From a7e78597c6fddcf02c8bc1b5b5d35d3ba5484253 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Wed, 6 Dec 2017 12:46:57 +0100
Subject: [PATCH] Add support for on_master flag

This is needed to be able to use ipaclient role in the server role
---
 roles/ipaclient/defaults/main.yml | 1 +
 roles/ipaclient/tasks/install.yml | 16 +++++++++-------
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/roles/ipaclient/defaults/main.yml b/roles/ipaclient/defaults/main.yml
index 90ed18cd..c3baf701 100644
--- a/roles/ipaclient/defaults/main.yml
+++ b/roles/ipaclient/defaults/main.yml
@@ -7,3 +7,4 @@ ipaclient_mkhomedir: no
 ipaclient_kinit_attempts: 5
 ipaclient_use_otp: no
 ipaclient_allow_repair: no
+ipaclient_on_master: no
diff --git a/roles/ipaclient/tasks/install.yml b/roles/ipaclient/tasks/install.yml
index fbf03f34..540ee37f 100644
--- a/roles/ipaclient/tasks/install.yml
+++ b/roles/ipaclient/tasks/install.yml
@@ -41,6 +41,7 @@
 kdc: "{{ ipadiscovery.kdc }}"
 kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
 register: ipatest
+ when: not ipaclient_on_master | bool

 - name: Install - Disable One-Time Password for client with working krb5.keytab
 set_fact:
@@ -116,7 +117,7 @@
 #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
 kinit_attempts: "{{ ipaclient_kinit_attempts | default(omit) }}"
 register: ipajoin
- when: not ipatest.krb5_keytab_ok or ipaclient_force_join
+ when: not ipaclient_on_master | bool and (not ipatest.krb5_keytab_ok or ipaclient_force_join)

 - block:
 - name: Install - End playbook processing
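Review bot: The new default `ipaclient_on_master: no` in roles/ipaclient/defaults/main.yml has no comment saying who is meant to set it. In tasks/install.yml of this same patch the flag turns off the keytab test, the join, and the default.conf and krb5 configuration, so a host where it is enabled by mistake would apparently get SSSD configured without being enrolled. A comment above the line would make that explicit, for example `# Set to yes only when called from the server role: skips keytab test, join, default.conf and krb5 setup`.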
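Review bot: `ipatest` becomes a skipped result on a master once the task in the `@@ -41,6 +41,7 @@` hunk carries `when: not ipaclient_on_master | bool`, so `ipatest.krb5_keytab_ok` and `ipatest.ca_crt_exists` are undefined there and any later condition that reads them unguarded will fail. The `set_fact` task that follows starts in this hunk but its condition lies outside it, so it cannot be checked from here. If that condition reads `ipatest.krb5_keytab_ok`, it should tolerate the skipped result, for example with `ipatest.krb5_keytab_ok | default(false)`.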
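Review bot: `ipaclient_force_join` is still used without `| bool` in the rewritten condition of the `@@ -116,7 +117,7 @@` hunk, although the flag added next to it is filtered. If the variable arrives as a string, for instance from key=value extra vars, a value such as `no` is a non-empty string and evaluates as true, so the join task would run even though the keytab test passed. Proposed line: `when: not ipaclient_on_master | bool and (not ipatest.krb5_keytab_ok or ipaclient_force_join | bool)`.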
@@ -133,7 +134,7 @@
 msg: "The ca.crt file is missing, please enable allow_repair to fix this."
 when: not ipatest.ca_crt_exists
 - meta: end_play
- when: not ipajoin.changed and not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined)
+ when: not ipaclient_on_master | bool and not ipajoin.changed and not ipaclient_allow_repair | bool and (ipatest.krb5_keytab_ok or ipajoin.already_joined)

 - name: Install - Configure IPA default.conf
 include_role:
@@ -144,6 +145,7 @@
 ipaconf_realm: "{{ ipadiscovery.realm }}"
 ipaconf_hostname: "{{ ipadiscovery.hostname }}"
 ipaconf_basedn: "{{ ipadiscovery.basedn }}"
+ when: not ipaclient_on_master | bool

 - name: Install - Configure SSSD
 ipasssd:
@@ -153,7 +155,7 @@
 hostname: "{{ ipadiscovery.hostname }}"
 services: ["ssh", "sudo"]
 krb5_offline_passwords: yes
- #on_master: no
+ on_master: "{{ ipaclient_on_master }}"
 #primary: no
 #permit: no
 #dns_updates: no
@@ -169,7 +171,7 @@
 krb5_dns_lookup_kdc: "{{ 'true' if ipadiscovery.dnsok else 'false' }}"
 krb5_no_default_domain: "{{ 'true' if ipadiscovery.domain != ipadiscovery.client_domain else 'false' }}"
 krb5_pkinit_anchors: "FILE:/etc/ipa/ca.crt"
- when: ipadiscovery.ipa_python_version <= 40400
+ when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version <= 40400

 - name: Install - Configure krb5 for IPA realm "{{ ipadiscovery.realm }} > 4.4"
 include_role:
@@ -183,7 +185,7 @@
 krb5_dns_canonicalize_hostname: "false"
 krb5_pkinit_pool: "FILE:/var/lib/ipa-client/pki/ca-bundle.pem"
 krb5_pkinit_anchors: "FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem"
- when: ipadiscovery.ipa_python_version > 40400
+ when: not ipaclient_on_master | bool and ipadiscovery.ipa_python_version > 40400

 - name: Install - IPA API calls for remaining enrollment parts
 ipaapi:
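Review bot: The `when` that follows `- meta: end_play` in the `@@ -133,7 +134,7 @@` hunk only works because `not ipaclient_on_master | bool` is evaluated first, and nothing documents that ordering. On a master both `ipatest` and `ipajoin` are skipped results, so `ipatest.krb5_keytab_ok` and `ipajoin.already_joined` are undefined, and a later reordering of the clauses would break master installs. I would add a comment above the line: `# on_master must stay first: ipatest/ipajoin are skipped results on a master`. The block this condition belongs to starts outside the hunk.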
@@ -212,7 +214,7 @@
 principal: "{{ ipaadmin_principal | default(omit) }}"
 mkhomedir: "{{ ipaclient_mkhomedir | default(omit) }}"
 ca_enabled: "{{ ipaapi.ca_enabled | default(omit) }}"
- #on_master: no
+ on_master: "{{ ipaclient_on_master }}"

 - name: Install - IPA extras configuration
 ipaextras:
@@ -220,6 +222,7 @@
 domain: "{{ ipadiscovery.domain }}"
 ntp_servers: "{{ ipadiscovery.ntp_servers }}"
 ntp: "{{ ipaclient_ntp | default(omit) }}"
+ on_master: "{{ ipaclient_on_master }}"
 #force_ntpd: no
 #sssd: yes
 #ssh: yes
@@ -230,7 +233,6 @@
 #firefox_dir:
 #no_nisdomain: no
 #nisdomain:
- #on_master: no

 always:
 - name: Cleanup leftover ccache
-- 
GitLab