internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-06-10 10:45:55 +00:00
Code Issues Projects Releases Wiki Activity
Files
747ec875884e87e3cac59bb4d127c5387958d0cd
ansible-freeipa/roles/ipaserver/tasks/install.yml
Thomas Woerner ecdbcea1e8 ipaserver: Fix DNS installation forward policy and DNSSEC validation 
forward_policy needs to be None for the DNS check for proper initialization
if the user is not providing another forward_policy value. forward_policy will
be set in the DNS check.

no_dnssec_validation is enabled in the DNS check if the forwarders do not
provide DNSSEC validation. Therefore this needs to be handed over to the dns
installation later on.

New return values for forward_policy and no_dnssec_validation have been added
to the ipaserver_test module.
2018-01-30 10:25:56 +01:00

365 lines
16 KiB
YAML
Raw Blame History

---
# tasks file for ipaserver
- name: Install - Ensure that IPA server packages are installed
package:
name: "{{ item }}"
state: present
with_items: "{{ ipaserver_packages }}"
- name: Install - Ensure that IPA server packages for dns are installed
package:
name: "{{ item }}"
state: present
with_items: "{{ ipaserver_packages_dns }}"
when: ipaserver_setup_dns | bool
- name: Install - Ensure that IPA server packages for adtrust are installed
package:
name: "{{ item }}"
state: present
with_items: "{{ ipaserver_packages_adtrust }}"
when: ipaserver_setup_adtrust | bool
- name: Install - Include Python2/3 import test
include: "{{role_path}}/tasks/python_2_3_test.yml"
static: yes
- name: Install - Server installation test
ipaserver_test:
### basic ###
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
master_password: "{{ ipaserver_master_password | default(omit) }}"
ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}"
domain: "{{ ipaserver_domain | default(omit) }}"
realm: "{{ ipaserver_realm | default(omit) }}"
hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}"
ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}"
# no_host_dns: "{{ ipaserver_no_host_dns }}"
### server ###
setup_adtrust: "{{ ipaserver_setup_adtrust }}"
setup_kra: "{{ ipaserver_setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
idstart: "{{ ipaserver_idstart | default(omit) }}"
idmax: "{{ ipaserver_idmax | default(omit) }}"
# no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
no_pkinit: "{{ ipaserver_no_pkinit }}"
# no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
### ssl certificate ###
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}"
pkinit_cert_files: "{{ ipaserver_pkinit_cert_files | default([]) }}"
# dirsrv_pin
# http_pin
# pkinit_pin
# dirsrv_name
# http_name
# pkinit_name
### client ###
# mkhomedir
no_ntp: "{{ ipaclient_no_ntp }}"
# ssh_trust_dns
# no_ssh
# no_sshd
# no_dns_sshfp
### certificate system ###
external_ca: "{{ ipaserver_external_ca }}"
external_ca_type: "{{ ipaserver_external_ca_type | default(omit) }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
subject_base: "{{ ipaserver_subject_base | default(omit) }}"
ca_subject: "{{ ipaserver_ca_subject | default(omit) }}"
# ca_signing_algorithm
### dns ###
allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}"
reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_reverse: "{{ ipaserver_auto_reverse }}"
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
forwarders: "{{ ipaserver_forwarders | default([]) }}"
no_forwarders: "{{ ipaserver_no_forwarders }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
### ad trust ###
enable_compat: "{{ ipaserver_enable_compat }}"
netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
rid_base: "{{ ipaserver_rid_base | default(omit) }}"
secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
### additional ###
register: result_ipaserver_test
- block:
- block:
- name: Install - Master password creation
no_log: yes
ipaserver_master_password:
dm_password: "{{ ipadm_password }}"
master_password: "{{ ipaserver_master_password | default(omit) }}"
register: result_ipaserver_master_password
- name: Install - Use new master password
set_fact:
ipaserver_master_password: "{{ result_ipaserver_master_password.password }}"
when: ipaserver_master_password is undefined
- name: Install - Server preparation
ipaserver_prepare:
### basic ###
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
### server ###
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
#no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
### certificate system ###
subject_base: "{{ result_ipaserver_test.subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
### dns ###
reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_reverse: "{{ ipaserver_auto_reverse }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}"
### additional ###
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
_hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
register: result_ipaserver_prepare
- name: Install - Setup NTP
ipaserver_setup_ntp:
when: not ipaclient_no_ntp | bool and (ipaserver_external_cert_files is undefined or ipaserver_external_cert_files|length < 1)
- name: Install - Setup DS
ipaserver_setup_ds:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
#master_password: "{{ ipaserver_master_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm | default(omit) }}"
hostname: "{{ result_ipaserver_test.hostname }}"
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
#reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
#setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
#setup_kra: "{{ result_ipaserver_test.setup_kra }}"
#setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
#no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
