|
Packit |
8cb997 |
#!/usr/bin/python
|
|
Packit |
8cb997 |
# -*- coding: utf-8 -*-
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Authors:
|
|
Packit |
8cb997 |
# Thomas Woerner <twoerner@redhat.com>
|
|
Packit |
8cb997 |
#
|
|
Packit |
8cb997 |
# Based on ipa-replica-install code
|
|
Packit |
8cb997 |
#
|
|
Packit |
8cb997 |
# Copyright (C) 2018 Red Hat
|
|
Packit |
8cb997 |
# see file 'COPYING' for use and warranty information
|
|
Packit |
8cb997 |
#
|
|
Packit |
8cb997 |
# This program is free software; you can redistribute it and/or modify
|
|
Packit |
8cb997 |
# it under the terms of the GNU General Public License as published by
|
|
Packit |
8cb997 |
# the Free Software Foundation, either version 3 of the License, or
|
|
Packit |
8cb997 |
# (at your option) any later version.
|
|
Packit |
8cb997 |
#
|
|
Packit |
8cb997 |
# This program is distributed in the hope that it will be useful,
|
|
Packit |
8cb997 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
8cb997 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
Packit |
8cb997 |
# GNU General Public License for more details.
|
|
Packit |
8cb997 |
#
|
|
Packit |
8cb997 |
# You should have received a copy of the GNU General Public License
|
|
Packit |
8cb997 |
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
from __future__ import print_function
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ANSIBLE_METADATA = {
|
|
Packit |
8cb997 |
'metadata_version': '1.0',
|
|
Packit |
8cb997 |
'supported_by': 'community',
|
|
Packit |
8cb997 |
'status': ['preview'],
|
|
Packit |
8cb997 |
}
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
DOCUMENTATION = '''
|
|
Packit |
8cb997 |
---
|
|
Packit |
8cb997 |
module: ipareplica_prepare
|
|
Packit |
8cb997 |
short description: Prepare ipa replica installation
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Prepare ipa replica installation: Create IPA configuration file, run install
|
|
Packit |
8cb997 |
checks again and also update the host name and the hosts file if needed.
|
|
Packit |
8cb997 |
The tests and also the results from ipareplica_test are needed.
|
|
Packit |
8cb997 |
ptions:
|
|
Packit |
8cb997 |
dm_password:
|
|
Packit |
8cb997 |
description: Directory Manager password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
password:
|
|
Packit |
8cb997 |
description: Admin user kerberos password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ip_addresses:
|
|
Packit |
8cb997 |
description: List of Master Server IP Addresses
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
domain:
|
|
Packit |
8cb997 |
description: Primary DNS domain of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
realm:
|
|
Packit |
8cb997 |
description: Kerberos realm name of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
hostname:
|
|
Packit |
8cb997 |
description: Fully qualified name of this host
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ca_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
List of files containing CA certificates for the service certificate
|
|
Packit |
8cb997 |
files
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_host_dns:
|
|
Packit |
8cb997 |
description: Do not use DNS for hostname lookup during installation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_adtrust:
|
|
Packit |
8cb997 |
description: Configure AD trust capability
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_kra:
|
|
Packit |
8cb997 |
description: Configure a dogtag KRA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_dns:
|
|
Packit |
8cb997 |
description: Configure bind with our zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
external_ca:
|
|
Packit |
8cb997 |
description: External ca setting
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
external_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the IPA CA certificate and the external CA certificate
|
|
Packit |
8cb997 |
chain
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
subject_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
The certificate subject base (default O=<realm-name>).
|
|
Packit |
8cb997 |
RDNs are in LDAP order (most specific RDN first).
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ca_subject:
|
|
Packit |
8cb997 |
description: The installer ca_subject setting
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
reverse_zones:
|
|
Packit |
8cb997 |
description: The reverse DNS zones to use
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_reverse:
|
|
Packit |
8cb997 |
description: Do not create new reverse DNS zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_reverse:
|
|
Packit |
8cb997 |
description: Create necessary reverse zones
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forwarders:
|
|
Packit |
8cb997 |
description: Add DNS forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_forwarders:
|
|
Packit |
8cb997 |
description: Do not add any DNS forwarders, use root servers instead
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_forwarders:
|
|
Packit |
8cb997 |
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forward_policy:
|
|
Packit |
8cb997 |
description: DNS forwarding policy for global forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
enable_compat:
|
|
Packit |
8cb997 |
description: Enable support for trusted domains for old clients
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
netbios_name:
|
|
Packit |
8cb997 |
description: NetBIOS name of the IPA domain
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
rid_base:
|
|
Packit |
8cb997 |
description: Start value for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
secondary_rid_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Start value of the secondary range for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_ca:
|
|
Packit |
8cb997 |
description: Configure a dogtag CA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
_hostname_overridden:
|
|
Packit |
8cb997 |
description: The installer _hostname_overridden setting
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dm_password:
|
|
Packit |
8cb997 |
description: Directory Manager password
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
password:
|
|
Packit |
8cb997 |
description: Admin user kerberos password
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
ip_addresses:
|
|
Packit |
8cb997 |
description: List of Master Server IP Addresses
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
domain:
|
|
Packit |
8cb997 |
description: Primary DNS domain of the IPA deployment
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
realm:
|
|
Packit |
8cb997 |
description: Kerberos realm name of the IPA deployment
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
hostname:
|
|
Packit |
8cb997 |
description: Fully qualified name of this host
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
principal:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
User Principal allowed to promote replicas and join IPA realm
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
ca_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
List of files containing CA certificates for the service certificate
|
|
Packit |
8cb997 |
files
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
no_host_dns:
|
|
Packit |
8cb997 |
description: Do not use DNS for hostname lookup during installation
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
setup_adtrust:
|
|
Packit |
8cb997 |
description: Configure AD trust capability
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
setup_ca:
|
|
Packit |
8cb997 |
description: Configure a dogtag CA
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
setup_kra:
|
|
Packit |
8cb997 |
description: Configure a dogtag KRA
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
setup_dns:
|
|
Packit |
8cb997 |
description: Configure bind with our zone
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
dirsrv_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Files containing the Directory Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
dirsrv_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Directory Server SSL certificate to install
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
dirsrv_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Directory Server private key
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
http_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Apache Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
http_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Apache Server SSL certificate to install
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
http_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Apache Server private key
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
pkinit_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Kerberos KDC SSL certificate and private key
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
pkinit_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Kerberos KDC SSL certificate to install
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
pkinit_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Kerberos KDC private key
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
keytab:
|
|
Packit |
8cb997 |
description: Path to backed up keytab from previous enrollment
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
mkhomedir:
|
|
Packit |
8cb997 |
description: Create home directories for users on their first login
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
force_join:
|
|
Packit |
8cb997 |
description: Force client enrollment even if already enrolled
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
no_ntp:
|
|
Packit |
8cb997 |
description: Do not configure ntp
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
ssh_trust_dns:
|
|
Packit |
8cb997 |
description: Configure OpenSSH client to trust DNS SSHFP records
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
no_ssh:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH client
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
no_sshd:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH server
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
no_dns_sshfp:
|
|
Packit |
8cb997 |
description: Do not automatically create DNS SSHFP records
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
allow_zone_overlap:
|
|
Packit |
8cb997 |
description: Create DNS zone even if it already exists
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
reverse_zones:
|
|
Packit |
8cb997 |
description: The reverse DNS zones to use
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
no_reverse:
|
|
Packit |
8cb997 |
description: Do not create new reverse DNS zone
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
auto_reverse:
|
|
Packit |
8cb997 |
description: Create necessary reverse zones
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
forwarders:
|
|
Packit |
8cb997 |
description: Add DNS forwarders
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
no_forwarders:
|
|
Packit |
8cb997 |
description: Do not add any DNS forwarders, use root servers instead
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
auto_forwarders:
|
|
Packit |
8cb997 |
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
forward_policy:
|
|
Packit |
8cb997 |
description: DNS forwarding policy for global forwarders
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
no_dnssec_validation:
|
|
Packit |
8cb997 |
description: Disable DNSSEC validation
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
enable_compat:
|
|
Packit |
8cb997 |
description: Enable support for trusted domains for old clients
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
netbios_name:
|
|
Packit |
8cb997 |
description: NetBIOS name of the IPA domain
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
rid_base:
|
|
Packit |
8cb997 |
description: Start value for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
secondary_rid_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Start value of the secondary range for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
