The use of zone_overlay_check for the domain name validation is not good
for a repeated execution of the server deployment where setup_dns is
enabled. The zone overlay check will fail with "DNS zone X already exists
in DNS". zone_overlay_check is later on used in dns.install_check so it is
not needed to do it here also.
Fixes issues #164 (domain option validator should not call zone overlap..)
These settings are file descriptors if external certificates are used and
are not used later in the roles. Therefore these settings have been removed.
Fixes: #110 (Ansible error with external certificates)
The documentation of the module paramaters have been updated. The parameter
list has been updated and all parameters are providing a description and
the required argument has been updated to reflect current setting in the
modules.
All module_utils are now providing the __all__ structure. Alse the imports
in the modules have been updated to only import freeipa sturctures from
module_utils.
Use and generation of dirsrv_pkcs12_info, http_pkcs12_info and
pkinit_pkcs12_info has been fixed in:
- ipaserver_setup_ds
- ipaserver_setup_http
- ipaserver_test
Since 4.7.1 it is needed to use CustodiaModes.FIRST_MASTER instead of
CustodiaModes.MASTER_PEER for the get_custodia_instance.
This has been fixed already in ipaserver_setup_ca and also
ipaserver_setup_custodia, but was missed in ipaserver_setup_kra.
Fixes: #92 (KRA install fails in tasks: [ipaserver : Install - Setup KRA])
sync_time is not using options anymore, but has two new arguments. These
are ntp_servers and ntp_pool. The options argument is not used anymore.
This requires to use inspect on sync_time to be able to detect if the old
or the new function is available.
The call for get_time_source has been added, but is documented out as the
call is only useful in interactive mode.
ipaserver_test now returns ntp_servers and ntp_pool, which are then used
for ipaserver_setup_ntp.
The raises of RuntimeError, ValueError and ScriptError are currently not
properly handled in ipaserver_prepare. This results in a trace back error
shown in Ansible instead of only showing the error message.
This happened for example if a nameserver is in /etc/resolv.conf that is
not reachable.
This adds support for the --external-ca option to ipaserver. Lots of
additional tests and checks from ServerInstallInterface.__init__ have
been added to ipaserver_test. Also duplicate tests cna checks have been
removed.
Installer settings in ansible_ipa_server module_util are now also set
to the defaults that are used in Installable, ServerInstallInterface,
ServerMasterInstall, ADTrustInstallInterface and Uninstall.
The /root/ipa.csr file generated on the node in ca.install_step_0 will
be copied to the controller as "{{ inventory_hostname }}-ipa.csr".
The new task file copy_external_cert.yml has been added to copy the
generated certificate defined in ipaserver_external_cert_files to the node
to continue with ca.install_step_1.
The tasks/install.yml file has been adapted to make sure that the steps
that will be done in step two will be skipped after step one has been
done.
The code for host_name, the domain_name and also the realm_name has been
adapted to the code in the command line installer. The _hostname_overridden
setting is now only true if the hostname has been changed.
The install checks have been done temporarily in _test and finally also
in _prepare. This is not needed and also not done this way in the command
line installers.
The addtion is not oly adding the config setting, but also fixing the
deployment without the setting as functions and methods have been changed
for pki_config_override.
There is a new setting for the ipaserver role:
ipaserver_pki_config_override
tasks.restore_context is only used in old releases. The existence of
paths.CACHE_IPA_SESSIONS is used to determine if the call needs to be
done or not.
There have been missing settings that have not been provided to
ipaserver_setup_adtrust. These are: enable_compat, rid_base and
secondary_rid_base.
The settings rid_base and secondary_rid_base are now initialized in
ipaserver_test and propagated in the results.
The two settings netbios_name and reset_netbios_name are placed in the
adtrust binding in the adtrust.install_check call. These are now saved
when ipaserver_test finishes and are written back in the fist steps of
ipaserver_setup_adtrust to make adtrust.install working.
The settings add_sids and add_agents are now initialized in
ansible_ipa_server in the same way as in ServerMasterInstall. These
settings are fixed in the server deployment.
The entity argument for validate_domain_name is only available in
FreeIPA 4.7 and later. This has been fixed using inspect to be able to
detect if entity is a valid argument. If not the whole realm name check
is skipped.
Related: #61 (ipaserver role - Fails on ipaclient install)
Fixes: #66 (Python 2 error with validate_domain)
Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.
This is related to freeipa upstream commit:
Delay enabling services until end of installer:
https://github.com/freeipa/freeipa/commit/7284097
Tee message for a domain and realm name mismatch should be a warning and
not a fail in the ipaserver test. It is also a warning in the normal
installer.
The use of IPA versions to determine if get_custodia_instance should be
used was not optimal as the patch that introduced this has been back-ported
to the EL-7 package with verion 4.5.4. As get_custodia_instance was not
available before we can simply check if get_custodia_instance exists in
custodiainstance.
Lowered version check to be compatible with CentOS 7.5
Added missing attributes to setup_kra to be compatible with latest python2-ipaserver librarty on CentOS 7.5 (python2-ipaserver-4.5.4-10.el7.centos.3.noarch)
With IPA 4.7 bigger changes have been introduced
Changes:
- Use of timeconf and chrony instead of ntpconf and ntpd.
- New IPAChangeConf (not used in ipaserver modules)
- New check_ldap_conf form ipaclient.install.client
- custodia instance needed for ca and kra
- no_ntp defaults to yes for client installation part
- A new option ntp_pool has been introduced (set to None).
tasks.create_tmpfiles_dirs only needs IPAAPI_USER as an argument for
version 4.5.4. For 4.5 there is no support for arguments.
IPAAPI_USER is therefore only needed for 4.5.4 in
module_utils/ansible_ipa_server.py
b29db07c3b3d8937f53684fdbba985fec525d69d by Christian Heimes
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.
The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565
options.kasp_db_file is used in dns.install_check if options.dnssec_master
is enabled. kasp_db_file defauts to None and is only a supported option in
the post deployment ipa-dns-install script. Therefore it is suffient to
set it to None.
forward_policy needs to be None for the DNS check for proper initialization
if the user is not providing another forward_policy value. forward_policy will
be set in the DNS check.
no_dnssec_validation is enabled in the DNS check if the forwarders do not
provide DNSSEC validation. Therefore this needs to be handed over to the dns
installation later on.
New return values for forward_policy and no_dnssec_validation have been added
to the ipaserver_test module.
