---
# tasks file for ipaclient
# Install the client packages listed in ipaclient_packages, unless the
# caller turned package installation off via ipaclient_install_packages.
- name: Install - Ensure that IPA client packages are installed
  package:
    name: "{{ ipaclient_packages }}"
    state: present
  when: ipaclient_install_packages | bool
# Default the server list to the hosts of the `ipaservers` inventory group
# when that group exists and the caller did not set ipaclient_servers.
- name: Install - Set ipaclient_servers
  set_fact:
    ipaclient_servers: "{{ groups['ipaservers'] | list }}"
  when: groups.ipaservers is defined and ipaclient_servers is not defined
# Second fallback: use the `ipaserver` inventory group, but only when
# ipaclient_no_dns_lookup is true and ipaclient_servers is still unset
# (so a value set from `ipaservers` above takes precedence).
- name: Install - Set ipaclient_servers from cluster inventory
  set_fact:
    ipaclient_servers: "{{ groups['ipaserver'] | list }}"
  when: ipaclient_no_dns_lookup | bool and groups.ipaserver is defined and
        ipaclient_servers is not defined
# Stop early on ambiguous admin credentials: the play fails when both
# ipaadmin_principal and ipaadmin_keytab are supplied.
- name: Install - Check that either principal or keytab is set
  fail:
    msg: "ipaadmin_principal and ipaadmin_keytab cannot be used together"
  when: ipaadmin_keytab is defined and ipaadmin_principal is defined
# Fall back to the `admin` principal when no principal was given and no
# client keytab is in use.
# NOTE(review): this condition tests ipaclient_keytab, while the preceding
# exclusivity check tests ipaadmin_keytab - confirm the two conditions are
# meant to look at different variables.
- name: Install - Set default principal if no keytab is given
  set_fact:
    ipaadmin_principal: admin
  when: ipaadmin_principal is undefined and ipaclient_keytab is undefined
# Run the ipaclient_test module and keep its result in
# result_ipaclient_test; later tasks read servers, domain, realm, hostname,
# kdc, basedn and similar fields from that result instead of the raw role
# variables.
- name: Install - IPA client test
  ipaclient_test:
    ### basic ###
    # ipaserver_* values win over ipaclient_* values for domain and realm.
    domain: "{{ ipaserver_domain | default(ipaclient_domain) | default(omit) }}"
    servers: "{{ ipaclient_servers | default(omit) }}"
    realm: "{{ ipaserver_realm | default(ipaclient_realm) | default(omit) }}"
    # The host's own ansible_fqdn fact is used when no hostname is given.
    hostname: "{{ ipaclient_hostname | default(ansible_fqdn) }}"
    ntp_servers: "{{ ipaclient_ntp_servers | default(omit) }}"
    ntp_pool: "{{ ipaclient_ntp_pool | default(omit) }}"
    no_ntp: "{{ ipaclient_no_ntp }}"
    force_ntpd: "{{ ipaclient_force_ntpd }}"
    nisdomain: "{{ ipaclient_nisdomain | default(omit) }}"
    no_nisdomain: "{{ ipaclient_no_nisdomain }}"
    kinit_attempts: "{{ ipaclient_kinit_attempts }}"
    ca_cert_files: "{{ ipaclient_ca_cert_file | default(omit) }}"
    configure_firefox: "{{ ipaclient_configure_firefox }}"
    firefox_dir: "{{ ipaclient_firefox_dir | default(omit) }}"
    ip_addresses: "{{ ipaclient_ip_addresses | default(omit) }}"
    all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
    on_master: "{{ ipaclient_on_master }}"
    ### sssd ###
    # NOTE(review): `ipassd_` (two s) is tried before `ipasssd_`; presumably
    # a legacy spelling kept for compatibility - confirm.
    enable_dns_updates: "{{ ipassd_enable_dns_updates
                            | default(ipasssd_enable_dns_updates) }}"
  register: result_ipaclient_test
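# Main enrollment flow: NTP setup, OTP handling, credential checks, the
# join itself and the client-side configuration. The block-level `when`
# near the end gates it on not being in check mode and on the client not
# being already configured (unless ipaclient_allow_repair or
# ipaclient_force_join is set). The `always` section restores the admin
# password fact and removes the leftover DNS ccache.
- block:
  - name: Install - Cleanup leftover ccache
    file:
      path: "/etc/ipa/.dns_ccache"
      state: absent

  - name: Install - Configure NTP
    ipaclient_setup_ntp:
      ### basic ###
      ntp_servers: "{{ result_ipaclient_test.ntp_servers | default(omit) }}"
      ntp_pool: "{{ result_ipaclient_test.ntp_pool | default(omit) }}"
      no_ntp: "{{ ipaclient_no_ntp }}"
      # force_ntpd: "{{ ipaclient_force_ntpd }}"
      on_master: "{{ ipaclient_on_master }}"
      ### additional ###
      servers: "{{ result_ipaclient_test.servers }}"
      domain: "{{ result_ipaclient_test.domain }}"

  # A predefined OTP implies OTP enrollment.
  - name: Install - Make sure One-Time Password is enabled if it's already defined
    set_fact:
      ipaclient_use_otp: "yes"
    when: ipaclient_otp is defined

  - name: Install - Disable One-Time Password for on_master
    set_fact:
      ipaclient_use_otp: "no"
    when: ipaclient_use_otp | bool and ipaclient_on_master | bool

  # The result (krb5_keytab_ok, krb5_conf_ok, ping_test_ok, ca_crt_exists)
  # drives the OTP, join and repair decisions below.
  - name: Install - Test if IPA client has working krb5.keytab
    ipaclient_test_keytab:
      servers: "{{ result_ipaclient_test.servers }}"
      domain: "{{ result_ipaclient_test.domain }}"
      realm: "{{ result_ipaclient_test.realm }}"
      hostname: "{{ result_ipaclient_test.hostname }}"
      kdc: "{{ result_ipaclient_test.kdc }}"
      kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
    register: result_ipaclient_test_keytab

  # A host with a working keytab does not need a new OTP unless a re-join
  # is forced.
  - name: Install - Disable One-Time Password for client with working
          krb5.keytab
    set_fact:
      ipaclient_use_otp: "no"
    when: ipaclient_use_otp | bool and
          result_ipaclient_test_keytab.krb5_keytab_ok and
          not ipaclient_force_join | bool

  # The following block is executed when using OTP to enroll the IPA client
  # and the OTP isn't predefined, i.e. when ipaclient_use_otp is set and
  # ipaclient_otp is not set.
  # It connects to the ipaserver and adds the host with the --random option
  # in order to create a One-Time Password.
  # If a keytab is specified in the hostent, then the hostent will be
  # disabled if ipaclient_use_otp is set.
  - block:
    - name: Install - Keytab or password is required for getting otp
      fail:
        msg: "Keytab or password is required for getting otp"
      when: ipaadmin_keytab is undefined and ipaadmin_password is undefined

    # no_log keeps the admin password argument and the returned random
    # password out of the task output. The task is delegated to the first
    # server reported by ipaclient_test.
    - name: Install - Get One-Time Password for client enrollment
      no_log: true
      ipaclient_get_otp:
        state: present
        principal: "{{ ipaadmin_principal | default(omit) }}"
        password: "{{ ipaadmin_password | default(omit) }}"
        keytab: "{{ ipaadmin_keytab | default(omit) }}"
        fqdn: "{{ result_ipaclient_test.hostname }}"
        lifetime: "{{ ipaclient_lifetime | default(omit) }}"
        random: true
      register: result_ipaclient_get_otp
      # If the host is already enrolled, this command will exit on error.
      # That error can be ignored.
      failed_when: result_ipaclient_get_otp is failed and
                   "Password cannot be set on enrolled host" not
                   in result_ipaclient_get_otp.msg
      delegate_to: "{{ result_ipaclient_test.servers[0] }}"
      # Errors are ignored here so that the next task can report them;
      # this task's own output is hidden by no_log.
      ignore_errors: true

    # Prints only the msg field of the failed OTP request and then fails.
    # NOTE(review): this task has no no_log - confirm msg can never carry
    # the admin password or the OTP.
    - name: Install - Report error for OTP generation
      debug:
        msg: "{{ result_ipaclient_get_otp.msg }}"
      when: result_ipaclient_get_otp is failed
      failed_when: true

    # The OTP replaces ipaadmin_password for the join; the original value
    # is kept in ipaadmin_orig_password for the `always` section.
    # NOTE(review): when the result has no `host` key the inline `if` has
    # no `else` branch - confirm what ipaadmin_password ends up as then.
    - name: Install - Store the previously obtained OTP
      no_log: true
      set_fact:
        ipaadmin_orig_password: "{{ ipaadmin_password | default(omit) }}"
        ipaadmin_password: "{{ result_ipaclient_get_otp.host.randompassword
                               if result_ipaclient_get_otp.host is defined }}"

    when: ipaclient_use_otp | bool and ipaclient_otp is not defined

  - name: Store predefined OTP in admin_password
    no_log: true
    set_fact:
      ipaadmin_orig_password: "{{ ipaadmin_password | default(omit) }}"
      ipaadmin_password: "{{ ipaclient_otp }}"
    when: ipaclient_otp is defined

  - block:
    # This block is executed only when
    # not (not ipaclient_on_master | bool and
    #      not result_ipaclient_join.changed and
    #      not ipaclient_allow_repair | bool and
    #      (result_ipaclient_test_keytab.krb5_keytab_ok or
    #       (result_ipaclient_join.already_joined is defined and
    #        result_ipaclient_join.already_joined)))
    # NOTE(review): the condition quoted above is the one on the later
    # configuration block; this block's own `when` is only
    # `not ipaclient_on_master | bool`.

    - name: Install - Check if principal and keytab are set
      fail:
        msg: "Principal and keytab cannot be used together"
      when: ipaadmin_principal is defined and ipaclient_keytab is defined

    - name: Install - Check if one of password or keytabs are set
      fail:
        msg: "At least one of password or keytabs must be specified"
      when: not result_ipaclient_test_keytab.krb5_keytab_ok
            and ipaadmin_password is undefined
            and ipaadmin_keytab is undefined
            and ipaclient_keytab is undefined
    when: not ipaclient_on_master | bool

  # Remove the realm's entries from the host keytab before an OTP
  # enrollment or a forced re-join.
  - name: Install - Purge {{ result_ipaclient_test.realm }} from host keytab
    command: >
      /usr/sbin/ipa-rmkeytab
      -k /etc/krb5.keytab
      -r "{{ result_ipaclient_test.realm }}"
    register: result_ipa_rmkeytab
    # Do not fail on error codes 3 and 5:
    #   3 - Unable to open keytab
    #   5 - Principal name or realm not found in keytab
    failed_when: result_ipa_rmkeytab.rc != 0 and
                 result_ipa_rmkeytab.rc != 3 and result_ipa_rmkeytab.rc != 5
    when: (ipaclient_use_otp | bool or ipaclient_force_join | bool) and
          not ipaclient_on_master | bool

  - name: Install - Backup and set hostname
    ipaclient_set_hostname:
      hostname: "{{ result_ipaclient_test.hostname }}"
    when: not ipaclient_on_master | bool

  # The principal and the admin keytab are passed only when OTP is not in
  # use; with OTP, ipaadmin_password holds the one-time password.
  # NOTE(review): this task has no no_log while `password` is passed -
  # confirm the ipaclient_join module marks that argument as no_log.
  - name: Install - Join IPA
    ipaclient_join:
      servers: "{{ result_ipaclient_test.servers }}"
      domain: "{{ result_ipaclient_test.domain }}"
      realm: "{{ result_ipaclient_test.realm }}"
      kdc: "{{ result_ipaclient_test.kdc }}"
      basedn: "{{ result_ipaclient_test.basedn }}"
      hostname: "{{ result_ipaclient_test.hostname }}"
      force_join: "{{ ipaclient_force_join | default(omit) }}"
      principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool and
                     ipaclient_keytab is not defined else omit }}"
      password: "{{ ipaadmin_password | default(omit) }}"
      keytab: "{{ ipaclient_keytab | default(omit) }}"
      admin_keytab: "{{ ipaadmin_keytab if ipaadmin_keytab is defined and
                        not ipaclient_use_otp | bool else omit }}"
      # ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
      kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
    register: result_ipaclient_join
    # `| bool` on ipaclient_force_join matches every other use in this file:
    # without it a string value such as "no" is a non-empty string and
    # counts as true, forcing a re-join that was not requested.
    when: not ipaclient_on_master | bool and
          (not result_ipaclient_test_keytab.krb5_keytab_ok or
           ipaclient_force_join | bool)

  # The host is enrolled, nothing was changed by the join and repair is not
  # allowed: fail with a hint when one of the keytab test checks is not ok.
  - block:
    - fail:
        msg: >
          The krb5 configuration is not correct, please enable allow_repair
          to fix this.
      when: not result_ipaclient_test_keytab.krb5_conf_ok
    - fail:
        msg: "The IPA test failed, please enable allow_repair to fix this."
      when: not result_ipaclient_test_keytab.ping_test_ok
    - fail:
        msg: >
          The ca.crt file is missing, please enable allow_repair to fix this.
      when: not result_ipaclient_test_keytab.ca_crt_exists
    when: not ipaclient_on_master | bool and
          not result_ipaclient_join.changed and
          not ipaclient_allow_repair | bool and
          (result_ipaclient_test_keytab.krb5_keytab_ok or
           (result_ipaclient_join.already_joined is defined and
            result_ipaclient_join.already_joined))

  # Client-side configuration. Its `when` is the negation of the condition
  # on the repair-hint block above.
  - block:
    - name: Install - Configure IPA default.conf
      ipaclient_ipa_conf:
        servers: "{{ result_ipaclient_test.servers }}"
        domain: "{{ result_ipaclient_test.domain }}"
        realm: "{{ result_ipaclient_test.realm }}"
        hostname: "{{ result_ipaclient_test.hostname }}"
        basedn: "{{ result_ipaclient_test.basedn }}"
      when: not ipaclient_on_master | bool

    - name: Install - Configure SSSD
      ipaclient_setup_sssd:
        servers: "{{ result_ipaclient_test.servers }}"
        domain: "{{ result_ipaclient_test.domain }}"
        realm: "{{ result_ipaclient_test.realm }}"
        hostname: "{{ result_ipaclient_test.hostname }}"
        on_master: "{{ ipaclient_on_master }}"
        no_ssh: "{{ ipaclient_no_ssh }}"
        no_sshd: "{{ ipaclient_no_sshd }}"
        no_sudo: "{{ ipaclient_no_sudo }}"
        all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
        fixed_primary: "{{ ipassd_fixed_primary
                           | default(ipasssd_fixed_primary) }}"
        permit: "{{ ipassd_permit | default(ipasssd_permit) }}"
        enable_dns_updates: "{{ ipassd_enable_dns_updates
                                | default(ipasssd_enable_dns_updates) }}"
        preserve_sssd: "{{ ipassd_preserve_sssd
                           | default(ipasssd_preserve_sssd) }}"
        no_krb5_offline_passwords:
          "{{ ipassd_no_krb5_offline_passwords
              | default(ipasssd_no_krb5_offline_passwords) }}"

    - name: Install - Configure krb5 for IPA realm
      ipaclient_setup_krb5:
        realm: "{{ result_ipaclient_test.realm }}"
        domain: "{{ result_ipaclient_test.domain }}"
        servers: "{{ result_ipaclient_test.servers }}"
        kdc: "{{ result_ipaclient_test.kdc }}"
        dnsok: "{{ result_ipaclient_test.dnsok }}"
        client_domain: "{{ result_ipaclient_test.client_domain }}"
        hostname: "{{ result_ipaclient_test.hostname }}"
        sssd: "{{ result_ipaclient_test.sssd }}"
        force: "{{ ipaclient_force }}"
        # on_master: "{{ ipaclient_on_master }}"
      when: not ipaclient_on_master | bool

    # The registered result supplies subject_base and ca_enabled to the
    # NSS database task below.
    - name: Install - IPA API calls for remaining enrollment parts
      ipaclient_api:
        servers: "{{ result_ipaclient_test.servers }}"
        realm: "{{ result_ipaclient_test.realm }}"
        hostname: "{{ result_ipaclient_test.hostname }}"
        # debug: yes
      register: result_ipaclient_api

    # Runs only for a host whose keytab works but whose ca.crt is missing.
    - name: Install - Fix IPA ca
      ipaclient_fix_ca:
        servers: "{{ result_ipaclient_test.servers }}"
        realm: "{{ result_ipaclient_test.realm }}"
        basedn: "{{ result_ipaclient_test.basedn }}"
        allow_repair: "{{ ipaclient_allow_repair }}"
      when: not ipaclient_on_master | bool and
            result_ipaclient_test_keytab.krb5_keytab_ok and
            not result_ipaclient_test_keytab.ca_crt_exists

    - name: Install - Create IPA NSS database
      ipaclient_setup_nss:
        servers: "{{ result_ipaclient_test.servers }}"
        domain: "{{ result_ipaclient_test.domain }}"
        realm: "{{ result_ipaclient_test.realm }}"
        basedn: "{{ result_ipaclient_test.basedn }}"
        hostname: "{{ result_ipaclient_test.hostname }}"
        subject_base: "{{ result_ipaclient_api.subject_base }}"
        principal: "{{ ipaadmin_principal | default(omit) }}"
        mkhomedir: "{{ ipaclient_mkhomedir }}"
        ca_enabled: "{{ result_ipaclient_api.ca_enabled }}"
        on_master: "{{ ipaclient_on_master }}"
        dnsok: "{{ result_ipaclient_test.dnsok }}"
        enable_dns_updates: "{{ ipassd_enable_dns_updates
                                | default(ipasssd_enable_dns_updates) }}"
        all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
        ip_addresses: "{{ ipaclient_ip_addresses | default(omit) }}"
        request_cert: "{{ ipaclient_request_cert }}"
        preserve_sssd: "{{ ipassd_preserve_sssd
                           | default(ipasssd_preserve_sssd) }}"
        no_ssh: "{{ ipaclient_no_ssh }}"
        no_sshd: "{{ ipaclient_no_sshd }}"
        no_sudo: "{{ ipaclient_no_sudo }}"
        fixed_primary: "{{ ipassd_fixed_primary
                           | default(ipasssd_fixed_primary) }}"
        permit: "{{ ipassd_permit | default(ipasssd_permit) }}"
        no_krb5_offline_passwords:
          "{{ ipassd_no_krb5_offline_passwords
              | default(ipasssd_no_krb5_offline_passwords) }}"
        no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"

    # NOTE(review): ssh_trust_dns presumably makes the SSH client rely on
    # host key records published in DNS; if so it is only as trustworthy as
    # the DNS path - confirm the role default and that DNSSEC is in place
    # before enabling it.
    - name: Install - Configure SSH and SSHD
      ipaclient_setup_ssh:
        servers: "{{ result_ipaclient_test.servers }}"
        sssd: "{{ result_ipaclient_test.sssd }}"
        no_ssh: "{{ ipaclient_no_ssh }}"
        ssh_trust_dns: "{{ ipaclient_ssh_trust_dns }}"
        no_sshd: "{{ ipaclient_no_sshd }}"

    - name: Install - Configure automount
      ipaclient_setup_automount:
        servers: "{{ result_ipaclient_test.servers }}"
        sssd: "{{ result_ipaclient_test.sssd }}"
        automount_location: "{{ ipaautomount_location | default(omit) }}"

    - name: Install - Configure firefox
      ipaclient_setup_firefox:
        firefox_dir: "{{ ipaclient_firefox_dir | default(omit) }}"
        domain: "{{ result_ipaclient_test.domain }}"
      when: ipaclient_configure_firefox | bool

    - name: Install - Configure NIS
      ipaclient_setup_nis:
        domain: "{{ result_ipaclient_test.domain }}"
        nisdomain: "{{ ipaclient_nisdomain | default(omit) }}"
      when: not ipaclient_no_nisdomain | bool

    when: not (not ipaclient_on_master | bool and
               not result_ipaclient_join.changed and
               not ipaclient_allow_repair | bool
               and (result_ipaclient_test_keytab.krb5_keytab_ok
                    or (result_ipaclient_join.already_joined is defined
                        and result_ipaclient_join.already_joined)))

  when: not ansible_check_mode and
        not (result_ipaclient_test.client_already_configured and
             not ipaclient_allow_repair | bool and
             not ipaclient_force_join | bool)

  always:
  # Put the admin password back after an OTP overwrote ipaadmin_password.
  # NOTE(review): when no admin password was supplied,
  # ipaadmin_orig_password appears to stay undefined (its value is omitted),
  # so this task is skipped and the OTP stays in the ipaadmin_password fact
  # - confirm that is acceptable.
  - name: Install - Restore original admin password if overwritten by OTP
    no_log: true
    set_fact:
      ipaadmin_password: "{{ ipaadmin_orig_password }}"
    when: ipaclient_use_otp | bool and ipaadmin_orig_password is defined

  # Remove the credential cache again, whether or not the block succeeded.
  - name: Cleanup leftover ccache
    file:
      path: "/etc/ipa/.dns_ccache"
      state: absent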