diff --git a/SOURCES/ansible-freeipa-0.1.12-ipareplica-Fix-missing-parameters-for-several-module_hbz#1855299.patch b/SOURCES/ansible-freeipa-0.1.12-ipareplica-Fix-missing-parameters-for-several-module_hbz#1855299.patch
new file mode 100644
index 0000000..ad3ce22
--- /dev/null
+++ b/SOURCES/ansible-freeipa-0.1.12-ipareplica-Fix-missing-parameters-for-several-module_hbz#1855299.patch
@@ -0,0 +1,271 @@
+From 7a2eaa6f535b1353d46bcfa8b0b2484b15ff3863 Mon Sep 17 00:00:00 2001
+From: Thomas Woerner
+Date: Tue, 7 Jul 2020 17:13:09 +0200
+Subject: [PATCH] ipareplica: Fix missing parameters for several modules
+
+The parameters master_host_name, config_setup_ca, dirman_password have not
+been set for some modules. Also there was no ldap2 connection within
+ipareplica_setup_kra. All this resulted in improper configuration where
+for example KRA deployment failed in the end.
+
+A conversion warning in ipareplica_setup_adtrust has also been fixed for
+the setup_ca parameter.
+
+Fixes #314 (IPA replica installation failure - DS enabled SSL - second part)
+---
+ .../library/ipareplica_create_ipa_conf.py | 1 +
+ .../library/ipareplica_ds_apply_updates.py | 1 +
+ .../library/ipareplica_ds_enable_ssl.py | 1 +
+ .../library/ipareplica_setup_adtrust.py | 2 +-
+ .../library/ipareplica_setup_custodia.py | 1 +
+ .../library/ipareplica_setup_http.py | 2 +-
+ .../ipareplica/library/ipareplica_setup_kra.py | 18 ++++++++++++++++++
+ .../ipareplica/library/ipareplica_setup_krb.py | 7 +++++++
+ roles/ipareplica/tasks/install.yml | 8 ++++++++
+ 9 files changed, 39 insertions(+), 2 deletions(-)
+
+diff --git a/roles/ipareplica/library/ipareplica_create_ipa_conf.py b/roles/ipareplica/library/ipareplica_create_ipa_conf.py
+index 3a85a6f..c475469 100644
+--- a/roles/ipareplica/library/ipareplica_create_ipa_conf.py
++++ b/roles/ipareplica/library/ipareplica_create_ipa_conf.py
+@@ -262,6 +262,7 @@ def main():
+ config.subject_base = options.subject_base
+ config.dirman_password = dirman_password
+ config.ca_host_name = ca_host_name
++ config.setup_ca = options.setup_ca
+
+ remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
+ installer._remote_api = remote_api
+diff --git a/roles/ipareplica/library/ipareplica_ds_apply_updates.py b/roles/ipareplica/library/ipareplica_ds_apply_updates.py
+index 3796874..71008b3 100644
+---
a/roles/ipareplica/library/ipareplica_ds_apply_updates.py
++++ b/roles/ipareplica/library/ipareplica_ds_apply_updates.py
+@@ -177,6 +177,7 @@ def main():
+ config = gen_ReplicaConfig()
+ config.dirman_password = dirman_password
+ config.subject_base = options.subject_base
++ config.master_host_name = master_host_name
+
+ remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
+
+diff --git a/roles/ipareplica/library/ipareplica_ds_enable_ssl.py b/roles/ipareplica/library/ipareplica_ds_enable_ssl.py
+index a1b638e..3e4090d 100644
+--- a/roles/ipareplica/library/ipareplica_ds_enable_ssl.py
++++ b/roles/ipareplica/library/ipareplica_ds_enable_ssl.py
+@@ -173,6 +173,7 @@ def main():
+ config = gen_ReplicaConfig()
+ config.dirman_password = dirman_password
+ config.subject_base = options.subject_base
++ config.master_host_name = master_host_name
+
+ remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
+ # installer._remote_api = remote_api
+diff --git a/roles/ipareplica/library/ipareplica_setup_adtrust.py b/roles/ipareplica/library/ipareplica_setup_adtrust.py
+index c830ebf..734e56d 100644
+--- a/roles/ipareplica/library/ipareplica_setup_adtrust.py
++++ b/roles/ipareplica/library/ipareplica_setup_adtrust.py
+@@ -110,7 +110,7 @@ def main():
+ # additional
+ ccache=dict(required=True),
+ _top_dir=dict(required=True),
+- setup_ca=dict(required=True),
++ setup_ca=dict(required=True, type='bool'),
+ config_master_host_name=dict(required=True),
+ ),
+ supports_check_mode=True,
+diff --git a/roles/ipareplica/library/ipareplica_setup_custodia.py b/roles/ipareplica/library/ipareplica_setup_custodia.py
+index 5a74e87..2e95c26 100644
+--- a/roles/ipareplica/library/ipareplica_setup_custodia.py
++++ b/roles/ipareplica/library/ipareplica_setup_custodia.py
+@@ -169,6 +169,7 @@ def main():
+ config.promote = installer.promote
+ config.kra_enabled = kra_enabled
+ config.kra_host_name = kra_host_name
++ config.setup_ca = options.setup_ca
+
+ remote_api =
gen_remote_api(master_host_name, paths.ETC_IPA)
+
+diff --git a/roles/ipareplica/library/ipareplica_setup_http.py b/roles/ipareplica/library/ipareplica_setup_http.py
+index 987ea95..3fa4807 100644
+--- a/roles/ipareplica/library/ipareplica_setup_http.py
++++ b/roles/ipareplica/library/ipareplica_setup_http.py
+@@ -164,7 +164,7 @@ def main():
+ config.subject_base = options.subject_base
+ config.dirman_password = dirman_password
+ config.setup_ca = options.setup_ca
+- # config.master_host_name = master_host_name
++ config.master_host_name = master_host_name
+ config.ca_host_name = ca_host_name
+ config.promote = installer.promote
+
+diff --git a/roles/ipareplica/library/ipareplica_setup_kra.py b/roles/ipareplica/library/ipareplica_setup_kra.py
+index 3149c10..0b2f681 100644
+--- a/roles/ipareplica/library/ipareplica_setup_kra.py
++++ b/roles/ipareplica/library/ipareplica_setup_kra.py
+@@ -120,6 +120,9 @@ options:
+ _subject_base:
+ description: The installer _subject_base setting
+ required: no
++ dirman_password:
++ description: Directory Manager (master) password
++ required: no
+ author:
+ - Thomas Woerner
+ '''
+@@ -173,10 +176,12 @@ def main():
+ _ca_enabled=dict(required=False, type='bool'),
+ _kra_enabled=dict(required=False, type='bool'),
+ _kra_host_name=dict(required=False),
++ _ca_host_name=dict(required=False),
+ _top_dir=dict(required=True),
+ _add_to_ipaservers=dict(required=True, type='bool'),
+ _ca_subject=dict(required=True),
+ _subject_base=dict(required=True),
++ dirman_password=dict(required=True, no_log=True),
+ ),
+ supports_check_mode=True,
+ )
+@@ -233,6 +238,7 @@ def main():
+ ca_enabled = ansible_module.params.get('_ca_enabled')
+ kra_enabled = ansible_module.params.get('_kra_enabled')
+ kra_host_name = ansible_module.params.get('_kra_host_name')
++ ca_host_name = ansible_module.params.get('_ca_host_name')
+
+ options.subject_base = ansible_module.params.get('subject_base')
+ if options.subject_base is not None:
+@@ -243,6 +249,7 @@ def
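Review bot: The DOCUMENTATION entry added for `dirman_password` in ipareplica_setup_kra.py (@@ -120) says `required: no`, but the argument spec added in the @@ -173 hunk declares `dirman_password=dict(required=True, no_log=True)`; the doc line should read `required: yes`. The same mismatch appears in ipareplica_setup_krb.py (@@ -63 against @@ -98). `_ca_host_name=dict(required=False)` is added to the kra argument spec with no matching options entry in the visible documentation hunk; a `_ca_host_name:` entry with a one-line description and `required: no` would keep the docs in step. `no_log=True` on the Directory Manager password is the right setting and should be kept on any further module that accepts it.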
main():
+
+ options._ca_subject = ansible_module.params.get('_ca_subject')
+ options._subject_base = ansible_module.params.get('_subject_base')
++ dirman_password = ansible_module.params.get('dirman_password')
+
+ # init #
+
+@@ -254,14 +261,25 @@ def main():
+ constants.DEFAULT_CONFIG)
+ api_bootstrap_finalize(env)
+ config = gen_ReplicaConfig()
++ config.dirman_password = dirman_password
+ config.subject_base = options.subject_base
+ config.promote = installer.promote
+ config.kra_enabled = kra_enabled
+ config.kra_host_name = kra_host_name
++ config.ca_host_name = ca_host_name
++ config.master_host_name = master_host_name
+
+ remote_api = gen_remote_api(master_host_name, paths.ETC_IPA)
+ installer._remote_api = remote_api
+
++ conn = remote_api.Backend.ldap2
++ ccache = os.environ['KRB5CCNAME']
++
++ # There is a api.Backend.ldap2.connect call somewhere in ca, ds, dns or
++ # ntpinstance
++ api.Backend.ldap2.connect()
++ conn.connect(ccache=ccache)
++
+ with redirect_stdout(ansible_log):
+ ansible_log.debug("-- INSTALL KRA --")
+
+diff --git a/roles/ipareplica/library/ipareplica_setup_krb.py b/roles/ipareplica/library/ipareplica_setup_krb.py
+index c8d09f7..4500a6f 100644
+--- a/roles/ipareplica/library/ipareplica_setup_krb.py
++++ b/roles/ipareplica/library/ipareplica_setup_krb.py
+@@ -63,6 +63,9 @@ options:
+ _top_dir:
+ description: The installer _top_dir setting
+ required: no
++ dirman_password:
++ description: Directory Manager (master) password
++ required: no
+ author:
+ - Thomas Woerner
+ '''
+@@ -98,6 +101,7 @@ def main():
+ ccache=dict(required=True),
+ _pkinit_pkcs12_info=dict(required=False, type='list'),
+ _top_dir=dict(required=True),
++ dirman_password=dict(required=True, no_log=True),
+ ),
+ supports_check_mode=True,
+ )
+@@ -126,6 +130,7 @@ def main():
+ '_pkinit_pkcs12_info')
+
+ options._top_dir = ansible_module.params.get('_top_dir')
++ dirman_password = ansible_module.params.get('dirman_password')
+
+ # init #
+
+@@ -141,8 +146,10 @@ def
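Review bot: `ccache = os.environ['KRB5CCNAME']` in the @@ -254 hunk of ipareplica_setup_kra.py raises a bare KeyError when the variable is unset, so the task ends in a traceback rather than a module failure; none of this file's hunks add a `ccache` parameter or set the variable, unlike ipareplica_setup_krb.py, whose spec shows `ccache=dict(required=True)`. Consider `ccache = os.environ.get('KRB5CCNAME')` followed by an `ansible_module.fail_json(msg=...)` when it is empty, and confirm that `os` is imported in this module, which the hunk does not show. The comment above `api.Backend.ldap2.connect()` only says a connect call exists "somewhere in ca, ds, dns or ntpinstance"; it should state why the KRA step needs both the local connection and the remote one, since the remote one authenticates to the master with that credential cache. No disconnect is visible for either connection, but main() continues outside the hunk.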
main():
+ constants.DEFAULT_CONFIG)
+ api_bootstrap_finalize(env)
+ config = gen_ReplicaConfig()
++ config.dirman_password = dirman_password
+ config.master_host_name = config_master_host_name
+ config.subject_base = options.subject_base
++ config.setup_ca = options.setup_ca
+
+ ccache = os.environ['KRB5CCNAME']
+
+diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
+index c2a6222..ddb3f85 100644
+--- a/roles/ipareplica/tasks/install.yml
++++ b/roles/ipareplica/tasks/install.yml
+@@ -226,6 +226,8 @@
+ setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
+ setup_kra: "{{ result_ipareplica_test.setup_kra }}"
+ setup_dns: "{{ ipareplica_setup_dns }}"
++ ### server ###
++ setup_ca: "{{ ipareplica_setup_ca }}"
+ ### ssl certificate ###
+ dirsrv_cert_files: "{{ ipareplica_dirsrv_cert_files | default([]) }}"
+ ### client ###
+@@ -332,6 +334,7 @@
+ _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}"
+ _subject_base: "{{ result_ipareplica_prepare._subject_base }}"
+ dirman_password: "{{ ipareplica_dirman_password }}"
++ setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
+
+ - name: Install - Setup KRB
+ ipareplica_setup_krb:
+@@ -347,6 +350,7 @@
+ ccache: "{{ result_ipareplica_prepare.ccache }}"
+ _pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"
+ _top_dir: "{{ result_ipareplica_prepare._top_dir }}"
++ dirman_password: "{{ ipareplica_dirman_password }}"
+
+ # We need to point to the master in ipa default conf when certmonger
+ # asks for HTTP certificate in newer ipa versions.
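Review bot: `config.setup_ca = options.setup_ca` in the @@ -141 hunk of ipareplica_setup_krb.py reads an option that none of this file's hunks populate: the argument-spec hunk (@@ -98) adds only `dirman_password`, and the install.yml hunk for the `Install - Setup KRB` task (@@ -347) passes only `dirman_password`. If `setup_ca` is not already declared and assigned outside the visible hunks, the replica config gets a missing or default value here rather than the one computed by the prepare step; please confirm, or add `setup_ca=dict(required=True, type='bool')` to the spec, assign `options.setup_ca` from it, and pass `setup_ca` from the task. main() starts and ends outside the hunk.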
In these versions +@@ -388,6 +392,7 @@ + _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" + _subject_base: "{{ result_ipareplica_prepare._subject_base }}" + dirman_password: "{{ ipareplica_dirman_password }}" ++ setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" + master: + "{{ result_ipareplica_install_ca_certs.config_master_host_name }}" + when: result_ipareplica_test.change_master_for_certmonger +@@ -471,6 +476,7 @@ + _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" + _subject_base: "{{ result_ipareplica_prepare._subject_base }}" + dirman_password: "{{ ipareplica_dirman_password }}" ++ setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" + when: result_ipareplica_test.change_master_for_certmonger + + - name: Install - Setup otpd +@@ -611,10 +617,12 @@ + _ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}" + _kra_enabled: "{{ result_ipareplica_prepare._kra_enabled }}" + _kra_host_name: "{{ result_ipareplica_prepare.config_kra_host_name }}" ++ _ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}" + _top_dir: "{{ result_ipareplica_prepare._top_dir }}" + _add_to_ipaservers: "{{ result_ipareplica_prepare._add_to_ipaservers }}" + _ca_subject: "{{ result_ipareplica_prepare._ca_subject }}" + _subject_base: "{{ result_ipareplica_prepare._subject_base }}" ++ dirman_password: "{{ ipareplica_dirman_password }}" + when: result_ipareplica_test.setup_kra + + - name: Install - Restart KDC +-- +2.26.2 + diff --git a/SPECS/ansible-freeipa.spec b/SPECS/ansible-freeipa.spec index c7862d2..a6d4b0b 100644 --- a/SPECS/ansible-freeipa.spec +++ b/SPECS/ansible-freeipa.spec @@ -6,7 +6,7 @@ Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients Name: ansible-freeipa Version: 0.1.12 -Release: 4%{?dist} +Release: 5%{?dist} URL: https://github.com/freeipa/ansible-freeipa License: GPLv3+ Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz 
@@ -17,6 +17,7 @@ Patch4: ansible-freeipa-0.1.12-ipa-host-group-Fix-membermanager-unknow-user-issu Patch5: ansible-freeipa-0.1.12-ipa-user,host-Fail-on-duplucate-names-in-the-users-and-hosts-lists_rhbz#1822683.patch Patch6: ansible-freeipa-0.1.12-action_plugins-ipaclient_get_otp-Discovered-python-n_rhbz#1852714.patch Patch7: ansible-freeipa-0.1.12-ipa-server-replica-Fix-pkcs12-info-regressions-intro_rhbz#1853284.patch +Patch8: ansible-freeipa-0.1.12-ipareplica-Fix-missing-parameters-for-several-module_hbz#1855299.patch BuildArch: noarch #Requires: ansible @@ -102,6 +103,7 @@ a separate step before starting the server installation. %patch5 -p1 %patch6 -p1 %patch7 -p1 +%patch8 -p1 # Fix python modules and module utils: # - Remove shebang # - Remove execute flag @@ -136,6 +138,10 @@ cp -rp plugins/* %{buildroot}%{_datadir}/ansible/plugins/ %doc playbooks %changelog +* Tue Jul 14 2020 Thomas Woerner - 0.1.12-5 +- ipareplica: Fix failure while deploying KRA + Resolves: RHBZ#1855299 + * Thu Jul 02 2020 Thomas Woerner - 0.1.12-4 - ipa[server,replica]: Fix pkcs12 info regressions introduced with CA-less Resolves: RHBZ#1853284
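Review bot: The new patch file name ends in `_hbz#1855299.patch`, where Patch5 through Patch7 use the `_rhbz#` suffix, so a search of SOURCES for `rhbz#1855299` will not find it. The `Patch8:` line and the added file agree, so `%patch8 -p1` still applies it; renaming both to `..._rhbz#1855299.patch` would match the convention and the changelog's `Resolves: RHBZ#1855299`.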