domain.example"
export ANSIBLE_CONFIG=${PKI_VAGANS}/ansible/ansible.cfg
ansible-playbook \
-i inventory.cfg \
${PKI_VAGANS}/ansible/ipa-playbook.yml \
-vv \
--extra-vars='{"package_install":true,"package_upgrade":true,"coprs_enabled":[],"ipa_replica_kra":false,"ipa_domain": "'${IPA_DOMAIN}'"}'
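The shell script above splices IPA_DOMAIN into a single-quoted JSON string by hand, and nothing checks the inventory before ansible-playbook runs. The following added example (not part of pki-vagans) parses an inventory.cfg in the shape shown above, checks that exactly one ipaserver_master is listed and that every host is under the IPA domain, and builds the same ansible-playbook argv with the extra-vars emitted by json.dumps. The sample inventory, pki_vagans path and function names are constructed for the example.

```python
import json

# Constructed sample in the shape of the inventory.cfg shown above.
SAMPLE_INVENTORY = """\
[ipaserver_master]
master.domain.example
[ipaserver_replica]
replica1.domain.example
replica2.domain.example
[ipa_client]
client1.domain.example
"""

def parse_inventory(text):
    """Return {group: [hosts]} from a minimal Ansible INI inventory."""
    groups, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            groups.setdefault(current, [])
        elif current is None:
            raise ValueError("host %r listed before any [group]" % line)
        else:
            groups[current].append(line.split()[0])  # ignore inline host vars
    return groups

def check_inventory(groups, ipa_domain):
    """Reject layouts the playbook cannot provision: the inventory must name
    exactly one master, and every host must sit under the IPA domain."""
    masters = groups.get("ipaserver_master", [])
    if len(masters) != 1:
        raise ValueError("need exactly one ipaserver_master, got %d" % len(masters))
    for group, hosts in groups.items():
        for host in hosts:
            if not host.endswith("." + ipa_domain):
                raise ValueError("%s in [%s] is outside %s" % (host, group, ipa_domain))
    return True

def playbook_argv(pki_vagans, ipa_domain, inventory="inventory.cfg", replica_kra=False):
    """argv for ansible-playbook; extra-vars come from json.dumps, so the
    domain is never hand-spliced into a quoted shell string."""
    extra = {"package_install": True, "package_upgrade": True, "coprs_enabled": [],
             "ipa_replica_kra": replica_kra, "ipa_domain": ipa_domain}
    return ["ansible-playbook", "-i", inventory,
            "%s/ansible/ipa-playbook.yml" % pki_vagans, "-vv",
            "--extra-vars=" + json.dumps(extra)]
```

Pass the returned list to subprocess.run (without shell=True) to launch the playbook with the validated inventory.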
General bootstrapping tasks to set up networking and Ansible dependencies (Python 2).
Common tasks for FreeIPA and Dogtag:
- firewalld
- SELinux
- rngd
- time zones
- hosts
FreeIPA base package and common facts
Configure host as FreeIPA client
Prepare Apache HTTPD for Ipsilon IdP, GSSAPI and SAML2 service point example
GSSAPI + mod_lookup_identity example
Create local configuration files and scripts for kinit, ssh and Firefox
Set up Ipsilon IdP with SAML2, Persona and OpenID
Kerberized NFS server and auto.fs for home directories
Install FreeIPA server packages
Set up FreeIPA master
Set up FreeIPA replica
Kerberized Samba/CIFS server
SAML2 service point example with mod_auth_mellon
Kerberized ocserv (OpenConnect) VPN server with MS-KKDCP support.
Install Dogtag PKI base packages for stand-alone CA
Configure 389-DS LDAP server for Dogtag
Configure Dogtag CA instance
Configure Dogtag KRA instance