freeipa.ansible_freeipa.ipaclient_join (1.8.4) — module

Join a machine to an IPA realm and get a keytab for the host service principal

Authors: Thomas Woerner

preview | supported by community

Install collection

Install with ansible-galaxy collection install freeipa.ansible_freeipa:==1.8.4


Add to requirements.yml

  collections:
    - name: freeipa.ansible_freeipa
      version: 1.8.4

Description

Join a machine to an IPA realm and get a keytab for the host service principal

Usage examples

# Join IPA to get the keytab
- name: Join IPA in force mode with maximum 5 kinit attempts
  freeipa.ansible_freeipa.ipaclient_join:
    servers: ["server1.example.com","server2.example.com"]
    domain: example.com
    realm: EXAMPLE.COM
    kdc: server1.example.com
    basedn: dc=example,dc=com
    hostname: client1.example.com
    principal: admin
    password: MySecretPassword
    force_join: yes
    kinit_attempts: 5
# Join IPA to get the keytab using ipadiscovery return values
- name: Join IPA
  freeipa.ansible_freeipa.ipaclient_join:
    servers: "{{ ipadiscovery.servers }}"
    domain: "{{ ipadiscovery.domain }}"
    realm: "{{ ipadiscovery.realm }}"
    kdc: "{{ ipadiscovery.kdc }}"
    basedn: "{{ ipadiscovery.basedn }}"
    hostname: "{{ ipadiscovery.hostname }}"
    principal: admin
    password: MySecretPassword
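The two examples above pass the admin password as a plain string in the task. The play below is an added example, not code from the ansible_freeipa project, showing the same join done the way a practitioner would usually want it in production: authenticating with the admin_keytab parameter instead of a password written into the playbook, pinning the IPA CA with ca_cert_file so it is not fetched over the network during enrollment, hiding the task's arguments from logs with no_log, removing the admin keytab from the client afterwards, and branching on the already_joined return value. The host group ipaclients, the variable names ipaclient_*, the local path files/admin.keytab and the CA path /root/ipa-ca.crt are this example's own assumptions; the module parameters are the ones documented on this page.

```yaml
# Added example, not part of the ansible_freeipa project.
- name: Enroll clients into the IPA realm using an admin keytab
  hosts: ipaclients            # assumed inventory group
  become: true
  vars:
    # Assumed values; in a real deployment these come from inventory or vault.
    ipaclient_servers:
      - server1.example.com
      - server2.example.com
    ipaclient_domain: example.com
    ipaclient_realm: EXAMPLE.COM
    ipaclient_basedn: dc=example,dc=com
  tasks:
    - name: Stage the admin keytab on the client with root-only permissions
      ansible.builtin.copy:
        src: files/admin.keytab      # assumed path on the controller
        dest: /root/admin.keytab
        owner: root
        group: root
        mode: "0600"
      no_log: true                    # keep keytab contents out of logs and diffs

    - name: Stage the IPA CA certificate distributed out of band
      ansible.builtin.copy:
        src: files/ipa-ca.crt        # assumed path on the controller
        dest: /root/ipa-ca.crt
        owner: root
        group: root
        mode: "0644"

    - name: Join the IPA realm and obtain the host keytab
      freeipa.ansible_freeipa.ipaclient_join:
        servers: "{{ ipaclient_servers }}"
        domain: "{{ ipaclient_domain }}"
        realm: "{{ ipaclient_realm }}"
        kdc: "{{ ipaclient_servers[0] }}"
        basedn: "{{ ipaclient_basedn }}"
        hostname: "{{ ansible_facts['fqdn'] }}"
        admin_keytab: /root/admin.keytab   # no password in the playbook
        ca_cert_file: /root/ipa-ca.crt     # pin the CA instead of fetching it
        kinit_attempts: 5
      register: join_result
      no_log: true                    # do not echo module arguments into logs

    - name: Remove the admin keytab now that the join is complete
      ansible.builtin.file:
        path: /root/admin.keytab
        state: absent

    - name: Report what this run did
      ansible.builtin.debug:
        msg: >-
          {{ 'host was already joined; no new enrollment performed'
             if join_result.already_joined
             else 'host enrolled into ' ~ ipaclient_realm }}
```

The keytab removal task is deliberately separate from the join so it still runs when the join reports the host as already joined; if the join task itself fails, the keytab is left behind, so a real playbook would wrap the join and the removal in a block with an always section.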

Inputs

kdc:
    description: The name or address of the host running the KDC
    required: true

debug:
    description: Turn on extra debugging
    required: false

realm:
    description: Kerberos realm name of the IPA deployment
    required: true

basedn:
    description: The basedn of the IPA server (of the form dc=example,dc=com)
    required: true

domain:
    description: Primary DNS domain of the IPA deployment
    required: true

keytab:
    description: Path to a backed-up host keytab from a previous enrollment, used to re-join
      without admin credentials
    required: false

servers:
    description: Fully qualified names of the IPA servers to enroll to
    required: true

hostname:
    description: Fully qualified name of this host
    required: true

password:
    description: Kerberos password of the joining principal. Treat it as a secret (store it in
      a vault rather than writing it into the playbook); not needed when admin_keytab or
      keytab is used
    required: false

principal:
    description: User principal allowed to promote replicas and join hosts to the IPA realm
    required: false

force_join:
    description: Force client enrollment even if the host is already enrolled
    required: false

admin_keytab:
    description: Path to a local admin keytab, used for the join instead of principal and
      password
    required: false

ca_cert_file:
    description: A CA certificate file to use. When set, the IPA CA certificate is not
      acquired via automated means
    required: false

kinit_attempts:
    description: Number of times to retry the request for the host Kerberos ticket
    required: false
    default: 5

Outputs

already_joined:
  description: Whether the host was already joined to the realm.
  returned: always
  type: bool