internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-05-07 13:53:23 +00:00
Code Issues Projects Releases Wiki Activity

ipaclient role: Fix naming of modules, action_plugins and registered vars

Browse Source 
The naming in the ipaclient role has not been following the naming scheme
and conventions used in the ipaserver and ipareplica roles. Also registered
results of modules and commands have not been unsing the result_ prefix as
in the other roles. All this has been fixed and the naming is consistent
now.

These are the renames:

ipahost -> ipaclient_get_otp
ipaapi -> ipaclient_api
ipaextras -> ipaclient_extras
ipafixca -> ipaclient_fix_ca
ipafstore -> ipaclient_fstore
ipa_facts -> ipaclient_get_facts
ipahost -> ipaclient_get_otp
ipajoin -> ipaclient_join
ipanss -> ipaclient_setup_nss
ipasssd -> ipaclient_setup_sssd
ipadiscovery -> ipaclient_test
ipatest -> ipaclient_test_keytab
This commit is contained in:
Thomas Woerner
2019-03-21 13:11:40 +01:00
parent 0a67c03116
commit 7c378d9c4d
15 changed files with 146 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
roles/ipa-krb5/tasks/main.yml
View File

@@ -8,7 +8,7 @@
failed_when: false
- name: Install - Backup krb5.conf
ipafstore:
ipaclient_fstore:
backup: "{{ krb5_conf }}"
- name: Template krb5.conf

2
roles/ipaclient/action_plugins/ipahost.py → roles/ipaclient/action_plugins/ipaclient_get_otp.py
View File

@@ -162,7 +162,7 @@ class ActionModule(ActionBase):
result['msg'] = "principal is required"
return result
data = self._execute_module(module_name='ipa_facts', module_args=dict(),
data = self._execute_module(module_name='ipaclient_get_facts', module_args=dict(),
task_vars={ "ansible_python_interpreter": ansible_python_interpreter })
try:
domain = data['ansible_facts']['ipa']['domain']

6
roles/ipaclient/library/ipaapi.py → roles/ipaclient/library/ipaclient_api.py
View File

@@ -28,7 +28,7 @@ ANSIBLE_METADATA = {'metadata_version': '1.0',
DOCUMENTATION = '''
---
module: ipaapi
module: ipaclient_api
short description: Create temporary NSS database, call IPA API for remaining enrollment parts
description:
Create temporary NSS database, call IPA API for remaining enrollment parts
@@ -50,11 +50,11 @@ author:
EXAMPLES = '''
- name: IPA API calls for remaining enrollment parts
ipaapi:
ipaclient_api:
servers: ["server1.example.com","server2.example.com"]
domain: example.com
hostname: client1.example.com
register: ipaapi
register: result_ipaclient_api
'''
RETURN = '''

4
roles/ipaclient/library/ipaextras.py → roles/ipaclient/library/ipaclient_extras.py
View File

@@ -30,7 +30,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipaextras
module: ipaclient_extras
short description: Configure IPA extras
description:
Configure IPA extras
@@ -106,7 +106,7 @@ author:
EXAMPLES = '''
- name: IPA extras configurations
ipaextras:
ipaclient_extras:
servers: ["server1.example.com","server2.example.com"]
domain: example.com
'''

4
roles/ipaclient/library/ipafixca.py → roles/ipaclient/library/ipaclient_fix_ca.py
View File

@@ -28,7 +28,7 @@ ANSIBLE_METADATA = {'metadata_version': '1.0',
DOCUMENTATION = '''
---
module: ipafixca
module: ipaclient_fix_ca
short description: Fix IPA ca certificate
description:
Repair Fix IPA ca certificate
@@ -54,7 +54,7 @@ author:
EXAMPLES = '''
- name: Fix IPA ca certificate
ipafixca:
ipaclient_fix_ca:
servers: ["server1.example.com","server2.example.com"]
realm: EXAMPLE.COM
basedn: dc=example,dc=com

4
roles/ipaclient/library/ipafstore.py → roles/ipaclient/library/ipaclient_fstore.py
View File

