Commit 072a765

Support passing freeipa server cert on client enrolment (#739)
* support passing freeipa server cert on client enrolment
* Fix markdown in freeipa readme
1 parent 7c51c39 commit 072a765

3 files changed, +17 -1 lines changed

ansible/roles/freeipa/README.md

Lines changed: 1 addition & 0 deletions
@@ -37,6 +37,7 @@ Support FreeIPA in the appliance. In production use it is expected the FreeIPA s
3737

3838
- `freeipa_host_password`. Required for initial enrolment only, FreeIPA host password as described above.
3939
- `freeipa_setup_dns`: Optional, whether to use the FreeIPA server as the client's nameserver. Defaults to `true` when `freeipa_server` contains a host, otherwise `false`.
40+
- `freeipa_ca_cert_file`: Optional, path **on the ansible deploy host** to FreeIPA server cert. Else this will be downloaded (insecurely) from the FreeIPA server over http.
4041

4142
See also use of `appliances_state_dir` on the control node as described above.
4243

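Review bot: the new bullet calls the file a "FreeIPA server cert", but the variable is `freeipa_ca_cert_file` and it is passed to `ipa-client-install` as `--ca-cert-file`, which takes the IPA CA certificate rather than the server's TLS certificate; reword it to "FreeIPA CA certificate" and mention that it is installed on the client as `/etc/ipa/ca.crt`. Since the documented fallback is an insecure HTTP download of the CA, the bullet should also say plainly that this variable is expected to be set for production deployments.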
ansible/roles/freeipa/defaults/main.yml

Lines changed: 1 addition & 1 deletion
@@ -10,5 +10,5 @@ freeipa_user_defaults:
1010
ipa_pass: "{{ freeipa_admin_password | quote }}"
1111
ipa_user: admin
1212
freeipa_users: [] # see community.general.ipa_user
13-
13+
freeipa_ca_cert_file: ''
1414
_freeipa_keytab_backup_path: "{{ hostvars[groups['control'].0].appliances_state_dir }}/freeipa/{{ inventory_hostname }}/krb5.keytab"
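Review bot: `freeipa_ca_cert_file: ''` carries no comment, unlike `freeipa_users` just above it; add one saying it is a path on the deploy host and that the empty string means "let the client download the CA certificate from the server", so the default matches what the README bullet describes.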

ansible/roles/freeipa/tasks/enrol.yml

Lines changed: 15 additions & 0 deletions
@@ -16,6 +16,15 @@
1616
mode: ug=rw,o=
1717
when: '"content" in _slurp_persisted_keytab'
1818

19+
- name: Copy CA Cert to host
20+
ansible.builtin.copy:
21+
src: "{{ freeipa_ca_cert_file }}"
22+
dest: /etc/ipa/ca.crt
23+
mode: u=rw,go=r
24+
owner: root
25+
group: root
26+
when: freeipa_ca_cert_file != ''
27+
1928
- name: Re-enrol with FreeIPA using backed-up keytab
2029
# Re-enrolment requires --force-join and --password, or --keytab
2130
# Re-rolement means:
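Review bot: `ansible.builtin.copy` does not create missing parent directories, so `dest: /etc/ipa/ca.crt` will fail on a host that has never been enrolled if `/etc/ipa` does not yet exist; confirm the client package creates that directory before this task runs, or put an `ansible.builtin.file` task with `state: directory` in front of it. The task also writes under `/etc`, and nothing in the hunk sets `become`, so check that the play applies the same privilege escalation here as for the `ipa-client-install` tasks that follow.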
@@ -31,6 +40,9 @@
3140
--mkhomedir
3241
--enable-dns-updates
3342
--keytab /tmp/krb5.keytab
43+
{% if freeipa_ca_cert_file != '' %}
44+
--ca-cert-file=/etc/ipa/ca.crt
45+
{% endif %}
3446
when: '"content" in _slurp_persisted_keytab'
3547
register: ipa_client_install_keytab
3648
changed_when: ipa_client_install_keytab.rc == 0
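Review bot: `--ca-cert-file=/etc/ipa/ca.crt` uses the `=` form while the neighbouring options (`--keytab /tmp/krb5.keytab`) use a space, and `/etc/ipa/ca.crt` is now hard-coded in three places; a role variable such as `_freeipa_ca_cert_dest` (hypothetical name) used by the copy task and both command templates would keep them in sync. Also verify that the `{% if %}`/`{% endif %}` lines do not leave a stray blank continuation line in the rendered command when `freeipa_ca_cert_file` is empty.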
@@ -47,6 +59,9 @@
4759
--mkhomedir
4860
--enable-dns-updates
4961
--password '{{ freeipa_host_password }}'
62+
{% if freeipa_ca_cert_file != '' %}
63+
--ca-cert-file=/etc/ipa/ca.crt
64+
{% endif %}
5065
when:
5166
- '"content" not in _slurp_persisted_keytab'
5267
- freeipa_host_password is defined
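Review bot: this `{% if freeipa_ca_cert_file != '' %} ... {% endif %}` block is identical to the one in the `--keytab` invocation above; define the argument once (for example `_freeipa_ca_cert_arg`, hypothetical name) and reference it from both commands so the two enrolment paths cannot drift. This password-based path is where the option matters most: on first enrolment there is no existing keytab-derived trust, so without `--ca-cert-file` the client fetches the CA over plain HTTP, as the README bullet notes.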

0 commit comments

Comments
 (0)