The new module ipaclient_setup_ntp to configure and sync time with the NTP
server has been added. The irregular setting ipaclient_ntp has been removed.

The ipaclient_setup_ntp module is using either the new sync_time call or
for compatibility with older FreeIPA versions synconce_ntp.

The reference for ipaclient_ntp in REPLICA.md has been removed also.

This also fixes #55.

ipaclient_extras could configure several things internally according to
provided settings. These have been ssh, sshd, automount, firefox an also
nis. The ssh and sshd configuration is now plocated in ipaclient_setup_ssh,
the automount configuration in ipaclient_setup_automount, the firefox
configuration in ipaclient_setup_firefox and the nis configuration in
ipaclient_setup_nis.

The following additional settings have been added to
roles/ipaclient/defaults/main.yml to provide the same configruation options
as ipa-client-install does:

ipaclient_no_ssh: no
ipaclient_no_sshd: no
ipaclient_no_nisdomain: no
ipaclient_configure_firefox: no

The naming in the ipaclient role has not been following the naming scheme
and conventions used in the ipaserver and ipareplica roles. Also registered
results of modules and commands have not been unsing the result_ prefix as
in the other roles. All this has been fixed and the naming is consistent
now.

These are the renames:

ipahost -> ipaclient_get_otp
ipaapi -> ipaclient_api
ipaextras -> ipaclient_extras
ipafixca -> ipaclient_fix_ca
ipafstore -> ipaclient_fstore
ipa_facts -> ipaclient_get_facts
ipahost -> ipaclient_get_otp
ipajoin -> ipaclient_join
ipanss -> ipaclient_setup_nss
ipasssd -> ipaclient_setup_sssd
ipadiscovery -> ipaclient_test
ipatest -> ipaclient_test_keytab

Move module_utils to role specific locations

The use of the _no_ prefix was not good and has been fixed now.

The X_setup_firewalld settings default to yes.

With these settings for server, replica and client it is possible to skip
package installation. This is for example useful if the packages are already
installed. The settings default to yes

The setting ipareplica_no_package_install has been removed.

Fixes #51 upstream

New information about requirements, limitations, installation and usage

The ipareplica role is reusing the ipaserver_enable_ipa module. This module
needed some extensions on the server to enable the delayed services and
also to dump DNS configuration (see commit a1287265).
For replica it is not needed to dump the DNS configuration, therefore it is
simply possible to set detup_dns to no to make this module also working
for ipareplica.

This typo has been introduced with 20d25d0d in import_tasks for the
Python 2/3 test.

The use of custodiainstance.get_custodia_instance requires that
options.promote exists. As this is a server installation, promote
is set to False.

As the old way to include tasks is deprecated, replace static include
statements with import_tasks and dynamic ones with include_tasks.

Increaded the required ansible version to 2.5.0 to make sure that
include_tasks and import_tasks is working as expected.

Fixes issue #38

ipaserver_setup_adtrust was using api_Backend_ldap2_connect instead of
api_Backend_ldap2 with attribute connect set to True.

Fixes issue #39

This is more like the normal installer behavior and should also help with
issue #50: https://github.com/freeipa/ansible-freeipa/issues/50

subject_validator and also VALID_SUBJECT_ATTRS are provided of the ca
binding.

Fixes issue #43

This reverts commit 7a76f73b.

It needs to be done as ansible 2.7.1 is now complaining on unknown attribues.

This fixes issue #48: https://github.com/freeipa/ansible-freeipa/issues/48

Service entries in cn=FQDN,cn=masters,cn=ipa,cn=etc are no longer
created as enabled. Instead they are flagged as configuredService. At
the very end of the installer, the service entries are switched from
configured to enabled service.

This is related to freeipa upstream commit:

Delay enabling services until end of installer:
  https://github.com/freeipa/freeipa/commit/7284097

Custodia is configured before CA and used in the setup of CA. Also add
support for name FIRST_MASTER as a replacement for MASTER_PEER.

This is related to the freeipa upstream commits:

Use single Custodia instance in installers:
  https://github.com/freeipa/freeipa/commit/994f71a
Rename CustodiaModes.STANDALONE to CustodiaModes.FIRST_MASTER:
  https://github.com/freeipa/freeipa/commit/842cb5f

The api command to get the server config is failing with more recent
freeipa versions. Therefore another way to gather the server config using
api.Backend.rpcclient.forward has been added in case the first version
fails.

The new code is from freeipa commit 8af6accfa5734a7e9a7c92fcf38d5440482413d4
(https://github.com/freeipa/freeipa/commit/8af6accf)

This is a partly pick of the changes done by pyguy for pull request #28.
The unrelated changed on inventory files have been removed and the change
to the README has been adapted to use the "Supported Distributions" section.

The original commits by pyguy in https://github.com/pyguy/ansible-freeipa
are:

commit 1ed1fa845eafd69432b1fd1fc8e5329e4991e84a
Author: pyguy <hr.josheghani@gmail.com>
Date:   Mon Jun 25 17:17:31 2018 +0430

    Ubuntu Support added

commit 9a4a7c84e4af20af27e814aba4fc2c6b8b35ec0f
Author: pyguy <hr.josheghani@gmail.com>
Date:   Sun Jun 24 10:58:07 2018 +0430

    Ubuntu support added

There is a pull request and also a proposal for ansible be able to limit the
number of concurrent executions for a single task:

- https://github.com/ansible/proposals/issues/129
- https://github.com/ansible/ansible/pull/42528

The keyword is currently named max_concurrent, but might be renamed later
on. If the keyword is present, but not supported by ansible, it will be
simply ignored. Therefore there is no issue right now with adding in here
early.

The ipaclient role is now used instead of ipa-client-install.

This is needed to use ipaclient in ipareplica for client deployment.

This is done in IPAChangeConf.changeConf and IPAChangeConf.newConf

Set default_domain if not ipadiscovery.dnsok or not ipadiscovery.kdc like it
is done in ipa-client-install.

These roles will most likely not work in the common case. Therefore the roles
have been renamed.

The ipa-krpb5 role is used by ipcalient, but the ipa-sssd role is currently
not used.

custodiainstance.import_dm_password does not support master_host_name post
4.6.90 anymore. A new inspect call has been added to verify if the arg is
supported or not.

custodia needs to be used here with newer IPA versions (introduced with 4.6.4).
With this master_host_name does is not supplied to custodia.import_dm_password
as an arguemtn anymore.

The use of IPA versions to determine if get_custodia_instance should be
used was not optimal as the patch that introduced this has been back-ported
to the EL-7 package with verion 4.5.4. As get_custodia_instance was not
available before we can simply check if get_custodia_instance exists in
custodiainstance.

Tee message for a domain and realm name mismatch should be a warning and
not a fail in the ipaserver test. It is also a warning in the normal
installer.

The use of IPA versions to determine if get_custodia_instance should be
used was not optimal as the patch that introduced this has been back-ported
to the EL-7 package with verion 4.5.4. As get_custodia_instance was not
available before we can simply check if get_custodia_instance exists in
custodiainstance.

Lowered Version for Setup CA | Tested on CentOS 7.5

CentOS 7 Compatibility