@@ -30,7 +30,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: fstore
module: ipaclient_fstore
short description: Backup files using IPA client sysrestore
description:
Backup files using IPA client sysrestore
@@ -44,7 +44,7 @@ author:
EXAMPLES = '''
- name: Backup /etc/krb5.conf
ipafstore:
ipaclient_fstore:
backup: "/etc/krb5.conf"
'''

20
roles/ipaclient/library/ipa_facts.py → roles/ipaclient/library/ipaclient_get_facts.py
View File

@@ -136,7 +136,7 @@ def main():
# The module does not change anything, meaning that
# check mode is supported
ipa_facts = dict(
facts = dict(
packages= dict(
ipalib=HAS_IPALIB,
ipaserver=HAS_IPASERVER,
@@ -153,23 +153,23 @@ def main():
if HAS_IPALIB:
if is_client_configured():
ipa_facts['configured']['client'] = True
facts['configured']['client'] = True
ipa_facts['version'] = get_ipa_version()
facts['version'] = get_ipa_version()
for key,value in six.iteritems(get_ipa_conf()):
ipa_facts[key] = value
facts[key] = value
if HAS_IPASERVER:
if is_server_configured():
ipa_facts['configured']['server'] = True
ipa_facts['configured']['dns'] = is_dns_configured()
ipa_facts['configured']['ca'] = is_ca_configured()
ipa_facts['configured']['kra'] = is_kra_configured()
ipa_facts['configured']['ntpd'] = is_ntpd_configured()
facts['configured']['server'] = True
facts['configured']['dns'] = is_dns_configured()
facts['configured']['ca'] = is_ca_configured()
facts['configured']['kra'] = is_kra_configured()
facts['configured']['ntpd'] = is_ntpd_configured()
module.exit_json(
changed=False,
ansible_facts=dict(ipa=ipa_facts)
ansible_facts=dict(ipa=facts)
)
if __name__ == '__main__':

14
roles/ipaclient/library/ipahost.py → roles/ipaclient/library/ipaclient_get_otp.py
View File

@@ -26,7 +26,7 @@ ANSIBLE_METADATA = {'metadata_version': '1.0',
DOCUMENTATION = '''
---
module: ipahost
module: ipaclient_get_otp
short description: Manage IPA hosts
description:
Manage hosts in a IPA domain.
@@ -84,28 +84,28 @@ author:
EXAMPLES = '''
# Example from Ansible Playbooks
# Add a new host with a random OTP, authenticate using principal/password
- ipahost:
- ipaclient_get_otp:
principal: admin
password: MySecretPassword
fqdn: ipaclient.ipa.domain.com
ipaddress: 192.168.100.23
random: True
register: ipahost
register: result_ipaclient_get_otp
# Add a new host, authenticate with a keytab stored on the controller node
- ipahost:
- ipaclient_get_otp:
keytab: admin.keytab
fqdn: ipaclient.ipa.domain.com
# Remove a host, authenticate using principal/password
- ipahost:
- ipaclient_get_otp:
principal: admin
password: MySecretPassword
fqdn: ipaclient.ipa.domain.com
state: absent
# Modify a host, add ssh public key:
- ipahost:
- ipaclient_get_otp:
principal: admin
password: MySecretPassword
fqdn: ipaclient.ipa.domain.com
@@ -355,7 +355,7 @@ def main():
changed = ensure_host_absent(module, api, host)
except Exception as e:
module.fail_json(msg="ipahost module failed : %s" % str(e))
module.fail_json(msg="ipaclient_get_otp module failed : %s" % str(e))
finally:
run([paths.KDESTROY], raiseonerr=False, env=os.environ)

6
roles/ipaclient/library/ipajoin.py → roles/ipaclient/library/ipaclient_join.py
View File

