On 08/16/2017 09:16 AM, Martin Kosek wrote:
On 08/02/2017 01:36 PM, Florence Blanc-Renaud via FreeIPA-devel wrote:
Hi all,

The first version of a new design document is available at

The feature will allow to deploy IPA clients using Ansible. Please feel
free to send your comments, suggestions or concerns.


Thanks for design, I just read it. For now, I have just a question
regarding what is the state of communication with Ansible upstream
community, especially regarding improvement of the already developed

In the design, I see:
ipa_host module does not allow to create a random One-Time Password
all the IPA modules are authenticating to IPA server using principal +
password and do not support keytabs
all the IPA modules are communicating with the IPA server using the
remote JSON API instead of the Python API
These limitations argue in favor of a new ipahost module.
Does it mean you want to propose a parallel ipahost Ansible module for
the upstream Module Index? I would think it would be better to work with
Ansible upstream and refactor/enhance the modules that are existing in
there already, rather than fork them. The upstream Ansible modules are
in "preview" mode anyway, i.e. the interface can change.



an internal conversation also argued that my proposal would require ssh access to ipa master from Ansible controller, and some users may not agree with this.

Keeping this in mind, I now tend to think that it would be better to enhance the existing ipa_host module (still using HTTP+JSON) and if possible also support authentication with an admin keytab. The other IPA modules would benefit from this change, too.

Are there any concerns with this new approach?
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

Reply via email to