server:
|
|
Packit |
8cb997 |
description: Fully qualified name of IPA server to enroll to
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
skip_conncheck:
|
|
Packit |
8cb997 |
description: Skip connection check to remote master
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
dm_password:
|
|
Packit |
8cb997 |
description: Directory Manager password
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
password:
|
|
Packit |
8cb997 |
description: Admin user kerberos password
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
ip_addresses:
|
|
Packit |
8cb997 |
description: List of Master Server IP Addresses
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
domain:
|
|
Packit |
8cb997 |
description: Primary DNS domain of the IPA deployment
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
realm:
|
|
Packit |
8cb997 |
description: Kerberos realm name of the IPA deployment
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
hostname:
|
|
Packit |
8cb997 |
description: Fully qualified name of this host
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
principal:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
User Principal allowed to promote replicas and join IPA realm
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
ca_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
List of files containing CA certificates for the service certificate
|
|
Packit |
8cb997 |
files
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
no_host_dns:
|
|
Packit |
8cb997 |
description: Do not use DNS for hostname lookup during installation
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
setup_adtrust:
|
|
Packit |
8cb997 |
description: Configure AD trust capability
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
setup_ca:
|
|
Packit |
8cb997 |
description: Configure a dogtag CA
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
setup_kra:
|
|
Packit |
8cb997 |
description: Configure a dogtag KRA
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
setup_dns:
|
|
Packit |
8cb997 |
description: Configure bind with our zone
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
dirsrv_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Files containing the Directory Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
dirsrv_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Directory Server SSL certificate to install
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
dirsrv_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Directory Server private key
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
http_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Apache Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
http_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Apache Server SSL certificate to install
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
http_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Apache Server private key
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
pkinit_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Kerberos KDC SSL certificate and private key
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
pkinit_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Kerberos KDC SSL certificate to install
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
pkinit_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Kerberos KDC private key
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
keytab:
|
|
Packit |
8cb997 |
description: Path to backed up keytab from previous enrollment
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
mkhomedir:
|
|
Packit |
8cb997 |
description: Create home directories for users on their first login
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
force_join:
|
|
Packit |
8cb997 |
description: Force client enrollment even if already enrolled
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
no_ntp:
|
|
Packit |
8cb997 |
description: Do not configure ntp
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
ssh_trust_dns:
|
|
Packit |
8cb997 |
description: Configure OpenSSH client to trust DNS SSHFP records
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
no_ssh:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH client
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
no_sshd:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH server
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
no_dns_sshfp:
|
|
Packit |
8cb997 |
description: Do not automatically create DNS SSHFP records
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
allow_zone_overlap:
|
|
Packit |
8cb997 |
description: Create DNS zone even if it already exists
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
reverse_zones:
|
|
Packit |
8cb997 |
description: The reverse DNS zones to use
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
no_reverse:
|
|
Packit |
8cb997 |
description: Do not create new reverse DNS zone
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
auto_reverse:
|
|
Packit |
8cb997 |
description: Create necessary reverse zones
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
forwarders:
|
|
Packit |
8cb997 |
description: Add DNS forwarders
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
no_forwarders:
|
|
Packit |
8cb997 |
description: Do not add any DNS forwarders, use root servers instead
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
auto_forwarders:
|
|
Packit |
8cb997 |
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
forward_policy:
|
|
Packit |
8cb997 |
description: DNS forwarding policy for global forwarders
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
no_dnssec_validation:
|
|
Packit |
8cb997 |
description: Disable DNSSEC validation
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
enable_compat:
|
|
Packit |
8cb997 |
description: Enable support for trusted domains for old clients
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
netbios_name:
|
|
Packit |
8cb997 |
description: NetBIOS name of the IPA domain
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
rid_base:
|
|
Packit |
8cb997 |
description: Start value for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
secondary_rid_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Start value of the secondary range for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
server:
|
|
Packit |
8cb997 |
description: Fully qualified name of IPA server to enroll to
|
|
Packit |
8cb997 |
required: False
|
|
Packit |
8cb997 |
skip_conncheck:
|
|
Packit |
8cb997 |
description: Skip connection check to remote master
|
|
Packit |
8cb997 |
required: True
|
|
Packit |
8cb997 |
dm_password:
|
|
Packit |
8cb997 |
description: Directory Manager password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
password:
|
|
Packit |
8cb997 |
description: Admin user kerberos password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ip_addresses:
|
|
Packit |
8cb997 |
description: List of Master Server IP Addresses
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
domain:
|
|
Packit |
8cb997 |
description: Primary DNS domain of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
realm:
|
|
Packit |
8cb997 |
description: Kerberos realm name of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
hostname:
|
|
Packit |
8cb997 |
description: Fully qualified name of this host
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
principal:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
User Principal allowed to promote replicas and join IPA realm
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
ca_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
List of files containing CA certificates for the service certificate
|
|
Packit |
8cb997 |
files
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_host_dns:
|
|
Packit |
8cb997 |
description: Do not use DNS for hostname lookup during installation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_adtrust:
|
|
Packit |
8cb997 |
description: Configure AD trust capability
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_ca:
|
|
Packit |
8cb997 |
description: Configure a dogtag CA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_kra:
|
|
Packit |
8cb997 |
description: Configure a dogtag KRA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_dns:
|
|
Packit |
8cb997 |
description: Configure bind with our zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Files containing the Directory Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Directory Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Directory Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Apache Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Apache Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Apache Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Kerberos KDC SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Kerberos KDC SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Kerberos KDC private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
keytab:
|
|
Packit |
8cb997 |
description: Path to backed up keytab from previous enrollment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
mkhomedir:
|
|
Packit |
8cb997 |
description: Create home directories for users on their first login
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
force_join:
|
|
Packit |
8cb997 |
description: Force client enrollment even if already enrolled
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ntp:
|
|
Packit |
8cb997 |
description: Do not configure ntp
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ssh_trust_dns:
|
|
Packit |
8cb997 |
description: Configure OpenSSH client to trust DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ssh:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH client
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_sshd:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH server
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dns_sshfp:
|
|
Packit |
8cb997 |
description: Do not automatically create DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
allow_zone_overlap:
|
|
Packit |
8cb997 |
description: Create DNS zone even if it already exists
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
reverse_zones:
|
|
Packit |
8cb997 |
description: The reverse DNS zones to use
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_reverse:
|
|
Packit |
8cb997 |
description: Do not create new reverse DNS zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_reverse:
|
|
Packit |
8cb997 |
description: Create necessary reverse zones
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forwarders:
|
|
Packit |
8cb997 |
description: Add DNS forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_forwarders:
|
|
Packit |
8cb997 |
description: Do not add any DNS forwarders, use root servers instead
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_forwarders:
|
|
Packit |
8cb997 |
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forward_policy:
|
|
Packit |
8cb997 |
description: DNS forwarding policy for global forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dnssec_validation:
|
|
Packit |
8cb997 |
description: Disable DNSSEC validation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
enable_compat:
|
|
Packit |
8cb997 |
description: Enable support for trusted domains for old clients
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
netbios_name:
|
|
Packit |
8cb997 |
description: NetBIOS name of the IPA domain
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
rid_base:
|
|
Packit |
8cb997 |
description: Start value for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
secondary_rid_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Start value of the secondary range for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
server:
|
|
Packit |
8cb997 |
description: Fully qualified name of IPA server to enroll to
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
skip_conncheck:
|
|
Packit |
8cb997 |
description: Skip connection check to remote master
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dm_password:
|
