Add support for on_master flag

This is needed so that the ipaclient role can be used from within the server role.
Thomas Woerner
2017-12-06 12:46:57 +01:00
parent d2d4d95a5a
commit a7e78597c6
2 changed files with 10 additions and 7 deletions


@@ -7,3 +7,4 @@ ipaclient_mkhomedir: no
ipaclient_kinit_attempts: 5
ipaclient_use_otp: no
ipaclient_allow_repair: no
ipaclient_on_master: no
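Review bot: The new default `ipaclient_on_master: no` carries no comment saying who is meant to set it, although the tasks in the second file use it to skip the keytab test, the join and the default.conf/krb5 configuration. A one-line comment above it would make the contract explicit, for example `# Set by the server role only: skips client enrollment steps on an IPA master`. Nothing visible in this commit verifies that the host really is a master, so an inventory that sets the flag by mistake would presumably end up with SSSD configured on a host that was never joined; it is worth stating in the role documentation that the flag is internal.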


@@ -41,6 +41,7 @@
kdc: "{{ ipadiscovery.kdc }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
register: ipatest
when: not ipaclient_on_master | bool
- name: Install - Disable One-Time Password for client with working krb5.keytab
set_fact:
@@ -116,7 +117,7 @@
#ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
register: ipajoin
when: not ipatest.krb5_keytab_ok or ipaclient_force_join
when: not ipaclient_on_master | bool and (not ipatest.krb5_keytab_ok or ipaclient_force_join)
- block:
- name: Install - End playbook processing
@@ -133,7 +134,7 @@
msg: "The ca.crt file is missing, please enable allow_repair to fix this."
when: not ipatest.ca_crt_exists
- meta: end_play
when: not ipajoin.changed and not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined)
when: not ipaclient_on_master | bool and not ipajoin.changed and not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined)
- name: Install - Configure IPA default.conf
include_role:
@@ -144,6 +145,7 @@
ipaconf_realm: "{{ ipadiscovery.realm }}"
ipaconf_hostname: "{{ ipadiscovery.hostname }}"
ipaconf_basedn: "{{ ipadiscovery.basedn }}"
when: not ipaclient_on_master | bool
- name: Install - Configure SSSD
ipasssd:
@@ -153,7 +155,7 @@
hostname: "{{ ipadiscovery.hostname }}"
services: ["ssh", "sudo"]
krb5_offline_passwords: yes
#on_master: no
on_master: "{{ ipaclient_on_master }}"
#primary: no
#permit: no
#dns_updates: no
@@ -169,7 +171,7 @@
krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
when: ipadiscovery.ipa_python_version <= 40400
when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version <= 40400
- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
include_role:
@@ -183,7 +185,7 @@
krb5_dns_canonicalize_hostname: "false"
krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
when: ipadiscovery.ipa_python_version > 40400
when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version > 40400
- name: Install - IPA API calls for remaining enrollment parts
ipaapi:
@@ -212,7 +214,7 @@
principal: "{{ ipaadmin_principal | default(omit) }}"
mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"
#on_master: no
on_master: "{{ ipaclient_on_master }}"
- name: Install - IPA extras configuration
ipaextras:
@@ -220,6 +222,7 @@
domain: "{{ ipadiscovery.domain }}"
ntp_servers: "{{ ipadiscovery.ntp_servers }}"
ntp: "{{ ipaclient_ntp | default(omit) }}"
on_master: "{{ ipaclient_on_master }}"
#force_ntpd: no
#sssd: yes
#ssh: yes
@@ -230,7 +233,6 @@
#firefox_dir:
#no_nisdomain: no
#nisdomain:
#on_master: no
always:
- name: Cleanup leftover ccache
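Review bot: On the rewritten join condition (the task registering `ipajoin`), `ipaclient_force_join` is still used without `| bool` while the new `ipaclient_on_master` is filtered, so a string value such as one passed with `-e ipaclient_force_join=no` would evaluate as true and force a re-join. Suggest `when: not (ipaclient_on_master | bool) and (not ipatest.krb5_keytab_ok or ipaclient_force_join | bool)`; the added parentheses only make the existing precedence explicit, and the same form would read better on the other `when:` lines changed here. In the same spirit, `on_master: "{{ ipaclient_on_master }}"` is passed to ipasssd, ipaextras and the task before it unfiltered, which is fine only if those modules declare the option as a boolean, which is not visible here. The tasks themselves start outside the hunks, so this is based on the shown lines only.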