freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA

ipaserver: Changing role password parameters doesn't trigger update on server

aph3rson opened this issue · comments

I intend on running Ansible in a CD pipeline. I deploy my FreeIPA server accordingly in my playbook's tasks:

    - name: Install and configure FreeIPA role
      vars:
        ipaserver_domain: my.domain
        ipaserver_realm: MY.DOMAIN
        ipaserver_setup_dns: yes
        ipaserver_auto_forwarders: yes
        # Admin user password
        ipaadmin_password: "{{ lookup('ansible.builtin.password', hostvars.localhost.freeipa_dir.path + '/freeipa_admin_password') }}"
        # Directory manager password
        ipadm_password: "{{ lookup('ansible.builtin.password', hostvars.localhost.freeipa_dir.path + '/ldap_manager_password') }}"
        # Prevent management check
        ipaserver_allow_zone_overlap: true
      ansible.builtin.include_role:
        name: freeipa.ansible_freeipa.ipaserver

In this case, both ipaadmin_password and ipadm_password may change on deployment, as the underlying password files would not be present.
If this happens, I was hoping the passwords would be updated to whatever value Ansible had generated.

However, what I see in the Ansible output instead is a lot of skipped tasks:

    TASK [freeipa.ansible_freeipa.ipaserver : Install - Master password creation] ***
    skipping: [freeipa]

    TASK [freeipa.ansible_freeipa.ipaserver : Install - Use new master password] ***
    skipping: [freeipa]

    TASK [freeipa.ansible_freeipa.ipaserver : Use user defined master password, if provided] ***
    skipping: [freeipa]

Is there a better way to be doing this? I expect the node that I'm deploying FreeIPA to, to be able to handle these parameters changing.

The ipaserver role is not able to update an existing server deployment.

The admin password can be set with the user module ipa user-mod. For the dm password there is more to do. Here is an (outdated) guide from freeipa.org: https://www.freeipa.org/page/Howto/Change_Directory_Manager_Password and a guide from 389ds: https://www.port389.org/docs/389ds/howto/howto-resetdirmgrpassword.html

The admin password change will be replicated to the whole domain; the change of the dm password needs to be done on all servers/replicas.
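As an added example (not from this issue or the ansible-freeipa project), one way to rotate only the admin password after the `ipaserver` role has already deployed the server, using the ansible-freeipa `ipauser` module instead of re-running the role. The `update_password: always` option, the variable names and the password file paths are assumptions for this example. The important detail is that the module has to authenticate with the password that is currently valid, so the current and the new password must live in two separate files; regenerating the single file the role consumed would discard the only credential that can authorize the change. The Directory Manager password is not covered here, since it has to be reset on every server following the 389ds guide linked above.

```yaml
# Added example: rotate the FreeIPA admin password on an existing deployment.
# Assumes the freeipa.ansible_freeipa.ipauser module and its update_password option;
# variable names and file paths are placeholders for this example.
- name: Rotate FreeIPA admin password on an already-deployed server
  hosts: ipaserver
  vars:
    # Password that is valid right now: needed to bind and authorize the change.
    freeipa_admin_password_current: "{{ lookup('ansible.builtin.file', '/path/to/freeipa_admin_password.current') }}"
    # New password: generated once and persisted, so a re-run does not rotate again.
    freeipa_admin_password_new: "{{ lookup('ansible.builtin.password', '/path/to/freeipa_admin_password.new', length=32) }}"
  tasks:
    - name: Set the admin password to the newly generated value
      freeipa.ansible_freeipa.ipauser:
        ipaadmin_password: "{{ freeipa_admin_password_current }}"
        name: admin
        password: "{{ freeipa_admin_password_new }}"
        # Assumed option: the default (on_create) leaves existing users untouched.
        update_password: always
      # Keep both secrets out of the play output and any collected logs.
      no_log: true
```

Because the admin account is a domain-wide object, this single task is enough for every replica, matching the reply above; after a successful run, the `.new` file becomes the value to store as `.current` for the next rotation.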