Using Ansible to convert IPA into DSEE client on OL
Intro
This page describes an Ansible playbook that converts a FreeIPA client into a DSEE (Directory Server Enterprise Edition) client on Oracle Linux 6 and 7. Because the playbook first removes the host from the IPA domain, you need to know the IPA Directory Manager password.
The same playbook can also be used to configure a DSEE client on a freshly installed OL system.
Design
- Use the dedicated inventory files here and pass them with '-i' when running a playbook.
- Consider putting this in the inventory, since the host key can change during the conversion (it turns off host-key verification for these runs; updating known_hosts is the stricter alternative):
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
- To disable SELinux (most likely you want this), use the playbook disable-selinux.yml; the change requires a reboot.
- The main playbook for the DSEE client install is install_dsee_ol_client.yml.
- The main playbook determines the remote host's distribution (OracleLinux) and major version (6 or 7) and, depending on that, imports the additional playbook dedicated to OL6 or OL7. So there is no need to track the OL version in the inventory file.
- Since we assume the remote host is an IPA client, the playbook first tries to remove the host from the IPA domain and un-configure ipa-client before the DSEE setup.
So the IPA Directory Manager password has to be passed to the playbook with '-e ipa_dm_passwd=<password>' (a value given on the command line is visible in shell history and process listings; '-e @vars-file' with a vault-encrypted file avoids that).
- At the end of the run, the playbook also does a quick DSEE verification: it queries an LDAP group's membership and checks an automount location.
Implementation
- The playbook and the other needed files are listed below on this page.
- Go to the folder that holds the 'top' files and the two sub-folders OL6 and OL7.
- The 'secondary' playbooks (imported by the master one) for OL6 and OL7 live in the directories OL6 and OL7.
- Review the inventory files relevant for SELinux and the DSEE client.
- Do you know the IPA Directory Manager password?
- You can review the tasks to be run (without running them) with:
[you@ansible-run-host] ansible-playbook install_dsee_ol_client.yml --list-tasks
  tasks:
    Can I ping a server?                  TAGS: []
    Remove host from IPA server           TAGS: []
    Uninstall IPA client                  TAGS: []
    ensure needed rpms are installed      TAGS: []
    Stop, Disable sssd                    TAGS: []
    Verify NTPD is enabled, started       TAGS: []
    Edit /etc/nsswitch.conf               TAGS: []
    Backup /etc/sysconfig/authconfig first TAGS: []
    ... ETC ....
- Run the main playbook install_dsee_ol_client.yml (use -vvv for lots of verbosity):
ansible-playbook -i INVENTORY_DSEE_CLIENTS.TXT -e ipa_dm_passwd=<password> install_dsee_ol_client.yml
- At the end, the playbook verifies the configuration by listing the members of some LDAP group
and counting how many directories are in some automount location such as /workspace:
TASK [Check, list group 'crm' members]
"dn: cn=crm,ou=groups,dc=oracle,dc=com",
"memberUid: miland",
"memberUid: alisad",
"memberUid: vojislavd",
"memberUid: lukad",
"memberUid: aleksad",
... etc
TASK [Check /workspace NFS share]
Total directories: 1668
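The verification step above only dumps the ldapsearch result for the operator to read. The following Python script is an added example, not part of the original page: it parses the LDIF that `ldapsearch -LLL` prints (unfolding continuation lines and decoding base64 `::` values) and checks that the expected members are present, which is what the playbook's debug output leaves to the eye. The sample LDIF text and the uid names in it are constructed.

```python
"""Parse LDIF output from `ldapsearch -x -LLL ... memberUid` and verify group members.

Added example, not part of the original page. The sample below is constructed to look
like the playbook's 'Check, list group members' output and includes two LDIF features
a naive line scan misses: a base64 value ("::") and a folded (continued) line."""
import base64
from typing import Dict, List, Tuple

# Constructed sample: the third value is base64 for "vojislavd", the last one is folded.
SAMPLE_LDIF = """\
dn: cn=crm,ou=groups,dc=company,dc=com
memberUid: miland
memberUid: alisad
memberUid:: dm9qaXNsYXZk
memberUid: luka
 d

"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Turn LDIF text into a list of entries (dict attr -> list of values).
    Unfolds lines that start with a single space, decodes '::' base64 values,
    skips comments and the 'version:' line, and splits entries on blank lines."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)

    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in lines:
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):         # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def group_members(text: str, group_dn_prefix: str = "cn=crm,") -> List[str]:
    """Return the memberUid values of the entry whose dn starts with the given prefix."""
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        if dn.lower().startswith(group_dn_prefix.lower()):
            return entry.get("memberUid", [])
    return []


def check_expected_members(text: str, expected: List[str]) -> Tuple[bool, List[str]]:
    """Return (all_present, missing) for the expected uids."""
    found = set(group_members(text))
    missing = [uid for uid in expected if uid not in found]
    return (not missing, missing)


if __name__ == "__main__":
    ok, missing = check_expected_members(SAMPLE_LDIF, ["miland", "alisad", "vojislavd", "lukad"])
    print("members:", group_members(SAMPLE_LDIF))
    print("all expected present:", ok, "missing:", missing)
```

Feed it the registered task's stdout (for example by writing `result.stdout` to a file and running the script over it) and the check becomes a pass/fail rather than a listing to inspect.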
Known problems
These are situations that may happen on a target system.
- You need the root password on the target host. You likely have sudo privileges in IPA but not yet on the DSEE client; a quick resolution is adding "%<admin_group> ALL=(ALL) NOPASSWD: ALL" to /etc/sudoers (passwordless sudo for the whole group, so tighten it once the client works).
- Check your yum repo (internal to the company or external) and the http_proxy environment variable, so the host can reach the repo.
- An incorrectly configured /etc/resolv.conf is the most likely cause of problems.
- Some firewall settings may cause problems.
Files
The files in the top folder are listed here (file name first, then its content), followed by the folders OL6 and OL7 and their files:
disable-selinux.yml
---
- name: Playbook to disable selinux
  # make sure you know root's password on target host
  hosts: disable_selinux
  gather_facts: False
  tasks:
    # ----------------------------------------------
    # Is server alive? Also checks that the FQDN is valid
    # ----------------------------------------------
    - name: Can I ping a server?
      ping:

    # -------------------
    # disable selinux
    # requirement: libselinux-python on target host
    # the change takes effect after a reboot
    # -------------------
    - name: Disable SELinux (reboot required)
      selinux:
        state: disabled
      become: yes
      become_user: root
install_dsee_ol_client.yml
---
# install DSEE client on oracle linux:
# gather facts, check if it's ol6 or ol7, and import the appropriate playbook.
# import_playbook is a play-level statement, so it sits next to the play rather
# than under tasks (Ansible rejects it there); its 'when' is applied to every
# task of the imported playbook, per host.
- name: Install DSEE client on OL (gather facts)
  hosts: new_dsee_clients
  gather_facts: True

- import_playbook: OL6/ol6_client.yml
  when: ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "6"

- import_playbook: OL7/ol7_client.yml
  when: ansible_facts['distribution'] == "OracleLinux" and ansible_facts['distribution_major_version'] == "7"
INVENTORY_DISABLE_SELINUX.TXT
[disable_selinux:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
[disable_selinux]
# ansible_ssh_pass is stored in clear text here; ansible-vault or --ask-pass keeps it out of the file
ca-zdudic1.company.com ansible_user=root ansible_ssh_pass=some-passwd
ca-zdudic2.company.com ansible_user=root ansible_ssh_pass=some-passwd
INVENTORY_DSEE_CLIENTS.TXT (same hosts; the group name must match 'hosts:' in install_dsee_ol_client.yml)
[new_dsee_clients:vars]
ansible_ssh_common_args='-o StrictHostKeyChecking=no'
[new_dsee_clients]
ca-zdudic1.company.com ansible_user=root ansible_ssh_pass=some-passwd
ca-zdudic2.company.com ansible_user=root ansible_ssh_pass=some-passwd
OL6
ol6_client.yml
---
- name: PLAYBOOK TO CONFIGURE DSEE CLIENT ON ORACLE LINUX 6
  # make sure you know root's password on target host
  hosts: new_dsee_clients
  gather_facts: True
  vars:
    dsee_server: dsee-ldap-server.company.com
    dsee_base_dn: dc=company,dc=com
  tasks:
    # ----------------------------------------------
    # Is server alive? Also checks that the FQDN is valid
    # ----------------------------------------------
    - name: Can I ping a server?
      ping:

    # -------------------
    # unconfigure IPA client
    # -------------------
    - name: Remove host from IPA server
      ipa_host:
        name: "{{ inventory_hostname }}"
        state: absent
        ipa_host: freeipa-server-ldap01.company.com
        ipa_user: admin
        ipa_pass: "{{ ipa_dm_passwd }}"
      register: result
      # only a rejected Directory Manager password aborts the run;
      # a host that is already gone from IPA is not an error
      failed_when:
        - "result is failed and 'login: HTTP Error 401: Unauthorized' in result.msg"

    - name: Uninstall IPA client
      raw: ipa-client-install --uninstall --unattended
      register: result
      # raw returns stdout and stderr separately and "command not found" is printed
      # on stderr, so both streams are checked; both conditions must hold to fail
      failed_when:
        - "result.rc != 0 and 'ipa-client-install: command not found' not in (result.stdout + result.stderr)"
        - "result.rc != 0 and 'IPA client is not configured on this system' not in (result.stdout + result.stderr)"
      become: yes
      become_user: root

    # -------------------
    # required RPMs
    # -------------------
    - name: ensure needed rpms are installed
      yum:
        name: "{{ rpms }}"
        state: present
      vars:
        rpms:
          - nss-pam-ldapd
          - pam_ldap
          - apr-util-ldap
          - openldap
          - nscd
          - openldap-clients
          - autofs
          - ntp
          - authconfig
      become: yes
      become_user: root

    # -------------------
    # stop, disable sssd (used by the IPA client; the DSEE client uses nslcd)
    # -------------------
    - name: Stop, Disable sssd
      service:
        name: sssd
        state: stopped
        enabled: no
      register: result
      failed_when: "result is failed and 'Could not find the requested service' not in result.msg"
      become: yes
      become_user: root

    # -------------------
    # ntp config
    # -------------------
    - name: Verify NTPD is enabled, started
      service:
        name: ntpd
        state: started
        enabled: yes
      become: yes
      become_user: root

    # -------------------
    # /etc/nsswitch.conf
    # nsswitch.conf located in same place as playbook
    # -------------------
    - name: Edit /etc/nsswitch.conf
      copy:
        src: nsswitch.conf
        dest: /etc/nsswitch.conf
        owner: root
        group: root
        mode: 0644
        backup: yes
      become: yes
      become_user: root

    # ------------------------------------------------------
    # basic config
    # keep a timestamped copy of /etc/sysconfig/authconfig before authconfig rewrites it
    # ------------------------------------------------------
    - name: Backup /etc/sysconfig/authconfig first
      copy:
        src: /etc/sysconfig/authconfig
        dest: /etc/sysconfig/authconfig.{{ ansible_date_time.date }}.{{ ansible_date_time.time }}
        remote_src: yes   # the source file is on the target host, not on the control host
      become: yes
      become_user: root

    - name: Configure system authentication resources
      # --passalgo=md5 selects MD5 hashing for local passwords; sha512 is the stronger
      # choice where the environment allows it
      raw: authconfig --disablenis --passalgo=md5 --enableldapauth --enableldaptls --enableforcelegacy --enableldap --ldapserver="{{ dsee_server }}" --ldapbasedn="{{ dsee_base_dn }}" --update --kickstart
      become: yes
      become_user: root

    # ------------------------------------------------------
    # /etc/pam_ldap.conf
    # ------------------------------------------------------
    - name: Edit /etc/pam_ldap.conf
      copy:
        src: pam_ldap.conf
        dest: /etc/pam_ldap.conf
        owner: root
        group: root
        mode: 0644   # world-readable: keep bindpw out of this file or tighten the mode
        backup: yes
      become: yes
      become_user: root

    - name: Point /etc/pam_ldap.conf at the DSEE server
      replace:
        path: /etc/pam_ldap.conf
        regexp: '^uri ldaps.*'
        replace: 'uri ldaps://{{ dsee_server }}'
      become: yes
      become_user: root

    # -------------------
    # /etc/nslcd.conf
    # nslcd.conf located in same place as playbook
    # configuration file for LDAP nameservice daemon
    # -------------------
    - name: Copy /etc/nslcd.conf (config for LDAP nameservice daemon)
      copy:
        src: nslcd.conf
        dest: /etc/nslcd.conf
        owner: root
        group: root
        mode: 0640
        backup: yes
      become: yes
      become_user: root

    - name: Point /etc/nslcd.conf at the DSEE server
      replace:
        path: /etc/nslcd.conf
        regexp: '^uri ldaps.*'
        replace: 'uri ldaps://{{ dsee_server }}'
      become: yes
      become_user: root

    # -------------------
    # /etc/openldap/ldap.conf
    # -------------------
    - name: Verify/Edit /etc/openldap/ldap.conf part 1
      # one replace per pattern: a module mapping cannot carry two regexp keys
      replace:
        path: /etc/openldap/ldap.conf
        regexp: "{{ item.regexp }}"
        replace: "{{ item.replace }}"
        backup: yes
      loop:
        - { regexp: '^URI ldaps://.*', replace: 'URI ldaps://{{ dsee_server }}' }
        - { regexp: '^BASE .*', replace: 'BASE {{ dsee_base_dn }}' }
      become: yes
      become_user: root

    - name: Verify/Edit /etc/openldap/ldap.conf part 2
      blockinfile:
        path: /etc/openldap/ldap.conf
        block: |
          TLS_REQCERT allow
          REFERRALS no
        state: present
        backup: yes
      become: yes
      become_user: root

    # -------------------
    # /etc/sysconfig/autofs
    # -------------------
    - name: Copy /etc/sysconfig/autofs
      copy:
        src: autofs
        dest: /etc/sysconfig/autofs
        owner: root
        group: root
        mode: 0644
        backup: yes
      become: yes
      become_user: root

    - name: Point autofs at the DSEE server
      replace:
        path: /etc/sysconfig/autofs
        regexp: '^LDAP_URI=.*'
        replace: 'LDAP_URI="ldap://{{ dsee_server }}"'
      become: yes
      become_user: root

    # -------------------
    # /etc/autofs_ldap_auth.conf
    # each attribute sits on its own line in the stock file, so '.*' only eats the rest of that line
    # -------------------
    - name: Change usetls to no
      replace:
        path: /etc/autofs_ldap_auth.conf
        regexp: 'usetls=.*'
        replace: 'usetls="no"'
      become: yes
      become_user: root

    - name: Change tlsrequired to no
      replace:
        path: /etc/autofs_ldap_auth.conf
        regexp: 'tlsrequired=.*'
        replace: 'tlsrequired="no"'
      become: yes
      become_user: root

    - name: Change authrequired to no
      replace:
        path: /etc/autofs_ldap_auth.conf
        regexp: 'authrequired=.*'
        replace: 'authrequired="no"'
      become: yes
      become_user: root

    # -------------------
    # /etc/auto.master
    # -------------------
    - name: Copy /etc/auto.master
      copy:
        src: auto.master
        dest: /etc/auto.master
        owner: root
        group: root
        mode: 0644
        backup: yes
      become: yes
      become_user: root

    # -------------------
    # restart services
    # -------------------
    - name: Restart nslcd, nscd, autofs
      service:
        name: "{{ item }}"
        state: restarted
        enabled: yes
      loop:
        - nslcd
        - nscd
        - autofs
      become: yes
      become_user: root

    # -------------------
    # clear NSCD cache
    # -------------------
    - name: Clear Name Service Cache Daemon
      raw: "nscd -i group ; nscd -i passwd"
      become: yes
      become_user: root

    # -------------------
    # Check: change the group name to one that exists in your directory
    # -------------------
    - name: Check, list group 'crm' members
      raw: "ldapsearch -x -LLL -s sub \"(cn=crm)\" memberUid"
      register: result
    - debug:
        msg: "{{ result.stdout_lines }}"

    - name: Check /workspace NFS share
      raw: "ls /workspace/ | wc -l"
      register: result
    - debug:
        msg: "Total directories: {{ result.stdout }}"
autofs
LDAP_URI="ldap://dsee-ldap-server.company.com" #changeme
TIMEOUT=300
BROWSE_MODE="yes"
MOUNT_NFS_DEFAULT_PROTOCOL=3
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
SEARCH_BASE="ou=it.sfbay.sun.com,o=nl,dc=company,dc=com"
USE_MISC_DEVICE="yes"
auto.master
/misc /etc/auto.misc
/net -hosts
/- ldap:automountMapName=auto_direct,ou=storage,ou=sfbay,ou=systems,o=nl,dc=company,dc=com
/home ldap:automountMapName=auto_home,ou=it.sfbay.sun.com,o=nl,dc=company,dc=com
/import ldap:automountMapName=auto_import,ou=it.sfbay.sun.com,o=nl,dc=company,dc=com
/workspace ldap:automountMapName=auto_workspace,ou=sunit.company.com,o=nl,dc=company,dc=com
nslcd.conf
#uid nslcd
#gid ldap
# nslcd.conf only treats whole lines starting with '#' as comments,
# so the "changeme" markers sit on their own lines.
# changeme
uri ldaps://dsee-ldap-server.company.com
# changeme
binddn cn=myadmin,ou=adminusers,dc=company,dc=com
# changeme
bindpw mypassword
ssl on
tls_reqcert allow
base dc=company,dc=com
scope sub
referrals no
base passwd dc=company,dc=com
scope passwd sub
base shadow dc=company,dc=com
scope shadow sub
base group ou=groups,dc=company,dc=com
scope group one
base netgroup ou=netgroup,dc=company,dc=com
scope netgroup one
base aliases ou=aliases,ou=sunit.oraclecorp.com,o=nl,dc=company,dc=com
scope aliases one
nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: files
automount: files ldap
aliases: files ldap
pam_ldap.conf
# the "changeme" markers sit on their own lines so they are never read as part of a value
# changeme
uri ldaps://dsee-ldap-server.company.com
# changeme
binddn cn=myadmin,ou=adminusers,dc=company,dc=com
# changeme
bindpw mypassword
ssl on
tls_checkpeer no
base dc=company,dc=com
scope sub
referrals no
pam_password crypt
OL7
ol7_client.yml
---
- name: PLAYBOOK TO CONFIGURE DSEE CLIENT ON ORACLE LINUX 7
  # make sure you know root's password on target host
  hosts: new_dsee_clients
  gather_facts: True
  vars:
    dsee_server: dsee-ldap-server.company.com
    dsee_base_dn: dc=company,dc=com
  tasks:
    # ----------------------------------------------
    # Is server alive? Also checks that the FQDN is valid
    # ----------------------------------------------
    - name: Can I ping a server?
      ping:

    # -------------------
    # unconfigure IPA client
    # -------------------
    - name: Remove host from IPA server
      ipa_host:
        name: "{{ inventory_hostname }}"
        state: absent
        ipa_host: freeipa-server-ldap01.company.com
        ipa_user: admin
        ipa_pass: "{{ ipa_dm_passwd }}"
      register: result
      # only a rejected Directory Manager password aborts the run;
      # a host that is already gone from IPA is not an error
      failed_when:
        - "result is failed and 'login: HTTP Error 401: Unauthorized' in result.msg"

    - name: Uninstall IPA client
      raw: ipa-client-install --uninstall --unattended
      register: result
      # raw returns stdout and stderr separately and "command not found" is printed
      # on stderr, so both streams are checked; both conditions must hold to fail
      failed_when:
        - "result.rc != 0 and 'ipa-client-install: command not found' not in (result.stdout + result.stderr)"
        - "result.rc != 0 and 'IPA client is not configured on this system' not in (result.stdout + result.stderr)"
      become: yes
      become_user: root

    # -------------------
    # required RPMs
    # -------------------
    - name: ensure needed rpms are installed
      yum:
        name: "{{ rpms }}"
        state: present
      vars:
        rpms:
          - nss-pam-ldapd
          - openldap
          - nscd
          - openldap-clients
          - autofs
          - ntp
          - authconfig
      become: yes
      become_user: root

    # -------------------
    # stop, disable sssd (used by the IPA client; the DSEE client uses nslcd)
    # -------------------
    - name: Stop, Disable sssd
      systemd:
        name: sssd
        state: stopped
        enabled: no
      register: result
      failed_when: "result is failed and 'Could not find the requested service' not in result.msg"
      become: yes
      become_user: root

    # -------------------
    # ntp config
    # -------------------
    - name: Verify NTPD is enabled, started
      systemd:
        name: ntpd
        state: started
        enabled: yes
      become: yes
      become_user: root

    # -------------------
    # /etc/nsswitch.conf
    # nsswitch.conf located in same place as playbook
    # -------------------
    - name: Edit /etc/nsswitch.conf
      copy:
        src: nsswitch.conf
        dest: /etc/nsswitch.conf
        owner: root
        group: root
        mode: 0644
        backup: yes
      become: yes
      become_user: root

    # ------------------------------------------------------
    # basic config
    # keep a timestamped copy of /etc/sysconfig/authconfig before authconfig rewrites it
    # ------------------------------------------------------
    - name: Backup /etc/sysconfig/authconfig first
      copy:
        src: /etc/sysconfig/authconfig
        dest: /etc/sysconfig/authconfig.{{ ansible_date_time.date }}.{{ ansible_date_time.time }}
        remote_src: yes   # the source file is on the target host, not on the control host
      become: yes
      become_user: root

    - name: Configure system authentication resources
      # --passalgo=md5 selects MD5 hashing for local passwords; sha512 is the stronger
      # choice where the environment allows it
      raw: authconfig --disablenis --passalgo=md5 --enableldapauth --enableldaptls --enableforcelegacy --enableldap --disablesssd --ldapserver="{{ dsee_server }}" --ldapbasedn="{{ dsee_base_dn }}" --update --kickstart
      become: yes
      become_user: root

    # -------------------
    # /etc/nslcd.conf
    # nslcd.conf located in same place as playbook
    # configuration file for LDAP nameservice daemon
    # -------------------
    - name: Copy /etc/nslcd.conf (config for LDAP nameservice daemon)
      copy:
        src: nslcd.conf
        dest: /etc/nslcd.conf
        owner: root
        group: root
        mode: 0640
        backup: yes
      become: yes
      become_user: root

    - name: Point /etc/nslcd.conf at the DSEE server
      replace:
        path: /etc/nslcd.conf
        regexp: '^uri ldaps.*'
        replace: 'uri ldaps://{{ dsee_server }}'
      become: yes
      become_user: root

    # -------------------
    # /etc/openldap/ldap.conf
    # -------------------
    - name: Verify/Edit /etc/openldap/ldap.conf part 1
      # one replace per pattern: a module mapping cannot carry two regexp keys
      replace:
        path: /etc/openldap/ldap.conf
        regexp: "{{ item.regexp }}"
        replace: "{{ item.replace }}"
        backup: yes
      loop:
        - { regexp: '^URI ldaps://.*', replace: 'URI ldaps://{{ dsee_server }}' }
        - { regexp: '^BASE .*', replace: 'BASE {{ dsee_base_dn }}' }
      become: yes
      become_user: root

    - name: Verify/Edit /etc/openldap/ldap.conf part 2
      blockinfile:
        path: /etc/openldap/ldap.conf
        block: |
          SASL_NOCANON on
          TLS_REQCERT allow
          REFERRALS no
        state: present
        backup: yes
      become: yes
      become_user: root

    # -------------------
    # /etc/sysconfig/autofs
    # -------------------
    - name: Copy /etc/sysconfig/autofs
      copy:
        src: autofs
        dest: /etc/sysconfig/autofs
        owner: root
        group: root
        mode: 0644
        backup: yes
      become: yes
      become_user: root

    - name: Point autofs at the DSEE server
      replace:
        path: /etc/sysconfig/autofs
        regexp: '^LDAP_URI=.*'
        replace: 'LDAP_URI="ldap://{{ dsee_server }}"'
      become: yes
      become_user: root

    # -------------------
    # /etc/autofs_ldap_auth.conf
    # each attribute sits on its own line in the stock file, so '.*' only eats the rest of that line
    # -------------------
    - name: Change usetls to no
      replace:
        path: /etc/autofs_ldap_auth.conf
        regexp: 'usetls=.*'
        replace: 'usetls="no"'
      become: yes
      become_user: root

    - name: Change tlsrequired to no
      replace:
        path: /etc/autofs_ldap_auth.conf
        regexp: 'tlsrequired=.*'
        replace: 'tlsrequired="no"'
      become: yes
      become_user: root

    - name: Change authrequired to no
      replace:
        path: /etc/autofs_ldap_auth.conf
        regexp: 'authrequired=.*'
        replace: 'authrequired="no"'
      become: yes
      become_user: root

    # -------------------
    # /etc/auto.master
    # -------------------
    - name: Copy /etc/auto.master
      copy:
        src: auto.master
        dest: /etc/auto.master
        owner: root
        group: root
        mode: 0644
        backup: yes
      become: yes
      become_user: root

    # -------------------
    # restart services
    # -------------------
    - name: Restart nslcd, nscd, autofs
      systemd:
        name: "{{ item }}"
        state: restarted
        enabled: yes
      loop:
        - nslcd
        - nscd
        - autofs
      become: yes
      become_user: root

    # -------------------
    # clear NSCD cache
    # -------------------
    - name: Clear Name Service Cache Daemon
      raw: "nscd -i group ; nscd -i passwd"
      become: yes
      become_user: root

    # -------------------
    # Check: change the group name to one that exists in your directory
    # -------------------
    - name: Check, list group 'crm' members
      raw: "ldapsearch -x -LLL -s sub \"(cn=crm)\" memberUid"
      register: result
    - debug:
        msg: "{{ result.stdout_lines }}"

    - name: Check /workspace NFS share
      raw: "ls /workspace/ | wc -l"
      register: result
    - debug:
        msg: "Total directories: {{ result.stdout }}"
autofs
LDAP_URI="ldap://dsee-server.company.com" #change me
TIMEOUT=300
BROWSE_MODE="yes"
MOUNT_NFS_DEFAULT_PROTOCOL=3
MAP_OBJECT_CLASS="automountMap"
ENTRY_OBJECT_CLASS="automount"
MAP_ATTRIBUTE="automountMapName"
ENTRY_ATTRIBUTE="automountKey"
VALUE_ATTRIBUTE="automountInformation"
SEARCH_BASE="ou=it.sfbay.com,o=nl,dc=company,dc=com" # change me
USE_MISC_DEVICE="yes"
auto.master
/misc /etc/auto.misc
/net -hosts
/- ldap:automountMapName=auto_direct,ou=storage,ou=sfbay,ou=systems,o=nl,dc=company,dc=com
/home ldap:automountMapName=auto_home,ou=it.sfbay.sun.com,o=nl,dc=company,dc=com
/import ldap:automountMapName=auto_import,ou=it.sfbay.sun.com,o=nl,dc=company,dc=com
/workspace ldap:automountMapName=auto_workspace,ou=sunit.company.com,o=nl,dc=company,dc=com
nslcd.conf
#uid nslcd
#gid ldap
# nslcd.conf only treats whole lines starting with '#' as comments,
# so the "change me" markers sit on their own lines.
# change me
uri ldaps://dsee-server.company.com
# change me
binddn cn=myadmin,ou=adminusers,dc=company,dc=com
# change me
bindpw mypassword
ssl on
tls_reqcert allow
base dc=company,dc=com
scope sub
referrals no
base passwd dc=company,dc=com
scope passwd sub
base shadow dc=company,dc=com
scope shadow sub
base group ou=groups,dc=company,dc=com
scope group one
base netgroup ou=netgroup,dc=company,dc=com
scope netgroup one
# change me
base aliases ou=aliases,ou=sunit.company.com,o=nl,dc=company,dc=com
scope aliases one
nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: files
automount: files ldap
aliases: files ldap
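The nslcd.conf and pam_ldap.conf templates above (the OL6 copies and the OL7 copies alike) ship with tls_reqcert allow, tls_checkpeer no and a bindpw inside the file, and the playbooks install pam_ldap.conf with mode 0644. The Python script below is an added example, not part of the original page or of nslcd/pam_ldap: it parses this keyword-value format and reports those settings so they can be reviewed before rollout. The sample contents are constructed from the templates with placeholder secrets, the CA bundle path in the hardened sample is a placeholder, and the checklist is mine.

```python
"""Audit LDAP client configuration in the nslcd.conf / pam_ldap.conf keyword-value style
for the weak settings that the templates on this page carry.

Added example, not part of the original page. Samples are constructed (secrets are
placeholders); the checks are a hand-written checklist, not an nslcd or pam_ldap feature."""
import os
import stat
from typing import Dict, List, Optional

# Constructed: modelled on the page's nslcd.conf (tls_reqcert allow, bindpw in the file).
NSLCD_SAMPLE = """\
#uid nslcd
uri ldaps://dsee-ldap-server.company.com
binddn cn=myadmin,ou=adminusers,dc=company,dc=com
bindpw mypassword
ssl on
tls_reqcert allow
base dc=company,dc=com
"""

# Constructed: modelled on the page's pam_ldap.conf (tls_checkpeer no, installed 0644).
PAM_LDAP_SAMPLE = """\
uri ldaps://dsee-ldap-server.company.com
binddn cn=myadmin,ou=adminusers,dc=company,dc=com
bindpw mypassword
ssl on
tls_checkpeer no
pam_password crypt
"""

# Constructed: a hardened variant (anonymous bind, verified server cert). The CA path is a placeholder.
HARDENED_SAMPLE = """\
uri ldaps://dsee-ldap-server.company.com
ssl on
tls_reqcert demand
tls_cacertfile /etc/openldap/cacerts/PLACEHOLDER-ca-bundle.pem
base dc=company,dc=com
"""


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse 'keyword value' lines. Keywords are lower-cased, values keep their case
    (DNs, URIs); blank lines and '#' comment lines are skipped; first occurrence wins."""
    conf: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf.setdefault(key.lower(), value.strip())
    return conf


def audit_ldap_client_conf(text: str, mode: Optional[int] = None) -> List[str]:
    """Return human-readable findings; mode is the file's permission bits (e.g. 0o640)."""
    conf = parse_kv_config(text)
    findings: List[str] = []
    uri = conf.get("uri", "")
    # Plain ldap:// without STARTTLS sends the simple bind (and bindpw) in clear text.
    if uri.startswith("ldap://") and conf.get("ssl") != "start_tls":
        findings.append("uri is ldap:// without 'ssl start_tls': binds travel in clear text")
    # nslcd: never/allow/try skip or soften server certificate checks, so LDAPS
    # encrypts the session but does not authenticate the server.
    reqcert = conf.get("tls_reqcert", "demand")
    if reqcert in ("never", "allow", "try"):
        findings.append(f"tls_reqcert {reqcert}: server certificate is not verified")
    # pam_ldap: tls_checkpeer no has the same effect.
    if conf.get("tls_checkpeer", "yes") == "no":
        findings.append("tls_checkpeer no: server certificate is not verified")
    # A bindpw stored in the file is only as secret as the file mode.
    if "bindpw" in conf and mode is not None and mode & stat.S_IROTH:
        findings.append(f"bindpw present in a world-readable file (mode {oct(mode & 0o777)})")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit a real file, taking its permission bits from the filesystem."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_ldap_client_conf(text, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    for label, sample, mode in (("nslcd.conf", NSLCD_SAMPLE, 0o640),
                                ("pam_ldap.conf", PAM_LDAP_SAMPLE, 0o644),
                                ("hardened", HARDENED_SAMPLE, 0o640)):
        print(label, audit_ldap_client_conf(sample, mode) or ["no findings"])
```

Run audit_file('/etc/nslcd.conf') and audit_file('/etc/pam_ldap.conf') on a converted client to see what the templates leave in place; with a CA bundle distributed to the clients, tls_reqcert demand and tls_checkpeer yes close the certificate findings without any change to the playbooks' structure.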