The freeipa-trust service has not been added if adtrust was enabled. For
ipareplica the addition of freeipa-replication has been removed as the
used port is not used anymore since some time.

Fixes: #83 (when installing with ipaserver_setup_adtrust: true the firewalld
service freeipa-trust is not added)

Replication agreements are not removed with the command line tools.

This calms down ansible-lint in Ansible galaxy.

This reverts commit bbaaf1f7.

There have been missing settings that have not been provided to
ipareplica_setup_adtrust. These are: enable_compat, rid_base and
secondary_rid_base.

The settings rid_base and secondary_rid_base are now initialized in
ipareplica_prepare and propagated in the results.

The two settings netbios_name and reset_netbios_name are placed in the
adtrust binding in the adtrust.install_check call. These are now saved
when ipareplica_prepare finishes and are written back in the fist steps of
ipareplica_setup_adtrust to make adtrust.install working.

The settings add_sids and add_agents are now initialized in
ansible_ipa_replica in the same way as in ServerMasterInstall. These
settings are fixed in the replica deployment.

Related: #73 (ipaserver_setup_adtrust fails on default smb.conf)

Meta end_play has been used as a simple solution to end the playbook
processing in special conditions, like for example when the deployment
was already done before.

meta end_play has been replaced with blocks and conditions for these
blocks.

Fixes: #70 (Avoid using meta end_play)

The ansible_fqdn hostname has been enforced to be set and used in
ipaserver, ipareplica and also ipaclient role. This has been removed as
the hostname should only be set if specified explicitly with
ipa[server,replica,client]_hostname.

forward_policy is only set in dns.install_test in ipareplica_test if
setup_dns is enabled. Therefore forward_policy will be ommited in this
case.

The configuration of DNS failed because of missing DNS settings in the
ipareplica_prepare and ipareplica_setup_dns.

Some fixed settings for use with DNSInstallInterface have been added
to ansible_ipa_replica:

options.dnssec_master = False
options.disable_dnssec_master = False
options.kasp_db_file = None
options.force = False

Fixes: #58 (install-replica fails: reverse_zones seems to be empty)
Fixes: #63 (ipareplica_setup_dns fails)

Use ipareplica_install_packages to enable or disable package installation
for the client deployment part with ipaclient role.

The dns settings in options have not been used and also not provided to
the module in the tasks file. Therefore these settings shoul dbe removed.

The dns settings in options have not been used and also not provided to
the module in the tasks file. Therefore these settings shoul dbe removed.

The dns settings in options have not been used and also not provided to
the module in the tasks file. Therefore these settings shoul dbe removed.

ipaserver_master_password and ipaserver_setup_ntp have been linked from
the ipaserver role before. With the move of the module_utils parts to the
specific role locations the use of ipaserver modules leads to the missing
dependency ansible_ipa_server, that is now only available in the server
role.

The ipaserver_master_password module has been replaced by the ipareplica
specific ipareplica_master_password module. The ipaserver_setup_ntp module
has been removed as the time related changes for replica are done in the
client install part.

Fixes: #59 (Module is missing interpreter line)

The role test is executed in the ipa[server,replica,client] roles first.
These tests are usable in the Ansible test mode, but the folllowing steps
in the task list are not. Therefore the blocks following the tests are
limited to not being executed in test mode.

python_2_3_test needs to be executed also in test mode to make sure that the
follwing ipa[server,replica,client]_test modules could be executed also in
test mode.

Up to now the try to deploy an already deployed replica resulted in an
error. Now this ends in an end play and no error is reported.

For consitency the result_ prefix has been added to the registered result
of the py3test.py script.

With the changes for IPA enablement in the replica installer it is not
possible anymore to enable the IPA server in the same way as in the
server deployment.

The new module ipareplica_enable_ipa has been added and the link for
ipaserver_enable_ipa has been removed.

The parameter config_setup_ca has been renamed to setup_ca and added to
options. master_host_name has been added to config. Also a call for
api.Backend.ldap2.connect has been added to make sure that the backend is
connected.

ntp_server and ntp_pool are now provided to ipareplica_test. A conflict
test with no_ntp has been added from the normal installer.

Also added are references to options.password and options.dm_password, but
these are commented out and not used or provided to the module.

Proper ntp_servers and ntp_pool tests are needed still.

The use of the _no_ prefix was not good and has been fixed now.

The X_setup_firewalld settings default to yes.

With these settings for server, replica and client it is possible to skip
package installation. This is for example useful if the packages are already
installed. The settings default to yes

The setting ipareplica_no_package_install has been removed.

The ipareplica role is reusing the ipaserver_enable_ipa module. This module
needed some extensions on the server to enable the delayed services and
also to dump DNS configuration (see commit a1287265).
For replica it is not needed to dump the DNS configuration, therefore it is
simply possible to set detup_dns to no to make this module also working
for ipareplica.

This typo has been introduced with 20d25d0d in import_tasks for the
Python 2/3 test.

As the old way to include tasks is deprecated, replace static include
statements with import_tasks and dynamic ones with include_tasks.

Increaded the required ansible version to 2.5.0 to make sure that
include_tasks and import_tasks is working as expected.

Fixes issue #38

This reverts commit 7a76f73b.

It needs to be done as ansible 2.7.1 is now complaining on unknown attribues.

This fixes issue #48: https://github.com/freeipa/ansible-freeipa/issues/48

There is a pull request and also a proposal for ansible be able to limit the
number of concurrent executions for a single task:

- https://github.com/ansible/proposals/issues/129
- https://github.com/ansible/ansible/pull/42528

The keyword is currently named max_concurrent, but might be renamed later
on. If the keyword is present, but not supported by ansible, it will be
simply ignored. Therefore there is no issue right now with adding in here
early.

The ipaclient role is now used instead of ipa-client-install.

custodia needs to be used here with newer IPA versions (introduced with 4.6.4).
With this master_host_name does is not supplied to custodia.import_dm_password
as an arguemtn anymore.

With IPA 4.7 bigger changes have been introduced

Changes:
- Use of timeconf and chrony instead of ntpconf and ntpd.
- custodia instance needed for ca and kra
- Use of create_ipa_conf with changed setting in setup_http for install_http,
  reverted back afterwards.

The _pkinit_pkcs12_info var seems not to be needed for now. Will be removed
in a following cleanup.

- Do not register a change in the playbook run when registering the
  variable checking for whether or not Python 3 imports work

Signed-off-by: Kellin <kellin@retromud.org>

The support for external cert files is not complete yet.

Please have a look at the example inventory file inventory/hosts.replica and
also the install and uninstall playbook files install-replica.yml and
uninstall-replica.yml