- Jul 17, 2019
-
-
Thomas Woerner authored
The variables dirsrv_cert_name, dirsrv_pin, http_cert_name, http_pin, pkinit_cert_name and pkinit_pin have not been initialized properly.
-
Thomas Woerner authored
These two variables in the dns binding are initialized in the installation check in the install_check parts of ipareplica_prepare and used later on in the dns configuration in ipareplica_setup_dns.
-
Thomas Woerner authored
There is a new setting for the ipareplica role: ipareplica_pki_config_override
-
Thomas Woerner authored
-
- Jun 25, 2019
-
-
Thomas Woerner authored
Some settings for kra have not been correct for kra with the change to use single Custodia instance in the installer (freeipa 994f71ac8). These modules have been adapted: ipareplica_custodia_import_dm_password, ipareplica_enable_ipa, ipareplica_setup_ca, ipareplica_setup_custodia, ipareplica_setup_kra
-
- Jun 21, 2019
-
-
Thomas Woerner authored
This is related to freeipa#0f31564b35aac250456233f98730811560eda664. During ipa-replica-install, http installation first creates a service principal for http/hostname (locally on the soon-to-be-replica), then waits for this entry to be replicated on the master picked for the install. In a later step, the installer requests a certificate for HTTPd. The local certmonger first tries the master defined in xmlrpc_uri (which is pointing to the soon-to-be-replica), but fails because the service is not up yet. Then certmonger tries to find a master by using the DNS and looking for a ldap service. This step can pick a different master, where the principal entry has not always been replicated yet. As the certificate request adds the principal if it does not exist, we can end by re-creating the principal and have a replication conflict. The replication conflict later causes kerberos issues, preventing from installing a new replica. The proposed fix forces xmlrpc_uri to point to the same master as the one picked for the installation, in order to make sure that the master already contains the principal entry. https://pagure.io/freeipa/issue/7041
-
- Jun 17, 2019
-
-
Thomas Woerner authored
To make sure that there will be no issue with undefined output from ipareplica_test, the default(omit) has been added.
-
Thomas Woerner authored
The variable has been ignored and was not used. The servers are now properly set from ipareplica_servers.
-
Thomas Woerner authored
The module ipareplica_master_password has been a copy from ipaserver role and still contained code to read the cache file. This is not needed for the replica. Therefore there is no need also to provide the dm password to ipareplica_master_password any more.
-
- Jun 04, 2019
-
-
David Sastre Medina authored
The use of squash_actions to invoke a package module, such as “yum”, to only invoke the module once is deprecated, and will be removed in Ansible 2.11. Instead of relying on implicit squashing, tasks should instead supply the list directly to the name, pkg or package parameter of the module. See [1] for a reference to the upstream documentation. The ipa-krb5 and ipa-sssd modules include *_packages variables in both defaults/ and vars/, additionally, the list of packages in ipa-sssd differs from one to the other. Unify list of packages into vars/ [1]: https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.7.html#using-a-loop-on-a-package-module-via-squash-actions
-
Thomas Woerner authored
This test is not properly working with EL-8 nodes as the default system python is not located in /usr/bin. Additionally Ansible 2.8 is able to detect the default python version on the system. As the installation base for IPA 4.5.90 where the Python 3 bindings have not been working properly should be really small or not existing any more the deactivation of this test should be fine.
-
Thomas Woerner authored
The result from ipareplica_test should be used to enable freeipa-trust in the firewall.
-
- May 31, 2019
-
-
Thomas Woerner authored
The hidden replica support introduced some incompatible changes to replica deployment. The methods find_providing_server and find_providing_servers have been moved from ipaserver.install.service to ipaserver.masters. Additionally the host_name argument for find_providing_server is a list now. This breaks existing ipareplica Ansible modules ipareplica_prepare and ipareplica_enable_ipa.
-
Thomas Woerner authored
The freeipa-trust service has not been added if adtrust was enabled. For ipareplica the addition of freeipa-replication has been removed as the used port is not used anymore since some time. Fixes: #83 (when installing with ipaserver_setup_adtrust: true the firewalld service freeipa-trust is not added)
-
Thomas Woerner authored
-
- May 03, 2019
-
-
Thomas Woerner authored
-
Thomas Woerner authored
-
- Apr 18, 2019
-
-
Thomas Woerner authored
This reverts commit bbaaf1f7.
-
Thomas Woerner authored
There have been missing settings that have not been provided to ipareplica_setup_adtrust. These are: enable_compat, rid_base and secondary_rid_base. The settings rid_base and secondary_rid_base are now initialized in ipareplica_prepare and propagated in the results. The two settings netbios_name and reset_netbios_name are placed in the adtrust binding in the adtrust.install_check call. These are now saved when ipareplica_prepare finishes and are written back in the first steps of ipareplica_setup_adtrust to make adtrust.install working. The settings add_sids and add_agents are now initialized in ansible_ipa_replica in the same way as in ServerMasterInstall. These settings are fixed in the replica deployment. Related: #73 (ipaserver_setup_adtrust fails on default smb.conf)
-
- Apr 17, 2019
-
-
Thomas Woerner authored
Meta end_play has been used as a simple solution to end the playbook processing in special conditions, like for example when the deployment was already done before. meta end_play has been replaced with blocks and conditions for these blocks. Fixes: #70 (Avoid using meta end_play)
-
Thomas Woerner authored
The ansible_fqdn hostname has been enforced to be set and used in ipaserver, ipareplica and also ipaclient role. This has been removed as the hostname should only be set if specified explicitly with ipa[server,replica,client]_hostname.
