ipaclient: Make krb5 DNS lookup possible in cluster environments

krb5 DNS discovery was not possible in cluster environments as the server
list from groups.ipaserver was used all the time. DNS discovery is though
only used if no servers are given.

The new setting ipaclient_no_dns_lookup has been added to make sure that
DNS lookup is used in the first place and can be disabled easily with this
setting. There is also a new way to override servers per client in the
inventory file with ipaclient_servers.

Two new settings have been added:

ipaclient_no_dns_lookup (bool, default: no)
  Set to 'yes' to use groups.ipaserver in cluster environments as servers
  for the clients. This deactivates DNS lookup in krb5.

ipaclient_servers (list of strings, default: undefined)
  Manually override list of servers for example in a cluster environment on
  a per client basis. The list of servers is normally taken from from
  groups.ipaserver in cluster environments.

CLIENT.md

@@ -109,6 +109,15 @@ Variables
 **ipaclient_mkhomedir** - Set to yes to configure PAM to create a users home directory if it does not exist.
  (string, optional)
 
+Cluster Specific Variables
+--------------------------
+
+**ipaclient_no_dns_lookup** - Set to 'yes' to use groups.ipaserver in cluster environments as servers for the clients. This deactivates DNS lookup in krb5.
+ (bool, optional, default: 'no')
+
+**ipaclient_servers** - Manually override list of servers for example in a cluster environment on a per client basis. The list of servers is normally taken from from groups.ipaserver in cluster environments.
+ (list of strings, optional)
+
 Requirements
 ------------
 

roles/ipaclient/defaults/main.yml

@@ -9,3 +9,4 @@ ipaclient_use_otp: no
 ipaclient_allow_repair: no
 ipaclient_on_master: no
 ipaclient_no_ntp: no
+ipaclient_no_dns_lookup: no

roles/ipaclient/tasks/install.yml

@@ -11,10 +11,20 @@
   include: "{{role_path}}/tasks/python_2_3_test.yml"
   static: yes
 
+- name: Install - Set ipaclient_servers
+  set_fact:
+    ipaclient_servers: "{{ groups['ipaservers'] | list }}"
+  when: groups.ipaservers is defined and ipaclient_servers is not defined
+
+- name: Install - Set ipaclient_servers from cluster inventory
+  set_fact:
+    ipaclient_servers: "{{ groups['ipaserver'] | list }}"
+  when: ipaclient_no_dns_lookup | bool and groups.ipaserver is defined and ipaclient_servers is not defined
+
 - name: Install - IPA discovery
   ipadiscovery:
     domain: "{{ ipaserver_domain | default(ipaclient_domain) | default(omit) }}"
-    servers: "{{ groups.ipaserver | default(groups.ipaservers) | default(omit) }}"
+    servers: "{{ ipaclient_servers | default(omit) }}"
     realm: "{{ ipaserver_realm | default(ipaclient_realm) | default(omit) }}"
     hostname: "{{ ipaclient_hostname | default(ansible_fqdn) }}"
     ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"