Name: freeipa
Category: service
Type: docker
Channel: community

Installs the FreeIPA LDAP server and Web UI. The LDAP service is later used by the WAF to authenticate and authorize users. LDAP users and groups can be managed via the Web UI, available at https://ipa-<owner>-<env>.route53domain (for example: https://ipa-athena-nft.athenapaas.com), or via the athena-users command.

Command

athena-services freeipa

Infrastructure requirements

Preconditions

athena-infrastructure backoffice

Postconditions

athena-infrastructure vpc

Service Requirements

Preconditions

athena-services common,gitolite

Postconditions

athena-services gateway

Parameters

  • vpc_name, vpc_env, route53_domain - used to create the realm IPA-{{vpc_name|upper}}-{{vpc_env|upper}}.{{route53_domain|upper}}

Secrets

Please see platform secrets for more details.

  • passwords/users/<owner>-<env>-ipa.admin - IPA admin user password (for example ~/git/athena/ansible-data-nft/passwords/users/athena-nft-ipa.admin)
  • passwords/users/<owner>-<env>-ipa.ds - Directory Manager user password (for example ~/git/athena/ansible-data-nft/passwords/users/athena-nft-ipa.ds)

Integration

Service user

Create an LDAP system user for each particular consumer (for example: gateway) via the ldap-sysaccount role.

Service endpoint

  • host - ldap.service.consul
  • port - {{ipa_ldap_port}} variable (20389 by default)
  • bind DN - distinguished name of the LDAP system user: uid={{<service>_ldap_user}},cn=sysaccounts,cn=etc,dc={{route53_domain.split('.')[0]}},dc={{route53_domain.split('.')[1]}}, where <service> is the actual service name (for example: gateway)
  • bind password - LDAP service password {{lookup('password', lookup('env','ANSIBLE_DATA')+'/passwords/users/'+vpc_name|lower+'-'+vpc_env|lower+'-'+<service>_ldap_user|lower)}}, where <service> is the actual service name (for example: gateway)

Search path

  • user search - the subtree where users are stored: cn=users,cn=accounts,dc={{route53_domain.split('.')[0]}},dc={{route53_domain.split('.')[1]}}
  • group matching - the subtree where user groups are stored: cn=<group_name>,cn=groups,cn=accounts,dc={{route53_domain.split('.')[0]}},dc={{route53_domain.split('.')[1]}}, where <group_name> is the group to match, inserted dynamically
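The following is an added example, not code from the Athena project, showing how a consumer such as the gateway would derive the bind DN, password file path, search bases and search filters from the variables documented in the Service endpoint and Search path sections above. The sample values (vpc_name athena, vpc_env nft, route53_domain athenapaas.com, service user gateway) are constructed, the attribute names uid and member are assumptions based on FreeIPA's default schema and are not stated on this page, and the code builds strings only; it opens no network connection. It also goes one step beyond the page by escaping the user-supplied login per RFC 4515 before it is placed in the search filter, which is the check that keeps a login name entered at the WAF from changing the meaning of the query.

```python
"""Build FreeIPA LDAP endpoint parameters and search filters for a consumer.

Added example, not part of the Athena project. Mirrors the Jinja templates on
this page; sample values are constructed and attribute names are assumptions.
"""


def base_dn(route53_domain: str) -> str:
    # Equivalent of dc={{route53_domain.split('.')[0]}},dc={{route53_domain.split('.')[1]}}
    parts = route53_domain.split(".")
    if len(parts) < 2:
        raise ValueError("route53_domain must contain at least one dot")
    return f"dc={parts[0]},dc={parts[1]}"


def realm(vpc_name: str, vpc_env: str, route53_domain: str) -> str:
    # Equivalent of IPA-{{vpc_name|upper}}-{{vpc_env|upper}}.{{route53_domain|upper}}
    return f"IPA-{vpc_name.upper()}-{vpc_env.upper()}.{route53_domain.upper()}"


def sysaccount_dn(service_ldap_user: str, route53_domain: str) -> str:
    # Bind DN of the system account created by the ldap-sysaccount role
    return f"uid={service_ldap_user},cn=sysaccounts,cn=etc,{base_dn(route53_domain)}"


def password_file(ansible_data: str, vpc_name: str, vpc_env: str, service_ldap_user: str) -> str:
    # Path the lookup('password', ...) template on this page resolves to
    return (f"{ansible_data}/passwords/users/"
            f"{vpc_name.lower()}-{vpc_env.lower()}-{service_ldap_user.lower()}")


def user_search_base(route53_domain: str) -> str:
    return f"cn=users,cn=accounts,{base_dn(route53_domain)}"


def group_dn(group_name: str, route53_domain: str) -> str:
    return f"cn={group_name},cn=groups,cn=accounts,{base_dn(route53_domain)}"


def escape_filter_value(value: str) -> str:
    # RFC 4515 escaping: backslash, '*', '(', ')' and NUL become \XX hex escapes,
    # so an attacker-chosen login cannot inject extra filter terms.
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(login: str) -> str:
    # Lookup filter run under user_search_base; 'uid' is assumed (FreeIPA default)
    return f"(uid={escape_filter_value(login)})"


def group_member_filter(user_dn: str) -> str:
    # Run with group_dn(...) as the search base to test membership;
    # 'member' is assumed (FreeIPA groups carry member DNs)
    return f"(member={escape_filter_value(user_dn)})"


def endpoint(vpc_name: str, vpc_env: str, route53_domain: str,
             service_ldap_user: str, ipa_ldap_port: int = 20389) -> dict:
    # Everything a consumer needs apart from the password itself
    return {
        "host": "ldap.service.consul",
        "port": ipa_ldap_port,
        "bind_dn": sysaccount_dn(service_ldap_user, route53_domain),
        "user_base": user_search_base(route53_domain),
        "realm": realm(vpc_name, vpc_env, route53_domain),
    }


if __name__ == "__main__":
    # Constructed sample values for the gateway consumer
    print(endpoint("athena", "nft", "athenapaas.com", "gateway"))
    print(password_file("~/git/athena/ansible-data-nft", "athena", "nft", "gateway"))
    print(user_filter("jdoe"))
    print(user_filter("admin*)(uid=*"))  # injection attempt is neutralised
    print(group_member_filter("uid=jdoe," + user_search_base("athenapaas.com")))
```

The port defaults to 20389 as on this page and should be overridden from the ipa_ldap_port variable; the membership check searches the group DN with the escaped user DN as the value, so a group name that arrives from configuration rather than from a request needs no further handling here.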