On Thu, Oct 1, 2020 at 12:59 PM Ronald Wimmer via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> On 01.10.20 17:46, Alexander Bokovoy wrote:
> > On Thu, 01 Oct 2020, Ronald Wimmer via FreeIPA-users wrote:
> >> Is it possible to set this flag by default for all new IPA hosts?
> >
> > I checked the code and there is no way to set it by default. You have to
> > explicitly specify --ok-as-delegate=true when adding hosts and services.
>
> Hosts are added and enrolled by issuing the ipa-client-install command
> which does not seem to have a flag for this. So my only chance is to do
> a host-mod afterwards?
>

If you are willing to use Ansible, with ansible-freeipa you can use a playbook like:

```
- name: Add hosts
  hosts: ipaserver

  tasks:
  - name: Add host with ok_as_delegate.
    ipahost:
      ipaadmin_password: SomeADMINpassword
      name: client.ipa.test
      ip_address: 10.10.10.10
      update_dns: yes
      ok_as_delegate: yes
```

After that:

```
# ipa host-show client --all | grep Trusted
  Trusted for delegation: True
  Trusted to authenticate as user: False
```

Rafael

--
Rafael Guterres Jeffman
Senior Software Engineer 
FreeIPA - Red Hat
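
Added example, not part of the original message and not FreeIPA or ansible-freeipa code: once the flag is set automatically at enrollment, a periodic check that only approved hosts carry it is useful, since `ok-as-delegate` tells Kerberos clients the host may receive forwarded credentials. The sketch below reads `ipa host-find --all` style text and reports hosts with either "Trusted" flag set that are not on an approved list. It assumes records are separated by blank lines and start with a `Host name:` field; the function names and the sample hosts are constructed for illustration.

```shell
#!/bin/sh
# Report hosts with a delegation flag set that are not on the approved list.
# $1: space-separated approved host names; stdin: `ipa host-find --all` text.
unapproved_delegation_hosts() {
    approved=" $1 "
    host=""
    while IFS= read -r line; do
        # Strip the leading indentation the ipa CLI puts before each field.
        line="${line#"${line%%[![:space:]]*}"}"
        case "$line" in
            "Host name: "*)          # assumed label that opens each record
                host="${line#Host name: }" ;;
            "Trusted for delegation: True"|"Trusted to authenticate as user: True")
                case "$approved" in
                    *" $host "*) ;;  # approved host, nothing to report
                    *) printf '%s: %s\n' "$host" "${line%%:*}" ;;
                esac ;;
            "")                      # blank line ends the record
                host="" ;;
        esac
    done
}

# Constructed sample input (not real output from any deployment).
sample_host_find_output() {
    cat <<'EOF'
  Host name: client.ipa.test
  Principal name: host/client.ipa.test@IPA.TEST
  Trusted for delegation: True
  Trusted to authenticate as user: False

  Host name: web.ipa.test
  Principal name: host/web.ipa.test@IPA.TEST
  Trusted for delegation: True
  Trusted to authenticate as user: False

  Host name: db.ipa.test
  Principal name: host/db.ipa.test@IPA.TEST
  Trusted for delegation: False
  Trusted to authenticate as user: False
EOF
}

# Against a live server (run with a valid admin ticket):
#   ipa host-find --all | unapproved_delegation_hosts "client.ipa.test"
```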