@@ -30,7 +30,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipajoin
module: ipaclient_join
short description: Join a machine to an IPA realm and get a keytab for the host service principal
description:
Join a machine to an IPA realm and get a keytab for the host service principal
@@ -88,7 +88,7 @@ author:
EXAMPLES = '''
# Join IPA to get the keytab
- name: Join IPA in force mode with maximum 5 kinit attempts
ipajoin:
ipaclient_join:
servers: ["server1.example.com","server2.example.com"]
domain: example.com
realm: EXAMPLE.COM
@@ -102,7 +102,7 @@ EXAMPLES = '''
# Join IPA to get the keytab using ipadiscovery return values
- name: Join IPA
ipajoin:
ipaclient_join:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"

8
roles/ipaclient/library/ipanss.py → roles/ipaclient/library/ipaclient_setup_nss.py
View File

@@ -30,8 +30,8 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipanss
short description: Create IPA NSS database
module: ipaclient_setup_nss
short description: Create IPA client NSS database
description:
Create IPA NSS database
options:
@@ -77,8 +77,8 @@ author:
'''
EXAMPLES = '''
- name: Create IPA NSS database
ipanss:
- name: Create IPA client NSS database
ipaclient_setup_nss:
servers: ["server1.example.com","server2.example.com"]
domain: example.com
realm: EXAMPLE.COM

8
roles/ipaclient/library/ipasssd.py → roles/ipaclient/library/ipaclient_setup_sssd.py
View File

@@ -30,10 +30,10 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: sssd_conf
short description: Configure sssd
module: ipaclient_setup_sssd
short description: Configure sssd for IPA client
description:
Configure sssd
Configure sssd for IPA client
options:
servers:
description: The FQDN of the IPA servers to connect to.
@@ -93,7 +93,7 @@ author:
EXAMPLES = '''
- name: Configure SSSD
sssd:
ipaclient_setup_sssd:
servers: ["server1.example.com","server2.example.com"]
domain: example.com
realm: EXAMPLE.COM

32
roles/ipaclient/library/ipadiscovery.py → roles/ipaclient/library/ipaclient_test.py
View File

@@ -30,7 +30,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipadiscovery
module: ipaclient_test
short description: Tries to discover IPA server
description:
Tries to discover IPA server using DNS or host name
@@ -85,34 +85,34 @@ author:
'''
EXAMPLES = '''
# Complete autodiscovery, register return values as ipadiscovery
# Complete autodiscovery, register return values as ipaclient_test
- name: IPA discovery
ipadiscovery:
register: ipadiscovery
ipaclient_test:
register: register_ipaclient_test
# Discovery using servers, register return values as ipadiscovery
# Discovery using servers, register return values as ipaclient_test
- name: IPA discovery
ipadiscovery:
ipaclient_test:
servers: server1.domain.com,server2.domain.com
register: ipadiscovery
register: register_ipaclient_test
# Discovery using domain name, register return values as ipadiscovery
# Discovery using domain name, register return values as ipaclient_test
- name: IPA discovery
ipadiscovery:
ipaclient_test:
domain: domain.com
register: ipadiscovery
register: register_ipaclient_test
# Discovery using realm, register return values as ipadiscovery
# Discovery using realm, register return values as ipaclient_test
- name: IPA discovery
ipadiscovery:
ipaclient_test:
realm: DOMAIN.COM
register: ipadiscovery
register: register_ipaclient_test
# Discovery using hostname, register return values as ipadiscovery
# Discovery using hostname, register return values as ipaclient_test
- name: IPA discovery
ipadiscovery:
ipaclient_test:
hostname: host.domain.com
register: ipadiscovery
register: register_ipaclient_test
'''
RETURN = '''

16
roles/ipaclient/library/ipatest.py → roles/ipaclient/library/ipaclient_test_keytab.py
View File

