tasks.create_tmpfiles_dirs only needs IPAAPI_USER as an argument for
version 4.5.4. For 4.5 there is no support for arguments.

IPAAPI_USER is therefore only needed for 4.5.4 in
module_utils/ansible_ipa_server.py

The directories library and action_plugins do only contain ipaclient specific
modules and plugins. Therefore these directories should be located in the
ipaclient role directory.

When forwarders list or the no_forwarders flag has been set, the
configuraiton does not reflect the setting. With no_forwarders
the preparation step of the DNS server could fail in ipaserver_prepare.

This is addressing the issue of pull request #25.

krb5 DNS discovery was not possible in cluster environments as the server
list from groups.ipaserver was used all the time. DNS discovery is though
only used if no servers are given.

The new setting ipaclient_no_dns_lookup has been added to make sure that
DNS lookup is used in the first place and can be disabled easily with this
setting. There is also a new way to override servers per client in the
inventory file with ipaclient_servers.

Two new settings have been added:

ipaclient_no_dns_lookup (bool, default: no)
  Set to 'yes' to use groups.ipaserver in cluster environments as servers
  for the clients. This deactivates DNS lookup in krb5.

ipaclient_servers (list of strings, default: undefined)
  Manually override list of servers for example in a cluster environment on
  a per client basis. The list of servers is normally taken from from
  groups.ipaserver in cluster environments.

The krb5 DNS lookup settings krb5_dns_lookup_realm and krb5_dns_lookup_kdc
ans also the servers have not been set properly set if no server has been
specified and discovery succeeded. This has been fixed.

This fixes issue #23.

- Do not register a change in the playbook run when registering the
  variable checking for whether or not Python 3 imports work

Signed-off-by: Kellin <kellin@retromud.org>

The support for external cert files is not complete yet.

Please have a look at the example inventory file inventory/hosts.replica and
also the install and uninstall playbook files install-replica.yml and
uninstall-replica.yml

b29db07c3b3d8937f53684fdbba985fec525d69d by Christian Heimes

    Replace custom file_exists() and dir_exists() functions with proper
    functions from Python's stdlib.

    The change also gets rid of pylint's invalid bad-python3-import error,
    https://github.com/PyCQA/pylint/issues/1565

tasks.create_tmpfiles_dirs does not support options for FreeIPA 4.5

options.kasp_db_file is used in dns.install_check if options.dnssec_master
is enabled. kasp_db_file defauts to None and is only a supported option in
the post deployment ipa-dns-install script. Therefore it is suffient to
set it to None.

A new section has been added to configure firewalld automatically as the
last step of the server installation.

A new switch has been added to be able to turn firewalld configuration off:
ipaserver_no_firewalld. It defaults to no.

The client role is used also while installing the server. There has been an
issue where the server installation has not been complete because of a
playbook termination in the client.

This has been fixed and the client and also the server are fully configured
in the server installation.

The roles ipaconf, krb5 and sssd have been using GPLv2+ in the license meta
information while everything else is GPLv3. Therefore the license meta
information has been changed to GPLv3.

force and allow_zone_overlap options were missing from a couple places.

Signed-off-by: Scott Poore <spoore@redhat.com>

This is needed to fix the installation without configuring the dns server in
the IPA server.

The relative import of the distribution specific vars files requires to use
is not working. {{ role_path }} needs to be used to force the load of the
proper files.

The server role has different setting names:

- groups.ipaserver: groups.ipaservers
- ipaserver_domain: ipaclient_domain
- ipaserver_realm: ipaclient_realm

Both need to be supported to be able to sue the client role within the server
role, but also standalone.

forward_policy needs to be None for the DNS check for proper initialization
if the user is not providing another forward_policy value. forward_policy will
be set in the DNS check.

no_dnssec_validation is enabled in the DNS check if the forwarders do not
provide DNSSEC validation. Therefore this needs to be handed over to the dns
installation later on.

New return values for forward_policy and no_dnssec_validation have been added
to the ipaserver_test module.

The client settings are:

ipaclient_mkhomedir
ipaclient_no_ntp
ipaclient_ssh_trust_dns
ipaclient_no_ssh
ipaclient_no_sshd
ipaclient_no_dns_sshfp

ipaserver_password has been renamed to ipaadmin_password
ipaserver_dm_password has been renamed to ipadm_password

With using the name password for the password return it will be hidden
automatically and an error message will still be visible.

There is no way to repair a server installation like it is possible with a
client.

These global variables are initialized in the dns module in the
dns.install_check function. The settings are needed to be able to do a
proper dns setup in the ipaserver_setup_dns ansible module.

This methods creates a list of ipautil.CheckedIPAddress from the provided
ip string list.

Attempt to sync time if on_master is not set and no_ntp is not set: At
first with given or dicovered time servers. If no ntp servers have been
given or discovered, then with the ipa server.

New parameters:
  on_master:
    description: IPA client installation on IPA server
    required: false
    default: false
    type: bool
    default: no
  ntp_servers:
    description: List of NTP servers to use
    required: false
    type: list
    default: []
  no_ntp:
    description: Do not sync time and do not detect time servers
    required: false
    default: false
    type: bool
    default: no

The ntp_servers output parameter is now always an empty list if on_master
or no_ntp is set.