Thank you for this. I can definitely use this and will provide feedback
-g
> On Oct 5, 2017, at 10:45 AM, Alexander Bokovoy via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> On to, 05 loka 2017, Mark Haney wrote:
>> I'm fine with that. Just that IPA's implementation is very much
end-user
>> specific. I really doubt you could abstract the playbook enough to make it
>> viable for even a majority of users.
> That's why we want to make it possible to reference individual steps
> performed by IPA scripts in these playbooks. May be not so individual
> that each step within 'create DS instance' or 'create KDC instance'
can
> be addressed as that doesn't always make sense, but allowing to mix and
> match some of most important ones where we have a flexibility to do so.
>
>> Then again, what do I know, I'm just an engineer with 20+ years
>> experience.
> Me too.
>
> So, from your experience, what is missing in these playbooks?
>
>
>> On Thu, Oct 5, 2017 at 12:41 PM, Alexander Bokovoy <abokovoy(a)redhat.com>
>> wrote:
>>
>>>> On to, 05 loka 2017, Mark Haney via FreeIPA-users wrote:
>>>>
>>>> I never said I didn't like. Just that it's not that complicated
to setup a
>>>> playbook to do what you're doing.
>>>>
>>> There is a context to Thomas' message, Mark. We are trying to create a
>>> set of playbooks that would be supported by FreeIPA development team
>>> going forward. They may or may not become official ones in the Galaxy
>>> context but this is what we as an upstream would like to support.
>>>
>>> They cover right now a client side of install. Server installation would
>>> be a next step -- not wrapping around ipa-server-install and
>>> ipa-replica-install
>>> but making it possible to decouple parts of what ipa-*-install scripts
>>> are and reuse them in the playbook context in a more flexible way. This
>>> is different to what is done by other playbooks we know which mostly
>>> wrap existing scripts' execution.
>>>
>>> Thus, we are looking for a feedback to these playbooks because we want
>>> them to be useful in the field and be supported long term upstream.
>>>
>>>
>>> On Thu, Oct 5, 2017 at 11:17 AM, Thomas Woerner <twoerner(a)redhat.com>
>>>> wrote:
>>>>
>>>> Hello Mark,
>>>>>
>>>>> On 10/05/2017 03:57 PM, Mark Haney wrote:
>>>>> > I've been doing this using a custom Ansible playbook for
over a month
>>>>> now.
>>>>> > It appears to me to be very variable dependent.
>>>>> >
>>>>> For the full autodetection case you do not need more than the client
>>>>> hostname
>>>>> and the admin password/keytab (with or without OTP).
>>>>>
>>>>> The optional variables are there to alter the default configuration
>>>>> according
>>>>> to the needs. Or did I not get it right?
>>>>>
>>>>> Please be more specific on the things that you do not like.
>>>>>
>>>>> Regards,
>>>>> Thomas
>>>>>
>>>>> > On Thu, Oct 5, 2017 at 7:04 AM, Thomas Woerner via FreeIPA-users
<
>>>>> > freeipa-users(a)lists.fedorahosted.org> wrote:
>>>>> >
>>>>> >> Hello,
>>>>> >>
>>>>> >> we have made big progress with ansible-freeipa to be able to
install
>>>>> ipa
>>>>> >> clients using ansible.
>>>>> >>
>>>>> >> These are the things that we are able to do now:
>>>>> >>
>>>>> >> - Simple installation on more than one machine
>>>>> >> - One configuration file (inventory file) per realm (One
place for
>>>>> >> configuration options)
>>>>> >> - Authentication types
>>>>> >> - Simple use of OTP for installation and update
>>>>> >> - More secure (admin password not transferred to the
clients)
>>>>> >> - Only setting of a variable is needed to enable the use
of OTP
>>>>> >> - Admin principal and password
>>>>> >> - Existing host keytab
>>>>> >> - Advanced auto detection (server only, no need to provide
domain)
>>>>> >> - Repair of broken configurations
>>>>> >> - Known limitation: /etc/krb5.keytab can not be repaired
>>>>> >> - Working with freeipa-4.4 and up
>>>>> >> - RHEL-7.3 and up
>>>>> >> - Fedora-25+
>>>>> >> - Support for Python3 based freeipa in Fedora-27
>>>>> >>
>>>>> >> The basic usage is explained in the README of the
repository:
>>>>> >>
https://github.com/freeipa/ansible-freeipa
>>>>> >>
>>>>> >> I'd like to start a discussion about naming conventions
and also about
>>>>> >> customer
>>>>> >> and user requests for extensions and changes.
>>>>> >>
>>>>> >> Please give it a try and report issues you are running
into.
>>>>> >>
>>>>> >> Regards,
>>>>> >> Thomas
>>>>> >> _______________________________________________
>>>>> >> FreeIPA-users mailing list --
freeipa-users(a)lists.fedorahosted.org
>>>>> >> To unsubscribe send an email to freeipa-users-leave@lists.
>>>>>
fedorahosted.org
>>>>> >>
>>>>> >
>>>>> >
>>>>> >
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> [image: photo]
>>>> Mark Haney
>>>> Network Engineer at NeoNova
>>>> 919-460-3330 <(919)%20460-3330> (opt 1) • mark.haney(a)neonova.net
>>>>
www.neonova.net <
https://neonova.net/>
>>>> <
https://www.facebook.com/NeoNovaNNS/>
<
https://twitter.com/NeoNova_NNS>
>>>> <
http://www.linkedin.com/company/neonova-network-services>
>>>>
>>>
>>> _______________________________________________
>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedo
>>>>
rahosted.org
>>>>
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>
>>
>>
>> --
>> [image: photo]
>> Mark Haney
>> Network Engineer at NeoNova
>> 919-460-3330 <(919)%20460-3330> (opt 1) • mark.haney(a)neonova.net
>>
www.neonova.net <
https://neonova.net/>
>> <
https://www.facebook.com/NeoNovaNNS/>
<
https://twitter.com/NeoNova_NNS>
>> <
http://www.linkedin.com/company/neonova-network-services>
>
> --
> / Alexander Bokovoy
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org