|
Packit |
8cb997 |
description: Directory Manager password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
password:
|
|
Packit |
8cb997 |
description: Admin user kerberos password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ip_addresses:
|
|
Packit |
8cb997 |
description: List of Master Server IP Addresses
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
domain:
|
|
Packit |
8cb997 |
description: Primary DNS domain of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
realm:
|
|
Packit |
8cb997 |
description: Kerberos realm name of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
hostname:
|
|
Packit |
8cb997 |
description: Fully qualified name of this host
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
principal:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
User Principal allowed to promote replicas and join IPA realm
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
ca_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
List of files containing CA certificates for the service certificate
|
|
Packit |
8cb997 |
files
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_host_dns:
|
|
Packit |
8cb997 |
description: Do not use DNS for hostname lookup during installation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_adtrust:
|
|
Packit |
8cb997 |
description: Configure AD trust capability
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_ca:
|
|
Packit |
8cb997 |
description: Configure a dogtag CA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_kra:
|
|
Packit |
8cb997 |
description: Configure a dogtag KRA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_dns:
|
|
Packit |
8cb997 |
description: Configure bind with our zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Files containing the Directory Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Directory Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Directory Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Apache Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Apache Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Apache Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Kerberos KDC SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Kerberos KDC SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Kerberos KDC private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
keytab:
|
|
Packit |
8cb997 |
description: Path to backed up keytab from previous enrollment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
mkhomedir:
|
|
Packit |
8cb997 |
description: Create home directories for users on their first login
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
force_join:
|
|
Packit |
8cb997 |
description: Force client enrollment even if already enrolled
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ntp:
|
|
Packit |
8cb997 |
description: Do not configure ntp
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ssh_trust_dns:
|
|
Packit |
8cb997 |
description: Configure OpenSSH client to trust DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ssh:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH client
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_sshd:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH server
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dns_sshfp:
|
|
Packit |
8cb997 |
description: Do not automatically create DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
allow_zone_overlap:
|
|
Packit |
8cb997 |
description: Create DNS zone even if it already exists
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
reverse_zones:
|
|
Packit |
8cb997 |
description: The reverse DNS zones to use
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_reverse:
|
|
Packit |
8cb997 |
description: Do not create new reverse DNS zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_reverse:
|
|
Packit |
8cb997 |
description: Create necessary reverse zones
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forwarders:
|
|
Packit |
8cb997 |
description: Add DNS forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_forwarders:
|
|
Packit |
8cb997 |
description: Do not add any DNS forwarders, use root servers instead
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_forwarders:
|
|
Packit |
8cb997 |
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forward_policy:
|
|
Packit |
8cb997 |
description: DNS forwarding policy for global forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dnssec_validation:
|
|
Packit |
8cb997 |
description: Disable DNSSEC validation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
enable_compat:
|
|
Packit |
8cb997 |
description: Enable support for trusted domains for old clients
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
netbios_name:
|
|
Packit |
8cb997 |
description: NetBIOS name of the IPA domain
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
rid_base:
|
|
Packit |
8cb997 |
description: Start value for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
secondary_rid_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Start value of the secondary range for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
server:
|
|
Packit |
8cb997 |
description: Fully qualified name of IPA server to enroll to
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
skip_conncheck:
|
|
Packit |
8cb997 |
description: Skip connection check to remote master
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dm_password:
|
|
Packit |
8cb997 |
description: Directory Manager password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
password:
|
|
Packit |
8cb997 |
description: Admin user kerberos password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ip_addresses:
|
|
Packit |
8cb997 |
description: List of Master Server IP Addresses
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
domain:
|
|
Packit |
8cb997 |
description: Primary DNS domain of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
realm:
|
|
Packit |
8cb997 |
description: Kerberos realm name of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
hostname:
|
|
Packit |
8cb997 |
description: Fully qualified name of this host
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
principal:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
User Principal allowed to promote replicas and join IPA realm
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
ca_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
List of files containing CA certificates for the service certificate
|
|
Packit |
8cb997 |
files
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_host_dns:
|
|
Packit |
8cb997 |
description: Do not use DNS for hostname lookup during installation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_adtrust:
|
|
Packit |
8cb997 |
description: Configure AD trust capability
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_ca:
|
|
Packit |
8cb997 |
description: Configure a dogtag CA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_kra:
|
|
Packit |
8cb997 |
description: Configure a dogtag KRA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_dns:
|
|
Packit |
8cb997 |
description: Configure bind with our zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Files containing the Directory Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Directory Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Directory Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Apache Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Apache Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Apache Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Kerberos KDC SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Kerberos KDC SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Kerberos KDC private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
keytab:
|
|
Packit |
8cb997 |
description: Path to backed up keytab from previous enrollment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
mkhomedir:
|
|
Packit |
8cb997 |
description: Create home directories for users on their first login
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
force_join:
|
|
Packit |
8cb997 |
description: Force client enrollment even if already enrolled
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ntp:
|
|
Packit |
8cb997 |
description: Do not configure ntp
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ssh_trust_dns:
|
|
Packit |
8cb997 |
description: Configure OpenSSH client to trust DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ssh:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH client
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_sshd:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH server
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dns_sshfp:
|
|
Packit |
8cb997 |
description: Do not automatically create DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
allow_zone_overlap:
|
|
Packit |
8cb997 |
description: Create DNS zone even if it already exists
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
reverse_zones:
|
|
Packit |
8cb997 |
description: The reverse DNS zones to use
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_reverse:
|
|
Packit |
8cb997 |
description: Do not create new reverse DNS zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_reverse:
|
|
Packit |
8cb997 |
description: Create necessary reverse zones
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forwarders:
|
|
Packit |
8cb997 |
description: Add DNS forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_forwarders:
|
|
Packit |
8cb997 |
description: Do not add any DNS forwarders, use root servers instead
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_forwarders:
|
|
Packit |
8cb997 |
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forward_policy:
|
|
Packit |
8cb997 |
description: DNS forwarding policy for global forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dnssec_validation:
|
|
Packit |
8cb997 |
description: Disable DNSSEC validation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
enable_compat:
|
|
Packit |
8cb997 |
description: Enable support for trusted domains for old clients
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
netbios_name:
|
|
Packit |
8cb997 |
description: NetBIOS name of the IPA domain
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
rid_base:
|
|
Packit |
8cb997 |
description: Start value for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
secondary_rid_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Start value of the secondary range for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
server:
|
|
Packit |
8cb997 |
description: Fully qualified name of IPA server to enroll to
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
skip_conncheck:
|
|
Packit |
8cb997 |
description: Skip connection check to remote master
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dm_password:
|
|
Packit |
8cb997 |
description: Directory Manager password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
password:
|
|
Packit |
8cb997 |
description: Admin user kerberos password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ip_addresses:
|
|
Packit |
8cb997 |
description: List of Master Server IP Addresses
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
domain:
|
|
Packit |
8cb997 |
description: Primary DNS domain of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
realm:
|
|
Packit |
8cb997 |
description: Kerberos realm name of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
hostname:
|
|
Packit |
8cb997 |
description: Fully qualified name of this host
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
principal:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
User Principal allowed to promote replicas and join IPA realm
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
ca_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
List of files containing CA certificates for the service certificate
|
|
Packit |
8cb997 |
files
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_host_dns:
|
|
Packit |
8cb997 |
