On Mon, 2017-06-12 at 10:50 +0200, Florence Blanc-Renaud via
FreeIPA-users wrote:
> Hi,

> We are waiting for your feedback on all these topics: would you be 
> likely to use Ansible to deploy an IPA client, which requirements, 
> concerns, ideas do you have in this area?
> Thank you for your involvement in this project: as users of FreeIPA, 
> your voice really matters, and you can take this opportunity to 
> influence the direction we are going to take.
> Flo


we're already using ansible to ipa-client-install our RedHat/CentOS
machines, which works well in about 99% of all installations. Our
ansible playbook calls something like this:

- name: Join IPA domain '{{ ansible_domain }}'
  shell: ipa-client-install --domain={{ ansible_domain }} --mkhomedir
--hostname={{ ansible_hostname }}.{{ ansible_domain }}
--enable-dns-updates -p XXXXXXX -w XXXXXXX --unattended

We have a few different use cases:

1.)- new install on servers -> using static IP address
2.)- new install on workstations -> mostly using DHCP for assigning IP
address (--enable-dns-updates)
3.)- remove server/workstation from Windows Active Directory
(AD.MH.LOCAL), getting rid of Windows AD membership, afterwards joining
IPA domain
4.)- remove server/workstation from IPA domain e.g. 'MHDEV.LOCAL',
afterwards add server/workstation to IPA domain e.g. 'MH.LOCAL'

As from the experience with all these use cases, we would like to see an
idempotent installation mechanism. Reasons:

- As a bad example, if we run our playbook for use case 3.) (didn't try
for use case 4.) ) and we do not delete /etc/sssd/sssd.conf, no new
sssd.conf will be created, but the existing one will be expanded with
new additional config parameters. If i remember correct, .bkp files are
created anyways, so if you would want to go back to your old files,
these can be still found.

- If 'ipa-client-install' fails, we use 'ipa-client-install --uninstall'
to get rid of the failed installation. Maybe this could be automated,
since you never want to have a broken installation. (Reboot needed?)

Nice to have:
- Create & delete host entries, as well as DNS records when installation
& uninstallation was successful. At the moment, after unenrollment, we
have to delete DNS records of a machine (which does not exist in our IPA
domain anymore) by either doing this in the Web UI or by cli command.

- As you can see, we're using username + password during
'ipa-client-install'. Either allow crypted passwords or give out OTP,
which can be automatically used with ansible.


Gerald-Markus Zabos <gmzgames...@googlemail.com>
Web: http://www.gmzgames.de
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to