This Ansible Playbook configures an existing virtual machine in the European Weather Cloud (EWC) to disenroll from a IPA server.

IPA provides integrated identity management and DNS services for centralized user authentication, authorization, and resource discovery. This template safely removes a VM from a FreeIPA-managed environment, which is essential when decommissioning infrastructure to prevent stale entries in the IPA directory—such as obsolete host records, and DNS pointers—that could lead to management overhead, naming conflicts or security vulnerabilities from lingering credentials.

Suitable for both tenant admin and tenant users, this template streamlines client removal, ensuring a clean and efficient identity system. The end benefit for users is reduced administrative burden, improved security posture, and easier scaling or redeployment of resources. Follow the instructions below to disenroll your instance.

Functionality

The template is designed to:

• Configure a pre-existing virtual machine, previously enrolled (likely with help of the IPA client template) to disconnect from an IPA server.
• Disable user authentication and authorization (LDAP) for the target instance.
• Remove IPA server-internal DNS records referencing the target instance, if present.

Prerequisites

💡 Versions listed correspond to minimal prerequisites.

To successfully run this playbook, the following packages should be available in your work environment:

Usage

1. Download Ansible dependencies

💡 By default, Ansible Roles are installed under the ~/.ansible/roles directory within your working environment.

Download the correct version of the Ansible dependencies, if you haven't done so already:

ansible-galaxy role install -r requirements.yml

2. Specify the target host and SSH credentials

💡 To find out which is the default user for your chosen VM image, checkout the official EWC documentation.

Create an inventory file to specify address/credentials that Ansible should use to reach the virtual machine you wish to configure:

# inventory.yml
---
ewcloud:
  hosts:
    ipa_client:
      ansible_python_interpreter: /usr/bin/python3
      ansible_host: <add the IPV4 address of the target host>
      ansible_ssh_private_key_file: <add the path to local SSH private key file>
      ansible_user: <add the default user according to your chosen VM image>
      ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new

3. Configure and apply the template

3.1. Interactive Mode

By running the following command, you can trigger an interactive session that prompts you for the necessary user inputs, and then applies changes to your target EWC environment:

ansible-playbook -i inventory.yml ipa-client-disenroll-flavour.yml

3.2. Non-Interactive Mode

💡 To learn more about defining variables at runtime, checkout the official Ansible documentation.

You can also run in non-interactive mode by passing the --extra-vars or -e flag, followed by a map of key-value pairs; one for each and every available input (see inputs section below). For example:

ansible-playbook \
  -i inventory.yml \
  -e '{
      "ipa_domain": "eumetsat.sandbox.ewc",
      "ipa_client_hostname": "ipa-client-1",
      "ipa_server_hostname": "ipa-server-1",
      "ipa_admin_username": "ipaadmin",
      "ipa_admin_password": "my-secret-password"
    }' \
  ipa-client-disenroll-flavour.yml

Inputs

Dependencies