description: Do not use DNS for hostname lookup during installation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_adtrust:
|
|
Packit |
8cb997 |
description: Configure AD trust capability
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_ca:
|
|
Packit |
8cb997 |
description: Configure a dogtag CA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_kra:
|
|
Packit |
8cb997 |
description: Configure a dogtag KRA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_dns:
|
|
Packit |
8cb997 |
description: Configure bind with our zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Files containing the Directory Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Directory Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Directory Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Apache Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Apache Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Apache Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Kerberos KDC SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Kerberos KDC SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Kerberos KDC private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
keytab:
|
|
Packit |
8cb997 |
description: Path to backed up keytab from previous enrollment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
mkhomedir:
|
|
Packit |
8cb997 |
description: Create home directories for users on their first login
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
force_join:
|
|
Packit |
8cb997 |
description: Force client enrollment even if already enrolled
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ntp:
|
|
Packit |
8cb997 |
description: Do not configure ntp
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ssh_trust_dns:
|
|
Packit |
8cb997 |
description: Configure OpenSSH client to trust DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ssh:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH client
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_sshd:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH server
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dns_sshfp:
|
|
Packit |
8cb997 |
description: Do not automatically create DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
allow_zone_overlap:
|
|
Packit |
8cb997 |
description: Create DNS zone even if it already exists
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
reverse_zones:
|
|
Packit |
8cb997 |
description: The reverse DNS zones to use
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_reverse:
|
|
Packit |
8cb997 |
description: Do not create new reverse DNS zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_reverse:
|
|
Packit |
8cb997 |
description: Create necessary reverse zones
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forwarders:
|
|
Packit |
8cb997 |
description: Add DNS forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_forwarders:
|
|
Packit |
8cb997 |
description: Do not add any DNS forwarders, use root servers instead
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_forwarders:
|
|
Packit |
8cb997 |
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forward_policy:
|
|
Packit |
8cb997 |
description: DNS forwarding policy for global forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dnssec_validation:
|
|
Packit |
8cb997 |
description: Disable DNSSEC validation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
enable_compat:
|
|
Packit |
8cb997 |
description: Enable support for trusted domains for old clients
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
netbios_name:
|
|
Packit |
8cb997 |
description: NetBIOS name of the IPA domain
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
rid_base:
|
|
Packit |
8cb997 |
description: Start value for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
secondary_rid_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Start value of the secondary range for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
server:
|
|
Packit |
8cb997 |
description: Fully qualified name of IPA server to enroll to
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
skip_conncheck:
|
|
Packit |
8cb997 |
description: Skip connection check to remote master
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dm_password:
|
|
Packit |
8cb997 |
description: Directory Manager password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
password:
|
|
Packit |
8cb997 |
description: Admin user kerberos password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ip_addresses:
|
|
Packit |
8cb997 |
description: List of Master Server IP Addresses
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
domain:
|
|
Packit |
8cb997 |
description: Primary DNS domain of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
realm:
|
|
Packit |
8cb997 |
description: Kerberos realm name of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
hostname:
|
|
Packit |
8cb997 |
description: Fully qualified name of this host
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
principal:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
User Principal allowed to promote replicas and join IPA realm
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
ca_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
List of files containing CA certificates for the service certificate
|
|
Packit |
8cb997 |
files
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_host_dns:
|
|
Packit |
8cb997 |
description: Do not use DNS for hostname lookup during installation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_adtrust:
|
|
Packit |
8cb997 |
description: Configure AD trust capability
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_ca:
|
|
Packit |
8cb997 |
description: Configure a dogtag CA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_kra:
|
|
Packit |
8cb997 |
description: Configure a dogtag KRA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_dns:
|
|
Packit |
8cb997 |
description: Configure bind with our zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Files containing the Directory Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Directory Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Directory Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Apache Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Apache Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Apache Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Kerberos KDC SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Kerberos KDC SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Kerberos KDC private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
keytab:
|
|
Packit |
8cb997 |
description: Path to backed up keytab from previous enrollment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
mkhomedir:
|
|
Packit |
8cb997 |
description: Create home directories for users on their first login
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
force_join:
|
|
Packit |
8cb997 |
description: Force client enrollment even if already enrolled
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ntp:
|
|
Packit |
8cb997 |
description: Do not configure ntp
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ssh_trust_dns:
|
|
Packit |
8cb997 |
description: Configure OpenSSH client to trust DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ssh:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH client
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_sshd:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH server
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dns_sshfp:
|
|
Packit |
8cb997 |
description: Do not automatically create DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
allow_zone_overlap:
|
|
Packit |
8cb997 |
description: Create DNS zone even if it already exists
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
reverse_zones:
|
|
Packit |
8cb997 |
description: The reverse DNS zones to use
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_reverse:
|
|
Packit |
8cb997 |
description: Do not create new reverse DNS zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_reverse:
|
|
Packit |
8cb997 |
description: Create necessary reverse zones
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forwarders:
|
|
Packit |
8cb997 |
description: Add DNS forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_forwarders:
|
|
Packit |
8cb997 |
description: Do not add any DNS forwarders, use root servers instead
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_forwarders:
|
|
Packit |
8cb997 |
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forward_policy:
|
|
Packit |
8cb997 |
description: DNS forwarding policy for global forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dnssec_validation:
|
|
Packit |
8cb997 |
description: Disable DNSSEC validation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
enable_compat:
|
|
Packit |
8cb997 |
description: Enable support for trusted domains for old clients
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
netbios_name:
|
|
Packit |
8cb997 |
description: NetBIOS name of the IPA domain
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
rid_base:
|
|
Packit |
8cb997 |
description: Start value for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
secondary_rid_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Start value of the secondary range for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
server:
|
|
Packit |
8cb997 |
description: Fully qualified name of IPA server to enroll to
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
skip_conncheck:
|
|
Packit |
8cb997 |
description: Skip connection check to remote master
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dm_password:
|
|
Packit |
8cb997 |
description: Directory Manager password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
password:
|
|
Packit |
8cb997 |
description: Admin user kerberos password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ip_addresses:
|
|
Packit |
8cb997 |
description: List of Master Server IP Addresses
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
domain:
|
|
Packit |
8cb997 |
description: Primary DNS domain of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
realm:
|
|
Packit |
8cb997 |
description: Kerberos realm name of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
hostname:
|
|
Packit |
8cb997 |
description: Fully qualified name of this host
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
principal:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
User Principal allowed to promote replicas and join IPA realm
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
ca_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
List of files containing CA certificates for the service certificate
|
|
Packit |
8cb997 |
files
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_host_dns:
|
|
Packit |
8cb997 |
description: Do not use DNS for hostname lookup during installation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_adtrust:
|
|
Packit |
8cb997 |
description: Configure AD trust capability
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_ca:
|
|
Packit |
8cb997 |
description: Configure a dogtag CA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_kra:
|
|
Packit |
8cb997 |
description: Configure a dogtag KRA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_dns:
|
|
Packit |
8cb997 |
description: Configure bind with our zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Files containing the Directory Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Directory Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Directory Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Apache Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Apache Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Apache Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Kerberos KDC SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Kerberos KDC SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Kerberos KDC private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
keytab:
|
|
Packit |
8cb997 |
