Add support for on_master flag

This is needed to be able to use ipaclient role in the server role

roles/ipaclient/defaults/main.yml

@@ -7,3 +7,4 @@ ipaclient_mkhomedir: no
 ipaclient_kinit_attempts: 5
 ipaclient_use_otp: no
 ipaclient_allow_repair: no
+ipaclient_on_master: no

roles/ipaclient/tasks/install.yml

@@ -41,6 +41,7 @@
       kdc: "{{ ipadiscovery.kdc }}"
       kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
     register: ipatest
+    when: not ipaclient_on_master | bool
 
   - name: Install - Disable One-Time Password for client with working krb5.keytab
     set_fact:
@@ -116,7 +117,7 @@
       #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
       kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
     register: ipajoin
-    when: not ipatest.krb5_keytab_ok or ipaclient_force_join
+    when: not ipaclient_on_master | bool and (not ipatest.krb5_keytab_ok or ipaclient_force_join)
 
   - block:
     - name: Install - End playbook processing
@@ -133,7 +134,7 @@
         msg: "The ca.crt file is missing, please enable allow_repair to fix this."
       when: not ipatest.ca_crt_exists
     - meta: end_play
-    when: not ipajoin.changed and not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined)
+    when: not ipaclient_on_master | bool and not ipajoin.changed and not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined)
 
   - name: Install - Configure IPA default.conf
     include_role:
@@ -144,6 +145,7 @@
       ipaconf_realm: "{{ ipadiscovery.realm }}"
       ipaconf_hostname: "{{ ipadiscovery.hostname }}"
       ipaconf_basedn: "{{ ipadiscovery.basedn }}"
+    when: not ipaclient_on_master | bool
 
   - name: Install - Configure SSSD
     ipasssd:
@@ -153,7 +155,7 @@
       hostname: "{{ ipadiscovery.hostname }}"
       services: ["ssh", "sudo"]
       krb5_offline_passwords: yes
-      #on_master: no
+      on_master: "{{ ipaclient_on_master }}"
       #primary: no
       #permit: no
       #dns_updates: no
@@ -169,7 +171,7 @@
       krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
       krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
       krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
-    when: ipadiscovery.ipa_python_version <= 40400
+    when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version <= 40400
 
   - name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
     include_role:
@@ -183,7 +185,7 @@
       krb5_dns_canonicalize_hostname: "false"
       krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
       krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
-    when: ipadiscovery.ipa_python_version > 40400
+    when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version > 40400
 
   - name: Install - IPA API calls for remaining enrollment parts
     ipaapi:
@@ -212,7 +214,7 @@
       principal: "{{ ipaadmin_principal | default(omit) }}"
       mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
       ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"
-      #on_master: no
+      on_master: "{{ ipaclient_on_master }}"
 
   - name: Install - IPA extras configuration
     ipaextras:
@@ -220,6 +222,7 @@
       domain: "{{ ipadiscovery.domain }}"
       ntp_servers: "{{ ipadiscovery.ntp_servers }}"
       ntp: "{{ ipaclient_ntp | default(omit) }}"
+      on_master: "{{ ipaclient_on_master }}"
       #force_ntpd: no
       #sssd: yes
       #ssh: yes
@@ -230,7 +233,6 @@
       #firefox_dir:
       #no_nisdomain: no
       #nisdomain:
-      #on_master: no
 
   always:
   - name: Cleanup leftover ccache