Thomas Woerner 218d77e9c6 library/ipajoin.py: Compatibility to ipa 4.4 and later, new version check
For ipa versions prior to 4.5 it is needed to use ipa-client-install script
as a source for functions. But the script contains a global finally clause
in which the generated ccache file gets removed. Therefore the script is
temporarily copied to ipa_client_install.py and the global finally clause
gets removed from the copy. All this is done in a temporary directory, which
gets removed right after the import has been done.

An object called options is generated as ipa-client-install and also
ipaclient/install/client.py functions are using this object.

inspect.argspec is used on configure_krb5_conf to find out if the function
requires configure_sssd as an optional argument or in the options object.
2017-09-15 09:40:08 +02:00
2017-08-30 14:56:32 +02:00

ansible-freeipa

Description

This role joins hosts as clients to an IPA domain. This can be done in different ways: using auto-discovery of the servers, domain and other settings, or by specifying them.

Usage

Example inventory file with fixed principal and using auto-discovery with DNS records:

[ipaclients]
ipaclient1.example.com
ipaclient2.example.com

[ipaclients:vars]
ipaclient_principal=admin

Example playbook to set up the IPA client(s) using principal from inventory file and password from an Ansible Vault file:

- name: Playbook to configure IPA clients with username/password
  hosts: ipaclients
  become: true
  vars_files:
  - playbook_sensitive_data.yml

  roles:
  - role: ipaclient
    state: present

Example playbook to unconfigure the IPA client(s) using principal and password from inventory file:

- name: Playbook to unconfigure IPA clients
  hosts: ipaclients
  become: true

  roles:
  - role: ipaclient
    state: absent

Example inventory file with fixed servers, principal, password and domain:

[ipaclients]
ipaclient1.example.com
ipaclient2.example.com

[ipaservers]
ipaserver.example.com

[ipaclients:vars]
ipaclient_domain=example.com
ipaclient_principal=admin
ipaclient_password=MySecretPassword123

Example playbook to set up the IPA client(s) using principal and password from inventory file:

- name: Playbook to configure IPA clients with username/password
  hosts: ipaclients
  become: true

  roles:
  - role: ipaclient
    state: present
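
The inventory above keeps ipaclient_password in clear text, while the first playbook reads it from an Ansible Vault file. The following check is an added example, not part of ansible-freeipa; the function name check_ipaclient_password and the sample files are constructed for illustration. It reports inventory or vars files that still carry the password unencrypted and accepts vault-encrypted files and inline `!vault` values:

```shell
#!/bin/sh
# Added example (not part of ansible-freeipa): find clear-text ipaclient_password
# values in inventory or vars files. check_ipaclient_password is a hypothetical name.

# Prints "file:line" for every clear-text assignment; returns 1 if any was found.
check_ipaclient_password() {
    found=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        # A file encrypted as a whole by ansible-vault starts with this header.
        if head -n 1 "$f" | grep -q '^\$ANSIBLE_VAULT;'; then
            continue
        fi
        # Match INI (key=value, also on a host line) and YAML (key: value) forms.
        # A YAML value of "!vault |" is an inline-encrypted string and is accepted.
        hits=$(grep -nE '(^|[[:space:]])ipaclient_password[[:space:]]*[=:]' "$f" \
               | grep -vE '[=:][[:space:]]*!vault' | cut -d: -f1)
        for n in $hits; do
            echo "$f:$n"
            found=1
        done
    done
    return "$found"
}

# Constructed sample input: the second inventory from this README and a stand-in
# for an encrypted playbook_sensitive_data.yml, both written to a temp directory.
demo_dir=$(mktemp -d)
printf '[ipaclients:vars]\nipaclient_principal=admin\nipaclient_password=MySecretPassword123\n' \
    > "$demo_dir/inventory"
printf '$ANSIBLE_VAULT;1.1;AES256\n(constructed placeholder, not real ciphertext)\n' \
    > "$demo_dir/playbook_sensitive_data.yml"
check_ipaclient_password "$demo_dir/inventory" "$demo_dir/playbook_sensitive_data.yml" \
    || echo "clear-text ipaclient_password found"
rm -rf "$demo_dir"
```

Run it over the inventory and vars files before committing them; a non-zero return means at least one file needs the password moved into a vault file or encrypted inline.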

Variables

ipaservers - Group of IPA server hostnames. (list of strings, optional)

ipaclient_domain - The primary DNS domain of an existing IPA deployment. (string, optional)

ipaclient_realm - The Kerberos realm of an existing IPA deployment. (string, optional)

ipaclient_principal - The authorized Kerberos principal used to join the IPA realm. (string, optional)

ipaclient_password - The password for the Kerberos principal. (string, optional)

ipaclient_keytab - The path to a backed-up host keytab from previous enrollment. (string, optional)

ipaclient_force_join - Set force_join to yes to join the host even if it is already enrolled. (bool, optional)

ipaclient_kinit_attempts - Repeat the request for host Kerberos ticket X times if it fails. (int, optional)

ipaclient_ntp - Set to no to not configure and enable NTP. (bool, optional)

ipaclient_mkhomedir - Set to yes to configure PAM to create a user's home directory if it does not exist. (string, optional)

Requirements

freeipa-client v4.6

Authors

Florence Blanc-Renaud

Thomas Woerner
