ipaclient/action_plugins/ipaclient_get_otp: Only require gssapi for keytab

gssapi is only needed for OTP if keytab is used. The common case with password does not require gssapi. This change also fixes the new ansible 2.8 failure if gssapi is not installed on the controller. Ansible 2.8 seems to also transfer and load action plugins to the node if they are not used.
2026-05-06 13:23:14 +00:00 · 2019-05-31 17:14:19 +02:00
parent 1b1198a091
commit 5bdaa9aa6f
2 changed files with 8 additions and 2 deletions
--- a/README.md
+++ b/README.md
@@ -31,7 +31,7 @@ Requirements

 **Controller**
 * Ansible version: 2.5+
-* python3-gssapi is required on the controller if a one time password (OTP) is used to install the client.
+* python3-gssapi is required on the controller if a one time password (OTP) is used with keytab to install the client.

 **Node**
 * Supported FreeIPA version (see above)
--- a/roles/ipaclient/action_plugins/ipaclient_get_otp.py
+++ b/roles/ipaclient/action_plugins/ipaclient_get_otp.py
@@ -17,7 +17,10 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

-import gssapi
+try:
+    import gssapi
+except ImportError:
+    gssapi = None
 import os
 import shutil
 import subprocess
@@ -76,6 +79,9 @@ def kinit_keytab(principal, keytab, ccache_name, config):
    Perform kinit using principal/keytab, with the specified config file
    and store the TGT in ccache_name.
    """
+    if gssapi is None:
+        raise ImportError("gssapi is not available")
+
    old_config = os.environ.get('KRB5_CONFIG')
    os.environ['KRB5_CONFIG'] = config
    try: