ansible-freeipa
[RFE] Allow the use of principals other than admin when using ipaadmin_keytab
When installing a client using the ipaclient role, if you use the variable ipaadmin_keytab, there is a task in the role that checks to make sure you haven't defined both ipaadmin_principal and ipaadmin_keytab. But adding this limitation means you can only use the keytab for the admin user; other keytabs, for users who are "admins" in your IPA configuration, cannot be used even though those users have the correct permissions. If you try to use any keytab other than the one for the admin user, it will fail because the principal defaults to "admin" and the credentials for admin can't be found in someone else's keytab. I don't see the purpose of forcing you to only use the keytab for the admin user rather than allowing you to specify other principals to use with their own keytabs and just defaulting to admin.

If you run the role with ignore_errors: true and specify the principal of a different admin user and also provide their keytab, it skips over the check that would usually error out if they were both defined at the same time, and the rest of the role finishes without error, so it functions without this check as well. In my use case, I would much rather allow people to pass their own keytabs into my playbook instead of having to pass in a principal and password, or worry about handing out the keytab for the admin user.
The task I'm referring to is "Check that either principal or keytab is set" in ansible-freeipa/roles/ipaclient/tasks/install.yml
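As an added illustration (not the ansible-freeipa role's own tasks), the two validation styles the issue contrasts: the current form rejects a principal set alongside a keytab, while the relaxed form only requires a keytab to be paired with some principal, defaulting to admin. Variable names ipaadmin_principal and ipaadmin_keytab come from the issue; ipaadmin_password and the task wording are assumptions.

```yaml
# Current behaviour as described in the issue: keytab and principal are
# mutually exclusive, so only the admin keytab can ever be used.
- name: Check that either principal or keytab is set (restrictive form)
  fail:
    msg: "ipaadmin_principal and ipaadmin_keytab cannot both be set"
  when: ipaadmin_principal is defined and ipaadmin_keytab is defined

# Relaxed form requested in the issue: a keytab may belong to any admin
# principal; the principal still defaults to "admin" when not given.
- name: Default the principal to admin
  set_fact:
    ipaadmin_principal: "{{ ipaadmin_principal | default('admin') }}"

- name: Require exactly one credential source
  fail:
    msg: "Set either ipaadmin_password or ipaadmin_keytab, not both"
  when: >
    (ipaadmin_password is defined) == (ipaadmin_keytab is defined)

# With the relaxed check, a keytab for a non-admin principal can obtain a
# ticket for that principal instead of failing on a missing admin key.
- name: Obtain a Kerberos ticket from the keytab for the chosen principal
  command: kinit -kt "{{ ipaadmin_keytab }}" "{{ ipaadmin_principal }}"
  when: ipaadmin_keytab is defined
  no_log: true
```

The `no_log` on the kinit task keeps the keytab path and principal out of the playbook output, which matters once keytabs other than admin's start flowing through the role.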
I agree with the use case, but this change has a huge impact on how we expect the roles to work today, and some security concerns.
I'm setting this as an RFE ("enhancement"), so we can prioritize it.
Are these changes going to get pushed up to galaxy soon?
They will make it into galaxy with the next ansible-freeipa release that is planned for Dec 12th so far.