> On Thu, Sep 14, 2023 at 8:10 AM Finn Fysj via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
> 
> Most of the role variables are not replicated.
> 
> In the example you show the vars as set in the role call, not in an
> inventory file.
> The same variables (ipaclient_*) should be replicated in the ipareplica
> role (and
> on ipaclient) for the settings to be the same on all hosts.
> 
> How are you executing the ipareplica code?
> 
> Rafael
Thank you for taking your time.

It's important to note a "Cloud" dynamic-inventory is being used to reach all 
of the servers involved.

server.yml
- hosts:
    - server
  become: true
  pre_tasks:
    - name: Replace default UID/GID_MAX
      ansible.builtin.replace:
        dest: /etc/login.defs
        regexp: "^{{ item }}.*"
        replace: "{{ item }} 6999"
      loop:
        - "UID_MAX"
        - "GID_MAX"
  roles:
    - role: freeipa.ansible_freeipa.ipaserver
      vars:
        ipaserver: "{{ ansible_hostname }}.example"
        ipaserver_hostname: "{{ ansible_hostname }}.example"
        ipaadmin_password: "test123"
        ipadm_password: "test321"
        ipaserver_domain: "example.com"
        ipaserver_realm: "EXAMPLE.COM"
        ipaserver_no_host_dns: true
        ipaserver_mem_check: true
        ipaserver_install_packages: true
        ipaserver_setup_dns: false
        ipaserver_no_pkinit: true
        ipaserver_no_hbac_allow: true
        ipaserver_no_ui_redirect: false
        ipaclient_no_ntp: true
        ipaclient_mkhomedir: true
        ipaclient_no_sudo: false

replica.yml
---
- hosts:
    - replica
  become: true
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      vars:
        # IPA Replica
        ipareplica_servers: ["server01.example.com"]
        ipareplicas: ["{{ ansible_play_hosts_all | join(', ') }}"]
        ipareplica_domain: "example"
        ipaadmin_principal: "admin"
        ipaadmin_password: "test123"
        ipadm_password: "test321"
        ipareplica_install_packages: true
        ipareplica_setup_firewalld: false
        ipareplica_setup_dns: false
        ipaclient_no_ntp: true
        ipaclient_mkhomedir: true
        ipaclient_no_sudo: false


site.yml
---
- import_playbook: server.yml
- import_playbook: replica.yml

ansible-playbook --ask-become-pass -i dynamic-inventory site.yml 


Authselect output:
$ authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
- with-sudo

Turns out now it works great.


I also then apply SUDO and HBAC rules to my MASTER server using playbooks. The 
sync of rules takes a lot of time. 
Could an SSSD restart trigger this?


After this I migrate existing USERS and GROUPS from an old IPA server (RHEL 7), 
which is going to be destroyed.
DS migration:
ipa migrate-ds --with-compat --user-container='cn=users,cn=accounts' 
--group-container='cn=groups,cn=accounts' ldap://old.ipa.example

I've later realized private groups are not being migrated. Any way to 
"regenerate" these?
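As an added example (not part of the thread or of ansible_freeipa itself), one way to apply Rafael's advice is to define the shared settings once in inventory group_vars instead of repeating them in each role call, so the ipaclient_* values cannot drift between the first server, the replicas and plain clients. The group names ipa, ipaserver, ipareplica and ipaclient, the ipa_domain/ipa_realm helper variables and the vault_* variables are assumptions; ipaclient_domain, ipaclient_realm and ipaclient_servers are the ipaclient role's own variables.

```yaml
# inventory/group_vars/ipa/main.yml  (added example, not from the thread)
# Assumed inventory layout: group "ipa" with child groups "ipaserver",
# "ipareplica" and "ipaclient". Every host in "ipa" receives these vars.
ipa_domain: example.com
ipa_realm: EXAMPLE.COM

# One value, fed to the three roles under their own variable names
ipaserver_domain: "{{ ipa_domain }}"
ipaserver_realm: "{{ ipa_realm }}"
ipareplica_domain: "{{ ipa_domain }}"
ipareplica_realm: "{{ ipa_realm }}"
ipaclient_domain: "{{ ipa_domain }}"
ipaclient_realm: "{{ ipa_realm }}"

# Client-side behaviour that must be identical on all enrolled hosts
ipaclient_no_ntp: true
ipaclient_mkhomedir: true
ipaclient_no_sudo: false

# Replicas and clients enroll against the inventory hosts in "ipaserver"
# (assumes the inventory names resolve as FQDNs)
ipareplica_servers: "{{ groups['ipaserver'] }}"
ipaclient_servers: "{{ groups['ipaserver'] }}"

# Secrets come from an ansible-vault encrypted file
# (inventory/group_vars/ipa/vault.yml, assumed), not from the playbook
ipaadmin_principal: admin
ipaadmin_password: "{{ vault_ipaadmin_password }}"
ipadm_password: "{{ vault_ipadm_password }}"

# site.yml: the plays carry no role vars of their own any more
- hosts: ipaserver
  become: true
  roles:
    - freeipa.ansible_freeipa.ipaserver
- hosts: ipareplica
  become: true
  roles:
    - freeipa.ansible_freeipa.ipareplica
- hosts: ipaclient
  become: true
  roles:
    - freeipa.ansible_freeipa.ipaclient
```

With the vault file encrypted, the run becomes `ansible-playbook --ask-become-pass --ask-vault-pass -i dynamic-inventory site.yml`, and a change to any ipaclient_* setting is made in one place for all hosts.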
_______________________________________________
FreeIPA-users mailing list -- [email protected]