Newer
Older
- name: Install - Install IPA client package
package:
name: "{{ ipaclient_package }}"
state: present
- name: Install - IPA discovery
ipadiscovery:
domain: "{{ ipaclient_domain | default(omit) }}"
servers: "{{ groups.ipaservers | default(omit) }}"
realm: "{{ ipaclient_realm | default(omit) }}"
hostname: "{{ ansible_fqdn }}"
register: ipadiscovery
Florence Blanc-Renaud
committed
# The following block is executed when using OTP to enroll IPA client
# ie when neither ipaclient_password not ipaclient_keytab is set
# It connects to ipaserver and add the host with --random option in order
# to create a OneTime Password
- block:
- name: Install - Get a One-Time Password for client enrollment
ipahost:
state: present
principal: "{{ ipaserver_principal | default('admin') }}"
password: "{{ ipaserver_password | default(omit) }}"
keytab: "{{ ipaserver_keytab | default(omit) }}"
fqdn: "{{ ansible_fqdn }}"
lifetime: "{{ ipaserver_lifetime | default(omit) }}"
random: True
register: ipahost_output
# If the host is already enrolled, this command will exit on error
# The error can be ignored
failed_when: ipahost_output|failed and "Password cannot be set on enrolled host" not in ipahost_output.msg
delegate_to: "{{ ipadiscovery.servers[0] }}"
Florence Blanc-Renaud
committed
- name: Install - Store the previously obtained OTP
set_fact:
ipaclient_otp: "{{ipahost_output.host.randompassword if ipahost_output.host is defined else 'dummyotp' }}"
when: ipaclient_password is not defined and ipaclient_keytab is not defined
- name: Install - Join IPA
ipajoin:
servers: "{{ ipadiscovery.servers | default(omit) }}"
basedn: "{{ ipadiscovery.basedn | default(omit) }}"
realm: "{{ ipadiscovery.realm | default(omit) }}"
kdc: "{{ ipadiscovery.kdc | default(omit) }}"
hostname: "{{ ipadiscovery.hostname }}"
domain: "{{ ipadiscovery.domain | default(omit) }}"
force_join: "{{ ipaclient_force_join | default(omit) }}"
principal: "{{ ipaclient_principal | default(omit) }}"
password: "{{ ipaclient_password | default(omit) }}"
keytab: "{{ ipaclient_keytab | default(omit) }}"
#ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
#- name: Configure krb5
# include_role:
# name: krb5
# vars:
# krb5_realm: "{{ ipadiscovery.realm }}"
# krb5_servers: "{{ ipadiscovery.servers }}"
# krb5_dns_lookup_realm: "false"
# krb5_dns_lookup_kdc: "false"
#- name: Configure SSSD
# include_role:
# name: sssd
# vars:
# sssd_domains: "{{ ipaclient_domain }}"
# sssd_id_provider: ipa
# sssd_auth_provider: ipa
# sssd_access_provider: ipa
# sssd_chpass_provider: ipa
# sssd_ipa_servers: "{{ ipadiscovery.servers }}"
# sssd_cache_credentials: True
# sssd_krb5_store_password_if_offline: True
# sssd_services: nss, sudo, pam, ssh
# sssd_on_master: "false"
- name: Install - Configure IPA client
ipaclient:
state: present
Florence Blanc-Renaud
committed
domain: "{{ ipaclient_domain | default(omit) }}"
realm: "{{ ipaclient_realm | default(omit) }}"
servers: "{{ groups.ipaservers | default(omit) }}"
Florence Blanc-Renaud
committed
principal: "{{ ipaclient_principal | default(omit) }}"
password: "{{ ipaclient_password | default(omit) }}"
keytab: "{{ ipaclient_keytab | default(omit) }}"
otp: "{{ ipaclient_otp | default(omit) }}"
force_join: "{{ ipaclient_force_join | default(omit) }}"
kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
ntp: "{{ ipaclient_ntp | default(omit) }}"
mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
Florence Blanc-Renaud
committed
extra_args: "{{ ipaclient_extraargs | default(omit) }}"