These roles will most likely not work in the common case. Therefore the roles
have been renamed.
The ipa-krpb5 role is used by ipcalient, but the ipa-sssd role is currently
not used.
custodiainstance.import_dm_password does not support master_host_name post
4.6.90 anymore. A new inspect call has been added to verify if the arg is
supported or not.
custodia needs to be used here with newer IPA versions (introduced with 4.6.4).
With this master_host_name does is not supplied to custodia.import_dm_password
as an arguemtn anymore.
The use of IPA versions to determine if get_custodia_instance should be
used was not optimal as the patch that introduced this has been back-ported
to the EL-7 package with verion 4.5.4. As get_custodia_instance was not
available before we can simply check if get_custodia_instance exists in
custodiainstance.
Tee message for a domain and realm name mismatch should be a warning and
not a fail in the ipaserver test. It is also a warning in the normal
installer.
The use of IPA versions to determine if get_custodia_instance should be
used was not optimal as the patch that introduced this has been back-ported
to the EL-7 package with verion 4.5.4. As get_custodia_instance was not
available before we can simply check if get_custodia_instance exists in
custodiainstance.
Lowered version check to be compatible with CentOS 7.5
Added missing attributes to setup_kra to be compatible with latest python2-ipaserver librarty on CentOS 7.5 (python2-ipaserver-4.5.4-10.el7.centos.3.noarch)
A new Fedora-27 ditribution specific file has been added. Additionally
ipareplica_packages_adtrust has been updated in all files to contain
[free]ipa-server-trust-ad.
A new Fedora-27 ditribution specific file has been added. Additionally
ipaserver_packages_adtrust has been updated in all files to contain
[free]ipa-server-trust-ad.
With IPA 4.7 bigger changes have been introduced
Changes:
- Use of timeconf and chrony instead of ntpconf and ntpd.
- custodia instance needed for ca and kra
- Use of create_ipa_conf with changed setting in setup_http for install_http,
reverted back afterwards.
With IPA 4.7 bigger changes have been introduced
Changes:
- Use of timeconf and chrony instead of ntpconf and ntpd.
- New IPAChangeConf (not used in ipaserver modules)
- New check_ldap_conf form ipaclient.install.client
- custodia instance needed for ca and kra
- no_ntp defaults to yes for client installation part
- A new option ntp_pool has been introduced (set to None).
As the action plugin is used with the default python interpreter and
the change to python3 for FreeIPA, the use of OTP was not working anymore.
The ansible_python_interpreter is not automatically used for the module
part of the action plugin. Therefore ansible_python_interpreter needed to
be added to the action plugin call as a new var to make sure that the
module part is used with the proper python version.
Also a new import for the Python2/3 import test has been added to discover
of the server is supporting python2 or python3. The old
ansible_python_interpreter setting is saved before doing this and restored
after the one-time password has been generated on the server.
With IPA 4.7 bigger changes have been introduced
Changes:
- Use of timeconf and chrony instead of ntpconf and ntpd.
- A new option ntp_pool has been introduced.
paths.KDESTROY instead of "kdestroy" and paths.GETENT instead of "getent"
Affected modules:
roles/ipaclient/library/ipahost.py
roles/ipaclient/library/ipajoin.py
roles/ipaclient/library/ipanss.py
tasks.create_tmpfiles_dirs only needs IPAAPI_USER as an argument for
version 4.5.4. For 4.5 there is no support for arguments.
IPAAPI_USER is therefore only needed for 4.5.4 in
module_utils/ansible_ipa_server.py
The directories library and action_plugins do only contain ipaclient specific
modules and plugins. Therefore these directories should be located in the
ipaclient role directory.
When forwarders list or the no_forwarders flag has been set, the
configuraiton does not reflect the setting. With no_forwarders
the preparation step of the DNS server could fail in ipaserver_prepare.
This is addressing the issue of pull request #25.
krb5 DNS discovery was not possible in cluster environments as the server
list from groups.ipaserver was used all the time. DNS discovery is though
only used if no servers are given.
The new setting ipaclient_no_dns_lookup has been added to make sure that
DNS lookup is used in the first place and can be disabled easily with this
setting. There is also a new way to override servers per client in the
inventory file with ipaclient_servers.
Two new settings have been added:
ipaclient_no_dns_lookup (bool, default: no)
Set to 'yes' to use groups.ipaserver in cluster environments as servers
for the clients. This deactivates DNS lookup in krb5.
ipaclient_servers (list of strings, default: undefined)
Manually override list of servers for example in a cluster environment on
a per client basis. The list of servers is normally taken from from
groups.ipaserver in cluster environments.
The krb5 DNS lookup settings krb5_dns_lookup_realm and krb5_dns_lookup_kdc
ans also the servers have not been set properly set if no server has been
specified and discovery succeeded. This has been fixed.
This fixes issue #23.
- Do not register a change in the playbook run when registering the
variable checking for whether or not Python 3 imports work
Signed-off-by: Kellin <kellin@retromud.org>
The support for external cert files is not complete yet.
Please have a look at the example inventory file inventory/hosts.replica and
also the install and uninstall playbook files install-replica.yml and
uninstall-replica.yml
b29db07c3b3d8937f53684fdbba985fec525d69d by Christian Heimes
Replace custom file_exists() and dir_exists() functions with proper
functions from Python's stdlib.
The change also gets rid of pylint's invalid bad-python3-import error,
https://github.com/PyCQA/pylint/issues/1565
options.kasp_db_file is used in dns.install_check if options.dnssec_master
is enabled. kasp_db_file defauts to None and is only a supported option in
the post deployment ipa-dns-install script. Therefore it is suffient to
set it to None.
A new section has been added to configure firewalld automatically as the
last step of the server installation.
A new switch has been added to be able to turn firewalld configuration off:
ipaserver_no_firewalld. It defaults to no.
The client role is used also while installing the server. There has been an
issue where the server installation has not been complete because of a
playbook termination in the client.
This has been fixed and the client and also the server are fully configured
in the server installation.
The roles ipaconf, krb5 and sssd have been using GPLv2+ in the license meta
information while everything else is GPLv3. Therefore the license meta
information has been changed to GPLv3.
The relative import of the distribution specific vars files requires to use
is not working. {{ role_path }} needs to be used to force the load of the
proper files.