subject_base: "{{ result_ipaserver_test.subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
#no_reverse: "{{ ipaserver_no_reverse }}"
#auto_forwarders: "{{ ipaserver_auto_forwarders }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
- name: Install - Setup KRB
ipaserver_setup_krb:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
master_password: "{{ ipaserver_master_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
subject_base: "{{ result_ipaserver_test.subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
_pkinit_pkcs12_info: "{{ result_ipaserver_test._pkinit_pkcs12_info }}"
- name: Install - Setup CA
ipaserver_setup_ca:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
master_password: "{{ ipaserver_master_password }}"
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info }}"
external_ca: "{{ ipaserver_external_ca }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
subject_base: "{{ result_ipaserver_test.subject_base }}"
_subject_base: "{{ result_ipaserver_test._subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
_ca_subject: "{{ result_ipaserver_test._ca_subject }}"
ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm | default(omit) }}"
reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
- name: Install - Setup otpd
ipaserver_setup_otpd:
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
- name: Install - Setup custodia
ipaserver_setup_custodia:
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
- name: Install - Setup HTTP
ipaserver_setup_http:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
master_password: "{{ ipaserver_master_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
#ip_addresses: "{{ result_ipaserver_test.ip_addresses }}"
reverse_zones: "{{ result_ipaserver_test.reverse_zones }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
setup_dns: "{{ ipaserver_setup_dns }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}"
external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}"
subject_base: "{{ result_ipaserver_test.subject_base }}"
_subject_base: "{{ result_ipaserver_test._subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
_ca_subject: "{{ result_ipaserver_test._ca_subject }}"
no_reverse: "{{ ipaserver_no_reverse }}"
auto_forwarders: "{{ ipaserver_auto_forwarders }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
http_cert_files: "{{ ipaserver_http_cert_files | default([]) }}"
no_ui_redirect: "{{ ipaserver_no_ui_redirect }}"
- name: Install - Setup KRA
ipaserver_setup_kra:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
dm_password: "{{ ipadm_password }}"
setup_kra: "{{ result_ipaserver_test.setup_kra }}"
when: result_ipaserver_test.setup_kra | bool
- name: Install - Setup DNS
ipaserver_setup_dns:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
setup_dns: "{{ ipaserver_setup_dns }}"
forwarders: "{{ result_ipaserver_test.forwarders }}"
forward_policy: "{{ result_ipaserver_test.forward_policy }}"
zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}"
### additional ###
dns_ip_addresses: "{{ result_ipaserver_test.dns_ip_addresses }}"
dns_reverse_zones: "{{ result_ipaserver_test.dns_reverse_zones }}"
when: ipaserver_setup_dns | bool
- name: Install - Setup ADTRUST
ipaserver_setup_adtrust:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
when: result_ipaserver_test.setup_adtrust
- name: Install - Set DS password
ipaserver_set_ds_password:
dm_password: "{{ ipadm_password }}"
password: "{{ ipaadmin_password }}"
domain: "{{ result_ipaserver_test.domain }}"
realm: "{{ result_ipaserver_test.realm }}"
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
subject_base: "{{ result_ipaserver_test.subject_base }}"
ca_subject: "{{ result_ipaserver_test.ca_subject }}"
no_pkinit: "{{ result_ipaserver_test.no_pkinit }}"
no_hbac_allow: "{{ ipaserver_no_hbac_allow }}"
idstart: "{{ result_ipaserver_test.idstart }}"
idmax: "{{ result_ipaserver_test.idmax }}"
dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}"
_dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info }}"
#- name: Install - Setup client
# include_role:
# name: ipaclient
# private: yes
# defaults_from: "/roles/ipaclient/defaults/main.yml"
# tasks_from: "/roles/ipaclient/tasks/main.yml"
# vars_from: "/roles/ipaclient/vars/main.yml"
# vars:
# state: present
# on_master: yes
# domain: "{{ result_ipaserver_test.domain }}"
# realm: "{{ result_ipaserver_test.realm }}"
# server: "{{ result_ipaserver_test.hostname }}"
# hostname: "{{ result_ipaserver_test.hostname }}"
# #no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
# #ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}"
# #no_ssh: "{{ ipaclient_no_ssh }}"
# #no_sshd: "{{ ipaclient_no_sshd }}"
# mkhomedir: "{{ ipaclient_mkhomedir }}"
- name: Install - Setup client
command: >
/usr/sbin/ipa-client-install
--unattended
--on-master
--domain "{{ result_ipaserver_test.domain }}"
--realm "{{ result_ipaserver_test.realm }}"
--server "{{ result_ipaserver_test.hostname }}"
--hostname "{{ result_ipaserver_test.hostname }}"
{{ "--mkhomedir" if ipaclient_mkhomedir | bool else "" }}
# {{ "--no-dns-sshfp" if ipaclient_no_dns_sshfp | bool else "" }}
# {{ "--ssh-trust-dns" if ipaclient_ssh_trust_dns | bool else "" }}
# {{ "--no-ssh" if ipaclient_no_ssh | bool else "" }}
# {{ "--no-sshd" if ipaclient_no_sshd | bool else "" }}
- name: Install - Enable IPA
ipaserver_enable_ipa:
hostname: "{{ result_ipaserver_test.hostname }}"
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
register: result_ipaserver_enable_ipa
- name: Install - Cleanup root IPA cache
file:
path: "/root/.ipa_cache"
state: absent
when: result_ipaserver_enable_ipa.changed
Reference in New Issue View Git Blame Copy Permalink