description: Path to backed up keytab from previous enrollment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
mkhomedir:
|
|
Packit |
8cb997 |
description: Create home directories for users on their first login
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
force_join:
|
|
Packit |
8cb997 |
description: Force client enrollment even if already enrolled
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ntp:
|
|
Packit |
8cb997 |
description: Do not configure ntp
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ssh_trust_dns:
|
|
Packit |
8cb997 |
description: Configure OpenSSH client to trust DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ssh:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH client
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_sshd:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH server
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dns_sshfp:
|
|
Packit |
8cb997 |
description: Do not automatically create DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
allow_zone_overlap:
|
|
Packit |
8cb997 |
description: Create DNS zone even if it already exists
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
reverse_zones:
|
|
Packit |
8cb997 |
description: The reverse DNS zones to use
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_reverse:
|
|
Packit |
8cb997 |
description: Do not create new reverse DNS zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_reverse:
|
|
Packit |
8cb997 |
description: Create necessary reverse zones
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forwarders:
|
|
Packit |
8cb997 |
description: Add DNS forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_forwarders:
|
|
Packit |
8cb997 |
description: Do not add any DNS forwarders, use root servers instead
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_forwarders:
|
|
Packit |
8cb997 |
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forward_policy:
|
|
Packit |
8cb997 |
description: DNS forwarding policy for global forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dnssec_validation:
|
|
Packit |
8cb997 |
description: Disable DNSSEC validation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
enable_compat:
|
|
Packit |
8cb997 |
description: Enable support for trusted domains for old clients
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
netbios_name:
|
|
Packit |
8cb997 |
description: NetBIOS name of the IPA domain
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
rid_base:
|
|
Packit |
8cb997 |
description: Start value for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
secondary_rid_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Start value of the secondary range for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
server:
|
|
Packit |
8cb997 |
description: Fully qualified name of IPA server to enroll to
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
skip_conncheck:
|
|
Packit |
8cb997 |
description: Skip connection check to remote master
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dm_password:
|
|
Packit |
8cb997 |
description: Directory Manager password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
password:
|
|
Packit |
8cb997 |
description: Admin user kerberos password
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ip_addresses:
|
|
Packit |
8cb997 |
description: List of Master Server IP Addresses
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
domain:
|
|
Packit |
8cb997 |
description: Primary DNS domain of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
realm:
|
|
Packit |
8cb997 |
description: Kerberos realm name of the IPA deployment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
hostname:
|
|
Packit |
8cb997 |
description: Fully qualified name of this host
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
principal:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
User Principal allowed to promote replicas and join IPA realm
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
ca_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
List of files containing CA certificates for the service certificate
|
|
Packit |
8cb997 |
files
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_host_dns:
|
|
Packit |
8cb997 |
description: Do not use DNS for hostname lookup during installation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_adtrust:
|
|
Packit |
8cb997 |
description: Configure AD trust capability
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_ca:
|
|
Packit |
8cb997 |
description: Configure a dogtag CA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_kra:
|
|
Packit |
8cb997 |
description: Configure a dogtag KRA
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
setup_dns:
|
|
Packit |
8cb997 |
description: Configure bind with our zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Files containing the Directory Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Directory Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
dirsrv_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Directory Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Apache Server SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Apache Server SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
http_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Apache Server private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_files:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
File containing the Kerberos KDC SSL certificate and private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_cert_name:
|
|
Packit |
8cb997 |
description: Name of the Kerberos KDC SSL certificate to install
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
pkinit_pin:
|
|
Packit |
8cb997 |
description: The password to unlock the Kerberos KDC private key
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
keytab:
|
|
Packit |
8cb997 |
description: Path to backed up keytab from previous enrollment
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
mkhomedir:
|
|
Packit |
8cb997 |
description: Create home directories for users on their first login
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
force_join:
|
|
Packit |
8cb997 |
description: Force client enrollment even if already enrolled
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ntp:
|
|
Packit |
8cb997 |
description: Do not configure ntp
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
ssh_trust_dns:
|
|
Packit |
8cb997 |
description: Configure OpenSSH client to trust DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_ssh:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH client
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_sshd:
|
|
Packit |
8cb997 |
description: Do not configure OpenSSH server
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dns_sshfp:
|
|
Packit |
8cb997 |
description: Do not automatically create DNS SSHFP records
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
allow_zone_overlap:
|
|
Packit |
8cb997 |
description: Create DNS zone even if it already exists
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
reverse_zones:
|
|
Packit |
8cb997 |
description: The reverse DNS zones to use
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_reverse:
|
|
Packit |
8cb997 |
description: Do not create new reverse DNS zone
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_reverse:
|
|
Packit |
8cb997 |
description: Create necessary reverse zones
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forwarders:
|
|
Packit |
8cb997 |
description: Add DNS forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_forwarders:
|
|
Packit |
8cb997 |
description: Do not add any DNS forwarders, use root servers instead
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
auto_forwarders:
|
|
Packit |
8cb997 |
description: Use DNS forwarders configured in /etc/resolv.conf
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
forward_policy:
|
|
Packit |
8cb997 |
description: DNS forwarding policy for global forwarders
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
no_dnssec_validation:
|
|
Packit |
8cb997 |
description: Disable DNSSEC validation
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
enable_compat:
|
|
Packit |
8cb997 |
description: Enable support for trusted domains for old clients
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
netbios_name:
|
|
Packit |
8cb997 |
description: NetBIOS name of the IPA domain
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
rid_base:
|
|
Packit |
8cb997 |
description: Start value for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
secondary_rid_base:
|
|
Packit |
8cb997 |
description:
|
|
Packit |
8cb997 |
Start value of the secondary range for mapping UIDs and GIDs to RIDs
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
server:
|
|
Packit |
8cb997 |
description: Fully qualified name of IPA server to enroll to
|
|
Packit |
8cb997 |
required: no
|
|
Packit |
8cb997 |
skip_conncheck:
|
|
Packit |
8cb997 |
description: Skip connection check to remote master
|
|
Packit |
8cb997 |
required: yes
|
|
Packit |
8cb997 |
author:
|
|
Packit |
8cb997 |
- Thomas Woerner
|
|
Packit |
8cb997 |
'''
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
EXAMPLES = '''
|
|
Packit |
8cb997 |
'''
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
RETURN = '''
|
|
Packit |
8cb997 |
'''
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
import os
|
|
Packit |
8cb997 |
import tempfile
|
|
Packit |
8cb997 |
import traceback
|
|
Packit |
8cb997 |
import six
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
from ansible.module_utils.basic import AnsibleModule
|
|
Packit |
8cb997 |
from ansible.module_utils.ansible_ipa_replica import (
|
|
Packit |
8cb997 |
AnsibleModuleLog, options, installer, DN, paths, sysrestore,
|
|
Packit |
8cb997 |
ansible_module_get_parsed_ip_addresses, Env, ipautil, ipaldap,
|
|
Packit |
8cb997 |
installutils, ReplicaConfig, load_pkcs12, kinit_keytab, create_api,
|
|
Packit |
8cb997 |
rpc_client, check_remote_version, parse_version, check_remote_fips_mode,
|
|
Packit |
8cb997 |
ReplicationManager, promotion_check_ipa_domain, current_domain_level,
|
|
Packit |
8cb997 |
check_domain_level_is_supported, errors, ScriptError,
|
|
Packit |
8cb997 |
logger, check_dns_resolution, service, find_providing_server, ca, kra,
|
|
Packit |
8cb997 |
dns, no_matching_interface_for_ip_address_warning, adtrust,
|
|
Packit |
8cb997 |
constants, api, redirect_stdout, replica_conn_check, tasks
|
|
Packit |
8cb997 |
)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if six.PY3:
|
|
Packit |
8cb997 |
unicode = str
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
def main():
|
|
Packit |
8cb997 |
ansible_module = AnsibleModule(
|
|
Packit |
8cb997 |
argument_spec=dict(
|
|
Packit |
8cb997 |
# basic
|
|
Packit |
8cb997 |
dm_password=dict(required=False, no_log=True),
|
|
Packit |
8cb997 |
password=dict(required=False, no_log=True),
|
|
Packit |
8cb997 |
ip_addresses=dict(required=False, type='list', default=[]),
|
|
Packit |
8cb997 |
domain=dict(required=False),
|
|
Packit |
8cb997 |
realm=dict(required=False),
|
|
Packit |
8cb997 |
hostname=dict(required=False),
|
|
Packit |
8cb997 |
principal=dict(required=True),
|
|
Packit |
8cb997 |
ca_cert_files=dict(required=False, type='list', default=[]),
|
|
Packit |
8cb997 |
no_host_dns=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
# server
|
|
Packit |
8cb997 |
setup_adtrust=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
setup_ca=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
setup_kra=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
setup_dns=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
# ssl certificate
|
|
Packit |
8cb997 |
dirsrv_cert_files=dict(required=False, type='list', default=[]),
|
|
Packit |
8cb997 |
dirsrv_cert_name=dict(required=False),
|
|
Packit |
8cb997 |
dirsrv_pin=dict(required=False),
|
|
Packit |
8cb997 |
http_cert_files=dict(required=False, type='list', default=[]),
|
|
Packit |
8cb997 |
http_cert_name=dict(required=False),
|
|
Packit |
8cb997 |
http_pin=dict(required=False),
