Parameter | Choices/Defaults | Comments |
---|---|---|
description | | |
force | | Force host name even if not in DNS. |
fqdn (required) | | Cannot be changed, as it is the unique identifier. |
ip_address | | Add the host to DNS with this IP address. |
ipa_host (string) | Default: | IP or hostname of IPA server. If the value is not specified in the task, the value of environment variable IPA_HOST will be used instead. If neither the environment variable IPA_HOST nor the value is specified in the task, DNS will be used to try to discover the FreeIPA server; the relevant entry needed in FreeIPA is the 'ipa-ca' entry. If neither the DNS entry, nor the environment variable IPA_HOST, nor the value is available in the task, then the default value will be used. Environment variable fallback mechanism is added in Ansible 2.5. |
ipa_pass (string, required) | | If the value is not specified in the task, the value of environment variable IPA_PASS will be used instead. Note that if the 'urllib_gssapi' library is available, it is possible to use GSSAPI to authenticate to FreeIPA. If the environment variable KRB5CCNAME is available, the module will use this Kerberos credentials cache to authenticate to the FreeIPA server. If the environment variable KRB5_CLIENT_KTNAME is available and KRB5CCNAME is not, the module will use this Kerberos keytab to authenticate. If GSSAPI is not available, the usage of 'ipa_pass' is required. Environment variable fallback mechanism is added in Ansible 2.5. |
ipa_port (integer) | Default: | Port of FreeIPA / IPA server. If the value is not specified in the task, the value of environment variable IPA_PORT will be used instead. If neither the environment variable IPA_PORT nor the value is specified in the task, then the default value is set. Environment variable fallback mechanism is added in Ansible 2.5. |
ipa_prot (string) | | Protocol used by IPA server. If the value is not specified in the task, the value of environment variable IPA_PROT will be used instead. If neither the environment variable IPA_PROT nor the value is specified in the task, then the default value is set. Environment variable fallback mechanism is added in Ansible 2.5. |
ipa_timeout (integer) | Default: 10 | Specifies idle timeout (in seconds) for the connection. For bulk operations, you may want to increase this in order to avoid timeouts from the IPA server. If the value is not specified in the task, the value of environment variable IPA_TIMEOUT will be used instead. If neither the environment variable IPA_TIMEOUT nor the value is specified in the task, then the default value is set. |
ipa_user (string) | Default: | Administrative account used on IPA server. If the value is not specified in the task, the value of environment variable IPA_USER will be used instead. If neither the environment variable IPA_USER nor the value is specified in the task, then the default value is set. Environment variable fallback mechanism is added in Ansible 2.5. |
mac_address | | If the option is omitted, MAC addresses will not be checked or changed. If an empty list is passed, all assigned MAC addresses will be removed. MAC addresses that are already assigned but not passed will be removed. |
ns_hardware_platform | | Host hardware platform (e.g. 'Lenovo T61'). |
ns_host_location | | Host location (e.g. 'Lab 2'). |
ns_os_version | | Host operating system and version (e.g. 'Fedora 9'). |
random_password (added in 2.5) | | Generate a random password to be used in bulk enrollment. |
state | | State to ensure. |
update_dns (boolean) | | If set to 'True' with state 'absent', removes the DNS records of the host managed by FreeIPA DNS. This option has no effect for states other than 'absent'. |
user_certificate | | If the option is omitted, certificates will not be checked or changed. If an empty list is passed, all assigned certificates will be removed. Certificates already assigned but not passed will be removed. |
validate_certs | | If set to no, the SSL certificates will not be validated. This should only be set to no on personally controlled sites using self-signed certificates. |
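The precedence the table describes (task value, then the IPA_* environment variable, then the default, with a Kerberos credential cache or keytab used through GSSAPI before ipa_pass) as an added Python example; this is not code from the Ansible module. The names resolve_ipa_connection and IpaConnection, and the ASSUMED_DEFAULTS values, are assumptions of this example, since the extracted table leaves most "Default:" cells empty.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed defaults: the extracted table above leaves most "Default:" cells
# empty, so these values are assumptions of this example, not taken from the page.
ASSUMED_DEFAULTS = {"ipa_port": "443", "ipa_prot": "https", "ipa_user": "admin",
                    "ipa_timeout": "10", "validate_certs": "yes"}


@dataclass
class IpaConnection:
    host: Optional[str]   # None: discover the server through the 'ipa-ca' DNS entry
    port: int
    prot: str
    user: str
    auth: str             # "gssapi" or "password"
    credential: str       # ccache path, keytab path, or the password itself
    timeout: int
    validate_certs: bool


def resolve_ipa_connection(task: dict, env: dict, gssapi_available: bool) -> IpaConnection:
    """Apply the documented precedence: task value, then IPA_* variable, then default."""
    def pick(name: str) -> Optional[str]:
        if task.get(name) is not None:
            return str(task[name])
        return env.get(name.upper(), ASSUMED_DEFAULTS.get(name))

    prot = pick("ipa_prot")
    if prot not in ("http", "https"):
        raise ValueError(f"ipa_prot must be http or https, got {prot!r}")
    # Credentials: a Kerberos ccache or keytab is used via GSSAPI when the library
    # is present; otherwise ipa_pass (task value or IPA_PASS) is mandatory.
    if gssapi_available and env.get("KRB5CCNAME"):
        auth, credential = "gssapi", env["KRB5CCNAME"]
    elif gssapi_available and env.get("KRB5_CLIENT_KTNAME"):
        auth, credential = "gssapi", env["KRB5_CLIENT_KTNAME"]
    elif pick("ipa_pass"):
        auth, credential = "password", pick("ipa_pass")
    else:
        raise ValueError("ipa_pass is required when no GSSAPI credentials are available")
    # validate_certs has no environment fallback; "no" disables TLS verification,
    # which exposes the admin password to an interposed server, so it defaults to yes.
    validate = str(task.get("validate_certs", ASSUMED_DEFAULTS["validate_certs"])).lower()
    return IpaConnection(host=pick("ipa_host"), port=int(pick("ipa_port")), prot=prot,
                         user=pick("ipa_user"), auth=auth, credential=credential,
                         timeout=int(pick("ipa_timeout")),
                         validate_certs=validate in ("yes", "true", "1"))
```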
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
host (dictionary) | always | |
host_diff | if check mode and a difference is found | List of options that differ and would be changed |
Prerequisites:
In this module you will explore how to use FreeIPA as a backend provider for SSH keys. Instead of distributing ``authorized_keys`` and ``known_hosts`` files, SSH keys are uploaded to their corresponding user and host entries in FreeIPA.
OpenSSH can use public-private key pairs to authenticate users. A user wanting to access a host can get her public key added to an ``authorized_keys`` file on the target host. When the user attempts to log in, she presents her public key and the host grants access if her key is in an ``authorized_keys`` file. There are system-wide and per-user ``authorized_keys`` files, but if the target systems do not mount a network-backed home directory (e.g. NFS), then the user must copy her public key to every system she intends to log in to.
On FreeIPA-enrolled systems, SSSD can be configured to cache and retrieve user SSH keys so that applications and services only have to look in one location for user public keys. FreeIPA provides the centralized repository of keys, which users can manage themselves. Administrators do not need to worry about distributing, updating or verifying user SSH keys.
Generate a user keypair on the client system:
The public key is stored in ``/home/alice/.ssh/id_rsa.pub`` in an OpenSSH-specific format. ``alice`` can now upload it to her user entry in FreeIPA:
During enrolment of the systems, SSSD has been configured to use FreeIPA as one of its identity domains and OpenSSH has been configured to use SSSD for managing user keys.
If you have disabled the ``allow_all`` HBAC rule, add a new rule that will allow ``alice`` to access the ``sshd`` service on any host.
Logging in to the server using SSH public key authentication should now work:
To verify that the SSH public key was used for authentication, you can check the ``sshd`` log on the server:
OpenSSH uses public keys to authenticate hosts. When a client attempts to log in over SSH, the target host presents its public key. The first time the host authenticates, the user may have to examine the target host's public key and manually authenticate it. The client then stores the host's public key in a ``known_hosts`` file. On subsequent attempts to log in, the client checks its ``known_hosts`` files. If the presented host key does not match the stored host key, the OpenSSH client refuses to continue.
Based on the last exercise, try to figure out how to upload SSH hostkeys to the FreeIPA server.
Note: OpenSSH has already been configured to look up known hosts on the FreeIPA server, so no manual configuration is required for this section.
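The key upload from the user exercise above and this host-key exercise both take the same input, the OpenSSH-format public key line (from ``~/.ssh/id_*.pub`` or ``/etc/ssh/ssh_host_*_key.pub``). As an added Python example, not code from the workshop or from FreeIPA, the block below parses that format, checks that the declared type matches the type embedded in the blob, computes the fingerprint in the form ``ssh-keygen -lf`` prints, and builds the ``ipa user-mod`` / ``ipa host-mod --sshpubkey=...`` invocation. The function names and the 32-byte sample key material are constructed for this example.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the OpenSSH public key wire format."""
    return struct.pack(">I", len(data)) + data


def parse_openssh_pubkey(line: str) -> dict:
    """Parse one line as written by ssh-keygen to id_*.pub or ssh_host_*_key.pub."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type = parts[0]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(parts[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short to carry a key type")
    # The blob begins with the key type as a length-prefixed string; it must
    # agree with the text type, otherwise the line was edited or corrupted.
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the declared type")
    # Same form as ssh-keygen -lf: SHA256 over the raw blob, base64 without padding.
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "blob": blob, "comment": comment,
            "fingerprint": "SHA256:" + digest}


def ipa_sshpubkey_command(entry: str, name: str, pubkey_lines: list) -> list:
    """Build the 'ipa user-mod' / 'ipa host-mod' argv that stores the keys on the entry.

    Every key is parsed first so a malformed line is rejected before the
    directory is touched; each key becomes its own --sshpubkey option."""
    subcommand = {"user": "user-mod", "host": "host-mod"}[entry]
    argv = ["ipa", subcommand, name]
    for line in pubkey_lines:
        key = parse_openssh_pubkey(line)
        argv.append(f"--sshpubkey={key['type']} {base64.b64encode(key['blob']).decode()}")
    return argv


def constructed_ed25519_line(comment: str = "alice@client") -> str:
    """A syntactically valid but constructed (not real) ed25519 public key line."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"
```

For host keys, the same call with entry="host" and the lines from ``/etc/ssh/ssh_host_*_key.pub`` gives the ``ipa host-mod`` command; the comment field is not uploaded, only the type and blob.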
Congratulations! This was the final topic in the workshop. If you skipped any units, you can reach them from the curriculum overview.