There have been missing settings that have not been provided to
ipareplica_setup_adtrust. These are: enable_compat, rid_base and
secondary_rid_base.
The settings rid_base and secondary_rid_base are now initialized in
ipareplica_prepare and propagated in the results.
The two settings netbios_name and reset_netbios_name are placed in the
adtrust binding in the adtrust.install_check call. These are now saved
when ipareplica_prepare finishes and are written back in the fist steps of
ipareplica_setup_adtrust to make adtrust.install working.
The settings add_sids and add_agents are now initialized in
ansible_ipa_replica in the same way as in ServerMasterInstall. These
settings are fixed in the replica deployment.
Related: #73 (ipaserver_setup_adtrust fails on default smb.conf)
Meta end_play has been used as a simple solution to end the playbook
processing in special conditions, like for example when the deployment
was already done before.
meta end_play has been replaced with blocks and conditions for these
blocks.
Fixes: #70 (Avoid using meta end_play)
The ansible_fqdn hostname has been enforced to be set and used in
ipaserver, ipareplica and also ipaclient role. This has been removed as
the hostname should only be set if specified explicitly with
ipa[server,replica,client]_hostname.
The installer logs have not been created using the ansible ipaclient,
ipareplica and ipaserver roles. This has been fixed and the installer
logs are created now. This is a new and fixed version of 2113c79 where
verbose mode is turned off.
The call of standard_logging_setup results in verbose and debug output in
the ansible modules. This needs to be done in an altenative way.
This reverts commit 2113c79111.
The configuration of DNS failed because of missing DNS settings in the
ipareplica_prepare and ipareplica_setup_dns.
Some fixed settings for use with DNSInstallInterface have been added
to ansible_ipa_replica:
options.dnssec_master = False
options.disable_dnssec_master = False
options.kasp_db_file = None
options.force = False
Fixes: #58 (install-replica fails: reverse_zones seems to be empty)
Fixes: #63 (ipareplica_setup_dns fails)
ipaserver_master_password and ipaserver_setup_ntp have been linked from
the ipaserver role before. With the move of the module_utils parts to the
specific role locations the use of ipaserver modules leads to the missing
dependency ansible_ipa_server, that is now only available in the server
role.
The ipaserver_master_password module has been replaced by the ipareplica
specific ipareplica_master_password module. The ipaserver_setup_ntp module
has been removed as the time related changes for replica are done in the
client install part.
Fixes: #59 (Module is missing interpreter line)
The installer logs have not been created using the ansible ipaclient,
ipareplica and ipaserver roles. This has been fixed and the installer
logs are created now.
The role test is executed in the ipa[server,replica,client] roles first.
These tests are usable in the Ansible test mode, but the folllowing steps
in the task list are not. Therefore the blocks following the tests are
limited to not being executed in test mode.
python_2_3_test needs to be executed also in test mode to make sure that the
follwing ipa[server,replica,client]_test modules could be executed also in
test mode.
With the changes for IPA enablement in the replica installer it is not
possible anymore to enable the IPA server in the same way as in the
server deployment.
The new module ipareplica_enable_ipa has been added and the link for
ipaserver_enable_ipa has been removed.
The parameter config_setup_ca has been renamed to setup_ca and added to
options. master_host_name has been added to config. Also a call for
api.Backend.ldap2.connect has been added to make sure that the backend is
connected.
The promote argument has been dropped with the final removal of domain
level 0 support in version 4.7.1. The fstore argument has been added
with the 4.7.1 version also.
The promote argument has been dropped with the final removal of domain
level 0 support in version 4.7.1. The fstore argument has been added
with the 4.7.1 version also.
The promote argument has been dropped with the final removal of domain
level 0 support in version 4.7.1. The fstore argument has been added
with the 4.7.1 version also.
Double imports and also the import of create_replica_config from
ipaserver.install.installutils have been removed. create_replica_config
is not used because the use of domain level 0 is not supported.
ntp_server and ntp_pool are now provided to ipareplica_test. A conflict
test with no_ntp has been added from the normal installer.
Also added are references to options.password and options.dm_password, but
these are commented out and not used or provided to the module.
Proper ntp_servers and ntp_pool tests are needed still.
With FreeIPA 4.7.0 there is no support for domain level 0 anymore, the
check for the minimal domain level should use MIN_DOMAIN_LEVEL instead of
DOMAIN_LEVEL_1.
With these settings for server, replica and client it is possible to skip
package installation. This is for example useful if the packages are already
installed. The settings default to yes
The setting ipareplica_no_package_install has been removed.
The ipareplica role is reusing the ipaserver_enable_ipa module. This module
needed some extensions on the server to enable the delayed services and
also to dump DNS configuration (see commit a128726).
For replica it is not needed to dump the DNS configuration, therefore it is
simply possible to set detup_dns to no to make this module also working
for ipareplica.
As the old way to include tasks is deprecated, replace static include
statements with import_tasks and dynamic ones with include_tasks.
Increaded the required ansible version to 2.5.0 to make sure that
include_tasks and import_tasks is working as expected.
Fixes issue #38
This is a partly pick of the changes done by pyguy for pull request #28.
The unrelated changed on inventory files have been removed and the change
to the README has been adapted to use the "Supported Distributions" section.
The original commits by pyguy in https://github.com/pyguy/ansible-freeipa
are:
commit 1ed1fa845eafd69432b1fd1fc8e5329e4991e84a
Author: pyguy <hr.josheghani@gmail.com>
Date: Mon Jun 25 17:17:31 2018 +0430
Ubuntu Support added
commit 9a4a7c84e4af20af27e814aba4fc2c6b8b35ec0f
Author: pyguy <hr.josheghani@gmail.com>
Date: Sun Jun 24 10:58:07 2018 +0430
Ubuntu support added
There is a pull request and also a proposal for ansible be able to limit the
number of concurrent executions for a single task:
- https://github.com/ansible/proposals/issues/129
- https://github.com/ansible/ansible/pull/42528
The keyword is currently named max_concurrent, but might be renamed later
on. If the keyword is present, but not supported by ansible, it will be
simply ignored. Therefore there is no issue right now with adding in here
early.
custodiainstance.import_dm_password does not support master_host_name post
4.6.90 anymore. A new inspect call has been added to verify if the arg is
supported or not.
custodia needs to be used here with newer IPA versions (introduced with 4.6.4).
With this master_host_name does is not supplied to custodia.import_dm_password
as an arguemtn anymore.
The use of IPA versions to determine if get_custodia_instance should be
used was not optimal as the patch that introduced this has been back-ported
to the EL-7 package with verion 4.5.4. As get_custodia_instance was not
available before we can simply check if get_custodia_instance exists in
custodiainstance.
A new Fedora-27 ditribution specific file has been added. Additionally
ipareplica_packages_adtrust has been updated in all files to contain
[free]ipa-server-trust-ad.
With IPA 4.7 bigger changes have been introduced
Changes:
- Use of timeconf and chrony instead of ntpconf and ntpd.
- custodia instance needed for ca and kra
- Use of create_ipa_conf with changed setting in setup_http for install_http,
reverted back afterwards.
