No better way to learn some more details of Ansible than to automate a task I need to do on a regular basis: ipa-server-install.
Category Archives: FreeIPA
Adding an LDAP backed domain to a Packstack install
I’ve been meaning to put all the steps together to do this for a while:
Got an IPA server running on Centos7
Got a Packstack all in one install on Centos 7. I registered this host as a FreeIPA client, though that is not strictly required.
Continue reading
Who Signed that Token?
The specification For multiple signers requires a mechanism to determine who signed the token and then determine I’d the signer had the authority to issue a token for the scope of the token. These are the steps he he necessary to perform that validation.
Ansible Hostgroups from FreeIPA
Ansible provides management for a large array of servers using ssh as the access mechanism. This is a good match for FreeIPA. However, by default Ansible uses a flat file to store groups of hosts. How can we get that info from FreeIPA? Continue reading
Getting Service Users out of LDAP
Most people cannot write to the LDAP servers except to manage their own data. Thus, OpenStack requiring the Service users in LDAP is a burden that many IT organizations cannot assume. In Juno we have support for Multiple backends for domains.
Continue reading
Unattended Install of a FreeIPA Server
As a developer, I install and uninstall the application I’m working on all the time. Back when I was working on FreeIPA full time, I had a couple of functions that I used to do an unattended install with some simple defaults. I recently cleaned them up a little. Since a few people have asked me for them, I’m posting them here.
Testing S4U2Proxy
S4U2Proxy for Horizon
I’ve got a packstack install, and a Kerberos-capable Keystone. Time to call it from Horizon. Time to set up S4U2Proxy.
Continue reading
running the freeipa CLI from a non-client machine
A developer does things that are at odds with a production deployment. Case in point: the FreeIPA assumes that it should be run on an ipa-client machine. But as a developer, I need to talk to remote FreeIPA servers. Here’s how to make the CLI work without performing a client install.
Continue reading
Keeping DHCP from changing the Nameserver
I’m running FreeIPA in an OpenStack lab. I don’t control the DHCP server. When a host renews its lease, the dhclient code overwrites the nameserver values in /etc/resolv.conf. To avoid this, I modified /etc/dhcp/dhclient.conf
interface "eth0" { prepend domain-name-servers 192.168.187.12; }
This makes sure my custom nameserver stays at the top of the list. Its a small hack that is perfect for developer work.