|
|
Packit |
8cb997 |
pkinit_cert_files=dict(required=False, type='list', default=[]),
|
|
Packit |
8cb997 |
pkinit_cert_name=dict(required=False),
|
|
Packit |
8cb997 |
pkinit_pin=dict(required=False),
|
|
Packit |
8cb997 |
# client
|
|
Packit |
8cb997 |
keytab=dict(required=False),
|
|
Packit |
8cb997 |
mkhomedir=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
force_join=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
no_ntp=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
ssh_trust_dns=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
no_ssh=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
no_sshd=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
no_dns_sshfp=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
# certificate system
|
|
Packit |
8cb997 |
# subject_base=dict(required=False),
|
|
Packit |
8cb997 |
# dns
|
|
Packit |
8cb997 |
allow_zone_overlap=dict(required=False, type='bool',
|
|
Packit |
8cb997 |
default=False),
|
|
Packit |
8cb997 |
reverse_zones=dict(required=False, type='list', default=[]),
|
|
Packit |
8cb997 |
no_reverse=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
auto_reverse=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
forwarders=dict(required=False, type='list', default=[]),
|
|
Packit |
8cb997 |
no_forwarders=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
auto_forwarders=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
forward_policy=dict(default=None, choices=['first', 'only']),
|
|
Packit |
8cb997 |
no_dnssec_validation=dict(required=False, type='bool',
|
|
Packit |
8cb997 |
default=False),
|
|
Packit |
8cb997 |
# ad trust
|
|
Packit |
8cb997 |
enable_compat=dict(required=False, type='bool', default=False),
|
|
Packit |
8cb997 |
netbios_name=dict(required=False),
|
|
Packit |
8cb997 |
rid_base=dict(required=False, type='int', default=1000),
|
|
Packit |
8cb997 |
secondary_rid_base=dict(required=False, type='int',
|
|
Packit |
8cb997 |
default=100000000),
|
|
Packit |
8cb997 |
# additional
|
|
Packit |
8cb997 |
server=dict(required=True),
|
|
Packit |
8cb997 |
skip_conncheck=dict(required=False, type='bool'),
|
|
Packit |
8cb997 |
),
|
|
Packit |
8cb997 |
supports_check_mode=True,
|
|
Packit |
8cb997 |
)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_module._ansible_debug = True
|
|
Packit |
8cb997 |
ansible_log = AnsibleModuleLog(ansible_module)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# get parameters #
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
options.dm_password = ansible_module.params.get('dm_password')
|
|
Packit |
8cb997 |
options.password = options.dm_password
|
|
Packit |
8cb997 |
options.admin_password = ansible_module.params.get('password')
|
|
Packit |
8cb997 |
options.ip_addresses = ansible_module_get_parsed_ip_addresses(
|
|
Packit |
8cb997 |
ansible_module)
|
|
Packit |
8cb997 |
options.domain_name = ansible_module.params.get('domain')
|
|
Packit |
8cb997 |
options.realm_name = ansible_module.params.get('realm')
|
|
Packit |
8cb997 |
options.host_name = ansible_module.params.get('hostname')
|
|
Packit |
8cb997 |
options.principal = ansible_module.params.get('principal')
|
|
Packit |
8cb997 |
options.ca_cert_files = ansible_module.params.get('ca_cert_files')
|
|
Packit |
8cb997 |
options.no_host_dns = ansible_module.params.get('no_host_dns')
|
|
Packit |
8cb997 |
# server
|
|
Packit |
8cb997 |
options.setup_adtrust = ansible_module.params.get('setup_adtrust')
|
|
Packit |
8cb997 |
options.setup_ca = ansible_module.params.get('setup_ca')
|
|
Packit |
8cb997 |
options.setup_kra = ansible_module.params.get('setup_kra')
|
|
Packit |
8cb997 |
options.setup_dns = ansible_module.params.get('setup_dns')
|
|
Packit |
8cb997 |
# ssl certificate
|
|
Packit |
8cb997 |
options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
|
|
Packit |
8cb997 |
options.dirsrv_cert_name = ansible_module.params.get('dirsrv_cert_name')
|
|
Packit |
8cb997 |
options.dirsrv_pin = ansible_module.params.get('dirsrv_pin')
|
|
Packit |
8cb997 |
options.http_cert_files = ansible_module.params.get('http_cert_files')
|
|
Packit |
8cb997 |
options.http_cert_name = ansible_module.params.get('http_cert_name')
|
|
Packit |
8cb997 |
options.http_pin = ansible_module.params.get('http_pin')
|
|
Packit |
8cb997 |
options.pkinit_cert_files = ansible_module.params.get('pkinit_cert_files')
|
|
Packit |
8cb997 |
options.pkinit_cert_name = ansible_module.params.get('pkinit_cert_name')
|
|
Packit |
8cb997 |
options.pkinit_pin = ansible_module.params.get('pkinit_pin')
|
|
Packit |
8cb997 |
# client
|
|
Packit |
8cb997 |
options.keytab = ansible_module.params.get('keytab')
|
|
Packit |
8cb997 |
options.mkhomedir = ansible_module.params.get('mkhomedir')
|
|
Packit |
8cb997 |
options.force_join = ansible_module.params.get('force_join')
|
|
Packit |
8cb997 |
options.no_ntp = ansible_module.params.get('no_ntp')
|
|
Packit |
8cb997 |
options.ssh_trust_dns = ansible_module.params.get('ssh_trust_dns')
|
|
Packit |
8cb997 |
options.no_ssh = ansible_module.params.get('no_ssh')
|
|
Packit |
8cb997 |
options.no_sshd = ansible_module.params.get('no_sshd')
|
|
Packit |
8cb997 |
options.no_dns_sshfp = ansible_module.params.get('no_dns_sshfp')
|
|
Packit |
8cb997 |
# certificate system
|
|
Packit |
8cb997 |
options.external_ca = ansible_module.params.get('external_ca')
|
|
Packit |
8cb997 |
options.external_cert_files = ansible_module.params.get(
|
|
Packit |
8cb997 |
'external_cert_files')
|
|
Packit |
8cb997 |
# options.subject_base = ansible_module.params.get('subject_base')
|
|
Packit |
8cb997 |
# options.ca_subject = ansible_module.params.get('ca_subject')
|
|
Packit |
8cb997 |
options.no_dnssec_validation = ansible_module.params.get(
|
|
Packit |
8cb997 |
'no_dnssec_validation')
|
|
Packit |
8cb997 |
# dns
|
|
Packit |
8cb997 |
options.allow_zone_overlap = ansible_module.params.get(
|
|
Packit |
8cb997 |
'allow_zone_overlap')
|
|
Packit |
8cb997 |
options.reverse_zones = ansible_module.params.get('reverse_zones')
|
|
Packit |
8cb997 |
options.no_reverse = ansible_module.params.get('no_reverse')
|
|
Packit |
8cb997 |
options.auto_reverse = ansible_module.params.get('auto_reverse')
|
|
Packit |
8cb997 |
options.forwarders = ansible_module.params.get('forwarders')
|
|
Packit |
8cb997 |
options.no_forwarders = ansible_module.params.get('no_forwarders')
|
|
Packit |
8cb997 |
options.auto_forwarders = ansible_module.params.get('auto_forwarders')
|
|
Packit |
8cb997 |
options.forward_policy = ansible_module.params.get('forward_policy')
|
|
Packit |
8cb997 |
options.no_dnssec_validation = ansible_module.params.get(
|
|
Packit |
8cb997 |
'no_dnssec_validationdnssec_validation')
|
|
Packit |
8cb997 |
# ad trust
|
|
Packit |
8cb997 |
options.enable_compat = ansible_module.params.get('enable_compat')
|
|
Packit |
8cb997 |
options.netbios_name = ansible_module.params.get('netbios_name')
|
|
Packit |
8cb997 |
options.rid_base = ansible_module.params.get('rid_base')
|
|
Packit |
8cb997 |
options.secondary_rid_base = ansible_module.params.get(
|
|
Packit |
8cb997 |
'secondary_rid_base')
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# additional
|
|
Packit |
8cb997 |
# options._host_name_overridden = ansible_module.params.get(
|
|
Packit |
8cb997 |
# '_hostname_overridden')
|
|
Packit |
8cb997 |
options.server = ansible_module.params.get('server')
|
|
Packit |
8cb997 |
options.skip_conncheck = ansible_module.params.get('skip_conncheck')
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# init #
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
fstore = sysrestore.FileStore(paths.SYSRESTORE)
|
|
Packit |
8cb997 |
sstore = sysrestore.StateFile(paths.SYSRESTORE)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# prepare (install prepare, install checks) #
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
##########################################################################
|
|
Packit |
8cb997 |
# replica promote_check ##################################################
|
|
Packit |
8cb997 |
##########################################################################
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("== PROMOTE CHECK ==")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# ansible_log.debug("-- NO_NTP --") # already done in test
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# check selinux status, http and DS ports, NTP conflicting services
|
|
Packit |
8cb997 |
# common_check(options.no_ntp)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
installer._enrollment_performed = False
|
|
Packit |
8cb997 |
installer._top_dir = tempfile.mkdtemp("ipa")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# with ipautil.private_ccache():
|
|
Packit |
8cb997 |
dir_path = tempfile.mkdtemp(prefix='krbcc')
|
|
Packit |
8cb997 |
os.environ['KRB5CCNAME'] = os.path.join(dir_path, 'ccache')
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- API --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
env = Env()
|
|
Packit |
8cb997 |
env._bootstrap(context='installer', confdir=paths.ETC_IPA, log=None)
|
|
Packit |
8cb997 |
env._finalize_core(**dict(constants.DEFAULT_CONFIG))
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# pylint: disable=no-member
|
|
Packit |
8cb997 |
xmlrpc_uri = 'https://{}/ipa/xml'.format(ipautil.format_netloc(env.host))
|
|
Packit |
8cb997 |
if hasattr(ipaldap, "realm_to_ldapi_uri"):
|
|
Packit |
8cb997 |
realm_to_ldapi_uri = ipaldap.realm_to_ldapi_uri
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
realm_to_ldapi_uri = installutils.realm_to_ldapi_uri
|
|
Packit |
8cb997 |
api.bootstrap(in_server=True,
|
|
Packit |
8cb997 |
context='installer',
|
|
Packit |
8cb997 |
confdir=paths.ETC_IPA,
|
|
Packit |
8cb997 |
ldap_uri=realm_to_ldapi_uri(env.realm),
|
|
Packit |
8cb997 |
xmlrpc_uri=xmlrpc_uri)
|
|
Packit |
8cb997 |
# pylint: enable=no-member
|
|
Packit |
8cb997 |
api.finalize()
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- REPLICA_CONFIG --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
config = ReplicaConfig()
|
|
Packit |
8cb997 |
config.realm_name = api.env.realm
|
|
Packit |
8cb997 |
config.host_name = api.env.host
|
|
Packit |
8cb997 |
config.domain_name = api.env.domain
|
|
Packit |
8cb997 |
config.master_host_name = api.env.server
|
|
Packit |
8cb997 |
if not api.env.ca_host or api.env.ca_host == api.env.host:
|
|
Packit |
8cb997 |
# ca_host has not been configured explicitly, prefer source master
|
|
Packit |
8cb997 |
config.ca_host_name = api.env.server
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
# default to ca_host from IPA config
|
|
Packit |
8cb997 |
config.ca_host_name = api.env.ca_host
|
|
Packit |
8cb997 |
config.kra_host_name = config.ca_host_name
|
|
Packit |
8cb997 |
config.ca_ds_port = 389
|
|
Packit |
8cb997 |
config.setup_ca = options.setup_ca
|
|
Packit |
8cb997 |
config.setup_kra = options.setup_kra
|
|
Packit |
8cb997 |
config.dir = installer._top_dir
|
|
Packit |
8cb997 |
config.basedn = api.env.basedn
|
|
Packit |
8cb997 |
# config.hidden_replica = options.hidden_replica
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# load and check certificates #
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CERT_FILES --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
http_pkcs12_file = None
|
|
Packit |
8cb997 |
http_pkcs12_info = None
|
|
Packit |
8cb997 |
http_ca_cert = None
|
|
Packit |
8cb997 |
dirsrv_pkcs12_file = None
|
|
Packit |
8cb997 |
dirsrv_pkcs12_info = None
|
|
Packit |
8cb997 |
dirsrv_ca_cert = None
|
|
Packit |
8cb997 |
pkinit_pkcs12_file = None
|
|
Packit |
8cb997 |
pkinit_pkcs12_info = None
|
|
Packit |
8cb997 |
pkinit_ca_cert = None
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.http_cert_files:
|
|
Packit |
8cb997 |
ansible_log.debug("-- HTTP_CERT_FILES --")
|
|
Packit |
8cb997 |
if options.http_pin is None:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Apache Server private key unlock password required")
|
|
Packit |
8cb997 |
http_pkcs12_file, http_pin, http_ca_cert = load_pkcs12(
|
|
Packit |
8cb997 |
cert_files=options.http_cert_files,
|
|
Packit |
8cb997 |
