ipaconfig: Do not require enable_sid for add_sids or netbios_name

Current behavior of ipaconfig mimics FreeIPA CLI and requires that 'enable_sid' is set to True every time add_sids or netbios_name are used. It is sufficient that SID generation is enabled to use add_sids and netbios_name, but the IPA API requires 'enable_sid' so that the operations are executed. This patch allows ansible-freeipa plugin ipaconfig to run 'add_sids' or set 'netbios_name without requiring 'enable_sid' to be set on the playbook. If SID generation is enabled, 'add_sids' and 'netbios_name' can be used without 'enable_sid: yes'. If SID generation is not enabled, an error message will be raised if 'enable_sid: yes' is not used.
2026-05-14 05:22:05 +00:00 · 2022-10-18 10:26:01 -03:00
parent 17606651eb
commit c808ad6e34
3 changed files with 75 additions and 28 deletions
--- a/tests/config/test_config_sid.yml
+++ b/tests/config/test_config_sid.yml
@@ -19,6 +19,32 @@

  # TESTS
  - block:
+    - name: Check if SID is enabled.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+      check_mode: yes
+      register: sid_disabled
+
+    - name: Ensure netbios_name can't be changed without SID enabled.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        netbios_name: IPATESTPLAY
+      register: result
+      failed_when: not result.failed and "SID generation must be enabled" in result.msg
+      when: sid_disabled.changed
+
+    - name: Ensure SIDs can't be changed without SID enabled.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        add_sids: yes
+      register: result
+      failed_when: not result.failed and "SID generation must be enabled" in result.msg
+      when: sid_disabled.changed
+
    - name: Ensure SID is enabled.
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
@@ -56,18 +82,36 @@
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
-        enable_sid: yes
        netbios_name: IPATESTPLAY
      register: result
      failed_when: result.failed or result.changed

+    - name: Ensure netbios_name cannot be set with lowercase characters
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        netbios_name: IPATESTplay
+      register: result
+      failed_when:
+        (not result.failed
+         and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message)
+
+    - name: Ensure netbios_name cannot be set different lowercase characters
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        netbios_name: otherPLAY
+      register: result
+      failed_when:
+        (not result.failed
+         and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message)
+
    # add_sids is not idempotent as it always tries to generate the missing
    # SIDs for users and groups.
    - name: Add SIDs to users and groups.
      ipaconfig:
        ipaadmin_password: SomeADMINpassword
        ipaapi_context: "{{ ipa_context | default(omit) }}"
-        enable_sid: yes
        add_sids: yes

    # only run tests if version supports enable-sid