Ansible Vars for PAM Automation

The vars file is one of three input files needed to deploy PAM with Ansible:

• Inventory File (mypam.ini or similar name)
• Vars File (mypam.vars or similar name)
• Vault File (mypam.vault or similar name)

The vars file is a YAML file typically named mypam.vars or other similar name. The PAM CDM package includes an example vars file example.vars that may be used as a template or starting point.

The vars file is unencrypted and should only be used to store non-secret input values. Secret input values should be stored in the vault file instead.

Passing Vars to Ansible Playbooks

The vars file should be formatted as a simple YAML dictionary of name/value pairs:

name1: value1
name2: value2
name3: value3

Vars may be set individually on the ansible-playbook command line:

ansible-playbook -e name1=value1 -e name2=value2 -e name3=value3

But it is often more convenient to pass a vars file instead:

  ansible-playbook -e @mypam.vars

Supported Vars for Ansible PAM Deployments

The following vars are recognized by the PAM deployment playbooks. Both secret and non-secret vars are included. Variables marked secret should stored in the vault file, not the vars file.

Some vars are required, some are optional, and some are only needed for specific PAM deployment scenarios. The recommended process is to go through the list and decide if your PAM deployment needs each variable. If so, set the variable in your vars file (or vault file if it is a secret).

ansible_linux_username

• The SSH username that Ansible will use to connect to all Linux hosts in the inventory.
• It is assumed that Ansible will use the same SSH username and password for all Linux hosts.
• This is a required input.

ansible_linux_password (secret)

• The SSH password that Ansible will use to connect to all Linux hosts in the inventory.
• This is a required input.

pam_admin_username

• The PAM system administrator login account name.
• Default value is pamadmin.
• This is an optional input.

pam_admin_password (secret)

• The initial PAM system administrator login password.
• This is a required input.

pam_crypt_password (secret)

• The password used to encrypt the master password after PAM installation.
• This password should be long and strong (24 characters or more).
• Recommend to use a password generator to generate a strong random password.
• This is a required input.

pam_database_type

• Database type for PAM external database integration.
• Supported values: MSSQL|PostgreSql|MySQL|Oracle
• Required for external database integration.
• Leave unset for Ansible-managed PostgreSQL or embedded Apache Derby.

pam_database_server

• Database server for PAM external database integration.
• Required for external database integration.
• Leave unset for Ansible-managed PostgreSQL or embedded Apache Derby.

pam_database_username

• Database username for PAM database integration.
• For external database integration, this is a required input. Use the database username provided by the database administrator.
• For Ansible-managed PostgreSQL, this is a required input. Recommended value is pam. Ansible will automatically create this account after installing PostgreSQL.
• For Ansible-managed PostgreSQL, do not use the default postgres account.
• For embedded Apache Derby, leave this var unset.

pam_database_password (secret)

• Database password for PAM database integration.
• For external database integration, this is a required input. Use the database password provided by the database administrator.
• For Ansible-managed PostgreSQL, this is a required input. Ansible will create the database account with this password.
• For embedded Apache Derby, leave this var unset.

pam_frontend_hostname

• Frontend hostname for PAM external load balancer.
• For PAM deployments with an external load balancer, this is a required var.
• For PAM deployments with Ansible-managed Apache load balancer, leave this var unset.
• For single-master PAM deployments without a load balancer, leave this var unset.

pam_frontend_port

• Frontend port for the PAM external load balancer.
• Default value is 6443.
• Ignored unless pam_frontend_hostname is set.

pam_install_folder

• PAM installation folder. Default value is /pam.
• Ansible will create the folder before installing PAM. It must not exist before running the Ansible playbooks.

pam_ldap_server

• Optional server for PAM LDAP integration.
• Recommended format is hostname:port to get the correct connection type (SSL vs. non-SSL).
• If unset, LDAP will not be configured during PAM installation (can be setup manually as a post-install action).

pam_ldap_user

• Username for PAM LDAP integration.
• Required if pam_ldap_server is set. Ignored otherwise.

pam_ldap_password (secret)

• Password for PAM LDAP integration.
• Required if pam_ldap_server is set. Ignored otherwise.

pam_master_password (secret)

• The PAM master password.
• By default, the PAM installers will generate a new random master password.
• This var may be set in the Ansible vault to set a specific master password instead.
• For most PAM deployment scenarios this should be left unset.
• If set, it should be 32 characters, alphanumeric, no special characters.