- Mar 27, 2024
-
-
Thomas Woerner authored
FreeIPA PR https://github.com/freeipa/freeipa/pull/7286 moved ipalib.install.kinit to ipalib. It is first tried to import kinit_keytab and kinit_password from ipalib.kinit, then ipalib.install.kinit and finally in some cases where support for IPA 4.5.0 is needed still also ipapython.ipautil. Related: https://github.com/freeipa/freeipa/pull/7286
-
- Mar 13, 2024
-
-
Thomas Woerner authored
The custodia setup is executed twice. At first in ipaserver_setup_custodia and then additionally in ipaserver_setup_ca. The custodia setup code in ipaserver_setup_ca.py has been adapted to fit the code in ipaserver_setup_custodia.py. The extra Setup custodia step in the server roles has been removed together with ipaserver_setup_custodia.py.
-
- Mar 11, 2024
-
-
Thomas Woerner authored
If ipaserver_domain is not given, the domain name is generated from the host fqdn. This generated value was so far not returned, but the empty given value instead.
-
- Feb 07, 2024
-
-
Rafael Guterres Jeffman authored
As FreeIPA now requires MS-PAC to be set in ipaKrbAuthzData to trigger PAC generation, there's a timing issue that causes API malfunction which is long enough to cause the client part insallation to fail. By restarting KDC after DS password is set, we force cached values to be refreshed, allowing the API to work correctly. Resolves: https://github.com/freeipa/ansible-freeipa/issues/1200
-
Thomas Woerner authored
The returned changed state was always True. changed is now only True if automount_location is set and configure_automount was called.
-
Thomas Woerner authored
This is "Fix ipa-client-automount install/uninstall with new install states" https://github.com/freeipa/freeipa/pull/7100 for ansible-freeipa: Issue 8384 introduced a new installation state for the statestore to identify when client/server installation is completely finished rather than relying on has_files(). The problem is that ipa-client-automount may be called during ipa-client-install and since installation is not complete at that point the automount install was failing with "IPA client not configured". Add a new state, 'automount', to designate that automount installation is in process. If check_client_configuration() fails it checks to see if [installation] automount is True. If so it continues with the installation. This also addresses an issue where the filestore and statestore are shared between the client and automount installers but the client wasn't refreshing state after automount completed. This resulted in an incomplete state and index file of backed-up files which caused files to not be restored on uninstall and the state file to be orphaned. Fixes: https://pagure.io/freeipa/issue/9487
-
- Feb 06, 2024
-
-
Thomas Woerner authored
This is "ipa-client-install: enable SELinux for SSSD" https://github.com/freeipa/freeipa/pull/6978 for ansible-freeipa: For passkeys (FIDO2) support, SSSD uses libfido2 library which needs access to USB devices. Add SELinux booleans handling to ipa-client-install so that correct SELinux booleans can be enabled and disabled during install and uninstall. Ignore and record a warning when SELinux policy does not support the boolean. Fixes: https://pagure.io/freeipa/issue/9434
-
- Dec 06, 2023
-
-
Rafael Guterres Jeffman authored
When deploying an IPA client with ipaclient, if an error occured while getting an OTP, no error message is logged, as the task that logs the error is not excuted due to the previous taks failure. By adding a 'rescue' section to the code block and moving the error reporting to this new section, we ensure that the proper error messages will be reported.
-
- Nov 08, 2023
-
-
Thomas Woerner authored
The ipaclient_automount_location variable was badly named as ipaautomount_location. Additionally it was not documented in the role README file. Fixes: #1166 (.. automount-location to the ipa-client role)
-
- Oct 20, 2023
-
-
Rafael Guterres Jeffman authored
Altough most of ansible-freeipa documentation and playbooks use 'ipaserver' as the group for the first server deployed for a realm, the ipareplica role only supported the use of groups["ipaservers"] as an alternative to set ipareplica_servers. Also supporting groups.ipaserver, as already supported by the ipaclient role, make ansible-freeipa playbooks more consistent and current documentation and examples easier to follow when deploying a cluster with a server and a replica.
-
- Sep 14, 2023
-
-
Thomas Woerner authored
The use of del os.environ assumes that the environment variable exists. If the variable does not exist, this call will result in a traceback. The solution is to use os.environ.pop(VARIABLE, None) instead. This is the ansible-freeipa fix for https://pagure.io/freeipa/issue/9446 (Nightly test failure for replica installation with --setup-ca)
-
- Sep 11, 2023
-
-
Rafael Guterres Jeffman authored
Changing the use of 'Exception' to 'RuntimeError' has the benefits of making the error more specific and meaningful for what is being reported and to remove warnings from linters (pylint). The same change is applied to all deployment roles.
