Ansible plugin for FreeIPA


Johan Söderberg

Mar 7, 2014, 5:15:36 AM
to ansible...@googlegroups.com
Hi,

I'm wondering if there has been any thought of making a FreeIPA plugin for Ansible where one would be able to administrate IPA with Ansible? Add and remove servers, groups, users etc etc. Would such a plugin make sense?

Regards,

/Johan

Walid

Mar 7, 2014, 12:17:35 PM
to ansible...@googlegroups.com
The IPA itself has a good CLI abstraction, hiding the different components behind it.



Michael DeHaan

Mar 7, 2014, 11:02:14 PM
to ansible...@googlegroups.com
So would you mean a series of modules to configure things?

I'd be open to it.

I know a lot of the FreeIPA guys from Red Hat days and they are good folks.

It's also a bit of an interesting story to use it to manage access to Ansible via sssd.





Johan Söderberg

Mar 10, 2014, 5:05:34 AM
to ansible...@googlegroups.com
Yes, I'm thinking of one or more modules that give the system administrator the ability to do the most basic tasks directly from Ansible. My vision is to automate the whole life cycle chain of a server, from deployment, configuration, administration to decommission. In my environment we are using cobbler and ansible, these two applications together provide most of the necessary information to be used by our IPA installation. IP numbers, DNS names, group belongings etc etc. I imagine this wouldn't be unique for my environment.

As Wildi Shaari mentioned the IPA has a pretty good CLI. One can of course write scripts that get executed by Ansible, but I think that a much cleaner way would be to use Ansible directly since Ansible in itself can provide all necessary details to IPA. IPA, at least in my environment, is largely a mirror of the information available in Cobbler and Ansible.

Here is an example of a task where Ansible might be able to help. The task adds an entry to IPA, exports the server kerberos keytab, adds the new host entry to the kerberos keytab, and transfers the new keytab to the target host:

* kinit admin
* SERVER=server1 ; ipa host-add $SERVER-adm.domain.com ; ipa-getkeytab -s ipa01.domain.com -p host/$SERVER.domain.com -k /tmp/$SERVER.keytab ; ipa-getkeytab -s ipa01.domain.com -p host/$SERVER-adm.domain.com -k /tmp/$SERVER.keytab

* transfer the new keytab to the target server, server1:/tmp/server1.keytab
* backup the existing keytab on the target server
    * mv /etc/krb5.keytab  /tmp/krb5.keytab.$(date +%Y%m%d)

* replace the existing keytab
    * mv /tmp/server1.keytab /etc/krb5.keytab

/Johan
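
The backup and replace steps in the post above keep both the new keytab and the backup copy in /tmp, which every local user can write to. A more defensive form of that last part, as an added example that is not from the original post (the function name `install_keytab` and its three arguments are illustrative):

```shell
#!/bin/sh
# Added example: hardened "backup, then replace" for a host keytab.
# Usage: install_keytab NEW DEST BACKUP_DIR
# (illustrative names; on a real host DEST is /etc/krb5.keytab and this runs as root)
# The body is a subshell, so the umask and variables do not leak to the caller.
install_keytab() (
    new=$1
    dest=$2
    backup_dir=$3
    umask 077   # nothing created below is group- or world-readable

    # Refuse symlinks and empty files: the staging path is in a shared directory.
    if [ -L "$new" ] || [ ! -f "$new" ] || [ ! -s "$new" ]; then
        echo "refusing $new: not a regular, non-empty file" >&2
        return 1
    fi

    # Keep the previous keytab in a private directory instead of /tmp.
    if [ -f "$dest" ]; then
        mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1
        cp "$dest" "$backup_dir/krb5.keytab.$(date +%Y%m%d%H%M%S)" || return 1
    fi

    # Stage next to the destination so the final mv is an atomic rename and
    # the host is never left without a keytab.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if cat "$new" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest"; then
        rm -f "$new"   # do not leave key material behind in the staging path
        return 0
    fi
    rm -f "$tmp"
    return 1
)
```

On the target host this would be called as `install_keytab /tmp/server1.keytab /etc/krb5.keytab /root/keytab-backup`, where the backup directory is an assumed location.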

Mark Phillips

Mar 10, 2014, 6:30:38 PM
to ansible...@googlegroups.com
Interesting, and timely. Funnily enough I started looking at FreeIPA at the weekend, as part of a proposal for a current client project (where I'm building out an infra with Ansible). Naturally I'd done the initial setup with Ansible (the easy bit - 'yum' :-)) and was progressing to looking at what else could be done.

Can't chip in anything else useful, at the moment, but I'm keen to follow this topic closely (and hopefully contribute then!)

--Mark

Christopher Young

May 4, 2015, 9:13:13 AM
to ansible...@googlegroups.com
I'm just curious if there was any progress on this?  I'm looking to do very similar work.

Johan Söderberg

May 4, 2015, 10:30:59 AM
to ansible...@googlegroups.com
Not that I'm aware of. I ended up using the command module and it turned out quite ok.

/Johan

Thomas Krahn

Aug 3, 2016, 6:00:40 AM
to Ansible Project
Hi All,

I've started an Ansible Module to manage IPA entries like users, groups, sudo rules, ... . Feel free to contribute:

https://github.com/Nosmoht/ansible-module-ipa.git

Thomas

Joanna Delaporte

Aug 3, 2016, 9:01:19 AM
to ansible...@googlegroups.com

Awesome! Thank you!

Sent from Joanna's Android


Christopher Young

Aug 3, 2016, 9:10:44 AM
to ansible...@googlegroups.com

Yes.  Thank you so much.  I've been needing this!  Where's the Amazon wish list? Lol


Ryan Groten

Aug 3, 2016, 12:07:33 PM
to Ansible Project
Awesome, been looking for something like this.  You should make a pull request to ansible-modules-extras!

Greg DeKoenigsberg

Aug 3, 2016, 12:24:52 PM
to Ansible Project
On Wed, Aug 3, 2016 at 12:07 PM, Ryan Groten <rgr...@gmail.com> wrote:
> Awesome, been looking for something like this. You should make a pull
> request to ansible-modules-extras!

+1, since you clearly have reviewers already lined up. :)

> On Wednesday, 3 August 2016 04:00:40 UTC-6, Thomas Krahn wrote:
>>>
>>> Hi All,
>>
>>
>> i've started an Ansible Module to manage IPA entries like users, groups,
>> sudo rules, ... . Feel free to contribute:
>>
>> https://github.com/Nosmoht/ansible-module-ipa.git
>>
>> Thomas
>



--
Greg DeKoenigsberg
Ansible Community Guy

Thomas Krahn

Aug 4, 2016, 10:24:46 AM
to Ansible Project
I'm happy to open a PR to ansible-extra-modules but first of all I would like to implement some more modules. Please let me know what you need by creating an issue and I'll implement missing functionality/modules.

Thomas

Thomas Krahn

Aug 18, 2016, 3:17:26 AM
to Ansible Project
Hi All,

I implemented modules to manage users, groups, roles, hosts, hostgroups, HBAC rules and sudo rules.

Now I need your feedback and support. If everybody is happy and there are no major bugs I'll open a PR to ansible-extra-modules.

Thomas

Greg DeKoenigsberg

Aug 18, 2016, 10:20:34 AM
to Ansible Project
Excellent news, Thomas. Do you have a link to these modules so people
can provide feedback?

Thomas Krahn

Aug 18, 2016, 11:41:30 AM
to Ansible Project

Hi Greg,

That's where you can find the modules: https://github.com/Nosmoht/ansible-module-ipa

Thomas Krahn

Oct 24, 2016, 1:07:15 PM
to Ansible Project
Hi All,

I'm happy to announce that I've opened a PR for ansible-modules-extras.


Feel free to test it and provide feedback. If things are good, the modules would be in Ansible 2.3.


Thomas

benny....@credorax.com

Nov 16, 2016, 12:06:49 PM
to Ansible Project
Hi Thomas,

First of all, thank you for the great work you did on this ansible playbook for FreeIPA.
I am using IPA on a daily basis, and sometimes it's somewhat difficult using its web interfaces as it's slow and confusing.

I would like to use Rundeck with your ansible playbook as a backend for user/groups/hosts management.

A few questions:
1. How are you managing actual access from the "playbook" to the IPA server (how is ansible able to talk with the IPA server? Cleartext password in a .yml file?)

2. Any chance you have some live demo video of how it actually works? (It would be REALLY nice to see it live, especially for beginners with ansible and freeipa.)

thanx.