Skip to content

Support passing freeipa server cert on client enrolment #739

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Jul 30, 2025
Merged

Support passing freeipa server cert on client enrolment #739

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
1d0650d
support passing freeipa server cert on client enrolment
sjpb Jul 29, 2025
253de35
Fix markdown in freeipa readme
sjpb Jul 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions ansible/roles/freeipa/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,7 @@ Support FreeIPA in the appliance. In production use it is expected the FreeIPA s

- `freeipa_host_password`. Required for initial enrolment only, FreeIPA host password as described above.
- `freeipa_setup_dns`: Optional, whether to use the FreeIPA server as the client's nameserver. Defaults to `true` when `freeipa_server` contains a host, otherwise `false`.
- `freeipa_ca_cert_file`: Optional, path **on the ansible deploy host** to FreeIPA server cert. Else this will be downloaded (insecurely) from the FreeIPA server over http.

See also use of `appliances_state_dir` on the control node as described above.

Expand Down
2 changes: 1 addition & 1 deletion ansible/roles/freeipa/defaults/main.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,5 +10,5 @@ freeipa_user_defaults:
ipa_pass: "{{ freeipa_admin_password | quote }}"
ipa_user: admin
freeipa_users: [] # see community.general.ipa_user

freeipa_ca_cert_file: ''
_freeipa_keytab_backup_path: "{{ hostvars[groups['control'].0].appliances_state_dir }}/freeipa/{{ inventory_hostname }}/krb5.keytab"
15 changes: 15 additions & 0 deletions ansible/roles/freeipa/tasks/enrol.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,15 @@
mode: ug=rw,o=
when: '"content" in _slurp_persisted_keytab'

- name: Copy CA Cert to host
ansible.builtin.copy:
src: "{{ freeipa_ca_cert_file }}"
dest: /etc/ipa/ca.crt
mode: u=rw,go=r
owner: root
group: root
when: freeipa_ca_cert_file != ''

- name: Re-enrol with FreeIPA using backed-up keytab
# Re-enrolment requires --force-join and --password, or --keytab
# Re-rolement means:
Expand All @@ -31,6 +40,9 @@
--mkhomedir
--enable-dns-updates
--keytab /tmp/krb5.keytab
{% if freeipa_ca_cert_file != '' %}
--ca-cert-file=/etc/ipa/ca.crt
{% endif %}
when: '"content" in _slurp_persisted_keytab'
register: ipa_client_install_keytab
changed_when: ipa_client_install_keytab.rc == 0
Expand All @@ -47,6 +59,9 @@
--mkhomedir
--enable-dns-updates
--password '{{ freeipa_host_password }}'
{% if freeipa_ca_cert_file != '' %}
--ca-cert-file=/etc/ipa/ca.crt
{% endif %}
when:
- '"content" not in _slurp_persisted_keytab'
- freeipa_host_password is defined
Expand Down
Loading