-
- Sep 08, 2023
-
-
Rafael Guterres Jeffman authored
Currently, the minimum supported Ansible version is 2.13, and ansible-freeipa roles does not work with any version less than 2.9, altough ansible-freeipa documentation states that the minimum version to use is 2.8. This patch fixes documentation and roles metadata to require that the minimum Ansible version used is 2.13.
-
- Aug 23, 2023
-
-
Rafael Guterres Jeffman authored
Updated all roles README files to add supported distros, as CentOS Stream is supported (both 8 and 9) and also Debian clients.
-
- Jul 19, 2023
-
-
Rafael Guterres Jeffman authored
Ubuntu does not have a FreeIPA server package since version 20.04. As versions 16.04 (Xenial Xerus) and 18.04 (Bionic Beaver) will be supported by Canonical until 2026 and 2028, repectively, we should keep existing support for both versions in the ipaserver, ipareplica and ipabackup roles until them. This patch changes documentation to reflect that only those versions are supported.
-
- Jun 15, 2023
-
-
Renich Bon Ciric authored
The setting was in singular in the example while being documented in plural form.
-
- Jun 05, 2023
-
-
Rafael Guterres Jeffman authored
If server FQDN matches the domain name, the installation will succeed, but DNS records will not work. If 'setup_dns: true' is used, there will be no A record for the host, only a NS record, and the PTR record will point to the domain name. Based on: https://github.com/freeipa/freeipa/pull/6853 Related to: https://pagure.io/freeipa/issue/9003
-
- May 05, 2023
-
-
Thomas Woerner authored
random_serial_numbers was missing the default value in the DOCMENTATION section.
-
Thomas Woerner authored
Automatic field numbering specification is not allowed by ansible-test.
-
- Apr 05, 2023
-
-
Thomas Woerner authored
ipaserver_random_serial_numbers was enabled by default in roles/ipaserver/defaults/main.yml. This should not be the default and also resulted in issues in all IPA versions that do not support RSN. The parameter now defaults to false.
-
- Apr 04, 2023
-
-
Rafael Guterres Jeffman authored
Since FreeIPA version 4.10 it is possible to deploy servers that use Random Serial Number v3 support for certificates. This patch exposes the 'random_serial_numbers' parameter, as 'ipaserver_random_serial_numbers', allowing a user to have random serial numbers enabled for the domain. The use of random serial numbers is allowed on new installations only.
-
- Mar 28, 2023
-
-
Thomas Woerner authored
New variables have been added to ipareplica and ipaserver role to enable the removal from the domein with the undeployment. `ipaserver_remove_from_domain` This enables the removal of the server from the domain additionally to the undeployment. `ipaserver_remove_on_server` The value defines the server/replica in the domain that will to be used to remove the server/replica from the domain if `ipaserver_ignore_topology_disconnect` and `ipaserver_remove_from_domain` are enabled. Without the need to enable `ipaserver_ignore_topology_disconnect`, the value will be automatically detected using the replication agreements of the server/replica. For the replica role it is possible to use the server variables, but also the replica versions: `ipareplica_remove_from_domain` and `ipareplica_remove_on_server`. The already existing parameters `ipaserver_ignore_topology_disconnect` and `ipaserver_ignore_last_of_role` have been added to the README files for server and replica with descriptions. The same for the replica versions of the parameters. The ipareplica role is not calling the `ipa-server-install` anymore, it is instead using (including) the server role for the task. The new module `ipaserver_get_connected_server` has been added to the server role to be able to get a connected server using the replication agreements. This module is only used if `ipaserver_ignore_topology_disconnect` is not needed.
-
- Mar 27, 2023
-
-
Thomas Woerner authored
The cleanup of the root IPA cache was depending on the result of the ipaserver_enable_ipa and ipareplica_enable_ipa tasks. Instead of "when: something.changed" a handler should be used instead. As "/root/.ipa_cache" should be removed always (same in command line) the removal of the file has been moded into the always section and does not need a when anymore.
-
Thomas Woerner authored
The parameters nameservers and searchdomains had both the alias "cn". Both aliases have been removed.
-
- Mar 24, 2023
-
-
Thomas Woerner authored
With the fix to defer creating the final krb5.conf on clients a bug has been introduced with ipaclient_fix_ca: The krb_name parameter that points to the temporary krb5 configuration was not added to the module Without this the server affinity is broken for allow_repair and additionally ipaclient_fix_ca could fail if krb5 configuration needs to be repraied and also CA needs to be fixed. The krb_name parameter has been added to ipaclient_fix_ca and is also properly set in tasks/install.yml.
