freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

ipaclient: when using OTP, ssh connection to the server is required. #1181

Open rjeffman opened 10 months ago

rjeffman commented 10 months ago

When deploying a new IPA client with the ipaclient role using OTP, access to the IPA server is required due to delegate_to: "{{ result_ipaclient_test.servers[0] }}" on several OTP-related tasks in the client.

In some environments, access to the servers is restricted, and the role fails. In the same environments, ipa-client-install (CLI) works.

ansible-freeipa should allow client deployment on more restricted environments.

t-woerner commented 10 months ago

Only if ipaclient_get_otp is enabled to generate the OTP automatically is it required to be able to connect to a server of the domain (to generate the OTP). It might be possible to use an existing client domain member also for this, but this is not implemented. It is also possible to generate the OTP outside of the ipaclient role and set ipaclient_otp.

rjeffman commented 10 months ago

For the moment, I'll document that generating an OTP requires access to a server, and provide an alternative path by setting ipaclient_otp.
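
The alternative path discussed in this thread, sketched as an added example that is not part of the issue or of the project's documentation: the OTP is created out of band and handed to the role through ipaclient_otp, so no task has to be delegated to an IPA server. The host name, domain, group name and the vault variable `vault_ipaclient_otp` are constructed placeholders, and how the OTP is created (`ipa host-add --random`) is an assumption about the admin's workflow.

```yaml
# Added example; every name below is a placeholder, not taken from the issue.
#
# Step 1, out of band: an IPA admin pre-creates the host entry from any
# machine that can already reach IPA, which prints a random password:
#   ipa host-add client1.example.test --random
# That password is single-use and bound to this one host entry. Store it
# encrypted (for example with ansible-vault) as vault_ipaclient_otp in
# host_vars/client1.example.test/vault.yml, never in plain-text inventory.
---
# inventory/hosts.yml
all:
  children:
    ipaclients:
      vars:
        ipaclient_domain: example.test
        # Leave OTP generation off so the role does not need to reach
        # a server on the admin's behalf.
        ipaclient_get_otp: false
      hosts:
        client1.example.test:
          # Per-host value: each client needs its own OTP.
          ipaclient_otp: "{{ vault_ipaclient_otp }}"
---
# install-client.yml
- name: Enroll IPA client with a pre-generated OTP
  hosts: ipaclients
  become: true
  roles:
    - role: ipaclient
      state: present
```

With this layout the admin credentials never have to be present on the Ansible controller; only the per-host enrollment password is, and it becomes useless once the client has joined.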