Skip to content
Snippets Groups Projects
Select Git revision
0 results
Blame Permalink
CLIENT.md 6.15 KiB

ipaclient role

Description

This role allows to join hosts as clients to an IPA domain. This can be done in differnt ways using auto-discovery of the servers, domain and other settings or by specifying them.

Usage

Example inventory file with fixed principal using auto-discovery with DNS records:

[ipaclients]
ipaclient1.example.com
ipaclient2.example.com

[ipaclients:vars]
ipaadmin_principal=admin

Example playbook to setup the IPA client(s) using principal from inventory file and password from an Ansible Vault file:

- name: Playbook to configure IPA clients with username/password
  hosts: ipaclients
  become: true
  vars_files:
  - playbook_sensitive_data.yml

  roles:
  - role: ipaclient
    state: present

Example playbook to unconfigure the IPA client(s) using principal and password from inventory file:

- name: Playbook to unconfigure IPA clients
  hosts: ipaclients
  become: true

  roles:
  - role: ipaclient
    state: absent

Example inventory file with fixed servers, principal, password and domain:

[ipaclients]
ipaclient1.example.com
ipaclient2.example.com

[ipaservers]
ipaserver.example.com

[ipaclients:vars]
ipaclient_domain=example.com
ipaadmin_principal=admin
ipaadmin_password=MySecretPassword123

Example playbook to setup the IPA client(s) using principal and password from inventory file:

- name: Playbook to configure IPA clients with username/password
  hosts: ipaclients
  become: true

  roles:
  - role: ipaclient
    state: present

Variables

ipaclients

The mandatory ipaclients group is a list of the names of the IPA clients in FQDN form. All these clients will be installed or configured using the playbook.

ipaclient_domain

The optional ipaclient_domain variable sets the DNS domain that will be used for client installation. Usually the DNS domain is a lower-cased name of the Kerberos realm.

If ipaclient_domain is not set, then it will be generated from the domain part of the first entry from the ipaservers FQDN group if the group is defined and contains at least one entry. If ipaservers is not defined, then the domain will be tried to gather using DNS autodiscovery. ipaclient_domain needs to be set if the primary DNS domain is different from domain part of the server FQDN.