Hi,
I'm new to FreeIPA and the ansible-freeipa collection. I can successfully install an IPA server using the ipaserver role. However, I want to set up multi-master replication with failover.
As far as I know I need to install ipaserver on all of my masters/replicas and then the replica role? How do the master nodes establish a relationship? Is this done using the IPA client?
It might seem weird, but my goal is to set up the IPA server purely as an LDAP server using an external CA. This is because we want to have the ability to have a user interface like the web GUI.
Hello Finn,
On 4/14/23 10:10, Finn Fysj via FreeIPA-users wrote:
Hi,
I'm new to FreeIPA and the ansible-freeipa collection. I can successfully install an IPA server using the ipaserver role. However, I want to set up multi-master replication with failover.
As far as I know I need to install ipaserver on all of my masters/replicas and then the replica role? How do the master nodes establish a relationship? Is this done using the IPA client?
The first server is installed using the ipaserver role, the following servers (replicas) using the ipareplica role.
There are examples for a cluster deployment and also about topology segment management in https://github.com/freeipa/ansible-freeipa/blob/master/README.md
It might seem weird, but my goal is to set up the IPA server purely as an LDAP server using an external CA. This is because we want to have the ability to have a user interface like the web GUI.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
Regards, Thomas
Yes, so I managed to successfully install an IPA server and a replica using the two roles. They're both masters?
I know the replica's configuration is based on the master, but one of my problems is that:
- I use idstart 6000 on my IPA server (master) and my replica does not follow this configuration, meaning when I try to create a user on both servers they start with different IDs. On the IPA server it'll have 6001 and on the replica it'll be 50001.
Hi,
On Sun, Apr 16, 2023 at 10:10 PM Finn Fysj via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Yes, so I managed to successfully install an IPA server and a replica using the two roles. They're both masters?
I know the replica's configuration is based on the master, but one of my problems is that:
- I use idstart 6000 on my IPA server (master) and my replica does not follow this configuration, meaning when I try to create a user on both servers they start with different IDs. On the IPA server it'll have 6001 and on the replica it'll be 50001.
How is the user created? If you want to create an IPA user, you need to use the "ipa user-add" command (or the ansible module ipauser), and the command needs to be executed only on one machine. The user will then be replicated to the other servers with the same uid/gid.
flo
I tried to login into both IPA servers through web ui just to "test", and noticed this diff. Seems like "idstart" isn't replicated to the replica server?
Finn Fysj via FreeIPA-users wrote:
Yes, so I managed to successfully install an IPA server and a replica using the two roles. They're both masters?
I know the replica's configuration is based on the master, but one of my problems is that:
- I use idstart 6000 on my IPA server (master) and my replica does not follow this configuration, meaning when I try to create a user on both servers they start with different IDs. On the IPA server it'll have 6001 and on the replica it'll be 50001.
This is expected. The IPA idrange is configured in the Distributed Numeric Assignment (DNA) plugin in 389-ds. This plugin is what issues UID and GID values. When a replica is added and a user or group is created on that replica then the DNA range is split and each server retains half.
This is to reduce potential conflicts if multiple servers are issuing from the same id range.
rob
Also... Is it required to have the IPA client installed on the replica? Would it still be considered a "master"? I had to join manually as I get the following error running the ipareplica role:
FAILED! => {"changed": false, "msg": "Unable to find IPA Server to join"}
MANUALLY JOIN:
$ sudo ipa-client-install --domain=EXAMPLE.COM --realm=EXAMPLE.COM --server=master.example.com
This program will set up IPA client.
Version 4.10.0

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]:
....
The ipa-client-install command was successful
On Mon, Apr 17, 2023 at 3:50 AM Finn Fysj via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Also... Is it required to have the IPA client installed on the replica? Would it still be considered a "master"? I had to join manually as I get the following error running the ipareplica role:
FAILED! => {"changed": false, "msg": "Unable to find IPA Server to join"}
Do you have DNS resolvers properly set on the replica?
You may want to use "ipaclient_configure_dns_resolver=yes", and properly set "ipaclient_dns_servers".
Rafael
MANUALLY JOIN:
$ sudo ipa-client-install --domain=EXAMPLE.COM --realm=EXAMPLE.COM --server=master.example.com
This program will set up IPA client.
Version 4.10.0

Autodiscovery of servers for failover cannot work with this configuration.
If you proceed with the installation, services will be configured to always access the discovered server for all operations and will not fail over to other servers in case of failure.
Proceed with fixed values and no DNS discovery? [no]: yes
Do you want to configure chrony with NTP server or pool address? [no]:
....
The ipa-client-install command was successful
So... We're using a dynamic inventory... And when I tried creating a static inventory dividing my hosts into the groups [ipaserver] and [ipareplicas], this worked... Without using these groups specifically, my vars got ignored?
On 4/17/23 14:45, Finn Fysj via FreeIPA-users wrote:
So... We're using a dynamic inventory... And when I tried creating a static inventory dividing my hosts into the groups [ipaserver] and [ipareplicas], this worked... Without using these groups specifically, my vars got ignored?
How did you setup your inventory and which vars have been ignored?
Generally the ipaserver_* vars are used for the ipaserver role, the ipareplica_* vars for the ipareplica role and the ipaclient_* vars for the ipaclient role. The ipaserver role uses the ipaclient role for the client deployment part on the server. The ipareplica role first deploys a client using the ipaclient role and then promotes this client to become a replica. Therefore ipaclient_* vars are also used by the ipaserver and ipareplica roles. For simplification the ipareplica role can use some ipaserver vars if the matching ipareplica vars are not set.
There are examples for cluster deployments in the main and also the replica role README on the ansible-freeipa github page and also as part of the collection.
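Putting the advice from this thread together (first server with the ipaserver role, replicas with the ipareplica role, hosts split into the ipaserver and ipareplicas inventory groups, external DNS pointed at with ipaclient_configure_dns_resolver/ipaclient_dns_servers, idstart set only once), here is an added example playbook. It is not code from the thread or from the ansible-freeipa project's own examples. It assumes an inventory with master1.example.com in group ipaserver and master2.example.com in group ipareplicas, the domain example.com / realm EXAMPLE.COM used in the thread, a made-up external DNS server at 10.0.0.53 that already serves the records listed by "ipa dns-update-system-records --dry-run", and two made-up vault variables (vault_ipaadmin_password, vault_ipadm_password) instead of passwords written into the playbook.

```yaml
---
# Added example, not from the thread or the ansible-freeipa project.
# Assumptions: inventory groups "ipaserver" (master1.example.com) and
# "ipareplicas" (master2.example.com); external DNS server 10.0.0.53
# (made-up address) that already carries the IPA SRV/A records;
# vault_ipaadmin_password / vault_ipadm_password defined in an
# ansible-vault encrypted vars file (made-up names).

- name: Deploy the first IPA server
  hosts: ipaserver
  become: true
  vars:
    ipaadmin_password: "{{ vault_ipaadmin_password }}"
    ipadm_password: "{{ vault_ipadm_password }}"
    ipaserver_domain: example.com
    ipaserver_realm: EXAMPLE.COM
    ipaserver_setup_dns: false        # external DNS stays authoritative
    ipaserver_idstart: 6000           # the id range is created once, here only
    ipaserver_no_pkinit: true
    # Point the installer at the external DNS server instead of whatever
    # the cloud image left in /etc/resolv.conf.
    ipaclient_configure_dns_resolver: true
    ipaclient_dns_servers:
      - 10.0.0.53
  roles:
    - role: freeipa.ansible_freeipa.ipaserver

- name: Enrol replicas as clients and promote them
  hosts: ipareplicas
  become: true
  vars:
    ipaadmin_password: "{{ vault_ipaadmin_password }}"
    ipareplica_domain: example.com
    ipareplica_realm: EXAMPLE.COM
    ipareplica_setup_dns: false
    # No idstart here: a replica gets its sub-range from the DNA plugin of
    # the existing server when it first has to allocate a UID/GID.
    # The role takes its server list from the "ipaserver" inventory group,
    # so no explicit server variable is needed.
    ipaclient_configure_dns_resolver: true
    ipaclient_dns_servers:
      - 10.0.0.53
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
```

Run it as `ansible-playbook -i inventory --ask-vault-pass deploy-ipa.yml` (file names assumed). The two plays must stay in this order, since the replica play enrols against a server that already exists; with a dynamic inventory, the cloud plugin has to be configured to put the hosts into those two groups (for example via a `groups:` or `keyed_groups:` mapping), otherwise the replica play has no server to join. Keep the admin and Directory Manager passwords in the vault file rather than in the playbook, because the playbook ends up in version control and the Directory Manager password gives full control over the whole directory.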
Maybe I'm mistaken, however:
Playbook:

- hosts:
    - master2.example.com
  roles:
    - role: freeipa.ansible_freeipa.ipaserver
      vars:
        ipaserver: "{{ inventory_hostname }}"
        ipaserver_hostname: "{{ inventory_hostname }}"
        ipadm_password: SuperSecret123
        ipaadmin_password: SuperSecret123
        ipaserver_ip_addresses: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
        ipaserver_domain: "example.com"
        ipaserver_realm: "EXAMPLE.COM"
        ipaserver_no_host_dns: true
        ipaserver_mem_check: true
        ipaserver_idstart: 6000
        ipaserver_setup_dns: false
        ipaserver_no_pkinit: true

- hosts:
    - master2.example.com
  become: true
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      vars:
        ipaservers: master1.example.com
        ipaserver_hostname: master1.example.com
        ipareplicas: master2.example.com
        ipareplica_domain: example.com
        ipaclient_force_join: true
        ipaadmin_principal: admin
        ipareplica_setup_dns: false
As mentioned, when running with a cloud dynamic inventory this playbook does not work; however, as previously mentioned, when creating a static inventory, it works:

[ipaservers]
master1.example.com

[ipareplicas]
master2.example.com
On Mon, Apr 17, 2023 at 1:14 PM Finn Fysj via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Maybe I'm mistaken, however:
Playbook:
- hosts:
    - master2.example.com
Is it a typo, or you are using the same host for both ipaserver and ipareplica?
  roles:
    - role: freeipa.ansible_freeipa.ipaserver
      vars:
        ipaserver: "{{ inventory_hostname }}"
        ipaserver_hostname: "{{ inventory_hostname }}"
        ipadm_password: SuperSecret123
        ipaadmin_password: SuperSecret123
        ipaserver_ip_addresses: "{{ hostvars[inventory_hostname]['ansible_default_ipv4']['address'] }}"
        ipaserver_domain: "example.com"
        ipaserver_realm: "EXAMPLE.COM"
        ipaserver_no_host_dns: true
        ipaserver_mem_check: true
        ipaserver_idstart: 6000
        ipaserver_setup_dns: false
        ipaserver_no_pkinit: true

- hosts:
    - master2.example.com
  become: true
  roles:
    - role: freeipa.ansible_freeipa.ipareplica
      vars:
        ipaservers: master1.example.com
        ipaserver_hostname: master1.example.com
        ipareplicas: master2.example.com
        ipareplica_domain: example.com
        ipaclient_force_join: true
        ipaadmin_principal: admin
        ipareplica_setup_dns: false
FreeIPA relies, a lot, on DNS, and it must be correctly configured. From what you have shown so far, it seems like you do not have a proper DNS configuration.
Since you are not using FreeIPA's embedded DNS server, you must add the proper records on the external DNS server. On the first server, run the command:
ipa dns-update-system-records --dry-run
This will show you a list of records that must be available.
More information can be found at:
FreeIPA Quick Start: https://www.freeipa.org/page/Quick_Start_Guide
FreeIPA Deployment Recommendations: https://www.freeipa.org/page/Deployment_Recommendations
RHEL IdM First Server installation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
RHEL IdM Replica installation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/htm...
Rafael
As mentioned, when running with a cloud dynamic inventory this playbook does not work; however, as previously mentioned, when creating a static inventory, it works:

[ipaservers]
master1.example.com

[ipareplicas]
master2.example.com
Yes, so I do not want to use FreeIPA as DNS, since the cloud provider already fixes this when I provision the machines + the dynamic inventory. I've tried to modify /etc/hosts on both machines to include each other, as I remember this was somewhat "good practice" from an earlier colleague.
On Mon, Apr 17, 2023 at 2:08 PM Finn Fysj via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
Yes, so I do not want to use FreeIPA as DNS, since the cloud provider already fixes this when I provision the machines + the dynamic inventory. I've tried to modify /etc/hosts on both machines to include each other, as I remember this was somewhat "good practice" from an earlier colleague.
I don't think setting /etc/hosts will scale later, as you will need DNS for usage.
It is possible to use a cloud DNS server, but you must handle it as any other external DNS. Take a look at the documentation links I provided earlier.
Rafael
I will take a look at the documentation. However, I don't really understand why it works as soon as I get it in a static inventory, as all of the machines (including controller) are using same DNS.
Error when using dynamic inventory:
fatal: [master2.example.com]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "all_ip_addresses": false,
            "ca_cert_files": null,
            "configure_firefox": false,
            "domain": "example.com",
            "enable_dns_updates": false,
            "firefox_dir": null,
            "force_ntpd": false,
            "hostname": "master2.example.com",
            "ip_addresses": null,
            "kinit_attempts": 5,
            "nisdomain": null,
            "no_nisdomain": false,
            "no_ntp": false,
            "ntp_pool": null,
            "ntp_servers": null,
            "on_master": false,
            "realm": "EXAMPLE.COM",
            "servers": null
        }
    },
    "msg": "Unable to find IPA Server to join"
}