With ansible-2.13 it is required to use jinja for list concatenation.

  list: "[] + ['a'] + ['b']"

needs to become

  list: "{{ [] + ['a'] + ['b'] }}"

copy_external_cert.yml needed to be changed.

There are new smartcard roles in the roles folder:

    roles/ipasmartcard_server
    roles/ipasmartcard_client

This roles allows to setup smartcard for servers and clients.

Here is the documentation for the roles:

    roles/ipasmartcard_server/README.md
    roles/ipasmartcard_client/README.md

New example playbooks have been added:

    playbooks/install-smartcard-server.yml
    playbooks/install-smartcard-replicas.yml
    playbooks/install-smartcard-servers.yml
    playbooks/install-smartcard-clients.yml

The unnamed tasks have been reported as issues by new ansible-lint.

Due to a change in Ansible to depend on Python 3.8 it is needed to only
use bindings that are provided by Python and Ansible core. gssapi is
therefore not usable any more.

The kinit_keytab function was using gssapi and now has to use the kinit
command insead.

ERROR: Found 6 pylint issue(s) which need to be resolved:
ERROR: plugins/modules/ipaserver_prepare.py:395:4: invalid-name: Variable name "e" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/library/ipaserver_prepare.py:395:4: invalid-name: Variable name "e" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:333:12: invalid-name: Variable name "ds" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:348:12: invalid-name: Variable name "ds" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:361:12: invalid-name: Variable name "ip" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:364:12: invalid-name: Variable name "e" doesn't conform to snake_case naming style

e has been replaced with err, ds with _ds, ip with _ip.

Fix pylint warnings raised by enabling linter on ansible-freeipa roles.

Recently added Ubuntu configuration filesi for roles miss document
start marker.

When using ipaclient role under Debian 10 (Buster), it is required
that the python interpreter is set to Python 2.7 as freeipa-client
package pulls in Python 2.7 dependencies, and does not work with
Python 3.

This patch adds configuration to properly set python interpreter.

Based on the work by Marc Richter (@The-Judge on Github).

Fix issue #607.

Ubuntu Bionic Beaver must use python2 as Python interpreter due to
the way python-ipalib package is defined.

Before using the role for installation, one  must install package
python2.7 before executing this role.

Based on the work by Manuel Laurent (@mlaurent205 on Github).

This patch is needed to pass Automation Hub tests.

This patch is needed to pass Automation Hub tests.

This patch is needed to pass Automation Hub tests.

This patch is needed to pass Automation Hub tests.

This patch is needed to pass Automation Hub tests.

This patch is needed to pass Automation Hub tests.

This patch is needed to pass Automation Hub tests.

ipaclient_setup_nss is using the nosssd_files dict if sssd is disabled
with no_sssd.

The nosssd_files dict is generated in ipaclient_test and used in
ipaclient_setup_nss. So far ipaclient_setup_nss was using nosssd_files
from ipaclient installer, which was always None.

When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.

Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.

This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.

For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.

Fix issue #573. Fix issue #523.

When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.

Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.

This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.

For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.

Fix issue #573. Fix issue #523.

When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.

Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.

This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.

For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.

Fix issue #573. Fix issue #523.

When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.

Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.

This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.

For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.

Fix issue #573. Fix issue #523.

Up to now a python snippet was used to get IPA_BACKUP_DIR from ipaplatform
but this was not working when ansible_facts was false due to not getting
ansible_python_interpreter set.

The module version is also working if gather_facts is turned off.

Line too long and too many blank line errors and a trailing whitespace have
been fixed.

Without this change the "Import variables specific to distribution"
tasks fail with "Could not find file on the Ansible Controller..."
on environments with inject facts disabled.

This changes the tests to run with ansible with
inject_facts_as_vars = false and fixes other roles and playbooks.

Due to commit f3f9672d527008dc741ac90aa465bac842eea08d (ipa-rmkeytab: Check
return value of krb5_kt_(start|end)_seq_get) in IPA 4.9.2 there is a new
error reported for ipa-rmkeytab in case of a non existing keytab file.
Using ipa-rmkeytab now results in the error #7 in this case.

The client role is using ipa-rmkeytab and needs to ignore error #7 also.

Fixes: #510 (ipa-client installation with OTP is failed with error code 7
             (keytab: /usr/sbin/ipa-rmkeytab returned 7))

* prevents failures on Ansible 2.9 during module build due to https://github.com/ansible/ansible/issues/68361
* fixes https://github.com/freeipa/ansible-freeipa/issues/315

The use of conditions in shell tasks without else clause is failing on
some systems with an undefined variable error.

The parameter options.no_dnssec_validation was set using a bad
parameter name. This lead to not beeing able to turn off dnssec
validation in the replica deployment.

Fixes: #456 (ipareplica_no_dnssec_validation)

There was a typo in the README and also the ipareplica_hidden_replica
parameter was missing.

The common_check function in the replica installer code has been changed
for the new memory checker code. With this the server and replica command
line installers got the option --skip-mem-check.

The server and replica role now also support the memory cheker and there
are new variables for server and replica:

    ipaserver_mem_check - for ipaserver
    ipareplica_mem_check - for ipaserver

These bool values default to yes and can be turned off in the inventory
or playbook if needed.

Related to freeipa PR https://pagure.io/freeipa/issue/8404 (Detect and
fail if not enough memory is available for installation)

Fixes: #450 (IPA Replica Installation Fails)