From 5b770ae1353d6c7a077932fe319f45053d2b1747 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Tue, 26 Mar 2019 13:26:47 +0100
Subject: [PATCH] New ipareplica_enable_ipa: Use of ipaserver_enable_ipa is not
 possible anymore

With the changes for IPA enablement in the replica installer it is no
longer possible to enable the IPA server the same way as in the server
deployment.

The new module ipareplica_enable_ipa has been added and the link for
ipaserver_enable_ipa has been removed.
---
 .../library/ipareplica_enable_ipa.py          | 152 ++++++++++++++++++
 .../library/ipaserver_enable_ipa.py           |   1 -
 roles/ipareplica/tasks/install.yml            |  11 +-
 3 files changed, 159 insertions(+), 5 deletions(-)
 create mode 100644 roles/ipareplica/library/ipareplica_enable_ipa.py
 delete mode 120000 roles/ipareplica/library/ipaserver_enable_ipa.py

diff --git a/roles/ipareplica/library/ipareplica_enable_ipa.py b/roles/ipareplica/library/ipareplica_enable_ipa.py
new file mode 100644
index 00000000..7c473b82
--- /dev/null
+++ b/roles/ipareplica/library/ipareplica_enable_ipa.py
@@ -0,0 +1,152 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Thomas Woerner <twoerner@redhat.com>
+#
+# Based on ipa-replica-install code
+#
+# Copyright (C) 2018  Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import print_function
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.0',
+    'supported_by': 'community',
+    'status': ['preview'],
+}
+
+DOCUMENTATION = '''
+---
+module: ipareplica_enable_ipa
+short description:
+description: Enable IPA
+  Enable IPA
+options:
+  subject_base:
+    description: The certificate subject base (default O=<realm-name>).
+    required: yes
+  ccache:
+    description: The installation specific ccache file.
+    required: yes
+  _top_dir:
+    description: The temporary top directory used for the installation.
+    required: yes
+  setup_ca:
+    description: Configure a dogtag CA
+    required: yes
+  config_master_host_name:
+    description: The master host name
+    required: yes
+author:
+    - Thomas Woerner
+'''
+
+EXAMPLES = '''
+'''
+
+RETURN = '''
+'''
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ansible_ipa_replica import *
+
+def main():
+    ansible_module = AnsibleModule(
+        argument_spec = dict(
+            hostname=dict(required=False),
+            ### server ###
+            ### certificate system ###
+            subject_base=dict(required=True),
+            ### additional ###
+            ccache=dict(required=True),
+            _top_dir = dict(required=True),
+            setup_ca=dict(required=True),
+            config_master_host_name=dict(required=True),
+        ),
+        supports_check_mode = True,
+    )
+
+    ansible_module._ansible_debug = True
+    ansible_log = AnsibleModuleLog(ansible_module)
+
+    # get parameters #
+
+    options = installer
+    options.host_name = ansible_module.params.get('hostname')
+    ### server ###
+    ### certificate system ###
+    options.subject_base = ansible_module.params.get('subject_base')
+    if options.subject_base is not None:
+        options.subject_base = DN(options.subject_base)
+    ### additional ###
+    ccache = ansible_module.params.get('ccache')
+    os.environ['KRB5CCNAME'] = ccache
+    options._top_dir = ansible_module.params.get('_top_dir')
+    options.setup_ca = ansible_module.params.get('setup_ca')
+    config_master_host_name = ansible_module.params.get('config_master_host_name')
+
+    # init #
+
+    fstore = sysrestore.FileStore(paths.SYSRESTORE)
+    sstore = sysrestore.StateFile(paths.SYSRESTORE)
+
+    ansible_log.debug("== INSTALL ==")
+
+    promote = installer.promote
+
+    env = gen_env_boostrap_finalize_core(paths.ETC_IPA,
+                                         constants.DEFAULT_CONFIG)
+    api_bootstrap_finalize(env)
+    config = gen_ReplicaConfig()
+    config.subject_base = options.subject_base
+    config.master_host_name = config_master_host_name
+
+    remote_api = gen_remote_api(config.master_host_name, paths.ETC_IPA)
+    installer._remote_api = remote_api
+
+    conn = remote_api.Backend.ldap2
+    ccache = os.environ['KRB5CCNAME']
+
+    api.Backend.ldap2.connect()
+
+    with redirect_stdout(ansible_log):
+        # Enable configured services and update DNS SRV records
+        service.enable_services(config.host_name)
+        api.Command.dns_update_system_records()
+        ca_servers = service.find_providing_servers('CA', api.Backend.ldap2,
+                                                    api)
+        api.Backend.ldap2.disconnect()
+
+        # Everything installed properly, activate ipa service.
+        services.knownservices.ipa.enable()
+
+        # Print a warning if CA role is only installed on one server
+        if len(ca_servers) == 1:
+            msg = textwrap.dedent(u'''
+                WARNING: The CA service is only installed on one server ({}).
+                It is strongly recommended to install it on another server.
+                Run ipa-ca-install(1) on another master to accomplish this.
+            '''.format(ca_servers[0]))
+            ansible_module.warn(msg)
+
+    # done #
+
+    ansible_module.exit_json(changed=True)
+
+if __name__ == '__main__':
+    main()
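Review bot: `supports_check_mode = True` is declared in the AnsibleModule call, but nothing in main() consults `ansible_module.check_mode` before `service.enable_services(...)`, `api.Command.dns_update_system_records()` and `services.knownservices.ipa.enable()` run, so a `--check` run still changes LDAP, DNS SRV records and systemd state. Either drop the flag or guard the mutating part with `if ansible_module.check_mode: ansible_module.exit_json(changed=True)` once the parameters are read. Separately, `api.Backend.ldap2.connect()` is only paired with the `disconnect()` inside the `with` body, so an exception from enable_services or dns_update_system_records leaves the connection open and escapes as a raw traceback rather than a `fail_json`; a `try`/`finally` around that block closes it on both paths. The `hostname` parameter is stored in `options.host_name` and never read, while `service.enable_services(config.host_name)` relies on `gen_ReplicaConfig()` (out of view) having filled `host_name` — if it does not, `config.host_name = options.host_name` belongs next to the other config assignments. The leftover copies from ipa-replica-install (`fstore`, `sstore`, `promote`, `conn`, the re-read of `ccache`) are unused and can go.
```python
    if ansible_module.check_mode:
        ansible_module.exit_json(changed=True)

    api.Backend.ldap2.connect()
    try:
        with redirect_stdout(ansible_log):
            # … unchanged: enable_services, dns_update_system_records, find_providing_servers …
    finally:
        api.Backend.ldap2.disconnect()
    # … unchanged: ipa service enable and single-CA warning …
```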
diff --git a/roles/ipareplica/library/ipaserver_enable_ipa.py b/roles/ipareplica/library/ipaserver_enable_ipa.py
deleted file mode 120000
index d708756f..00000000
--- a/roles/ipareplica/library/ipaserver_enable_ipa.py
+++ /dev/null
@@ -1 +0,0 @@
-../../ipaserver/library/ipaserver_enable_ipa.py
\ No newline at end of file
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index e99ea51e..e8e8056a 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -603,12 +603,15 @@
   #  ipareplica_backend_disconnect:
 
   - name: Install - Enable IPA
-    ipaserver_enable_ipa:
+    ipareplica_enable_ipa:
       hostname: "{{ result_ipareplica_test.hostname }}"
+      ### certificate system ###
+      subject_base: "{{ result_ipareplica_prepare.subject_base }}"
+      ### additional ###
+      ccache: "{{ result_ipareplica_prepare.ccache }}"
+      _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
       setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
-      # The setup_dns step is only used on the server, therefore simply
-      # setting setup_dns to reuse the server version here.
-      setup_dns: no
+      config_master_host_name: "{{ result_ipareplica_prepare.config_master_host_name }}"
     register: result_ipareplica_enable_ipa
 
   - name: Install - Cleanup root IPA cache
-- 
GitLab