-
Notifications
You must be signed in to change notification settings - Fork 1
/
satellite-configure-LDAPS.yml
52 lines (38 loc) · 2.82 KB
/
satellite-configure-LDAPS.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
---
- hosts: all
tasks:
In IDM:
User Group:
'developer-admin' (Group for developer infrastructure administration)
'developer' (Group of developers)
'ansible-admin' (Group for Ansible Tower admins and */ansible* commands through sudo)... this is a nested group
'operations-admin' (Group for Operations Leads)
'operations-jr-admin' (Group for Junior Admins in Operations, limited control)
'lob' (Group for Line of Business end users)
User:
Tammy Larsen ... uid 'dev-admin' and add 'developer-admin' Group
Jimmy Pesto ... uid 'dev' and add 'developer' Group
Turd Ferguson ... uid 'ops-admin' and add 'operations-admin' Group
Randy Flanders ... uid 'ops-jr' and add 'operations-jr-admin' Group
Louise Belcher ... uid 'lobuser' and add 'lob' Group
Host Group, development-servers.
Create Automember role for development-servers, ipa automember-add --type=hostgroup development-servers
--- need to find out what the regex should be --- Create Automember role condition, ipa automember-add-condition –-key=userclass --type=hostgroup --inclusive-regex=^Development_Servers development-servers
In Satellite:
Create User Group that includes an external user group from IdM. 'developer-admin' (Group for developer infrastructure administration). Assign admin-like role for only the developer environment
Create User Group that includes an external user group from IdM. 'developers' (Group for developers). Assign limited role for developers to view only the systems they own and only have access to Developer environment.
Create User Group that includes an external user group from IdM. 'lob' (Group for Line of Business end users). Assign role to only allow viewing of systemss they own.
- name: Copy ca.crt from IdM server to Satellite
# scp /etc/ipa/ca.crt satellite.rnelson-demo.com:/root/
- name: Use 'install' to install the certificate into /etc/pki/tls/certs/ directory with the correct permissions.
command: /usr/bin/install /root/ca.crt /etc/pki/tls/certs/
- name: Enter the following command as root to trust the ca.crt certificate obtained from the LDAP server
command: ln -s ca.crt /etc/pki/tls/certs/$(openssl x509 -noout -hash -in /etc/pki/tls/certs/ca.crt).0
- name: Restart httpd
service:
name: httpd
state: restarted
- name: Add IdM as Authentication Source
command: hammer auth-source ldap create --name IdM --host {{ idm_hostname }} --port 636 --server-type free_ipa --account {{ idm_register_username }} --account-password {{ idm_register_password }} --base-dn {{ idm_base_suffix }} --organizations {{ satellite_organization }} --locations {{ satellite_location }} --usergroup-sync yes --attr-firstname givenName --attr-lastname sn --attr-login uid --attr-mail mail
#api call to check box for LDAPS
#api call to check box for automatically creating accounts in Satellite the first time someone logs in