@@ -30,7 +30,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = '''
---
module: ipatest
module: ipaclient_test_keytab
short description: Test if the krb5.keytab on the machine is valid and can be used.
description:
Test if the krb5.keytab on the machine is valid and can be used.
@@ -64,7 +64,7 @@ author:
EXAMPLES = '''
# Test IPA with local keytab
- name: Test IPA in force mode with maximum 5 kinit attempts
ipatest:
ipaclient_test_keytab:
servers: ["server1.example.com","server2.example.com"]
domain: example.com
realm: EXAMPLE.COM
@@ -74,7 +74,7 @@ EXAMPLES = '''
# Test IPA with ipadiscovery return values
- name: Join IPA
ipajoin:
ipaclient_test_keytab:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"
@@ -94,7 +94,7 @@ krb5_conf_ok:
description: The flag describes if krb5.conf on the host is usable.
returned: always
type: bool
ipa_test_ok:
ping_test_ok:
description: The flag describes if ipa ping test succeded.
returned: always
type: bool
@@ -143,7 +143,7 @@ def main():
krb5_keytab_ok = False
krb5_conf_ok = False
ipa_test_ok = False
ping_test_ok = False
ca_crt_exists = os.path.exists(paths.IPA_CA_CRT)
env = {'PATH': SECURE_PATH, 'KRB5CCNAME': paths.IPA_DNS_CCACHE}
@@ -160,7 +160,7 @@ def main():
try:
result = run(["/usr/bin/ipa", "ping"], raiseonerr=False, env=env)
if result.returncode == 0:
ipa_test_ok = True
ping_test_ok = True
except OSError:
pass
except GSSError as e:
@@ -197,7 +197,7 @@ def main():
result = run(["/usr/bin/ipa", "ping"], raiseonerr=False,
env=env)
if result.returncode == 0:
ipa_test_ok = True
ping_test_ok = True
except OSError:
pass
@@ -214,7 +214,7 @@ def main():
krb5_keytab_ok=krb5_keytab_ok,
krb5_conf_ok=krb5_conf_ok,
ca_crt_exists=ca_crt_exists,
ipa_test_ok=ipa_test_ok)
ping_test_ok=ping_test_ok)
if __name__ == '__main__':
main()

