freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

ipaserver: Changing role password parameters doesn't trigger update on server #1162

Open aph3rson opened 10 months ago

aph3rson commented 10 months ago

I intend on running Ansible in a CD pipeline. I deploy my FreeIPA server accordingly in my playbook's tasks:

    - name: Install and configure FreeIPA role
      vars:
        ipaserver_domain: my.domain
        ipaserver_realm: MY.DOMAIN
        ipaserver_setup_dns: yes
        ipaserver_auto_forwarders: yes
        # Admin user password
        ipaadmin_password: "{{ lookup('ansible.builtin.password', hostvars.localhost.freeipa_dir.path + '/freeipa_admin_password') }}"
        # Directory manager password
        ipadm_password: "{{ lookup('ansible.builtin.password', hostvars.localhost.freeipa_dir.path + '/ldap_manager_password') }}"
        # Prevent management check
        ipaserver_allow_zone_overlap: true
      ansible.builtin.include_role:
        name: freeipa.ansible_freeipa.ipaserver

In this case, both ipaadmin_password and ipadm_password may change on deployment, as the underlying password files would not be present. If this happens, I was hoping the passwords would be updated to whatever value Ansible had generated.

However, what I see in the Ansible output instead is a lot of skipped tasks:

    TASK [freeipa.ansible_freeipa.ipaserver : Install - Master password creation] ***
    skipping: [freeipa]

    TASK [freeipa.ansible_freeipa.ipaserver : Install - Use new master password] ***
    skipping: [freeipa]

    TASK [freeipa.ansible_freeipa.ipaserver : Use user defined master password, if provided] ***
    skipping: [freeipa]

Is there a better way to be doing this? I expect the node that I'm deploying FreeIPA to to be able to handle these parameters changing.

t-woerner commented 10 months ago

The ipaserver role is not able to update an existing server deployment.

t-woerner commented 10 months ago

The admin password can be set with the user module ipa user-mod. For the dm password there is more to do. Here is an (outdated) guide from freeipa.org: https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password and a guide from 389ds: https://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html

t-woerner commented 10 months ago

The admin password change will be replicated to the whole domain; the change of the dm password needs to be done on all servers/replicas.
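One way to act on the advice in the two comments above, as an added example that is not part of the issue or of the ansible-freeipa project: run the admin password rotation as a separate play with the ipauser module after the ipaserver role, rather than expecting the role to pick up a changed ipaadmin_password. It assumes the current admin password is still available in the variable freeipa_admin_password_current and the new one in freeipa_admin_password_new (both names are hypothetical); the Directory Manager password is left alone here because, as noted above, it has to be reset on every server and replica by the linked procedures.

```yaml
# Added example, not the project's own code. Assumes the ipaserver role has
# already been applied to the host and that freeipa_admin_password_current
# holds the password the server currently accepts for admin.
- name: Rotate the FreeIPA admin password on an existing deployment
  hosts: freeipa
  vars:
    # hypothetical variable names; in a pipeline these would come from a vault
    freeipa_admin_password_current: "{{ lookup('ansible.builtin.file', '/run/secrets/freeipa_admin_password_current') }}"
    freeipa_admin_password_new: "{{ lookup('ansible.builtin.password', '/run/secrets/freeipa_admin_password_new') }}"
  tasks:
    - name: Set a new password for the admin user (replicates domain-wide)
      freeipa.ansible_freeipa.ipauser:
        # authenticate with the password the server knows today
        ipaadmin_password: "{{ freeipa_admin_password_current }}"
        name: admin
        password: "{{ freeipa_admin_password_new }}"
        # apply the password on every run, not only when the user is created
        update_password: always
        state: present
      # keep both secrets out of the job log
      no_log: true
```

Because the module authenticates with the current password, the pipeline must keep the previous value until this play has succeeded; a freshly generated file with no record of the old password cannot be applied this way.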