  1. Jul 27, 2020
  2. Jul 07, 2020
    • ipareplica: Fix missing parameters for several modules · 7a2eaa6f
      Thomas Woerner authored
      The parameters master_host_name, config_setup_ca, dirman_password have not
      been set for some modules. Also there was no ldap2 connection within
      ipareplica_setup_kra. All this resulted in improper configuration where
      for example KRA deployment failed in the end.
      
      A conversion warning in ipareplica_setup_adtrust has also been fixed for
      the setup_ca parameter.
      
      Fixes #314 (IPA replica installation failure - DS enabled SSL - second part)
      7a2eaa6f
  3. Jul 02, 2020
    • ipa[server,replica]: Fix pkcs12 info regressions introduced with CA-less · 8ce5fd14
      Thomas Woerner authored
      With the CA-less patches the types for the pkcs12 infos have been changed
      to lists in the modules. This is resulting in a bad conversion from None
      to [''] for the parameters. Because of this a normal replica deployment is
      failing as [''] is not a valid value.
      
      The install.yml files for ipareplica and also ipaserver have been changed
      in the way that the pkcs12 values are checked if they are None. The
      parameter will simply be omitted in this case and the parameter in the
      module will become None by default.
      8ce5fd14
  4. Jun 30, 2020
  5. Jun 22, 2020
  6. Jun 15, 2020
  7. Jun 09, 2020
  8. Jun 03, 2020
    • library/ipaserver_setup_ca: Use x509 IPA upstream code for pkcs12 files · 09fefbb2
      Thomas Woerner authored
      With the encoded _http_ca_cert from ipaserver_test it is possible to revert
      back to the IPA upstream code to write the pkcs12 http certificates.
      
      The passed _http_ca_cert only needs to be decoded with decode_certificate.
      09fefbb2
    • ipaserver/tasks/install.yml: Always remove temporary pkcs12 copies · 8e6d433d
      Thomas Woerner authored
      The created temporary pkcs12 copies need to be removed in all cases. A
      new task has been added.
      8e6d433d
    • library/ipaserver_test: Revert to IPA upstream code for pkcs12 files · 578d08c7
      Thomas Woerner authored
      The function load_pkcs12 should not be skipped to verify the given
      certificates. After the certificates have been verified and the temporary
      certificate copies have been generated, these files are copied to
      /etc/ipa/.tmp_pkcs12_* as the temporary files will simply be removed as
      soon as the file descriptors have been closed.
      
      Additionally the [http,dirsrv,pkinit]_pkcs12_info is recreated to point to
      the copied temporary files.
      
      With this reversion the need to change other modules has been reduced to
      the minimum, the IPA upstream code can simply be used.
      
      The passed back certificates [http,dirsrv,pkinit]_ca_cert are encoded using
      encode_certificate.
      578d08c7
    • ansible_ipa_server: New functions encode_certificate and decode_certificate · 2408a9b7
      Thomas Woerner authored
      The encode_certificate and decode_certificate are needed to encode and
      decode a certificate in the way that it can be passed back from a module
      and imported back into a usable certificate in another module.
      
      For newer IPA versions the certificate is normally an IPACertificate; for
      older IPA versions it is simply a bytes array. But in both cases it needs
      to be converted not to break Ansible.
      2408a9b7
    • Install ipaserver without ca · 4221213f
      Samuel Veloso authored
      4221213f
  9. May 14, 2020
  10. Apr 26, 2020
  11. Apr 02, 2020
  12. Mar 30, 2020
    • ipaserver docs: Calm down module linter · a972beb4
      Thomas Woerner authored
      The use of "default: idstart+199999" in the description of the idmax
      parameter was resulting in the galaxy import error:
      
        Cannot parse "DOCUMENTATION": mapping values are not allowed here in
        "<unicode string>", line 52, column 58: ... value for the IDs range
        (default: idstart+199999)
      
      The ":" has simply been removed to fix this issue.
      a972beb4
  13. Mar 20, 2020
  14. Feb 13, 2020
  15. Jan 23, 2020
  16. Dec 11, 2019
    • ipaserver_test: Do not use zone_overlap_check for domain name validation · 9c853894
      Thomas Woerner authored
      The use of zone_overlap_check for the domain name validation is not good
      for a repeated execution of the server deployment where setup_dns is
      enabled. The zone overlap check will fail with "DNS zone X already exists
      in DNS". zone_overlap_check is later on used in dns.install_check so it is
      not needed to do it here also.
      
      Fixes issues #164 (domain option validator should not call zone overlap..)
      9c853894
  17. Dec 09, 2019
    • Install and enable firewalld if it is configured for ipareplica role · 592680f5
      Alexander Bokovoy authored
      ipareplica role by default tries to configure firewalld but it didn't
      check if firewalld related packages were installed.
      
      Similar to DNS and trust to AD features, install firewalld-related
      packages before trying to configure firewalld.
      
      Additionally, enable and start firewalld.service because otherwise
      firewall-cmd cannot communicate with firewalld itself (it is not
      starting on demand).
      
      If an administrator considers not to use firewalld, a default for
      ipareplica_setup_firewalld variable has to be set to 'no'.
      
      Fixes: https://github.com/freeipa/ansible-freeipa/issues/116
      592680f5
    • Install and enable firewalld if it is configured for ipaserver role · 2136c734
      Alexander Bokovoy authored
      ipaserver role by default tries to configure firewalld but it didn't
      check if firewalld related packages were installed.
      
      Similar to DNS and trust to AD features, install firewalld-related
      packages before trying to configure firewalld.
      
      Additionally, enable and start firewalld.service because otherwise
      firewall-cmd cannot communicate with firewalld itself (it is not
      starting on demand).
      
      If an administrator considers not to use firewalld, a default for
      ipaserver_setup_firewalld variable has to be set to 'no'.
      
      Fixes: https://github.com/freeipa/ansible-freeipa/issues/116
      2136c734
  18. Dec 06, 2019
  19. Dec 02, 2019
  20. Nov 20, 2019
    • ipaclient: Fix misspelled sssd options · 6ad82e6b
      Thomas Woerner authored
      The sssd options in the ipaclient role missed a 's' in the role. The readme
      of the role used the proper names with 3 's'. The names in the role have
      been fixed and if the old settings are used, they will be used in the first
      place.
      
      Also utils/ansible-ipa-client-install has been adapted to use the proper
      option names now.
      
      This fixes issue #145 (The ipaclient role misspells sssd)
      6ad82e6b
  21. Oct 25, 2019
  22. Oct 07, 2019
  23. Sep 04, 2019
  24. Jul 30, 2019
  25. Jul 26, 2019
  26. Jul 23, 2019