On 27/09/2023 22.00, Andrew Imeson via FreeIPA-users wrote:
The password can be stored in Ansible Vault, prompted for, or
whatever preferred Ansible secret management strategy you employ.
I run it from the FreeIPA nodes, so it’s over an encrypted SSH session and then done via
the loopback. It’s also using “ldaps” not “ldap,” so even a privileged used sniffing on
the loopback wouldn’t see it (although a privileged user would have a hundred other ways
to potentially gain access).
It may be easier to use ipa-ldap-updater as root. The command uses LDAP
over Unix sockets for secure communication and authentication. You don't
have to pass any additional options like shost, port, or password. The
update syntax is based on LDIF, but shorter and IMO easier to read.
Create a file "rootdse.update" with content:
dn: cn=config
only: nsslapd-allow-anonymous-access: rootdse
then run "ipa-ldap-updater rootdse.update" on every IPA server. Changes
to cn=config are not replicated.
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH,
https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill