ipaconfig: Add support for SID related attributes.

Since FreeIPA 4.9.8 the 'config_mod' command has parameters to enable and configure SIDs, and set the Netbios name. This patch adds the following parameters to ipaconfig plugin: enable_sids: New users and groups automatically get a SID assigned add_sids: Add SIDs for existing users and groups netbios_name: NetBIOS name of the IPA domain Both add_sids and netbios_name requires 'enable_sid: yes'. 'enable_sid' and 'netbios_name' are returned when querying IPA configuration. 'add_sids' always generate SIDs for users and groups, so, muiltiple executions of the playbook with 'add_sids: yes' will return 'changed', even if users and groups SIDs are not modified. A new test playbook is available: tests/config/test_config_sid.yml New examples playbooks are available: playbooks/config/change-ipa-domain-netbios-name.yml playbooks/config/generate-users-groups-sids.yml Fixes: #781 Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069174 Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069184
2026-05-14 21:42:17 +00:00 · 2022-09-05 17:18:00 -03:00
parent 2973c80975
commit 3c8d6c7c7a
6 changed files with 256 additions and 9 deletions
--- a/tests/config/test_config_sid.yml
+++ b/tests/config/test_config_sid.yml
@@ -0,0 +1,70 @@
+---
+- name: Test config
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
+  become: no
+  gather_facts: no
+
+  tasks:
+
+  # GET CURRENT CONFIG
+
+  - name: Return current values of the global configuration options
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+    register: previous
+
+  # TESTS
+  - block:
+    - name: Ensure SID is enabled.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+      register: result
+      failed_when: result.failed or previous.config.enable_sid == result.changed
+
+    - name: Ensure SID is enabled, again.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+      register: result
+      failed_when: result.failed or result.changed
+
+    - name: Ensure netbios_name is "IPATESTPLAY"
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+        netbios_name: IPATESTPLAY
+      register: result
+      failed_when: result.failed or not result.changed
+
+    - name: Ensure netbios_name is "IPATESTPLAY", again
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+        netbios_name: IPATESTPLAY
+      register: result
+      failed_when: result.failed or result.changed
+
+    # add_sids is not idempotent as it always tries to generate the missing
+    # SIDs for users and groups.
+    - name: Add SIDs to users and groups.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+        add_sids: yes
+
+    # REVERT TO PREVIOUS CONFIG
+    always:
+    # Once SID is enabled, it cannot be reverted.
+    - name: Revert netbios_name to original configuration
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
+        enable_sid: yes