identity: Autodetect FreeIPA server with DNS (#50988)

* identity: Autodetect FreeIPA server with DNS

This adds the ability for the freeIPA related modules to be able to
auto-detect the IPA server through DNS.

This takes advantage of the fact that a lot of FreeIPA deployments
configure their hosts to use IPA as the nameserver.

This check is only used if we didn't set neither the ipa_host parameter,
nor the environment variable IPA_HOST.

* identity: Specify docs for DNS discovery of ipa_host

These docs specify that it can now default to DNS if the 'ipa-ca' entry
is available.
pull/51602/head
Juan Antonio Osorio 6 years ago committed by John R Barker
parent 9df6f152e1
commit bac19c3301

@ -28,13 +28,28 @@
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
import json import json
import socket
import re import re
from ansible.module_utils._text import to_bytes, to_native, to_text from ansible.module_utils._text import to_bytes, to_native, to_text
from ansible.module_utils.six import PY3 from ansible.module_utils.six import PY3
from ansible.module_utils.six.moves.urllib.parse import quote from ansible.module_utils.six.moves.urllib.parse import quote
from ansible.module_utils.urls import fetch_url from ansible.module_utils.urls import fetch_url
from ansible.module_utils.basic import env_fallback from ansible.module_utils.basic import env_fallback, AnsibleFallbackNotFound
def _env_then_dns_fallback(*args, **kwargs):
''' Load value from environment or DNS in that order'''
try:
return env_fallback(*args, **kwargs)
except AnsibleFallbackNotFound:
# If no host was given, we try to guess it from IPA.
# The ipa-ca entry is a standard entry that IPA will have set for
# the CA.
try:
return socket.gethostbyaddr(socket.gethostbyname('ipa-ca'))[0]
except Exception:
raise AnsibleFallbackNotFound
class IPAClient(object): class IPAClient(object):
@ -181,7 +196,7 @@ class IPAClient(object):
def ipa_argument_spec(): def ipa_argument_spec():
return dict( return dict(
ipa_prot=dict(type='str', default='https', choices=['http', 'https'], fallback=(env_fallback, ['IPA_PROT'])), ipa_prot=dict(type='str', default='https', choices=['http', 'https'], fallback=(env_fallback, ['IPA_PROT'])),
ipa_host=dict(type='str', default='ipa.example.com', fallback=(env_fallback, ['IPA_HOST'])), ipa_host=dict(type='str', default='ipa.example.com', fallback=(_env_then_dns_fallback, ['IPA_HOST'])),
ipa_port=dict(type='int', default=443, fallback=(env_fallback, ['IPA_PORT'])), ipa_port=dict(type='int', default=443, fallback=(env_fallback, ['IPA_PORT'])),
ipa_user=dict(type='str', default='admin', fallback=(env_fallback, ['IPA_USER'])), ipa_user=dict(type='str', default='admin', fallback=(env_fallback, ['IPA_USER'])),
ipa_pass=dict(type='str', required=True, no_log=True, fallback=(env_fallback, ['IPA_PASS'])), ipa_pass=dict(type='str', required=True, no_log=True, fallback=(env_fallback, ['IPA_PASS'])),

@ -18,7 +18,9 @@ options:
description: description:
- IP or hostname of IPA server. - IP or hostname of IPA server.
- If the value is not specified in the task, the value of environment variable C(IPA_HOST) will be used instead. - If the value is not specified in the task, the value of environment variable C(IPA_HOST) will be used instead.
- If both the environment variable C(IPA_HOST) and the value are not specified in the task, then default value is set. - If both the environment variable C(IPA_HOST) and the value are not specified in the task, then DNS will be used to try to discover the FreeIPA server.
- The relevant entry needed in FreeIPA is the 'ipa-ca' entry.
- If neither the DNS entry, nor the environment C(IPA_HOST), nor the value are available in the task, then the default value will be used.
- 'Environment variable fallback mechanism is added in version 2.5.' - 'Environment variable fallback mechanism is added in version 2.5.'
default: ipa.example.com default: ipa.example.com
ipa_user: ipa_user:

Loading…
Cancel
Save