On 09/01/2017 03:56 PM, Rob Crittenden via FreeIPA-devel wrote:
> Florence Blanc-Renaud via FreeIPA-devel wrote:
>> On 08/16/2017 09:16 AM, Martin Kosek wrote:
>>> On 08/02/2017 01:36 PM, Florence Blanc-Renaud via FreeIPA-devel wrote:
>>>> Hi all,
>>>>
>>>> The first version of a new design document is available at
>>>> https://www.freeipa.org/page/V4/ClientInstallationWithAnsible
>>>>
>>>> The feature will allow deploying IPA clients using Ansible. Please feel
>>>> free to send your comments, suggestions or concerns.
>>>>
>>>> Thanks,
>>>> Flo
>>>
>>> Thanks for the design, I just read it. For now, I have just a question
>>> regarding the state of communication with the Ansible upstream
>>> community, especially regarding improvement of the already developed
>>> modules.
>>>
>>> In the design, I see:
>>> "
>>> ipa_host module does not allow creating a random One-Time Password
>>> all the IPA modules are authenticating to the IPA server using principal +
>>> password and do not support keytabs
>>> all the IPA modules are communicating with the IPA server using the
>>> remote JSON API instead of the Python API
>>> These limitations argue in favor of a new ipahost module.
>>> "
>>> Does it mean you want to propose a parallel ipahost Ansible module for
>>> the upstream Module Index? I would think it would be better to work with
>>> Ansible upstream and refactor/enhance the modules that already exist
>>> there, rather than fork them. The upstream Ansible modules are
>>> in "preview" mode anyway, i.e. the interface can change.
>>>
>>> Thanks,
>>> Martin
>>
>> Hi,
>>
>> An internal conversation also argued that my proposal would require ssh
>> access to the IPA master from the Ansible controller, and some users may not
>> agree with this.
>>
>> Keeping this in mind, I now tend to think that it would be better to
>> enhance the existing ipa_host module (still using HTTP+JSON) and, if
>> possible, also support authentication with an admin keytab. The other IPA
>> modules would benefit from this change, too.
>>
>> Are there any concerns with this new approach?
>
> Support for using an OTP is a must for proper automation.
>
> rob
> _______________________________________________
> FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

Hi Rob,

I totally agree that we need to support OTP.

The draft design was proposing to provide a new Ansible module performing the equivalent of ipa host-add/mod --random (to create the OTP) by executing the Ansible module on the IPA master and using the IPA API. Then concerns were raised that this required ssh access to the master for Ansible. Hence my proposal for the module to use JSON and be executed on the Ansible controller.

Does this clarify (or did I have a wrong interpretation of your concern)?

Flo
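The approach Flo settles on above (an Ansible module running on the controller and talking to the IPA server's JSON API, with the equivalent of `host-add --random` producing the enrollment OTP) is easy to misread as "just call host_add". The example below is an added illustration, not code from the FreeIPA project or from the Ansible `ipa_host` module: it builds the JSON-RPC body that a controller-side module would POST to the server's `/ipa/session/json` endpoint, extracts the one-time password from the server's reply, and decides what to do when the host already exists (the `DuplicateEntry` error, where the module would fall back to `host_mod --random`). No network call is made; the server responses are constructed samples, the API version string and the `4002` error code are taken from `ipalib` as the author understands them and should be treated as assumptions to verify against the target server.

```python
"""Controller-side helpers for creating an IPA host with a random OTP
through the JSON-RPC API (added example; not FreeIPA or ipa_host code)."""
import json
from typing import Any, Dict, Optional

# Assumed: the API version a client advertises; real modules read it from the server.
IPA_API_VERSION = "2.228"
# Assumed: ipalib.errors.DuplicateEntry uses errno 4002.
DUPLICATE_ENTRY_CODE = 4002


def build_host_request(method: str, fqdn: str, random_otp: bool = True,
                       api_version: str = IPA_API_VERSION) -> Dict[str, Any]:
    """Build the JSON-RPC body for host_add/host_mod.

    IPA's JSON API takes params as [positional_args, options]; ``random``
    asks the server to generate a one-time enrollment password.
    """
    if method not in ("host_add", "host_mod"):
        raise ValueError("only host_add and host_mod are handled here")
    options: Dict[str, Any] = {"version": api_version}
    if random_otp:
        options["random"] = True
    return {"method": method, "params": [[fqdn], options], "id": 0}


def serialize(request: Dict[str, Any]) -> bytes:
    """Bytes that would be POSTed to https://<server>/ipa/session/json."""
    return json.dumps(request).encode("utf-8")


def error_code(response: Dict[str, Any]) -> Optional[int]:
    """Return the IPA error code from a JSON-RPC reply, or None on success."""
    err = response.get("error")
    return int(err["code"]) if err else None


def extract_otp(response: Dict[str, Any]) -> str:
    """Pull the generated OTP out of a successful host_add/host_mod reply."""
    if error_code(response) is not None:
        raise RuntimeError("IPA error %s: %s" % (response["error"]["code"],
                                                 response["error"]["message"]))
    # Successful replies nest the entry under result -> result.
    otp = response["result"]["result"].get("randompassword")
    if not otp:
        raise RuntimeError("server did not return a randompassword field")
    return otp


def next_method(response: Dict[str, Any]) -> Optional[str]:
    """Idempotence decision after a host_add attempt.

    DuplicateEntry means the host exists: reissue the OTP with host_mod.
    Success means we are done. Any other error is surfaced to the caller.
    """
    code = error_code(response)
    if code is None:
        return None
    if code == DUPLICATE_ENTRY_CODE:
        return "host_mod"
    raise RuntimeError("unexpected IPA error %d" % code)


# Constructed sample replies in the shape IPA returns (not captured from a server).
SAMPLE_OK_RESPONSE = {
    "result": {
        "result": {"fqdn": ["client1.example.test"],
                   "randompassword": "constructed-otp-value",
                   "has_password": True},
        "value": "client1.example.test",
        "summary": 'Added host "client1.example.test"',
    },
    "error": None, "id": 0, "principal": "admin@EXAMPLE.TEST", "version": "4.5.0",
}
SAMPLE_DUP_RESPONSE = {
    "result": None,
    "error": {"code": 4002, "message": "host with name \"client1.example.test\" already exists",
              "name": "DuplicateEntry"},
    "id": 0, "principal": "admin@EXAMPLE.TEST", "version": "4.5.0",
}

if __name__ == "__main__":
    print(serialize(build_host_request("host_add", "client1.example.test")).decode())
    print("OTP:", extract_otp(SAMPLE_OK_RESPONSE))
    print("after duplicate:", next_method(SAMPLE_DUP_RESPONSE))
```

The OTP returned here is what the client side would pass to `ipa-client-install --password`; because it is single-use and bound to the host entry, the module should never log it and should treat the `host_mod` fallback as a deliberate rotation of a previously issued password.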
