On 27/09/2023 22.00, Andrew Imeson via FreeIPA-users wrote:
The password can be stored in Ansible Vault, prompted for, or whatever preferred Ansible secret management strategy you employ.
I run it from the FreeIPA nodes, so it's over an encrypted SSH session and then done via the loopback. It's also using "ldaps" not "ldap," so even a privileged user sniffing on the loopback wouldn't see it (although a privileged user would have a hundred other ways to potentially gain access).
It may be easier to use ipa-ldap-updater as root. The command uses LDAP over Unix sockets for secure communication and authentication. You don't have to pass any additional options like shost, port, or password. The update syntax is based on LDIF, but shorter and IMO easier to read.
Create a file "rootdse.update" with content:
    dn: cn=config
    only: nsslapd-allow-anonymous-access: rootdse
then run "ipa-ldap-updater rootdse.update" on every IPA server. Changes to cn=config are not replicated.
Christian
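As an added example (not code from this thread or from FreeIPA itself), the following Python converts a minimal ipa-ldap-updater update file, such as the rootdse.update above, into the equivalent LDIF modify record, so the change can be reviewed before it is applied on each server. It assumes the update-file format is "dn:" followed by "action: attribute: value" lines and handles only the "only", "add" and "remove" actions, mapped to LDIF replace/add/delete.

```python
"""Convert a minimal ipa-ldap-updater update file into LDIF modify operations.
Example code added here, not part of the original thread or of FreeIPA.
Assumption: a 'dn:' line is followed by 'action: attr: value' lines, and the
'only', 'add' and 'remove' actions correspond to LDIF replace/add/delete."""

ACTION_TO_LDIF = {"only": "replace", "add": "add", "remove": "delete"}


def parse_update(text):
    """Return a list of (dn, [(action, attr, value), ...]) from update text."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        if line.lower().startswith("dn:"):
            current = (line[3:].strip(), [])
            entries.append(current)
            continue
        if current is None:
            raise ValueError("attribute line before any dn: %r" % line)
        action, attr, value = (p.strip() for p in line.split(":", 2))
        if action not in ACTION_TO_LDIF:
            raise ValueError("unsupported action %r" % action)
        current[1].append((action, attr, value))
    return entries


def to_ldif(entries):
    """Render parsed entries as LDIF 'changetype: modify' records."""
    out = []
    for dn, mods in entries:
        out.append("dn: %s" % dn)
        out.append("changetype: modify")
        for action, attr, value in mods:
            out.append("%s: %s" % (ACTION_TO_LDIF[action], attr))
            out.append("%s: %s" % (attr, value))
            out.append("-")
        out.append("")  # blank line terminates the record
    return "\n".join(out)


# Constructed sample: the rootdse.update file described in the thread.
ROOTDSE_UPDATE = "dn: cn=config\nonly: nsslapd-allow-anonymous-access: rootdse\n"

if __name__ == "__main__":
    print(to_ldif(parse_update(ROOTDSE_UPDATE)))
```

Because cn=config is not replicated, the same update (or the rendered LDIF) has to be applied on every IPA server.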