For our Puppet profile we use ipa-client-install unless the file 
/etc/ipa/default.conf exists (which is created by ipa-client-install); this 
should work for Ansible as well. The creates option in both the Puppet exec and 
Ansible shell modules seems to serve the same purpose in that regard.
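
As an added example (not code from either poster), the guard described above written as an Ansible playbook: the command module's `creates` parameter skips ipa-client-install once /etc/ipa/default.conf exists, which gives the non-idempotent CLI mentioned in the original message an idempotent wrapper. The group name, variable names and their values are placeholders; the ipa-client-install flags are the real ones.

```yaml
# Added example, not from the thread. Assumed inventory group and variables:
# ipa_clients, ipa_domain, ipa_server, ipa_enroll_principal, ipa_enroll_password.
- name: Enrol hosts as IPA clients (idempotent via the creates guard)
  hosts: ipa_clients
  become: true
  vars:
    # File written by ipa-client-install; its presence means the host is enrolled.
    ipa_marker: /etc/ipa/default.conf
  tasks:
    - name: Run ipa-client-install only when the host is not yet enrolled
      ansible.builtin.command:
        argv:
          - ipa-client-install
          - --unattended
          - "--domain={{ ipa_domain }}"
          - "--server={{ ipa_server }}"
          - "--principal={{ ipa_enroll_principal }}"
          - "--password={{ ipa_enroll_password }}"
          - --mkhomedir
        # Skip the command (reported as "ok", not "changed") if the marker exists.
        creates: "{{ ipa_marker }}"
      # The enrolment password is a secret: keep it out of the task log.
      no_log: true
      register: ipa_enroll

    - name: Check that enrolment produced the host keytab
      ansible.builtin.stat:
        path: /etc/krb5.keytab
      register: host_keytab

    - name: Fail if the marker exists but the host keytab is missing
      ansible.builtin.assert:
        that:
          - host_keytab.stat.exists
        fail_msg: "{{ ipa_marker }} exists but /etc/krb5.keytab is missing; enrolment is incomplete"
```

The `creates` guard only tests that the marker file exists, not that enrolment finished cleanly, so the trailing stat/assert tasks check for the host keytab that ipa-client-install retrieves; keep the password in Ansible Vault rather than in plain inventory.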

-----Original Message-----
From: Florence Blanc-Renaud via FreeIPA-users 
Sent: Monday 12 June 2017 10:51
To: Freeipa-users
Cc: Florence Blanc-Renaud
Subject: [Freeipa-users] Ansible and ipa-client-install


The team is starting investigations regarding the deployment of IPA using 
Ansible, and we would like to get community feedback. Ansible already provides 
a few community-maintained Identity Modules [1] that allow managing users, 
groups, hosts, HBAC rules, roles and sudo rules, but in the first phase we are 
focusing on IPA client installation.

The command line ipa-client-install configures various components 
(hostname, NTP client, IPA client, SSSD, PAM and NSS, Kerberos client + host 
keytab, DNS, ssh, OpenLDAP client, NIS, automount, Firefox prefs...). Because of 
this modularity, a possible strategy would be to provide an Ansible role for 
ipaclient, decomposing the installation into reusable Ansible parts (Kerberos 
client role, OpenLDAP client, etc.).
In order to avoid maintaining 2 different installation mechanisms, we could 
rewrite ipa-client-install so that it internally calls Ansible to perform the 
configuration. Note that this would include a new dependency on Ansible, and we 
need to make sure that this is acceptable, keeping in mind that we are not 
targeting only RHEL and Fedora but also other Linux distributions.

Another strategy would be to have Ansible call the current ipa-client-install 
command, but the limitation is that this CLI is not idempotent. It exits on 
error when the host is already configured as an IPA client.
A few community-provided IPA roles (client or server) are already using this 
approach. They can be found in Galaxy [2].

Whatever strategy is picked, we need to
- keep the Ansible module/role/playbook version aligned with the IPA version.
- identify the most important options from ipa-client-install in order to start 
with what is really needed by the community
- identify the most frequent use cases regarding
   * authentication: install with username and password, with one-time 
password, with an existing keytab
   * DNS configuration: using DNS autodiscovery based on the host domain name, 
specifying a domain or a server ...

We are waiting for your feedback on all these topics: would you be likely to 
use Ansible to deploy an IPA client, and what requirements, concerns and ideas do 
you have in this area?

Thank you for your involvement in this project: as users of FreeIPA, your voice 
really matters, and you can take this opportunity to influence the direction we 
are going to take.


[1] https://docs.ansible.com/ansible/list_of_identity_modules.html
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org