The new argument was introduced with the IPA change e6445b8 to disable
the previous Unbound configuration before setting up new configuration
for DNS over TLS.
Related: https://pagure.io/freeipa/issue/9814
This change adds support for DNS over TLS to the ipaclient role.
New variables
ipaclient_dns_over_tls
Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later.
(bool, default: false)
required: false
ipaclient_no_dnssec_validation
Disable DNSSEC validation for DNS over TLS. This turns off DNSSEC
validation for unbound. Only usable if `ipaserver_dns_over_tls` is
enabled. (bool, default: false)
reqiured: false
New distribution specific variable
ipaclient_packages_dot
List of IPA packages needed for DNS over TLS.
The resolver configuratoin for DNS over TLS is not part of this change
and will be added later on. Therefore it is needed to configure the
resolver for DNS over TLS before starting the deployment with ipaclient
role. This is essential for using an IPA DNS server with DoT and enforced
DNS policy so that only DoT is usable.
FreeIPA fix for https://pagure.io/freeipa/issue/9652 now produces five
elements tuple when iterating over CA certificate list, the last element
being the serial number. We do not need it, so extract only the first
four elements (certificate, nickname, trusted, EKU).
The regression was introduced by FreeIPA commit
f91b677ada376034b25d50e78475237c5976770e.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
This is a hotfix to allow deployments of clients, replicas and servers
with the dns_over_tls PR for freeipa: https://github.com/freeipa/freeipa/pull/7343/
ipaclient: client.update_ssh_keys has changed parameters,
options.dns_over_tls needs to be set for ipaclient_setup_nss.
ipareplica, ipaserver: Set new parameters globally in module_utils so
far: options.dns_over_tls, options.dns_over_tls_key, options.dns_over_tls_cert,
options.dot_forwarders and options.dns_policy.
The enablement for DNS over TLS for the deployment roles will be done later on.
This is "ipa-client-install: enable SELinux for SSSD"
https://github.com/freeipa/freeipa/pull/6978 for ansible-freeipa:
For passkeys (FIDO2) support, SSSD uses libfido2 library which needs
access to USB devices. Add SELinux booleans handling to ipa-client-install
so that correct SELinux booleans can be enabled and disabled during
install and uninstall. Ignore and record a warning when SELinux policy
does not support the boolean.
Fixes: https://pagure.io/freeipa/issue/9434
With the fix to defer creating the final krb5.conf on clients a bug has
been introduced with ipaclient_setup_nss: The krb_name parameter that
points to the temporary krb5 configuration was not added to the module.
With a properly configured DNS (like for example IPA DNS) the krb TXT
records have been present in the DNS configuration. These have been used
automatically as a fallback and broke server affinity for the client.
Without the TXT records creating the IPA NSS database failed with
"Cannot find KDC for realm ..".
The krb_name parameter has been added to ipaclient_setup_nss and is also
properly set in tasks/install.yml.
This is an ansible-freeipa update for the freeipa RFE:
https://pagure.io/freeipa/issue/9159
"`ipa-client-install` should provide option to enable `subid: sss`
in `/etc/nsswitch.conf`".
This option allows to configure authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.
The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files
Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
A temporary krb5 configuration was used to join the domain in
ipaclient_join. After that the final krkb5 configuration was created
with enabled DNS discovery and used for the remainaing tasks, where also
a connection to the IPA API was done.
With several servers the DNS discovery could have picked up a different
server. If the client deployment was faster than the replication this
could have lead to an unknown host error.
The issue was seen in performance testing where many simultaneous client
enrollments have been done..
The goal is to keep server affinity as long as possible within the
deployment process:
The temporary krb5.conf that was used before in ipaclient_join was
pulled out into an own module. The generated temporary krb5.conf is now
used in ipaclient_join and also ipaclient_api.
The generation of the final krb5.conf is moved to the end of the
deployment process.
Same as: https://pagure.io/freeipa/issue/9228
The setup of certmonger has been pulled out of ipaclient_setup_nss and moved
to the end of the process after generating the final krb5.conf as it will
use t will only use /etc/krb5.conf.
