From 4918ac508fd3ad341dd14abae1fd410b4bfd41f5 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Tue, 19 Sep 2017 17:54:30 +0200
Subject: [PATCH] Renamed ipaclient_{principal,password} to
 ipaadmin_{principal,password}

This has been done to make clear that these are admin settings and to make
these settings consistent with ipaadmin_keytab.
---
 README.md                         | 10 ++++----
 inventory/hosts                   | 40 ++++++++++++++++++++++---------
 roles/ipaclient/tasks/install.yml | 22 ++++++++---------
 3 files changed, 45 insertions(+), 27 deletions(-)

diff --git a/README.md b/README.md
index 805ee573..907fb9d8 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ Example inventory file with fixed principal using auto-discovery with DNS record
     ipaclient2.example.com
 
     [ipaclients:vars]
-    ipaclient_principal=admin
+    ipaadmin_principal=admin
 
 Example playbook to setup the IPA client(s) using principal from inventory file and password from an [Ansible Vault](http://docs.ansible.com/ansible/latest/playbooks_vault.html) file:
 
@@ -51,8 +51,8 @@ Example inventory file with fixed servers, principal, password and domain:
     
     [ipaclients:vars]
     ipaclient_domain=example.com
-    ipaclient_principal=admin
-    ipaclient_password=MySecretPassword123
+    ipaadmin_principal=admin
+    ipaadmin_password=MySecretPassword123
 
 Example playbook to setup the IPA client(s) using principal and password from inventory file:
 
@@ -79,10 +79,10 @@ Variables
 **ipaclient_realm** - The Kerberos realm of an existing IPA deployment.
  (string, optional)
 
-**ipaclient_principal** - The authorized kerberos principal used to join the IPA realm.
+**ipaadmin_principal** - The authorized kerberos principal used to join the IPA realm.
  (string, optional)
 
-**ipaclient_password** - The password for the kerberos principal.
+**ipaadmin_password** - The password for the kerberos principal.
  (string, optional)
 
 **ipaclient_keytab** - The path to a backed-up host keytab from previous enrollment.
diff --git a/inventory/hosts b/inventory/hosts
index 9461cb8e..3e6f2f0c 100644
--- a/inventory/hosts
+++ b/inventory/hosts
@@ -1,17 +1,35 @@
 [ipaclients]
-ipaclient.ipadomain.com
+ipaclient1.mine.dom
+#ipaclient2.mine.dom
+#ipaclient3.mine.dom
+#ipaclient4.mine.dom
+#ipaclient5.mine.dom
+ipaclient6.mine.dom
+ipaclient7.mine.dom
 
-# Disabled for auto detection
 #[ipaservers]
-#ipaserver.ipadomain.com
+#ipa.mine.dom
+
+#[ipaservers:vars]
+#ipaserver_domain=mine.dom
+#ipaserver_realm=MINE.DOM
+#ipaserver_principal=admin
+#ipaserver_password=password1
 
 [ipaclients:vars]
-# if neither ipaclient_password nor ipaclient_keytab is defined,
-# the enrollement will create a OneTime Password and enroll with this OTP
-# In this case ipaserver_password or ipaserver_keytab is required
-#ipaclient_principal=admin
-#ipaclient_password=SecretPassword123
 #ipaclient_keytab=/tmp/krb5.keytab
-ipaclient_principal=admin
-#ipaclient_password=SecretPassword123
-ipaclient_keytab=files/admin.keytab
+#ipaclient_domain=mine.dom
+#ipaclient_realm=MINE.DOM
+#ipaadmin_principal=admin
+#ipaadmin_password=password1
+#ipaclient_use_otp=yes
+#ipaclient_force_join=yes
+#ipaclient_kinit_attempts=3
+#ipaclient_mkhomedir=yes
+
+#ipaadmin_principal=admin
+#ipaclient_use_otp=yes
+#ipaclient_force_join=yes
+
+#ipaclient_use_otp=yes
+ipaclient_allow_repair=yes
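Review bot: The sample inventory now carries what looks like a local test setup rather than the rename the commit message describes: the hosts become `ipaclient1.mine.dom` through `ipaclient7.mine.dom`, `ipaclient_allow_repair=yes` is switched on, and the comment explaining when a one-time password is used is dropped without a replacement. I would keep an explanatory comment using the new names, for example `# ipaadmin_password or ipaadmin_keytab is needed when ipaclient_use_otp=yes`, after confirming that against the tasks. The host and option changes belong in their own commit. The commented `ipaadmin_password=password1` lines also model a plaintext admin password in the inventory; a comment such as `# keep ipaadmin_password in an Ansible Vault file, not in this inventory` would match the Vault example the README already links to.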
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index 8223c531..53e69784 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -18,8 +18,8 @@
 
 - name: Install - Set default principal if no keytab is given
   set_fact:
-    ipaclient_principal: admin
-  when: ipaclient_principal is undefined and ipaclient_keytab is undefined
+    ipaadmin_principal: admin
+  when: ipaadmin_principal is undefined and ipaclient_keytab is undefined
 
 - block:
   - name: Install - Test if IPA client has working krb5.keytab
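Review bot: An inventory that still sets `ipaclient_principal` or `ipaclient_password` is now ignored without any message, and this task then falls back to `admin`, so a host that was configured with a restricted enrollment principal would have the play try the admin principal instead. The same silent fallback applies to `ipaadmin_principal | default('admin')` in the one-time-password task further down. A guard task ahead of this one, a `fail` with `when: ipaclient_principal is defined or ipaclient_password is defined` and a message naming the new variables, would turn that into an explicit error. The `block:` that opens at the end of this hunk continues outside it.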
@@ -29,7 +29,7 @@
       realm: "{{ ipadiscovery.realm }}"
       hostname: "{{ ipadiscovery.hostname }}"
       kdc: "{{ ipadiscovery.kdc }}"
-      principal: "{{ ipaclient_principal if not ipaclient_use_otp | bool else '' }}"
+      principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool else '' }}"
       kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
     register: ipatest
 
@@ -48,8 +48,8 @@
   - name: Install - Get a One-Time Password for client enrollment
     ipahost:
       state: present
-      principal: "{{ ipaclient_principal | default('admin') }}"
-      password: "{{ ipaclient_password | default(omit) }}"
+      principal: "{{ ipaadmin_principal | default('admin') }}"
+      password: "{{ ipaadmin_password | default(omit) }}"
       keytab: "{{ ipaadmin_keytab | default(omit) }}"
       fqdn: "{{ ansible_fqdn }}"
       lifetime: "{{ ipaclient_lifetime | default(omit) }}"
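Review bot: Nothing visible on this task keeps the admin password it receives, or the one-time password it returns, out of the play output. The result is later read as `ipahost_output.host.randompassword`, so the registered value holds a credential. The task continues outside this hunk; if that part does not already set it, add `no_log: true` to the task. The same applies to the `set_fact` that stores the OTP in the next hunk.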
@@ -62,17 +62,17 @@
 
   - name: Install - Store the previously obtained OTP
     set_fact:
-      ipaclient_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"
+      ipaadmin_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"
 
   when: ipaclient_use_otp | bool
 
 - name: Install - Check if principal and keytab are set
   fail: msg="Principal and keytab cannot be used together"
-  when: ipaclient_principal is defined and ipaclient_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != ""
+  when: ipaadmin_principal is defined and ipaadmin_principal != "" and ipaclient_keytab is defined and ipaclient_keytab != ""
 
 - name: Install - Check if one of password and keytab are set
   fail: msg="At least one of password or keytab must be specified"
-  when: not ipatest.krb5_keytab_ok and (ipaclient_password is undefined or ipaclient_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")
+  when: not ipatest.krb5_keytab_ok and (ipaadmin_password is undefined or ipaadmin_password == "") and (ipaclient_keytab is undefined or ipaclient_keytab == "")
 
 - name: Install - Purge {{ ipadiscovery.realm }} from host keytab
   command: /usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r "{{ ipadiscovery.realm }}"
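Review bot: After the rename, `ipaadmin_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"` overwrites the fact that is named as the admin password with the host's one-time password. Because `set_fact` takes precedence over inventory variables for the rest of the play, any later task on this host that needs the real admin credential would receive the OTP instead. When `ipahost_output.host` is undefined the expression has no `else` branch, so the variable presumably ends up empty or undefined and only surfaces through the generic "At least one of password or keytab must be specified" failure. I would store the OTP in a separately named fact and pass that to the join task, or at minimum add `# from here on ipaadmin_password holds the host OTP, not the admin password` above the `set_fact`.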
@@ -92,8 +92,8 @@
     basedn: "{{ ipadiscovery.basedn }}"
     hostname: "{{ ipadiscovery.hostname }}"
     force_join: "{{ ipaclient_force_join | default(omit) }}"
-    principal: "{{ ipaclient_principal if not ipaclient_use_otp | bool and ipaclient_keytab is not defined else '' }}"
-    password: "{{ ipaclient_password | default(omit) }}"
+    principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool and ipaclient_keytab is not defined else '' }}"
+    password: "{{ ipaadmin_password | default(omit) }}"
     keytab: "{{ ipaclient_keytab | default(omit) }}"
     #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
     kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
@@ -173,7 +173,7 @@
     basedn: "{{ ipadiscovery.basedn }}"
     hostname: "{{ ipadiscovery.hostname }}"
     subject_base: "{{ ipadiscovery.subject_base }}"
-    principal: "{{ ipaclient_principal | default(omit) }}"
+    principal: "{{ ipaadmin_principal | default(omit) }}"
     mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
     ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"
     #on_master: no
-- 
GitLab