
A set of useful tips for the effective use of FreeIPA



In day-to-day operation of FreeIPA, non-trivial tasks regularly come up that run into poorly documented or incompletely implemented areas. So I decided to supplement my previous article with a few solutions that will save you some time.

Content:
  1. FreeIPA agent in lxc containers
  2. Library to use API in python
  3. Some words about Ansible modules
  4. FreeIPA agent in debian
  5. Replica in Amazon

FreeIPA agent in lxc containers


In some places we use Proxmox with lxc containers for dev environments. The container template was the standard centos-7-default, version 20170504, which we customized. But after a plain installation of the agent, it refused to work. Analysis showed that this build has no sudo package and that there is no SELinux inside the containers. So, the things that need to be done:


If everything was done without errors during installation and configuration of the agent, then after a restart everything will start working.

If the configs are rolled out with Ansible, you can use these variables:

ansible_virtualization_role == "guest" and ansible_virtualization_type == "lxc" 

Library to use API in Python


In modern versions of FreeIPA a wonderful API has appeared, but we could not find a complete Python library for it. There is a repository on GitHub, but what is implemented there turned out to be very little. Since that solution is distributed under the MIT license, we decided to copy it and extend it ourselves. Our implementation is available at this link.

We will keep extending it as the need arises, but you can already take it, extend it and send the changes back. At the moment only what we needed has been implemented.
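To make the API section more concrete, here is a minimal FreeIPA JSON-RPC client written for this article as an added example; it is not the library linked above and not FreeIPA's own code. It follows the FreeIPA JSON-RPC conventions (password login at /ipa/session/login_password that returns a session cookie, then POST requests to /ipa/session/json with the Referer header set). The server name, user, pinned API version string and the sample responses are constructed for illustration, so the parsing part runs offline.

```python
"""Minimal FreeIPA JSON-RPC client (added example, not the article's library)."""
import json
import urllib.parse
import urllib.request
from http.cookiejar import CookieJar

# API version sent with every call so the server does not complain about
# an unversioned client; the value here is illustrative.
ASSUMED_API_VERSION = "2.229"


class IPAError(Exception):
    """Raised when the server answers with a non-null "error" object."""

    def __init__(self, code, name, message):
        super().__init__(f"{name} ({code}): {message}")
        self.code = code
        self.name = name


def build_request(method, args=(), options=None, request_id=0):
    """Build the JSON-RPC body FreeIPA expects: a list of positional
    arguments plus a dict of options, with the API version pinned."""
    opts = dict(options or {})
    opts.setdefault("version", ASSUMED_API_VERSION)
    return {"method": method, "params": [list(args), opts], "id": request_id}


def parse_response(body):
    """Unwrap a JSON-RPC answer: raise IPAError on error, else return result."""
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    err = data.get("error")
    if err:
        raise IPAError(err.get("code"), err.get("name", "IPAError"),
                       err.get("message", ""))
    return data["result"]


class FreeIPAClient:
    """Cookie-based session client; TLS is verified against the default CA
    store, so in a real deployment the IPA CA chain must be trusted."""

    def __init__(self, server):
        self.base = f"https://{server}/ipa"
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(CookieJar()))
        self._next_id = 0

    def login(self, username, password):
        data = urllib.parse.urlencode(
            {"user": username, "password": password}).encode()
        req = urllib.request.Request(
            self.base + "/session/login_password", data=data, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded",
                     "Accept": "text/plain", "Referer": self.base})
        with self.opener.open(req) as resp:  # session cookie lands in the jar
            if resp.status != 200:
                raise IPAError(resp.status, "LoginError", "login rejected")

    def call(self, method, *args, **options):
        self._next_id += 1
        body = json.dumps(build_request(method, args, options,
                                        self._next_id)).encode()
        req = urllib.request.Request(
            self.base + "/session/json", data=body, method="POST",
            headers={"Content-Type": "application/json",
                     "Accept": "application/json", "Referer": self.base})
        with self.opener.open(req) as resp:
            return parse_response(resp.read())


# Constructed sample answers in the shape FreeIPA returns, so the parsing
# can be exercised without a server.
SAMPLE_OK = json.dumps({
    "result": {"result": {"uid": ["alice"], "memberof_group": ["ipausers"]},
               "value": "alice", "summary": None},
    "error": None, "id": 1, "principal": "admin@EXAMPLE.TEST",
    "version": "4.6.4"})
SAMPLE_NOT_FOUND = json.dumps({
    "result": None,
    "error": {"code": 4001, "message": "bob: user not found",
              "name": "NotFound"},
    "id": 2, "principal": "admin@EXAMPLE.TEST", "version": "4.6.4"})


if __name__ == "__main__":
    # Against a real server (hostname and credentials assumed):
    # ipa = FreeIPAClient("ipa.example.test"); ipa.login("admin", "secret")
    # print(ipa.call("user_show", "alice", all=True)["result"]["uid"])
    print(parse_response(SAMPLE_OK)["result"]["uid"])
```

Every call goes through parse_response, so a server-side error such as NotFound surfaces as a Python exception with the FreeIPA error code instead of being silently returned as a None result.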

Some words about Ansible modules


I should say up front that this concerns Ansible 2.3.1.0 installed via pip. In general, the modules for adding users and groups work fine. But adding sudo rules ran into some problems. The first and most unpleasant: they simply are not added. The error looks like this:

 get_sudorule_diff() takes exactly 2 arguments (3 given) 

The quick fix is quite elementary. In the ipa_sudorule.py module file we need line 307. Here it is:

 diff = get_sudorule_diff(client, ipa_sudorule, module_sudorule) 

We change it to this:

 diff = get_sudorule_diff(ipa_sudorule, module_sudorule) 

After that, adding works. You can read about it here and here, but we have not yet verified those.

The second problem concerns adding options to sudo rules; we plan to get to the bottom of it soon.

FreeIPA agent in debian


Installing the agent on a Debian-like system for some reason causes problems for some people. Here is our variant of deploying the agent on Debian-like systems:

  1. Add the repository key and the repository itself:

     wget -qO - http://apt.numeezy.fr/numeezy.asc | apt-key add -
     echo -e 'deb http://apt.numeezy.fr jessie main' >> /etc/apt/sources.list

  2. Update the package index and install the client:

     apt-get update
     apt-get install -y freeipa-client

  3. Create the NSS database and the runtime directory the installer expects:

     mkdir -p /etc/pki/nssdb
     certutil -N -d /etc/pki/nssdb
     mkdir -p /var/run/ipa

  4. Move the existing default config out of the way:

     mv /etc/ipa/default.conf ~/

  5. Run the installer:

     ipa-client-install

  6. Have home directories created on first login:

     echo 'session required pam_mkhomedir.so' >> /etc/pam.d/common-session

  7. In /etc/nsswitch.conf, add sss to the passwd, group and shadow databases:

     passwd: files sss
     group: files sss
     shadow: files sss

  8. Restart sssd:

     systemctl restart sssd
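Step 7 is the one that is easy to get wrong when the recipe is scripted: appending lines blindly produces duplicate databases, and a second run appends again. The helper below, added here as an example rather than taken from the article, rewrites the nsswitch.conf text so that sss is present exactly once on the passwd, group and shadow lines, whatever sources were there before, and adds a line only for a database that has none. It is written in Python instead of sed so that it can be checked offline on a constructed sample; the /etc/nsswitch.conf path is the default and the sample content is constructed.

```python
"""Idempotent edit of nsswitch.conf for the sssd step (added example)."""
import re
from pathlib import Path

# Databases the FreeIPA client needs to resolve through sssd.
DATABASES = ("passwd", "group", "shadow")


def ensure_sss(text, databases=DATABASES):
    """Return nsswitch.conf content with 'sss' appended to each listed
    database line. Lines that already list sss are left unchanged, comments
    and other databases are untouched, and a database with no line at all
    gets 'files sss' appended at the end of the file."""
    seen = set()
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*)$", line)  # skips '#' comments
        if m and m.group(1) in databases:
            db, sources = m.group(1), m.group(2).split()
            seen.add(db)
            if "sss" not in sources:
                sources.append("sss")
            line = f"{db}: {' '.join(sources)}"
        out.append(line)
    for db in databases:
        if db not in seen:
            out.append(f"{db}: files sss")
    return "\n".join(out) + "\n"


def update_file(path="/etc/nsswitch.conf"):
    """Apply ensure_sss to the file; returns True if it was changed."""
    p = Path(path)
    current = p.read_text()
    updated = ensure_sss(current)
    if updated != current:
        p.write_text(updated)
        return True
    return False


# Constructed sample: a Debian-style file before the edit.
SAMPLE = """# constructed sample nsswitch.conf
passwd:         compat
group:          compat sss
hosts:          files dns
"""

if __name__ == "__main__":
    print(ensure_sss(SAMPLE))
```

On the sample, passwd gets sss appended, group is left as it is, hosts is not touched, and a shadow line is added; running the function on its own output changes nothing, which is the property a configuration step run from Ansible or a shell loop needs.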

Replica in Amazon


As you know, in Amazon the external addresses are not configured directly on the hosts, and the installer does not like that at all. This applies not only to Amazon but to every setup where the external address is not configured directly on the host.

To work around this, it is enough to add the external IP to any interface for the duration of the installation. For example, this can be done with ip addr add:

 ip addr add $ADDR dev $IFACE 

After successful installation and configuration, remove it again with ip addr del:

 ip addr del $ADDR dev $IFACE 

Also, do not forget to use different DNS names for the external and internal addresses, otherwise there will be confusion.

As a result, clients in lxc and on Debian-like systems are entirely feasible and present no particular problems. All these solutions have been working for us for quite a long time without noticeable issues. Managing everything through Ansible is not entirely convenient, but it lets you speed up and automate part of the routine work. As for the Python library, quite a lot still needs to be implemented, but all the basic functions are already there. New ideas are welcome as well.

Source: https://habr.com/ru/post/337454/