The team is starting investigations regarding the deployment of IPA
using Ansible, and we would like to get community feedback. Ansible
already provides a few community-maintained Identity Modules
that allow managing users, groups, hosts, HBAC rules, roles and sudo rules,
but in a first phase we are focusing on IPA client installation.
The command-line tool ipa-client-install configures various components
(hostname, NTP client, IPA client, SSSD, PAM and NSS, Kerberos client +
host keytab, DNS, SSH, OpenLDAP client, NIS, automount, Firefox prefs...).
Because of this modularity, a possible strategy would be to provide an
Ansible role for ipaclient, decomposing the installation into reusable
Ansible parts (Kerberos client role, OpenLDAP client, etc.).
In order to avoid maintaining two different installation mechanisms, we
could rewrite ipa-client-install so that it internally calls Ansible to
perform the configuration. Note that this would include a new dependency
on Ansible, and we need to make sure that this is acceptable, keeping in
mind that we are not targeting only RHEL and Fedora but also other Linux
Another strategy would be to have Ansible call the current
ipa-client-install command, but the limitation is that this CLI is not
idempotent. It exits on error when the host is already configured as an
A few community-provided IPA roles (client or server) are already using
this approach. They can be found in Galaxy.
Whatever strategy is picked, we need to
- keep the Ansible module/role/playbook version aligned with the IPA version;
- identify the most important options of ipa-client-install in order
to start with what the community really needs;
- identify the most frequent use cases regarding
* authentication: install with username and password, with a one-time
password, or with an existing keytab;
* DNS configuration: using DNS autodiscovery based on the host domain
name, or specifying a domain or a server.
We are waiting for your feedback on all these topics: would you be
likely to use Ansible to deploy an IPA client, and what requirements,
concerns or ideas do you have in this area?
Thank you for your involvement in this project: as users of FreeIPA,
your voice really matters, and you can take this opportunity to
influence the direction we are going to take.
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
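Added example, not part of the post above and not code from the FreeIPA project or from any Galaxy role: one way to wrap the existing, non-idempotent ipa-client-install CLI in an Ansible playbook so that a re-run on an already enrolled host is skipped instead of failing, covering the three authentication cases the post lists (admin principal and password, host one-time password, existing host keytab) and both DNS cases (autodiscovery, or a pinned server). It assumes that a successful enrollment leaves /etc/ipa/default.conf on the host, which the command module's creates: argument uses as the guard; the ipaclient_* variable names, the staging path for the keytab and the inventory group are this example's own.

```yaml
# Added example, not code from the FreeIPA project or from the post above.
# Wraps the non-idempotent ipa-client-install CLI so that a second playbook
# run on an already enrolled host is a no-op instead of an error.
# Assumption: a successful enrollment leaves /etc/ipa/default.conf on the
# host, so `creates:` on the command module is used as the enrollment guard.
# All ipaclient_* variable names are this example's own.
---
- name: Enrol hosts as IPA clients with ipa-client-install
  hosts: ipaclients
  become: true
  vars:
    ipaclient_domain: example.test
    ipaclient_realm: EXAMPLE.TEST
    # One of: password | otp | keytab
    ipaclient_enrollment_method: password
    # Secrets (ipaclient_password, ipaclient_otp) are expected to come from
    # Ansible Vault or -e, never from this file.
    # Set ipaclient_server to pin an IPA server; leave it undefined to let
    # the client locate servers through DNS SRV autodiscovery.
    ipaclient_base_args: >-
      {{ ['ipa-client-install', '--unattended', '--mkhomedir',
          '--domain=' ~ ipaclient_domain, '--realm=' ~ ipaclient_realm]
         + (['--server=' ~ ipaclient_server] if ipaclient_server is defined else []) }}

  tasks:
    - name: Enrol with an admin principal and its password
      ansible.builtin.command:
        argv: "{{ ipaclient_base_args + ['--principal=' ~ ipaclient_principal, '--password=' ~ ipaclient_password] }}"
        creates: /etc/ipa/default.conf
      no_log: true   # keep the admin password out of the Ansible log
      when: ipaclient_enrollment_method == "password"

    - name: Enrol with a host one-time password (no admin credential on the host)
      ansible.builtin.command:
        argv: "{{ ipaclient_base_args + ['--password=' ~ ipaclient_otp] }}"
        creates: /etc/ipa/default.conf
      no_log: true   # the OTP is single-use, but still do not log it
      when: ipaclient_enrollment_method == "otp"

    - name: Stage a pre-created host keytab (keytab method only)
      ansible.builtin.copy:
        src: "{{ ipaclient_keytab_src }}"
        dest: /root/ipaclient-enroll.keytab
        owner: root
        group: root
        mode: "0600"
      when: ipaclient_enrollment_method == "keytab"

    - name: Enrol with the staged host keytab
      ansible.builtin.command:
        argv: "{{ ipaclient_base_args + ['--keytab=/root/ipaclient-enroll.keytab'] }}"
        creates: /etc/ipa/default.conf
      when: ipaclient_enrollment_method == "keytab"

    - name: Verify the enrolled host keytab is accepted by the KDC
      ansible.builtin.command:
        argv:
          - kinit
          - -kt
          - /etc/krb5.keytab
          - "host/{{ ansible_fqdn }}@{{ ipaclient_realm }}"
      environment:
        KRB5CCNAME: "MEMORY:ipaclient-verify"   # ticket dies with the process
      changed_when: false
```

Two caveats a practitioner should keep in mind. First, the creates: guard only answers "is this host enrolled at all"; it does not reconcile a host that is enrolled against a different domain, realm or server than the playbook now asks for, which is exactly the limitation of the "Ansible calls ipa-client-install" strategy that the post describes. Second, the final kinit task is the check that the wrapper is worth having: it makes a run fail loudly when enrollment appeared to succeed but the host keytab is not usable against the KDC, and the MEMORY: credential cache means the verification leaves no ticket behind on the host.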