164
roles/ipaclient/tasks/install.yml
View File

@@ -22,7 +22,7 @@
when: ipaclient_no_dns_lookup | bool and groups.ipaserver is defined and ipaclient_servers is not defined
- name: Install - IPA discovery
ipadiscovery:
ipaclient_test:
domain: "{{ ipaserver_domain | default(ipaclient_domain) | default(omit) }}"
servers: "{{ ipaclient_servers | default(omit) }}"
realm: "{{ ipaserver_realm | default(ipaclient_realm) | default(omit) }}"
@@ -32,7 +32,7 @@
ntp_servers: "{{ ipaclient_ntp_servers | default([]) }}"
ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
no_ntp: "{{ ipaclient_no_ntp }}"
register: ipadiscovery
register: result_ipaclient_test
- name: Install - Set default principal if no keytab is given
set_fact:
@@ -46,19 +46,19 @@
- block:
- name: Install - Test if IPA client has working krb5.keytab
ipatest:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"
hostname: "{{ ipadiscovery.hostname }}"
kdc: "{{ ipadiscovery.kdc }}"
ipaclient_test_keytab:
servers: "{{ result_ipaclient_test.servers }}"
domain: "{{ result_ipaclient_test.domain }}"
realm: "{{ result_ipaclient_test.realm }}"
hostname: "{{ result_ipaclient_test.hostname }}"
kdc: "{{ result_ipaclient_test.kdc }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
register: ipatest
register: result_ipaclient_test_keytab
- name: Install - Disable One-Time Password for client with working krb5.keytab
set_fact:
ipaclient_use_otp: "no"
when: ipaclient_use_otp | bool and ipatest.krb5_keytab_ok and not ipaclient_force_join | bool
when: ipaclient_use_otp | bool and result_ipaclient_test_keytab.krb5_keytab_ok and not ipaclient_force_join | bool
# The following block is executed when using OTP to enroll IPA client
@@ -77,30 +77,30 @@
- name: Install - Include Python2/3 import test
import_tasks: "{{role_path}}/tasks/python_2_3_test.yml"
delegate_to: "{{ ipadiscovery.servers[0] }}"
delegate_to: "{{ result_ipaclient_test.servers[0] }}"
- name: Install - Get One-Time Password for client enrollment
#no_log: yes
ipahost:
ipaclient_get_otp:
state: present
principal: "{{ ipaadmin_principal | default('admin') }}"
password: "{{ ipaadmin_password | default(omit) }}"
keytab: "{{ ipaadmin_keytab | default(omit) }}"
fqdn: "{{ ipadiscovery.hostname }}"
fqdn: "{{ result_ipaclient_test.hostname }}"
lifetime: "{{ ipaclient_lifetime | default(omit) }}"
random: True
ansible_python_interpreter: "{{ ansible_python_interpreter }}"
register: ipahost_output
register: result_ipaclient_get_otp
# If the host is already enrolled, this command will exit on error
# The error can be ignored
failed_when: ipahost_output is failed and "Password cannot be set on enrolled host" not in ipahost_output.msg
delegate_to: "{{ ipadiscovery.servers[0] }}"
failed_when: result_ipaclient_get_otp is failed and "Password cannot be set on enrolled host" not in result_ipaclient_get_otp.msg
delegate_to: "{{ result_ipaclient_test.servers[0] }}"
delegate_facts: True
- name: Install - Store the previously obtained OTP
no_log: yes
set_fact:
ipaadmin_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"
ipaadmin_password: "{{ result_ipaclient_get_otp.host.randompassword if result_ipaclient_get_otp.host is defined }}"
- name: Install - Restore client ansible_python_interpreter setting
set_fact:
@@ -115,42 +115,42 @@
- name: Install - Check if one of password and keytab are set
fail: msg="At least one of password or keytab must be specified"
when: not ipatest.krb5_keytab_ok and (ipaadmin_password is undefined or ipaadmin_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")
when: not result_ipaclient_test_keytab.krb5_keytab_ok and (ipaadmin_password is undefined or ipaadmin_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")
when: not ipaclient_on_master | bool
- name: Install - Purge {{ ipadiscovery.realm }} from host keytab
- name: Install - Purge {{ result_ipaclient_test.realm }} from host keytab
command: >
/usr/sbin/ipa-rmkeytab
-k /etc/krb5.keytab
-r "{{ ipadiscovery.realm }}"
register: iparmkeytab
-r "{{ result_ipaclient_test.realm }}"
register: result_ipa_rmkeytab
# Do not fail on error codes 3 and 5:
# 3 - Unable to open keytab
# 5 - Principal name or realm not found in keytab
failed_when: iparmkeytab.rc != 0 and iparmkeytab.rc != 3 and iparmkeytab.rc != 5