key_password=options.http_pin,
|
|
Packit |
8cb997 |
key_nickname=options.http_cert_name,
|
|
Packit |
8cb997 |
ca_cert_files=options.ca_cert_files,
|
|
Packit |
8cb997 |
host_name=config.host_name)
|
|
Packit |
8cb997 |
http_pkcs12_info = (http_pkcs12_file.name, http_pin)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.dirsrv_cert_files:
|
|
Packit |
8cb997 |
ansible_log.debug("-- DIRSRV_CERT_FILES --")
|
|
Packit |
8cb997 |
if options.dirsrv_pin is None:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Directory Server private key unlock password required")
|
|
Packit |
8cb997 |
dirsrv_pkcs12_file, dirsrv_pin, dirsrv_ca_cert = load_pkcs12(
|
|
Packit |
8cb997 |
cert_files=options.dirsrv_cert_files,
|
|
Packit |
8cb997 |
key_password=options.dirsrv_pin,
|
|
Packit |
8cb997 |
key_nickname=options.dirsrv_cert_name,
|
|
Packit |
8cb997 |
ca_cert_files=options.ca_cert_files,
|
|
Packit |
8cb997 |
host_name=config.host_name)
|
|
Packit |
8cb997 |
dirsrv_pkcs12_info = (dirsrv_pkcs12_file.name, dirsrv_pin)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.pkinit_cert_files:
|
|
Packit |
8cb997 |
ansible_log.debug("-- PKINIT_CERT_FILES --")
|
|
Packit |
8cb997 |
if options.pkinit_pin is None:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Kerberos KDC private key unlock password required")
|
|
Packit |
8cb997 |
pkinit_pkcs12_file, pkinit_pin, pkinit_ca_cert = load_pkcs12(
|
|
Packit |
8cb997 |
cert_files=options.pkinit_cert_files,
|
|
Packit |
8cb997 |
key_password=options.pkinit_pin,
|
|
Packit |
8cb997 |
key_nickname=options.pkinit_cert_name,
|
|
Packit |
8cb997 |
ca_cert_files=options.ca_cert_files,
|
|
Packit |
8cb997 |
realm_name=config.realm_name)
|
|
Packit |
8cb997 |
pkinit_pkcs12_info = (pkinit_pkcs12_file.name, pkinit_pin)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if (options.http_cert_files and options.dirsrv_cert_files and
|
|
Packit |
8cb997 |
http_ca_cert != dirsrv_ca_cert):
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Apache Server SSL certificate and Directory "
|
|
Packit |
8cb997 |
"Server SSL certificate are not signed by the same"
|
|
Packit |
8cb997 |
" CA certificate")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if (options.http_cert_files and
|
|
Packit |
8cb997 |
options.pkinit_cert_files and
|
|
Packit |
8cb997 |
http_ca_cert != pkinit_ca_cert):
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Apache Server SSL certificate and PKINIT KDC "
|
|
Packit |
8cb997 |
"certificate are not signed by the same CA "
|
|
Packit |
8cb997 |
"certificate")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- FQDN --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
installutils.verify_fqdn(config.host_name, options.no_host_dns)
|
|
Packit |
8cb997 |
installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- KINIT_KEYTAB --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ccache = os.environ['KRB5CCNAME']
|
|
Packit |
8cb997 |
kinit_keytab('host/{env.host}@{env.realm}'.format(env=api.env),
|
|
Packit |
8cb997 |
paths.KRB5_KEYTAB,
|
|
Packit |
8cb997 |
ccache)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CA_CRT --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
cafile = paths.IPA_CA_CRT
|
|
Packit |
8cb997 |
if not os.path.isfile(cafile):
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="CA cert file is not available! Please reinstall"
|
|
Packit |
8cb997 |
"the client and try again.")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- REMOTE_API --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
|
|
Packit |
8cb997 |
xmlrpc_uri = 'https://{}/ipa/xml'.format(
|
|
Packit |
8cb997 |
ipautil.format_netloc(config.master_host_name))
|
|
Packit |
8cb997 |
remote_api = create_api(mode=None)
|
|
Packit |
8cb997 |
remote_api.bootstrap(in_server=True,
|
|
Packit |
8cb997 |
context='installer',
|
|
Packit |
8cb997 |
confdir=paths.ETC_IPA,
|
|
Packit |
8cb997 |
ldap_uri=ldapuri,
|
|
Packit |
8cb997 |
xmlrpc_uri=xmlrpc_uri)
|
|
Packit |
8cb997 |
remote_api.finalize()
|
|
Packit |
8cb997 |
installer._remote_api = remote_api
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- RPC_CLIENT --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
with rpc_client(remote_api) as client:
|
|
Packit |
8cb997 |
check_remote_version(client, parse_version(api.env.version))
|
|
Packit |
8cb997 |
check_remote_fips_mode(client, api.env.fips_mode)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
conn = remote_api.Backend.ldap2
|
|
Packit |
8cb997 |
replman = None
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
ansible_log.debug("-- CONNECT --")
|
|
Packit |
8cb997 |
# Try out authentication
|
|
Packit |
8cb997 |
conn.connect(ccache=ccache)
|
|
Packit |
8cb997 |
replman = ReplicationManager(config.realm_name,
|
|
Packit |
8cb997 |
config.master_host_name, None)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CHECK IPA_DOMAIN --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
promotion_check_ipa_domain(conn, remote_api.env.basedn)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CHECK DOMAIN_LEVEL --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Make sure that domain fulfills minimal domain level
|
|
Packit |
8cb997 |
# requirement
|
|
Packit |
8cb997 |
domain_level = current_domain_level(remote_api)
|
|
Packit |
8cb997 |
check_domain_level_is_supported(domain_level)
|
|
Packit |
8cb997 |
if domain_level < constants.MIN_DOMAIN_LEVEL:
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg="Cannot promote this client to a replica. The domain "
|
|
Packit |
8cb997 |
"level "
|
|
Packit |
8cb997 |
"must be raised to {mindomainlevel} before the replica can be "
|
|
Packit |
8cb997 |
"installed".format(
|
|
Packit |
8cb997 |
mindomainlevel=constants.MIN_DOMAIN_LEVEL))
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CHECK AUTHORIZATION --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Check authorization
|
|
Packit |
8cb997 |
result = remote_api.Command['hostgroup_find'](
|
|
Packit |
8cb997 |
cn=u'ipaservers',
|
|
Packit |
8cb997 |
host=[unicode(api.env.host)]
|
|
Packit |
8cb997 |
)['result']
|
|
Packit |
8cb997 |
add_to_ipaservers = not result
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- ADD_TO_IPASERVERS --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if add_to_ipaservers:
|
|
Packit |
8cb997 |
if options.password and not options.admin_password:
|
|
Packit |
8cb997 |
raise errors.ACIError(info="Not authorized")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if installer._ccache is None:
|
|
Packit |
8cb997 |
del os.environ['KRB5CCNAME']
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
os.environ['KRB5CCNAME'] = installer._ccache
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
installutils.check_creds(options, config.realm_name)
|
|
Packit |
8cb997 |
installer._ccache = os.environ.get('KRB5CCNAME')
|
|
Packit |
8cb997 |
finally:
|
|
Packit |
8cb997 |
os.environ['KRB5CCNAME'] = ccache
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
conn.disconnect()
|
|
Packit |
8cb997 |
conn.connect(ccache=installer._ccache)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
result = remote_api.Command['hostgroup_show'](
|
|
Packit |
8cb997 |
u'ipaservers',
|
|
Packit |
8cb997 |
all=True,
|
|
Packit |
8cb997 |
rights=True
|
|
Packit |
8cb997 |
)['result']
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if 'w' not in result['attributelevelrights']['member']:
|
|
Packit |
8cb997 |
raise errors.ACIError(info="Not authorized")
|
|
Packit |
8cb997 |
finally:
|
|
Packit |
8cb997 |
ansible_log.debug("-- RECONNECT --")
|
|
Packit |
8cb997 |
conn.disconnect()
|
|
Packit |
8cb997 |
conn.connect(ccache=ccache)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CHECK FOR REPLICATION AGREEMENT --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Check that we don't already have a replication agreement
|
|
Packit |
8cb997 |
if replman.get_replication_agreement(config.host_name):
|
|
Packit |
8cb997 |
msg = ("A replication agreement for this host already exists. "
|
|
Packit |
8cb997 |
"It needs to be removed.\n"
|
|
Packit |
8cb997 |
"Run this command:\n"
|
|
Packit |
8cb997 |
" %% ipa-replica-manage del {host} --force"
|
|
Packit |
8cb997 |
.format(host=config.host_name))
|
|
Packit |
8cb997 |
raise ScriptError(msg, rval=3)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- DETECT REPLICATION MANAGER GROUP --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Detect if the other master can handle replication managers
|
|
Packit |
8cb997 |
# cn=replication managers,cn=sysaccounts,cn=etc,$SUFFIX
|
|
Packit |
8cb997 |
dn = DN(('cn', 'replication managers'), ('cn', 'sysaccounts'),
|
|
Packit |
8cb997 |
('cn', 'etc'), ipautil.realm_to_suffix(config.realm_name))
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
conn.get_entry(dn)
|
|
Packit |
8cb997 |
except errors.NotFound:
|
|
Packit |
8cb997 |
msg = ("The Replication Managers group is not available in "
|
|
Packit |
8cb997 |
"the domain. Replica promotion requires the use of "
|
|
Packit |
8cb997 |
"Replication Managers to be able to replicate data. "
|
|
Packit |
8cb997 |
"Upgrade the peer master or use the ipa-replica-prepare "
|
|
Packit |
8cb997 |
"command on the master and use a prep file to install "
|
|
Packit |
8cb997 |
"this replica.")
|
|
Packit |
8cb997 |
logger.error("%s", msg)
|
|
Packit |
8cb997 |
raise ScriptError(msg, rval=3)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CHECK DNS_MASTERS --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
dns_masters = remote_api.Object['dnsrecord'].get_dns_masters()
|
|
Packit |
8cb997 |
if dns_masters:
|
|
Packit |
8cb997 |
if not options.no_host_dns:
|
|
Packit |
8cb997 |
logger.debug('Check forward/reverse DNS resolution')
|
|
Packit |
8cb997 |
resolution_ok = (
|
|
Packit |
8cb997 |
check_dns_resolution(config.master_host_name,
|
|
Packit |
8cb997 |
dns_masters) and
|
|
Packit |
8cb997 |
check_dns_resolution(config.host_name, dns_masters))
|
|
Packit |
8cb997 |
if not resolution_ok and installer.interactive:
|
|
Packit |
8cb997 |
if not ipautil.user_input("Continue?", False):
|
|
Packit |
8cb997 |
raise ScriptError(rval=0)
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
logger.debug('No IPA DNS servers, '
|
|
Packit |
8cb997 |
'skipping forward/reverse resolution check')
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- GET_IPA_CONFIG --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
entry_attrs = conn.get_ipa_config()
|
|
Packit |
8cb997 |
subject_base = entry_attrs.get('ipacertificatesubjectbase', [None])[0]
|
|
Packit |
8cb997 |
if subject_base is not None:
|
|
Packit |
8cb997 |
config.subject_base = DN(subject_base)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- SEARCH FOR CA --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# Find if any server has a CA
|
|
Packit |
8cb997 |
if not hasattr(service, "find_providing_server"):
|
|
Packit |
8cb997 |
_host = [config.ca_host_name]
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
_host = config.ca_host_name
|
|
Packit |
8cb997 |
ca_host = find_providing_server('CA', conn, _host)
|
|
Packit |
8cb997 |
if ca_host is not None:
|
|
Packit |
8cb997 |
config.ca_host_name = ca_host
|
|
Packit |
8cb997 |
ca_enabled = True
|
|
Packit |
8cb997 |
if options.dirsrv_cert_files:
|
|
Packit |
8cb997 |
msg = ("Certificates could not be provided when "
|
|
Packit |
8cb997 |
"CA is present on some master.")
|
|
Packit |
8cb997 |
logger.error(msg)
|
|
Packit |
8cb997 |
raise ScriptError(msg, rval=3)
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
if options.setup_ca:
|
|
Packit |
8cb997 |
msg = ("The remote master does not have a CA "
|
|
Packit |
8cb997 |
"installed, can't set up CA")
|
|
Packit |
8cb997 |
logger.error(msg)
|
|
Packit |
8cb997 |
raise ScriptError(msg, rval=3)
|
|
Packit |
8cb997 |
ca_enabled = False
|
|
Packit |
8cb997 |
if not options.dirsrv_cert_files:
|
|
Packit |
8cb997 |
msg = ("Cannot issue certificates: a CA is not "
|
|
Packit |
8cb997 |
"installed. Use the --http-cert-file, "
|
|
Packit |
8cb997 |
"--dirsrv-cert-file options to provide "
|
|
Packit |
8cb997 |
"custom certificates.")
