On Fri, Jan 08, 2021 at 11:31:28AM -0300, Rafael Jeffman wrote:
> On Fri, Jan 8, 2021 at 11:03 AM Dominik Vogt via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> > We have to set up the ipa-server with Ansible scripts, but there
> > isn't a module for everything. For example, this command needs to
> > be executed.
> >
> >   - name: ...
> >     shell: ipa config-mod --ipaselinuxusermaporder="..."
> >
> > However, that doesn't work (using either the "root" or ipa "admin"
> > accounts) because the Kerberos ticket granting ticket is missing.
> > Hard coding user and password in a plain script or on the command
> > line is bad. I've really no idea how to solve this.
> >
>
> If running IPA commands with the `shell` module, you need to `kinit` in the
> script. If I need to, I wrap them with something like:
Actually the command to run is so complex that I use "script" instead of
"shell" - mostly because of that very annoying behaviour of the ipa commands
to generate an error if a change is requested but the requested value was
already active.

>   - block:
>     - name: Verify assymetric-only fields are not present.
>       shell: |
>         echo {{ some_secret }} | kinit -c {{ KRB5CCNAME }} admin
>         KRB5CCNAME={{ KRB5CCNAME }} ipa vault-show test_vault
>         kdestroy -A -q -c {{ KRB5CCNAME }}
>       vars:
>         KRB5CCNAME: some_very_unique_name
>
> But I resort to it only if I really need to.

I'll check that.

> I'd second the suggestion to use ansible-freeipa's ipaconfig module.

Okay, I'll take a look at that. Sounds much better than the modules coming
with Ansible. Is it considered to be a part of ipa? Because, if we use third
party software for our project, we'll have to justify why we need it and why
it can be assumed to be safe, and that security patches will be available.

Ciao

Dominik ^_^  ^_^

--
Dominik Vogt
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
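The kinit-wrapping pattern Rafael describes, and the "error when the value is already set" behaviour Dominik complains about, can both be handled in plain Ansible without putting the password on a command line. The playbook below is an added example written for this thread; it is not from either poster and not from ansible-freeipa. It assumes the admin password lives in an Ansible Vault variable named `ipaadmin_password`, that `selinux_map_order` holds the desired (here constructed) map order string, and that the ipa client prints `no modifications to be performed` on stderr when nothing changes; verify that message against the ipa version in use.

```yaml
# Added example (not from the thread, not ansible-freeipa code).
# Assumed variables: ipaadmin_password (from ansible-vault), selinux_map_order.
- name: Run an ipa command with a short-lived, task-private credential cache
  hosts: ipaservers
  vars:
    # Constructed placeholder value; replace with the real map order.
    selinux_map_order: "guest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023"
  tasks:
    - name: Create a private credential cache file (unique per run)
      tempfile:
        state: file
        prefix: krb5cc_ansible_
      register: ccache

    - block:
        - name: Obtain a TGT for admin; password goes via stdin, not argv
          shell: kinit -c "{{ ccache.path }}" admin
          args:
            stdin: "{{ ipaadmin_password }}"
          no_log: true   # keep the secret out of stdout, logs and the journal

        - name: Set the SELinux user map order
          command: ipa config-mod --ipaselinuxusermaporder="{{ selinux_map_order }}"
          environment:
            KRB5CCNAME: "FILE:{{ ccache.path }}"
          register: cfg
          # ipa exits non-zero when the value is already active; treat that
          # as "ok, nothing to do" instead of a failure, and report changed
          # only when the command really modified something.
          failed_when: cfg.rc != 0 and 'no modifications to be performed' not in cfg.stderr
          changed_when: cfg.rc == 0

      always:
        - name: Destroy the ticket even if an earlier task failed
          command: kdestroy -c "{{ ccache.path }}"
          ignore_errors: true

        - name: Remove the cache file
          file:
            path: "{{ ccache.path }}"
            state: absent
```

The `block`/`always` pair is what makes the cleanup reliable: if `ipa config-mod` fails, the ticket is still destroyed and the cache file removed, so no long-lived admin TGT is left on the host. `no_log: true` on the kinit task matters because `shell` otherwise records its arguments and stdin in the play output. Passing the cache through `environment:` rather than prefixing the command keeps the path out of the shell string and avoids quoting surprises.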