diff --git a/roles/ipaserver/README.md b/roles/ipaserver/README.md
index c96e4636f6b1e48eb6c3d16f0cad67f1a3087cb2..79588ea5b99b422e9b34271227db1486a08cd744 100644
--- a/roles/ipaserver/README.md
+++ b/roles/ipaserver/README.md
@@ -129,6 +129,9 @@ Variables
 **ipaserver_no_host_dns** - Do not use DNS for hostname lookup during installation.
  (bool, optional)
 
+**ipaserver_pki_config_override** - Path to ini file with config overrides.
+ (string, optional)
+
 **ipaserver_no_dnssec_validation** - Disable DNSSEC validation on this server.
  (bool, optional)
 
diff --git a/roles/ipaserver/library/ipaserver_setup_ca.py b/roles/ipaserver/library/ipaserver_setup_ca.py
index 1ac0bea0c3bf9ba474f28513a0e3b7d282517eff..50ca0e3e111ae9cafd5bbbb59404d2c578e75ebe 100644
--- a/roles/ipaserver/library/ipaserver_setup_ca.py
+++ b/roles/ipaserver/library/ipaserver_setup_ca.py
@@ -91,6 +91,7 @@ def main():
             realm=dict(required=True),
             hostname=dict(required=False),
             no_host_dns=dict(required=False, type='bool', default=False),
+            pki_config_override=dict(required=False),
             ### server ###
             setup_adtrust=dict(required=False, type='bool', default=False),
             setup_kra=dict(required=False, type='bool', default=False),
@@ -136,6 +137,8 @@ def main():
     options.realm_name = ansible_module.params.get('realm')
     options.host_name = ansible_module.params.get('hostname')
     options.no_host_dns = ansible_module.params.get('no_host_dns')
+    options.pki_config_override = ansible_module.params.get(
+        'pki_config_override')
     ### server ###
     options.setup_adtrust = ansible_module.params.get('setup_adtrust')
     options.setup_kra = ansible_module.params.get('setup_kra')
diff --git a/roles/ipaserver/library/ipaserver_setup_kra.py b/roles/ipaserver/library/ipaserver_setup_kra.py
index c1776a169a3a459c860883bda64c6dc9143cac22..fbfd1e1eafc7af08c69971ecbafb422fed321fa4 100644
--- a/roles/ipaserver/library/ipaserver_setup_kra.py
+++ b/roles/ipaserver/library/ipaserver_setup_kra.py
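Review bot: `pki_config_override` enters the ipaserver_setup_ca argument spec with no `type`, unlike the `bool`/`list` parameters around it, and the second hunk hands the value straight to the installer with no check of its own; the only validation (`PKIIniLoader.verify_pki_config_override` in ipaserver_test.py) is enforced purely by task ordering in install.yml. Declaring it `pki_config_override=dict(required=False, type='path')` states that this is a file on the managed host and gives `~`/environment expansion for free, and a comment beside the assignment, `# path already checked by ipaserver_test (verify_pki_config_override)`, makes the ordering dependency visible to the next maintainer. The same two points apply to the argument specs and assignments added in ipaserver_setup_kra.py and ipaserver_test.py. main() starts and ends outside both hunks.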
@@ -58,6 +58,7 @@ def main():
             setup_ca=dict(required=True, type='bool'),
             setup_kra=dict(required=True, type='bool'),
             realm=dict(required=True),
+            pki_config_override=dict(required=False),
         ),
     )
 
@@ -71,6 +72,8 @@ def main():
     options.setup_ca = ansible_module.params.get('setup_ca')
     options.setup_kra = ansible_module.params.get('setup_kra')
     options.realm_name = ansible_module.params.get('realm')
+    options.pki_config_override = ansible_module.params.get(
+        'pki_config_override')
     options.promote = False  # first master, no promotion
 
     # init ##########################################################
diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
index 6385651185a4f0c3aac46f4ad0736ee1bedd9386..4b752407b8b8bbdeca857a1517d7d53def531429 100644
--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -66,6 +66,7 @@ def main():
             hostname=dict(required=False),
             ca_cert_files=dict(required=False, type='list', default=[]),
             no_host_dns=dict(required=False, type='bool', default=False),
+            pki_config_override=dict(required=False),
             ### server ###
             setup_adtrust=dict(required=False, type='bool', default=False),
             setup_kra=dict(required=False, type='bool', default=False),
@@ -134,13 +135,13 @@ def main():
     options.dm_password = ansible_module.params.get('dm_password')
     options.admin_password = ansible_module.params.get('password')
     options.master_password = ansible_module.params.get('master_password')
-    options.ip_addresses = ansible_module_get_parsed_ip_addresses(
-        ansible_module)
     options.domain_name = ansible_module.params.get('domain')
     options.realm_name = ansible_module.params.get('realm')
     options.host_name = ansible_module.params.get('hostname')
     options.ca_cert_files = ansible_module.params.get('ca_cert_files')
     options.no_host_dns = ansible_module.params.get('no_host_dns')
+    options.pki_config_override = ansible_module.params.get(
+        'pki_config_override')
     ### server ###
     options.setup_adtrust = ansible_module.params.get('setup_adtrust')
     options.setup_dns = ansible_module.params.get('setup_dns')
@@ -213,6 +214,19 @@ def main():
     # options.setup_kra = False
     # ansible_module.warn(msg="kra is not supported, disabling")
 
+    if options.pki_config_override is not None:
+        if PKIIniLoader is None:
+            ansible_module.warn("The use of pki_config_override is not "
+                                "supported for this IPA version")
+        else:
+            # From DogtagInstallInterface @pki_config_override.validator
+            try:
+                PKIIniLoader.verify_pki_config_override(
+                    options.pki_config_override)
+            except ValueError as e:
+                ansible_module.fail_json(
+                    msg="pki_config_override: %s" % str(e))
+
     # validation #############################################################
 
     if options.dm_password is None:
diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
index dfa26031209d54053737a777d112a76d62463d8e..255a2336d59ea9d6763861c7fe34b8240e829d00 100644
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
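Review bot: When `PKIIniLoader` is unavailable the new block only warns and the play continues, yet install.yml still forwards `ipaserver_pki_config_override` to ipaserver_setup_ca and ipaserver_setup_kra, where an installer that lacks PKIIniLoader presumably ignores it, so an override the operator explicitly requested never takes effect while the run reports success. Failing is the safer default for a hardening knob: `ansible_module.fail_json(msg="pki_config_override is not supported for this IPA version")`, or, if silently proceeding is intended, the README entry should say so. `% str(e)` is redundant with `%s`; `msg="pki_config_override: %s" % e` reads cleaner. Separately, the first hunk of this file drops the `options.ip_addresses` assignment, which looks unrelated to this feature; if a later assignment in main() (outside the hunk) covers it that is fine, otherwise it deserves a mention. main() starts and ends outside both hunks.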
@@ -101,6 +101,10 @@ if NUM_VERSION >= 40500:
     from ipaserver.install.server.install import (
         check_dirsrv, validate_admin_password, validate_dm_password,
         write_cache)
+    try:
+        from ipaserver.install.dogtaginstance import PKIIniLoader
+    except ImportError:
+        PKIIniLoader = None
     try:
         from ipaserver.install.installutils import default_subject_base
     except ImportError:
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index 7678166f9f96088f8ecf238064129ad05548266d..ccb823dfdbfb3c15ac8765b9880bc519d9682f5e 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -39,6 +39,7 @@
     hostname: "{{ ipaserver_hostname | default(ansible_fqdn) }}"
     ca_cert_files: "{{ ipaserver_ca_cert_files | default(omit) }}"
     no_host_dns: "{{ ipaserver_no_host_dns }}"
+    pki_config_override: "{{ ipaserver_pki_config_override | default(omit) }}"
     ### server ###
     setup_adtrust: "{{ ipaserver_setup_adtrust }}"
     setup_kra: "{{ ipaserver_setup_kra }}"
@@ -228,6 +229,8 @@
     realm: "{{ result_ipaserver_test.realm }}"
     hostname: "{{ result_ipaserver_test.hostname }}"
     no_host_dns: "{{ result_ipaserver_test.no_host_dns }}"
+    pki_config_override: "{{ ipaserver_pki_config_override |
+                             default(omit) }}"
     setup_adtrust: "{{ result_ipaserver_test.setup_adtrust }}"
     setup_kra: "{{ result_ipaserver_test.setup_kra }}"
     setup_dns: "{{ ipaserver_setup_dns }}"
@@ -294,6 +297,8 @@
     dm_password: "{{ ipadm_password }}"
     setup_kra: "{{ result_ipaserver_test.setup_kra }}"
     realm: "{{ result_ipaserver_test.realm }}"
+    pki_config_override: "{{ ipaserver_pki_config_override |
+                             default(omit) }}"
   when: result_ipaserver_test.setup_kra | bool
 
 - name: Install - Setup DNS
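Review bot: The `PKIIniLoader = None` fallback is only reached inside the `if NUM_VERSION >= 40500:` branch, whose start and any `else` branch lie outside the hunk; if the older-version branch does not also bind the name, the new `if PKIIniLoader is None` test in ipaserver_test.py raises NameError instead of producing the intended warning on exactly the versions the fallback exists for. Binding the name unconditionally before the version check, `PKIIniLoader = None`, and letting the `try`/`except ImportError` overwrite it keeps that test valid on every version. A short comment such as `# PKIIniLoader (pki_config_override support) is absent on older IPA releases` would also tell readers why this import is optional.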
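Review bot: In the Setup CA task (hunk `@@ -228,6 +229,8 @@`) the new `pki_config_override` argument is read from the raw `ipaserver_pki_config_override` variable while every neighbouring argument comes from `result_ipaserver_test`; the Setup KRA task in the next hunk does the same. Since ipaserver_test is where the path is validated, returning it from that module and using `pki_config_override: "{{ result_ipaserver_test.pki_config_override | default(omit) }}"` would keep the validated value and the consumed value identical and match the surrounding style. If ipaserver_test is deliberately not returning it, a one-line comment on the argument saying it is taken directly from the role variable would pre-empt the question.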