Compare commits
10 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
0ddd62ea01 | ||
|
|
36afd2220e | ||
|
|
2be00c1e0f | ||
|
|
93f9b900c6 | ||
|
|
e5be194d57 | ||
|
|
65fb75feaf | ||
|
|
d08291bec4 | ||
|
|
bb9abeec8c | ||
|
|
8c77c34d5f | ||
|
|
12006859d9 |
@@ -1,12 +0,0 @@
|
||||
---
|
||||
krb5_packages: krb5-workstation
|
||||
krb5_conf: /etc/krb5.conf
|
||||
krb5_conf_d: /etc/krb5.conf.d/ # paths.COMMON_KRB5_CONF_DIR
|
||||
krb5_include_d: /var/lib/sss/pubconf/krb5.include.d/ # paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR
|
||||
|
||||
krb5_realm:
|
||||
krb5_servers:
|
||||
krb5_dns_lookup_realm: "false"
|
||||
krb5_dns_lookup_kdc: "false"
|
||||
krb5_no_default_domain: "false"
|
||||
krb5_default_ccache_name: KEYRING:persistent:%{uid}
|
||||
@@ -1,12 +0,0 @@
|
||||
galaxy_info:
|
||||
author: Thomas Woerner
|
||||
description: A role to configure krb5
|
||||
company: Red Hat, Inc
|
||||
|
||||
license: GPLv3
|
||||
|
||||
min_ansible_version: 2.0
|
||||
|
||||
galaxy_tags: [ 'identity', 'ipa']
|
||||
|
||||
dependencies: []
|
||||
@@ -1,22 +0,0 @@
|
||||
---
|
||||
- name: Install {{ krb5_packages }}
|
||||
package: name="{{ item }}" state=present
|
||||
with_items: "{{ krb5_packages }}"
|
||||
|
||||
- name: Install - Create ipabkp of krb5.conf
|
||||
copy: src="{{ krb5_conf }}" dest="{{ krb5_conf }}".ipabkp
|
||||
failed_when: false
|
||||
|
||||
- name: Install - Backup krb5.conf
|
||||
ipaclient_fstore:
|
||||
backup: "{{ krb5_conf }}"
|
||||
|
||||
- name: Template krb5.conf
|
||||
template:
|
||||
src: krb5.conf.j2
|
||||
dest: "{{ krb5_conf }}"
|
||||
backup: no
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
force: yes
|
||||
@@ -1,39 +0,0 @@
|
||||
includedir {{ krb5_conf_d }}
|
||||
includedir {{ krb5_include_d }}
|
||||
|
||||
[libdefaults]
|
||||
default_realm = {{ krb5_realm | upper }}
|
||||
dns_lookup_realm = {{ krb5_dns_lookup_realm }}
|
||||
dns_lookup_kdc = {{ krb5_dns_lookup_kdc }}
|
||||
rdns = false
|
||||
{% if krb5_dns_canonicalize_hostname is defined %}
|
||||
dns_canonicalize_hostname = {{ krb5_dns_canonicalize_hostname }}
|
||||
{% endif %}
|
||||
ticket_lifetime = 24h
|
||||
forwardable = true
|
||||
udp_preference_limit = 0
|
||||
default_ccache_name = {{ krb5_default_ccache_name }}
|
||||
|
||||
[realms]
|
||||
{{ krb5_realm | upper }} = {
|
||||
{% for server in krb5_servers %}
|
||||
kdc = {{ server }}:88
|
||||
master_kdc = {{ server }}:88
|
||||
admin_server = {{ server }}:749
|
||||
kpasswd_server = {{ server }}:464
|
||||
{% endfor %}
|
||||
{% if krb5_default_domain | bool %}
|
||||
default_domain = {{ krb5_realm | lower }}
|
||||
{% endif %}
|
||||
{% if krb5_pkinit_anchors is defined %}
|
||||
pkinit_anchors = {{ krb5_pkinit_anchors }}
|
||||
{% endif %}
|
||||
{% if krb5_pkinit_pool is defined %}
|
||||
pkinit_pool = {{ krb5_pkinit_pool }}
|
||||
{% endif %}
|
||||
}
|
||||
|
||||
[domain_realm]
|
||||
.{{ krb5_realm | lower }} = {{ krb5_realm | upper }}
|
||||
{{ krb5_realm | lower }} = {{ krb5_realm | upper }}
|
||||
{{ ansible_host | lower }} = {{ krb5_realm | upper }}
|
||||
@@ -1,2 +0,0 @@
|
||||
krb5_packages:
|
||||
- krb5-workstation
|
||||
@@ -1,13 +0,0 @@
|
||||
---
|
||||
sssd_conf: /etc/sssd/sssd.conf
|
||||
sssd_packages: sssd, libselinux-python
|
||||
sssd_on_master: "false"
|
||||
sssd_domains:
|
||||
sssd_id_provider:
|
||||
sssd_auth_provider:
|
||||
sssd_access_provider:
|
||||
sssd_chpass_provider:
|
||||
sssd_cache_credentials: False
|
||||
sssd_krb5_offline_passwords: False
|
||||
sssd_ipa_servers:
|
||||
sssd_services:
|
||||
@@ -1,12 +0,0 @@
|
||||
galaxy_info:
|
||||
author: Thomas Woerner
|
||||
description: A role to configure sssd for IPA
|
||||
company: Red Hat, Inc
|
||||
|
||||
license: GPLv3
|
||||
|
||||
min_ansible_version: 2.0
|
||||
|
||||
galaxy_tags: [ 'identity', 'ipa']
|
||||
|
||||
dependencies: []
|
||||
@@ -1,27 +0,0 @@
|
||||
---
|
||||
- name: Install {{ sssd_packages }}
|
||||
package: name="{{ item }}" state=present
|
||||
with_items: "{{ sssd_packages }}"
|
||||
|
||||
# No backup in ipa-client-install mode
|
||||
#- name: Backup {{ sssd_conf }}
|
||||
# copy:
|
||||
# src: "{{ sssd_conf }}"
|
||||
# dest: "{{ sssd_conf }}.bkp"
|
||||
# force: no
|
||||
|
||||
- name: Template sssd.conf
|
||||
template:
|
||||
src: sssd.conf.j2
|
||||
dest: "{{ sssd_conf }}"
|
||||
backup: no
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0600
|
||||
force: yes
|
||||
|
||||
#- name: Enable and start sssd
|
||||
# service:
|
||||
# name: sssd
|
||||
# state: restarted
|
||||
# enabled: yes
|
||||
@@ -1,34 +0,0 @@
|
||||
[domain/{{ sssd_domains }}]
|
||||
cache_credentials = {{ sssd_cache_credentials }}
|
||||
krb5_store_password_if_offline = {{ sssd_krb5_offline_passwords }}
|
||||
ipa_domain = {{ sssd_domains }}
|
||||
id_provider = {{ sssd_id_provider }}
|
||||
auth_provider = {{ sssd_auth_provider }}
|
||||
access_provider = {{ sssd_access_provider }}
|
||||
ipa_hostname = {{ ansible_host }}
|
||||
chpass_provider = {{ sssd_chpass_provider }}
|
||||
{% if sssd_on_master | bool %}
|
||||
ipa_server = {{ sssd_ipa_servers | join(", ") }}
|
||||
ipa_server_mode = True
|
||||
{% else %}
|
||||
{% if sssd_domains != ansible_domain %}
|
||||
dns_discovery_domain = sssd_domains
|
||||
{% endif %}
|
||||
ipa_server = _srv_, {{ sssd_ipa_servers | join(", ")}}
|
||||
{% endif %}
|
||||
ldap_tls_cacert = /etc/ipa/ca.crt
|
||||
|
||||
{% if sssd_on_master | bool %}
|
||||
{% set sssd_services = sssd_services + ", ifp" %}
|
||||
{% endif %}
|
||||
[sssd]
|
||||
services = {{ sssd_services }}
|
||||
domains = {{ sssd_domains }}
|
||||
|
||||
{% for service in sssd_services.split(',') %}
|
||||
[{{ service | trim }}]
|
||||
{% if service | trim == "nss" %}
|
||||
homedir_substring = /home
|
||||
{% endif %}
|
||||
|
||||
{% endfor %}
|
||||
@@ -1,4 +0,0 @@
|
||||
sssd_packages:
|
||||
- sssd
|
||||
- sssd-ipa
|
||||
- sssd-krb5
|
||||
@@ -117,7 +117,7 @@ KRB5CONF_TEMPLATE = """
|
||||
|
||||
[domain_realm]
|
||||
.{{ ipa_domain }} = {{ ipa_realm }}
|
||||
{{ ipa_domain }} = {{ ipa_realm}}
|
||||
{{ ipa_domain }} = {{ ipa_realm }}
|
||||
"""
|
||||
|
||||
class ActionModule(ActionBase):
|
||||
|
||||
@@ -1,24 +1,20 @@
|
||||
dependencies: []
|
||||
|
||||
galaxy_info:
|
||||
author: Florence Blanc-Renaud, Thomas Woerner
|
||||
description: A role to join a machine to an IPA domain
|
||||
company: Red Hat, Inc
|
||||
|
||||
# issue_tracker_url: http://example.com/issue/tracker
|
||||
|
||||
license: GPLv3
|
||||
|
||||
min_ansible_version: 2.3.1
|
||||
|
||||
#github_branch:
|
||||
|
||||
min_ansible_version: 2.5.0
|
||||
platforms:
|
||||
- name: Fedora
|
||||
versions:
|
||||
- 25
|
||||
- name: rhel
|
||||
- all
|
||||
- name: EL
|
||||
versions:
|
||||
- 7
|
||||
|
||||
galaxy_tags: [ 'identity', 'ipa']
|
||||
|
||||
dependencies: []
|
||||
# - 8
|
||||
galaxy_tags:
|
||||
- identity
|
||||
- ipa
|
||||
- freeipa
|
||||
|
||||
@@ -9,7 +9,7 @@
|
||||
when: ipaclient_install_packages | bool
|
||||
|
||||
- name: Install - Include Python2/3 import test
|
||||
import_tasks: "{{role_path}}/tasks/python_2_3_test.yml"
|
||||
import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
|
||||
|
||||
- name: Install - Set ipaclient_servers
|
||||
set_fact:
|
||||
@@ -19,9 +19,11 @@
|
||||
- name: Install - Set ipaclient_servers from cluster inventory
|
||||
set_fact:
|
||||
ipaclient_servers: "{{ groups['ipaserver'] | list }}"
|
||||
when: ipaclient_no_dns_lookup | bool and groups.ipaserver is defined and ipaclient_servers is not defined
|
||||
when: ipaclient_no_dns_lookup | bool and groups.ipaserver is defined and
|
||||
ipaclient_servers is not defined
|
||||
|
||||
- fail: msg="ipaadmin_principal and ipaadmin_keytab cannot be used together"
|
||||
- name: Install - Check that either principal or keytab is set
|
||||
fail: msg="ipaadmin_principal and ipaadmin_keytab cannot be used together"
|
||||
when: ipaadmin_keytab is defined and ipaadmin_principal is defined
|
||||
|
||||
- name: Install - Set default principal if no keytab is given
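Review bot: The new task name `Install - Check that either principal or keytab is set` describes the opposite of what the task enforces: the `when:` beneath it fires when `ipaadmin_keytab` and `ipaadmin_principal` are both defined, and the fail message says they cannot be used together. A name that matches the condition keeps the `ansible-playbook` output from misleading the operator who hits this failure, e.g. `- name: Install - Check that principal and keytab are not both set`. The enclosing task list continues outside the hunk.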
|
||||
@@ -65,7 +67,7 @@
|
||||
ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
|
||||
ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
|
||||
no_ntp: "{{ ipaclient_no_ntp }}"
|
||||
#force_ntpd: "{{ ipaclient_force_ntpd }}"
|
||||
# force_ntpd: "{{ ipaclient_force_ntpd }}"
|
||||
on_master: "{{ ipaclient_on_master }}"
|
||||
### additional ###
|
||||
servers: "{{ result_ipaclient_test.servers }}"
|
||||
@@ -81,11 +83,13 @@
|
||||
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
|
||||
register: result_ipaclient_test_keytab
|
||||
|
||||
- name: Install - Disable One-Time Password for client with working krb5.keytab
|
||||
- name: Install - Disable One-Time Password for client with working
|
||||
krb5.keytab
|
||||
set_fact:
|
||||
ipaclient_use_otp: "no"
|
||||
when: ipaclient_use_otp | bool and result_ipaclient_test_keytab.krb5_keytab_ok and not ipaclient_force_join | bool
|
||||
|
||||
when: ipaclient_use_otp | bool and
|
||||
result_ipaclient_test_keytab.krb5_keytab_ok and
|
||||
not ipaclient_force_join | bool
|
||||
|
||||
# The following block is executed when using OTP to enroll IPA client
|
||||
# ie when ipaclient_use_otp is set.
|
||||
@@ -94,7 +98,8 @@
|
||||
# If a keytab is specified in the hostent, then the hostent will be disabled
|
||||
# if ipaclient_use_otp is set.
|
||||
- block:
|
||||
- fail: msg="Keytab or password is required for otp"
|
||||
- name: Install - Keytab or password is required for otp
|
||||
fail: msg="Keytab or password is required for otp"
|
||||
when: ipaadmin_keytab is undefined and ipaadmin_password is undefined
|
||||
|
||||
- name: Install - Save client ansible_python_interpreter setting
|
||||
@@ -102,11 +107,11 @@
|
||||
ipaclient_ansible_python_interpreter: "{{ ansible_python_interpreter }}"
|
||||
|
||||
- name: Install - Include Python2/3 import test
|
||||
import_tasks: "{{role_path}}/tasks/python_2_3_test.yml"
|
||||
import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
|
||||
delegate_to: "{{ result_ipaclient_test.servers[0] }}"
|
||||
|
||||
- name: Install - Get One-Time Password for client enrollment
|
||||
#no_log: yes
|
||||
no_log: yes
|
||||
ipaclient_get_otp:
|
||||
state: present
|
||||
principal: "{{ ipaadmin_principal | default('admin') }}"
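Review bot: Enabling `no_log: yes` on the `ipaclient_get_otp` task is the right fix for the enrollment OTP showing up in task output, but it is written with the YAML 1.1 truthy `yes` while the rest of this file coerces booleans explicitly with `| bool`; `no_log: true` is the form Ansible style and yamllint's `truthy` rule accept. Note that `no_log` only hides this task's own result: the registered variable (`register: result_ipaclient_get_otp` in the following hunk) still holds `host.randompassword` as a host variable for the rest of the play, so any later `debug:` or verbose dump of that variable would still print the OTP. The task's remaining arguments are outside the hunk.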
|
||||
@@ -119,14 +124,17 @@
|
||||
register: result_ipaclient_get_otp
|
||||
# If the host is already enrolled, this command will exit on error
|
||||
# The error can be ignored
|
||||
failed_when: result_ipaclient_get_otp is failed and "Password cannot be set on enrolled host" not in result_ipaclient_get_otp.msg
|
||||
failed_when: result_ipaclient_get_otp is failed and
|
||||
"Password cannot be set on enrolled host" not
|
||||
in result_ipaclient_get_otp.msg
|
||||
delegate_to: "{{ result_ipaclient_test.servers[0] }}"
|
||||
delegate_facts: True
|
||||
delegate_facts: yes
|
||||
|
||||
- name: Install - Store the previously obtained OTP
|
||||
no_log: yes
|
||||
set_fact:
|
||||
ipaadmin_password: "{{ result_ipaclient_get_otp.host.randompassword if result_ipaclient_get_otp.host is defined }}"
|
||||
ipaadmin_password: "{{ result_ipaclient_get_otp.host.randompassword
|
||||
if result_ipaclient_get_otp.host is defined }}"
|
||||
|
||||
- name: Install - Restore client ansible_python_interpreter setting
|
||||
set_fact:
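Review bot: The rewrapped `ipaadmin_password` expression at the end of the hunk is an inline `if` with no `else`; when `result_ipaclient_get_otp.host` is undefined, which the `failed_when` above deliberately tolerates for a host that is already enrolled, Jinja2 as far as I can tell renders the missing branch as an empty string, so `set_fact` silently replaces any `ipaadmin_password` the operator supplied with `""`. Nothing visible in this hunk restores the value, so later join steps would run with an empty password rather than a clear error. Making the fallthrough explicit keeps the operator's value: `... if result_ipaclient_get_otp.host is defined else ipaadmin_password | default('') }}"`. Separately, `delegate_facts: yes` is rewritten here but kept truthy; `delegate_facts: true` is the canonical form.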
|
||||
@@ -145,11 +153,14 @@
|
||||
|
||||
- name: Install - Check if principal and keytab are set
|
||||
fail: msg="Principal and keytab cannot be used together"
|
||||
when: ipaadmin_principal is defined and ipaadmin_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != ""
|
||||
when: ipaadmin_principal is defined and ipaadmin_principal|length > 0
|
||||
and ipaclient_keytab is defined and ipaclient_keytab|length > 0
|
||||
|
||||
- name: Install - Check if one of password and keytab are set
|
||||
fail: msg="At least one of password or keytab must be specified"
|
||||
when: not result_ipaclient_test_keytab.krb5_keytab_ok and (ipaadmin_password is undefined or ipaadmin_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")
|
||||
when: not result_ipaclient_test_keytab.krb5_keytab_ok and
|
||||
(ipaadmin_password is undefined or ipaadmin_password|length == 0)
|
||||
and (ipaclient_keytab is undefined or ipaclient_keytab|lenth == 0)
|
||||
when: not ipaclient_on_master | bool
|
||||
|
||||
- name: Install - Purge {{ result_ipaclient_test.realm }} from host keytab
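Review bot: The rewritten `when:` on `Install - Check if one of password and keytab are set` contains the typo `ipaclient_keytab|lenth == 0`; there is no `lenth` filter, so Jinja2 raises as soon as the condition is compiled. It has presumably gone unnoticed because the same task appears to carry a second `when:` key (`when: not ipaclient_on_master | bool`) immediately after it, and Ansible's loader keeps only the last duplicate key, which means the credential check is silently discarded and a host with no working keytab, no password and no keytab file proceeds straight to the join step. Fixing the filter name and merging the two conditions into one expression resolves both; the purge task that follows starts a new list entry and is unaffected.
```yaml
- name: Install - Check if one of password and keytab are set
  fail: msg="At least one of password or keytab must be specified"
  when: not ipaclient_on_master | bool and
        not result_ipaclient_test_keytab.krb5_keytab_ok and
        (ipaadmin_password is undefined or ipaadmin_password|length == 0)
        and (ipaclient_keytab is undefined or ipaclient_keytab|length == 0)
```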
|
||||
@@ -161,7 +172,8 @@
|
||||
# Do not fail on error codes 3 and 5:
|
||||
# 3 - Unable to open keytab
|
||||
# 5 - Principal name or realm not found in keytab
|
||||
failed_when: result_ipa_rmkeytab.rc != 0 and result_ipa_rmkeytab.rc != 3 and result_ipa_rmkeytab.rc != 5
|
||||
failed_when: result_ipa_rmkeytab.rc != 0 and
|
||||
result_ipa_rmkeytab.rc != 3 and result_ipa_rmkeytab.rc != 5
|
||||
when: ipaclient_use_otp | bool or ipaclient_force_join | bool
|
||||
|
||||
- name: Install - Backup and set hostname
|
||||
@@ -178,25 +190,36 @@
|
||||
basedn: "{{ result_ipaclient_test.basedn }}"
|
||||
hostname: "{{ result_ipaclient_test.hostname }}"
|
||||
force_join: "{{ ipaclient_force_join | default(omit) }}"
|
||||
principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool and ipaclient_keytab is not defined else '' }}"
|
||||
principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool and
|
||||
ipaclient_keytab is not defined else '' }}"
|
||||
password: "{{ ipaadmin_password | default(omit) }}"
|
||||
keytab: "{{ ipaclient_keytab | default(omit) }}"
|
||||
#ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
|
||||
# ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
|
||||
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
|
||||
register: result_ipaclient_join
|
||||
when: not ipaclient_on_master | bool and (not result_ipaclient_test_keytab.krb5_keytab_ok or ipaclient_force_join)
|
||||
when: not ipaclient_on_master | bool and
|
||||
(not result_ipaclient_test_keytab.krb5_keytab_ok or
|
||||
ipaclient_force_join)
|
||||
|
||||
- block:
|
||||
- fail:
|
||||
msg: "The krb5 configuration is not correct, please enable allow_repair to fix this."
|
||||
msg: >
|
||||
The krb5 configuration is not correct, please enable allow_repair
|
||||
to fix this.
|
||||
when: not result_ipaclient_test_keytab.krb5_conf_ok
|
||||
- fail:
|
||||
msg: "The IPA test failed, please enable allow_repair to fix this."
|
||||
when: not result_ipaclient_test_keytab.ping_test_ok
|
||||
- fail:
|
||||
msg: "The ca.crt file is missing, please enable allow_repair to fix this."
|
||||
msg: >
|
||||
The ca.crt file is missing, please enable allow_repair to fix this.
|
||||
when: not result_ipaclient_test_keytab.ca_crt_exists
|
||||
when: not ipaclient_on_master | bool and not result_ipaclient_join.changed and not ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (result_ipaclient_join.already_joined is defined and result_ipaclient_join.already_joined))
|
||||
when: not ipaclient_on_master | bool and
|
||||
not result_ipaclient_join.changed and
|
||||
not ipaclient_allow_repair | bool and
|
||||
(result_ipaclient_test_keytab.krb5_keytab_ok or
|
||||
(result_ipaclient_join.already_joined is defined and
|
||||
result_ipaclient_join.already_joined))
|
||||
|
||||
- block:
|
||||
- name: Install - Configure IPA default.conf
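Review bot: In the rewrapped `when:` of the `ipaclient_join` task, `ipaclient_force_join` is evaluated bare (`... or ipaclient_force_join)`), whereas every other use in this file, including `not ipaclient_force_join | bool` in the earlier OTP hunk, coerces it with `| bool`. A value supplied as a plain string (for example `-e ipaclient_force_join=no` on the command line) is truthy as a non-empty string, so the host would be forcibly re-joined even though the operator disabled it; the wrap-only edit was the moment to align it: `ipaclient_force_join | bool)`. The `- block:` of repair messages that follows reads fine as folded scalars, and the task list continues outside the hunk.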
|
||||
@@ -236,7 +259,7 @@
|
||||
hostname: "{{ result_ipaclient_test.hostname }}"
|
||||
sssd: "{{ result_ipaclient_test.sssd }}"
|
||||
force: "{{ ipaclient_force }}"
|
||||
#on_master: "{{ ipaclient_on_master }}"
|
||||
# on_master: "{{ ipaclient_on_master }}"
|
||||
when: not ipaclient_on_master | bool
|
||||
|
||||
- name: Install - IPA API calls for remaining enrollment parts
|
||||
@@ -244,7 +267,7 @@
|
||||
servers: "{{ result_ipaclient_test.servers }}"
|
||||
realm: "{{ result_ipaclient_test.realm }}"
|
||||
hostname: "{{ result_ipaclient_test.hostname }}"
|
||||
#debug: yes
|
||||
# debug: yes
|
||||
register: result_ipaclient_api
|
||||
|
||||
- name: Install - Fix IPA ca
|
||||
@@ -253,7 +276,9 @@
|
||||
realm: "{{ result_ipaclient_test.realm }}"
|
||||
basedn: "{{ result_ipaclient_test.basedn }}"
|
||||
allow_repair: "{{ ipaclient_allow_repair }}"
|
||||
when: not ipaclient_on_master | bool and result_ipaclient_test_keytab.krb5_keytab_ok and not result_ipaclient_test_keytab.ca_crt_exists
|
||||
when: not ipaclient_on_master | bool and
|
||||
result_ipaclient_test_keytab.krb5_keytab_ok and
|
||||
not result_ipaclient_test_keytab.ca_crt_exists
|
||||
|
||||
- name: Install - Create IPA NSS database
|
||||
ipaclient_setup_nss:
|
||||
@@ -302,16 +327,22 @@
|
||||
- name: Install - Configure NIS
|
||||
ipaclient_setup_nis:
|
||||
domain: "{{ result_ipaclient_test.domain }}"
|
||||
nisdomain: "{{ ipaclient_nisdomain | default(omit)}}"
|
||||
nisdomain: "{{ ipaclient_nisdomain | default(omit) }}"
|
||||
when: not ipaclient_no_nisdomain | bool
|
||||
|
||||
when: not (not ipaclient_on_master | bool and not result_ipaclient_join.changed and not ipaclient_allow_repair | bool and (result_ipaclient_test_keytab.krb5_keytab_ok or (result_ipaclient_join.already_joined is defined and result_ipaclient_join.already_joined)))
|
||||
when: not (not ipaclient_on_master | bool and
|
||||
not result_ipaclient_join.changed and
|
||||
not ipaclient_allow_repair | bool
|
||||
and (result_ipaclient_test_keytab.krb5_keytab_ok
|
||||
or (result_ipaclient_join.already_joined is defined
|
||||
and result_ipaclient_join.already_joined)))
|
||||
|
||||
when: not ansible_check_mode and not (result_ipaclient_test.client_already_configured and not ipaclient_allow_repair | bool and not ipaclient_force_join | bool)
|
||||
when: not ansible_check_mode and
|
||||
not (result_ipaclient_test.client_already_configured and
|
||||
not ipaclient_allow_repair | bool and not ipaclient_force_join | bool)
|
||||
|
||||
always:
|
||||
- name: Cleanup leftover ccache
|
||||
file:
|
||||
path: "/etc/ipa/.dns_ccache"
|
||||
state: absent
|
||||
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
---
|
||||
- block:
|
||||
- name: Verify Python3 import
|
||||
script: py3test.py
|
||||
|
||||
@@ -1,8 +1,8 @@
|
||||
---
|
||||
# tasks to uninstall IPA client
|
||||
|
||||
#- name: Uninstall - Include Python2/3 import test
|
||||
# import_tasks: "{{role_path}}/tasks/python_2_3_test.yml"
|
||||
# - name: Uninstall - Include Python2/3 import test
|
||||
# import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
|
||||
|
||||
- name: Uninstall - Uninstall IPA client
|
||||
command: >
|
||||
@@ -14,8 +14,8 @@
|
||||
failed_when: uninstall.rc != 0 and uninstall.rc != 2
|
||||
changed_when: uninstall.rc == 0
|
||||
|
||||
#- name: Remove IPA client package
|
||||
# package:
|
||||
# name: "{{ item }}"
|
||||
# state: absent
|
||||
# with_items: "{{ ipaclient_packages }}"
|
||||
# - name: Remove IPA client package
|
||||
# package:
|
||||
# name: "{{ item }}"
|
||||
# state: absent
|
||||
# with_items: "{{ ipaclient_packages }}"
|
||||
|
||||
@@ -1,8 +0,0 @@
|
||||
---
|
||||
ipaconf_default_conf: /etc/ipa/default.conf
|
||||
|
||||
ipaconf_basedn:
|
||||
ipaconf_realm:
|
||||
ipaconf_domain:
|
||||
ipaconf_server:
|
||||
ipaconf_hostname:
|
||||
@@ -1,12 +0,0 @@
|
||||
galaxy_info:
|
||||
author: Thomas Woerner
|
||||
description: A role to configure IPA default.conf
|
||||
company: Red Hat, Inc
|
||||
|
||||
license: GPLv3
|
||||
|
||||
min_ansible_version: 2.0
|
||||
|
||||
galaxy_tags: [ 'identity', 'ipa']
|
||||
|
||||
dependencies: []
|
||||
@@ -1,13 +0,0 @@
|
||||
---
|
||||
- name: Backup IPA default.conf
|
||||
ipaclient_fstore:
|
||||
backup: "{{ ipaconf_default_conf }}"
|
||||
|
||||
- name: Template IPA default.conf
|
||||
template:
|
||||
src: default.conf.j2
|
||||
dest: "{{ ipaconf_default_conf }}"
|
||||
backup: yes
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
@@ -1,8 +0,0 @@
|
||||
[global]
|
||||
basedn = {{ ipaconf_basedn }}
|
||||
realm = {{ ipaconf_realm }}
|
||||
domain = {{ ipaconf_domain }}
|
||||
server = {{ ipaconf_server }}
|
||||
host = {{ ipaconf_hostname }}
|
||||
xmlrpc_uri = {{ 'https://' + ipaconf_server + '/ipa/xml' }}
|
||||
enable_ra = True
|
||||
@@ -1,2 +0,0 @@
|
||||
krb5_packages:
|
||||
- krb5-workstation
|
||||
@@ -1,27 +1,21 @@
|
||||
# dependencies:
|
||||
# - role: t_woerner.ipaclient
|
||||
|
||||
galaxy_info:
|
||||
author: Thomas Woerner
|
||||
description: A role to setup an IPA domain replica
|
||||
company: Red Hat, Inc
|
||||
|
||||
# issue_tracker_url: http://example.com/issue/tracker
|
||||
|
||||
license: GPLv3
|
||||
|
||||
min_ansible_version: 2.0
|
||||
|
||||
#github_branch:
|
||||
|
||||
min_ansible_version: 2.5
|
||||
platforms:
|
||||
- name: Fedora
|
||||
versions:
|
||||
- 25
|
||||
- 26
|
||||
- 27
|
||||
- name: rhel
|
||||
- all
|
||||
- name: EL
|
||||
versions:
|
||||
- 7.3
|
||||
- 7.4
|
||||
|
||||
galaxy_tags: [ 'identity', 'ipa']
|
||||
|
||||
dependencies: []
|
||||
- 7
|
||||
# - 8
|
||||
galaxy_tags:
|
||||
- identity
|
||||
- ipa
|
||||
- freeipa
|
||||
|
||||
@@ -26,7 +26,7 @@
|
||||
when: ipareplica_install_packages | bool
|
||||
|
||||
- name: Install - Include Python2/3 import test
|
||||
import_tasks: "{{role_path}}/tasks/python_2_3_test.yml"
|
||||
import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
|
||||
|
||||
- name: Install - Set default principal if no keytab is given
|
||||
set_fact:
|
||||
@@ -36,11 +36,13 @@
|
||||
- name: Install - Replica installation test
|
||||
ipareplica_test:
|
||||
### basic ###
|
||||
#dm_password: "{{ ipadm_password | default(omit) }}"
|
||||
#password: "{{ ipaadmin_password | default(omit) }}"
|
||||
# dm_password: "{{ ipadm_password | default(omit) }}"
|
||||
# password: "{{ ipaadmin_password | default(omit) }}"
|
||||
ip_addresses: "{{ ipareplica_ip_addresses | default([]) }}"
|
||||
domain: "{{ ipareplica_domain | default(ipaserver_domain) | default(omit) }}"
|
||||
servers: "{{ groups.ipaservers | default(groups.ipaserver) | default(omit) }}"
|
||||
domain: "{{ ipareplica_domain | default(ipaserver_domain) |
|
||||
default(omit) }}"
|
||||
servers: "{{ groups.ipaservers | default(groups.ipaserver) |
|
||||
default(omit) }}"
|
||||
realm: "{{ ipareplica_realm | default(omit) }}"
|
||||
hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}"
|
||||
ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
|
||||
@@ -83,15 +85,8 @@
|
||||
ipaclient_realm: "{{ result_ipareplica_test.realm }}"
|
||||
ipaclient_servers: ["{{ result_ipareplica_test.server }}"]
|
||||
ipaclient_hostname: "{{ result_ipareplica_test.hostname }}"
|
||||
#ipaclient_keytab: "{{ ipaclient_keytab }}"
|
||||
#ipaclient_mkhomedir: "{{ ipaclient_mkhomedir }}"
|
||||
#ipaclient_force_join: "{{ ipaclient_force_join }}"
|
||||
##ipaclient_no_ntp: "{{ ipaclient_no_ntp }}"
|
||||
ipaclient_no_ntp: "{{ result_ipareplica_test.ipa_python_version < 40690 }}"
|
||||
#ipaclient_ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}"
|
||||
##ipaclient_no_ssh: "{{ ipaclient_no_ssh }}"
|
||||
##ipaclient_no_sshd: "{{ ipaclient_no_sshd }}"
|
||||
##ipaclient_no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
|
||||
ipaclient_no_ntp: "{{ result_ipareplica_test.ipa_python_version
|
||||
< 40690 }}"
|
||||
ipaclient_install_packages: "{{ ipareplica_install_packages }}"
|
||||
when: not result_ipareplica_test.client_enrolled
|
||||
|
||||
@@ -173,7 +168,8 @@
|
||||
### server ###
|
||||
setup_kra: "{{ result_ipareplica_test.setup_kra }}"
|
||||
### additional ###
|
||||
config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
|
||||
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
|
||||
@@ -189,7 +185,8 @@
|
||||
- name: Install - Set dirman password
|
||||
no_log: yes
|
||||
set_fact:
|
||||
ipareplica_dirman_password: "{{ result_ipareplica_master_password.password }}"
|
||||
ipareplica_dirman_password:
|
||||
"{{ result_ipareplica_master_password.password }}"
|
||||
|
||||
- name: Install - Setup certmonger
|
||||
ipareplica_setup_certmonger:
|
||||
@@ -234,7 +231,8 @@
|
||||
_subject_base: "{{ result_ipareplica_prepare._subject_base }}"
|
||||
dirman_password: "{{ ipareplica_dirman_password }}"
|
||||
config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
|
||||
config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
|
||||
config_ips: "{{ result_ipareplica_prepare.config_ips }}"
|
||||
register: result_ipareplica_install_ca_certs
|
||||
@@ -280,7 +278,8 @@
|
||||
_subject_base: "{{ result_ipareplica_prepare._subject_base }}"
|
||||
dirman_password: "{{ ipareplica_dirman_password }}"
|
||||
config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
|
||||
config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
|
||||
config_ips: "{{ result_ipareplica_prepare.config_ips }}"
|
||||
register: result_ipareplica_setup_ds
|
||||
@@ -310,7 +309,8 @@
|
||||
secondary_rid_base: "{{ ipareplica_secondary_rid_base | default(omit) }}"
|
||||
### additional ###
|
||||
server: "{{ result_ipareplica_test.server }}"
|
||||
config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
|
||||
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
|
||||
@@ -334,7 +334,8 @@
|
||||
### certificate system ###
|
||||
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
|
||||
### additional ###
|
||||
config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
|
||||
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
|
||||
@@ -349,7 +350,8 @@
|
||||
### certificate system ###
|
||||
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
|
||||
### additional ###
|
||||
config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
|
||||
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
|
||||
@@ -368,7 +370,8 @@
|
||||
### certificate system ###
|
||||
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
|
||||
### additional ###
|
||||
config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
|
||||
@@ -387,7 +390,8 @@
|
||||
### certificate system ###
|
||||
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
|
||||
### additional ###
|
||||
config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
|
||||
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
|
||||
@@ -404,7 +408,8 @@
|
||||
### certificate system ###
|
||||
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
|
||||
### additional ###
|
||||
config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
|
||||
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
|
||||
@@ -431,8 +436,10 @@
|
||||
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
|
||||
dirman_password: "{{ ipareplica_dirman_password }}"
|
||||
config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
|
||||
config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_ca_host_name: "{{ result_ipareplica_install_ca_certs.config_ca_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_ca_host_name:
|
||||
"{{ result_ipareplica_install_ca_certs.config_ca_host_name }}"
|
||||
config_ips: "{{ result_ipareplica_prepare.config_ips }}"
|
||||
when: result_ipareplica_prepare._ca_enabled
|
||||
|
||||
@@ -442,11 +449,12 @@
|
||||
setup_ca: "{{ ipareplica_setup_ca }}"
|
||||
setup_kra: "{{ result_ipareplica_test.setup_kra }}"
|
||||
no_pkinit: "{{ ipareplica_no_pkinit }}"
|
||||
#no_ui_redirect: "{{ ipareplica_no_ui_redirect }}"
|
||||
# no_ui_redirect: "{{ ipareplica_no_ui_redirect }}"
|
||||
### certificate system ###
|
||||
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
|
||||
### additional ###
|
||||
config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
|
||||
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
|
||||
@@ -465,7 +473,8 @@
|
||||
### certificate system ###
|
||||
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
|
||||
### additional ###
|
||||
config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
|
||||
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
|
||||
@@ -498,7 +507,8 @@
|
||||
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
|
||||
### additional ###
|
||||
server: "{{ result_ipareplica_test.server }}"
|
||||
config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
|
||||
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
|
||||
@@ -522,11 +532,12 @@
|
||||
### certificate system ###
|
||||
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
|
||||
### additional ###
|
||||
config_master_host_name: "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
|
||||
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
|
||||
#_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
|
||||
# _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info }}"
|
||||
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
|
||||
dirman_password: "{{ ipareplica_dirman_password }}"
|
||||
|
||||
@@ -540,7 +551,8 @@
|
||||
### certificate system ###
|
||||
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
|
||||
### additional ###
|
||||
config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
|
||||
@@ -560,7 +572,8 @@
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
|
||||
config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
|
||||
config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
|
||||
- name: Install - Promote openldap.conf
|
||||
ipareplica_promote_openldap_conf:
|
||||
@@ -572,7 +585,8 @@
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
|
||||
config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
|
||||
config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
|
||||
- name: Install - Setup DNS
|
||||
ipareplica_setup_dns:
|
||||
@@ -585,13 +599,16 @@
|
||||
### dns ###
|
||||
zonemgr: "{{ ipareplica_zonemgr | default(omit) }}"
|
||||
forwarders: "{{ ipareplica_forwarders | default([]) }}"
|
||||
forward_policy: "{{ result_ipareplica_prepare.forward_policy if result_ipareplica_prepare.forward_policy is not none else omit }}"
|
||||
forward_policy: "{{ result_ipareplica_prepare.forward_policy if
|
||||
result_ipareplica_prepare.forward_policy is
|
||||
not none else omit }}"
|
||||
no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
|
||||
### additional ###
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
|
||||
setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
|
||||
config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
|
||||
- name: Install - Setup adtrust
|
||||
ipareplica_setup_adtrust:
|
||||
@@ -607,13 +624,16 @@
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
|
||||
setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
|
||||
config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
adtrust_netbios_name: "{{ result_ipareplica_prepare.adtrust_netbios_name }}"
|
||||
adtrust_reset_netbios_name: "{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
adtrust_netbios_name:
|
||||
"{{ result_ipareplica_prepare.adtrust_netbios_name }}"
|
||||
adtrust_reset_netbios_name:
|
||||
"{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}"
|
||||
when: result_ipareplica_test.setup_adtrust
|
||||
|
||||
#- name: Install - Disconnect backend
|
||||
# ipareplica_backend_disconnect:
|
||||
# - name: Install - Disconnect backend
|
||||
# ipareplica_backend_disconnect:
|
||||
|
||||
- name: Install - Enable IPA
|
||||
ipareplica_enable_ipa:
|
||||
@@ -624,7 +644,8 @@
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
|
||||
setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
|
||||
config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
register: result_ipareplica_enable_ipa
|
||||
|
||||
- name: Install - Cleanup root IPA cache
|
||||
@@ -633,4 +654,6 @@
|
||||
state: absent
|
||||
when: result_ipareplica_enable_ipa.changed
|
||||
|
||||
when: not ansible_check_mode and not (result_ipareplica_test.client_already_configured is defined or result_ipareplica_test.server_already_configured is defined)
|
||||
when: not ansible_check_mode and
|
||||
not (result_ipareplica_test.client_already_configured is defined or
|
||||
result_ipareplica_test.server_already_configured is defined)
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
---
|
||||
- block:
|
||||
- name: Verify Python3 import
|
||||
script: py3test.py
|
||||
@@ -13,7 +14,8 @@
|
||||
|
||||
- name: Fail for IPA 4.5.90
|
||||
fail: msg="You need to install python2 bindings for ipa server usage"
|
||||
when: result_py3test.rc != 0 and "not usable with python3" in result_py3test.stdout
|
||||
when: result_py3test.rc != 0 and "not usable with python3" in
|
||||
result_py3test.stdout
|
||||
|
||||
- name: Set python interpreter to 2
|
||||
set_fact:
|
||||
|
||||
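Review bot: The `when:` in the second hunk is now a plain scalar continued on a second line; YAML folds the two lines into one expression, so it evaluates as before, but the join is implicit and the continuation only stays part of the condition while it is indented deeper than `when:` and does not start with `#` or contain `: `. Ansible's list form needs no folding and makes the conjunction explicit: `when:` / `- result_py3test.rc != 0` / `- '"not usable with python3" in result_py3test.stdout'`. The same plain-scalar wrapping is used in the identical ipaserver python_2_3_test.yml hunk further down and for the long `when:` conditions in the ipaserver install.yml section (`Install - Setup NTP` and the block-level `when:` at its end); the replica install.yml section above starts before this view, so it is not covered here.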
@@ -1,22 +1,26 @@
|
||||
---
|
||||
# tasks to uninstall IPA replica
|
||||
|
||||
#- name: Uninstall - Include Python2/3 import test
|
||||
# import_tasks: "{{role_path}}/tasks/python_2_3_test.yml"
|
||||
# - name: Uninstall - Include Python2/3 import test
|
||||
# import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
|
||||
|
||||
- name: Uninstall - Uninstall IPA replica
|
||||
command: >
|
||||
/usr/sbin/ipa-server-install
|
||||
--uninstall
|
||||
-U
|
||||
{{ "--ignore-topology-disconnect" if ipareplica_ignore_topology_disconnect | bool else "" }}
|
||||
{{ "--ignore-last-of-role" if ipareplica_ignore_last_of_role | bool else "" }}
|
||||
{{ "--ignore-topology-disconnect" if
|
||||
ipareplica_ignore_topology_disconnect | bool else "" }}
|
||||
{{ "--ignore-last-of-role" if ipareplica_ignore_last_of_role | bool
|
||||
else "" }}
|
||||
register: result_uninstall
|
||||
# 2 means that uninstall failed because IPA replica was not configured
|
||||
failed_when: result_uninstall.rc != 0 and "'Env' object has no attribute 'basedn'" not in result_uninstall.stderr
|
||||
#IPA server is not configured on this system" not in result_uninstall.stdout_lines
|
||||
#changed_when: result_uninstall.rc == 0
|
||||
#until: result_uninstall.rc == 0
|
||||
failed_when: result_uninstall.rc != 0 and "'Env' object
|
||||
has no attribute 'basedn'" not in result_uninstall.stderr
|
||||
# IPA server is not configured on this system" not in
|
||||
# result_uninstall.stdout_lines
|
||||
# changed_when: result_uninstall.rc == 0
|
||||
# until: result_uninstall.rc == 0
|
||||
retries: 2
|
||||
delay: 1
|
||||
|
||||
@@ -30,8 +34,8 @@
|
||||
failed_when: False
|
||||
delegate_to: "{{ groups.ipaserver[0] | default(fail) }}"
|
||||
|
||||
#- name: Remove IPA replica packages
|
||||
# package:
|
||||
# name: "{{ item }}"
|
||||
# state: absent
|
||||
# with_items: "{{ ipareplica_packages }}"
|
||||
# - name: Remove IPA replica packages
|
||||
# package:
|
||||
# name: "{{ item }}"
|
||||
# state: absent
|
||||
# with_items: "{{ ipareplica_packages }}"
|
||||
|
||||
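Review bot: The rewrapped `failed_when` in the first hunk breaks the line inside the Jinja string literal, after `"'Env' object`, so the matched text `'Env' object has no attribute 'basedn'` is only preserved because plain-scalar folding rejoins the two lines with a single space; a reader cannot tell from the source that the literal is unchanged, and the equivalence is lost as soon as the scalar is converted to a `|` block or the break moves. Keep the literal whole and break at the operator instead: `failed_when: >-` / `result_uninstall.rc != 0 and` / `"'Env' object has no attribute 'basedn'" not in result_uninstall.stderr`. The comment above it, `# 2 means that uninstall failed because IPA replica was not configured`, describes an exit-code check that the condition does not perform (it keys on stderr text only), so reword it to what is actually tolerated, e.g. `# Tolerate the 'basedn' AttributeError ipa-server-install raises when no replica is configured`. `retries: 2` and `delay: 1` are kept while `# until: result_uninstall.rc == 0` stays commented out; whether a task is retried at all without `until` depends on the Ansible version in use, so either restore the `until` or drop the two retry keys so the intent is unambiguous.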
@@ -1,27 +1,21 @@
|
||||
# dependencies:
|
||||
# - role: t_woerner.ipaclient
|
||||
|
||||
galaxy_info:
|
||||
author: Thomas Woerner
|
||||
description: A role to setup an iPA domain server
|
||||
company: Red Hat, Inc
|
||||
|
||||
# issue_tracker_url: http://example.com/issue/tracker
|
||||
|
||||
license: GPLv3
|
||||
|
||||
min_ansible_version: 2.0
|
||||
|
||||
#github_branch:
|
||||
|
||||
min_ansible_version: 2.5
|
||||
platforms:
|
||||
- name: Fedora
|
||||
versions:
|
||||
- 25
|
||||
- 26
|
||||
- 27
|
||||
- name: rhel
|
||||
- all
|
||||
- name: EL
|
||||
versions:
|
||||
- 7.3
|
||||
- 7.4
|
||||
|
||||
galaxy_tags: [ 'identity', 'ipa']
|
||||
|
||||
dependencies: []
|
||||
- 7
|
||||
# - 8
|
||||
galaxy_tags:
|
||||
- identity
|
||||
- ipa
|
||||
- freeipa
|
||||
|
||||
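Review bot: `min_ansible_version: 2.5` is an unquoted float; it reads back as 2.5 today, but the same form turns the next bump into a number (`2.10` loads as `2.1`) for a field that is a version string, so quote it: `min_ansible_version: "2.5"`. The EL version `- 7`, which appears to be on the new side, is likewise an integer where Galaxy platform version lists carry strings, so `- "7"` avoids int/str mismatches in tooling that compares them. Which of the surrounding `platforms` lines are old and which are new is not recoverable from this rendering, so apply this to whichever entries survive.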
@@ -25,7 +25,7 @@
|
||||
when: ipaserver_install_packages | bool
|
||||
|
||||
- name: Install - Include Python2/3 import test
|
||||
import_tasks: "{{role_path}}/tasks/python_2_3_test.yml"
|
||||
import_tasks: "{{ role_path }}/tasks/python_2_3_test.yml"
|
||||
|
||||
- name: Install - Server installation test
|
||||
ipaserver_test:
|
||||
@@ -111,7 +111,8 @@
|
||||
- name: Install - Use new master password
|
||||
no_log: yes
|
||||
set_fact:
|
||||
ipaserver_master_password: "{{ result_ipaserver_master_password.password }}"
|
||||
ipaserver_master_password:
|
||||
"{{ result_ipaserver_master_password.password }}"
|
||||
|
||||
when: ipaserver_master_password is undefined
|
||||
|
||||
@@ -120,7 +121,7 @@
|
||||
### basic ###
|
||||
dm_password: "{{ ipadm_password }}"
|
||||
password: "{{ ipaadmin_password }}"
|
||||
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
|
||||
# ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
|
||||
domain: "{{ result_ipaserver_test.domain }}"
|
||||
realm: "{{ result_ipaserver_test.realm }}"
|
||||
hostname: "{{ result_ipaserver_test.hostname }}"
|
||||
@@ -155,30 +156,31 @@
|
||||
|
||||
- name: Install - Setup NTP
|
||||
ipaserver_setup_ntp:
|
||||
when: not ipaclient_no_ntp | bool and (ipaserver_external_cert_files is undefined or ipaserver_external_cert_files|length < 1)
|
||||
when: not ipaclient_no_ntp | bool and (ipaserver_external_cert_files
|
||||
is undefined or ipaserver_external_cert_files|length < 1)
|
||||
|
||||
- name: Install - Setup DS
|
||||
ipaserver_setup_ds:
|
||||
dm_password: "{{ ipadm_password }}"
|
||||
password: "{{ ipaadmin_password }}"
|
||||
#master_password: "{{ ipaserver_master_password }}"
|
||||
# master_password: "{{ ipaserver_master_password }}"
|
||||
domain: "{{ result_ipaserver_test.domain }}"
|
||||
realm: "{{ result_ipaserver_test.realm | default(omit) }}"
|
||||
hostname: "{{ result_ipaserver_test.hostname }}"
|
||||
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
|
||||
#reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
|
||||
#setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
||||
#setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
||||
#setup_dns: "{{ ipaserver_setup_dns }}"
|
||||
# ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
|
||||
# reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
|
||||
# setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
||||
# setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
||||
# setup_dns: "{{ ipaserver_setup_dns }}"
|
||||
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
||||
#no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
||||
# no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
|
||||
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
|
||||
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
|
||||
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
|
||||
subject_base: "{{ result_ipaserver_test.subject_base }}"
|
||||
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
|
||||
#no_reverse: "{{ ipaserver_no_reverse }}"
|
||||
#auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
||||
# no_reverse: "{{ ipaserver_no_reverse }}"
|
||||
# auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
||||
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
|
||||
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
|
||||
idstart: "{{ result_ipaserver_test.idstart }}"
|
||||
@@ -192,7 +194,7 @@
|
||||
domain: "{{ result_ipaserver_test.domain }}"
|
||||
realm: "{{ result_ipaserver_test.realm }}"
|
||||
hostname: "{{ result_ipaserver_test.hostname }}"
|
||||
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
|
||||
# ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
|
||||
reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
|
||||
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
||||
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
||||
@@ -221,7 +223,7 @@
|
||||
dm_password: "{{ ipadm_password }}"
|
||||
password: "{{ ipaadmin_password }}"
|
||||
master_password: "{{ ipaserver_master_password }}"
|
||||
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
|
||||
# ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
|
||||
domain: "{{ result_ipaserver_test.domain }}"
|
||||
realm: "{{ result_ipaserver_test.realm }}"
|
||||
hostname: "{{ result_ipaserver_test.hostname }}"
|
||||
@@ -243,8 +245,8 @@
|
||||
_subject_base: "{{ result_ipaserver_test._subject_base }}"
|
||||
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
|
||||
_ca_subject: "{{ result_ipaserver_test._ca_subject }}"
|
||||
ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm | default(omit) }}"
|
||||
|
||||
ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm |
|
||||
default(omit) }}"
|
||||
reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
|
||||
no_reverse: "{{ ipaserver_no_reverse }}"
|
||||
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
|
||||
@@ -263,7 +265,7 @@
|
||||
domain: "{{ result_ipaserver_test.domain }}"
|
||||
realm: "{{ result_ipaserver_test.realm }}"
|
||||
hostname: "{{ result_ipaserver_test.hostname }}"
|
||||
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
|
||||
# ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
|
||||
reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
|
||||
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
|
||||
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
|
||||
@@ -319,7 +321,8 @@
|
||||
secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}"
|
||||
### additional ###
|
||||
adtrust_netbios_name: "{{ result_ipaserver_test.adtrust_netbios_name }}"
|
||||
adtrust_reset_netbios_name: "{{ result_ipaserver_test.adtrust_reset_netbios_name }}"
|
||||
adtrust_reset_netbios_name:
|
||||
"{{ result_ipaserver_test.adtrust_reset_netbios_name }}"
|
||||
when: result_ipaserver_test.setup_adtrust
|
||||
|
||||
- name: Install - Set DS password
|
||||
@@ -347,25 +350,27 @@
|
||||
ipaclient_on_master: yes
|
||||
ipaclient_domain: "{{ result_ipaserver_test.domain }}"
|
||||
ipaclient_realm: "{{ result_ipaserver_test.realm }}"
|
||||
ipaclient_servers: [ "{{ result_ipaserver_test.hostname }}" ]
|
||||
ipaclient_servers: ["{{ result_ipaserver_test.hostname }}"]
|
||||
ipaclient_hostname: "{{ result_ipaserver_test.hostname }}"
|
||||
ipaclient_no_ntp: "{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690 else 'false' }}"
|
||||
ipaclient_no_ntp:
|
||||
"{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690
|
||||
else 'false' }}"
|
||||
ipaclient_install_packages: "{{ ipaserver_install_packages }}"
|
||||
|
||||
#- name: Install - Setup client
|
||||
# command: >
|
||||
# /usr/sbin/ipa-client-install
|
||||
# --unattended
|
||||
# --on-master
|
||||
# --domain "{{ result_ipaserver_test.domain }}"
|
||||
# --realm "{{ result_ipaserver_test.realm }}"
|
||||
# --server "{{ result_ipaserver_test.hostname }}"
|
||||
# --hostname "{{ result_ipaserver_test.hostname }}"
|
||||
# {{ "--mkhomedir" if ipaclient_mkhomedir | bool else "" }}
|
||||
# # {{ "--no-dns-sshfp" if ipaclient_no_dns_sshfp | bool else "" }}
|
||||
# # {{ "--ssh-trust-dns" if ipaclient_ssh_trust_dns | bool else "" }}
|
||||
# # {{ "--no-ssh" if ipaclient_no_ssh | bool else "" }}
|
||||
# # {{ "--no-sshd" if ipaclient_no_sshd | bool else "" }}
|
||||
# - name: Install - Setup client
|
||||
# command: >
|
||||
# /usr/sbin/ipa-client-install
|
||||
# --unattended
|
||||
# --on-master
|
||||
# --domain "{{ result_ipaserver_test.domain }}"
|
||||
# --realm "{{ result_ipaserver_test.realm }}"
|
||||
# --server "{{ result_ipaserver_test.hostname }}"
|
||||
# --hostname "{{ result_ipaserver_test.hostname }}"
|
||||
# {{ "--mkhomedir" if ipaclient_mkhomedir | bool else "" }}
|
||||
# # {{ "--no-dns-sshfp" if ipaclient_no_dns_sshfp | bool else "" }}
|
||||
# # {{ "--ssh-trust-dns" if ipaclient_ssh_trust_dns | bool else "" }}
|
||||
# # {{ "--no-ssh" if ipaclient_no_ssh | bool else "" }}
|
||||
# # {{ "--no-sshd" if ipaclient_no_sshd | bool else "" }}
|
||||
|
||||
- name: Install - Enable IPA
|
||||
ipaserver_enable_ipa:
|
||||
@@ -399,4 +404,7 @@
|
||||
{{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
|
||||
when: ipaserver_setup_firewalld | bool
|
||||
|
||||
when: not ansible_check_mode and not (not result_ipaserver_test.changed and (result_ipaserver_test.client_already_configured is defined or result_ipaserver_test.server_already_configured is defined))
|
||||
when: not ansible_check_mode and not
|
||||
(not result_ipaserver_test.changed and
|
||||
(result_ipaserver_test.client_already_configured is defined or
|
||||
result_ipaserver_test.server_already_configured is defined))
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
---
|
||||
- block:
|
||||
- name: Verify Python3 import
|
||||
script: py3test.py
|
||||
@@ -13,7 +14,8 @@
|
||||
|
||||
- name: Fail for IPA 4.5.90
|
||||
fail: msg="You need to install python2 bindings for ipa server usage"
|
||||
when: result_py3test.rc != 0 and "not usable with python3" in result_py3test.stdout
|
||||
when: result_py3test.rc != 0 and "not usable with python3"
|
||||
in result_py3test.stdout
|
||||
|
||||
- name: Set python interpreter to 2
|
||||
set_fact:
|
||||
|
||||
@@ -1,23 +1,24 @@
|
||||
---
|
||||
# tasks to uninstall IPA server
|
||||
|
||||
#- name: Uninstall - Include Python2/3 import test
|
||||
# import: "{{role_path}}/tasks/python_2_3_test.yml"
|
||||
# - name: Uninstall - Include Python2/3 import test
|
||||
# import: "{{ role_path }}/tasks/python_2_3_test.yml"
|
||||
|
||||
- name: Uninstall - Uninstall IPA server
|
||||
command: >
|
||||
/usr/sbin/ipa-server-install
|
||||
--uninstall
|
||||
-U
|
||||
{{ '--ignore-topology-disconnect' if ipaserver_ignore_topology_disconnect | bool else '' }}
|
||||
{{ '--ignore-topology-disconnect' if ipaserver_ignore_topology_disconnect
|
||||
| bool else '' }}
|
||||
{{ '--ignore-last-of-role' if ipaserver_ignore_last_of_role | bool else ''}}
|
||||
register: uninstall
|
||||
# 1 means that uninstall failed because IPA server was not configured
|
||||
failed_when: uninstall.rc != 0 and uninstall.rc != 1
|
||||
changed_when: uninstall.rc == 0
|
||||
|
||||
#- name: Remove IPA server packages
|
||||
# package:
|
||||
# name: "{{ item }}"
|
||||
# state: absent
|
||||
# with_items: "{{ ipaserver_packages }}"
|
||||
# - name: Remove IPA server packages
|
||||
# package:
|
||||
# name: "{{ item }}"
|
||||
# state: absent
|
||||
# with_items: "{{ ipaserver_packages }}"
|
||||
|
||||