README.md 8.34 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227
# easy_ipa Puppet module
[![Build Status](https://travis-ci.org/jpuskar/puppet-ipa.svg?branch=master)](https://travis-ci.org/jpuskar/puppet-ipa)

## Overview

This module will install and configure IPA servers, replicas, and clients. This module was forked from huit-ipa, 
and refactored with a focus on simplicity and ease of use.

The following features work great:
- Creating a domain.
- Adding IPA server replicas.
- Joining clients.
- WebUI proxy to https://localhost:8440 (for vagrant testing).

The following features were stripped out and are currently unavailable:
- Autofs configuration.
- Sudo rule management.
- Host management (beyond simple clinet domain joins).
- Host joins via one time passwords.
- Dns zone management (beyond creating an initial zone).

## Dependencies
This module requires [puppetlabs/stdlib](https://forge.puppetlabs.com/puppetlabs/stdlib) >= 4.13.0.

## Usage

### Example usage:

Creating an IPA master, with the WebUI proxied to `https://localhost:8440`.
```puppet
class {'easy_ipa':
    ipa_role                    => 'master',
    domain                      => 'vagrant.example.lan',
    ipa_server_fqdn             => 'ipa-server-1.vagrant.example.lan',
    admin_password              => 'vagrant123',
    directory_services_password => 'vagrant123',
    install_ipa_server          => true,
    ip_address                  => '192.168.44.35',
    enable_ip_address           => true,
    enable_hostname             => true,
    manage_host_entry           => true,
    install_epel                => true,
    webui_disable_kerberos      => true,
    webui_enable_proxy          => true,
    webui_force_https           => true,
}
```

Adding a replica:
```puppet
class {'::easy_ipa':
    ipa_role             => 'replica',
    domain               => 'vagrant.example.lan',
    ipa_server_fqdn      => 'ipa-server-2.vagrant.example.lan',
    domain_join_password => 'vagrant123',
    install_ipa_server   => true,
    ip_address           => '192.168.44.36',
    enable_ip_address    => true,
    enable_hostname      => true,
    manage_host_entry    => true,
    install_epel         => true,
    ipa_master_fqdn      => 'ipa-server-1.vagrant.example.lan',
}
```

Adding a client:
```puppet
class {'::easy_ipa':
ipa_role             => 'client',
domain               => 'vagrant.example.lan',
domain_join_password => 'vagrant123',
install_epel         => true,
ipa_master_fqdn      => 'ipa-server-1.vagrant.example.lan',
}
```

### Mandatory Parameters

#### `domain`
Mandatory. The name of the IPA domain to create or join.

#### `ipa_role`
Mandatory. What role the node will be. Options are 'master', 'replica', and 'client'.

#### `admin_password`
Mandatory if `ipa_role` is set as 'Master' or 'Replica'.
Password which will be assigned to the IPA account named 'admin'.

#### `directory_services_password`
Mandatory if `ipa_role` is set as 'Master'.
Password which will be passed into the ipa setup's parameter named "--ds-password".

### Optional Parameters

#### `autofs_package_name`
Name of the autofs package to install if enabled.

#### `configure_dns_server`
If true, then the parameter '--setup-dns' is passed to the IPA server installer.
Also, triggers the install of the required dns server packages.

#### `configure_ntp`
If false, then the parameter '--no-ntp' is passed to the IPA server installer.

#### `custom_dns_forwarders`
Each element in this array is prefixed with '--forwarder ' and passed to the IPA server installer.

#### `domain_join_principal`
The principal (usually username) used to join a client or replica to the IPA domain.

#### `domain_join_password`
The password for the domain_join_principal.

#### `enable_hostname`
If true, then the parameter '--hostname' is populated with the parameter 'ipa_server_fqdn'
and passed to the IPA installer.

#### `enable_ip_address`
If true, then the parameter '--ip-address' is populated with the parameter 'ip_address'
and passed to the IPA installer.

#### `fixed_primary`
If true, then the parameter '--fixed-primary' is passed to the IPA installer.

#### `idstart`
From the IPA man pages: "The starting user and group id number".

#### `install_autofs`
If true, then the autofs packages are installed.

#### `install_epel`
If true, then the epel repo is installed. The epel repo is usually required for sssd packages.

#### `install_kstart`
If true, then the kstart packages are installed.

#### `install_ldaputils`
If true, then the ldaputils packages are installed.

#### `install_sssdtools`
If true, then the sssdtools packages are installed.

#### `ipa_client_package_name`
Name of the IPA client package.

#### `ipa_server_package_name`
Name of the IPA server package.

#### `install_ipa_client`
If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'.

#### `install_ipa_server`
If true, then the IPA server packages are installed if the parameter 'ipa_role' is not set to 'client'.

#### `install_sssd`
If true, then the sssd packages are installed.

#### `ip_address`
IP address to pass to the IPA installer.

#### `ipa_server_fqdn`
Actual fqdn of the IPA server or client.

#### `kstart_package_name`
Name of the kstart package.

#### `ldaputils_package_name`
Name of the ldaputils package.

#### `ipa_master_fqdn`
FQDN of the server to use for a client or replica domain join.

#### `manage_host_entry`
If true, then a host entry is created using the parameters 'ipa_server_fqdn' and 'ip_address'.

#### `mkhomedir`
If true, then the parameter '--mkhomedir' is passed to the IPA client installer.

#### `no_ui_redirect`
If true, then the parameter '--no-ui-redirect' is passed to the IPA server installer.

#### `realm`
The name of the IPA realm to create or join.

#### `sssd_package_name`
Name of the sssd package.

#### `sssdtools_package_name`
Name of the sssdtools package.

#### `webui_disable_kerberos`
If true, then /etc/httpd/conf.d/ipa.conf is written to exclude kerberos support for
incoming requests whose HTTP_HOST variable match the parameter 'webio_proxy_external_fqdn'.
This allows the IPA Web UI to work on a proxied port, while allowing IPA client access to
function as normal.

#### `webui_enable_proxy`
If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows
for the Web UI to be accessed from different ports and hostnames than the default.

#### `webui_force_https`
If true, then /etc/httpd/conf.d/ipa-rewrite.conf is modified to force all connections to https.
This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard
ports.

#### `webui_proxy_external_fqdn`
The public or external FQDN used to access the IPA Web UI behind the reverse proxy.

#### `webui_proxy_https_port`
The HTTPS port to use for the reverse proxy. Cannot be 443.


## Limitations

This module has only been tested on Centos 7.

## Testing
A vagrantfile is provided for easy testing.

Steps to get started:
 1. Install vagrant.
 1. Install virtualbox.
 1. Clone this repo.
 1. Run `vagrant up` in a terminal window from the root of the repo.
 1. Open a browser and navigate to `https://localhost:8440`.
 Log in with username `admin` and password `vagrant123`.

228 229 230
## Authors

Original work from Harvard University Information Technology, mainly written by Rob Ruma (https://github.com/huit/puppet-ipa)
231

232
then forked by John Puskar (https://github.com/jpuskar/puppet-easy_ipa)
233

234 235 236 237
then forked by ADULLACT (https://gitlab.adullact.net/adullact/puppet-freeipa) currently written by :
  * ADULLACT with Fabien Combernous
  * PHOSPHORE.si with Scott Barthelemy and Bertrand RETIF

238 239 240
## License

    Copyright (C) 2013 Harvard University Information Technology
241 242
    Copyright (C) 2018 Association des Développeurs et Utilisateurs de Logiciels Libres
                         pour les Administrations et Colléctivités Territoriales.
243 244 245 246 247 248 249 250 251 252 253 254 255
    
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.