failed_when: result_ipa_rmkeytab.rc != 0 and result_ipa_rmkeytab.rc != 3 and result_ipa_rmkeytab.rc != 5
when: ipaclient_use_otp | bool or ipaclient_force_join | bool
- name: Install - Backup and set hostname
ipaclient_set_hostname:
hostname: "{{ ipadiscovery.hostname }}"
hostname: "{{ result_ipaclient_test.hostname }}"
when: not ipaclient_on_master | bool
- name: Install - Join IPA
ipajoin:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"
kdc: "{{ ipadiscovery.kdc }}"
basedn: "{{ ipadiscovery.basedn }}"
hostname: "{{ ipadiscovery.hostname }}"
ipaclient_join:
servers: "{{ result_ipaclient_test.servers }}"
domain: "{{ result_ipaclient_test.domain }}"
realm: "{{ result_ipaclient_test.realm }}"
kdc: "{{ result_ipaclient_test.kdc }}"
basedn: "{{ result_ipaclient_test.basedn }}"
hostname: "{{ result_ipaclient_test.hostname }}"
force_join: "{{ ipaclient_force_join | default(omit) }}"
principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool and ipaclient_keytab is not defined else '' }}"
password: "{{ ipaadmin_password | default(omit) }}"
keytab: "{{ ipaclient_keytab | default(omit) }}"
#ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
register: ipajoin
when: not ipaclient_on_master | bool and (not ipatest.krb5_keytab_ok or ipaclient_force_join)
register: result_ipaclient_join
when: not ipaclient_on_master | bool and (not result_ipaclient_test_keytab.krb5_keytab_ok or ipaclient_force_join)
- block:
- name: Install - End playbook processing
@@ -159,33 +159,33 @@
state: absent
- fail:
msg: "The krb5 configuration is not correct, please enable allow_repair to fix this."
when: not ipatest.krb5_conf_ok
when: not result_ipaclient_test_keytab.krb5_conf_ok
- fail:
msg: "The IPA test failed, please enable allow_repair to fix this."
when: not ipatest.ipa_test_ok
when: not result_ipaclient_test_keytab.ping_test_ok
- fail:
msg: "The ca.crt file is missing, please enable allow_repair to fix this."
when: not ipatest.ca_crt_exists
when: not result_ipaclient_test_keytab.ca_crt_exists
- meta: end_play
when: not ipaclient_on_master | bool and not ipajoin.changed and not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or (ipajoin.already_joined is defined and ipajoin.already_joined))
when: not ipaclient_on_master | bool and not result_ipaclient_join.changed and not ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (result_ipaclient_join.already_joined is defined and result_ipaclient_join.already_joined))
- name: Install - Configure IPA default.conf
include_role:
name: ipaconf
vars:
ipaconf_server: "{{ ipadiscovery.servers[0] }}"
ipaconf_domain: "{{ ipadiscovery.domain }}"
ipaconf_realm: "{{ ipadiscovery.realm }}"
ipaconf_hostname: "{{ ipadiscovery.hostname }}"
ipaconf_basedn: "{{ ipadiscovery.basedn }}"
ipaconf_server: "{{ result_ipaclient_test.servers[0] }}"
ipaconf_domain: "{{ result_ipaclient_test.domain }}"
ipaconf_realm: "{{ result_ipaclient_test.realm }}"
ipaconf_hostname: "{{ result_ipaclient_test.hostname }}"
ipaconf_basedn: "{{ result_ipaclient_test.basedn }}"
when: not ipaclient_on_master | bool
- name: Install - Configure SSSD
ipasssd:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"
hostname: "{{ ipadiscovery.hostname }}"
ipaclient_setup_sssd:
servers: "{{ result_ipaclient_test.servers }}"
domain: "{{ result_ipaclient_test.domain }}"
realm: "{{ result_ipaclient_test.realm }}"
hostname: "{{ result_ipaclient_test.hostname }}"
services: ["ssh", "sudo"]
krb5_offline_passwords: yes
on_master: "{{ ipaclient_on_master }}"
@@ -194,66 +194,66 @@
#dns_updates: no
#all_ip_addresses: no
- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} <= 4.4"
- name: Install - Configure krb5 for IPA realm "{{ result_ipaclient_test.realm }} <= 4.4"
include_role:
name: ipa-krb5
vars:
krb5_servers: "{{ ipadiscovery.servers if not ipadiscovery.dnsok or not ipadiscovery.kdc else [ ] }}"
krb5_realm: "{{ ipadiscovery.realm }}"
krb5_dns_lookup_realm: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
krb5_dns_lookup_kdc: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
krb5_default_domain: "{{ 'true' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'false' }}"
