diff --git a/SOURCES/ansible-freeipa-0.1.12-ipareplica-Fix-missing-parameters-for-several-module_hbz#1855299.patch b/SOURCES/ansible-freeipa-0.1.12-ipareplica-Fix-missing-parameters-for-several-module_hbz#1855299.patch
new file mode 100644
index 0000000..ad3ce22
--- /dev/null
+++ b/SOURCES/ansible-freeipa-0.1.12-ipareplica-Fix-missing-parameters-for-several-module_hbz#1855299.patch
@@ -0,0 +1,271 @@
+From 7a2eaa6f535b1353d46bcfa8b0b2484b15ff3863 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner <twoerner@redhat.com>
+Date: Tue, 7 Jul 2020 17:13:09 +0200
+Subject: [PATCH] ipareplica: Fix missing parameters for several modules
+
+The parameters master_host_name, config_setup_ca, dirman_password have not
+been set for some modules. Also there was no ldap2 connection within
+ipareplica_setup_kra. All this resulted in improper configuration where
+for example KRA deployment failed in the end.
+
+A conversion warning in ipareplica_setup_adtrust has also been fixed for
+the setup_ca parameter.
+
+Fixes #314 (IPA replica installation failure - DS enabled SSL - second part)
+---
+ .../library/ipareplica_create_ipa_conf.py      |  1 +
+ .../library/ipareplica_ds_apply_updates.py     |  1 +
+ .../library/ipareplica_ds_enable_ssl.py        |  1 +
+ .../library/ipareplica_setup_adtrust.py        |  2 +-
+ .../library/ipareplica_setup_custodia.py       |  1 +
+ .../library/ipareplica_setup_http.py           |  2 +-
+ .../ipareplica/library/ipareplica_setup_kra.py | 18 ++++++++++++++++++
+ .../ipareplica/library/ipareplica_setup_krb.py |  7 +++++++
+ roles/ipareplica/tasks/install.yml             |  8 ++++++++
+ 9 files changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/roles/ipareplica/library/ipareplica_create_ipa_conf.py b/roles/ipareplica/library/ipareplica_create_ipa_conf.py
+index 3a85a6f..c475469 100644
+--- a/roles/ipareplica/library/ipareplica_create_ipa_conf.py
++++ b/roles/ipareplica/library/ipareplica_create_ipa_conf.py
+@@ -262,6 +262,7 @@ def main():
+     config.subject_base = options.subject_base
+     config.dirman_password = dirman_password
+     config.ca_host_name = ca_host_name
++    config.setup_ca = options.setup_ca
+ 
+     remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
+     installer._remote_api = remote_api
+diff --git a/roles/ipareplica/library/ipareplica_ds_apply_updates.py b/roles/ipareplica/library/ipareplica_ds_apply_updates.py
+index 3796874..71008b3 100644
+--- a/roles/ipareplica/library/ipareplica_ds_apply_updates.py
++++ b/roles/ipareplica/library/ipareplica_ds_apply_updates.py
+@@ -177,6 +177,7 @@ def main():
+     config = gen_ReplicaConfig()
+     config.dirman_password = dirman_password
+     config.subject_base = options.subject_base
++    config.master_host_name = master_host_name
+ 
+     remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
+ 
+diff --git a/roles/ipareplica/library/ipareplica_ds_enable_ssl.py b/roles/ipareplica/library/ipareplica_ds_enable_ssl.py
+index a1b638e..3e4090d 100644
+--- a/roles/ipareplica/library/ipareplica_ds_enable_ssl.py
++++ b/roles/ipareplica/library/ipareplica_ds_enable_ssl.py
+@@ -173,6 +173,7 @@ def main():
+     config = gen_ReplicaConfig()
+     config.dirman_password = dirman_password
+     config.subject_base = options.subject_base
++    config.master_host_name = master_host_name
+ 
+     remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
+     # installer._remote_api = remote_api
+diff --git a/roles/ipareplica/library/ipareplica_setup_adtrust.py b/roles/ipareplica/library/ipareplica_setup_adtrust.py
+index c830ebf..734e56d 100644
+--- a/roles/ipareplica/library/ipareplica_setup_adtrust.py
++++ b/roles/ipareplica/library/ipareplica_setup_adtrust.py
+@@ -110,7 +110,7 @@ def main():
+             # additional
+             ccache=dict(required=True),
+             _top_dir=dict(required=True),
+-            setup_ca=dict(required=True),
++            setup_ca=dict(required=True, type='bool'),
+             config_master_host_name=dict(required=True),
+         ),
+         supports_check_mode=True,
+diff --git a/roles/ipareplica/library/ipareplica_setup_custodia.py b/roles/ipareplica/library/ipareplica_setup_custodia.py
+index 5a74e87..2e95c26 100644
+--- a/roles/ipareplica/library/ipareplica_setup_custodia.py
++++ b/roles/ipareplica/library/ipareplica_setup_custodia.py
+@@ -169,6 +169,7 @@ def main():
+     config.promote = installer.promote
+     config.kra_enabled = kra_enabled
+     config.kra_host_name = kra_host_name
++    config.setup_ca = options.setup_ca
+ 
+     remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
+ 
+diff --git a/roles/ipareplica/library/ipareplica_setup_http.py b/roles/ipareplica/library/ipareplica_setup_http.py
+index 987ea95..3fa4807 100644
+--- a/roles/ipareplica/library/ipareplica_setup_http.py
++++ b/roles/ipareplica/library/ipareplica_setup_http.py
+@@ -164,7 +164,7 @@ def main():
+     config.subject_base = options.subject_base
+     config.dirman_password = dirman_password
+     config.setup_ca = options.setup_ca
+-    # config.master_host_name = master_host_name
++    config.master_host_name = master_host_name
+     config.ca_host_name = ca_host_name
+     config.promote = installer.promote
+ 
+diff --git a/roles/ipareplica/library/ipareplica_setup_kra.py b/roles/ipareplica/library/ipareplica_setup_kra.py
+index 3149c10..0b2f681 100644
+--- a/roles/ipareplica/library/ipareplica_setup_kra.py
++++ b/roles/ipareplica/library/ipareplica_setup_kra.py
+@@ -120,6 +120,9 @@ options:
+   _subject_base:
+     description: The installer _subject_base setting
+     required: no
++  dirman_password:
++    description: Directory Manager (master) password
++    required: no
+ author:
+     - Thomas Woerner
+ '''
+@@ -173,10 +176,12 @@ def main():
+             _ca_enabled=dict(required=False, type='bool'),
+             _kra_enabled=dict(required=False, type='bool'),
+             _kra_host_name=dict(required=False),
++            _ca_host_name=dict(required=False),
+             _top_dir=dict(required=True),
+             _add_to_ipaservers=dict(required=True, type='bool'),
+             _ca_subject=dict(required=True),
+             _subject_base=dict(required=True),
++            dirman_password=dict(required=True, no_log=True),
+         ),
+         supports_check_mode=True,
+     )
+@@ -233,6 +238,7 @@ def main():
+     ca_enabled = ansible_module.params.get('_ca_enabled')
+     kra_enabled = ansible_module.params.get('_kra_enabled')
+     kra_host_name = ansible_module.params.get('_kra_host_name')
++    ca_host_name = ansible_module.params.get('_ca_host_name')
+ 
+     options.subject_base = ansible_module.params.get('subject_base')
+     if options.subject_base is not None:
+@@ -243,6 +249,7 @@ def main():
+ 
+     options._ca_subject = ansible_module.params.get('_ca_subject')
+     options._subject_base = ansible_module.params.get('_subject_base')
++    dirman_password = ansible_module.params.get('dirman_password')
+ 
+     # init #
+ 
+@@ -254,14 +261,25 @@ def main():
+                                          constants.DEFAULT_CONFIG)
+     api_bootstrap_finalize(env)
+     config = gen_ReplicaConfig()
++    config.dirman_password = dirman_password
+     config.subject_base = options.subject_base
+     config.promote = installer.promote
+     config.kra_enabled = kra_enabled
+     config.kra_host_name = kra_host_name
++    config.ca_host_name = ca_host_name
++    config.master_host_name = master_host_name
+ 
+     remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
+     installer._remote_api = remote_api
+ 
++    conn = remote_api.Backend.ldap2
++    ccache = os.environ['KRB5CCNAME']
++
++    # There is a api.Backend.ldap2.connect call somewhere in ca, ds, dns or
++    # ntpinstance
++    api.Backend.ldap2.connect()
++    conn.connect(ccache=ccache)
++
+     with redirect_stdout(ansible_log):
+         ansible_log.debug("-- INSTALL KRA --")
+ 
+diff --git a/roles/ipareplica/library/ipareplica_setup_krb.py b/roles/ipareplica/library/ipareplica_setup_krb.py
+index c8d09f7..4500a6f 100644
+--- a/roles/ipareplica/library/ipareplica_setup_krb.py
++++ b/roles/ipareplica/library/ipareplica_setup_krb.py
+@@ -63,6 +63,9 @@ options:
+   _top_dir:
+     description: The installer _top_dir setting
+     required: no
++  dirman_password:
++    description: Directory Manager (master) password
++    required: no
+ author:
+     - Thomas Woerner
+ '''
+@@ -98,6 +101,7 @@ def main():
+             ccache=dict(required=True),
+             _pkinit_pkcs12_info=dict(required=False, type='list'),
+             _top_dir=dict(required=True),
++            dirman_password=dict(required=True, no_log=True),
+         ),
+         supports_check_mode=True,
+     )
+@@ -126,6 +130,7 @@ def main():
+         '_pkinit_pkcs12_info')
+ 
+     options._top_dir = ansible_module.params.get('_top_dir')
++    dirman_password = ansible_module.params.get('dirman_password')
+ 
+     # init #
+ 
+@@ -141,8 +146,10 @@ def main():
+                                          constants.DEFAULT_CONFIG)
+     api_bootstrap_finalize(env)
+     config = gen_ReplicaConfig()
++    config.dirman_password = dirman_password
+     config.master_host_name = config_master_host_name
+     config.subject_base = options.subject_base
++    config.setup_ca = options.setup_ca
+ 
+     ccache = os.environ['KRB5CCNAME']
+ 
+diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
+index c2a6222..ddb3f85 100644
+--- a/roles/ipareplica/tasks/install.yml
++++ b/roles/ipareplica/tasks/install.yml
+@@ -226,6 +226,8 @@
+       setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
+       setup_kra: "{{ result_ipareplica_test.setup_kra }}"
+       setup_dns: "{{ ipareplica_setup_dns }}"
++      ### server ###
++      setup_ca: "{{ ipareplica_setup_ca }}"
+       ### ssl certificate ###
+       dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"
+       ### client ###
+@@ -332,6 +334,7 @@
+       _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
+       _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
+       dirman_password: "{{ ipareplica_dirman_password }}"
++      setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
+ 
+   - name: Install - Setup KRB
+     ipareplica_setup_krb:
+@@ -347,6 +350,7 @@
+       ccache: "{{ result_ipareplica_prepare.ccache }}"
+       _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info  if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"
+       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
++      dirman_password: "{{ ipareplica_dirman_password }}"
+ 
+   # We need to point to the master in ipa default conf when certmonger
+   # asks for HTTP certificate in newer ipa versions. In these versions
+@@ -388,6 +392,7 @@
+       _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
+       _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
+       dirman_password: "{{ ipareplica_dirman_password }}"
++      setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
+       master:
+         "{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
+     when: result_ipareplica_test.change_master_for_certmonger
+@@ -471,6 +476,7 @@
+       _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
+       _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
+       dirman_password: "{{ ipareplica_dirman_password }}"
++      setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
+     when: result_ipareplica_test.change_master_for_certmonger
+ 
+   - name: Install - Setup otpd
+@@ -611,10 +617,12 @@
+       _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
+       _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}"
+       _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}"
++      _ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
+       _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
+       _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}"
+       _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
+       _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
++      dirman_password: "{{ ipareplica_dirman_password }}"
+     when: result_ipareplica_test.setup_kra
+ 
+   - name: Install - Restart KDC
+-- 
+2.26.2
+
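Review bot: The new `dirman_password` option is documented as `required: no` in the DOCUMENTATION blocks of ipareplica_setup_kra.py and ipareplica_setup_krb.py, while both argument specs declare it `dirman_password=dict(required=True, no_log=True)`. The docs should read `required: yes`, so that playbook authors know the Directory Manager password is mandatory for these two modules. The added `config.setup_ca = options.setup_ca` lines in ipareplica_create_ipa_conf.py, ipareplica_setup_custodia.py and ipareplica_setup_krb.py depend on argument specs that are outside these hunks, and the Setup KRB task in install.yml appears to gain only `dirman_password`. Please confirm that each of those modules receives `setup_ca` and declares it with `type='bool'` as the adtrust fix does, because an untyped value can arrive as the string `'False'`, which is truthy. In ipareplica_setup_kra.py the added `api.Backend.ldap2.connect()` and `conn.connect(ccache=ccache)` have no disconnect in the visible lines, and main() continues past the hunk, so it is worth checking that both connections are closed on the failure paths as well.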
diff --git a/SPECS/ansible-freeipa.spec b/SPECS/ansible-freeipa.spec
index c7862d2..a6d4b0b 100644
--- a/SPECS/ansible-freeipa.spec
+++ b/SPECS/ansible-freeipa.spec
@@ -6,7 +6,7 @@
 Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients
 Name: ansible-freeipa
 Version: 0.1.12
-Release: 4%{?dist}
+Release: 5%{?dist}
 URL: https://github.com/freeipa/ansible-freeipa
 License: GPLv3+
 Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
@@ -17,6 +17,7 @@ Patch4: ansible-freeipa-0.1.12-ipa-host-group-Fix-membermanager-unknow-user-issu
 Patch5: ansible-freeipa-0.1.12-ipa-user,host-Fail-on-duplucate-names-in-the-users-and-hosts-lists_rhbz#1822683.patch
 Patch6: ansible-freeipa-0.1.12-action_plugins-ipaclient_get_otp-Discovered-python-n_rhbz#1852714.patch
 Patch7: ansible-freeipa-0.1.12-ipa-server-replica-Fix-pkcs12-info-regressions-intro_rhbz#1853284.patch
+Patch8: ansible-freeipa-0.1.12-ipareplica-Fix-missing-parameters-for-several-module_hbz#1855299.patch
 BuildArch: noarch
 
 #Requires: ansible
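Review bot: The Patch8 file name ends in `_hbz#1855299.patch`, whereas Patch5 to Patch7 use the `_rhbz#` suffix, so this looks like a dropped `r`. Renaming it to `..._rhbz#1855299.patch`, both here and for the file under SOURCES/, would keep the bug reference searchable and consistent with the `Resolves: RHBZ#1855299` changelog entry.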
@@ -102,6 +103,7 @@ a separate step before starting the server installation.
 %patch5 -p1
 %patch6 -p1
 %patch7 -p1
+%patch8 -p1
 # Fix python modules and module utils:
 # - Remove shebang
 # - Remove execute flag
@@ -136,6 +138,10 @@ cp -rp plugins/* %{buildroot}%{_datadir}/ansible/plugins/
 %doc playbooks
 
 %changelog
+* Tue Jul 14 2020 Thomas Woerner <twoerner@redhat.com> - 0.1.12-5
+- ipareplica: Fix failure while deploying KRA
+  Resolves: RHBZ#1855299
+
 * Thu Jul 02 2020 Thomas Woerner <twoerner@redhat.com> - 0.1.12-4
 - ipa[server,replica]: Fix pkcs12 info regressions introduced with CA-less
   Resolves: RHBZ#1853284