freeipa
: Manages IPA masters, replicas and clients.

freeipa::helpers::flushcache
: Flushes the SSSD (sss) cache; Debian and RedHat only.

freeipa::install
: Installs the packages needed for servers and clients.

freeipa::install::client
: Installs the FreeIPA client.

freeipa::install::server
: Defines the options for the ipa install command, then installs a master or a replica depending on the role set.

freeipa::install::server::master
: Installs the FreeIPA server as a master.

freeipa::install::server::replica
: Installs the FreeIPA server as a replica.

manage_admin
: Manage (create or delete) a FreeIPA admin account.
```puppet
class { 'freeipa':
  ipa_role                    => 'master',
  domain                      => 'example.lan',
  ipa_server_fqdn             => 'ipa-server-1.example.lan',
  puppet_admin_password       => 'vagrant123',
  directory_services_password => 'vagrant123',
  install_ipa_server          => true,
  ip_address                  => '10.10.10.35',
  enable_ip_address           => true,
  enable_hostname             => true,
  manage_host_entry           => true,
  install_epel                => true,
  ipa_master_fqdn             => 'ipa-server-1.example.lan',
}
```

The passwords above are plain strings for illustration only. Both password parameters also accept Sensitive values, which keep the secret out of catalogs, reports and logs, and that is what you should use outside a lab.
The following parameters are available in the freeipa class:
domain
ipa_role
puppet_admin_password
directory_services_password
autofs_package_name
client_install_ldaputils
configure_dns_server
configure_ntp
custom_dns_forwarders
principal_usedto_joindomain
password_usedto_joindomain
enable_hostname
enable_ip_address
enable_random_serial_numbers
enable_zone_overlap
fixed_primary
idstart
install_autofs
install_epel
install_sssdtools
ipa_client_package_name
ipa_server_package_name
install_ipa_client
install_ipa_server
install_sssd
ip_address
ipa_server_fqdn
ldaputils_package_name
ipa_master_fqdn
manage_host_entry
mkhomedir
webui_redirect
realm
server_install_ldaputils
sssd_package_name
sssdtools_package_name
install_ca
external_ca
external_ca_type_ms_cs
external_ca_profile
ca_subject
domain
Data type: Stdlib::Fqdn
The name of the IPA domain to create or join.

ipa_role
Data type: Enum['master','replica','client']
The role of this node.

puppet_admin_password
Data type: Variant[String[8],Sensitive[String[8]]]
Password assigned to the IPA account named admin and used by Puppet.

directory_services_password
Data type: Variant[String[8],Sensitive[String[8]]]
Password passed to the IPA installer's --ds-password parameter (the Directory Manager password).

autofs_package_name
Data type: String
Name of the autofs package to install if enabled.
Default value: 'autofs'

client_install_ldaputils
Data type: Boolean
If true, the ldaputils packages are installed when ipa_role is set to client.
Default value: false

configure_dns_server
Data type: Boolean
If true, install and configure an integrated DNS server, create the DNS zone specified by domain, and fill it with the service records needed for the IPA deployment.
Default value: true

configure_ntp
Data type: Boolean
If false, NTP is not configured.
Default value: true

custom_dns_forwarders
Data type: Array[String]
Each element of this array is prefixed with --forwarder and passed to the IPA server installer.
Default value: []

principal_usedto_joindomain
Data type: String
The principal (usually a username) used to join a client or replica to the IPA domain.
Default value: 'admin'

password_usedto_joindomain
Data type: Variant[String,Sensitive[String]]
The password for principal_usedto_joindomain.
Default value: $puppet_admin_password

enable_hostname
Data type: Boolean
If true, the installer flag --hostname is populated with the parameter ipa_server_fqdn and passed to the IPA installer.
Default value: true

enable_ip_address
Data type: Boolean
If true, the installer flag --ip-address is populated with the parameter ip_address and passed to the IPA installer.
Default value: false

enable_random_serial_numbers
Data type: Boolean
If true, the installer flag --random-serial-numbers is added during installation. Only valid on IPA >= 4.10.
Default value: false

enable_zone_overlap
Data type: Boolean
If true, the installer flag --allow-zone-overlap is passed to the IPA installer.
Default value: false

fixed_primary
Data type: Boolean
If true, on a client, configure SSSD to use a fixed server as the primary IPA server. By default a client uses DNS SRV records to determine the primary server.
Default value: false

idstart
Data type: Integer[10000]
From the IPA man pages: "The starting user and group id number".
Default value: 60000

install_autofs
Data type: Boolean
If true, the autofs packages are installed.
Default value: false

install_epel
Data type: Boolean
If true, the EPEL repository is installed. EPEL is usually required for the sssd packages.
Default value: true

install_sssdtools
Data type: Boolean
If true, the sssdtools packages are installed.
Default value: true

ipa_client_package_name
Data type: String
Name of the IPA client package.
Default value:
$facts['os']['family'] ? {
  'Debian' => 'freeipa-client',
  default  => 'ipa-client'
}

ipa_server_package_name
Data type: String
Name of the IPA server package.
Default value: 'ipa-server'

install_ipa_client
Data type: Boolean
If true, the IPA client packages are installed when ipa_role is set to client.
Default value: true

install_ipa_server
Data type: Boolean
If true, the IPA server packages are installed when ipa_role is not set to client.
Default value: true

install_sssd
Data type: Boolean
If true, the sssd packages are installed.
Default value: true

ip_address
Data type: Stdlib::IP::Address
The IP address of this server. If this address does not match the address the host resolves to and configure_dns_server is not true, the installation will fail.

ipa_server_fqdn
Data type: Stdlib::Fqdn
Actual FQDN of the IPA server being configured.
Default value: $facts['networking']['fqdn']

ldaputils_package_name
Data type: String
Name of the ldaputils package.
Default value:
$facts['os']['family'] ? {
  'Debian' => 'ldap-utils',
  default  => 'openldap-clients'
}

ipa_master_fqdn
Data type: Stdlib::Fqdn
FQDN of the server to use for a client or replica domain join.

manage_host_entry
Data type: Boolean
If true, a host entry is created using the parameters ipa_server_fqdn and ip_address.
Default value: false

mkhomedir
Data type: Boolean
If true, on a client, configure PAM to create a user's home directory if it does not exist.
Default value: true

webui_redirect
Data type: Boolean
If true, web requests to the URL root / are redirected to the web UI (e.g. https://example.com/ipa/ui).
Default value: true

realm
Data type: Stdlib::Fqdn
The name of the IPA realm to create or join.
Default value: upcase($domain)

server_install_ldaputils
Data type: Boolean
If true, the ldaputils packages are installed when ipa_role is not set to client.
Default value: true

sssd_package_name
Data type: String
Name of the sssd package.
Default value: 'sssd-common'

sssdtools_package_name
Data type: String
Name of the sssdtools package.
Default value: 'sssd-tools'

install_ca
Data type: Boolean
If true, install and configure a CA, even on a replica.
Default value: true

external_ca
Data type: Boolean
If true, generate a CSR to be signed by an external CA.
Default value: false

external_ca_type_ms_cs
Data type: Boolean
If true, add the option for the CSR to be signed by a Microsoft AD CA (the installer's --external-ca-type=ms-cs).
Default value: false

external_ca_profile
Data type: Array[String]
Array of certificate profiles (OIDs) to set in the generated CSR.
Default value: []

ca_subject
Data type: String
The CA certificate subject DN. RDNs are in LDAP order (most specific RDN first).
Default value: "CN=Certificate Authority,O=${realm}"
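The following manifest is an added example, not code from the module's own documentation. It shows the parameters above used for the other two roles (a replica joined through the master, and an enrolled client), with both password parameters passed as Sensitive values so Puppet redacts them in catalogs, reports and logs. The Hiera keys freeipa::secrets::admin, freeipa::secrets::dirsrv and freeipa::secrets::enroller, the certname ipa-server-2.example.lan and the principal host-enroller are assumptions chosen for the example.

```puppet
# Added example; secrets are looked up from Hiera (assumed keys, store them
# with hiera-eyaml or another secrets backend) and wrapped in Sensitive so
# they never appear in plain text in the catalog or the agent's report.
$admin_pw    = Sensitive(lookup('freeipa::secrets::admin'))
$dirsrv_pw   = Sensitive(lookup('freeipa::secrets::dirsrv'))
$enroller_pw = Sensitive(lookup('freeipa::secrets::enroller'))

case $trusted['certname'] {
  'ipa-server-2.example.lan': {
    # Second server: a replica with its own CA, joined through the master.
    # ip_address must be the address the host actually resolves to, or the
    # installer fails when the module is not managing DNS.
    class { 'freeipa':
      ipa_role                    => 'replica',
      domain                      => 'example.lan',
      ipa_server_fqdn             => 'ipa-server-2.example.lan',
      ipa_master_fqdn             => 'ipa-server-1.example.lan',
      puppet_admin_password       => $admin_pw,
      directory_services_password => $dirsrv_pw,
      ip_address                  => '10.10.10.36',
      enable_ip_address           => true,
      enable_hostname             => true,
      manage_host_entry           => true,
      install_ca                  => true,
    }
  }
  default: {
    # Every other node is an enrolled client. The join is done with a
    # dedicated enrollment principal (assumed name) instead of admin, and
    # fixed_primary pins SSSD to ipa_master_fqdn rather than trusting DNS
    # SRV discovery on the client.
    class { 'freeipa':
      ipa_role                    => 'client',
      domain                      => 'example.lan',
      ipa_master_fqdn             => 'ipa-server-1.example.lan',
      puppet_admin_password       => $admin_pw,
      directory_services_password => $dirsrv_pw,
      principal_usedto_joindomain => 'host-enroller',
      password_usedto_joindomain  => $enroller_pw,
      fixed_primary               => true,
      mkhomedir                   => true,
      install_sssdtools           => false,
    }
  }
}
```

Give the enrollment principal only the FreeIPA Enrollment Administrator role rather than using admin: the password for principal_usedto_joindomain has to be distributed to every client, and a credential that can only enroll hosts limits what an attacker gains from a compromised client.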
freeipa::helpers::flushcache
: Flushes the SSSD (sss) cache; Debian and RedHat only.

```puppet
include freeipa::helpers::flushcache
```
manage_admin
: Manage (create or delete) a FreeIPA admin account.

Supports noop? false

Parameters:

Data type: String[1]
FreeIPA login of the operator running the task.

Data type: String[1]
Password of the operator running the task.

Data type: String[1]
Login name of the managed administrator account.

Data type: Enum['present','absent']
Whether the managed account should exist (present) or not (absent).

Data type: Optional[String[1]]
First name of the managed administrator account.

Data type: Optional[String[1]]
Last name of the managed administrator account.

Data type: Optional[String[8]]
Password of the managed administrator account.