Add support for on_master flag

This is needed so that the ipaclient role can be used from within the server role.
Thomas Woerner
2017-12-06 12:46:57 +01:00
parent d2d4d95a5a
commit a7e78597c6
2 changed files with 10 additions and 7 deletions


@@ -7,3 +7,4 @@ ipaclient_mkhomedir: no
ipaclient_kinit_attempts: 5 ipaclient_kinit_attempts: 5
ipaclient_use_otp: no ipaclient_use_otp: no
ipaclient_allow_repair: no ipaclient_allow_repair: no
ipaclient_on_master: no
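Review bot: The new default `ipaclient_on_master: no` has no comment, although in the tasks file of this same commit it switches off the keytab test, the join, and the default.conf and krb5 configuration steps. A one-line comment above it would make clear that it is not meant for a regular client, for example `# Set only when included from the server role: skips keytab test, join, default.conf and krb5 setup`. The `when:` conditions apply `| bool` to it, but the module arguments `on_master: "{{ ipaclient_on_master }}"` pass it through unfiltered. Presumably the modules declare that argument as a boolean, which is worth confirming so that a string value from extra vars is interpreted the same way in both places.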


@@ -41,6 +41,7 @@
kdc: "{{ ipadiscovery.kdc }}" kdc: "{{ ipadiscovery.kdc }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}" kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
register: ipatest register: ipatest
when: not ipaclient_on_master | bool
- name: Install - Disable One-Time Password for client with working krb5.keytab - name: Install - Disable One-Time Password for client with working krb5.keytab
set_fact: set_fact:
@@ -116,7 +117,7 @@
#ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}" #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}" kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
register: ipajoin register: ipajoin
when: not ipatest.krb5_keytab_ok or ipaclient_force_join when: not ipaclient_on_master | bool and (not ipatest.krb5_keytab_ok or ipaclient_force_join)
- block: - block:
- name: Install - End playbook processing - name: Install - End playbook processing
@@ -133,7 +134,7 @@
msg: "The ca.crt file is missing, please enable allow_repair to fix this." msg: "The ca.crt file is missing, please enable allow_repair to fix this."
when: not ipatest.ca_crt_exists when: not ipatest.ca_crt_exists
- meta: end_play - meta: end_play
when: not ipajoin.changed and not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined) when: not ipaclient_on_master | bool and not ipajoin.changed and not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined)
- name: Install - Configure IPA default.conf - name: Install - Configure IPA default.conf
include_role: include_role:
@@ -144,6 +145,7 @@
ipaconf_realm: "{{ ipadiscovery.realm }}" ipaconf_realm: "{{ ipadiscovery.realm }}"
ipaconf_hostname: "{{ ipadiscovery.hostname }}" ipaconf_hostname: "{{ ipadiscovery.hostname }}"
ipaconf_basedn: "{{ ipadiscovery.basedn }}" ipaconf_basedn: "{{ ipadiscovery.basedn }}"
when: not ipaclient_on_master | bool
- name: Install - Configure SSSD - name: Install - Configure SSSD
ipasssd: ipasssd:
@@ -153,7 +155,7 @@
hostname: "{{ ipadiscovery.hostname }}" hostname: "{{ ipadiscovery.hostname }}"
services: ["ssh", "sudo"] services: ["ssh", "sudo"]
krb5_offline_passwords: yes krb5_offline_passwords: yes
#on_master: no on_master: "{{ ipaclient_on_master }}"
#primary: no #primary: no
#permit: no #permit: no
#dns_updates: no #dns_updates: no
@@ -169,7 +171,7 @@
krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}" krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}" krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt" krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
when: ipadiscovery.ipa_python_version <= 40400 when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version <= 40400
- name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4" - name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
include_role: include_role:
@@ -183,7 +185,7 @@
krb5_dns_canonicalize_hostname: "false" krb5_dns_canonicalize_hostname: "false"
krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem" krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem" krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
when: ipadiscovery.ipa_python_version > 40400 when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version > 40400
- name: Install - IPA API calls for remaining enrollment parts - name: Install - IPA API calls for remaining enrollment parts
ipaapi: ipaapi:
@@ -212,7 +214,7 @@
principal: "{{ ipaadmin_principal | default(omit) }}" principal: "{{ ipaadmin_principal | default(omit) }}"
mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}" mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}" ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"
#on_master: no on_master: "{{ ipaclient_on_master }}"
- name: Install - IPA extras configuration - name: Install - IPA extras configuration
ipaextras: ipaextras:
@@ -220,6 +222,7 @@
domain: "{{ ipadiscovery.domain }}" domain: "{{ ipadiscovery.domain }}"
ntp_servers: "{{ ipadiscovery.ntp_servers }}" ntp_servers: "{{ ipadiscovery.ntp_servers }}"
ntp: "{{ ipaclient_ntp | default(omit) }}" ntp: "{{ ipaclient_ntp | default(omit) }}"
on_master: "{{ ipaclient_on_master }}"
#force_ntpd: no #force_ntpd: no
#sssd: yes #sssd: yes
#ssh: yes #ssh: yes
@@ -230,7 +233,6 @@
#firefox_dir: #firefox_dir:
#no_nisdomain: no #no_nisdomain: no
#nisdomain: #nisdomain:
#on_master: no
always: always:
- name: Cleanup leftover ccache - name: Cleanup leftover ccache