-
- Apr 05, 2019
-
-
Thomas Woerner authored
forward_policy is only set in dns.install_test in ipareplica_test if setup_dns is enabled. Therefore forward_policy will be omitted in this case.
-
- Apr 03, 2019
-
-
Thomas Woerner authored
The configuration of DNS failed because of missing DNS settings in the ipareplica_prepare and ipareplica_setup_dns. Some fixed settings for use with DNSInstallInterface have been added to ansible_ipa_replica: options.dnssec_master = False, options.disable_dnssec_master = False, options.kasp_db_file = None, options.force = False. Fixes: #58 (install-replica fails: reverse_zones seems to be empty) Fixes: #63 (ipareplica_setup_dns fails)
-
Thomas Woerner authored
Use ipareplica_install_packages to enable or disable package installation for the client deployment part with ipaclient role.
-
Thomas Woerner authored
The dns settings in options have not been used and also not provided to the module in the tasks file. Therefore these settings should be removed.
-
Thomas Woerner authored
The dns settings in options have not been used and also not provided to the module in the tasks file. Therefore these settings should be removed.
-
Thomas Woerner authored
The dns settings in options have not been used and also not provided to the module in the tasks file. Therefore these settings should be removed.
-
Thomas Woerner authored
ipaserver_master_password and ipaserver_setup_ntp have been linked from the ipaserver role before. With the move of the module_utils parts to the specific role locations the use of ipaserver modules leads to the missing dependency ansible_ipa_server, that is now only available in the server role. The ipaserver_master_password module has been replaced by the ipareplica specific ipareplica_master_password module. The ipaserver_setup_ntp module has been removed as the time related changes for replica are done in the client install part. Fixes: #59 (Module is missing interpreter line)
-
- Mar 26, 2019
-
-
Thomas Woerner authored
The role test is executed in the ipa[server,replica,client] roles first. These tests are usable in the Ansible test mode, but the following steps in the task list are not. Therefore the blocks following the tests are limited to not being executed in test mode.
-
Thomas Woerner authored
Up to now the try to deploy an already deployed replica resulted in an error. Now this ends in an end play and no error is reported.
-
Thomas Woerner authored
With the changes for IPA enablement in the replica installer it is not possible anymore to enable the IPA server in the same way as in the server deployment. The new module ipareplica_enable_ipa has been added and the link for ipaserver_enable_ipa has been removed.
-
Thomas Woerner authored
The parameter config_setup_ca has been renamed to setup_ca and added to options. master_host_name has been added to config. Also a call for api.Backend.ldap2.connect has been added to make sure that the backend is connected.
-
Thomas Woerner authored
ntp_server and ntp_pool are now provided to ipareplica_test. A conflict test with no_ntp has been added from the normal installer. Also added are references to options.password and options.dm_password, but these are commented out and not used or provided to the module. Proper ntp_servers and ntp_pool tests are needed still.
-
- Feb 12, 2019
-
-
Thomas Woerner authored
The use of the _no_ prefix was not good and has been fixed now. The X_setup_firewalld settings default to yes.
-
Thomas Woerner authored
With these settings for server, replica and client it is possible to skip package installation. This is for example useful if the packages are already installed. The settings default to yes. The setting ipareplica_no_package_install has been removed.
-
- Nov 26, 2018
-
-
Thomas Woerner authored
The ipareplica role is reusing the ipaserver_enable_ipa module. This module needed some extensions on the server to enable the delayed services and also to dump DNS configuration (see commit a1287265). For replica it is not needed to dump the DNS configuration, therefore it is simply possible to set setup_dns to no to make this module also working for ipareplica.
-
- Nov 23, 2018
-
-
Thomas Woerner authored
This typo has been introduced with 20d25d0d in import_tasks for the Python 2/3 test.
-
- Nov 22, 2018
-
-
Thomas Woerner authored
As the old way to include tasks is deprecated, replace static include statements with import_tasks and dynamic ones with include_tasks. Increased the required ansible version to 2.5.0 to make sure that include_tasks and import_tasks are working as expected. Fixes issue #38
-
Thomas Woerner authored
This reverts commit 7a76f73b. It needs to be done as ansible 2.7.1 is now complaining on unknown attributes. This fixes issue #48: https://github.com/freeipa/ansible-freeipa/issues/48
-
- Jul 19, 2018
-
-
Thomas Woerner authored
There is a pull request and also a proposal for ansible to be able to limit the number of concurrent executions for a single task: - https://github.com/ansible/proposals/issues/129 - https://github.com/ansible/ansible/pull/42528 The keyword is currently named max_concurrent, but might be renamed later on. If the keyword is present, but not supported by ansible, it will be simply ignored. Therefore there is no issue right now with adding in here early.
-