install.yml

---
# tasks file for ipaclient

- name: Install - Install IPA client package
  package:
    name: "{{ ipaclient_package }}"
    state: present

- name: Install - IPA discovery
  ipadiscovery:
    domain: "{{ ipaclient_domain | default(omit) }}"
    servers: "{{ groups.ipaservers | default(omit) }}"
    realm: "{{ ipaclient_realm | default(omit) }}"
    hostname: "{{ ansible_fqdn }}"
  register: ipadiscovery

# The following block is executed when using OTP to enroll IPA client
# ie when neither ipaclient_password not ipaclient_keytab is set
# It connects to ipaserver and add the host with --random option in order
# to create a OneTime Password
- block:
  - name: Install - Get a One-Time Password for client enrollment
    ipahost:
      state: present
      principal: "{{ ipaserver_principal | default('admin') }}"
      password: "{{ ipaserver_password | default(omit) }}"
      keytab: "{{ ipaserver_keytab | default(omit) }}"
      fqdn: "{{ ansible_fqdn }}"
      lifetime: "{{ ipaserver_lifetime | default(omit) }}"
      random: True
    register: ipahost_output
    # If the host is already enrolled, this command will exit on error
    # The error can be ignored
    failed_when: ipahost_output|failed and "Password cannot be set on enrolled host" not in ipahost_output.msg
    delegate_to: "{{ ipadiscovery.servers[0] }}"

  - name: Install - Store the previously obtained OTP
    set_fact:
      ipaclient_otp: "{{ipahost_output.host.randompassword if ipahost_output.host is defined else 'dummyotp' }}"

  when: ipaclient_password is not defined and ipaclient_keytab is not defined

- name: Install - Join IPA
  ipajoin:
    servers: "{{ ipadiscovery.servers | default(omit) }}"
    basedn: "{{ ipadiscovery.basedn | default(omit) }}"
    realm: "{{ ipadiscovery.realm | default(omit) }}"
    kdc: "{{ ipadiscovery.kdc | default(omit) }}"
    hostname: "{{ ipadiscovery.hostname }}"
    domain: "{{ ipadiscovery.domain | default(omit) }}"
    force_join: "{{ ipaclient_force_join | default(omit) }}"
    principal: "{{ ipaclient_principal | default(omit) }}"
    password: "{{ ipaclient_password | default(omit) }}"
    keytab: "{{ ipaclient_keytab | default(omit) }}"
    #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
    kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"

#- name: Configure krb5
#  include_role:
#    name: krb5
#  vars:
#    krb5_realm: "{{ ipadiscovery.realm }}"
#    krb5_servers: "{{ ipadiscovery.servers }}"
#    krb5_dns_lookup_realm: "false"
#    krb5_dns_lookup_kdc: "false"

#- name: Configure SSSD
#  include_role:
#    name: sssd
#  vars:
#    sssd_domains: "{{ ipaclient_domain }}"
#    sssd_id_provider: ipa
#    sssd_auth_provider: ipa
#    sssd_access_provider: ipa
#    sssd_chpass_provider: ipa
#    sssd_ipa_servers: "{{ ipadiscovery.servers }}"
#    sssd_cache_credentials: True
#    sssd_krb5_store_password_if_offline: True
#    sssd_services: nss, sudo, pam, ssh
#    sssd_on_master: "false"

- name: Install - Configure IPA client
  ipaclient:
    state: present
    domain: "{{ ipaclient_domain | default(omit) }}"
    realm: "{{ ipaclient_realm | default(omit) }}"
    servers: "{{ groups.ipaservers | default(omit) }}"
    principal: "{{ ipaclient_principal | default(omit) }}"
    password: "{{ ipaclient_password | default(omit) }}"
    keytab: "{{ ipaclient_keytab | default(omit) }}"
    otp: "{{ ipaclient_otp | default(omit) }}"
    force_join: "{{ ipaclient_force_join | default(omit) }}"
    kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
    ntp: "{{ ipaclient_ntp | default(omit) }}"
    mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
    extra_args: "{{ ipaclient_extraargs | default(omit) }}"