    ---
    # tasks file for ipaclient
    
    # Install the IPA client package named by ipaclient_package through the
    # generic package module.
    - name: Install - Install IPA client package
      package:
        state: present
        name: '{{ ipaclient_package }}'
    
    # Discover the IPA domain, servers, realm and KDC for this host; the
    # registered result (ipadiscovery) feeds the tasks below.
    - name: Install - IPA discovery
      ipadiscovery:
        domain: '{{ ipaclient_domain | default(omit) }}'
        servers: '{{ groups.ipaservers | default(omit) }}'
        realm: '{{ ipaclient_realm | default(omit) }}'
        hostname: '{{ ansible_fqdn }}'
        #ca_cert_file: "{{ ipaclient_ca_cert_file | default(omit) }}"
        check: true
      register: ipadiscovery
    
    # Fall back to the "admin" principal only when neither a principal nor a
    # client keytab was supplied (list form of when is an AND).
    - name: Install - Set default principal if no keytab is given
      set_fact:
        ipaadmin_principal: admin
      when:
        - ipaadmin_principal is undefined
        - ipaclient_keytab is undefined
    
    # Check whether the client already has a usable krb5.keytab; if it does
    # and OTP enrolment was requested, turn OTP off again.
    - block:
      - name: Install - Test if IPA client has working krb5.keytab
        ipatest:
          servers: '{{ ipadiscovery.servers }}'
          domain: '{{ ipadiscovery.domain }}'
          realm: '{{ ipadiscovery.realm }}'
          hostname: '{{ ipadiscovery.hostname }}'
          kdc: '{{ ipadiscovery.kdc }}'
          # The principal is left empty when enrolling with OTP.
          # NOTE(review): with a client keytab and OTP off, ipaadmin_principal
          # may be undefined here — confirm ipatest tolerates that.
          principal: "{{ ipaadmin_principal if not ipaclient_use_otp | bool else '' }}"
          kinit_attempts: '{{ ipaclient_kinit_attempts | default(omit) }}'
        register: ipatest

      - name: Install - Disable One-Time Password for client with working krb5.keytab
        when: ipaclient_use_otp | bool and ipatest.krb5_keytab_ok
        set_fact:
          # Kept as the string 'no'; every consumer filters it through | bool.
          ipaclient_use_otp: 'no'
    
    # The following block is executed when using OTP to enroll the IPA client,
    # i.e. when ipaclient_use_otp is set.
    # It connects to the IPA server and adds the host with the --random option
    # in order to create a One-Time Password.
    # If a keytab is specified in the host entry, then the host entry will be
    # disabled if ipaclient_use_otp is set.
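    # One-Time Password enrolment: ask the IPA server for a random password for
    # this host and keep it in ipaadmin_password for the enrolment step.
    # Both tasks are no_log because the OTP is a credential and must not end
    # up in play output or logs.
    - block:
      - name: Install - Get a One-Time Password for client enrollment
        no_log: true
        ipahost:
          state: present
          principal: "{{ ipaadmin_principal | default('admin') }}"
          password: "{{ ipaadmin_password | default(omit) }}"
          keytab: "{{ ipaadmin_keytab | default(omit) }}"
          fqdn: "{{ ansible_fqdn }}"
          lifetime: "{{ ipaclient_lifetime | default(omit) }}"
          random: true
        register: ipahost_output
        # If the host is already enrolled, this command will exit on error.
        # The error can be ignored.
        # "is failed" replaces the "|failed" filter form, which is deprecated
        # since Ansible 2.5 and removed in 2.9; default('') keeps the check
        # from raising when a failure result carries no msg.
        failed_when: ipahost_output is failed and "Password cannot be set on enrolled host" not in ipahost_output.msg | default('')
        delegate_to: "{{ ipadiscovery.servers[0] }}"

      - name: Install - Store the previously obtained OTP
        no_log: true
        set_fact:
          # NOTE(review): when the host was already enrolled (error ignored
          # above), ipahost_output.host is undefined and this inline-if with no
          # else yields an empty string, so ipaadmin_password is blanked —
          # confirm that is what the later enrolment task expects.
          ipaadmin_password: "{{ ipahost_output.host.randompassword if ipahost_output.host is defined }}"

      when: ipaclient_use_otp | bool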