krb5_servers: "{{ result_ipaclient_test.servers if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else [ ] }}"
krb5_realm: "{{ result_ipaclient_test.realm }}"
krb5_dns_lookup_realm: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
krb5_dns_lookup_kdc: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
krb5_default_domain: "{{ 'true' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'false' }}"
krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version <= 40400
when: not ipaclient_on_master | bool and result_ipaclient_test.ipa_python_version <= 40400
- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
- name: Install - Configure krb5 for IPA realm "{{ result_ipaclient_test.realm }} > 4.4"
include_role:
name: ipa-krb5
vars:
krb5_servers: "{{ ipadiscovery.servers if not ipadiscovery.dnsok or not ipadiscovery.kdc else [ ] }}"
krb5_realm: "{{ ipadiscovery.realm }}"
krb5_dns_lookup_realm: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
krb5_dns_lookup_kdc: "{{ 'false' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'true' }}"
krb5_default_domain: "{{ 'true' if not ipadiscovery.dnsok or not ipadiscovery.kdc else 'false' }}"
krb5_servers: "{{ result_ipaclient_test.servers if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else [ ] }}"
krb5_realm: "{{ result_ipaclient_test.realm }}"
krb5_dns_lookup_realm: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
krb5_dns_lookup_kdc: "{{ 'false' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'true' }}"
krb5_default_domain: "{{ 'true' if not result_ipaclient_test.dnsok or not result_ipaclient_test.kdc else 'false' }}"
krb5_dns_canonicalize_hostname: "false"
krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version > 40400
when: not ipaclient_on_master | bool and result_ipaclient_test.ipa_python_version > 40400
- name: Install - IPA API calls for remaining enrollment parts
ipaapi:
servers: "{{ ipadiscovery.servers }}"
realm: "{{ ipadiscovery.realm }}"
hostname: "{{ ipadiscovery.hostname }}"
ipaclient_api:
servers: "{{ result_ipaclient_test.servers }}"
realm: "{{ result_ipaclient_test.realm }}"
hostname: "{{ result_ipaclient_test.hostname }}"
#debug: yes
register: ipaapi
register: result_ipaclient_api
- name: Install - Fix IPA ca
ipafixca:
servers: "{{ ipadiscovery.servers }}"
realm: "{{ ipadiscovery.realm }}"
basedn: "{{ ipadiscovery.basedn }}"
ipaclient_fix_ca:
servers: "{{ result_ipaclient_test.servers }}"
realm: "{{ result_ipaclient_test.realm }}"
basedn: "{{ result_ipaclient_test.basedn }}"
allow_repair: "{{ ipaclient_allow_repair }}"
when: not ipaclient_on_master | bool and ipatest.krb5_keytab_ok and not ipatest.ca_crt_exists
when: not ipaclient_on_master | bool and result_ipaclient_test_keytab.krb5_keytab_ok and not result_ipaclient_test_keytab.ca_crt_exists
- name: Install - Create IPA NSS database
ipanss:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
realm: "{{ ipadiscovery.realm }}"
basedn: "{{ ipadiscovery.basedn }}"
hostname: "{{ ipadiscovery.hostname }}"
subject_base: "{{ ipaapi.subject_base }}"
ipaclient_setup_nss:
servers: "{{ result_ipaclient_test.servers }}"
domain: "{{ result_ipaclient_test.domain }}"
realm: "{{ result_ipaclient_test.realm }}"
basedn: "{{ result_ipaclient_test.basedn }}"
hostname: "{{ result_ipaclient_test.hostname }}"
subject_base: "{{ result_ipaclient_api.subject_base }}"
principal: "{{ ipaadmin_principal | default(omit) }}"
mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"
ca_enabled: "{{ result_ipaclient_api.ca_enabled | default(omit) }}"
on_master: "{{ ipaclient_on_master }}"
- name: Install - IPA extras configuration
ipaextras:
servers: "{{ ipadiscovery.servers }}"
domain: "{{ ipadiscovery.domain }}"
ntp_servers: "{{ ipadiscovery.ntp_servers }}"
ipaclient_extras:
servers: "{{ result_ipaclient_test.servers }}"
domain: "{{ result_ipaclient_test.domain }}"
ntp_servers: "{{ result_ipaclient_test.ntp_servers }}"
ntp: "{{ ipaclient_ntp | default(omit) }}"
on_master: "{{ ipaclient_on_master }}"
#force_ntpd: no

2
roles/ipaconf/tasks/main.yml
View File

@@ -1,6 +1,6 @@
---
- name: Backup IPA default.conf
ipafstore:
ipaclient_fstore:
backup: "{{ ipaconf_default_conf }}"
- name: Template IPA default.conf