|
|
Packit |
8cb997 |
logger.error(msg)
|
|
Packit |
8cb997 |
raise ScriptError(msg, rval=3)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- SEARCH FOR KRA --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if not hasattr(service, "find_providing_server"):
|
|
Packit |
8cb997 |
_host = [config.kra_host_name]
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
_host = config.kra_host_name
|
|
Packit |
8cb997 |
kra_host = find_providing_server('KRA', conn, _host)
|
|
Packit |
8cb997 |
if kra_host is not None:
|
|
Packit |
8cb997 |
config.kra_host_name = kra_host
|
|
Packit |
8cb997 |
kra_enabled = True
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
if options.setup_kra:
|
|
Packit |
8cb997 |
msg = ("There is no active KRA server in the domain, "
|
|
Packit |
8cb997 |
"can't setup a KRA clone")
|
|
Packit |
8cb997 |
logger.error(msg)
|
|
Packit |
8cb997 |
raise ScriptError(msg, rval=3)
|
|
Packit |
8cb997 |
kra_enabled = False
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CHECK CA --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if ca_enabled:
|
|
Packit |
8cb997 |
options.realm_name = config.realm_name
|
|
Packit |
8cb997 |
options.host_name = config.host_name
|
|
Packit |
8cb997 |
ca.install_check(False, config, options)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug(" ca.external_cert_file=%s" %
|
|
Packit |
8cb997 |
repr(ca.external_cert_file))
|
|
Packit |
8cb997 |
ansible_log.debug(" ca.external_ca_file=%s" %
|
|
Packit |
8cb997 |
repr(ca.external_ca_file))
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# TODO
|
|
Packit |
8cb997 |
# TODO
|
|
Packit |
8cb997 |
# Save global vars external_cert_file, external_ca_file for
|
|
Packit |
8cb997 |
# later use
|
|
Packit |
8cb997 |
# TODO
|
|
Packit |
8cb997 |
# TODO
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CHECK KRA --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if kra_enabled:
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
kra.install_check(remote_api, config, options)
|
|
Packit |
8cb997 |
except RuntimeError as e:
|
|
Packit |
8cb997 |
raise ScriptError(e)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CHECK DNS --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.setup_dns:
|
|
Packit |
8cb997 |
dns.install_check(False, remote_api, True, options,
|
|
Packit |
8cb997 |
config.host_name)
|
|
Packit |
8cb997 |
config.ips = dns.ip_addresses
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
config.ips = installutils.get_server_ip_address(
|
|
Packit |
8cb997 |
config.host_name, not installer.interactive,
|
|
Packit |
8cb997 |
False, options.ip_addresses)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# check addresses here, dns module is doing own check
|
|
Packit |
8cb997 |
no_matching_interface_for_ip_address_warning(config.ips)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CHECK ADTRUST --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if options.setup_adtrust:
|
|
Packit |
8cb997 |
adtrust.install_check(False, options, remote_api)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
except errors.ACIError:
|
|
Packit |
8cb997 |
logger.debug("%s", traceback.format_exc())
|
|
Packit |
8cb997 |
ansible_module.fail_json(
|
|
Packit |
8cb997 |
msg=("\nInsufficient privileges to promote the server."
|
|
Packit |
8cb997 |
"\nPossible issues:"
|
|
Packit |
8cb997 |
"\n- A user has insufficient privileges"
|
|
Packit |
8cb997 |
"\n- This client has insufficient privileges "
|
|
Packit |
8cb997 |
"to become an IPA replica"))
|
|
Packit |
8cb997 |
except errors.LDAPError:
|
|
Packit |
8cb997 |
logger.debug("%s", traceback.format_exc())
|
|
Packit |
8cb997 |
ansible_module.fail_json(msg="\nUnable to connect to LDAP server %s" %
|
|
Packit |
8cb997 |
config.master_host_name)
|
|
Packit |
8cb997 |
except ScriptError as e:
|
|
Packit |
8cb997 |
ansible_module.fail_json(msg=str(e))
|
|
Packit |
8cb997 |
finally:
|
|
Packit |
8cb997 |
if replman and replman.conn:
|
|
Packit |
8cb997 |
ansible_log.debug("-- UNBIND REPLMAN--")
|
|
Packit |
8cb997 |
replman.conn.unbind()
|
|
Packit |
8cb997 |
if conn.isconnected():
|
|
Packit |
8cb997 |
ansible_log.debug("-- DISCONNECT --")
|
|
Packit |
8cb997 |
conn.disconnect()
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_log.debug("-- CHECK CONNECTION --")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# check connection
|
|
Packit |
8cb997 |
if not options.skip_conncheck:
|
|
Packit |
8cb997 |
if add_to_ipaservers:
|
|
Packit |
8cb997 |
# use user's credentials when the server host is not ipaservers
|
|
Packit |
8cb997 |
if installer._ccache is None:
|
|
Packit |
8cb997 |
del os.environ['KRB5CCNAME']
|
|
Packit |
8cb997 |
else:
|
|
Packit |
8cb997 |
os.environ['KRB5CCNAME'] = installer._ccache
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
try:
|
|
Packit |
8cb997 |
with redirect_stdout(ansible_log):
|
|
Packit |
8cb997 |
replica_conn_check(
|
|
Packit |
8cb997 |
config.master_host_name, config.host_name,
|
|
Packit |
8cb997 |
config.realm_name, options.setup_ca, 389,
|
|
Packit |
8cb997 |
options.admin_password, principal=options.principal,
|
|
Packit |
8cb997 |
ca_cert_file=cafile)
|
|
Packit |
8cb997 |
except ScriptError as e:
|
|
Packit |
8cb997 |
ansible_module.fail_json(msg=str(e))
|
|
Packit |
8cb997 |
finally:
|
|
Packit |
8cb997 |
if add_to_ipaservers:
|
|
Packit |
8cb997 |
os.environ['KRB5CCNAME'] = ccache
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if hasattr(tasks, "configure_pkcs11_modules"):
|
|
Packit |
8cb997 |
if tasks.configure_pkcs11_modules(fstore):
|
|
Packit |
8cb997 |
ansible_log.info("Disabled p11-kit-proxy")
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
installer._ca_enabled = ca_enabled
|
|
Packit |
8cb997 |
installer._kra_enabled = kra_enabled
|
|
Packit |
8cb997 |
installer._ca_file = cafile
|
|
Packit |
8cb997 |
installer._fstore = fstore
|
|
Packit |
8cb997 |
installer._sstore = sstore
|
|
Packit |
8cb997 |
installer._config = config
|
|
Packit |
8cb997 |
installer._add_to_ipaservers = add_to_ipaservers
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
# done #
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
ansible_module.exit_json(
|
|
Packit |
8cb997 |
changed=True,
|
|
Packit |
8cb997 |
ccache=ccache,
|
|
Packit |
8cb997 |
installer_ccache=installer._ccache,
|
|
Packit |
8cb997 |
subject_base=str(config.subject_base),
|
|
Packit |
8cb997 |
forward_policy=options.forward_policy,
|
|
Packit |
8cb997 |
_ca_enabled=ca_enabled,
|
|
Packit |
8cb997 |
_ca_subject=str(options._ca_subject),
|
|
Packit |
8cb997 |
_subject_base=str(options._subject_base) if options._subject_base
|
|
Packit |
8cb997 |
is not None else None,
|
|
Packit |
8cb997 |
_kra_enabled=kra_enabled,
|
|
Packit |
8cb997 |
_ca_file=cafile,
|
|
Packit |
8cb997 |
_top_dir=installer._top_dir,
|
|
Packit |
8cb997 |
_add_to_ipaservers=add_to_ipaservers,
|
|
Packit |
8cb997 |
_dirsrv_pkcs12_info=dirsrv_pkcs12_info,
|
|
Packit |
8cb997 |
_dirsrv_ca_cert=dirsrv_ca_cert,
|
|
Packit |
8cb997 |
_http_pkcs12_info=http_pkcs12_info,
|
|
Packit |
8cb997 |
_http_ca_cert=http_ca_cert,
|
|
Packit |
8cb997 |
_pkinit_pkcs12_info=pkinit_pkcs12_info,
|
|
Packit |
8cb997 |
_pkinit_ca_cert=pkinit_ca_cert,
|
|
Packit |
8cb997 |
no_dnssec_validation=options.no_dnssec_validation,
|
|
Packit |
8cb997 |
config_setup_ca=config.setup_ca,
|
|
Packit |
8cb997 |
config_master_host_name=config.master_host_name,
|
|
Packit |
8cb997 |
config_ca_host_name=config.ca_host_name,
|
|
Packit |
8cb997 |
config_kra_host_name=config.kra_host_name,
|
|
Packit |
8cb997 |
config_ips=[str(ip) for ip in config.ips],
|
|
Packit |
8cb997 |
# ad trust
|
|
Packit |
8cb997 |
dns_ip_addresses=[str(ip) for ip in dns.ip_addresses],
|
|
Packit |
8cb997 |
dns_reverse_zones=dns.reverse_zones,
|
|
Packit |
8cb997 |
rid_base=options.rid_base,
|
|
Packit |
8cb997 |
secondary_rid_base=options.secondary_rid_base,
|
|
Packit |
8cb997 |
adtrust_netbios_name=adtrust.netbios_name,
|
|
Packit |
8cb997 |
adtrust_reset_netbios_name=adtrust.reset_netbios_name)
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
|
|
Packit |
8cb997 |
if __name__ == '__main__':
|
|
Packit |
8cb997 |
main()
|