mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-05-06 13:23:14 +00:00
7a23c668fc
This change adds support for DNS over TLS to the ipaclient role.
New variables
ipaclient_dns_over_tls
Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later.
(bool, default: false)
required: false
ipaclient_no_dnssec_validation
Disable DNSSEC validation for DNS over TLS. This turns off DNSSEC
validation for unbound. Only usable if `ipaserver_dns_over_tls` is
enabled. (bool, default: false)
reqiured: false
New distribution specific variable
ipaclient_packages_dot
List of IPA packages needed for DNS over TLS.
The resolver configuratoin for DNS over TLS is not part of this change
and will be added later on. Therefore it is needed to configure the
resolver for DNS over TLS before starting the deployment with ipaclient
role. This is essential for using an IPA DNS server with DoT and enforced
DNS policy so that only DoT is usable.
199 lines
6.0 KiB
Python
199 lines
6.0 KiB
Python
# -*- coding: utf-8 -*-
|
|
|
|
# Authors:
|
|
# Thomas Woerner <twoerner@redhat.com>
|
|
#
|
|
# Based on ipa-client-install code
|
|
#
|
|
# Copyright (C) 2017-2022 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
from __future__ import (absolute_import, division, print_function)
|
|
|
|
__metaclass__ = type
|
|
|
|
ANSIBLE_METADATA = {
|
|
'metadata_version': '1.0',
|
|
'supported_by': 'community',
|
|
'status': ['preview'],
|
|
}
|
|
|
|
DOCUMENTATION = '''
|
|
---
|
|
module: ipaclient_setup_sssd
|
|
short_description: Setup sssd for IPA client
|
|
description:
|
|
Setup sssd for IPA client
|
|
options:
|
|
servers:
|
|
description: Fully qualified name of IPA servers to enroll to
|
|
type: list
|
|
elements: str
|
|
required: yes
|
|
domain:
|
|
description: Primary DNS domain of the IPA deployment
|
|
type: str
|
|
required: yes
|
|
realm:
|
|
description: Kerberos realm name of the IPA deployment
|
|
type: str
|
|
required: yes
|
|
hostname:
|
|
description: Fully qualified name of this host
|
|
type: str
|
|
required: yes
|
|
on_master:
|
|
description: Whether the configuration is done on the master or not
|
|
type: bool
|
|
required: no
|
|
no_ssh:
|
|
description: Do not configure OpenSSH client
|
|
type: bool
|
|
required: no
|
|
no_sshd:
|
|
description: Do not configure OpenSSH server
|
|
type: bool
|
|
required: no
|
|
no_sudo:
|
|
description: Do not configure SSSD as data source for sudo
|
|
type: bool
|
|
required: no
|
|
all_ip_addresses:
|
|
description:
|
|
All routable IP addresses configured on any interface will be added
|
|
to DNS
|
|
type: bool
|
|
required: no
|
|
fixed_primary:
|
|
description: Configure sssd to use fixed server as primary IPA server
|
|
type: bool
|
|
required: no
|
|
permit:
|
|
description: Disable access rules by default, permit all access
|
|
type: bool
|
|
required: no
|
|
enable_dns_updates:
|
|
description:
|
|
Configures the machine to attempt dns updates when the ip address
|
|
changes
|
|
type: bool
|
|
required: no
|
|
dns_over_tls:
|
|
description: Configure DNS over TLS
|
|
type: bool
|
|
default: no
|
|
required: no
|
|
preserve_sssd:
|
|
description: Preserve old SSSD configuration if possible
|
|
type: bool
|
|
required: no
|
|
no_krb5_offline_passwords:
|
|
description:
|
|
Configure SSSD not to store user password when the server is offline
|
|
type: bool
|
|
required: no
|
|
author:
|
|
- Thomas Woerner (@t-woerner)
|
|
'''
|
|
|
|
EXAMPLES = '''
|
|
- name: Configure SSSD
|
|
ipaclient_setup_sssd:
|
|
servers: ["server1.example.com","server2.example.com"]
|
|
domain: example.com
|
|
realm: EXAMPLE.COM
|
|
hostname: client1.example.com
|
|
no_krb5_offline_passwords: yes
|
|
'''
|
|
|
|
RETURN = '''
|
|
'''
|
|
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
from ansible.module_utils.ansible_ipa_client import (
|
|
setup_logging, check_imports, options, sysrestore, paths,
|
|
configure_sssd_conf, logger
|
|
)
|
|
|
|
|
|
def main():
|
|
module = AnsibleModule(
|
|
argument_spec=dict(
|
|
servers=dict(required=True, type='list', elements='str'),
|
|
domain=dict(required=True, type='str'),
|
|
realm=dict(required=True, type='str'),
|
|
hostname=dict(required=True, type='str'),
|
|
on_master=dict(required=False, type='bool'),
|
|
no_ssh=dict(required=False, type='bool'),
|
|
no_sshd=dict(required=False, type='bool'),
|
|
no_sudo=dict(required=False, type='bool'),
|
|
all_ip_addresses=dict(required=False, type='bool'),
|
|
|
|
fixed_primary=dict(required=False, type='bool'),
|
|
permit=dict(required=False, type='bool'),
|
|
enable_dns_updates=dict(required=False, type='bool'),
|
|
dns_over_tls=dict(required=False, type='bool', default=False),
|
|
preserve_sssd=dict(required=False, type='bool'),
|
|
no_krb5_offline_passwords=dict(required=False, type='bool'),
|
|
),
|
|
supports_check_mode=False,
|
|
)
|
|
# ansible_log = AnsibleModuleLog(module, logger)
|
|
# options.set_logger(ansible_log)
|
|
|
|
module._ansible_debug = True
|
|
check_imports(module)
|
|
setup_logging()
|
|
|
|
cli_server = module.params.get('servers')
|
|
cli_domain = module.params.get('domain')
|
|
cli_realm = module.params.get('realm')
|
|
hostname = module.params.get('hostname')
|
|
options.on_master = module.params.get('on_master')
|
|
|
|
options.no_ssh = module.params.get('no_ssh')
|
|
options.conf_ssh = not options.no_ssh
|
|
options.no_sshd = module.params.get('no_sshd')
|
|
options.conf_sshd = not options.no_sshd
|
|
options.no_sudo = module.params.get('no_sudo')
|
|
options.conf_sudo = not options.no_sudo
|
|
options.all_ip_addresses = module.params.get('all_ip_addresses')
|
|
|
|
options.primary = module.params.get('fixed_primary')
|
|
options.permit = module.params.get('permit')
|
|
options.dns_updates = module.params.get('enable_dns_updates')
|
|
options.dns_over_tls = module.params.get('dns_over_tls')
|
|
options.preserve_sssd = module.params.get('preserve_sssd')
|
|
|
|
options.no_krb5_offline_passwords = module.params.get(
|
|
'no_krb5_offline_passwords')
|
|
options.krb5_offline_passwords = not options.no_krb5_offline_passwords
|
|
options.dns_over_tls = False
|
|
|
|
fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
|
|
client_domain = hostname[hostname.find(".") + 1:]
|
|
|
|
if configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server,
|
|
options, client_domain, hostname):
|
|
module.fail_json("configure_sssd_conf failed")
|
|
logger.info("Configured /etc/sssd/sssd.conf")
|
|
|
|
module.exit_json(changed=True)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
main()
|