-
Thomas Woerner authored
With the fix to defer creating the final krb5.conf on clients a bug has been introduced with ipaclient_setup_nss: The krb_name parameter that points to the temporary krb5 configuration was not added to the module. With a properly configured DNS (like for example IPA DNS) the krb TXT records have been present in the DNS configuration. These have been used automatically as a fallback and broke server affinity for the client. Without the TXT records creating the IPA NSS database failed with "Cannot find KDC for realm ..". The krb_name parameter has been added to ipaclient_setup_nss and is also properly set in tasks/install.yml.
-
- Mar 17, 2023
-
-
Rafael Guterres Jeffman authored
Some ipareplica role had a few module calls with parameters set like 'some_argument | default(omit)' that were not actually available in such modules. If a user provided 'some_argument', the paramater would then be passed to the module and ipareplica deployment would fail. By removing the parameters from the 'install' task, ipareplica deployment works even if the variables are set by the user.
-
- Mar 06, 2023
-
-
Denis Karpelevich authored
This is an ansible-freeipa update for the freeipa RFE: https://pagure.io/freeipa/issue/9159 "`ipa-client-install` should provide option to enable `subid: sss` in `/etc/nsswitch.conf`". This option allows to configure authselect with the sssd profile + with-subid feature, in order to have SSSD setup as a datasource for subid in /etc/nsswitch.conf. The default behavior remains unchanged: without the option, /etc/nsswitch.conf keeps the line subid: files Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
-
- Feb 27, 2023
-
-
Thomas Woerner authored
A temporary krb5 configuration was used to join the domain in ipaclient_join. After that the final krkb5 configuration was created with enabled DNS discovery and used for the remainaing tasks, where also a connection to the IPA API was done. With several servers the DNS discovery could have picked up a different server. If the client deployment was faster than the replication this could have lead to an unknown host error. The issue was seen in performance testing where many simultaneous client enrollments have been done.. The goal is to keep server affinity as long as possible within the deployment process: The temporary krb5.conf that was used before in ipaclient_join was pulled out into an own module. The generated temporary krb5.conf is now used in ipaclient_join and also ipaclient_api. The generation of the final krb5.conf is moved to the end of the deployment process. Same as: https://pagure.io/freeipa/issue/9228 The setup of certmonger has been pulled out of ipaclient_setup_nss and moved to the end of the process after generating the final krb5.conf as it will use t will only use /etc/krb5.conf. Certificate issuance may fail during deployment due to using the final krb5.conf, but certmonger will re-try the request in this case. Same as: https://pagure.io/freeipa/issue/9246
-
- Feb 08, 2023
-
-
Thomas Woerner authored
The test in ipaclient_test_keytab is at first trying to use an existing krb5.conf to test if the host keytab can be used. With working DNS lookup an absent krb5.conf is not reported as an error as DNS lookup is silently used instead. A temporary krb5.conf is now used in this test that forces to deactivate DNS lookups and also to load /etc/krb5.conf. A missing krb5.conf is now detected properly as the kinit call fails now properly. Thanks to Julien Rische for this proposal. ipaclient_test_keytab is now properly returning the state of usable or not usable krb5.conf in krb5_conf_ok. This fixes the handling of this case later on in the role.
-
- Jan 31, 2023
-
-
Thomas Woerner authored
ipabackup_item needs to be set again in copy_backup_to_server.yml. The variable is later on used in restore.yml.
-
- Jan 12, 2023
-
-
Rafael Guterres Jeffman authored
ansible-lint warns if Jinja2 templates are not used as the last item in a task name.
-
Rafael Guterres Jeffman authored
ansible-lint warns if set_fact sets a variable where the name is used or can be as a parameter for the role.
-
- Jan 11, 2023
-
-
Rafael Guterres Jeffman authored
ansible-lint warns if 'warn' key is used before block and always keys.
-
Rafael Guterres Jeffman authored
This patch fixes ansible-lint warns on jinja2 template spacing in roles
-
Rafael Guterres Jeffman authored
ansible-lint warns if task names don't start with an uppercase letter.
-
Rafael Guterres Jeffman authored
ansible-lint warns to avoid using free-form when calling module actions and ansible-freeipa roles used this form with 'ansible.builtin.fail'.
-
Rafael Guterres Jeffman authored
ansible-lint warns if version strings are used as numbers instead fo strings.
-
Thomas Woerner authored
yamllint is failing for unnamed tasks. All block and include_tasks tasks are now named.
-
- Dec 20, 2022
-
-
Thomas Woerner authored
Use Fully Qualified Collection Name (FQCN) for ansible builtins. This is ansible.builtin.set_fact instead of set_fact for example and aplies for all actions that are part of ansible.builtin. All the replaced ansible.builtins: assert, command, copy, debug, fail, fetch, file, import_playbook, import_tasks, include_role, include_tasks, include_vars, package, set_fact, shell, slurp, stat, systemd
-