Certificate issuance may fail during deployment due to using the final
krb5.conf, but certmonger will re-try the request in this case.
Same as: https://pagure.io/freeipa/issue/9246
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `required` tags need to be fixed according to the `argument_spec`
- `default` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
argument_spec
- `type='str'` needs to be set for string parameters
- `elements='str'` needs to be added to all list of string parameters
supports_check_mode is turned off as it is not supported.
A call to ansible_ipa_client.check_imports has been added to check for import
errors.
The `copyright` date is extended with `-2022`.
In case get_certs_from_ldap failed with errors.NoCertificateError the
code lead to a trace back as certstore.make_compat_ca_certs was using
with undefined ca_certs variable.
The code to generate ca_certs for this case was copied over from
ipaclient_api. This is loading the certificate list from paths.IPA_CA_CRT.
Before "short description" was used in most plugins, modules and also
in the new module templates.
ansible-doc was therefore not showing the short description. To fix the
issue the flag was renamed to short_description instead.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2121362
'ansible-doc' -l lists most idm modules as 'UNDOCUMENTED'
Python 3.11 dropped compat inspect.getargspec. As the roles and modules
need to support Python2 and Python3, the code for getargspec has been
copied from Python 3.10 and is added as a fallback as soon as getargspec
can not be imported from inspect. The copied getargspec is using
getfullargspec internally.
Fixes: #855 (Python's inspect.getargspec was removed in version 3.11)
ipaclient_setup_nss is using the nosssd_files dict if sssd is disabled
with no_sssd.
The nosssd_files dict is generated in ipaclient_test and used in
ipaclient_setup_nss. So far ipaclient_setup_nss was using nosssd_files
from ipaclient installer, which was always None.
ansible-doc is reporting several issues in modules. Most of them have benn
due to misspelled description key word or due to use of multi line text
without the | in the description line.
The import of ansible_ipa_server, ansible_ipa_replica and ansible_ipa_client
might result in a permission denied error for the log file. It seems that
for collections the module utils seem to be loaded before the needed
permissions are aquired now.
The fix simply adds a wrapper for standard_logging_setup that is called in
all the modules of the server, replica and client roles to do the loggin
setup as one of the first steps of the module execution and not before.
The documentation of the module paramaters have been updated. The parameter
list has been updated and all parameters are providing a description and
the required argument has been updated to reflect current setting in the
modules.
There have been several settings in ipaclient_setup_nss that have been
hard coded instead of using the settings from the role. This has been
fixed and the code in ipaclient_setup_nss has been updated to the latest
version of FreeIPA with compatibility changes for older FreeIPA versions.
Additionally the api is now properly configured so that the DNS SSHFP
records are now properly created if no_dns_sshfp is not enabled.
The installer logs have not been created using the ansible ipaclient,
ipareplica and ipaserver roles. This has been fixed and the installer
logs are created now. This is a new and fixed version of 2113c79 where
verbose mode is turned off.
The call of standard_logging_setup results in verbose and debug output in
the ansible modules. This needs to be done in an altenative way.
This reverts commit 2113c79111.
The installer logs have not been created using the ansible ipaclient,
ipareplica and ipaserver roles. This has been fixed and the installer
logs are created now.
The naming in the ipaclient role has not been following the naming scheme
and conventions used in the ipaserver and ipareplica roles. Also registered
results of modules and commands have not been unsing the result_ prefix as
in the other roles. All this has been fixed and the naming is consistent
now.
These are the renames:
ipahost -> ipaclient_get_otp
ipaapi -> ipaclient_api
ipaextras -> ipaclient_extras
ipafixca -> ipaclient_fix_ca
ipafstore -> ipaclient_fstore
ipa_facts -> ipaclient_get_facts
ipahost -> ipaclient_get_otp
ipajoin -> ipaclient_join
ipanss -> ipaclient_setup_nss
ipasssd -> ipaclient_setup_sssd
ipadiscovery -> ipaclient_test
ipatest -> ipaclient_test_keytab
