the team is starting investigations regarding the deployment of IPA using Ansible, and we would like to get community feedback. Ansible already provides a few community-maintained Identity Modules [1] allowing to manage users, groups, hosts, hbac rules, roles, sudo rules, but in a first phase, we are focusing on IPA client installation.

The command line ipa-client-install is configuring various components (hostname, NTP client, IPA client, SSSD, PAM and NSS, Kerberos client + host keytab, DNS, ssh, OpenLDAP client, NIS, automount, firefox prefs...) Because of this modularity, a possible strategy would be to provide an Ansible role for ipaclient, decomposing the installation into reusable Ansible parts (kerberos client role, OpenLDAP client etc). In order to avoid maintaining 2 different installation mechanisms, we could rewrite ipa-client-install so that it internally calls Ansible to perform the configuration. Note that this would include a new dependency on Ansible, and we need to make sure that this is acceptable, keeping in mind that we are not targeting only RHEL and Fedora but also other Linux distributions.

Another strategy would be to have Ansible call the current ipa-client-install command, but the limitation is that this CLI is not idempotent. It exits on error when the host is already configured as an IPA client. A few community-provided IPA roles (client or server) are already using this approach. They can be found in Galaxy [2].

Whatever strategy is picked, we need to
- keep aligned the Ansible module/role/playbook version and IPA version.
- identify the most important options from ipa-client-install in order to start with what is really needed from the community
- identify the most frequent use cases regarding
* authentication: install with username and password, with one-time password, with an existing keytab * DNS configuration: using DNS autodiscovery based on the host domain name, specifying a domain or a server

We are waiting for your feedback on all these topics: would you be likely to use Ansible to deploy an IPA client, which requirements, concerns, ideas do you have in this area?

Thank you for your involvement in this project: as users of FreeIPA, your voice really matters, and you can take this opportunity to influence the direction we are going to take.


[1] https://docs.ansible.com/ansible/list_of_identity_modules.html
[2] https://galaxy.ansible.com/list#/roles?page=1&page_size=10&autocomplete=ipa
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to