  1. Mar 27, 2024
  2. Sep 14, 2023
  3. Mar 28, 2023
    • ipareplica/server: Enable removal from domain with undeployment · 476d9d50
      Thomas Woerner authored
      New variables have been added to ipareplica and ipaserver role to enable
      the removal from the domain with the undeployment.
      
      `ipaserver_remove_from_domain`
      This enables the removal of the server from the domain additionally to the
      undeployment.
      
      `ipaserver_remove_on_server`
      The value defines the server/replica in the domain that will be used to
      remove the server/replica from the domain if
      `ipaserver_ignore_topology_disconnect` and `ipaserver_remove_from_domain`
      are enabled. Without the need to enable
      `ipaserver_ignore_topology_disconnect`, the value will be automatically
      detected using the replication agreements of the server/replica.
      
      For the replica role it is possible to use the server variables, but
      also the replica versions: `ipareplica_remove_from_domain` and
      `ipareplica_remove_on_server`.
      
      The already existing parameters `ipaserver_ignore_topology_disconnect` and
      `ipaserver_ignore_last_of_role` have been added to the README files for
      server and replica with descriptions. The same for the replica versions
      of the parameters.
      
      The ipareplica role is not calling the `ipa-server-install` anymore, it
      is instead using (including) the server role for the task.
      
      The new module `ipaserver_get_connected_server` has been added to the
      server role to be able to get a connected server using the replication
      agreements. This module is only used if
      `ipaserver_ignore_topology_disconnect` is not needed.
  4. Nov 23, 2022
    • ipaclient: No kinit on controller for deployment using OTP · 624e0d34
      Thomas Woerner authored
      The generation of the OTP for client deployment is now completely
      happening on the first of the given or detected servers with delegate_to.
      The module ipaclient_get_otp has been replaced by a new module using code
      from ipahost module and module_utils ansible_freeipa_module.
      
      The action plugin ipaclient_get_otp has been removed and with this also
      ipaclient_get_facts.
      
      If an admin keytab is used instead of an admin password, it is copied to
      the server as a temporary file to enable the OTP generation. The temporary
      file is removed again after using the ipaclient_get_otp module.
      
      The utils script build-galaxy-release.sh has been updated to not copy the
      ipaclient action plugin to the global plugins folder of the collection.
      
      This change is important for the use of the ipaclient role with AAP as only
      the base environment is sufficient now.
      
      The ipaclient README and also the global README have been updated as
      kinit is not needed anymore on the controller for OTP.
      
      Fixes #903 (Allow the use of principals other than admin when using
                  ipaadmin_keytab)
  5. Nov 14, 2022
    • ipaclient_get_otp: Fix documentation sections and argument spec · e932f65b
      Thomas Woerner authored
      ansible-test with ansible-2.14 is adding a lot of new tests to ensure
      that the documentation section and the argument spec is complete. Needed
      changes:
      
      DOCUMENTATION section
      
      - `type: str` needs to be set for string parameters
      - `type: list` needs to be set for list parameters
      - `elements: str` needs to be given for list of string parameters
      - `required` tags need to be fixed according to the `argument_spec`
      - `default` tag needs to match `argument_spec`
      - `author` needs to be given with the github user also: `Name (@user)`
      - `choices` needs to match `argument_spec`
      
      RETURN section
      
      - `type: string` is not valid and needs to be replaced by `type: str`
      - `elements: str` needs to be given for list of string parameters
      
      argument_spec
      
      - `type='str'` needs to be set for string parameters
      - `elements='str'` needs to be added to all list of string parameters
      
      A call to ansible_ipa_client.check_imports has been added to check for import
      errors.
      
      The `copyright` date is extended with `-2022`.
  6. Aug 26, 2022
  7. Jan 12, 2022
  8. Nov 24, 2021
  9. Apr 26, 2020
  10. Jul 22, 2019
  11. Jul 17, 2019
  12. Jul 11, 2019
    • library/ipaclient_get_otp: Enable force mode for host_add call · 1fa1468b
      Thomas Woerner authored
      When OTP is used for installation of a client or the client part of
      a replica and also there is no DNS record for the client, then
      ipaclient_get_otp fails in the host_add call.
      
      With the force mode the host_add call will ignore the missing DNS
      record and will properly add the host. The host information and also
      the DNS record will be updated while deploying the client according
      to the given settings.
      
      Fixes: #74 (ipaclient fails when ipaclient_use_otp is true and client ..)
  13. Jun 12, 2019
  14. Mar 21, 2019
    • ipaclient role: Fix naming of modules, action_plugins and registered vars · 7c378d9c
      Thomas Woerner authored
      The naming in the ipaclient role has not been following the naming scheme
      and conventions used in the ipaserver and ipareplica roles. Also registered
      results of modules and commands have not been using the result_ prefix as
      in the other roles. All this has been fixed and the naming is consistent
      now.
      
      These are the renames:
      
      ipahost -> ipaclient_get_otp
      ipaapi -> ipaclient_api
      ipaextras -> ipaclient_extras
      ipafixca -> ipaclient_fix_ca
      ipafstore -> ipaclient_fstore
      ipa_facts -> ipaclient_get_facts
      ipahost -> ipaclient_get_otp
      ipajoin -> ipaclient_join
      ipanss -> ipaclient_setup_nss
      ipasssd -> ipaclient_setup_sssd
      ipadiscovery -> ipaclient_test
      ipatest -> ipaclient_test_keytab
  15. Jun 21, 2018
    • ipaclient: Fix OTP action plugin to work with python3 bindings · 1ed9379c
      Thomas Woerner authored
      As the action plugin is used with the default python interpreter and
      the change to python3 for FreeIPA, the use of OTP was not working anymore.
      
      The ansible_python_interpreter is not automatically used for the module
      part of the action plugin. Therefore ansible_python_interpreter needed to
      be added to the action plugin call as a new var to make sure that the
      module part is used with the proper python version.
      
      Also a new import for the Python2/3 import test has been added to discover
      if the server is supporting python2 or python3. The old
      ansible_python_interpreter setting is saved before doing this and restored
      after the one-time password has been generated on the server.
    • ipaclient: Use paths variables for executables used in modules · 28579023
      Thomas Woerner authored
      paths.KDESTROY instead of "kdestroy" and paths.GETENT instead of "getent"
      
      Affected modules:
        roles/ipaclient/library/ipahost.py
        roles/ipaclient/library/ipajoin.py
        roles/ipaclient/library/ipanss.py
    • ipaclient: Move library and action_plugins into ipaclient role directory · 1ecc194c
      Thomas Woerner authored
      The directories library and action_plugins do only contain ipaclient specific
      modules and plugins. Therefore these directories should be located in the
      ipaclient role directory.
  16. Feb 01, 2018
  17. Oct 17, 2017
  18. Sep 15, 2017
    • Fix logic trying to obtain a keytab · c824cf67
      Florence Blanc-Renaud authored
      When ipahost is run to generate an OTP and the host is already existing,
      the OTP is properly generated but ipa-join will fail if the host is
      already enrolled (ie when it has a keytab).
      Add a step calling ipa host-disable to erase OTP and keytab before
      requesting an OTP.
  19. Aug 10, 2017
  20. Jul 03, 2017