On 08/16/2017 09:16 AM, Martin Kosek wrote:
On 08/02/2017 01:36 PM, Florence Blanc-Renaud via FreeIPA-devel wrote:
> Hi all,
>
> The first version of a new design document is available at
>
> https://www.freeipa.org/page/V4/ClientInstallationWithAnsible
>
> The feature will allow deploying IPA clients using Ansible. Please feel
> free to send your comments, suggestions or concerns.
>
> Thanks,
> Flo

Thanks for the design, I just read it. For now, I have just a question
regarding what is the state of communication with Ansible upstream
community, especially regarding improvement of the already developed
modules.

In the design, I see:
"
- ipa_host module does not allow to create a random One-Time Password
- all the IPA modules are authenticating to IPA server using principal +
  password and do not support keytabs
- all the IPA modules are communicating with the IPA server using the
  remote JSON API instead of the Python API

These limitations argue in favor of a new ipahost module.
"

Does it mean you want to propose a parallel ipahost Ansible module for
the upstream Module Index? I would think it would be better to work with
Ansible upstream and refactor/enhance the modules that are existing in
there already, rather than fork them. The upstream Ansible modules are
in "preview" mode anyway, i.e. the interface can change.

Thanks,
Martin

Hi,

An internal conversation also argued that my proposal would require SSH
access to the IPA master from the Ansible controller, and some users may not
agree with this.

Keeping this in mind, I now tend to think that it would be better to
enhance the existing ipa_host module (still using HTTP+JSON) and if
possible also support authentication with an admin keytab. The other IPA
modules would benefit from this change, too.

Are there any concerns with this new approach?

Flo