On Mon, 2017-06-12 at 10:50 +0200, Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
> We are waiting for your feedback on all these topics: would you be
> likely to use Ansible to deploy an IPA client, which requirements,
> concerns, ideas do you have in this area?
>
> Thank you for your involvement in this project: as users of FreeIPA,
> your voice really matters, and you can take this opportunity to
> influence the direction we are going to take.
>
> Flo

Hi,

we're already using Ansible to ipa-client-install our RedHat/CentOS machines, which works well in about 99% of all installations. Our Ansible playbook calls something like this:

    - name: Join IPA domain '{{ ansible_domain }}'
      shell: ipa-client-install --domain={{ ansible_domain }} --mkhomedir --hostname={{ ansible_hostname }}.{{ ansible_domain }} --enable-dns-updates -p XXXXXXX -w XXXXXXX --unattended

We have a few different use cases:

1.) new install on servers -> using static IP address (--ip-address=x.x.x.x)
2.) new install on workstations -> mostly using DHCP for assigning IP address (--enable-dns-updates)
3.) remove server/workstation from Windows Active Directory (AD.MH.LOCAL), getting rid of Windows AD membership, afterwards joining IPA domain
4.) remove server/workstation from IPA domain e.g. 'MHDEV.LOCAL', afterwards add server/workstation to IPA domain e.g. 'MH.LOCAL'

From the experience with all these use cases, we would like to see an idempotent installation mechanism. Reasons:

- As a bad example, if we run our playbook for use case 3.) (didn't try for use case 4.)) and we do not delete /etc/sssd/sssd.conf, no new sssd.conf will be created, but the existing one will be expanded with new additional config parameters. If I remember correctly, .bkp files are created anyway, so if you would want to go back to your old files, these can still be found.
- If 'ipa-client-install' fails, we use 'ipa-client-install --uninstall' to get rid of the failed installation. Maybe this could be automated, since you never want to have a broken installation. (Reboot needed?)

Nice to have:

- Create & delete host entries, as well as DNS records, when installation & uninstallation was successful. At the moment, after unenrollment, we have to delete the DNS records of a machine (which does not exist in our IPA domain anymore) either in the Web UI or by CLI command.
- As you can see, we're using username + password during 'ipa-client-install'. Either allow encrypted passwords or give out an OTP, which can be automatically used with Ansible.

Regards,
Gerald
--
Gerald-Markus Zabos <gmzgames...@googlemail.com>
Web: http://www.gmzgames.de
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
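The three points Gerald raises (idempotent enrollment, automatic rollback of a failed ipa-client-install, and host/DNS cleanup with a one-time password instead of admin credentials) can be covered with the stock ipa-client-install and ipa CLI alone. The playbook below is an added example, not Gerald's playbook and not code shipped by FreeIPA; it assumes a hypothetical inventory group "ipa_clients", a controller that can run the "ipa" CLI against the server with an admin keytab at /etc/ansible/admin.keytab, and a realm equal to the upper-cased DNS domain.

```yaml
# Added example (not the poster's playbook, not FreeIPA's own code).
# Hypothetical assumptions: inventory group "ipa_clients"; the controller
# runs the "ipa" CLI and holds an admin keytab at /etc/ansible/admin.keytab;
# the Kerberos realm is the upper-cased DNS domain.
- name: Enroll IPA clients idempotently with a one-time password
  hosts: ipa_clients
  become: true
  vars:
    ipa_domain: "{{ ansible_domain }}"
    ipa_realm: "{{ ansible_domain | upper }}"
    client_fqdn: "{{ ansible_hostname }}.{{ ansible_domain }}"
    admin_keytab: /etc/ansible/admin.keytab
  tasks:
    - name: Check whether this host is already enrolled
      ansible.builtin.stat:
        path: /etc/ipa/default.conf
      register: ipa_conf

    # Re-running the play against an enrolled host is a no-op.
    - name: Enroll only hosts that are not yet joined
      when: not ipa_conf.stat.exists
      block:
        - name: Create the host entry (or reset a stale one) and fetch a random OTP
          # Runs on the controller. host-mod --random is refused while the
          # entry still has a keytab from an earlier enrollment, so a stale
          # entry is disabled first (host-disable fails harmlessly if it has none).
          ansible.builtin.shell: |
            set -o pipefail
            kinit -kt {{ admin_keytab }} admin@{{ ipa_realm }}
            { ipa host-add {{ client_fqdn }} --random --force \
              || { ipa host-disable {{ client_fqdn }} || true; \
                   ipa host-mod {{ client_fqdn }} --random; }; } \
              | awk '/Random password:/ {print $3}'
          args:
            executable: /bin/bash
          delegate_to: localhost
          become: false
          register: otp_out
          failed_when: otp_out.rc != 0 or (otp_out.stdout | trim | length) == 0
          no_log: true    # the OTP is printed on stdout; keep it out of logs

        - name: Join the IPA domain with the OTP (no admin password on the client)
          ansible.builtin.command: >
            ipa-client-install --unattended --mkhomedir --enable-dns-updates
            --domain={{ ipa_domain }} --realm={{ ipa_realm }}
            --hostname={{ client_fqdn }} --password={{ otp_out.stdout | trim }}
          args:
            creates: /etc/ipa/default.conf
          no_log: true

      rescue:
        - name: Roll back a half-finished enrollment instead of leaving it broken
          ansible.builtin.command: ipa-client-install --uninstall --unattended
          failed_when: false

        - name: Report the failure after cleanup
          ansible.builtin.fail:
            msg: "ipa-client-install failed on {{ client_fqdn }}; client config was removed"

- name: Unenroll IPA clients and remove their server-side host and DNS records
  hosts: ipa_clients
  become: true
  tags: [never, unenroll]    # runs only when asked for with --tags unenroll
  vars:
    client_fqdn: "{{ ansible_hostname }}.{{ ansible_domain }}"
    ipa_realm: "{{ ansible_domain | upper }}"
    admin_keytab: /etc/ansible/admin.keytab
  tasks:
    - name: Remove the client configuration (no-op if not enrolled)
      ansible.builtin.command: ipa-client-install --uninstall --unattended
      args:
        removes: /etc/ipa/default.conf

    - name: Delete the host entry together with its A/AAAA/PTR/SSHFP records
      ansible.builtin.shell: |
        kinit -kt {{ admin_keytab }} admin@{{ ipa_realm }}
        ipa host-del {{ client_fqdn }} --updatedns
      delegate_to: localhost
      become: false
      register: host_del
      failed_when: host_del.rc != 0 and 'not found' not in host_del.stderr
```

The OTP is valid for a single enrollment and is consumed by ipa-client-install, so nothing reusable is left in the playbook, the inventory or the Ansible log (both tasks that handle it carry no_log). The stat check plus creates/removes on the command tasks gives the idempotency Gerald asks for; the block/rescue pair does the automatic --uninstall on failure; and host-del --updatedns removes the DNS records that otherwise have to be cleaned up by hand in the Web UI.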