On 08/16/2017 09:16 AM, Martin Kosek wrote:
> On 08/02/2017 01:36 PM, Florence Blanc-Renaud via FreeIPA-devel wrote:
>> Hi all,
>>
>> The first version of a new design document is available at
>>
>> https://www.freeipa.org/page/V4/ClientInstallationWithAnsible
>>
>> The feature will allow deploying IPA clients using Ansible. Please feel
>> free to send your comments, suggestions or concerns.
>>
>> Thanks,
>> Flo
>
> Thanks for the design, I just read it. For now, I have just a question
> regarding what is the state of communication with the Ansible upstream
> community, especially regarding improvement of the already developed
> modules.
>
> In the design, I see:
> "
> - ipa_host module does not allow to create a random One-Time Password
> - all the IPA modules are authenticating to IPA server using principal +
>   password and do not support keytabs
> - all the IPA modules are communicating with the IPA server using the
>   remote JSON API instead of the Python API
>
> These limitations argue in favor of a new ipahost module.
> "
> Does it mean you want to propose a parallel ipahost Ansible module for
> the upstream Module Index? I would think it would be better to work with
> Ansible upstream and refactor/enhance the modules that are existing in
> there already, rather than fork them. The upstream Ansible modules are
> in "preview" mode anyway, i.e. the interface can change.
>
> Thanks,
> Martin
>
Hi,
An internal conversation also argued that my proposal would require ssh
access to ipa master from Ansible controller, and some users may not
agree with this.
Keeping this in mind, I now tend to think that it would be better to
enhance the existing ipa_host module (still using HTTP+JSON) and if
possible also support authentication with an admin keytab. The other IPA
modules would benefit from this change, too.
Are there any concerns with this new approach?