I'm not a TLS-e expert, but my understanding is that as long as your IDM server can be looked up within DNSDomain, you don't need to add IdMDomain.
> It is unclear how not setting `IdMDomain` the `freeipa_ansible.client` can detect it.
Are you talking about the ipaclient role from ansible-freeipa or anything different?
I could not find anything referring to freeipa_ansible.
Again, did you set BOTH IdMServer and IdMDomain in your deployment templates?
If you set the parameter to a non-empty value then IdMDomain should be passed to that ipaclient role. Unless you set IdMServer, IdMDomain is not passed to the role.
The parameter description[1] says:
```
IDM domain to register IDM client. Typically, this is discovered through DNS and does not have to be set explicitly.
```
[1] https://github.com/openstack/tripleo-heat-templates/blob/5f7f6334c377e7cbd6012f35966bd18ed6709fc6/deployment/ipa/ipaservices-baremetal-ansible.yaml#L36-L40