Add credentials cache for novajoin user
With a switch to using the ansible-freeipa modules instead of the community modules, we need to specify a credentials cache file. We need to change to ansible-freeipa modules because the community modules do not support FIPS. This is required for the tripleo-ipa change[1]. [1] https://review.opendev.org/c/x/tripleo-ipa/+/848255 Change-Id: Iffc0c1f9cf038f20436b65bb9602f121f1c07d37
parent
9a09f2f2be
commit
7761fed0cb
@ -44,6 +44,10 @@ parameters:
|
||||
default: 'FILE:/etc/novajoin/krb5.keytab'
|
||||
description: keytab for the nova/[host fqdn] user on the FreeIPA server.
|
||||
type: string
|
||||
IdMNovaCredentialCache:
|
||||
default: '/etc/novajoin/krb5.cache'
|
||||
description: credential cache for nova/[host fqdn] user
|
||||
type: string
|
||||
MakeHomeDir:
|
||||
type: boolean
|
||||
description: Configure PAM to create a users home directory if it does not exist.
|
||||
@ -109,13 +113,13 @@ outputs:
|
||||
tripleo_ipa_ptr_zone_split_ipv6: {get_param: IdMZoneSplitIPv6}
|
||||
when: {get_param: IdMModifyDNS}
|
||||
environment:
|
||||
if:
|
||||
- idm_server_provided
|
||||
- IPA_HOST: {get_param: [IdMServer, 0]}
|
||||
IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
|
||||
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
|
||||
map_merge:
|
||||
- IPA_USER: "nova/{{ ansible_facts['fqdn'] }}"
|
||||
KRB5_CLIENT_KTNAME: {get_param: IdMNovaKeytab}
|
||||
KRB5CCNAME: {get_param: IdMNovaCredentialCache}
|
||||
- if:
|
||||
- idm_server_provided
|
||||
- IPA_HOST: {get_param: [IdMServer, 0]}
|
||||
- name: enroll the node as an ipa client
|
||||
#NOTE(xek): this is moved to external_deploy_tasks to make sure this happens before certificates are requested from certmonger
|
||||
when: step|int == 1
|
||||
|
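Review bot: The description added for `IdMNovaCredentialCache` does not say that the value is exported as `KRB5CCNAME` in the second hunk, nor that the file will hold live Kerberos tickets for the nova/[host fqdn] principal. Anyone who can read a credential cache can act as that principal until the tickets expire, so the parameter text should state the expectation, for example `description: Kerberos credential cache (exported as KRB5CCNAME) for the nova/[host fqdn] user; must be readable only by the account that runs the enrollment tasks.` Nothing visible in these hunks sets the owner or mode of `/etc/novajoin/krb5.cache`; that may be handled in the referenced tripleo-ipa change, which is worth confirming. The default is also a bare path while the keytab default just above it carries a `FILE:` prefix, so a short comment saying whether the difference is intentional would help.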