roles/ipaclient: New ipaclient_use_otp setting to force otp usage

The use of otp can be forced to not transfer the admin password while setting up the ipa client. Only the one-time-password will be transferred to the client machine. ipaclient_password will be overwritten by the otp password.
2026-06-23 09:14:43 +00:00 · 2017-09-15 12:49:22 +02:00
parent c088e3f9a6
commit 2d95d0df95
2 changed files with 6 additions and 3 deletions
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -5,3 +5,4 @@ ipaclient_force_join: no
 ipaclient_ntp: no
 ipaclient_mkhomedir: no
 ipaclient_kinit_attempts: 5
 ipaclient_use_otp: "false"
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -17,9 +17,11 @@
  register: ipadiscovery
 # The following block is executed when using OTP to enroll IPA client
-# ie when neither ipaclient_password not ipaclient_keytab is set
+# ie when ipaclient_use_otp is set.
 # It connects to ipaserver and add the host with --random option in order
 # to create a OneTime Password
 # If a keytab is specified in the hostent, then the hostent will be disabled
 # if ipaclient_use_otp is set.
 - block:
  - name: Install - Get a One-Time Password for client enrollment
    ipahost:
@@ -38,9 +40,9 @@
  - name: Install - Store the previously obtained OTP
    set_fact:
-      ipaclient_otp: "{{ipahost_output.host.randompassword if ipahost_output.host is defined else 'dummyotp' }}"
+      ipaclient_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"
-  when: ipaclient_password is not defined and ipaclient_keytab is not defined
+  when: ipaclient_use_otp | bool
 - fail: msg="At least one of password, keytab or otp must be specified"
  when: ipaclient_password is undefined and ipaclient_keytab is undefined and ipaclient_otp is undefined