Commit 166e4194 authored by Fabien Combernous
parent f3036abe
fixtures:
repositories:
stdlib: "git://github.com/puppetlabs/puppetlabs-stdlib"
\ No newline at end of file
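Review bot: The `stdlib:` fixture is fetched over `git://`, which provides no transport authentication or integrity for code that is then loaded into the spec module path; GitHub has also retired the unauthenticated git protocol, so this fixture will fail to clone. Use the HTTPS URL instead: `stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib.git"`. Pinning a `ref:` in the hash form of the fixture would additionally make spec runs reproducible against the stdlib >= 4.13.0 requirement the README states.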
.DS_Store
*.swp
*.bak
*~
pkg
spec/fixtures/
.idea/
.vagrant/
rvm: 2.2
notifications:
email:
- johnpuskar@gmail.com
env:
- PUPPET_VERSION=4.3.2
# puppet-easy_ipa
## 1.0.0
Initial release
source 'https://rubygems.org'
group :development do
# controlrepo is a helper tool to setup spec and integration testing inside of a
# Puppet control repository. We're not using the rake rakes, but instead
# directly invoking `rspec spec` in an effort to cut down on the amount of
# implicit, magic behavior. The controlrepo gem provides value in the form of
# an updated set of dependencies suitable for spec testing using rspec-puppet.
#
# https://github.com/jeffmccune/controlrepo_gem
gem 'controlrepo'
end
group :test, :development do
gem 'puppet', '4.9.4'
# should be 3.7.2 but not available on rubygems
gem 'facter'
gem 'hiera', '3.3.1'
gem 'parallel_tests'
# other testing gems we want
gem 'rspec-puppet'
gem 'puppetlabs_spec_helper'
gem 'rake-notes'
# pinning specific versions
gem 'puppet-lint', '~> 2.1'
end
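Review bot: `gem 'puppet', '4.9.4'` ignores the `PUPPET_VERSION=4.3.2` that .travis.yml exports, so CI tests a different Puppet than the matrix variable suggests. Read the variable with a fallback, `gem 'puppet', ENV['PUPPET_VERSION'] || '4.9.4'`, or drop the unused env entry from .travis.yml. `gem 'facter'`, `gem 'controlrepo'` and the other unconstrained gems resolve to whatever is newest at install time, so the test dependency set drifts between runs; checking in a `Gemfile.lock` or adding version constraints would make the resolution reproducible.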
# easy_ipa Puppet module
[![Build Status](https://travis-ci.org/jpuskar/puppet-ipa.svg?branch=master)](https://travis-ci.org/jpuskar/puppet-ipa)
## Overview
This module will install and configure IPA servers, replicas, and clients. This module was forked from huit-ipa,
and refactored with a focus on simplicity and ease of use.
The following features work great:
- Creating a domain.
- Adding IPA server replicas.
- Joining clients.
- WebUI proxy to https://localhost:8440 (for vagrant testing).
The following features were stripped out and are currently unavailable:
- Autofs configuration.
- Sudo rule management.
- Host management (beyond simple clinet domain joins).
- Host joins via one time passwords.
- Dns zone management (beyond creating an initial zone).
## Dependencies
This module requires [puppetlabs/stdlib](https://forge.puppetlabs.com/puppetlabs/stdlib) >= 4.13.0.
## Usage
### Example usage:
Creating an IPA master, with the WebUI proxied to `https://localhost:8440`.
```puppet
class {'easy_ipa':
ipa_role => 'master',
domain => 'vagrant.example.lan',
ipa_server_fqdn => 'ipa-server-1.vagrant.example.lan',
admin_password => 'vagrant123',
directory_services_password => 'vagrant123',
install_ipa_server => true,
ip_address => '192.168.44.35',
enable_ip_address => true,
enable_hostname => true,
manage_host_entry => true,
install_epel => true,
webui_disable_kerberos => true,
webui_enable_proxy => true,
webui_force_https => true,
}
```
Adding a replica:
```puppet
class {'::easy_ipa':
ipa_role => 'replica',
domain => 'vagrant.example.lan',
ipa_server_fqdn => 'ipa-server-2.vagrant.example.lan',
domain_join_password => 'vagrant123',
install_ipa_server => true,
ip_address => '192.168.44.36',
enable_ip_address => true,
enable_hostname => true,
manage_host_entry => true,
install_epel => true,
ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan',
}
```
Adding a client:
```puppet
class {'::easy_ipa':
ipa_role => 'client',
domain => 'vagrant.example.lan',
domain_join_password => 'vagrant123',
install_epel => true,
ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan',
}
```
### Mandatory Parameters
#### `domain`
Mandatory. The name of the IPA domain to create or join.
#### `ipa_role`
Mandatory. What role the node will be. Options are 'master', 'replica', and 'client'.
#### `admin_password`
Mandatory if `ipa_role` is set as 'Master' or 'Replica'.
Password which will be assigned to the IPA account named 'admin'.
#### `directory_services_password`
Mandatory if `ipa_role` is set as 'Master'.
Password which will be passed into the ipa setup's parameter named "--ds-password".
### Optional Parameters
#### `autofs_package_name`
Name of the autofs package to install if enabled.
#### `configure_dns_server`
If true, then the parameter '--setup-dns' is passed to the IPA server installer.
Also, triggers the install of the required dns server packages.
#### `configure_ntp`
If false, then the parameter '--no-ntp' is passed to the IPA server installer.
#### `custom_dns_forwarders`
Each element in this array is prefixed with '--forwarder ' and passed to the IPA server installer.
#### `domain_join_principal`
The principal (usually username) used to join a client or replica to the IPA domain.
#### `domain_join_password`
The password for the domain_join_principal.
#### `enable_hostname`
If true, then the parameter '--hostname' is populated with the parameter 'ipa_server_fqdn'
and passed to the IPA installer.
#### `enable_ip_address`
If true, then the parameter '--ip-address' is populated with the parameter 'ip_address'
and passed to the IPA installer.
#### `fixed_primary`
If true, then the parameter '--fixed-primary' is passed to the IPA installer.
#### `idstart`
From the IPA man pages: "The starting user and group id number".
#### `install_autofs`
If true, then the autofs packages are installed.
#### `install_epel`
If true, then the epel repo is installed. The epel repo is usually required for sssd packages.
#### `install_kstart`
If true, then the kstart packages are installed.
#### `install_ldaputils`
If true, then the ldaputils packages are installed.
#### `install_sssdtools`
If true, then the sssdtools packages are installed.
#### `ipa_client_package_name`
Name of the IPA client package.
#### `ipa_server_package_name`
Name of the IPA server package.
#### `install_ipa_client`
If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'.
#### `install_ipa_server`
If true, then the IPA server packages are installed if the parameter 'ipa_role' is not set to 'client'.
#### `install_sssd`
If true, then the sssd packages are installed.
#### `ip_address`
IP address to pass to the IPA installer.
#### `ipa_server_fqdn`
Actual fqdn of the IPA server or client.
#### `kstart_package_name`
Name of the kstart package.
#### `ldaputils_package_name`
Name of the ldaputils package.
#### `ipa_master_fqdn`
FQDN of the server to use for a client or replica domain join.
#### `manage_host_entry`
If true, then a host entry is created using the parameters 'ipa_server_fqdn' and 'ip_address'.
#### `mkhomedir`
If true, then the parameter '--mkhomedir' is passed to the IPA client installer.
#### `no_ui_redirect`
If true, then the parameter '--no-ui-redirect' is passed to the IPA server installer.
#### `realm`
The name of the IPA realm to create or join.
#### `sssd_package_name`
Name of the sssd package.
#### `sssdtools_package_name`
Name of the sssdtools package.
#### `webui_disable_kerberos`
If true, then /etc/httpd/conf.d/ipa.conf is written to exclude kerberos support for
incoming requests whose HTTP_HOST variable match the parameter 'webio_proxy_external_fqdn'.
This allows the IPA Web UI to work on a proxied port, while allowing IPA client access to
function as normal.
#### `webui_enable_proxy`
If true, then httpd is configured to act as a reverse proxy for the IPA Web UI. This allows
for the Web UI to be accessed from different ports and hostnames than the default.
#### `webui_force_https`
If true, then /etc/httpd/conf.d/ipa-rewrite.conf is modified to force all connections to https.
This is necessary to allow the WebUI to be accessed behind a reverse proxy when using nonstandard
ports.
#### `webui_proxy_external_fqdn`
The public or external FQDN used to access the IPA Web UI behind the reverse proxy.
#### `webui_proxy_https_port`
The HTTPS port to use for the reverse proxy. Cannot be 443.
## Limitations
This module has only been tested on Centos 7.
## Testing
A vagrantfile is provided for easy testing.
Steps to get started:
1. Install vagrant.
1. Install virtualbox.
1. Clone this repo.
1. Run `vagrant up` in a terminal window from the root of the repo.
1. Open a browser and navigate to `https://localhost:8440`.
Log in with username `admin` and password `vagrant123`.
## License
jpuskar/puppet-easy_ipa forked from:
huit/puppet-ipa - Puppet module that can manage an IPA master, replicas and clients.
Copyright (C) 2013 Harvard University Information Technology
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
require 'rubygems'
require 'puppetlabs_spec_helper/rake_tasks'
require 'puppet-lint/tasks/puppet-lint'
PuppetLint.configuration.send('disable_80chars')
PuppetLint.configuration.ignore_paths = ["spec/**/*.pp", "pkg/**/*.pp"]
# Forsake support for Puppet 2.6.2 for the benefit of cleaner code.
# http://puppet-lint.com/checks/class_inherits_from_params_class/
PuppetLint.configuration.send('disable_class_inherits_from_params_class')
desc "Run all tests"
task :default => [:lint, :validate, :spec]
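Review bot: `require 'rubygems'` is redundant on the Ruby this project targets (`rvm: 2.2` in .travis.yml), since the interpreter loads RubyGems itself, so the line can be dropped. Requiring `puppet-lint/tasks/puppet-lint` next to `puppetlabs_spec_helper/rake_tasks` appears to define the `lint` task twice, because the spec helper's rake tasks already load the puppet-lint tasks; if that holds for the pinned versions, the explicit require is redundant too, while the `PuppetLint.configuration` calls can stay as they are.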
# -*- mode: ruby -*-
Vagrant.configure("2") do |config|
config.vm.define "ipa-server-1" do |box|
box.vm.box = "bento/centos-7.3"
box.vm.hostname = 'ipa-server-1.vagrant.example.lan'
# Assign this VM to a host-only network IP, allowing you to access it
# via the IP.
box.vm.provider 'virtualbox' do |vb|
vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"]
vb.gui = false
vb.memory = 4096
vb.customize ["modifyvm", :id, "--ioapic", "on"]
vb.customize ["modifyvm", :id, "--hpet", "on"]
end
box.vm.network "private_network", ip: "192.168.44.35"
box.vm.network "forwarded_port", guest: 8000, host: 8000
box.vm.network "forwarded_port", guest: 8440, host: 8440
$script = <<SCRIPT
echo I am provisioning...
export FACTER_is_vagrant='true'
rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
yum install -y puppet-agent
export PATH=$PATH:/opt/puppetlabs/bin
puppet module install puppetlabs-concat
puppet module install puppetlabs-stdlib
puppet module install crayfishx-firewalld
puppet module install puppet-selinux
if [ -d /tmp/modules/easy_ipa ]; then rm -rf /tmp/modules/easy_ipa; fi
mkdir -p /tmp/modules/easy_ipa
cp -r /vagrant/* /tmp/modules/easy_ipa
puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
class {'::easy_ipa':\
ipa_role => 'master',\
domain => 'vagrant.example.lan',\
ipa_server_fqdn => 'ipa-server-1.vagrant.example.lan',\
admin_password => 'vagrant123',\
directory_services_password => 'vagrant123',\
install_ipa_server => true,\
ip_address => '192.168.44.35',\
enable_ip_address => true,\
enable_hostname => true,\
manage_host_entry => true,\
install_epel => true,\
webui_disable_kerberos => true,\
webui_enable_proxy => true,\
webui_force_https => true,\
}"
SCRIPT
box.vm.provision "shell", inline: $script
end
config.vm.define "ipa-server-2" do |box|
box.vm.box = "bento/centos-7.3"
box.vm.hostname = 'ipa-server-2.vagrant.example.lan'
# Assign this VM to a host-only network IP, allowing you to access it
# via the IP.
box.vm.provider 'virtualbox' do |vb|
vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"]
vb.gui = false
vb.memory = 4096
vb.customize ["modifyvm", :id, "--ioapic", "on"]
vb.customize ["modifyvm", :id, "--hpet", "on"]
end
box.vm.network "private_network", ip: "192.168.44.36"
$script = <<SCRIPT
echo I am provisioning...
export FACTER_is_vagrant='true'
rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
yum install -y puppet-agent
export PATH=$PATH:/opt/puppetlabs/bin
puppet module install puppetlabs-concat
puppet module install puppetlabs-stdlib
puppet module install crayfishx-firewalld
puppet module install puppet-selinux
puppet module install saz-resolv_conf
if [ -d /tmp/modules/easy_ipa ]; then rm -rf /tmp/modules/easy_ipa; fi
mkdir -p /tmp/modules/easy_ipa
cp -r /vagrant/* /tmp/modules/easy_ipa
puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
class { 'resolv_conf':\
nameservers => ['192.168.44.35'],\
}"
puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
host {'ipa-server-1.vagrant.example.lan':\
ensure => present,\
ip => '192.168.44.35',\
}"
puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
class {'::easy_ipa':\
ipa_role => 'replica',\
domain => 'vagrant.example.lan',\
ipa_server_fqdn => 'ipa-server-2.vagrant.example.lan',\
domain_join_password => 'vagrant123',\
install_ipa_server => true,\
ip_address => '192.168.44.36',\
enable_ip_address => true,\
enable_hostname => true,\
manage_host_entry => true,\
install_epel => true,\
ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan',\
}"
SCRIPT
# admin_password => 'vagrant123',\
box.vm.provision "shell", inline: $script
end
config.vm.define "ipa-client-1" do |box|
box.vm.box = "bento/centos-7.3"
box.vm.hostname = 'ipa-client-1.vagrant.example.lan'
# Assign this VM to a host-only network IP, allowing you to access it
# via the IP.
box.vm.provider 'virtualbox' do |vb|
vb.customize ["modifyvm", :id, "--natnet1", "172.31.9/24"]
vb.gui = false
vb.memory = 4096
vb.customize ["modifyvm", :id, "--ioapic", "on"]
vb.customize ["modifyvm", :id, "--hpet", "on"]
end
box.vm.network "private_network", ip: "192.168.44.37"
$script = <<SCRIPT
echo I am provisioning...
export FACTER_is_vagrant='true'
rpm -ivh https://yum.puppetlabs.com/puppetlabs-release-pc1-el-7.noarch.rpm
yum install -y puppet-agent
export PATH=$PATH:/opt/puppetlabs/bin
puppet module install puppetlabs-concat
puppet module install puppetlabs-stdlib
puppet module install crayfishx-firewalld
puppet module install puppet-selinux
puppet module install saz-resolv_conf
if [ -d /tmp/modules/easy_ipa ]; then rm -rf /tmp/modules/easy_ipa; fi
mkdir -p /tmp/modules/easy_ipa
cp -r /vagrant/* /tmp/modules/easy_ipa
puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
class { 'resolv_conf':\
nameservers => ['192.168.44.35'],\
}"
puppet apply --modulepath '/tmp/modules:/etc/puppetlabs/code/environments/production/modules' -e "\
class {'::easy_ipa':\
ipa_role => 'client',\
domain => 'vagrant.example.lan',\
domain_join_password => 'vagrant123',\
install_epel => true,\
ipa_master_fqdn => 'ipa-server-1.vagrant.example.lan',\
}"
SCRIPT
box.vm.provision "shell", inline: $script
end
end
\ No newline at end of file
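Review bot: Every `puppet module install <name>` line in the three provisioning heredocs pulls the latest Forge release with no version pin, so each `vagrant up` provisions an unreviewed and possibly different dependency set; pin them with `--version`, e.g. `puppet module install puppetlabs-stdlib --version '<pinned stdlib version>'`, consistent with the >= 4.13.0 requirement the README states. `$script` is a Ruby global reassigned once per VM definition; a block-local `script = <<SCRIPT` (or one helper that takes the per-node manifest) avoids the global and the three near-identical copies of the bootstrap lines. The stray `# admin_password => 'vagrant123',\` comment after the second `SCRIPT` terminator is outside the heredoc and is dead text that should be removed.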
#
class easy_ipa::config {
}
\ No newline at end of file
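Review bot: The header comment above `class easy_ipa::config` is an empty `#`, as is the one above `class easy_ipa::helpers` further down, so a reader cannot tell whether these empty bodies are intentional namespace anchors or unfinished work. If they exist to namespace the `easy_ipa::config::*` and `easy_ipa::helpers::*` classes, say so: `# Namespace anchor for easy_ipa::config::* classes; intentionally empty.`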
#
class easy_ipa::config::admin_user {
$uid_number = $easy_ipa::idstart
$home_dir_path = '/home/admin'
# Ensure admin homedir and keytab files.
file { $home_dir_path:
ensure => directory,
mode => '0700',
owner => $uid_number,
group => $uid_number,
recurse => true,
notify => Exec['configure_admin_keytab'],
require => Exec["server_install_${easy_ipa::ipa_server_fqdn}"],
}
file { "${home_dir_path}/.k5login":
owner => $uid_number,
group => $uid_number,
require => File[$home_dir_path],
}
file { "${home_dir_path}/admin.keytab":
owner => $uid_number,
group => $uid_number,
mode => '0600',
require => File[$home_dir_path],
notify => Exec['configure_admin_keytab'],
}
# Gives admin user the host/fqdn principal.
k5login { "${home_dir_path}/.k5login":
principals => $easy_ipa::master_principals,
notify => File["${home_dir_path}/.k5login"],
require => File[$home_dir_path]
}
# Set keytab for admin user.
$configure_admin_keytab_cmd = "/usr/sbin/kadmin.local -q \"ktadd -norandkey -k ${home_dir_path}/admin.keytab admin\" "
exec { 'configure_admin_keytab':
command => $configure_admin_keytab_cmd,
cwd => $home_dir_path,
unless => shellquote('/usr/bin/kvno','-k',"${home_dir_path}/admin.keytab","admin@${easy_ipa::final_realm}"),
notify => Exec['chown_admin_keytab'],
refreshonly => true,
require => Cron['k5start_admin'],
}
$chown_admin_keytab_cmd = "chown ${uid_number}:${uid_number} ${home_dir_path}/admin.keytab"
$chown_admin_keytab_cmd_unless = "ls -lan ${home_dir_path}/admin.keytab | grep ${uid_number}\\ ${uid_number} "
exec { 'chown_admin_keytab':
command => $chown_admin_keytab_cmd,
cwd => $home_dir_path,
unless => $chown_admin_keytab_cmd_unless,
provider => shell,
}
$k5start_admin_keytab_cmd = "/sbin/runuser -l admin -c \"/usr/bin/k5start -f ${home_dir_path}/admin.keytab -U\""
$k5start_admin_keytab_cmd_unless = "/sbin/runuser -l admin -c /usr/bin/klist | grep -i krbtgt\\/${easy_ipa::final_realm}\\@"
exec { 'k5start_admin_keytab':
command => $k5start_admin_keytab_cmd,
cwd => $home_dir_path,
unless => $k5start_admin_keytab_cmd_unless,
require => [
Cron['k5start_admin'],
Exec['chown_admin_keytab'],
]
}
# Automatically refreshes admin keytab.
cron { 'k5start_admin':
command => "/usr/bin/k5start -f ${home_dir_path}/admin.keytab -U > /dev/null 2>&1",
user => 'admin',
minute => '*/1',
notify => Exec['chown_admin_keytab'],
require => [
Package[$easy_ipa::kstart_package_name],
K5login["${home_dir_path}/.k5login"],
File[$home_dir_path]
],
}
}
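Review bot: The class header is a bare `#`, and what this class does deserves documenting: it exports a keytab for the IPA `admin` principal with `ktadd -norandkey` into `${home_dir_path}/admin.keytab` and keeps a ticket for it fresh through a per-minute `k5start` cron, so a long-lived, non-rotated domain-administrator credential lives on the server's disk protected only by the `0600` mode. A header such as `# Creates the admin home directory, exports the IPA admin principal's keytab (key not randomized) into it and keeps a Kerberos ticket refreshed via cron; the keytab is a persistent admin credential, guard it accordingly.` would make that trade-off visible to operators. `Exec['chown_admin_keytab']` duplicates the `owner`/`group` already declared on `File["${home_dir_path}/admin.keytab"]` and its `unless` parses `ls -lan` output, so it could be dropped in favour of the file resource (with `ensure => file` and the `notify => Exec['chown_admin_keytab']` references updated). `Exec['k5start_admin_keytab']` and `Cron['k5start_admin']` both start k5start against the same keytab, and the exec's `unless` greps `klist` output of the admin user's default credential cache; a comment explaining why both are needed would help.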
# Configures port and redirect overrides for the IPA server web UI.
class easy_ipa::config::webui {
if $easy_ipa::webui_enable_proxy {
#ref: https://www.redhat.com/archives/freeipa-users/2016-June/msg00128.html
$proxy_server_internal_fqdn = $easy_ipa::ipa_server_fqdn
$proxy_server_external_fqdn = $easy_ipa::webui_proxy_external_fqdn
$proxy_https_port = $easy_ipa::webui_proxy_https_port
$proxy_server_external_fqdn_and_port = "${proxy_server_external_fqdn}:${proxy_https_port}"
$proxy_internal_uri = "https://${proxy_server_internal_fqdn}"
$proxy_external_uri = "https://${proxy_server_external_fqdn}:${proxy_https_port}"
$proxy_server_name = "https://${easy_ipa::ipa_server_fqdn}:${proxy_https_port}"
$proxy_referrer_regex = regsubst(
$proxy_external_uri,
'\.',
'\.',
'G',
)
file_line { 'webui_additional_https_port_listener':
ensure => present,
path => '/etc/httpd/conf.d/nss.conf',
line => "Listen ${proxy_https_port}",
after => 'Listen\ 443',
notify => Service['httpd'],
}
file { '/etc/httpd/conf.d/ipa-rewrite.conf':
ensure => present,
replace => true,
content => template('easy_ipa/ipa-rewrite.conf.erb'),
notify => Service['httpd'],
}
file { '/etc/httpd/conf.d/ipa-webui-proxy.conf':
ensure => present,
replace => true,
content => template('easy_ipa/ipa-webui-proxy.conf.erb'),
notify => Service['httpd'],
}
}
if $easy_ipa::webui_disable_kerberos {
file_line{'disable_kerberos_via_if_1':
ensure => present,
path => '/etc/httpd/conf.d/ipa.conf',
line => " <If \"%{HTTP_HOST} != '${proxy_server_external_fqdn_and_port}'\">",
notify => Service['httpd'],
after => '<Location\ "/ipa">',
}
file_line{'disable_kerberos_via_if_2':
ensure => present,
path => '/etc/httpd/conf.d/ipa.conf',
line => ' </If>',
notify => Service['httpd'],
after => 'ErrorDocument\ 401\ /ipa/errors/unauthorized.html',
}
}
}
\ No newline at end of file
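Review bot: `$proxy_server_external_fqdn_and_port`, interpolated into the `<If "%{HTTP_HOST} != ...">` line of `disable_kerberos_via_if_1`, is only assigned inside the `if $easy_ipa::webui_enable_proxy` branch; when `webui_disable_kerberos` is true but `webui_enable_proxy` is false the variable is undefined and (unless `strict_variables` is on) interpolates as an empty string, so the written condition becomes `%{HTTP_HOST} != ''`, which holds for every request and disables Kerberos authentication for the whole `/ipa` location instead of for the proxied hostname only. Move the assignment above both conditionals, or guard the second block: `if $easy_ipa::webui_disable_kerberos and !$easy_ipa::webui_enable_proxy { fail('webui_disable_kerberos requires webui_enable_proxy') }`. The match keys on the client-supplied Host header, so it selects which requests skip Kerberos rather than restricting anything; a sentence saying so next to the existing `#ref:` comment would help readers.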
#
class easy_ipa::helpers {
}
\ No newline at end of file
define easy_ipa::helpers::flushcache {
#TODO: nscd should be called on both platforms.
if $::osfamily == 'RedHat' {
$ipa_fluch_cache_cmd = "\
if [ -x /usr/sbin/sss_cache ]; then \
/usr/sbin/sss_cache -UGNA >/dev/null 2>&1 ; \
else \
/usr/bin/find /var/lib/sss/db -type f -exec rm -f \"{}\" ; ; \
fi"
} elsif $::osfamily == 'Debian' {
$ipa_fluch_cache_cmd = "\
if [ -x /usr/sbin/nscd ]; then \
/usr/sbin/nscd -i passwd -i group -i netgroup -i automount >/dev/null 2>&1 ; \
elif [ -x /usr/sbin/sss_cache ]; then \
/usr/sbin/sss_cache -UGNA >/dev/null 2>&1 ; \
else \
/usr/bin/find /var/lib/sss/db -type f -exec rm -f \"{}\" ; ; \
fi"
} else {
fail('The class easy_ipa::flushcache is only written for RedHat and Debian.')
}
exec { "ipa_flushcache_${title}":
command => "/bin/bash -c ${ipa_fluch_cache_cmd}",
returns => ['0','1','2'],
notify => Service['sssd'],
refreshonly => true,
}
}
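Review bot: `command => "/bin/bash -c ${ipa_fluch_cache_cmd}"` passes the script unquoted, so bash receives only `if` as its `-c` argument and the rest of the text is parsed as further words or by the outer shell, making every `ipa_flushcache_*` exec fail or misbehave; `returns => ['0','1','2']` then masks that failure. Use `provider => shell` with `command => $ipa_fluch_cache_cmd`, and drop `returns` or keep only the codes sss_cache and nscd are documented to return. The `find ... -exec rm -f \"{}\" ; ;` fallback is also malformed: `-exec` needs an escaped terminator, `\\;` in this double-quoted Puppet string, and the second `;` should go. The `fail()` message names `easy_ipa::flushcache` while the define is `easy_ipa::helpers::flushcache`, and `ipa_fluch_cache_cmd` looks like a typo of `flush`.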
# == Class: ipa
#
# Manages IPA masters, replicas and clients.
#
# Parameters
# ----------
# `domain`
# (string) The name of the IPA domain to create or join.
# `ipa_role`
# (string) What role the node will be. Options are 'master', 'replica', and 'client'.
#
# `admin_password`
# (string) Password which will be assigned to the IPA account named 'admin'.
#
# `directory_services_password`
# (string) Password which will be passed into the ipa setup's parameter named "--ds-password".
#
# `autofs_package_name`
# (string) Name of the autofs package to install if enabled.
#
# `client_install_ldaputils`
# (boolean) If true, then the ldaputils packages are installed if ipa_role is set to client.
#
# `configure_dns_server`
# (boolean) If true, then the parameter '--setup-dns' is passed to the IPA server installer.
# Also, triggers the install of the required dns server packages.
#
# `configure_ntp`
# (boolean) If false, then the parameter '--no-ntp' is passed to the IPA server installer.
#
# `custom_dns_forwarders`
# (array[string]) Each element in this array is prefixed with '--forwarder '
# and passed to the IPA server installer.
#
# `domain_join_principal`
# (string) The principal (usually username) used to join a client or replica to the IPA domain.
#
# `domain_join_password`
# (string) The password for the domain_join_principal.
#
# `enable_hostname`
# (boolean) If true, then the parameter '--hostname' is populated with the parameter 'ipa_server_fqdn'
# and passed to the IPA installer.
#
# `enable_ip_address`
# (boolean) If true, then the parameter '--ip-address' is populated with the parameter 'ip_address'
# and passed to the IPA installer.
#
# `fixed_primary`
# (boolean) If true, then the parameter '--fixed-primary' is passed to the IPA installer.
#
# `idstart`
# (integer) From the IPA man pages: "The starting user and group id number".
#
# `install_autofs`
# (boolean) If true, then the autofs packages are installed.
#
# `install_epel`
# (boolean) If true, then the epel repo is installed. The epel repo is usually required for sssd packages.
#
# `install_kstart`
# (boolean) If true, then the kstart packages are installed.
#
# `install_sssdtools`
# (boolean) If true, then the sssdtools packages are installed.
#
# `ipa_client_package_name`
# (string) Name of the IPA client package.
#
# `ipa_server_package_name`
# (string) Name of the IPA server package.
#
# `install_ipa_client`
# (boolean) If true, then the IPA client packages are installed if the parameter 'ipa_role' is set to 'client'.
#
# `install_ipa_server`
# (boolean) If true, then the IPA server packages are installed if the parameter 'ipa_role' is not set to 'client'.
#
# `install_sssd`
# (boolean) If true, then the sssd packages are installed.
#
# `ip_address`
# (string) IP address to pass to the IPA installer.
#
# `ipa_server_fqdn`
# (string) Actual fqdn of the IPA server or client.
#