diff --git a/CLIENT.md b/CLIENT.md index 273ea89110949199628aa9954837ea9a4a19b615..ada2f3e582fdca6b2bd19e4c9cee2954340f8aa8 100644 --- a/CLIENT.md +++ b/CLIENT.md @@ -67,56 +67,87 @@ Example playbook to setup the IPA client(s) using principal and password from in Variables --------- -**ipaservers** - Group of IPA server hostnames. - (list of strings, optional) +The client role is configured with variables. The `ipaclient_ ` prefix is used for client specific settings and `ipaadmin_` prefix for admin user specific settings. -**ipaclients** - Group of IPA client hostnames. - (list of strings) +### `ipaservers` -**ipaadmin_keytab** - The path to the admin keytab used for alternative authentication. - (string, optional) +The optional `ipaservers` group is a list of the IPA server full qualified host names. In a topology with a chain of servers and replicas, it is important to use the right server or replica as the server for the client. If there is a need to overwrite the setting for a client in the `ipaclients` group, please use the list `ipaclient_servers` explained below. -**ipaadmin_principal** - The authorized kerberos principal used to join the IPA realm. - (string, optional) +If no `ipaservers` group is defined than the installation preparation step will try to use DNS autodiscovery to identify the the IPA server using DNS txt records. -**ipaadmin_password** - The password for the kerberos principal. - (string, optional) - -**ipaclient_domain** - The primary DNS domain of an existing IPA deployment. - (string, optional) +### `ipaclients` -**ipaclient_realm** - The Kerberos realm of an existing IPA deployment. - (string, optional) +The mandatory `ipaclients` group is a list of the names of the IPA clients in FQDN form. All these clients will be installed or configured using the playbook. -**ipaclient_keytab** - The path to a backed-up host keytab from previous enrollment. - (string, optional) +### `ipaadmin_keytab` -**ipaclient_force_join** - Set force_join to yes to join the host even if it is already enrolled. - (bool, optional) +The `ipaadmin_keytab` variable enables the use of an admin keytab as an alternativce authentication method. The variable needs to contain the local path to the keytab file. If `ipaadmin_keytab` is used, then `ipaadmin_password` does not need to be set. -**ipaclient_use_otp** - Enforce the generation of a one time password to configure new and existing hosts. The enforcement on an existing host is not done if there is a working krb5.keytab on the host. If the generation of an otp is enforced for an existing host entry, then the host gets diabled and the containing keytab gets removed. - (bool, optional) +### `ipaadmin_principal` -**ipaclient_allow_repair** - Allow repair of already joined hosts. Contrary to ipaclient_force_join the host entry will not be changed on the server. - (bool, optional) +The optional `ipaadmin_principal` variable only needs to be set if the name of the Kerberos admin principal is not "admin". If `ipaadmin_principal` is not set it will be set internally to "admin". -**ipaclient_kinit_attempts** - Repeat the request for host Kerberos ticket X times if it fails. - (int, optional) +### `ipaadmin_password` -**ipaclient_ntp** - Set to no to not configure and enable NTP - (bool, optional) +The `ipaadmin_password` variable contains the Kerberos password of the Kerberos admin principal. If `ipaadmin_keytab` is used, then `ipaadmin_password` does not need to be set. -**ipaclient_mkhomedir** - Set to yes to configure PAM to create a users home directory if it does not exist. - (string, optional) +### `ipaclient_domain` -Cluster Specific Variables --------------------------- +The optional `ipaclient_domain` variable sets the DNS domain that will be used for client installation. Usually the DNS domain is a lower-cased name of the Kerberos realm. -**ipaclient_no_dns_lookup** - Set to 'yes' to use groups.ipaserver in cluster environments as servers for the clients. This deactivates DNS lookup in krb5. - (bool, optional, default: 'no') +If `ipaclient_domain` is not set, then it will be generated from the domain part of the first entry from the `ipaservers` FQDN group if the group is defined and contains at least one entry. If `ipaservers` is not defined, then the domain will be tried to gather using DNS autodiscovery. `ipaclient_domain` needs to be set if the primary DNS domain is different from domain part of the server FQDN. -**ipaclient_servers** - Manually override list of servers for example in a cluster environment on a per client basis. The list of servers is normally taken from from groups.ipaserver in cluster environments. - (list of strings, optional) +### `ipaclient_realm` + +The optional `ipaclient_realm` sets the Kerberos realm that will be used for client installation. Usually the Kerberos realm is an upper-cased name of the DNS domain. + +If `ipaclient_realm` is not set, then it will be generated from `ipaclient_domain` if this is set. If both are not set, then this + + +### `ipaclient_keytab` + +The optional `ipaclient_keytab` contains the path of a backup host keytab from a previous enrollment. + +### `ipaclient_force_join` + +The `ipaclient_force_join` bool value defines if an already enrolled host can join again. `ipaclient_force_join` defaults to `no`. + +### `ipaclient_use_otp` + +The `ipaclient_use_otp` bool value defines if a one-time password will be generated to join a new or existing host. `ipaclient_use_otp` defaults to `no`. + +The enforcement on an existing host is not done if there is a working krb5.keytab on the host. If the generation of an otp is enforced for an existing host entry, then the host gets diabled and the containing keytab gets removed. + +### `ipaclient_allow_repair` + +The `ipaclient_allow_repair` bool value defines if an already joined or partly set-up client can be repaired. `ipaclient_allow_repair` defaults to `no`. + +Contrary to `ipaclient_force_join=yes` the host entry will not be changed on the server. + +### `ipaclient_kinit_attempts` + +The optional `ipaclient_kinit_attempts` defines the number of tries to repeat the request for a failed host Kerberos ticket. `ipaclient_kinit_attempts` defaults to 3. + +### `ipaclient_no_ntp` + +The `ipaclient_no_ntp` bool value defines if NTP will not be configured and enabled. `ipaclient_no_ntp` defaults to `no`. + +### `ipaclient_mkhomedir` + +The `ipaclient_mkhomedir` bool value defines if PAM will be configured to create a users home directory if it does not exist. `ipaclient_mkhomedir` defaults to `no`. + +Topology Specific Variables +--------------------------- + +These variables can be used to define or change how clients are arranged within a cluster for example. + +### `ipaclient_no_dns_lookup` + +The `ipaclient_no_dns_lookup` bool value defines if the `ipaservers` group will be used as servers for the clients automatically. If enabled this deactivates DNS lookup in Kerberos in client installations. `ipaclient_no_dns_lookup` defauults to `no`. + +### `ipaclient_servers` + +The optional `ipaclient_servers` varaible can be used to manually override list of servers on a per client basis. The list of servers is normally taken from from `ipaservers` group. Requirements ------------