diff --git a/roles/ipaserver/library/ipaserver_prepare.py b/roles/ipaserver/library/ipaserver_prepare.py index 8bf5738e7c226f339a99d39e79df36833ee21545..62f46331512d6e30e331e839687447720bb6324e 100644 --- a/roles/ipaserver/library/ipaserver_prepare.py +++ b/roles/ipaserver/library/ipaserver_prepare.py @@ -109,7 +109,7 @@ def main(): forwarders=dict(required=False, type='list', default=[]), no_forwarders=dict(required=False, type='bool', default=False), auto_forwarders=dict(required=False, type='bool', default=False), - forward_policy=dict(required=False), + forward_policy=dict(default=None, choices=['first', 'only']), no_dnssec_validation=dict(required=False, type='bool', default=False), ### ad trust ### @@ -181,6 +181,15 @@ def main(): fstore = sysrestore.FileStore(paths.SYSRESTORE) sstore = sysrestore.StateFile(paths.SYSRESTORE) + # subject_base + if not options.subject_base: + options.subject_base = str(default_subject_base(options.realm_name)) + # set options.subject for old ipa releases + options.subject = options.subject_base + + if not options.ca_subject: + options.ca_subject = str(default_ca_subject_dn(options.subject_base)) + # Configuration for ipalib, we will bootstrap and finalize later, after # we are sure we have the configuration file ready. cfg = dict( 
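Review bot: In the second hunk (`@@ -181`), a user-supplied `options.subject_base` or `options.ca_subject` is accepted as a plain string with no DN validation, so a malformed value from the playbook would only surface later inside the CA setup rather than at this preparation step; only the computed defaults go through `default_subject_base`/`default_ca_subject_dn`, which is why `str()` is safe for them. If the module's argument spec (outside this hunk) does not already validate these, parse the user values up front, e.g. `try: DN(options.subject_base); DN(options.ca_subject)` followed by `except ValueError as e: ansible_module.fail_json(msg="Invalid subject DN: %s" % e)`, using the `DN` class if the module already imports it. As far as I recall the ipa-server-install CLI validates both knobs as DNs before any install check, so this keeps the Ansible path at parity; treat that as something to confirm against the FreeIPA version targeted. `main()` starts and ends outside this hunk.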
@@ -268,7 +277,29 @@ def main(): if _update_hosts_file: update_hosts_file(ip_addresses, options.host_name, fstore) - ansible_module.exit_json(changed=True) + if hasattr(tasks, "configure_pkcs11_modules"): + if tasks.configure_pkcs11_modules(fstore): + ansible_log.info("Disabled p11-kit-proxy") + + ansible_module.exit_json(changed=True, + ### basic ### + ip_addresses=[ str(ip) for ip in ip_addresses ], + ### certificate system ### + subject_base=options.subject_base, + _subject_base=options._subject_base, + ca_subject=options.ca_subject, + _ca_subject=options._ca_subject, + ### dns ### + reverse_zones=options.reverse_zones, + forward_policy=options.forward_policy, + forwarders=options.forwarders, + no_dnssec_validation=options.no_dnssec_validation, + ### additional ### + dns_ip_addresses=[ str(ip) for ip + in dns.ip_addresses ], + dns_reverse_zones=dns.reverse_zones, + adtrust_netbios_name=adtrust.netbios_name, + adtrust_reset_netbios_name=adtrust.reset_netbios_name) if __name__ == '__main__': main() diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py index 4b752407b8b8bbdeca857a1517d7d53def531429..aee919d0d9a16e0d6dfe653ea05faa92568c6737 100644 --- a/roles/ipaserver/library/ipaserver_test.py +++ b/roles/ipaserver/library/ipaserver_test.py @@ -60,7 +60,6 @@ def main(): dm_password=dict(required=True, no_log=True), password=dict(required=True, no_log=True), master_password=dict(required=False, no_log=True), - ip_addresses=dict(required=False, type='list', default=[]), domain=dict(required=False), realm=dict(required=False), hostname=dict(required=False), 
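Review bot: The new result keys returned by `exit_json` (`ip_addresses`, `subject_base`, `_subject_base`, `ca_subject`, `_ca_subject`, `reverse_zones`, `forward_policy`, `forwarders`, `no_dnssec_validation`, `dns_ip_addresses`, `dns_reverse_zones`, `adtrust_netbios_name`, `adtrust_reset_netbios_name`) are now the contract consumed by the later install tasks, but the hunk adds no RETURN documentation for them; if the module's DOCUMENTATION/RETURN block (outside this hunk) is not updated, add one entry per key stating where the value comes from. In particular `_subject_base`/`_ca_subject` are, as far as I can tell, only populated by FreeIPA's CA install check and `dns.ip_addresses`/`adtrust.netbios_name` only by the DNS/AD-trust checks, none of which are visible here, so the doc should say these may be null when the corresponding `setup_*` flag is off. The `tasks.configure_pkcs11_modules(fstore)` call also changes system state (it can disable p11-kit-proxy) and leaves only an info log as a trace; consider reporting it in the result too, e.g. `p11_kit_proxy_disabled=bool(...)`, so the play can show it. `main()` starts outside this hunk.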
@@ -658,101 +657,6 @@ def main(): "Apache Server SSL certificate and PKINIT KDC " "certificate are not signed by the same CA certificate") - # subject_base - if not options.subject_base: - options.subject_base = str(default_subject_base(options.realm_name)) - # set options.subject for old ipa releases - options.subject = options.subject_base - - if not options.ca_subject: - options.ca_subject = str(default_ca_subject_dn(options.subject_base)) - - # temporary ipa configuration ########################################### - - ipa_tempdir = tempfile.mkdtemp(prefix="ipaconf") - try: - # Configuration for ipalib, we will bootstrap and finalize later, after - # we are sure we have the configuration file ready. - cfg = dict( - context='installer', - confdir=ipa_tempdir, - in_server=True, - # make sure host name specified by user is used instead of default - host=options.host_name, - ) - if options.setup_ca: - # we have an IPA-integrated CA - cfg['ca_host'] = options.host_name - - # Create the management framework config file and finalize api - target_fname = "%s/default.conf" % ipa_tempdir - fd = open(target_fname, "w") - fd.write("[global]\n") - fd.write("host=%s\n" % options.host_name) - fd.write("basedn=%s\n" % ipautil.realm_to_suffix(options.realm_name)) - fd.write("realm=%s\n" % options.realm_name) - fd.write("domain=%s\n" % options.domain_name) - fd.write("xmlrpc_uri=https://%s/ipa/xml\n" % ipautil.format_netloc(options.host_name)) - fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % - installutils.realm_to_serverid(options.realm_name)) - if options.setup_ca: - fd.write("enable_ra=True\n") - fd.write("ra_plugin=dogtag\n") - fd.write("dogtag_version=10\n") - else: - fd.write("enable_ra=False\n") - fd.write("ra_plugin=none\n") - fd.write("mode=production\n") - fd.close() - - # Must be readable for everyone - os.chmod(target_fname, 0o644) - - api.bootstrap(**cfg) - api.finalize() - - # install checks #################################################### - 
- if options.setup_ca: - ca.install_check(False, None, options) - - if options.setup_kra: - kra.install_check(api, None, options) - - if options.setup_dns: - with redirect_stdout(ansible_log): - dns.install_check(False, api, False, options, options.host_name) - ip_addresses = dns.ip_addresses - else: - ip_addresses = get_server_ip_address(options.host_name, - False, False, - options.ip_addresses) - - # check addresses here, dns ansible_module is doing own check - no_matching_interface_for_ip_address_warning(ip_addresses) - - options.ip_addresses = ip_addresses - options.reverse_zones = dns.reverse_zones - instance_name = "-".join(options.realm_name.split(".")) - dirsrv = services.knownservices.dirsrv - if (options.external_cert_files - and dirsrv.is_installed(instance_name) - and not dirsrv.is_running(instance_name)): - logger.debug('Starting Directory Server') - services.knownservices.dirsrv.start(instance_name) - - if options.setup_adtrust: - adtrust.install_check(False, options, api) - - except (RuntimeError, ValueError, ScriptError) as e: - ansible_module.fail_json(msg=str(e)) - - finally: - try: - shutil.rmtree(ipa_tempdir, ignore_errors=True) - except OSError: - ansible_module.fail_json(msg="Could not remove %s" % ipa_tempdir) - # Always set _host_name_overridden options._host_name_overridden = bool(options.host_name) @@ -763,7 +667,6 @@ def main(): ### basic ### domain=options.domain_name, realm=options.realm_name, - ip_addresses=[ str(ip) for ip in ip_addresses ], hostname=options.host_name, _hostname_overridden=options._host_name_overridden, no_host_dns=options.no_host_dns, 
@@ -784,27 +687,12 @@ def main(): _pkinit_pkcs12_file=pkinit_pkcs12_file, _pkinit_pkcs12_info=pkinit_pkcs12_info, _pkinit_ca_cert=pkinit_ca_cert, - ### certificate system ### - subject_base=options.subject_base, - _subject_base=options._subject_base, - ca_subject=options.ca_subject, - _ca_subject=options._ca_subject, - ### dns ### - reverse_zones=options.reverse_zones, - forward_policy=options.forward_policy, - forwarders=options.forwarders, - no_dnssec_validation=options.no_dnssec_validation, ### ad trust ### rid_base=options.rid_base, secondary_rid_base=options.secondary_rid_base, ### additional ### _installation_cleanup=_installation_cleanup, - domainlevel=options.domainlevel, - dns_ip_addresses=[ str(ip) for ip - in dns.ip_addresses ], - dns_reverse_zones=dns.reverse_zones, - adtrust_netbios_name=adtrust.netbios_name, - adtrust_reset_netbios_name=adtrust.reset_netbios_name) + domainlevel=options.domainlevel) if __name__ == '__main__': main() diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml index ccb823dfdbfb3c15ac8765b9880bc519d9682f5e..99ce783cae341c1bdc79ce7cde5b2dddb9299427 100644 --- a/roles/ipaserver/tasks/install.yml +++ b/roles/ipaserver/tasks/install.yml @@ -33,7 +33,6 @@ dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" master_password: "{{ ipaserver_master_password | default(omit) }}" - ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}" domain: "{{ ipaserver_domain | default(omit) }}" realm: "{{ ipaserver_realm | default(omit) }}" hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}" 
@@ -122,34 +121,36 @@ ### basic ### dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" - # ip_addresses: "{{ result_ipaserver_test.ip_addresses }}" + ip_addresses: "{{ ipaserver_ip_addresses | default([]) }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" no_host_dns: "{{ result_ipaserver_test.no_host_dns }}" ### server ### - setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}" - setup_kra: "{{ result_ipaserver_test.setup_kra }}" + setup_adtrust: "{{ ipaserver_setup_adtrust }}" + setup_kra: "{{ ipaserver_setup_kra }}" setup_dns: "{{ ipaserver_setup_dns }}" ### certificate system ### # external_ca # external_cert_files - subject_base: "{{ result_ipaserver_test.subject_base }}" - ca_subject: "{{ result_ipaserver_test.ca_subject }}" + subject_base: "{{ ipaserver_subject_base | default(omit) }}" + ca_subject: "{{ ipaserver_ca_subject | default(omit) }}" ### dns ### allow_zone_overlap: "{{ ipaserver_allow_zone_overlap }}" - reverse_zones: "{{ result_ipaserver_test.reverse_zones }}" + reverse_zones: "{{ ipaserver_reverse_zones | default([]) }}" no_reverse: "{{ ipaserver_no_reverse }}" auto_reverse: "{{ ipaserver_auto_reverse }}" + zonemgr: "{{ ipaserver_zonemgr | default(omit) }}" forwarders: "{{ ipaserver_forwarders | default([]) }}" no_forwarders: "{{ ipaserver_no_forwarders }}" auto_forwarders: "{{ ipaserver_auto_forwarders }}" - no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}" + forward_policy: "{{ ipaserver_forward_policy | default(omit) }}" + no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}" ### ad trust ### enable_compat: "{{ ipaserver_enable_compat }}" netbios_name: "{{ ipaserver_netbios_name | default(omit) }}" - # rid_base - # secondary_rid_base + rid_base: "{{ ipaserver_rid_base | default(omit) }}" + secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}" ### additional ### setup_ca: "{{ 
result_ipaserver_test.setup_ca }}" _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}" @@ -168,8 +169,8 @@ domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm | default(omit) }}" hostname: "{{ result_ipaserver_test.hostname }}" - # ip_addresses: "{{ result_ipaserver_test.ip_addresses }}" - # reverse_zones: "{{ result_ipaserver_test.reverse_zones }}" + # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}" + # reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}" # setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}" # setup_kra: "{{ result_ipaserver_test.setup_kra }}" # setup_dns: "{{ ipaserver_setup_dns }}" @@ -178,8 +179,8 @@ dirsrv_config_file: "{{ ipaserver_dirsrv_config_file | default(omit) }}" dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}" external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}" - subject_base: "{{ result_ipaserver_test.subject_base }}" - ca_subject: "{{ result_ipaserver_test.ca_subject }}" + subject_base: "{{ result_ipaserver_prepare.subject_base }}" + ca_subject: "{{ result_ipaserver_prepare.ca_subject }}" # no_reverse: "{{ ipaserver_no_reverse }}" # auto_forwarders: "{{ ipaserver_auto_forwarders }}" no_pkinit: "{{ result_ipaserver_test.no_pkinit }}" 
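Review bot: In the `@@ -122` hunk the prepare task now takes `setup_adtrust` and `setup_kra` straight from `ipaserver_setup_adtrust`/`ipaserver_setup_kra`, while the later tasks in this same file (the `@@ -195` and `@@ -325` hunks, including the `when: result_ipaserver_test.setup_adtrust` guard) still use `result_ipaserver_test.setup_adtrust`/`setup_kra`; if ipaserver_test normalises or overrides these flags (not visible here), prepare runs its checks with different values than the install steps. Using `setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"` and `setup_kra: "{{ result_ipaserver_test.setup_kra }}"` here keeps a single source of truth. The same split applies to `rid_base`/`secondary_rid_base`, passed as raw playbook values to prepare but as `result_ipaserver_test.rid_base`/`secondary_rid_base` to the ADTRUST task.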
@@ -195,16 +196,16 @@ domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" - # ip_addresses: "{{ result_ipaserver_test.ip_addresses }}" - reverse_zones: "{{ result_ipaserver_test.reverse_zones }}" + # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}" + reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}" setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}" setup_kra: "{{ result_ipaserver_test.setup_kra }}" setup_dns: "{{ ipaserver_setup_dns }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" no_host_dns: "{{ result_ipaserver_test.no_host_dns }}" external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}" - subject_base: "{{ result_ipaserver_test.subject_base }}" - ca_subject: "{{ result_ipaserver_test.ca_subject }}" + subject_base: "{{ result_ipaserver_prepare.subject_base }}" + ca_subject: "{{ result_ipaserver_prepare.ca_subject }}" no_reverse: "{{ ipaserver_no_reverse }}" auto_forwarders: "{{ ipaserver_auto_forwarders }}" no_pkinit: "{{ result_ipaserver_test.no_pkinit }}" @@ -224,7 +225,7 @@ dm_password: "{{ ipadm_password }}" password: "{{ ipaadmin_password }}" master_password: "{{ ipaserver_master_password }}" - # ip_addresses: "{{ result_ipaserver_test.ip_addresses }}" + # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}" domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" 
@@ -244,13 +245,13 @@ _dirsrv_pkcs12_info: "{{ result_ipaserver_test._dirsrv_pkcs12_info }}" external_ca: "{{ ipaserver_external_ca }}" external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}" - subject_base: "{{ result_ipaserver_test.subject_base }}" - _subject_base: "{{ result_ipaserver_test._subject_base }}" - ca_subject: "{{ result_ipaserver_test.ca_subject }}" - _ca_subject: "{{ result_ipaserver_test._ca_subject }}" + subject_base: "{{ result_ipaserver_prepare.subject_base }}" + _subject_base: "{{ result_ipaserver_prepare._subject_base }}" + ca_subject: "{{ result_ipaserver_prepare.ca_subject }}" + _ca_subject: "{{ result_ipaserver_prepare._ca_subject }}" ca_signing_algorithm: "{{ ipaserver_ca_signing_algorithm | default(omit) }}" - reverse_zones: "{{ result_ipaserver_test.reverse_zones }}" + reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}" no_reverse: "{{ ipaserver_no_reverse }}" auto_forwarders: "{{ ipaserver_auto_forwarders }}" @@ -268,8 +269,8 @@ domain: "{{ result_ipaserver_test.domain }}" realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" - # ip_addresses: "{{ result_ipaserver_test.ip_addresses }}" - reverse_zones: "{{ result_ipaserver_test.reverse_zones }}" + # ip_addresses: "{{ result_ipaserver_prepare.ip_addresses }}" + reverse_zones: "{{ result_ipaserver_prepare.reverse_zones }}" setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}" setup_kra: "{{ result_ipaserver_test.setup_kra }}" setup_dns: "{{ ipaserver_setup_dns }}" 
@@ -277,10 +278,10 @@ no_host_dns: "{{ result_ipaserver_test.no_host_dns }}" dirsrv_cert_files: "{{ ipaserver_dirsrv_cert_files | default([]) }}" external_cert_files: "{{ ipaserver_external_cert_files | default([]) }}" - subject_base: "{{ result_ipaserver_test.subject_base }}" - _subject_base: "{{ result_ipaserver_test._subject_base }}" - ca_subject: "{{ result_ipaserver_test.ca_subject }}" - _ca_subject: "{{ result_ipaserver_test._ca_subject }}" + subject_base: "{{ result_ipaserver_prepare.subject_base }}" + _subject_base: "{{ result_ipaserver_prepare._subject_base }}" + ca_subject: "{{ result_ipaserver_prepare.ca_subject }}" + _ca_subject: "{{ result_ipaserver_prepare._ca_subject }}" no_reverse: "{{ ipaserver_no_reverse }}" auto_forwarders: "{{ ipaserver_auto_forwarders }}" no_pkinit: "{{ result_ipaserver_test.no_pkinit }}" @@ -306,13 +307,13 @@ hostname: "{{ result_ipaserver_test.hostname }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" setup_dns: "{{ ipaserver_setup_dns }}" - forwarders: "{{ result_ipaserver_test.forwarders }}" - forward_policy: "{{ result_ipaserver_test.forward_policy }}" + forwarders: "{{ result_ipaserver_prepare.forwarders }}" + forward_policy: "{{ result_ipaserver_prepare.forward_policy }}" zonemgr: "{{ ipaserver_zonemgr | default(omit) }}" - no_dnssec_validation: "{{ result_ipaserver_test.no_dnssec_validation }}" + no_dnssec_validation: "{{ result_ipaserver_prepare.no_dnssec_validation }}" ### additional ### - dns_ip_addresses: "{{ result_ipaserver_test.dns_ip_addresses }}" - dns_reverse_zones: "{{ result_ipaserver_test.dns_reverse_zones }}" + dns_ip_addresses: "{{ result_ipaserver_prepare.dns_ip_addresses }}" + dns_reverse_zones: "{{ result_ipaserver_prepare.dns_reverse_zones }}" when: ipaserver_setup_dns | bool - name: Install - Setup ADTRUST 
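Review bot: In the `@@ -306` hunk the DNS task now passes `forward_policy: "{{ result_ipaserver_prepare.forward_policy }}"` with no `omit` fallback, yet ipaserver_prepare declares `forward_policy` with `default=None` and returns `options.forward_policy` unchanged, so unless its DNS install check (not visible) fills the value in, a play that does not set `ipaserver_forward_policy` hands the DNS module a null or empty value; if that module restricts the option with `choices`, the task fails. Guarding it as `forward_policy: "{{ result_ipaserver_prepare.forward_policy | default(omit, true) }}"` lets the DNS module apply its own default instead. The same `default(omit, true)` treatment would be reasonable for `forwarders` if an empty list is not a valid input there — confirm against the DNS module's argument spec.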
@@ -325,9 +326,9 @@ rid_base: "{{ result_ipaserver_test.rid_base }}" secondary_rid_base: "{{ result_ipaserver_test.secondary_rid_base }}" ### additional ### - adtrust_netbios_name: "{{ result_ipaserver_test.adtrust_netbios_name }}" + adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}" adtrust_reset_netbios_name: - "{{ result_ipaserver_test.adtrust_reset_netbios_name }}" + "{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}" when: result_ipaserver_test.setup_adtrust - name: Install - Set DS password @@ -338,8 +339,8 @@ realm: "{{ result_ipaserver_test.realm }}" hostname: "{{ result_ipaserver_test.hostname }}" setup_ca: "{{ result_ipaserver_test.setup_ca }}" - subject_base: "{{ result_ipaserver_test.subject_base }}" - ca_subject: "{{ result_ipaserver_test.ca_subject }}" + subject_base: "{{ result_ipaserver_prepare.subject_base }}" + ca_subject: "{{ result_ipaserver_prepare.ca_subject }}" no_pkinit: "{{ result_ipaserver_test.no_pkinit }}" no_hbac_allow: "{{ ipaserver_no_hbac_allow }}" idstart: "{{ result_ipaserver_test.idstart }}"