diff --git a/manifests/init.pp b/manifests/init.pp index 51b7040a..5bdf8891 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -47,7 +47,8 @@ # $clntpkg = 'ipa-client' - IPA client package. # $ldaputils = true - Controls the instalation of the LDAP utilities package. # $ldaputilspkg = 'openldap-clients' - LDAP utilities package. -# +# $enable_firewall = true - Install and Configure iptables ? this is not desired for docker container +# $enable_hostname = true - Configure hostname during instalation? this is not desired for docker container # === Variables # # @@ -102,15 +103,17 @@ $autofs = false, $svrpkg = 'ipa-server', $clntpkg = $::osfamily ? { - Debian => 'freeipa-client', + 'Debian' => 'freeipa-client', default => 'ipa-client', }, $ldaputils = true, $ldaputilspkg = $::osfamily ? { - Debian => 'ldap-utils', + 'Debian' => 'ldap-utils', default => 'openldap-clients', }, - $idstart = false + $idstart = false, + $enable_firewall = true, + $enable_hostname = true ) { @package { $ipa::svrpkg: @@ -158,6 +161,9 @@ } if $ipa::dns { + @package {'ipa-server-dns': + ensure => installed + } @package { 'bind-dyndb-ldap': ensure => installed } @@ -259,7 +265,9 @@ http_pin => $ipa::http_pin, subject => $ipa::subject, selfsign => $ipa::selfsign, - idstart => $ipa::idstart + idstart => $ipa::idstart, + enable_firewall => $ipa::enable_firewall, + enable_hostname => $ipa::enable_hostname, } if ! $ipa::adminpw { @@ -278,7 +286,8 @@ adminpw => $ipa::adminpw, dspw => $ipa::dspw, kstart => $ipa::kstart, - sssd => $ipa::sssd + sssd => $ipa::sssd, + enable_firewall => $ipa::enable_firewall } class { 'ipa::client': diff --git a/manifests/master.pp b/manifests/master.pp index 5746593a..5d0f3444 100644 --- a/manifests/master.pp +++ b/manifests/master.pp 
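Review bot: The two new parameter descriptions in the `-47` hunk of init.pp say only that the feature "is not desired for docker container", so a reader cannot tell what a false value actually switches off, and both lines carry the typo "instalation". Since these flags disable a host firewall and a hostname change, the comment should state the effect and that the default is the managed one, e.g. `# $enable_firewall = true - Manage the iptables rules for the IPA services. Set to false only where the host firewall is managed elsewhere (e.g. containers).` and `# $enable_hostname = true - Pass --hostname=$::fqdn to ipa-server-install. Set to false where the hostname must not be changed (e.g. containers).`. The `-102` hunk below introduces the parameters with the same names, so the wording here is the only place a user learns their semantics.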
@@ -38,12 +38,19 @@ $http_pin = {}, $subject = {}, $selfsign = {}, - $idstart = {} + $idstart = {}, + $enable_firewall = '', + $enable_hostname = '', ) { - Ipa::Serverinstall[$::fqdn] -> File['/etc/ipa/primary'] -> Ipa::Hostadd <<| |>> -> Ipa::Replicareplicationfirewall <<| tag == "ipa-replica-replication-firewall-${ipa::master::domain}" |>> -> Ipa::Replicaprepare <<| tag == "ipa-replica-prepare-${ipa::master::domain}" |>> -> Ipa::Createreplicas[$::fqdn] + if $enable_firewall { + Ipa::Serverinstall[$::fqdn] -> File['/etc/ipa/primary'] -> Ipa::Hostadd <<| |>> -> Ipa::Replicareplicationfirewall <<| tag == "ipa-replica-replication-firewall-${ipa::master::domain}" |>> -> Ipa::Replicaprepare <<| tag == "ipa-replica-prepare-${ipa::master::domain}" |>> -> Ipa::Createreplicas[$::fqdn] - Ipa::Replicareplicationfirewall <<| tag == "ipa-replica-replication-firewall-${ipa::master::domain}" |>> + Ipa::Replicareplicationfirewall <<| tag == "ipa-replica-replication-firewall-${ipa::master::domain}" |>> + } + else{ + Ipa::Serverinstall[$::fqdn] -> File['/etc/ipa/primary'] -> Ipa::Hostadd <<| |>> -> Ipa::Replicaprepare <<| tag == "ipa-replica-prepare-${ipa::master::domain}" |>> -> Ipa::Createreplicas[$::fqdn] + } Ipa::Replicaprepare <<| tag == "ipa-replica-prepare-${ipa::master::domain}" |>> Ipa::Hostadd <<| |>> @@ -100,12 +107,21 @@ } $dnsopt = '--setup-dns' realize Package['bind-dyndb-ldap'] + realize Package['ipa-server-dns'] } else { $dnsopt = '' $forwarderopts = '' } + if $ipa::master::enable_hostname { + $hostopt = "--hostname=${::fqdn}" + } + else + { + $hostopt = '' + } + $ntpopt = $ipa::master::ntp ? { false => '--no-ntp', default => '' @@ -133,7 +149,8 @@ ntpopt => $ipa::master::ntpopt, extcaopt => $ipa::master::extcaopt, idstart => $ipa::master::generated_idstart, - require => Package[$ipa::master::svrpkg] + require => Package[$ipa::master::svrpkg], + hostopt => $ipa::master::hostopt } if $extca { 
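Review bot: The new defaults `$enable_firewall = ''` and `$enable_hostname = ''` at the top of the `-38` hunk are falsy in Puppet, so anyone declaring `ipa::master` directly rather than through `class { 'ipa': }` gets the firewall rules and the `--hostname` option silently skipped, the opposite of the `true` defaults init.pp documents for the same knobs; replica.pp's `-16` hunk introduces `$enable_firewall = ''` with the same effect. A control that opens or omits firewall rules should default to the managed state, `$enable_firewall = true,` and `$enable_hostname = true,`, or at least be validated as a boolean so an empty string is rejected rather than treated as "off". As a point of style, `else{` here and the `else` on its own line in the `-100` hunk differ from the `} else {` form used a few lines further down in the same file. The class body continues outside these hunks.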
@@ -159,33 +176,35 @@ ipa::createreplicas { $::fqdn: } - firewall { '101 allow IPA master TCP services (http,https,kerberos,kpasswd,ldap,ldaps)': - ensure => 'present', - action => 'accept', - proto => 'tcp', - dport => ['80','88','389','443','464','636'] - } + if $ipa::enable_firewall { + firewall { '101 allow IPA master TCP services (http,https,kerberos,kpasswd,ldap,ldaps)': + ensure => 'present', + action => 'accept', + proto => 'tcp', + dport => ['80','88','389','443','464','636'] + } - firewall { '102 allow IPA master UDP services (kerberos,kpasswd,ntp)': - ensure => 'present', - action => 'accept', - proto => 'udp', - dport => ['88','123','464'] - } + firewall { '102 allow IPA master UDP services (kerberos,kpasswd,ntp)': + ensure => 'present', + action => 'accept', + proto => 'udp', + dport => ['88','123','464'] + } - @@ipa::replicapreparefirewall { $::fqdn: - source => $::ipaddress, - tag => "ipa-replica-prepare-firewall-${ipa::master::domain}" - } + @@ipa::replicapreparefirewall { $::fqdn: + source => $::ipaddress, + tag => "ipa-replica-prepare-firewall-${ipa::master::domain}" + } - @@ipa::masterreplicationfirewall { $::fqdn: - source => $::ipaddress, - tag => "ipa-master-replication-firewall-${ipa::master::domain}" - } + @@ipa::masterreplicationfirewall { $::fqdn: + source => $::ipaddress, + tag => "ipa-master-replication-firewall-${ipa::master::domain}" + } - @@ipa::masterprincipal { $::fqdn: - realm => $ipa::master::realm, - tag => "ipa-master-principal-${ipa::master::domain}" + @@ipa::masterprincipal { $::fqdn: + realm => $ipa::master::realm, + tag => "ipa-master-principal-${ipa::master::domain}" + } } @@ipa::clientinstall { $::fqdn: diff --git a/manifests/replica.pp b/manifests/replica.pp index efb355ca..d1d534ad 100644 --- a/manifests/replica.pp +++ b/manifests/replica.pp 
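Review bot: `if $ipa::enable_firewall {` in the `-159` hunk tests class `ipa`'s parameter, while the `-38` hunk of this same class tests its own `$enable_firewall`; when `ipa::master` is used without class `ipa`, `$ipa::enable_firewall` resolves to undef and the two firewall rules plus the exported firewall resources are silently not created, with no warning. The condition should read `if $ipa::master::enable_firewall {` so both guards in the file agree. Separately, the `@@ipa::masterprincipal` export is now inside the firewall guard although nothing on the page suggests it is a firewall rule; if it is only wrapped because replica.pp's `-16` hunk drops the matching collector in its else branch, a one-line comment saying so, e.g. `# exported together with the firewall resources because the replica only collects it when firewalling is enabled`, would keep the next maintainer from "fixing" it.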
@@ -16,14 +16,19 @@ $dspw = {}, $domain = {}, $kstart = {}, - $sssd = {} + $sssd = {}, + $enable_firewall = '', ) { - Class['ipa::client'] -> Ipa::Masterprincipal <<| tag == "ipa-master-principal-${ipa::replica::domain}" |>> -> Ipa::Replicapreparefirewall <<| tag == "ipa-replica-prepare-firewall-${ipa::replica::domain}" |>> -> Ipa::Masterreplicationfirewall <<| tag == "ipa-master-replication-firewall-${ipa::replica::domain}" |>> -> Ipa::Replicainstall[$::fqdn] -> Service['ipa'] + if $enable_firewall { + Class['ipa::client'] -> Ipa::Masterprincipal <<| tag == "ipa-master-principal-${ipa::replica::domain}" |>> -> Ipa::Replicapreparefirewall <<| tag == "ipa-replica-prepare-firewall-${ipa::replica::domain}" |>> -> Ipa::Masterreplicationfirewall <<| tag == "ipa-master-replication-firewall-${ipa::replica::domain}" |>> -> Ipa::Replicainstall[$::fqdn] -> Service['ipa'] - Ipa::Replicapreparefirewall <<| tag == "ipa-replica-prepare-firewall-${ipa::replica::domain}" |>> - Ipa::Masterreplicationfirewall <<| tag == "ipa-master-replication-firewall-${ipa::replica::domain}" |>> - Ipa::Masterprincipal <<| tag == "ipa-master-principal-${ipa::replica::domain}" |>> + Ipa::Replicapreparefirewall <<| tag == "ipa-replica-prepare-firewall-${ipa::replica::domain}" |>> + Ipa::Masterreplicationfirewall <<| tag == "ipa-master-replication-firewall-${ipa::replica::domain}" |>> + Ipa::Masterprincipal <<| tag == "ipa-master-principal-${ipa::replica::domain}" |>> + }else { + Class['ipa::client'] -> Ipa::Replicainstall[$::fqdn] -> Service['ipa'] + } if $::osfamily != 'RedHat' { fail("Cannot configure an IPA replica server on ${::operatingsystem} operating systems. Must be a RedHat-like operating system.") 
@@ -42,18 +47,30 @@ realize Service['sssd'] } - firewall { '101 allow IPA replica TCP services (kerberos,kpasswd,ldap,ldaps)': - ensure => 'present', - action => 'accept', - proto => 'tcp', - dport => ['88','389','464','636'] - } + if $enable_firewall { + firewall { '101 allow IPA replica TCP services (kerberos,kpasswd,ldap,ldaps)': + ensure => 'present', + action => 'accept', + proto => 'tcp', + dport => ['88','389','464','636'] + } + + firewall { '102 allow IPA replica UDP services (kerberos,kpasswd,ntp)': + ensure => 'present', + action => 'accept', + proto => 'udp', + dport => ['88','123','464'] + } + + @@ipa::replicareplicationfirewall { $::fqdn: + source => $::ipaddress, + tag => "ipa-replica-replication-firewall-${ipa::replica::domain}" + } - firewall { '102 allow IPA replica UDP services (kerberos,kpasswd,ntp)': - ensure => 'present', - action => 'accept', - proto => 'udp', - dport => ['88','123','464'] + @@ipa::replicaprepare { $::fqdn: + dspw => $ipa::replica::dspw, + tag => "ipa-replica-prepare-${ipa::replica::domain}" + } } ipa::replicainstall { $::fqdn: @@ -62,13 +79,4 @@ require => Package[$ipa::replica::svrpkg] } - @@ipa::replicareplicationfirewall { $::fqdn: - source => $::ipaddress, - tag => "ipa-replica-replication-firewall-${ipa::replica::domain}" - } - - @@ipa::replicaprepare { $::fqdn: - dspw => $ipa::replica::dspw, - tag => "ipa-replica-prepare-${ipa::replica::domain}" - } } diff --git a/manifests/serverinstall.pp b/manifests/serverinstall.pp index 1889cc53..fcda4cc5 100644 --- a/manifests/serverinstall.pp +++ b/manifests/serverinstall.pp @@ -11,7 +11,8 @@ $forwarderopts = {}, $ntpopt = {}, $extcaopt = {}, - $idstart = {} + $idstart = {}, + $hostopt = {}, ) { $idstartopt = "--idstart=${idstart}" 
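Review bot: In the `-42` hunk the `@@ipa::replicaprepare { $::fqdn: ... }` export is moved inside `if $enable_firewall`, yet master.pp's else branch (its `-38` hunk) still collects `Ipa::Replicaprepare <<| tag == "ipa-replica-prepare-${ipa::master::domain}" |>>` and chains `Ipa::Createreplicas` behind it; with the firewall disabled nothing is ever exported, so the master has nothing to prepare and the replica install that follows presumably fails or hangs on the missing prerequisite. Only `@@ipa::replicareplicationfirewall` belongs under the guard; the `@@ipa::replicaprepare` export should be placed after the guard's closing brace, unconditionally, as the `-62` hunk's deleted copy was. If `ipa::replicaprepare` itself touches the firewall on the master, that condition belongs inside the define, not around its export.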
@@ -19,7 +20,7 @@ anchor { 'ipa::serverinstall::start': } exec { "serverinstall-${host}": - command => "/usr/sbin/ipa-server-install --hostname=${host} --realm=${realm} --domain=${domain} --admin-password='${adminpw}' --ds-password='${dspw}' ${dnsopt} ${forwarderopts} ${ntpopt} ${extcaopt} ${idstartopt} --unattended", + command => "/usr/sbin/ipa-server-install ${hostopt} --realm=${realm} --domain=${domain} --admin-password='${adminpw}' --ds-password='${dspw}' ${dnsopt} ${forwarderopts} ${ntpopt} ${extcaopt} ${idstartopt} --unattended", timeout => '0', unless => '/usr/sbin/ipactl status >/dev/null 2>&1', creates => '/etc/ipa/default.conf',
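Review bot: The rewritten `command =>` line in the `-19` hunk now interpolates `${hostopt}`, a pre-built option string supplied by the caller, unquoted into the shell command, while `$host` remains the define's parameter and resource title but no longer influences the command; the define loses control over what reaches the command line. Keeping the flag construction local, `$hostopt = $enable_hostname ? { true => "--hostname=${host}", default => '' }`, with a boolean parameter in place of the `$hostopt = {}` added in the `-11` hunk, would keep the two in step and avoid a free-form string in the exec. The same line still passes `--admin-password='${adminpw}'` and `--ds-password='${dspw}'` in argv, where they are visible in the process list during the install and in Puppet's exec failure message; this predates the change, but a comment such as `# NOTE: credentials are passed on the command line and are visible in ps output and exec failure logs` is warranted while the line is being touched. The exec resource and the enclosing define close outside this hunk.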