With ansible 2.3.1 it is possible to have one place as an additional utils
module to do all the needed steps to be able to generate the environment for
new and older ipa versions.
The library modules are now a lot smaller.
The minimal ansible version has been increased to 2.3.1.
In the future it might now also be possible to have a special
ansible_ipa_client version for ipa < 4.4 in this utils module.
If the client name is not resolvable, the call of client_dns will internally
result in a logger.error call for the failed update of the DNS records.
The call to standard_logging_setup is fixing the behaviour to bremore like
a debug call.
Currently ipaclient role is using the module ipaclient only for uninstallation,
and this module contains a lot of unused code.
It is simpler to directly call the command-line
ipa-client-install --uninstall -U
and remove the ipaclient module.
When the client already has a working keytab, use_otp is disabled. This creates
an issue when ipaclient_force_join is set, because the join module is called
with ipaadmin_principal and ipaadmin_password, but these variables may be
undefined if ipaadmin_keytab is used instead.
We should not disable OTP when force-join is specified.
With the test it is not needed to pin down the python interpreter for ansible
modules. It is therefore possible to use a Python2 version on Fedora-27 and
a Python3 version on Fedora-26.
In the client krb5.conf setup, a pkinit_anchors entry
was being added for pki-ca-bundle. This should instead
be kdc-ca-bundle.
Signed-off-by: Scott Poore <spoore@redhat.com>
The new results from ipatest (krb5_conf_ok and ipa_test_ok) are now used for
additional fails to suggest to enable allow_repair.
The playbook is not ended anymore if ipajoin changed something.
The rename was needed to be able to have more than one package in the list
of required packages.
For RHEL-7.3 it has been needed to add ipa-admintools to have /usr/bin/ipa
available. libselinux-python has been added for all.
The first validation test of the krb5.keytab is now done using the system
krb5.conf file. If this test failed, then the validation will be done with
the temporary krb5.conf file.
An additionally IPA test has been added. For now this is "ipa ping" as there
seems not to be a more comprehensive validation test for proper IPA
configuration.
Add big block has been added that contains all steps where the ccache is
created an used. With the block it is possible to add an always clause to
remove the ccachae also in the error case. The cleanup of the ccache is
also done in the beginning to make sure that no ccache leftover will be
used.
The subject base generated in discovery is only a guess and might have been
changed by the admin at installation process. Therefore it is needed to
get this from the server - done in ipaapi as we are authenticaed there already
to use the api.
The subject base generated in discovery is only a guess and might have been
changed by the admin at installation process. Therefore it is needed to
get this from the server.
subject_base has been added as a new return value.
Use subject base form ipaapi in roles/ipaclient/tasks/install.yml instead of
guessed value from ipadiscovery.
