diff --git a/README-dnsconfig.md b/README-dnsconfig.md
new file mode 100644
index 00000000..029ec515
--- /dev/null
+++ b/README-dnsconfig.md
@@ -0,0 +1,140 @@
+DNSConfig module
+============
+
+Description
+-----------
+
+The dnsconfig module allows to modify global DNS configuration.
+
+
+Features
+--------
+* Global DNS configuration
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipadnsconfig module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to set global DNS configuration:
+
+```yaml
+---
+- name: Playbook to handle global DNS configuration
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ # Set dnsconfig.
+ - ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ forward_policy: only
+ allow_sync_ptr: yes
+```
+
+Example playbook to ensure a global forwarder, with a custom port, is absent:
+
+```yaml
+---
+- name: Playbook to handle global DNS configuration
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ # Ensure global forwarder with a custom port is absent.
+ - ipadnsconfig:
+ forwarders:
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ state: absent
+```
+
+Example playbook to disable global forwarders:
+
+```yaml
+---
+- name: Playbook to disable global DNS forwarders
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ # Disable global forwarders.
+ - ipadnsconfig:
+ forward_policy: none
+```
+
+Example playbook to change global forward policy:
+
+```yaml
+---
+- name: Playbook to change global forward policy
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ # Disable global forwarders.
+ - ipadnsconfig:
+ forward_policy: first
+```
+
+Example playbook to disallow synchronization of forward (A, AAAA) and reverse (PTR) records:
+
+```yaml
+---
+- name: Playbook to disallow reverse synchronization.
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ # Disable global forwarders.
+ - ipadnsconfig:
+ allow_sync_ptr: no
+```
+
+Variables
+=========
+
+ipadnsconfig
+------------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
+ | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
+ | `port` - The custom port that should be used on this server. | no
+`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`. | no
+`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | yes
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
+
+
+Authors
+=======
+
+Rafael Guterres Jeffman
diff --git a/README-group.md b/README-group.md
index 8bba3237..4a278560 100644
--- a/README-group.md
+++ b/README-group.md
@@ -52,20 +52,20 @@ Example playbook to add groups:
tasks:
# Create group ops with gid 1234
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops
gidnumber: 1234
# Create group sysops
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops
user:
- pinky
# Create group appops
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: appops
```
@@ -80,7 +80,7 @@ Example playbook to add users to a group:
tasks:
# Add user member brain to group sysops
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops
action: member
user:
@@ -100,7 +100,7 @@ Example playbook to add group members to a group:
tasks:
# Add group members sysops and appops to group sysops
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops
group:
- sysops
@@ -118,7 +118,7 @@ Example playbook to remove groups:
tasks:
# Remove goups sysops, appops and ops
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops,appops,ops
state: absent
```
@@ -138,7 +138,7 @@ Variable | Description | Required
`description` | The group description string. | no
`gid` \| `gidnumber` | The GID integer. | no
`nonposix` | Create as a non-POSIX group. (bool) | no
-`external` | Allow adding external non-IPA members from trusted domains. (flag) | no
+`external` | Allow adding external non-IPA members from trusted domains. (bool) | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`user` | List of user name strings assigned to this group. | no
`group` | List of group name strings assigned to this group. | no
diff --git a/README-hbacrule.md b/README-hbacrule.md
index 39a242c1..d14692f9 100644
--- a/README-hbacrule.md
+++ b/README-hbacrule.md
@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Rule login exists:
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
```
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Rule login exists with the only HBAC Service
tasks:
# Ensure HBAC Rule login is present with the only HBAC Service sshd
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -83,7 +83,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -101,7 +101,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -120,7 +120,7 @@ Example playbook to make sure HBAC Rule login is absent:
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
state: absent
```
diff --git a/README-hbacsvc.md b/README-hbacsvc.md
index 861ed6f9..7203e549 100644
--- a/README-hbacsvc.md
+++ b/README-hbacsvc.md
@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Service for http is present
tasks:
# Ensure HBAC Service for http is present
- ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: http
description: Web service
```
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Service for tftp is present
tasks:
# Ensure HBAC Service for tftp is present
- ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: tftp
description: TFTPWeb service
```
@@ -82,7 +82,7 @@ Example playbook to make sure HBAC Services for http and tftp are absent
tasks:
# Ensure HBAC Service for http and tftp are absent
- ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: http,tftp
state: absent
```
diff --git a/README-hbacsvcgroup.md b/README-hbacsvcgroup.md
index e2a8260f..56d5f7a6 100644
--- a/README-hbacsvcgroup.md
+++ b/README-hbacsvcgroup.md
@@ -4,7 +4,7 @@ HBACsvcgroup module
Description
-----------
-The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAP Service Groups and members of the groups.
+The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAC Service Groups and members of the groups.
Features
@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Service Group login exists:
tasks:
# Ensure HBAC Service Group login is present
- ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
```
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Service Group login exists with the only HBAC
tasks:
# Ensure HBAC Service Group login is present with the only HBAC Service sshd
- ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -83,7 +83,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Service Group
tasks:
# Ensure HBAC Service sshd is present in HBAC Service Group login
- ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -101,7 +101,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group
tasks:
# Ensure HBAC Service sshd is present in HBAC Service Group login
- ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -120,7 +120,7 @@ Example playbook to make sure HBAC Service Group login is absent:
tasks:
# Ensure HBAC Service Group login is present
- ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
state: absent
```
diff --git a/README-host.md b/README-host.md
index 77ca098d..5f540cac 100644
--- a/README-host.md
+++ b/README-host.md
@@ -52,7 +52,7 @@ Example playbook to ensure host presence:
tasks:
# Ensure host is present
- ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
description: Example host
ip_address: 192.168.0.123
@@ -65,6 +65,79 @@ Example playbook to ensure host presence:
- "52:54:00:BD:97:1E"
state: present
```
+Compared to `ipa host-add` command no IP address conflict check is done as the ipahost module supports to have several IPv4 and IPv6 addresses for a host.
+
+
+Example playbook to ensure host presence with several IP addresses:
+
+```yaml
+---
+- name: Playbook to handle hosts
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ # Ensure host is present
+ - ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: host01.example.com
+ description: Example host
+ ip_address:
+ - 192.168.0.123
+ - 192.168.0.124
+ - fe80::20c:29ff:fe02:a1b3
+ - fe80::20c:29ff:fe02:a1b4
+ locality: Lab
+ ns_host_location: Lab
+ ns_os_version: CentOS 7
+ ns_hardware_platform: Lenovo T61
+ mac_address:
+ - "08:00:27:E3:B1:2D"
+ - "52:54:00:BD:97:1E"
+ state: present
+```
+
+
+Example playbook to ensure IP addresses are present for a host:
+
+```yaml
+---
+- name: Playbook to handle hosts
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ # Ensure host is present
+ - ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: host01.example.com
+ ip_address:
+ - 192.168.0.124
+ - fe80::20c:29ff:fe02:a1b4
+ action: member
+ state: present
+```
+
+
+Example playbook to ensure IP addresses are absent for a host:
+
+```yaml
+---
+- name: Playbook to handle hosts
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ # Ensure host is present
+ - ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: host01.example.com
+ ip_address:
+ - 192.168.0.124
+ - fe80::20c:29ff:fe02:a1b4
+ action: member
+ state: absent
+```
Example playbook to ensure host presence without DNS:
@@ -78,7 +151,7 @@ Example playbook to ensure host presence without DNS:
tasks:
# Ensure host is present without DNS
- ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host02.example.com
description: Example host
force: yes
@@ -96,7 +169,7 @@ Example playbook to ensure host presence with a random password:
tasks:
- name: Host host01.example.com present with random password
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
random: yes
force: yes
@@ -120,7 +193,7 @@ Example playbook to ensure presence of several hosts with a random password:
tasks:
- name: Hosts host01.example.com and host01.example.com present with random passwords
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.example.com
random: yes
@@ -152,7 +225,7 @@ Example playbook to ensure presence of host member principal:
tasks:
- name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
principal:
- host/testhost01.example.com
@@ -171,7 +244,7 @@ Example playbook to ensure presence of host member certificate:
tasks:
- name: Host host01.example.com present with certificate
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
certificate:
- MIIC/zCCAeegAwIBAg...
@@ -189,7 +262,7 @@ Example playbook to ensure presence of member managedby_host for serveral hosts:
tasks:
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
managedby_host: server.exmaple.com
@@ -210,12 +283,12 @@ Example playbook to disable a host:
tasks:
# Ensure host is disabled
- ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
update_dns: yes
state: disabled
```
-`update_dns` controls if the DNS entries will be updated.
+`update_dns` controls if the DNS entries will be updated in this case. For `state` present it is controlling the update of the DNS SSHFP records, but not the the other DNS records.
Example playbook to ensure a host is absent:
@@ -269,25 +342,25 @@ Variable | Description | Required
`certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
`managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
`principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
-`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host.
Options: | no
-`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host.
Options: | no
-`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host.
Options: | no
-`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host.
Options: | no
-`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host.
Options: | no
-`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host.
Options: | no
-`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host.
Options: | no
-`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host.
Options: | no
+`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
+`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
+`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. | no
+`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. | no
+`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. | no
`mac_address` \| `macaddress` | List of hardware MAC addresses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
`userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened"] | no
+`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
`force` | Force host name even if not in DNS. | no
`reverse` | Reverse DNS detection. | no
-`ip_address` \| `ipaddress` | The host IP address. | no
-`update_dns` | Update DNS entries. | no
+`ip_address` \| `ipaddress` | The host IP address list. It can contain IPv4 and IPv6 addresses. No conflict check for IP addresses is done. | no
+`update_dns` | For existing hosts: DNS SSHFP records are updated with `state` present and all DNS entries for a host removed with `state` absent. | no
Return Values
diff --git a/README-hostgroup.md b/README-hostgroup.md
index 39ea77f0..85701244 100644
--- a/README-hostgroup.md
+++ b/README-hostgroup.md
@@ -52,7 +52,7 @@ Example playbook to make sure hostgroup databases exists:
tasks:
# Ensure host-group databases is present
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
@@ -72,7 +72,7 @@ Example playbook to make sure that hosts and hostgroups are present in existing
tasks:
# Ensure hosts and hostgroups are present in existing databases hostgroup
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
@@ -94,7 +94,7 @@ Example playbook to make sure hosts and hostgroups are absent in databases hostg
tasks:
# Ensure hosts and hostgroups are absent in databases hostgroup
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
@@ -116,7 +116,7 @@ Example playbook to make sure host-group databases is absent:
tasks:
# Ensure host-group databases is absent
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
state: absent
```
diff --git a/README-pwpolicy.md b/README-pwpolicy.md
index 16306b74..f0b5d885 100644
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -45,7 +45,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops:
tasks:
- name: Ensure presence of pwpolicies for group ops
ipapwpolicy:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops
minlife: 7
maxlife: 49
@@ -56,7 +56,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops:
maxfail: 3
```
-Example playbook to ensure absence of pwpolicies for group ops
+Example playbook to ensure absence of pwpolicies for group ops:
```yaml
---
@@ -67,11 +67,26 @@ Example playbook to ensure absence of pwpolicies for group ops
tasks:
# Ensure absence of pwpolicies for group ops
- ipapwpolicy:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops
state: absent
```
+Example playbook to ensure maxlife is set to 49 in global policy:
+
+```yaml
+---
+- name: Playbook to handle pwpolicies
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ # Ensure absence of pwpolicies for group ops
+ - ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ maxlife: 49
+```
+
Variables
=========
@@ -83,7 +98,7 @@ Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
-`name` \| `cn` | The list of pwpolicy name strings. | no
+`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
`maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
`minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
`history` \| `krbpwdhistorylength` | Password history size. (int) | no
diff --git a/README-service.md b/README-service.md
new file mode 100644
index 00000000..da0c692c
--- /dev/null
+++ b/README-service.md
@@ -0,0 +1,320 @@
+Service module
+==============
+
+Description
+-----------
+
+The service module allows to ensure presence and absence of services.
+
+
+Features
+--------
+
+* Service management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaservice module.
+
+Option `skip_host_check` requires FreeIPA version 4.7.0 or later.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FReeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure service is present:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service is present
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ certificate:
+ - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
+ DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
+ ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
+ VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
+ LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
+ oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
+ 4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
+ xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
+ UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
+ eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
+ 5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
+ uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
+ 2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
+ obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
+ /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
+ pac_type: PAD
+ auth_ind: otp
+ requires_pre_auth: false
+ ok_as_delegate: false
+ ok_to_auth_as_delegate: false
+ skip-host-check: true
+ force: true
+```
+
+
+Example playbook to make sure service is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service is present
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ state: absent
+```
+
+
+Example playbook to make sure service is disabled:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service is present
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ state: disabled
+```
+
+Example playbook to add a service even if the host object does not exist, but only if it does have a DNS entry:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service is present
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ skip_host_check: true
+ force: false
+```
+
+Example playbook to add a service if it does have a DNS entry, but host object exits:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service is present
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ skip_host_check: false
+ force: true
+```
+
+Example playbook to ensure service has a certificate:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service member certificate is present.
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ certificate:
+ - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
+ DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
+ ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
+ VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
+ LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
+ oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
+ 4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
+ xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
+ UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
+ eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
+ 5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
+ uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
+ 2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
+ obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
+ /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
+ action: member
+ state: present
+```
+
+Example playbook to add a principal to the service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Principal host/principal.example.com present in service.
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ principal: host/principal.example.com
+ action: member
+```
+
+Example playbook to enable a host to manage service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure host can manage service, again.
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ host: host1.example.com
+ action: member
+```
+
+Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Allow users, groups, hosts or host groups to create a keytab of this service.
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ allow_create_keytab_user:
+ - user01
+ - user02
+ allow_create_keytab_group:
+ - group01
+ - group02
+ allow_create_keytab_host:
+ - host1.example.com
+ - host2.example.com
+ allow_create_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+```
+
+Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Allow users, groups, hosts or host groups to retrieve a keytab of this service.
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+```
+
+
+Variables
+---------
+
+ipaservice
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `service` | The list of service name strings. | yes
+`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
+`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
+`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
+`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
+`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
+`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
+`skip_host_check` | Force service to be created even when host object does not exist to manage it. Default to false. (bool)| no
+`force` | Force principal name even if host not in DNS. Default to false. (bool) | no
+`host` \| `managedby_host`| Hosts that can manage the service. | no
+`principal` \| `krbprincipalname` | List of principal aliases for the service. | no
+`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
+`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group`| Groups allowed to create a keytab of this host. | no
+`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host`| Hosts allowed to create a keytab of this host. | no
+`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_group`| Host groups allowed to create a keytab of this host. | no
+`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this host. | no
+`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
+`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
+`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
+`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
+
+
+Authors
+=======
+
+Rafael Jeffman
diff --git a/README-sudocmd.md b/README-sudocmd.md
index 2842a2fc..64300e08 100644
--- a/README-sudocmd.md
+++ b/README-sudocmd.md
@@ -52,7 +52,7 @@ Example playbook to make sure sudocmd exists:
tasks:
# Ensure sudocmd is present
- ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: present
```
@@ -68,7 +68,7 @@ Example playbook to make sure sudocmd is absent:
tasks:
# Ensure sudocmd are absent
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: absent
```
diff --git a/README-sudocmdgroup.md b/README-sudocmdgroup.md
index f24b2cc4..cca08c19 100644
--- a/README-sudocmdgroup.md
+++ b/README-sudocmdgroup.md
@@ -52,7 +52,7 @@ Example playbook to make sure sudocmdgroup is present:
tasks:
# Ensure sudocmdgroup is present
- ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group01
description: Group of important commands
```
@@ -68,7 +68,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are present
tasks:
# Ensure sudo commands are present in existing sudocmdgroup
- ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group01
sudocmd:
- /usr/bin/su
@@ -88,7 +88,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are absent i
tasks:
# Ensure sudocmds are absent in existing sudocmdgroup
- ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group01
sudocmd:
- /usr/bin/su
@@ -108,7 +108,7 @@ Example playbook to make sure sudocmdgroup is absent:
tasks:
# Ensure sudocmdgroup is absent
- ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group01
state: absent
```
diff --git a/README-sudorule.md b/README-sudorule.md
index aca1b2d0..4bec5e65 100644
--- a/README-sudorule.md
+++ b/README-sudorule.md
@@ -50,7 +50,7 @@ Example playbook to make sure Sudo Rule is present:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
```
@@ -66,9 +66,9 @@ Example playbook to make sure sudocmds are present in Sudo Rule:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
- cmd:
+ allow_sudocmd:
- /sbin/ifconfig
action: member
```
@@ -85,9 +85,9 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
- cmd:
+ allow_sudocmd:
- /sbin/ifconfig
action: member
state: absent
@@ -104,8 +104,9 @@ Example playbook to make sure Sudo Rule is absent:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
+ state: absent
```
@@ -124,13 +125,21 @@ Variable | Description | Required
`usercategory` | User category the rule applies to. Choices: ["all"] | no
`hostcategory` | Host category the rule applies to. Choices: ["all"] | no
`cmdcategory` | Command category the rule applies to. Choices: ["all"] | no
+`runasusercategory` | RunAs User category the rule applies to. Choices: ["all"] | no
+`runasgroupcategory` | RunAs Group category the rule applies to. Choices: ["all"] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this sudorule. | no
`hostgroup` | List of host group name strings assigned to this sudorule. | no
`user` | List of user name strings assigned to this sudorule. | no
`group` | List of user group name strings assigned to this sudorule. | no
-`cmd` | List of sudocmd name strings assigned to this sudorule. | no
-`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no
+`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
+`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
+`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
+`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
+`sudooption` \| `option` | List of options to the sudorule | no
+`order` | Integer to order the sudorule | no
+`runasuser` | List of users for Sudo to execute as. | no
+`runasgroup` | List of groups for Sudo to execute as. | no
`action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
diff --git a/README-topology.md b/README-topology.md
index dc595ebd..84ab240d 100644
--- a/README-topology.md
+++ b/README-topology.md
@@ -50,7 +50,7 @@ Example playbook to add a topology segment with default name (cn):
tasks:
- name: Add topology segment
ipatopologysegment:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -70,7 +70,7 @@ Example playbook to delete a topology segment:
tasks:
- name: Delete topology segment
ipatopologysegment:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -90,7 +90,7 @@ Example playbook to reinitialize a topology segment:
tasks:
- name: Reinitialize topology segment
ipatopologysegment:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -111,7 +111,7 @@ Example playbook to verify a topology suffix:
tasks:
- name: Verify topology suffix
ipatopologysuffix:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain
state: verified
```
diff --git a/README-user.md b/README-user.md
index 56772a77..6958ebe5 100644
--- a/README-user.md
+++ b/README-user.md
@@ -52,7 +52,7 @@ Example playbook to ensure a user is present:
tasks:
# Ensure user pinky is present
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
first: pinky
last: Acme
@@ -66,7 +66,7 @@ Example playbook to ensure a user is present:
# Ensure user brain is present
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: brain
first: brain
last: Acme
@@ -85,7 +85,7 @@ These two `ipauser` module calls can be combined into one with the `users` varia
tasks:
# Ensure users pinky and brain are present
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: pinky
first: pinky
@@ -153,7 +153,7 @@ Ensure user pinky is present with a generated random password and print the rand
tasks:
# Ensure user pinky is present with a random password
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: brain
first: brain
last: Acme
@@ -176,7 +176,7 @@ Ensure users pinky and brain are present with a generated random password and pr
tasks:
# Ensure users pinky and brain are present with random password
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: pinky
first: pinky
@@ -212,7 +212,7 @@ Example playbook to delete a user, but preserve it:
tasks:
# Remove but preserve user pinky
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
preserve: yes
state: absent
@@ -231,7 +231,7 @@ Example playbook to delete a user, but preserve it using the `users` variable:
tasks:
# Remove but preserve user pinky
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: pinky
preserve: yes
@@ -252,7 +252,7 @@ Example playbook to undelete a preserved user.
tasks:
# Undelete preserved user pinky
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
state: undeleted
```
@@ -271,7 +271,7 @@ Example playbook to disable a user:
tasks:
# Disable user pinky
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
state: disabled
```
@@ -290,7 +290,7 @@ Example playbook to enable users:
tasks:
# Enable user pinky and brain
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: enabled
```
@@ -309,7 +309,7 @@ Example playbook to unlock users:
tasks:
# Unlock user pinky and brain
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: unlocked
```
@@ -326,7 +326,7 @@ Example playbook to ensure users are absent:
tasks:
# Ensure users pinky and brain are absent
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: absent
```
@@ -345,7 +345,7 @@ Example playbook to ensure users are absent:
tasks:
# Ensure users pinky and brain are absent
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: pinky
- name: brain
@@ -408,7 +408,7 @@ Variable | Description | Required
`manager` | List of manager user names. | no
`carlicense` | List of car licenses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
-`userauthtype` | List of supported user authentication types. Choices: `password`, `radius` and `otp` | no
+`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no
`userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
`radius` | RADIUS proxy configuration | no
`radiususer` | RADIUS proxy username | no
diff --git a/README-vault.md b/README-vault.md
new file mode 100644
index 00000000..9c0c833c
--- /dev/null
+++ b/README-vault.md
@@ -0,0 +1,203 @@
+Vault module
+===================
+
+Description
+-----------
+
+The vault module allows to ensure presence and absence of vault and members of vaults.
+
+The vault module is as compatible as possible to the Ansible upstream `ipa_vault` module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
+
+
+Features
+--------
+* Vault management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipavault module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+* KRA service must be enabled
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to make sure vault is present:
+
+```yaml
+---
+- name: Playbook to handle vaults
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ vault_password: MyVaultPassword123
+ description: A standard private vault.
+```
+
+Example playbook to make sure that a vault and its members are present:
+
+```yaml
+---
+- name: Playbook to handle vaults
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ users: user01
+```
+
+`action` controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set `action` to `member`.
+
+Example playbook to make sure that a vault member is present in vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ users: user01
+ action: member
+```
+
+Example playbook to make sure that a vault owner is absent in vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ owner: user01
+ action: member
+ state: absent
+```
+
+Example playbook to make sure vault data is present in a symmetric vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ vault_password: MyVaultPassword123
+ vault_data: >
+ Data archived.
+ More data archived.
+ action: member
+```
+
+Example playbook to make sure vault data is absent in a symmetric vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ vault_password: MyVaultPassword123
+ action: member
+ state: absent
+```
+
+Example playbook to make sure vault is absent:
+
+```yaml
+---
+- name: Playbook to handle vaults
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ state: absent
+```
+
+Variables
+=========
+
+ipavault
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of vault name strings. | yes
+`description` | The vault description string. | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`vault_public_key` \| `ipavaultpublickey` | Vault public key. | no
+`vault_salt` \| `ipavaultsalt` | Vault salt. | no
+`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
+`service` | Any service can own one or more service vaults. | no
+`user` | Any user can own one or more user vaults. | no
+`shared` | Vault is shared. Default to false. (bool) | no
+`users` | Users that are members of the vault. | no
+`groups` | Groups that are member of the vault. | no
+`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
+`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+
+
+Notes
+=====
+
+ipavault uses a client context to execute, and it might affect execution time.
+
+
+Authors
+=======
+
+Rafael Jeffman
diff --git a/README.md b/README.md
index f95458a3..49060399 100644
--- a/README.md
+++ b/README.md
@@ -19,16 +19,18 @@ Features
* Modules for host management
* Modules for hostgroup management
* Modules for pwpolicy management
+* Modules for service management
* Modules for sudocmd management
* Modules for sudocmdgroup management
* Modules for sudorule management
* Modules for topology management
* Modules for user management
+* Modules for vault management
Supported FreeIPA Versions
--------------------------
-FreeIPA versions 4.6 and up are supported by all roles.
+FreeIPA versions 4.6 and up are supported by all roles.
The client role supports versions 4.4 and up, the server role is working with versions 4.5 and up, the replica role is currently only working with versions 4.6 and up.
@@ -156,6 +158,7 @@ ipaserver_install_packages=no
ipaserver_setup_firewalld=no
```
The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md).
@@ -231,6 +234,7 @@ ipareplica_setup_firewalld=no
```
The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md).
@@ -404,6 +408,7 @@ Roles
Modules in plugin/modules
=========================
+* [ipadnsconfig](README-dnsconfig.md)
* [ipadnsforwardzone](README-dnsforwardzone.md)
* [ipagroup](README-group.md)
* [ipahbacrule](README-hbacrule.md)
@@ -412,9 +417,11 @@ Modules in plugin/modules
* [ipahost](README-host.md)
* [ipahostgroup](README-hostgroup.md)
* [ipapwpolicy](README-pwpolicy.md)
+* [ipaservice](README-service.md)
* [ipasudocmd](README-sudocmd.md)
* [ipasudocmdgroup](README-sudocmdgroup.md)
* [ipasudorule](README-sudorule.md)
* [ipatopologysegment](README-topology.md)
* [ipatopologysuffix](README-topology.md)
* [ipauser](README-user.md)
+* [ipavault](README-vault.md)
diff --git a/galaxy.yml b/galaxy.yml
index 8c9788b2..9740ba3d 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -15,6 +15,8 @@ readme: "README.md"
license: "GPL-3.0-or-later"
license_file: "COPYING"
+dependencies:
+
tags:
- "identity"
- "ipa"
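Review bot: The added `dependencies:` line carries no value, so a YAML parser reads it as null rather than as an empty mapping, and a collection loader that validates this field as a dict may reject or mis-handle it. Write `dependencies: {}` to state explicitly that the collection declares no dependencies. The blank line added after it is harmless but serves no purpose once the key has a value.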
diff --git a/playbooks/dnsconfig/disable-global-forwarders.yml b/playbooks/dnsconfig/disable-global-forwarders.yml
new file mode 100644
index 00000000..3b4f638c
--- /dev/null
+++ b/playbooks/dnsconfig/disable-global-forwarders.yml
@@ -0,0 +1,9 @@
+---
+- name: Playbook to disable global DNS forwarders
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Disable global forwarders.
+ ipadnsconfig:
+ forward_policy: none
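Review bot: None of the four new dnsconfig playbooks (this file, disallow-reverse-sync.yml, forwarders-absent.yml, set-configuration.yml) pass `ipaadmin_password`, while every other playbook touched by this commit does; per the module variable tables elsewhere in this diff the password is required when no admin ticket is available on the node, so these playbooks presumably only work after a prior `kinit admin`, unless ipadnsconfig obtains credentials differently. Either add `ipaadmin_password: SomeADMINpassword` to the task for consistency with the other example playbooks, or add a comment above the task such as `# Requires an existing admin ticket on the target node.` so the precondition is visible.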
diff --git a/playbooks/dnsconfig/disallow-reverse-sync.yml b/playbooks/dnsconfig/disallow-reverse-sync.yml
new file mode 100644
index 00000000..e99996ef
--- /dev/null
+++ b/playbooks/dnsconfig/disallow-reverse-sync.yml
@@ -0,0 +1,9 @@
+---
+- name: Playbook to disallow reverse record synchronization.
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Disallow reverse record synchronization.
+ ipadnsconfig:
+ allow_sync_ptr: no
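Review bot: `allow_sync_ptr: no` relies on YAML 1.1 boolean parsing of the bare word `no`; Ansible accepts it, but yamllint's truthy rule flags it and YAML 1.2 parsers read it as the string "no". Write the canonical form `allow_sync_ptr: false` here, and likewise `allow_sync_ptr: true` in place of `allow_sync_ptr: yes` in set-configuration.yml.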
diff --git a/playbooks/dnsconfig/forwarders-absent.yml b/playbooks/dnsconfig/forwarders-absent.yml
new file mode 100644
index 00000000..21a393dd
--- /dev/null
+++ b/playbooks/dnsconfig/forwarders-absent.yml
@@ -0,0 +1,13 @@
+---
+- name: Playbook to handle global DNS configuration
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Set dnsconfig.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ state: absent
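Review bot: The task name `Set dnsconfig.` is copied from set-configuration.yml but this task ensures forwarders are absent, so the play output will read misleadingly; rename it to `- name: Ensure global forwarders are absent`. The IPv6 literal `2001:4860:4860::8888` is a plain scalar containing colons; it parses as a string here, but quoting it (`- ip_address: "2001:4860:4860::8888"`) makes that intent explicit and avoids any implicit-typing surprise if the address is later edited.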
diff --git a/playbooks/dnsconfig/set-configuration.yml b/playbooks/dnsconfig/set-configuration.yml
new file mode 100644
index 00000000..17880aaf
--- /dev/null
+++ b/playbooks/dnsconfig/set-configuration.yml
@@ -0,0 +1,14 @@
+---
+- name: Playbook to handle global DNS configuration
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Set dnsconfig.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ forward_policy: only
+ allow_sync_ptr: yes
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
index 73dfd2ac..fda5aeac 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
@@ -7,6 +7,6 @@
tasks:
- name: Ensure HBAC Rule allhosts is absent
ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allhosts
state: absent
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
index 33196df5..4a5c7b15 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
@@ -7,6 +7,6 @@
tasks:
- name: Ensure HBAC Rule allhosts is disabled
ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allhosts
state: disabled
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
index ad97b975..86b815f1 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
@@ -7,6 +7,6 @@
tasks:
- name: Ensure HBAC Rule allhosts is enabled
ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allhosts
state: enabled
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
index 203f914a..d43bc4e5 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
@@ -7,6 +7,6 @@
tasks:
- name: Ensure HBAC Rule allhosts is present
ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allhosts
usercategory: all
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
index d3a77394..bbe5e8ca 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
@@ -7,7 +7,7 @@
tasks:
- name: Ensure host server is absent in HBAC Rule allhosts
ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allhosts
host: server
action: member
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
index 286402fc..d1703b27 100644
--- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
+++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
@@ -7,7 +7,7 @@
tasks:
- name: Ensure host server is present in HBAC Rule allhosts
ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allhosts
host: server
action: member
diff --git a/playbooks/hbacsvc/ensure-hbacsvc-absent.yml b/playbooks/hbacsvc/ensure-hbacsvc-absent.yml
index cb766e73..357fa8af 100644
--- a/playbooks/hbacsvc/ensure-hbacsvc-absent.yml
+++ b/playbooks/hbacsvc/ensure-hbacsvc-absent.yml
@@ -7,6 +7,6 @@
tasks:
- name: Ensure HBAC Services for http and tftp are absent
ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: http,tftp
state: absent
diff --git a/playbooks/hbacsvc/ensure-hbacsvc-present.yml b/playbooks/hbacsvc/ensure-hbacsvc-present.yml
index 1ed1d7c9..6892125d 100644
--- a/playbooks/hbacsvc/ensure-hbacsvc-present.yml
+++ b/playbooks/hbacsvc/ensure-hbacsvc-present.yml
@@ -7,12 +7,12 @@
tasks:
- name: Ensure HBAC Service for http is present
ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: http
description: Web service
- name: Ensure HBAC Service for tftp is present
ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: tftp
description: TFTP service
diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
index c4e24d13..7564b9bf 100644
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
@@ -7,7 +7,7 @@
tasks:
- name: Ensure HBAC Service Group login is absent
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
index b72703c3..f37fa27c 100644
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
@@ -7,7 +7,7 @@
tasks:
- name: Ensure HBAC Services sshd is absent in HBAC Service Group login
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
index 9b213c7b..c03c5571 100644
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
@@ -7,7 +7,7 @@
tasks:
- name: Ensure HBAC Service sshd is present in HBAC Service Group login
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
index 9b213c7b..c03c5571 100644
--- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
+++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
@@ -7,7 +7,7 @@
tasks:
- name: Ensure HBAC Service sshd is present in HBAC Service Group login
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
diff --git a/playbooks/host/delete-host.yml b/playbooks/host/delete-host.yml
index 30eaf3ef..c441c8bb 100644
--- a/playbooks/host/delete-host.yml
+++ b/playbooks/host/delete-host.yml
@@ -6,6 +6,6 @@
tasks:
- name: Ensure host host01.example.com is absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
state: absent
diff --git a/playbooks/host/disable-host.yml b/playbooks/host/disable-host.yml
index 3e265fe2..c6e277c7 100644
--- a/playbooks/host/disable-host.yml
+++ b/playbooks/host/disable-host.yml
@@ -6,6 +6,6 @@
tasks:
- name: Disable host host01.example.com
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
state: disabled
diff --git a/playbooks/host/ensure_host_with_randompassword.yml b/playbooks/host/ensure_host_with_randompassword.yml
index cd1a1331..d6376033 100644
--- a/playbooks/host/ensure_host_with_randompassword.yml
+++ b/playbooks/host/ensure_host_with_randompassword.yml
@@ -6,7 +6,7 @@
tasks:
- name: Host "{{ 'host1.' + ipaserver_domain }}" present with random password
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ 'host1.' + ipaserver_domain }}"
random: yes
force: yes
diff --git a/playbooks/host/host-member-allow_create_keytab-absent.yml b/playbooks/host/host-member-allow_create_keytab-absent.yml
index 55e3110d..5ec1a171 100644
--- a/playbooks/host/host-member-allow_create_keytab-absent.yml
+++ b/playbooks/host/host-member-allow_create_keytab-absent.yml
@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_create_keytab_user:
- user01
diff --git a/playbooks/host/host-member-allow_create_keytab-present.yml b/playbooks/host/host-member-allow_create_keytab-present.yml
index f5865497..36c31dd2 100644
--- a/playbooks/host/host-member-allow_create_keytab-present.yml
+++ b/playbooks/host/host-member-allow_create_keytab-present.yml
@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com members allow_create_keytab present for users, groups, hosts and hostgroups
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_create_keytab_user:
- user01
diff --git a/playbooks/host/host-member-allow_retrieve_keytab-absent.yml b/playbooks/host/host-member-allow_retrieve_keytab-absent.yml
index b8830f60..b7752e7c 100644
--- a/playbooks/host/host-member-allow_retrieve_keytab-absent.yml
+++ b/playbooks/host/host-member-allow_retrieve_keytab-absent.yml
@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_retrieve_keytab_user:
- user01
diff --git a/playbooks/host/host-member-allow_retrieve_keytab-present.yml b/playbooks/host/host-member-allow_retrieve_keytab-present.yml
index fde116cc..ee849e06 100644
--- a/playbooks/host/host-member-allow_retrieve_keytab-present.yml
+++ b/playbooks/host/host-member-allow_retrieve_keytab-present.yml
@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_retrieve_keytab_user:
- user01
diff --git a/playbooks/host/host-member-certificate-absent.yml b/playbooks/host/host-member-certificate-absent.yml
index 918951f8..841b39cd 100644
--- a/playbooks/host/host-member-certificate-absent.yml
+++ b/playbooks/host/host-member-certificate-absent.yml
@@ -5,7 +5,7 @@
tasks:
- name: Host host01.example.com member certificate absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
certificate:
- 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
diff --git a/playbooks/host/host-member-certificate-present.yml b/playbooks/host/host-member-certificate-present.yml
index 066ae0a9..8071a942 100644
--- a/playbooks/host/host-member-certificate-present.yml
+++ b/playbooks/host/host-member-certificate-present.yml
@@ -5,7 +5,7 @@
tasks:
- name: Host host01.example.com member certificate present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
certificate:
- MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3
diff --git a/playbooks/host/host-member-ipaddresses-absent.yml b/playbooks/host/host-member-ipaddresses-absent.yml
new file mode 100644
index 00000000..31c2eec7
--- /dev/null
+++ b/playbooks/host/host-member-ipaddresses-absent.yml
@@ -0,0 +1,17 @@
+---
+- name: Host member IP addresses absent
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Ensure host01.example.com IP addresses absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: host01.example.com
+ ip_address:
+ - 192.168.0.123
+ - fe80::20c:29ff:fe02:a1b3
+ - 192.168.0.124
+ - fe80::20c:29ff:fe02:a1b4
+ action: member
+ state: absent
diff --git a/playbooks/host/host-member-ipaddresses-present.yml b/playbooks/host/host-member-ipaddresses-present.yml
new file mode 100644
index 00000000..2dd88e13
--- /dev/null
+++ b/playbooks/host/host-member-ipaddresses-present.yml
@@ -0,0 +1,16 @@
+---
+- name: Host member IP addresses present
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Ensure host01.example.com IP addresses present
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: host01.example.com
+ ip_address:
+ - 192.168.0.123
+ - fe80::20c:29ff:fe02:a1b3
+ - 192.168.0.124
+ - fe80::20c:29ff:fe02:a1b4
+ action: member
diff --git a/playbooks/host/host-member-managedby_host-absent.yml b/playbooks/host/host-member-managedby_host-absent.yml
index f899a52f..e9fc6b4c 100644
--- a/playbooks/host/host-member-managedby_host-absent.yml
+++ b/playbooks/host/host-member-managedby_host-absent.yml
@@ -5,7 +5,7 @@
tasks:
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
managedby_host: server.exmaple.com
action: member
diff --git a/playbooks/host/host-member-managedby_host-present.yml b/playbooks/host/host-member-managedby_host-present.yml
index 073d81ad..c00548cf 100644
--- a/playbooks/host/host-member-managedby_host-present.yml
+++ b/playbooks/host/host-member-managedby_host-present.yml
@@ -5,7 +5,7 @@
tasks:
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
managedby_host: server.exmaple.com
action: member
diff --git a/playbooks/host/host-member-principal-absent.yml b/playbooks/host/host-member-principal-absent.yml
index b2c3a8d8..2688737e 100644
--- a/playbooks/host/host-member-principal-absent.yml
+++ b/playbooks/host/host-member-principal-absent.yml
@@ -6,7 +6,7 @@
tasks:
- name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
principal:
- host/testhost01.example.com
diff --git a/playbooks/host/host-member-principal-present.yml b/playbooks/host/host-member-principal-present.yml
index b56fd591..8b5d0cf5 100644
--- a/playbooks/host/host-member-principal-present.yml
+++ b/playbooks/host/host-member-principal-present.yml
@@ -6,7 +6,7 @@
tasks:
- name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
principal:
- host/testhost01.example.com
diff --git a/playbooks/host/host-present-with-allow_create_keytab.yml b/playbooks/host/host-present-with-allow_create_keytab.yml
index f7b9c6f4..bcdd5df5 100644
--- a/playbooks/host/host-present-with-allow_create_keytab.yml
+++ b/playbooks/host/host-present-with-allow_create_keytab.yml
@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com present with allow_create_keytab for users, groups, hosts and hostgroups
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_create_keytab_user:
- user01
diff --git a/playbooks/host/host-present-with-allow_retrieve_keytab.yml b/playbooks/host/host-present-with-allow_retrieve_keytab.yml
index 5a9f3af5..f12b15f6 100644
--- a/playbooks/host/host-present-with-allow_retrieve_keytab.yml
+++ b/playbooks/host/host-present-with-allow_retrieve_keytab.yml
@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com present with allow_retrieve_keytab for users, groups, hosts and hostgroups
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_retrieve_keytab_user:
- user01
diff --git a/playbooks/host/host-present-with-certificate.yml b/playbooks/host/host-present-with-certificate.yml
index f5da46d7..919d7c0b 100644
--- a/playbooks/host/host-present-with-certificate.yml
+++ b/playbooks/host/host-present-with-certificate.yml
@@ -5,7 +5,7 @@
tasks:
- name: Host host01.example.com present with certificate
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
certificate:
- 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
diff --git a/playbooks/host/host-present-with-managedby_host.yml b/playbooks/host/host-present-with-managedby_host.yml
index b85f5e60..51a1c21f 100644
--- a/playbooks/host/host-present-with-managedby_host.yml
+++ b/playbooks/host/host-present-with-managedby_host.yml
@@ -5,7 +5,7 @@
tasks:
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
managedby_host: server.exmaple.com
force: yes
diff --git a/playbooks/host/host-present-with-principal.yml b/playbooks/host/host-present-with-principal.yml
index 5b8ad4ee..e84f45a5 100644
--- a/playbooks/host/host-present-with-principal.yml
+++ b/playbooks/host/host-present-with-principal.yml
@@ -6,7 +6,7 @@
tasks:
- name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
principal:
- host/testhost01.example.com
diff --git a/playbooks/host/host-present-with-randompassword.yml b/playbooks/host/host-present-with-randompassword.yml
index 9063c480..2e9d793d 100644
--- a/playbooks/host/host-present-with-randompassword.yml
+++ b/playbooks/host/host-present-with-randompassword.yml
@@ -6,7 +6,7 @@
tasks:
- name: Host host01.example.com present with random password
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
random: yes
force: yes
diff --git a/playbooks/host/host-present-with-several-ip-addresses.yml b/playbooks/host/host-present-with-several-ip-addresses.yml
new file mode 100644
index 00000000..e74f67c6
--- /dev/null
+++ b/playbooks/host/host-present-with-several-ip-addresses.yml
@@ -0,0 +1,24 @@
+---
+- name: Host present with several IP addresses
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Ensure host is present
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: host01.example.com
+ description: Example host
+ ip_address:
+ - 192.168.0.123
+ - fe80::20c:29ff:fe02:a1b3
+ - 192.168.0.124
+ - fe80::20c:29ff:fe02:a1b4
+ locality: Lab
+ ns_host_location: Lab
+ ns_os_version: CentOS 7
+ ns_hardware_platform: Lenovo T61
+ mac_address:
+ - "08:00:27:E3:B1:2D"
+ - "52:54:00:BD:97:1E"
+ state: present
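Review bot: The two IPv6 entries under `ip_address` are link-local (fe80::/10) addresses, which are only valid on the local segment and make poor AAAA records; example data should come from the documentation prefix, e.g. `- 2001:db8::1` and `- 2001:db8::2`, and the IPv4 side could likewise use the RFC 5737 range (`192.0.2.123`) instead of a private LAN range. The same fe80:: values are repeated in the host-member-ipaddresses playbooks of this commit, so they should change together. Quoting the `mac_address` values is right, since colon-separated digit groups can be re-typed by YAML 1.1 parsers.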
diff --git a/playbooks/host/host-present.yml b/playbooks/host/host-present.yml
index d40c1ecf..afb9a0ec 100644
--- a/playbooks/host/host-present.yml
+++ b/playbooks/host/host-present.yml
@@ -6,7 +6,7 @@
tasks:
- name: Ensure host is present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
description: Example host
ip_address: 192.168.0.123
diff --git a/playbooks/host/hosts-member-certificate-absent.yml b/playbooks/host/hosts-member-certificate-absent.yml
index bb2d5b03..ec9ba94f 100644
--- a/playbooks/host/hosts-member-certificate-absent.yml
+++ b/playbooks/host/hosts-member-certificate-absent.yml
@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.example.com and host01.exmaple.com member certificate absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.example.com
certificate:
diff --git a/playbooks/host/hosts-member-certificate-present.yml b/playbooks/host/hosts-member-certificate-present.yml
index c402ef4a..2976244a 100644
--- a/playbooks/host/hosts-member-certificate-present.yml
+++ b/playbooks/host/hosts-member-certificate-present.yml
@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.example.com and host01.exmaple.com member certificate present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.example.com
certificate:
diff --git a/playbooks/host/hosts-member-managedby_host-absent.yml b/playbooks/host/hosts-member-managedby_host-absent.yml
index 9b584e51..40ae3b7d 100644
--- a/playbooks/host/hosts-member-managedby_host-absent.yml
+++ b/playbooks/host/hosts-member-managedby_host-absent.yml
@@ -5,7 +5,7 @@
tasks:
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
managedby_host: server.exmaple.com
diff --git a/playbooks/host/hosts-member-managedby_host-present.yml b/playbooks/host/hosts-member-managedby_host-present.yml
index f8d4e2b7..fe70a59f 100644
--- a/playbooks/host/hosts-member-managedby_host-present.yml
+++ b/playbooks/host/hosts-member-managedby_host-present.yml
@@ -5,7 +5,7 @@
tasks:
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
managedby_host: server.exmaple.com
diff --git a/playbooks/host/hosts-member-principal-absent.yml b/playbooks/host/hosts-member-principal-absent.yml
index edd33521..733bb126 100644
--- a/playbooks/host/hosts-member-principal-absent.yml
+++ b/playbooks/host/hosts-member-principal-absent.yml
@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
principal:
diff --git a/playbooks/host/hosts-member-principal-present.yml b/playbooks/host/hosts-member-principal-present.yml
index 54c9a8f6..68d26fe5 100644
--- a/playbooks/host/hosts-member-principal-present.yml
+++ b/playbooks/host/hosts-member-principal-present.yml
@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
principal:
diff --git a/playbooks/host/hosts-present-with-certificate.yml b/playbooks/host/hosts-present-with-certificate.yml
index 34e402f7..78102e25 100644
--- a/playbooks/host/hosts-present-with-certificate.yml
+++ b/playbooks/host/hosts-present-with-certificate.yml
@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.example.com and host01.exmaple.com present with certificate
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.example.com
certificate:
diff --git a/playbooks/host/hosts-present-with-managedby_host.yml b/playbooks/host/hosts-present-with-managedby_host.yml
index 5f3546b6..262f6c1d 100644
--- a/playbooks/host/hosts-present-with-managedby_host.yml
+++ b/playbooks/host/hosts-present-with-managedby_host.yml
@@ -5,7 +5,7 @@
tasks:
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
managedby_host: server.exmaple.com
diff --git a/playbooks/host/hosts-present-with-randompasswords.yml b/playbooks/host/hosts-present-with-randompasswords.yml
index f747ca31..5a1ea9c0 100644
--- a/playbooks/host/hosts-present-with-randompasswords.yml
+++ b/playbooks/host/hosts-present-with-randompasswords.yml
@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.example.com and host01.example.com present with random passwords
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.example.com
random: yes
diff --git a/playbooks/hostgroup/ensure-hostgroup-is-absent.yml b/playbooks/hostgroup/ensure-hostgroup-is-absent.yml
index 86508fc6..c9e37d3f 100644
--- a/playbooks/hostgroup/ensure-hostgroup-is-absent.yml
+++ b/playbooks/hostgroup/ensure-hostgroup-is-absent.yml
@@ -6,6 +6,6 @@
tasks:
# Ensure host-group databases is present
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
state: absent
diff --git a/playbooks/hostgroup/ensure-hostgroup-is-present.yml b/playbooks/hostgroup/ensure-hostgroup-is-present.yml
index a2c7ae9a..bc059dba 100644
--- a/playbooks/hostgroup/ensure-hostgroup-is-present.yml
+++ b/playbooks/hostgroup/ensure-hostgroup-is-present.yml
@@ -6,7 +6,7 @@
tasks:
# Ensure host-group databases is present
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
diff --git a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
index 149dfcff..b3fbd558 100644
--- a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
+++ b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
@@ -6,7 +6,7 @@
tasks:
# Ensure hosts and hostgroups are present in existing databases hostgroup
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
diff --git a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
index 4b22fd66..c103ce92 100644
--- a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
+++ b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
@@ -6,7 +6,7 @@
tasks:
# Ensure hosts and hostgroups are present in existing databases hostgroup
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
diff --git a/playbooks/service/service-host-is-absent.yml b/playbooks/service/service-host-is-absent.yml
new file mode 100644
index 00000000..5963340f
--- /dev/null
+++ b/playbooks/service/service-host-is-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure management host is absent.
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ host: "{{ groups.ipaserver[0] }}"
+ action: member
+ state: absent
diff --git a/playbooks/service/service-host-is-present.yml b/playbooks/service/service-host-is-present.yml
new file mode 100644
index 00000000..2460051e
--- /dev/null
+++ b/playbooks/service/service-host-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure management host is present.
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ host: "{{ groups.ipaserver[0] }}"
+ action: member
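Review bot: The task makes the IPA server itself (`groups.ipaserver[0]`) a managing host of HTTP/www.example.com, and as far as I recall FreeIPA's model a host on a service's managed-by list may manage that service's keytab and certificate, so the example should say it is a test convenience rather than a recommended setup; replace `# Ensure management host is present.` with `# Ensure the IPA server is a managing host of the service (test setup only: managing hosts can manage the service keytab/cert).` The task also carries the literal `MyPassword123` while the rest of this commit moves every other playbook to `SomeADMINpassword`.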
diff --git a/playbooks/service/service-is-absent.yml b/playbooks/service/service-is-absent.yml
new file mode 100644
index 00000000..fe65771e
--- /dev/null
+++ b/playbooks/service/service-is-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service is absent
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ state: absent
diff --git a/playbooks/service/service-is-disabled.yml b/playbooks/service/service-is-disabled.yml
new file mode 100644
index 00000000..2bf01fb1
--- /dev/null
+++ b/playbooks/service/service-is-disabled.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to disable IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service is disabled
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ state: disabled
diff --git a/playbooks/service/service-is-present-with-all-attributes.yml b/playbooks/service/service-is-present-with-all-attributes.yml
new file mode 100644
index 00000000..f7e59ebc
--- /dev/null
+++ b/playbooks/service/service-is-present-with-all-attributes.yml
@@ -0,0 +1,23 @@
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service is present
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ certificate:
+ - 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
+ pac_type:
+ - MS-PAC
+ - PAD
+ auth_ind: otp
+ force: no
+ requires_pre_auth: yes
+ ok_as_delegate: no
+ ok_to_auth_as_delegate: no
+ action: service
+ state: present
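Review bot: The boolean arguments `force`, `requires_pre_auth`, `ok_as_delegate` and `ok_to_auth_as_delegate` are written as `yes`/`no`; yamllint's truthy rule and Ansible style prefer `true`/`false`, which read the same under YAML 1.1 and 1.2. The only comment, `# Ensure service is present`, gives no hint that this example deliberately turns both delegation flags off and pins `auth_ind: otp`; a line such as `# Delegation disabled and an OTP authentication indicator required - verify the exact indicator semantics against the FreeIPA service docs before copying.` would tell a reader these are security settings and not arbitrary defaults. `MyPassword123` is also inconsistent with the `SomeADMINpassword` used elsewhere in this commit.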
diff --git a/playbooks/service/service-is-present-with-host-force.yml b/playbooks/service/service-is-present-with-host-force.yml
new file mode 100644
index 00000000..2268ea8f
--- /dev/null
+++ b/playbooks/service/service-is-present-with-host-force.yml
@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service is present
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/ihavenodns.info
+ force: yes
+ # state: absent
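Review bot: The trailing `# state: absent` is a commented-out leftover and should be deleted; it makes the example look half-edited. The point of the file is `force: yes`, which like the FreeIPA CLI's `--force` accepts a principal whose host is not in DNS, so the comment should say so: `# force: true accepts a principal whose host has no DNS entry`. `ihavenodns.info` is a registrable third-party domain; use a reserved name such as `HTTP/nodns.example.com` so a copied run never references someone else's host.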
diff --git a/playbooks/service/service-is-present-without-host-object.yml b/playbooks/service/service-is-present-without-host-object.yml
new file mode 100644
index 00000000..ddf72b8e
--- /dev/null
+++ b/playbooks/service/service-is-present-without-host-object.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service is present
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.ansible.com
+ skip_host_check: yes
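Review bot: `HTTP/www.ansible.com` is a real third-party host; example data should stay on RFC 2606 names such as `HTTP/www.example.org` so a copy-pasted run cannot create principals for someone else's domain. The comment `# Ensure service is present` should also say what `skip_host_check` does, e.g. `# skip_host_check: no host object is required for the principal's host`, because a principal with no host entry is then not covered by that host's keytab controls (confirm against the module docs). Prefer `true` over `yes`, and `MyPassword123` is out of step with the `SomeADMINpassword` used elsewhere in this commit.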
diff --git a/playbooks/service/service-is-present.yml b/playbooks/service/service-is-present.yml
new file mode 100644
index 00000000..06e88343
--- /dev/null
+++ b/playbooks/service/service-is-present.yml
@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage IPA service.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service is present
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
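Review bot: `ipaadmin_password: MyPassword123` is inconsistent with the rest of this commit, which moves every existing playbook to `SomeADMINpassword`; the same literal appears in all the new playbooks/service/*.yml files. Beyond consistency, example playbooks that carry the admin password inline tend to be copied verbatim, so the idiomatic form is a vaulted variable, `ipaadmin_password: "{{ ipaadmin_password }}"`, with the value supplied from an Ansible Vault file or `--extra-vars`. Adding `no_log: true` to the task would also keep the argument out of verbose output, unless the module already marks the parameter no_log (not visible here).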
diff --git a/playbooks/service/service-member-allow_create_keytab-absent.yml b/playbooks/service/service-member-allow_create_keytab-absent.yml
new file mode 100644
index 00000000..d4a15ea4
--- /dev/null
+++ b/playbooks/service/service-member-allow_create_keytab-absent.yml
@@ -0,0 +1,24 @@
+---
+- name: Service member allow_create_keytab absent
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Service HTTP/www.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups
+ ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ allow_create_keytab_user:
+ - user01
+ - user02
+ allow_create_keytab_group:
+ - group01
+ - group02
+ allow_create_keytab_host:
+ - host01.example.com
+ - host02.example.com
+ allow_create_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ state: absent
diff --git a/playbooks/service/service-member-allow_create_keytab-present.yml b/playbooks/service/service-member-allow_create_keytab-present.yml
new file mode 100644
index 00000000..b28b6dc2
--- /dev/null
+++ b/playbooks/service/service-member-allow_create_keytab-present.yml
@@ -0,0 +1,23 @@
+---
+- name: Service member allow_create_keytab present
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Service HTTP/www.example.com members allow_create_keytab present for users, groups, hosts and hostgroups
+ ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ allow_create_keytab_user:
+ - user01
+ - user02
+ allow_create_keytab_group:
+ - group01
+ - group02
+ allow_create_keytab_host:
+ - host01.example.com
+ - host02.example.com
+ allow_create_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
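Review bot: Granting `allow_create_keytab_*` to two groups and two hostgroups lets every member generate a new keytab for HTTP/www.example.com, and creating a keytab with ipa-getkeytab rotates the service's key, invalidating the keytab the running service holds; the example should warn that this is both an impersonation and an availability-affecting privilege. Suggested comment above the task: `# Anyone listed here can (re)create the service keytab, which rotates its key - grant narrowly.` The task also still uses `MyPassword123` where the rest of this commit uses `SomeADMINpassword`.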
diff --git a/playbooks/service/service-member-allow_retrieve_keytab-absent.yml b/playbooks/service/service-member-allow_retrieve_keytab-absent.yml
new file mode 100644
index 00000000..ceada70e
--- /dev/null
+++ b/playbooks/service/service-member-allow_retrieve_keytab-absent.yml
@@ -0,0 +1,24 @@
+---
+- name: Service member allow_retrieve_keytab absent
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Service HTTP/www.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups
+ ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - host01.example.com
+ - host02.example.com
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ state: absent
diff --git a/playbooks/service/service-member-allow_retrieve_keytab-present.yml b/playbooks/service/service-member-allow_retrieve_keytab-present.yml
new file mode 100644
index 00000000..ac98904b
--- /dev/null
+++ b/playbooks/service/service-member-allow_retrieve_keytab-present.yml
@@ -0,0 +1,23 @@
+---
+- name: Service member allow_retrieve_keytab present
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Service HTTP/www.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups
+ ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - host01.example.com
+ - host02.example.com
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
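Review bot: `allow_retrieve_keytab_*` hands the service's existing long-term key to every listed user, group, host and hostgroup member, and whoever holds that keytab can act as HTTP/www.example.com towards Kerberos clients; an example that grants it to two groups and two hostgroups should say so rather than present it as a routine membership edit. Suggested comment above the task: `# Retrieving the keytab discloses the service key - holders can impersonate the service; keep this list minimal.` `MyPassword123` is also inconsistent with the `SomeADMINpassword` used elsewhere in this commit.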
diff --git a/playbooks/service/service-member-certificate-absent.yml b/playbooks/service/service-member-certificate-absent.yml
new file mode 100644
index 00000000..57b71e5e
--- /dev/null
+++ b/playbooks/service/service-member-certificate-absent.yml
@@ -0,0 +1,16 @@
+---
+- name: Service certificate absent.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service certificate is absent
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+
+ certificate:
+ - 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
+ action: member
+ state: absent
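Review bot: There is a stray blank line between `name: HTTP/www.example.com` and `certificate:` inside the module's argument mapping; it parses, but it visually splits the task and no sibling playbook does it, so drop it. The task also still uses `MyPassword123` where this commit standardises on `SomeADMINpassword`.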
diff --git a/playbooks/service/service-member-certificate-present.yml b/playbooks/service/service-member-certificate-present.yml
new file mode 100644
index 00000000..bfa01d05
--- /dev/null
+++ b/playbooks/service/service-member-certificate-present.yml
@@ -0,0 +1,15 @@
+---
+- name: Service certificate present.
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure service certificate is present
+ - ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ certificate:
+ - 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
+ action: member
+ state: present
diff --git a/playbooks/service/service-member-principal-absent.yml b/playbooks/service/service-member-principal-absent.yml
new file mode 100644
index 00000000..6bfb168c
--- /dev/null
+++ b/playbooks/service/service-member-principal-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Service member principal absent
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com absent
+ ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ principal:
+ - host/test.exmaple.com
+ action: member
+ state: absent
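Review bot: The task name says `HTTP/www.exmaple.com` while `name:` is `HTTP/www.example.com`, and the principal `host/test.exmaple.com` carries the same transposition, so the alias being removed lives under a misspelled domain. Change the task name to `Service HTTP/www.example.com member principal host/test.example.com absent` and the entry to `- host/test.example.com`, and keep the -present playbook in step so the two operate on the same alias.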
diff --git a/playbooks/service/service-member-principal-present.yml b/playbooks/service/service-member-principal-present.yml
new file mode 100644
index 00000000..aa94f32e
--- /dev/null
+++ b/playbooks/service/service-member-principal-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Service member principal present
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com present
+ ipaservice:
+ ipaadmin_password: MyPassword123
+ name: HTTP/www.example.com
+ principal:
+ - host/test.exmaple.com
+ action: member
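Review bot: `host/test.exmaple.com` and the `HTTP/www.exmaple.com` in the task name are typos for `example.com`, so the example adds an alias under a domain that differs from the service's own; use `- host/test.example.com` and `Service HTTP/www.example.com member principal host/test.example.com present`. Whatever spelling is chosen must match the -absent playbook, or the removal will not find the alias this task adds.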
diff --git a/playbooks/sudocmd/ensure-sudocmd-is-absent.yml b/playbooks/sudocmd/ensure-sudocmd-is-absent.yml
index 1b3bbf45..3539ed00 100644
--- a/playbooks/sudocmd/ensure-sudocmd-is-absent.yml
+++ b/playbooks/sudocmd/ensure-sudocmd-is-absent.yml
@@ -6,6 +6,6 @@
tasks:
# Ensure sudo command is absent
- ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: absent
diff --git a/playbooks/sudocmd/ensure-sudocmd-is-present.yml b/playbooks/sudocmd/ensure-sudocmd-is-present.yml
index 3aa0f471..d648de54 100644
--- a/playbooks/sudocmd/ensure-sudocmd-is-present.yml
+++ b/playbooks/sudocmd/ensure-sudocmd-is-present.yml
@@ -6,6 +6,6 @@
tasks:
# Ensure sudo command is present
- ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: present
diff --git a/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml b/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml
index bde823e5..49ba2d5a 100644
--- a/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml
+++ b/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml
@@ -6,7 +6,7 @@
tasks:
# Ensure sudocmds are absent in sudocmdgroup
- ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig
diff --git a/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml b/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml
index c415695b..fe9ab207 100644
--- a/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml
+++ b/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml
@@ -6,7 +6,7 @@
tasks:
# Ensure sudo commands are present
- ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- /usr/sbin/ifconfig
- /usr/sbin/iwlist
@@ -14,7 +14,7 @@
# Ensure sudo commands are present in existing sudocmdgroup
- ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig
diff --git a/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml
new file mode 100644
index 00000000..b48a710d
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure sudooption is absent in sudorule
+ - ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ sudooption: "!root"
+ action: member
+ state: absent
diff --git a/playbooks/sudorule/ensure-sudorule-has-sudooption.yml b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml
new file mode 100644
index 00000000..d1a394cf
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure sudooption is present in sudorule
+ - ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ sudooption: "!root"
+ action: member
diff --git a/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml b/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
index f74765c2..2f0655c5 100644
--- a/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
+++ b/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
@@ -7,7 +7,7 @@
tasks:
# Ensure host server is absent in Sudo Rule
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
host: server
action: member
diff --git a/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml b/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
index 4ecf3f33..e0ce73de 100644
--- a/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
@@ -7,7 +7,7 @@
tasks:
# Ensure host server is present in Sudo Rule
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
host: server
action: member
diff --git a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
index 301030f5..c30d63a0 100644
--- a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
+++ b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
@@ -7,7 +7,7 @@
tasks:
# Ensure hostgroup cluster is absent in Sudo Rule
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
hostgroup: cluster
action: member
diff --git a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
index b4473b27..4813213b 100644
--- a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
@@ -7,7 +7,7 @@
tasks:
# Ensure hostgrep cluster is present in Sudo Rule
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
hostgroup: cluster
action: member
diff --git a/playbooks/sudorule/ensure-sudorule-is-disabled.yml b/playbooks/sudorule/ensure-sudorule-is-disabled.yml
index 90afbd24..b51da118 100644
--- a/playbooks/sudorule/ensure-sudorule-is-disabled.yml
+++ b/playbooks/sudorule/ensure-sudorule-is-disabled.yml
@@ -6,6 +6,6 @@
tasks:
# Ensure sudorule command is disabled
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
state: disabled
diff --git a/playbooks/sudorule/ensure-sudorule-is-enabled.yml b/playbooks/sudorule/ensure-sudorule-is-enabled.yml
index 6618344c..4cba3bec 100644
--- a/playbooks/sudorule/ensure-sudorule-is-enabled.yml
+++ b/playbooks/sudorule/ensure-sudorule-is-enabled.yml
@@ -6,6 +6,6 @@
tasks:
# Ensure sudorule command is enabled
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
state: enabled
diff --git a/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml
new file mode 100644
index 00000000..b884886e
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure sudorule is present with the given order.
+ - ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ order: 2
diff --git a/playbooks/sudorule/ensure-sudorule-is-present.yml b/playbooks/sudorule/ensure-sudorule-is-present.yml
index 5b8f32bc..e88017cf 100644
--- a/playbooks/sudorule/ensure-sudorule-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-is-present.yml
@@ -6,7 +6,9 @@
tasks:
# Ensure sudorule command is present
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
description: A test sudo rule.
+ allow_sudocmd: /bin/ls
+ deny_sudocmd: /bin/vim
state: present
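Review bot: `deny_sudocmd: /bin/vim` is presented as a restriction, but sudoers deny entries are not a security boundary: the sudoers manual itself warns that a user allowed to run other commands can copy or rename the denied binary, and vim's shell escapes are unaffected by a path-based deny. The example should carry a comment so it is not copied as a hardening pattern, e.g. `# deny_sudocmd only blocks the literal path - it is not a substitute for a narrow allow list.`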
diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml
new file mode 100644
index 00000000..465f386c
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure sudorule is present with the given order.
+ - ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ runasuser: admin
+ action: member
+ state: absent
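Review bot: The comment `# Ensure sudorule is present with the given order.` was copied from the order playbook and does not describe this task, which removes `admin` from the rule's RunAs users; change it to `# Ensure runasuser admin is absent in sudorule testrule1.` The play name `Tests` could likewise say `Ensure sudorule runasuser is absent` to match the file name.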
diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml
new file mode 100644
index 00000000..4a5bee94
--- /dev/null
+++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ # Ensure sudorule is present with the given order.
+ - ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ runasuser: admin
+ action: member
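Review bot: The comment `# Ensure sudorule is present with the given order.` is a copy-paste from the order playbook; this task adds `admin` as a RunAs user, so it should read `# Ensure runasuser admin is present in sudorule testrule1.` Since the rule then lets matching users run commands as the IPA admin account, naming that in the comment also helps anyone reusing the example.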
diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
index 942d0b53..3ded226e 100644
--- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
+++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
@@ -6,10 +6,15 @@
tasks:
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
- cmd:
+ allow_sudocmd:
- /sbin/ifconfig
+ deny_sudocmd:
- /usr/bin/vim
+ allow_sudocmdgroup:
+ - devops
+ deny_sudocmdgroup:
+ - users
action: member
state: absent
diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
index 61fcbb0d..23dd56de 100644
--- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
+++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
@@ -6,9 +6,14 @@
tasks:
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
- cmd:
+ allow_sudocmd:
- /sbin/ifconfig
+ deny_sudocmd:
- /usr/bin/vim
+ allow_sudocmdgroup:
+ - devops
+ deny_sudocmdgroup:
+ - users
action: member
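Review bot: The task still has no `name:` after `cmd` was split into `allow_sudocmd`/`deny_sudocmd` and the two group lists were added, so play output shows only the module name; add `- name: Ensure sudocmds and sudocmdgroups are members of sudorule testrule1` above `ipasudorule:`. A short comment noting that the `deny_*` lists only block the literal path and are not a hardening control would also be worth carrying here, as in the present playbook.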
diff --git a/playbooks/topology/add-topologysegment.yml b/playbooks/topology/add-topologysegment.yml
index ebf55445..cf157e2c 100644
--- a/playbooks/topology/add-topologysegment.yml
+++ b/playbooks/topology/add-topologysegment.yml
@@ -6,7 +6,7 @@
tasks:
- name: Add topology segment
ipatopologysegment:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
diff --git a/playbooks/topology/delete-topologysegment.yml b/playbooks/topology/delete-topologysegment.yml
index a3f2c680..984ea1f5 100644
--- a/playbooks/topology/delete-topologysegment.yml
+++ b/playbooks/topology/delete-topologysegment.yml
@@ -6,7 +6,7 @@
tasks:
- name: Delete topology segment
ipatopologysegment:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
diff --git a/playbooks/topology/reinitialize-topologysegment.yml b/playbooks/topology/reinitialize-topologysegment.yml
index 1f21cd23..efe6bc3e 100644
--- a/playbooks/topology/reinitialize-topologysegment.yml
+++ b/playbooks/topology/reinitialize-topologysegment.yml
@@ -6,7 +6,7 @@
tasks:
- name: Reinitialize topology segment
ipatopologysegment:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
diff --git a/playbooks/topology/verify-topologysuffix.yml b/playbooks/topology/verify-topologysuffix.yml
index b27ca3d6..70e788c3 100644
--- a/playbooks/topology/verify-topologysuffix.yml
+++ b/playbooks/topology/verify-topologysuffix.yml
@@ -6,6 +6,6 @@
tasks:
- name: Verify topology suffix
ipatopologysuffix:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
suffix: domain
state: verified
diff --git a/playbooks/user/add-group.yml b/playbooks/user/add-group.yml
index a36ca14f..46e0faab 100644
--- a/playbooks/user/add-group.yml
+++ b/playbooks/user/add-group.yml
@@ -6,19 +6,19 @@
tasks:
- name: Create group ops with gid 1234
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops
gidnumber: 1234
- name: Create group sysops
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops
user:
- pinky
- name: Create group appops
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: appops
diff --git a/playbooks/user/add-groups-to-group.yml b/playbooks/user/add-groups-to-group.yml
index ecc9b455..d91e5264 100644
--- a/playbooks/user/add-groups-to-group.yml
+++ b/playbooks/user/add-groups-to-group.yml
@@ -6,7 +6,7 @@
tasks:
- name: Add group members sysops and appops to group sysops
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops
group:
- sysops
diff --git a/playbooks/user/add-user-to-group.yml b/playbooks/user/add-user-to-group.yml
index 9ed5eb1a..635c0a91 100644
--- a/playbooks/user/add-user-to-group.yml
+++ b/playbooks/user/add-user-to-group.yml
@@ -6,7 +6,7 @@
tasks:
- name: Add user member brain to group sysops
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops
action: member
user:
diff --git a/playbooks/user/add-user.yml b/playbooks/user/add-user.yml
index 345a028e..ed72e51d 100644
--- a/playbooks/user/add-user.yml
+++ b/playbooks/user/add-user.yml
@@ -6,7 +6,7 @@
tasks:
- name: Create user pinky
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
first: pinky
last: Acme
diff --git a/playbooks/user/delete-group.yml b/playbooks/user/delete-group.yml
index 2d863c37..ae9f78c7 100644
--- a/playbooks/user/delete-group.yml
+++ b/playbooks/user/delete-group.yml
@@ -6,6 +6,6 @@
tasks:
- name: Remove goups sysops, appops and ops
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops,appops,ops
state: absent
diff --git a/playbooks/user/delete-preserve-user.yml b/playbooks/user/delete-preserve-user.yml
index c202b159..5d93a3d3 100644
--- a/playbooks/user/delete-preserve-user.yml
+++ b/playbooks/user/delete-preserve-user.yml
@@ -6,7 +6,7 @@
tasks:
- name: Delete and preserve user pinky
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
preserve: yes
state: absent
diff --git a/playbooks/user/delete-user.yml b/playbooks/user/delete-user.yml
index 101a2b4b..d9239e04 100644
--- a/playbooks/user/delete-user.yml
+++ b/playbooks/user/delete-user.yml
@@ -6,6 +6,6 @@
tasks:
- name: Remove user pinky and brain
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
state: absent
diff --git a/playbooks/user/disable-user.yml b/playbooks/user/disable-user.yml
index 192fd531..17c55940 100644
--- a/playbooks/user/disable-user.yml
+++ b/playbooks/user/disable-user.yml
@@ -6,6 +6,6 @@
tasks:
- name: Disable user pinky
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
state: disabled
diff --git a/playbooks/user/enable-user.yml b/playbooks/user/enable-user.yml
index dfbba493..fd3ebf3b 100644
--- a/playbooks/user/enable-user.yml
+++ b/playbooks/user/enable-user.yml
@@ -6,6 +6,6 @@
tasks:
- name: Enable user pinky
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
state: enabled
diff --git a/playbooks/user/ensure_user_with_randompassword.yml b/playbooks/user/ensure_user_with_randompassword.yml
index 4ca9f214..ee821f0a 100644
--- a/playbooks/user/ensure_user_with_randompassword.yml
+++ b/playbooks/user/ensure_user_with_randompassword.yml
@@ -6,7 +6,7 @@
tasks:
- name: User user1 present with random password
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: user1
first: first1
last: last1
diff --git a/playbooks/user/ensure_users_with_randompasswords.yml b/playbooks/user/ensure_users_with_randompasswords.yml
index 06f50c71..c0398877 100644
--- a/playbooks/user/ensure_users_with_randompasswords.yml
+++ b/playbooks/user/ensure_users_with_randompasswords.yml
@@ -6,7 +6,7 @@
tasks:
- name: Users user1 and user1 present with random password
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: user1
first: first1
diff --git a/playbooks/user/undelete-user.yml b/playbooks/user/undelete-user.yml
index 79feda07..2b95100f 100644
--- a/playbooks/user/undelete-user.yml
+++ b/playbooks/user/undelete-user.yml
@@ -6,6 +6,6 @@
tasks:
- name: Undelete preserved user pinky
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
state: undeleted
diff --git a/playbooks/user/unlock-users.yml b/playbooks/user/unlock-users.yml
index 337e97f4..36edac25 100644
--- a/playbooks/user/unlock-users.yml
+++ b/playbooks/user/unlock-users.yml
@@ -6,6 +6,6 @@
tasks:
- name: Unlock users pinky and brain
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: unlocked
diff --git a/playbooks/vault/data-archive-in-asymmetric-vault.yml b/playbooks/vault/data-archive-in-asymmetric-vault.yml
new file mode 100644
index 00000000..5fd55dfe
--- /dev/null
+++ b/playbooks/vault/data-archive-in-asymmetric-vault.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ username: user01
+ vault_data: The world of π is half rounded.
+ action: member
diff --git a/playbooks/vault/data-archive-in-symmetric-vault.yml b/playbooks/vault/data-archive-in-symmetric-vault.yml
new file mode 100644
index 00000000..f94e9d87
--- /dev/null
+++ b/playbooks/vault/data-archive-in-symmetric-vault.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ vault_password: MyVaultPassword123
+ vault_data: The world of π is half rounded.
+ action: member
diff --git a/playbooks/vault/ensure-asymetric-vault-is-absent.yml b/playbooks/vault/ensure-asymetric-vault-is-absent.yml
new file mode 100644
index 00000000..7ee6cf39
--- /dev/null
+++ b/playbooks/vault/ensure-asymetric-vault-is-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ username: admin
+ state: absent
diff --git a/playbooks/vault/ensure-asymetric-vault-is-present.yml b/playbooks/vault/ensure-asymetric-vault-is-present.yml
new file mode 100644
index 00000000..247f36fc
--- /dev/null
+++ b/playbooks/vault/ensure-asymetric-vault-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ username: admin
+ vault_public_key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlVbFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
+ vault_type: asymmetric
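Review bot: The `vault_public_key` value on the line above is a very long single-line base64 blob with nothing saying what it encodes; the DER prefix it decodes to looks like a 1024-bit RSA SubjectPublicKeyInfo, which is acceptable for a throwaway test fixture but not something to copy into a real deployment, so a comment above it such as `# Test-only 1024-bit RSA key; generate your own (>= 2048 bits) for real vaults.` would prevent that. Keep it on one line rather than a block scalar: a folded `>-` inserts spaces and a literal `|-` inserts newlines, either of which corrupts the base64 for strict decoders. The file name spells `asymetric` while the body uses `vault_type: asymmetric`; the same kind of misspelling appears in the sibling files at L3160, L3308 and L3326.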
diff --git a/playbooks/vault/ensure-service-vault-is-absent.yml b/playbooks/vault/ensure-service-vault-is-absent.yml
new file mode 100644
index 00000000..65c4c8d8
--- /dev/null
+++ b/playbooks/vault/ensure-service-vault-is-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: svcvault
+ service: "HTTP/{{ groups.ipaserver[0] }}"
+ state: absent
diff --git a/playbooks/vault/ensure-service-vault-is-present.yml b/playbooks/vault/ensure-service-vault-is-present.yml
new file mode 100644
index 00000000..cf6da223
--- /dev/null
+++ b/playbooks/vault/ensure-service-vault-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: svcvault
+ service: "HTTP/{{ groups.ipaserver[0] }}"
+ ipavaultpassword: MyVaultPassword123
+ state: present
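Review bot: `ipavaultpassword` on the line above `state` is not the parameter name used by the other new vault playbooks, which pass `vault_password` (L3157, L3343); unless the ipavault module declares `ipavaultpassword` as an alias, AnsibleModule rejects it as an unsupported parameter, so this should read `vault_password: MyVaultPassword123`. The same name appears in ensure-shared-vault-is-present.yml (L3269). Since either spelling carries a secret as a plain module argument, it is also worth confirming that the module's argument_spec (not part of this diff) marks it `no_log=True` so the value is not echoed in task results or verbose output.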
diff --git a/playbooks/vault/ensure-shared-vault-is-absent.yml b/playbooks/vault/ensure-shared-vault-is-absent.yml
new file mode 100644
index 00000000..0191ab1c
--- /dev/null
+++ b/playbooks/vault/ensure-shared-vault-is-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: sharedvault
+ shared: True
+ state: absent
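Review bot: `shared: True` uses the YAML 1.1 capitalised boolean; yamllint's truthy rule and the rest of this playbook (`become: true`, `gather_facts: false`) use lowercase, so write `shared: true`. The same appears in ensure-shared-vault-is-present.yml (L3268).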
diff --git a/playbooks/vault/ensure-shared-vault-is-present.yml b/playbooks/vault/ensure-shared-vault-is-present.yml
new file mode 100644
index 00000000..c403afcc
--- /dev/null
+++ b/playbooks/vault/ensure-shared-vault-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: sharedvault
+ shared: True
+ ipavaultpassword: MyVaultPassword123
+ state: present
diff --git a/playbooks/vault/ensure-standard-vault-is-absent.yml b/playbooks/vault/ensure-standard-vault-is-absent.yml
new file mode 100644
index 00000000..3d7cd8ab
--- /dev/null
+++ b/playbooks/vault/ensure-standard-vault-is-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: admin
+ state: absent
diff --git a/playbooks/vault/ensure-standard-vault-is-present.yml b/playbooks/vault/ensure-standard-vault-is-present.yml
new file mode 100644
index 00000000..64d08fec
--- /dev/null
+++ b/playbooks/vault/ensure-standard-vault-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ vault_type: standard
+ username: admin
+ description: A standard private vault.
diff --git a/playbooks/vault/ensure-symetric-vault-is-absent.yml b/playbooks/vault/ensure-symetric-vault-is-absent.yml
new file mode 100644
index 00000000..a0d5bbcd
--- /dev/null
+++ b/playbooks/vault/ensure-symetric-vault-is-absent.yml
@@ -0,0 +1,12 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ state: absent
diff --git a/playbooks/vault/ensure-symetric-vault-is-present.yml b/playbooks/vault/ensure-symetric-vault-is-present.yml
new file mode 100644
index 00000000..949f60e2
--- /dev/null
+++ b/playbooks/vault/ensure-symetric-vault-is-present.yml
@@ -0,0 +1,13 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ vault_password: MyVaultPassword123
+ vault_type: symmetric
diff --git a/playbooks/vault/ensure-vault-is-present-with-members.yml b/playbooks/vault/ensure-vault-is-present-with-members.yml
new file mode 100644
index 00000000..ba96ad14
--- /dev/null
+++ b/playbooks/vault/ensure-vault-is-present-with-members.yml
@@ -0,0 +1,17 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ vault_type: standard
+ username: admin
+ users:
+ - user01
+ - user02
+ groups:
+ - ipausers
diff --git a/playbooks/vault/ensure-vault-member-group-is-absent.yml b/playbooks/vault/ensure-vault-member-group-is-absent.yml
new file mode 100644
index 00000000..c5e7f7d5
--- /dev/null
+++ b/playbooks/vault/ensure-vault-member-group-is-absent.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: keychain
+ username: admin
+ state: absent
+ action: member
+ groups: ipausers
diff --git a/playbooks/vault/ensure-vault-member-group-is-present.yml b/playbooks/vault/ensure-vault-member-group-is-present.yml
new file mode 100644
index 00000000..12b52613
--- /dev/null
+++ b/playbooks/vault/ensure-vault-member-group-is-present.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: keychain
+ username: admin
+ state: present
+ action: member
+ groups: ipausers
diff --git a/playbooks/vault/ensure-vault-member-user-is-absent.yml b/playbooks/vault/ensure-vault-member-user-is-absent.yml
new file mode 100644
index 00000000..7d0578a6
--- /dev/null
+++ b/playbooks/vault/ensure-vault-member-user-is-absent.yml
@@ -0,0 +1,16 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: keychain
+ username: admin
+ state: absent
+ action: member
+ users:
+ - user01
+ - user02
diff --git a/playbooks/vault/ensure-vault-member-user-is-present.yml b/playbooks/vault/ensure-vault-member-user-is-present.yml
new file mode 100644
index 00000000..a04e6e20
--- /dev/null
+++ b/playbooks/vault/ensure-vault-member-user-is-present.yml
@@ -0,0 +1,14 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: keychain
+ username: admin
+ state: present
+ action: member
+ users: user1
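Review bot: `users: user1` on the last line does not match the user names the other vault playbooks use, which consistently refer to `user01` and `user02` (L3364-L3365, L3428-L3429, L3467); the absent counterpart removes `user01`/`user02`, so as written this playbook adds a member that the absent playbook never removes. If this is a typo, `users: user01` restores the pairing. The member playbooks also alternate between a plain scalar here and a list in ensure-vault-member-user-is-absent.yml; both work if the option is declared with `type: list`, but one form throughout would read better.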
diff --git a/playbooks/vault/ensure-vault-owner-is-absent.yml b/playbooks/vault/ensure-vault-owner-is-absent.yml
new file mode 100644
index 00000000..817a324b
--- /dev/null
+++ b/playbooks/vault/ensure-vault-owner-is-absent.yml
@@ -0,0 +1,15 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ owners: user01
+ ownergroups: ipausers
+ action: member
+ state: absent
diff --git a/playbooks/vault/ensure-vault-owner-is-present.yml b/playbooks/vault/ensure-vault-owner-is-present.yml
new file mode 100644
index 00000000..7c4cfb20
--- /dev/null
+++ b/playbooks/vault/ensure-vault-owner-is-present.yml
@@ -0,0 +1,15 @@
+---
+- name: Tests
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+ - ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ owners: user01
+ ownergroups: ipausers
+ action: member
+ state: present
diff --git a/plugins/module_utils/ansible_freeipa_module.py b/plugins/module_utils/ansible_freeipa_module.py
index a8312bc5..b8df38d4 100644
--- a/plugins/module_utils/ansible_freeipa_module.py
+++ b/plugins/module_utils/ansible_freeipa_module.py
@@ -28,6 +28,7 @@ import shutil
import gssapi
from datetime import datetime
from ipalib import api
+from ipalib import errors as ipalib_errors
from ipalib.config import Env
from ipalib.constants import DEFAULT_CONFIG, LDAP_GENERALIZED_TIME_FORMAT
try:
@@ -42,6 +43,7 @@ try:
from ipalib.x509 import Encoding
except ImportError:
from cryptography.hazmat.primitives.serialization import Encoding
+import socket
import base64
import six
@@ -151,6 +153,13 @@ def api_command(module, command, name, args):
return api.Command[command](name, **args)
+def api_command_no_name(module, command, args):
+ """
+ Call ipa.Command without a name.
+ """
+ return api.Command[command](**args)
+
+
def api_check_param(command, name):
"""
Return if param exists in command param list
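Review bot: The docstring of `api_command_no_name` says only that it calls without a name; it should say why the variant exists and that `module` is unused, e.g. `Call api.Command[command] with keyword arguments only, for commands such as dnsconfig_show/dnsconfig_mod that take no positional key; module is accepted for signature parity with api_command and is not used.` That keeps callers from assuming the module argument is consulted.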
@@ -215,10 +224,20 @@ def compare_args_ipa(module, args, ipa):
arg = [to_text(_arg) for _arg in arg]
if isinstance(ipa_arg[0], unicode) and isinstance(arg[0], int):
arg = [to_text(_arg) for _arg in arg]
- # module.warn("%s <=> %s" % (arg, ipa_arg))
- if set(arg) != set(ipa_arg):
- # module.warn("DIFFERENT")
- return False
+ # module.warn("%s <=> %s" % (repr(arg), repr(ipa_arg)))
+ try:
+ arg_set = set(arg)
+ ipa_arg_set = set(ipa_arg)
+ except TypeError:
+ if arg != ipa_arg:
+ # module.warn("%s != %s" % (repr(arg), repr(ipa_arg)))
+ return False
+ else:
+ if arg_set != ipa_arg_set:
+ # module.warn("%s != %s" % (repr(arg), repr(ipa_arg)))
+ return False
+
+ # module.warn("%s == %s" % (repr(arg), repr(ipa_arg)))
return True
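Review bot: The new `except TypeError` fallback compares `arg != ipa_arg` as sequences, so two lists holding the same unhashable items in a different order are reported as different, whereas the hashable path is order-insensitive; this asymmetry deserves a comment on the `except` branch, e.g. `# Unhashable items (e.g. dicts): fall back to an order-sensitive comparison.` The three commented-out `module.warn` lines are debugging residue and could be dropped or turned into `module.debug(...)` calls. compare_args_ipa begins outside this hunk.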
@@ -261,10 +280,32 @@ def encode_certificate(cert):
Encode a certificate using base64 with also taking FreeIPA and Python
versions into account
"""
- if isinstance(cert, str) or isinstance(cert, unicode):
+ if isinstance(cert, (str, unicode, bytes)):
encoded = base64.b64encode(cert)
else:
encoded = base64.b64encode(cert.public_bytes(Encoding.DER))
if not six.PY2:
encoded = encoded.decode('ascii')
return encoded
+
+
+def is_ipv4_addr(ipaddr):
+ """
+ Test if figen IP address is a valid IPv4 address
+ """
+ try:
+ socket.inet_pton(socket.AF_INET, ipaddr)
+ except socket.error:
+ return False
+ return True
+
+
+def is_ipv6_addr(ipaddr):
+ """
+ Test if figen IP address is a valid IPv6 address
+ """
+ try:
+ socket.inet_pton(socket.AF_INET6, ipaddr)
+ except socket.error:
+ return False
+ return True
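Review bot: `is_ipv4_addr` and `is_ipv6_addr` catch only `socket.error`, but `socket.inet_pton` raises `TypeError` for a non-string argument (e.g. `None`) and, on Python 3, `ValueError` for a string with an embedded NUL, so a caller that treats them as pure validators can still get an exception instead of `False`; `except (socket.error, TypeError, ValueError):` in both functions makes them total. Both docstrings also read `figen` for `given`. A `Returns: True if ipaddr is a textual IPv4 (resp. IPv6) address accepted by inet_pton, else False.` line would round them out.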
diff --git a/plugins/modules/ipadnsconfig.py b/plugins/modules/ipadnsconfig.py
new file mode 100644
index 00000000..4c9cf2d7
--- /dev/null
+++ b/plugins/modules/ipadnsconfig.py
@@ -0,0 +1,257 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Authors:
+# Rafael Guterres Jeffman
+#
+# Copyright (C) 2019 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+
+ANSIBLE_METADATA = {
+ "metadata_version": "1.0",
+ "supported_by": "community",
+ "status": ["preview"],
+}
+
+DOCUMENTATION = """
+---
+module: ipadnsconfig
+short description: Manage FreeIPA dnsconfig
+description: Manage FreeIPA dnsconfig
+options:
+ ipaadmin_principal:
+ description: The admin principal
+ default: admin
+ ipaadmin_password:
+ description: The admin password
+ required: false
+
+ forwarders:
+ description: The list of global DNS forwarders.
+ required: false
+ options:
+ ip_address:
+ description: The forwarder nameserver IP address list (IPv4 and IPv6).
+ required: true
+ port:
+ description: The port to forward requests to.
+ required: false
+ forward_policy:
+ description:
+ Global forwarding policy. Set to "none" to disable any configured
+ global forwarders.
+ required: false
+ choices: ['only', 'first', 'none']
+ allow_sync_ptr:
+ description:
+ Allow synchronization of forward (A, AAAA) and reverse (PTR) records.
+ required: false
+ type: bool
+ state:
+ description: State to ensure
+ default: present
+ choices: ["present", "absent"]
+"""
+
+EXAMPLES = """
+# Ensure global DNS forward configuration, allowing PTR record synchronization.
+- ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ forward_policy: only
+ allow_sync_ptr: yes
+
+# Ensure forwarder is absent.
+- ipadnsconfig:
+ forwarders:
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ state: absent
+
+# Disable PTR record synchronization.
+- ipadnsconfig:
+ allow_sync_ptr: no
+
+# Disable global forwarders.
+- ipadnsconfig:
+ forward_policy: none
+"""
+
+RETURN = """
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_text
+from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
+ temp_kdestroy, valid_creds, api_connect, api_command, \
+ api_command_no_name, compare_args_ipa, module_params_get, \
+ gen_add_del_lists, is_ipv4_addr, is_ipv6_addr, ipalib_errors
+
+
+def find_dnsconfig(module):
+ _args = {
+ "all": True,
+ }
+
+ _result = api_command_no_name(module, "dnsconfig_show", _args)
+
+ if "result" in _result:
+ if _result["result"].get('idnsforwarders', None) is None:
+ _result["result"]['idnsforwarders'] = ['']
+ return _result["result"]
+ else:
+ module.fail("Could not retrieve current DNS configuration.")
+ return None
+
+
+def gen_args(module, state, dnsconfig, forwarders, forward_policy,
+ allow_sync_ptr):
+ _args = {}
+
+ if forwarders:
+ _forwarders = []
+ for forwarder in forwarders:
+ ip_address = forwarder.get('ip_address')
+ port = forwarder.get('port')
+ if not (is_ipv4_addr(ip_address) or is_ipv6_addr(ip_address)):
+ module.fail(
+ msg="Invalid IP for DNS forwarder: %s" % ip_address)
+ if port is None:
+ _forwarders.append(ip_address)
+ else:
+ _forwarders.append('%s port %d' % (ip_address, port))
+
+ global_forwarders = dnsconfig.get('idnsforwarders', [])
+ if state == 'absent':
+ _args['idnsforwarders'] = [
+ fwd for fwd in global_forwarders if fwd not in _forwarders]
+ # When all forwarders should be excluded, use an empty string ('').
+ if not _args['idnsforwarders']:
+ _args['idnsforwarders'] = ['']
+
+ elif state == 'present':
+ _args['idnsforwarders'] = [
+ fwd for fwd in _forwarders if fwd not in global_forwarders]
+ # If no forwarders should be added, remove argument.
+ if not _args['idnsforwarders']:
+ del _args['idnsforwarders']
+
+ else:
+ # shouldn't happen, but let's be paranoid.
+ module.fail(msg="Invalid state: %s" % state)
+
+ if forward_policy is not None:
+ _args['idnsforwardpolicy'] = forward_policy
+
+ if allow_sync_ptr is not None:
+ _args['idnsallowsyncptr'] = 'TRUE' if allow_sync_ptr else 'FALSE'
+
+ return _args
+
+
+def main():
+ forwarder_spec = dict(
+ ip_address=dict(type=str, required=True),
+ port=dict(type=int, required=False, default=None)
+ )
+
+ ansible_module = AnsibleModule(
+ argument_spec=dict(
+ # general
+ ipaadmin_principal=dict(type='str', default='admin'),
+ ipaadmin_password=dict(type='str', no_log=True),
+
+ # dnsconfig
+ forwarders=dict(type='list', default=None, required=False,
+ options=dict(**forwarder_spec)),
+ forward_policy=dict(type='str', required=False, default=None,
+ choices=['only', 'first', 'none']),
+ allow_sync_ptr=dict(type='bool', required=False, default=None),
+
+ # general
+ state=dict(type="str", default="present",
+ choices=["present", "absent"]),
+
+ )
+ )
+
+ ansible_module._ansible_debug = True
+
+ # general
+ ipaadmin_principal = module_params_get(ansible_module,
+ "ipaadmin_principal")
+ ipaadmin_password = module_params_get(ansible_module,
+ "ipaadmin_password")
+
+ forwarders = module_params_get(ansible_module, 'forwarders') or []
+ forward_policy = module_params_get(ansible_module, 'forward_policy')
+ allow_sync_ptr = module_params_get(ansible_module, 'allow_sync_ptr')
+
+ state = module_params_get(ansible_module, 'state')
+
+ # Check parameters.
+ invalid = []
+ if state == 'absent':
+ invalid = ['forward_policy', 'allow_sync_ptr']
+
+ for x in invalid:
+ if vars()[x] is not None:
+ ansible_module.fail_json(
+ msg="Argument '%s' can not be used with state '%s'" %
+ (x, state))
+
+ # Init
+
+ changed = False
+ ccache_dir = None
+ ccache_name = None
+ try:
+ if not valid_creds(ansible_module, ipaadmin_principal):
+ ccache_dir, ccache_name = temp_kinit(ipaadmin_principal,
+ ipaadmin_password)
+ api_connect()
+
+ res_find = find_dnsconfig(ansible_module)
+ args = gen_args(ansible_module, state, res_find, forwarders,
+ forward_policy, allow_sync_ptr)
+
+ # Execute command only if configuration changes.
+ if not compare_args_ipa(ansible_module, args, res_find):
+ try:
+ api_command_no_name(ansible_module, 'dnsconfig_mod', args)
+ # If command did not fail, something changed.
+ changed = True
+
+ except Exception as e:
+ msg = str(e)
+ ansible_module.fail_json(msg="dnsconfig_mod: %s" % msg)
+
+ except Exception as e:
+ ansible_module.fail_json(msg=str(e))
+
+ finally:
+ temp_kdestroy(ccache_dir, ccache_name)
+
+ # Done
+
+ ansible_module.exit_json(changed=changed)
+
+
+if __name__ == "__main__":
+ main()
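Review bot: `module.fail(...)` is called in find_dnsconfig (the "Could not retrieve current DNS configuration." line) and twice in gen_args (the invalid-IP and invalid-state branches), but the module object is the plain `AnsibleModule` imported at the top of the file, which has `fail_json` and no `fail` method; each call raises `AttributeError`, which the outer `except Exception` in main() turns into an unrelated error text, so the intended messages never reach the user. Change all three to `module.fail_json(msg=...)`, e.g. `module.fail_json(msg="Could not retrieve current DNS configuration.")`, matching the `fail_json` usage already in main(). Separately, for `state: present` gen_args sends only the forwarders not already configured, while the absent branch sends the full remaining list; if `dnsconfig_mod` replaces the multi-valued attribute as other `*_mod` commands do, a present run would drop every forwarder not named in the task, so either merge the current list (minus the `''` placeholder find_dnsconfig substitutes) into the argument or document that present means replace. `ansible_module._ansible_debug = True` pokes a private attribute and looks like leftover debugging; it should be removed before merge.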
diff --git a/plugins/modules/ipagroup.py b/plugins/modules/ipagroup.py
index 50838cbf..477c5051 100644
--- a/plugins/modules/ipagroup.py
+++ b/plugins/modules/ipagroup.py
@@ -90,23 +90,23 @@ author:
EXAMPLES = """
# Create group ops with gid 1234
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops
gidnumber: 1234
# Create group sysops
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops
# Create group appops
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: appops
# Add user member pinky to group sysops
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops
action: member
user:
@@ -114,7 +114,7 @@ EXAMPLES = """
# Add user member brain to group sysops
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops
action: member
user:
@@ -122,7 +122,7 @@ EXAMPLES = """
# Add group members sysops and appops to group sysops
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops
group:
- sysops
@@ -130,7 +130,7 @@ EXAMPLES = """
# Remove goups sysops, appops and ops
- ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sysops,appops,ops
state: absent
"""
diff --git a/plugins/modules/ipahbacrule.py b/plugins/modules/ipahbacrule.py
index 385876b3..fd0ce238 100644
--- a/plugins/modules/ipahbacrule.py
+++ b/plugins/modules/ipahbacrule.py
@@ -103,52 +103,52 @@ author:
EXAMPLES = """
# Ensure HBAC Rule allhosts is present
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allhosts
usercategory: all
# Ensure host server is present in HBAC Rule allhosts
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allhosts
host: server
action: member
# Ensure HBAC Rule sshd-pinky is present
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky
hostcategory: all
# Ensure user pinky is present in HBAC Rule sshd-pinky
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky
user: pinky
action: member
# Ensure HBAC service sshd is present in HBAC Rule sshd-pinky
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky
hbacsvc: sshd
action: member
# Ensure HBAC Rule sshd-pinky is disabled
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky
state: disabled
# Ensure HBAC Rule sshd-pinky is enabled
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky
state: enabled
# Ensure HBAC Rule sshd-pinky is absent
- ipahbacrule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: sshd-pinky
state: absent
"""
@@ -344,41 +344,41 @@ def main():
# Generate addition and removal lists
host_add = list(
set(host or []) -
- set(res_find.get("member_host", [])))
+ set(res_find.get("memberhost_host", [])))
host_del = list(
- set(res_find.get("member_host", [])) -
+ set(res_find.get("memberhost_host", [])) -
set(host or []))
hostgroup_add = list(
set(hostgroup or []) -
- set(res_find.get("member_hostgroup", [])))
+ set(res_find.get("memberhost_hostgroup", [])))
hostgroup_del = list(
- set(res_find.get("member_hostgroup", [])) -
+ set(res_find.get("memberhost_hostgroup", [])) -
set(hostgroup or []))
hbacsvc_add = list(
set(hbacsvc or []) -
- set(res_find.get("member_hbacsvc", [])))
+ set(res_find.get("memberservice_hbacsvc", [])))
hbacsvc_del = list(
- set(res_find.get("member_hbacsvc", [])) -
+ set(res_find.get("memberservice_hbacsvc", [])) -
set(hbacsvc or []))
hbacsvcgroup_add = list(
set(hbacsvcgroup or []) -
- set(res_find.get("member_hbacsvcgroup", [])))
+ set(res_find.get("memberservice_hbacsvcgroup", [])))
hbacsvcgroup_del = list(
- set(res_find.get("member_hbacsvcgroup", [])) -
+ set(res_find.get("memberservice_hbacsvcgroup", [])) -
set(hbacsvcgroup or []))
user_add = list(
set(user or []) -
- set(res_find.get("member_user", [])))
+ set(res_find.get("memberuser_user", [])))
user_del = list(
- set(res_find.get("member_user", [])) -
+ set(res_find.get("memberuser_user", [])) -
set(user or []))
group_add = list(
set(group or []) -
- set(res_find.get("member_group", [])))
+ set(res_find.get("memberuser_group", [])))
group_del = list(
- set(res_find.get("member_group", [])) -
+ set(res_find.get("memberuser_group", [])) -
set(group or []))
# Add hosts and hostgroups
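Review bot: The twelve set-difference expressions in this hunk repeat one pattern (requested minus current, current minus requested) for each of six member kinds, with only the `res_find` key changing; `gen_add_del_lists`, which ansible_freeipa_module already provides (the new ipadnsconfig.py imports it), appears intended for exactly this pairing and would collapse each pair into one call, reducing the chance that a renamed key (`memberhost_host`, `memberuser_group`, …) is updated in the `_add` line but not in the `_del` line. The renamed keys look like the attribute names returned by `hbacrule_show`; a short comment above the block, `# Key names follow the memberhost_/memberuser_/memberservice_ attributes returned by hbacrule_show.`, would explain why they differ from the option names. main() starts and ends outside this hunk.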
diff --git a/plugins/modules/ipahbacsvc.py b/plugins/modules/ipahbacsvc.py
index cf9bc60c..969a62ef 100644
--- a/plugins/modules/ipahbacsvc.py
+++ b/plugins/modules/ipahbacsvc.py
@@ -56,13 +56,13 @@ author:
EXAMPLES = """
# Ensure HBAC Service for http is present
- ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: http
description: Web service
# Ensure HBAC Service for tftp is absent
- ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: tftp
state: absent
"""
diff --git a/plugins/modules/ipahbacsvcgroup.py b/plugins/modules/ipahbacsvcgroup.py
index 643f2805..3b9132a0 100644
--- a/plugins/modules/ipahbacsvcgroup.py
+++ b/plugins/modules/ipahbacsvcgroup.py
@@ -69,14 +69,14 @@ author:
EXAMPLES = """
# Ensure hbacsvcgroup login is present
- ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
# Ensure hbacsvc sshd is present in existing login hbacsvcgroup
- ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
hbacsvc:
- sshd
@@ -84,7 +84,7 @@ EXAMPLES = """
# Ensure hbacsvc sshd is abdsent in existing login hbacsvcgroup
- ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
hbacsvc:
- sshd
@@ -93,7 +93,7 @@ EXAMPLES = """
# Ensure hbacsvcgroup login is absent
- ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
state: absent
"""
diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py
index ec5e1963..9b22f5bf 100644
--- a/plugins/modules/ipahost.py
+++ b/plugins/modules/ipahost.py
@@ -147,9 +147,10 @@ options:
Defines a whitelist for Authentication Indicators. Use 'otp' to allow
OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA
authentications. Other values may be used for custom configurations.
+ Use empty string to reset auth_ind to the initial value.
type: list
aliases: ["krbprincipalauthind"]
- choices: ["radius", "otp", "pkinit", "hardened"]
+ choices: ["radius", "otp", "pkinit", "hardened", ""]
required: false
requires_pre_auth:
description: Pre-authentication is required for the service
@@ -175,11 +176,16 @@ options:
default: true
required: false
ip_address:
- description: The host IP address
+ description:
+ The host IP address list (IPv4 and IPv6). No IP address conflict
+ check will be done.
aliases: ["ipaddress"]
required: false
update_dns:
- description: Update DNS entries
+ description:
+ Controls the update of the DNS SSHFP records for existing hosts and
+ the removal of all DNS entries if a host gets removed with state
+ absent.
required: false
description:
description: The host description
@@ -277,9 +283,10 @@ options:
Defines a whitelist for Authentication Indicators. Use 'otp' to allow
OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA
authentications. Other values may be used for custom configurations.
+ Use empty string to reset auth_ind to the initial value.
type: list
aliases: ["krbprincipalauthind"]
- choices: ["radius", "otp", "pkinit", "hardened"]
+ choices: ["radius", "otp", "pkinit", "hardened", ""]
required: false
requires_pre_auth:
description: Pre-authentication is required for the service
@@ -304,11 +311,16 @@ options:
default: true
required: false
ip_address:
- description: The host IP address
+ description:
+ The host IP address list (IPv4 and IPv6). No IP address conflict
+ check will be done.
aliases: ["ipaddress"]
required: false
update_dns:
- description: Update DNS entries
+ description:
+ Controls the update of the DNS SSHFP records for existing hosts and
+ the removal of all DNS entries if a host gets removed with state
+ absent.
required: false
update_password:
description:
@@ -331,7 +343,7 @@ author:
EXAMPLES = """
# Ensure host is present
- ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
description: Example host
ip_address: 192.168.0.123
@@ -346,14 +358,14 @@ EXAMPLES = """
# Ensure host is present without DNS
- ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host02.example.com
description: Example host
force: yes
# Initiate generation of a random password for the host
- ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
description: Example host
ip_address: 192.168.0.123
@@ -361,7 +373,7 @@ EXAMPLES = """
# Ensure host is disabled
- ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: host01.example.com
update_dns: yes
state: disabled
@@ -396,7 +408,8 @@ from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils._text import to_text
from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \
- module_params_get, gen_add_del_lists, encode_certificate, api_get_realm
+ module_params_get, gen_add_del_lists, encode_certificate, api_get_realm, \
+ is_ipv4_addr, is_ipv6_addr, ipalib_errors
import six
@@ -426,6 +439,32 @@ def find_host(module, name):
return None
+def find_dnsrecord(module, name):
+ domain_name = name[name.find(".")+1:]
+ host_name = name[:name.find(".")]
+
+ _args = {
+ "all": True,
+ "idnsname": to_text(host_name),
+ }
+
+ _result = api_command(module, "dnsrecord_find", to_text(domain_name),
+ _args)
+
+ if len(_result["result"]) > 1:
+ module.fail_json(
+ msg="There is more than one host '%s'" % (name))
+ elif len(_result["result"]) == 1:
+ _res = _result["result"][0]
+ certs = _res.get("usercertificate")
+ if certs is not None:
+ _res["usercertificate"] = [encode_certificate(cert) for
+ cert in certs]
+ return _res
+ else:
+ return None
+
+
def show_host(module, name):
_result = api_command(module, "host_show", to_text(name), {})
return _result["result"]
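Review bot: find_dnsrecord splits the name on its first dot via `name.find(".")`, so a name without any dot gives -1 and silently turns `domain_name` into the whole name and `host_name` into the name minus its last character instead of failing; the same split is repeated in main at the dnsrecord_add, dnsrecord_del and state-absent blocks further down. A guard such as `if "." not in name: module.fail_json(msg="'%s' is not a fully qualified host name" % name)` before the split (or one shared helper used by all four sites) would keep a bogus zone name from reaching dnsrecord_find. The split also assumes the DNS zone is exactly everything after the first label, which is not true for a host inside a sub-domain of the zone; that limitation deserves a comment or a line in the option docs. The `usercertificate` re-encoding looks copied from find_host, and a dnsrecord_find result presumably never carries that attribute, so those lines appear to be dead.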
@@ -468,16 +507,34 @@ def gen_args(description, locality, location, platform, os, password, random,
_args["ipakrboktoauthasdelegate"] = ok_to_auth_as_delegate
if force is not None:
_args["force"] = force
- if reverse is not None:
- _args["no_reverse"] = not reverse
if ip_address is not None:
- _args["ip_address"] = ip_address
+ # IP addresses are handed extra, therefore it is needed to set
+ # the force option here to make sure that host-add is able to
+ # add a host without IP address.
+ _args["force"] = True
if update_dns is not None:
_args["updatedns"] = update_dns
return _args
+def gen_dnsrecord_args(module, ip_address, reverse):
+ _args = {}
+ if reverse is not None:
+ _args["a_extra_create_reverse"] = reverse
+ _args["aaaa_extra_create_reverse"] = reverse
+ if ip_address is not None:
+ for ip in ip_address:
+ if is_ipv4_addr(ip):
+ _args.setdefault("arecord", []).append(ip)
+ elif is_ipv6_addr(ip):
+ _args.setdefault("aaaarecord", []).append(ip)
+ else:
+ module.fail_json(msg="'%s' is not a valid IP address." % ip)
+
+ return _args
+
+
def check_parameters(
module, state, action,
description, locality, location, platform, os, password, random,
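Review bot: gen_args now sets `_args["force"] = True` whenever ip_address is given, which silently overrides an explicit `force: false` from the playbook; the inline comment explains why host-add needs it, but as far as this diff shows the `force` option description is not updated to say so. Suggest adding to the `force` option doc: `Implied (set to true) whenever ip_address is given, because the addresses are added as DNS records after the host is created.` `reverse` also remains a parameter of gen_args although the hunk removes its only use there, so it is now dead input and only consumed by gen_dnsrecord_args below. gen_args' signature starts outside the hunk.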
@@ -497,8 +554,7 @@ def check_parameters(
"os", "password", "random", "mac_address", "sshpubkey",
"userclass", "auth_ind", "requires_pre_auth",
"ok_as_delegate", "ok_to_auth_as_delegate", "force",
- "reverse", "ip_address", "update_dns",
- "update_password"]
+ "reverse", "update_dns", "update_password"]
for x in invalid:
if vars()[x] is not None:
module.fail_json(
@@ -510,20 +566,26 @@ def check_parameters(
"password", "random", "mac_address", "sshpubkey",
"userclass", "auth_ind", "requires_pre_auth",
"ok_as_delegate", "ok_to_auth_as_delegate", "force",
- "reverse", "ip_address", "update_password"]
- if action == "host":
- invalid.extend([
- "certificate", "managedby_host", "principal",
- "allow_create_keytab_user", "allow_create_keytab_group",
- "allow_create_keytab_host", "allow_create_keytab_hostgroup",
- "allow_retrieve_keytab_user", "allow_retrieve_keytab_group",
- "allow_retrieve_keytab_host",
- "allow_retrieve_keytab_hostgroup"])
+ "reverse", "update_password"]
for x in invalid:
if vars()[x] is not None:
module.fail_json(
msg="Argument '%s' can not be used with state '%s'" %
(x, state))
+ if action == "host":
+ invalid = [
+ "certificate", "managedby_host", "principal",
+ "allow_create_keytab_user", "allow_create_keytab_group",
+ "allow_create_keytab_host", "allow_create_keytab_hostgroup",
+ "allow_retrieve_keytab_user", "allow_retrieve_keytab_group",
+ "allow_retrieve_keytab_host",
+ "allow_retrieve_keytab_hostgroup"
+ ]
+ for x in invalid:
+ if vars()[x] is not None:
+ module.fail_json(
+ msg="Argument '%s' can only be used with action "
+ "'member' for state '%s'" % (x, state))
def main():
@@ -541,9 +603,6 @@ def main():
default=None, no_log=True),
random=dict(type="bool", aliases=["random_password"],
default=None),
-
-
-
certificate=dict(type="list", aliases=["usercertificate"],
default=None),
managedby_host=dict(type="list",
@@ -590,7 +649,7 @@ def main():
default=None),
auth_ind=dict(type='list', aliases=["krbprincipalauthind"],
default=None,
- choices=['password', 'radius', 'otp']),
+ choices=['radius', 'otp', 'pkinit', 'hardened', '']),
requires_pre_auth=dict(type="bool", aliases=["ipakrbrequirespreauth"],
default=None),
ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"],
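Review bot: the auth_ind argument spec drops `'password'` from its choices while adding `'pkinit'`, `'hardened'` and `''`, so any existing playbook that passes `auth_ind: password` is now rejected at argument validation; that is a backward-incompatible change worth a changelog entry, even though the DOCUMENTATION block earlier in this diff never listed `'password'`, so the old spec was already inconsistent with its docs. With `type='list'` the `''` choice is the documented reset value, and a one-line comment here, `# '' resets krbprincipalauthind, see DOCUMENTATION`, would save the next reader a lookup.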
@@ -600,7 +659,7 @@ def main():
default=None),
force=dict(type='bool', default=None),
reverse=dict(type='bool', default=None),
- ip_address=dict(type="str", aliases=["ipaddress"],
+ ip_address=dict(type="list", aliases=["ipaddress"],
default=None),
update_dns=dict(type="bool", aliases=["updatedns"],
default=None),
@@ -812,6 +871,20 @@ def main():
# Make sure host exists
res_find = find_host(ansible_module, name)
+ try:
+ res_find_dnsrecord = find_dnsrecord(ansible_module, name)
+ except ipalib_errors.NotFound as e:
+ msg = str(e)
+ if ip_address is None and \
+ ("DNS is not configured" in msg or \
+ "DNS zone not found" in msg):
+ # IP address(es) not given and no DNS support in IPA
+ # -> Ignore failure
+ # IP address(es) not given and DNS zone is not found
+ # -> Ignore failure
+ res_find_dnsrecord = None
+ else:
+ ansible_module.fail_json(msg="%s: %s" % (host, msg))
# Create command
if state == "present":
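Review bot: the fail_json at the end of the new except block formats `host` into the message, whereas the surrounding code refers to the current host as `name` (see the find_host call two lines above); if `host` is the raw loop item it may be a dict, or it may not be bound here at all, so `ansible_module.fail_json(msg="%s: %s" % (name, msg))` looks like the intended line. The decision to swallow the NotFound is based on substrings of the exception text, which is brittle across IPA versions; with `ipalib_errors` now imported, matching on an exception class would be sturdier where a distinct one exists, though I cannot tell from the hunk whether the two cases raise different classes. The enclosing loop starts outside the hunk.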
@@ -821,6 +894,8 @@ def main():
random, mac_address, sshpubkey, userclass, auth_ind,
requires_pre_auth, ok_as_delegate, ok_to_auth_as_delegate,
force, reverse, ip_address, update_dns)
+ dnsrecord_args = gen_dnsrecord_args(
+ ansible_module, ip_address, reverse)
if action == "host":
# Found the host
@@ -835,6 +910,13 @@ def main():
if x in args:
del args[x]
+ # Ignore auth_ind if it is empty (for resetting)
+ # and not set in for the host
+ if "krbprincipalauthind" not in res_find and \
+ "krbprincipalauthind" in args and \
+ args["krbprincipalauthind"] == ['']:
+ del args["krbprincipalauthind"]
+
# For all settings is args, check if there are
# different settings in the find result.
# If yes: modify
@@ -923,39 +1005,25 @@ def main():
res_find.get(
"ipaallowedtoperform_read_keys_hostgroup"))
- else:
- certificate_add = certificate or []
- certificate_del = []
- managedby_host_add = managedby_host or []
- managedby_host_del = []
- principal_add = principal or []
- principal_del = []
- allow_create_keytab_user_add = \
- allow_create_keytab_user or []
- allow_create_keytab_user_del = []
- allow_create_keytab_group_add = \
- allow_create_keytab_group or []
- allow_create_keytab_group_del = []
- allow_create_keytab_host_add = \
- allow_create_keytab_host or []
- allow_create_keytab_host_del = []
- allow_create_keytab_hostgroup_add = \
- allow_create_keytab_hostgroup or []
- allow_create_keytab_hostgroup_del = []
- allow_retrieve_keytab_user_add = \
- allow_retrieve_keytab_user or []
- allow_retrieve_keytab_user_del = []
- allow_retrieve_keytab_group_add = \
- allow_retrieve_keytab_group or []
- allow_retrieve_keytab_group_del = []
- allow_retrieve_keytab_host_add = \
- allow_retrieve_keytab_host or []
- allow_retrieve_keytab_host_del = []
- allow_retrieve_keytab_hostgroup_add = \
- allow_retrieve_keytab_hostgroup or []
- allow_retrieve_keytab_hostgroup_del = []
+ # IP addresses are not really a member of hosts, but
+ # we will simply treat it as this to enable the
+ # addition and removal of IPv4 and IPv6 addresses in
+ # a simple way.
+ _dnsrec = res_find_dnsrecord or {}
+ dnsrecord_a_add, dnsrecord_a_del = gen_add_del_lists(
+ dnsrecord_args.get("arecord"),
+ _dnsrec.get("arecord"))
+ dnsrecord_aaaa_add, dnsrecord_aaaa_del = \
+ gen_add_del_lists(
+ dnsrecord_args.get("aaaarecord"),
+ _dnsrec.get("aaaarecord"))
else:
+ if res_find is None:
+ ansible_module.fail_json(
+ msg="No host '%s'" % name)
+
+ if action != "host" or (action == "host" and res_find is None):
certificate_add = certificate or []
certificate_del = []
managedby_host_add = managedby_host or []
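Review bot: the condition `if action != "host" or (action == "host" and res_find is None):` reduces to `if action != "host" or res_find is None:`, since the parenthesised operand is only evaluated when action is "host"; the shorter form also reads as the intent. A one-line comment above it, `# member action, or a host that does not exist yet: plain add lists`, would help, because the `else:` at the top of this block belongs to an `if action == "host":` that starts outside the hunk. `_dnsrec = res_find_dnsrecord or {}` assumes find_dnsrecord returns a mapping carrying `arecord`/`aaaarecord` keys for a dnsrecord_find result with `all: True`; that seems plausible but is not established by anything in the diff.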
@@ -986,6 +1054,10 @@ def main():
allow_retrieve_keytab_hostgroup_add = \
allow_retrieve_keytab_hostgroup or []
allow_retrieve_keytab_hostgroup_del = []
+ dnsrecord_a_add = dnsrecord_args.get("arecord") or []
+ dnsrecord_a_del = []
+ dnsrecord_aaaa_add = dnsrecord_args.get("aaaarecord") or []
+ dnsrecord_aaaa_del = []
# Remove canonical principal from principal_del
canonical_principal = "host/" + name + "@" + server_realm
@@ -1120,6 +1192,39 @@ def main():
"hostgroup": allow_retrieve_keytab_hostgroup_del,
}])
+ if len(dnsrecord_a_add) > 0 or len(dnsrecord_aaaa_add) > 0:
+ domain_name = name[name.find(".")+1:]
+ host_name = name[:name.find(".")]
+
+ _args = {"idnsname": host_name}
+ if len(dnsrecord_a_add) > 0:
+ _args["arecord"] = dnsrecord_a_add
+ if reverse is not None:
+ _args["a_extra_create_reverse"] = reverse
+ if len(dnsrecord_aaaa_add) > 0:
+ _args["aaaarecord"] = dnsrecord_aaaa_add
+ if reverse is not None:
+ _args["aaaa_extra_create_reverse"] = reverse
+
+ commands.append([domain_name,
+ "dnsrecord_add", _args])
+
+ if len(dnsrecord_a_del) > 0 or len(dnsrecord_aaaa_del) > 0:
+ domain_name = name[name.find(".")+1:]
+ host_name = name[:name.find(".")]
+
+ # There seems to be an issue with dnsrecord_del (not
+ # for dnsrecord_add) if aaaarecord is an empty list.
+ # Therefore this is done differently here:
+ _args = {"idnsname": host_name}
+ if len(dnsrecord_a_del) > 0:
+ _args["arecord"] = dnsrecord_a_del
+ if len(dnsrecord_aaaa_del) > 0:
+ _args["aaaarecord"] = dnsrecord_aaaa_del
+
+ commands.append([domain_name,
+ "dnsrecord_del", _args])
+
elif state == "absent":
if action == "host":
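Review bot: the dnsrecord_add block rebuilds `_args` by hand, re-deriving `domain_name`/`host_name` and re-adding `a_extra_create_reverse`/`aaaa_extra_create_reverse`, although `dnsrecord_args` built by gen_dnsrecord_args earlier in main already carries exactly those reverse flags, so the two sites can drift. Either drop the reverse handling from gen_dnsrecord_args (it only matters for adds) or take the flags from it here, e.g. `_args.update({k: v for k, v in dnsrecord_args.items() if k.endswith("_extra_create_reverse")})`. The `name.find(".")` split used for `domain_name` in both sub-blocks returns -1 for a bare hostname and then yields the wrong zone, the same caveat as in find_dnsrecord. The "There seems to be an issue with dnsrecord_del" comment would be more useful if it named the observed failure, so a later reader can check whether it still applies.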
@@ -1200,6 +1305,17 @@ def main():
"hostgroup": allow_retrieve_keytab_hostgroup,
}])
+ dnsrecord_args = gen_dnsrecord_args(ansible_module,
+ ip_address, reverse)
+ if "arecord" in dnsrecord_args or \
+ "aaaarecord" in dnsrecord_args:
+ domain_name = name[name.find(".")+1:]
+ host_name = name[:name.find(".")]
+ dnsrecord_args["idnsname"] = host_name
+
+ commands.append([domain_name, "dnsrecord_del",
+ dnsrecord_args])
+
elif state == "disabled":
if res_find is not None:
commands.append([name, "host_disable", {}])
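Review bot: in the state-absent branch `dnsrecord_args` is passed straight to `dnsrecord_del`, but gen_dnsrecord_args also puts `a_extra_create_reverse`/`aaaa_extra_create_reverse` into it when `reverse` is set, and as far as I know dnsrecord_del does not accept those options, so `state: absent` with both `ip_address` and `reverse` would presumably fail on the API call. Passing `None` for the reverse argument at this call site, `dnsrecord_args = gen_dnsrecord_args(ansible_module, ip_address, None)`, keeps only the record lists. The dnsrecord_add path earlier in main avoids the problem by building its own argument dict.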
@@ -1244,6 +1360,11 @@ def main():
# Host is already disabled, ignore error
if "This entry is already disabled" in msg:
continue
+
+ # Ignore no modification error.
+ if "no modifications to be performed" in msg:
+ continue
+
ansible_module.fail_json(msg="%s: %s: %s" % (command, name,
msg))
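Review bot: the new `"no modifications to be performed" in msg` check matches on the exception's text, like the pre-existing "already disabled" check above it; with `ipalib_errors` now imported, an `isinstance(e, ipalib_errors.EmptyModification)` test would be the robust form, provided the enclosing `except` (which starts outside the hunk) binds the exception object, which I cannot see here. A short comment stating which code path issues a host_mod that ends up with no changes would also help, since a reader otherwise cannot tell whether this masks a real bug or an expected no-op.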
diff --git a/plugins/modules/ipahostgroup.py b/plugins/modules/ipahostgroup.py
index 9dbfa625..5fcca1d6 100644
--- a/plugins/modules/ipahostgroup.py
+++ b/plugins/modules/ipahostgroup.py
@@ -73,7 +73,7 @@ author:
EXAMPLES = """
# Ensure host-group databases is present
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
@@ -83,7 +83,7 @@ EXAMPLES = """
# Ensure hosts and hostgroups are present in existing databases hostgroup
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
@@ -94,7 +94,7 @@ EXAMPLES = """
# Ensure hosts and hostgroups are absent in databases hostgroup
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
@@ -106,7 +106,7 @@ EXAMPLES = """
# Ensure host-group databases is absent
- ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
state: absent
"""
diff --git a/plugins/modules/ipapwpolicy.py b/plugins/modules/ipapwpolicy.py
index 9437b595..0d68fb1c 100644
--- a/plugins/modules/ipapwpolicy.py
+++ b/plugins/modules/ipapwpolicy.py
@@ -98,7 +98,7 @@ author:
EXAMPLES = """
# Ensure pwpolicy is set for ops
- ipapwpolicy:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: ops
minlife: 7
maxlife: 49
@@ -167,7 +167,7 @@ def main():
ipaadmin_password=dict(type="str", required=False, no_log=True),
name=dict(type="list", aliases=["cn"], default=None,
- required=True),
+ required=False),
# present
maxlife=dict(type="int", aliases=["krbmaxpwdlife"], default=None),
@@ -218,6 +218,9 @@ def main():
# Check parameters
+ if names is None:
+ names = ["global_policy"]
+
if state == "present":
if len(names) != 1:
ansible_module.fail_json(
@@ -225,8 +228,10 @@ def main():
if state == "absent":
if len(names) < 1:
+ ansible_module.fail_json(msg="No name given.")
+ if "global_policy" in names:
ansible_module.fail_json(
- msg="No name given.")
+ msg="'global_policy' can not be made absent.")
invalid = ["maxlife", "minlife", "history", "minclasses",
"minlength", "priority", "maxfail", "failinterval",
"lockouttime"]
diff --git a/plugins/modules/ipaservice.py b/plugins/modules/ipaservice.py
new file mode 100644
index 00000000..e0da817c
--- /dev/null
+++ b/plugins/modules/ipaservice.py
@@ -0,0 +1,811 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Authors:
+# Rafael Guterres Jeffman
+#
+# Copyright (C) 2019 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+ANSIBLE_METADATA = {
+ "metadata_version": "1.0",
+ "supported_by": "community",
+ "status": ["preview"],
+}
+
+
+DOCUMENTATION = """
+---
+module: ipaservice
+short description: Manage FreeIPA service
+description: Manage FreeIPA service
+options:
+ ipaadmin_principal:
+ description: The admin principal
+ default: admin
+ ipaadmin_password:
+ description: The admin password
+ required: false
+ name:
+ description: The service to manage
+ required: true
+ aliases: ["service"]
+ certificate:
+ description: Base-64 encoded service certificate.
+ required: false
+ type: list
+ aliases=['usercertificate']
+ pac_type:
+ description: Supported PAC type.
+ required: false
+ choices: ["MS-PAC", "PAD", "NONE"]
+ type: list
+ aliases: ["pac_type", "ipakrbauthzdata"]
+ auth_ind:
+ description: Defines a whitelist for Authentication Indicators.
+ required: false
+ choices: ["otp", "radius", "pkinit", "hardened"]
+ aliases: ["krbprincipalauthind"]
+ skip_host_check:
+ description: Skip checking if host object exists.
+ required: False
+ type: bool
+ force:
+ description: Force principal name even if host is not in DNS.
+ required: False
+ type: bool
+ requires_pre_auth:
+ description: Pre-authentication is required for the service.
+ required: false
+ type: bool
+ default: False
+ aliases: ["ipakrbrequirespreauth"]
+ ok_as_delegate:
+ description: Client credentials may be delegated to the service.
+ required: false
+ type: bool
+ default: False
+ aliases: ["ipakrbokasdelegate"]
+ ok_to_auth_as_delegate: Allow service to authenticate on behalf of a client.
+ description: .
+ required: false
+ type: bool
+ default: False
+ aliases:["ipakrboktoauthasdelegate"]
+ principal:
+ description: List of principal aliases for the service.
+ required: false
+ type: list
+ aliases: ["krbprincipalname"]
+ host:
+ description: Host that can manage the service.
+ required: false
+ type: list
+ aliases: ["managedby_host"]
+ allow_create_keytab_user:
+ descrption: Users allowed to create a keytab of this host.
+ required: false
+ type: list
+ aliases: ["ipaallowedtoperform_write_keys_user"]
+ allow_create_keytab_group:
+ descrption: Groups allowed to create a keytab of this host.
+ required: false
+ type: list
+ aliases: ["ipaallowedtoperform_write_keys_group"]
+ allow_create_keytab_host:
+ descrption: Hosts allowed to create a keytab of this host.
+ required: false
+ type: list
+ aliases: ["ipaallowedtoperform_write_keys_host"]
+ allow_create_keytab_hostgroup:
+ descrption: Host group allowed to create a keytab of this host.
+ required: false
+ type: list
+ aliases: ["ipaallowedtoperform_write_keys_hostgroup"]
+ allow_retrieve_keytab_user:
+ descrption: User allowed to retrieve a keytab of this host.
+ required: false
+ type: list
+ aliases: ["ipaallowedtoperform_read_keys_user"]
+ allow_retrieve_keytab_group:
+ descrption: Groups allowed to retrieve a keytab of this host.
+ required: false
+ type: list
+ aliases: ["ipaallowedtoperform_read_keys_group"]
+ allow_retrieve_keytab_host:
+ descrption: Hosts allowed to retrieve a keytab of this host.
+ required: false
+ type: list
+ aliases: ["ipaallowedtoperform_read_keys_host"]
+ allow_retrieve_keytab_hostgroup:
+ descrption: Host groups allowed to retrieve a keytab of this host.
+ required: false
+ type: list
+ aliases: ["ipaallowedtoperform_read_keys_hostgroup"]
+ action:
+ description: Work on service or member level
+ default: service
+ choices: ["member", "service"]
+ state:
+ description: State to ensure
+ default: present
+ choices: ["present", "absent", "enabled", "disabled"]
+author:
+ - Rafael Jeffman
+"""
+
+EXAMPLES = """
+ # Ensure service is present
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ pac_type:
+ - MS-PAC
+ - PAD
+ auth_ind: otp
+ skip_host_check: true
+ force: false
+ requires_pre_auth: true
+ ok_as_delegate: false
+ ok_to_auth_as_delegate: false
+
+ # Ensure service is absent
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ state: absent
+
+ # Ensure service member certificate is present.
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ certificate:
+ - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
+ DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
+ ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
+ VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
+ LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
+ oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
+ 4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
+ xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
+ UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
+ eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
+ 5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
+ uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
+ 2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
+ obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
+ /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
+ action: member
+ state: present
+
+ # Ensure principal host/test.example.com present in service.
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ principal:
+ - host/test.example.com
+ action: member
+
+ # Ensure host can manage service.
+ - ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.example.com
+ host:
+ - host1.example.com
+ - host2.example.com
+ action: member
+"""
+
+RETURN = """
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
+ temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \
+ encode_certificate, gen_add_del_lists, module_params_get, to_text, \
+ api_check_param
+
+
+def find_service(module, name):
+ _args = {
+ "all": True,
+ }
+
+ _result = api_command(module, "service_find", to_text(name), _args)
+
+ if len(_result["result"]) > 1:
+ module.fail_json(
+ msg="There is more than one service '%s'" % (name))
+ elif len(_result["result"]) == 1:
+ _res = _result["result"][0]
+ certs = _res.get("usercertificate")
+ if certs is not None:
+ _res["usercertificate"] = [encode_certificate(cert) for
+ cert in certs]
+ return _res
+ else:
+ return None
+
+
+def gen_args(pac_type, auth_ind, skip_host_check, force, requires_pre_auth,
+ ok_as_delegate, ok_to_auth_as_delegate):
+ _args = {}
+
+ if pac_type is not None:
+ _args['ipakrbauthzdata'] = pac_type
+ if auth_ind is not None:
+ _args['krbprincipalauthind'] = auth_ind
+ if skip_host_check is not None:
+ _args['skip_host_check'] = (skip_host_check)
+ if force is not None:
+ _args['force'] = (force)
+ if requires_pre_auth is not None:
+ _args['ipakrbrequirespreauth'] = (requires_pre_auth)
+ if ok_as_delegate is not None:
+ _args['ipakrbokasdelegate'] = (ok_as_delegate)
+ if ok_to_auth_as_delegate is not None:
+ _args['ipakrboktoauthasdelegate'] = (ok_to_auth_as_delegate)
+
+ return _args
+
+
+def check_parameters(module, state, action, names, parameters):
+ assert isinstance(parameters, dict)
+
+ # invalid parameters for everything but state 'present', action 'service'.
+ invalid = ['pac_type', 'auth_ind', 'skip_host_check',
+ 'force', 'requires_pre_auth', 'ok_as_delegate',
+ 'ok_to_auth_as_delegate']
+
+ # invalid parameters when not handling service members.
+ invalid_not_member = \
+ ['principal', 'certificate', 'host', 'allow_create_keytab_user',
+ 'allow_create_keytab_group', 'allow_create_keytab_host',
+ 'allow_create_keytab_hostgroup', 'allow_retrieve_keytab_user',
+ 'allow_retrieve_keytab_group', 'allow_retrieve_keytab_host',
+ 'allow_retrieve_keytab_hostgroup']
+
+ if state == 'present':
+ if len(names) != 1:
+ module.fail_json(msg="Only one service can be added at a time.")
+
+ if action == 'service':
+ invalid = []
+
+ elif state == 'absent':
+ if len(names) < 1:
+ module.fail_json(msg="No name given.")
+
+ if action == "service":
+ invalid.extend(invalid_not_member)
+
+ elif state == 'disabled':
+ invalid.extend(invalid_not_member)
+ if action != "service":
+ module.fail_json(
+ msg="Invalid action '%s' for state '%s'" % (action, state))
+
+ else:
+ module.fail_json(msg="Invalid state '%s'" % (state))
+
+ for _invalid in invalid:
+ if parameters[_invalid] is not None:
+ module.fail_json(
+ msg="Argument '%s' can not be used with state '%s'" %
+ (_invalid, state))
+
+
+def init_ansible_module():
+ ansible_module = AnsibleModule(
+ argument_spec=dict(
+ # general
+ ipaadmin_principal=dict(type="str", default="admin"),
+ ipaadmin_password=dict(type="str", required=False, no_log=True),
+
+ name=dict(type="list", aliases=["service"], default=None,
+ required=True),
+ # service attributesstr
+ certificate=dict(type="list", aliases=['usercertificate'],
+ default=None, required=False),
+ principal=dict(type="list", aliases=["krbprincipalname"],
+ default=None),
+ pac_type=dict(type="list", aliases=["ipakrbauthzdata"],
+ choices=["MS-PAC", "PAD", "NONE"]),
+ auth_ind=dict(type="str",
+ aliases=["krbprincipalauthind"],
+ choices=["otp", "radius", "pkinit", "hardened"]),
+ skip_host_check=dict(type="bool"),
+ force=dict(type="bool"),
+ requires_pre_auth=dict(
+ type="bool", aliases=["ipakrbrequirespreauth"]),
+ ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"]),
+ ok_to_auth_as_delegate=dict(type="bool",
+ aliases=["ipakrboktoauthasdelegate"]),
+ host=dict(type="list", aliases=["managedby_host"], required=False),
+ allow_create_keytab_user=dict(
+ type="list", required=False,
+ aliases=['ipaallowedtoperform_write_keys_user']),
+ allow_retrieve_keytab_user=dict(
+ type="list", required=False,
+ aliases=['ipaallowedtoperform_read_keys_user']),
+ allow_create_keytab_group=dict(
+ type="list", required=False,
+ aliases=['ipaallowedtoperform_write_keys_group']),
+ allow_retrieve_keytab_group=dict(
+ type="list", required=False,
+ aliases=['ipaallowedtoperform_read_keys_group']),
+ allow_create_keytab_host=dict(
+ type="list", required=False,
+ aliases=['ipaallowedtoperform_write_keys_host']),
+ allow_retrieve_keytab_host=dict(
+ type="list", required=False,
+ aliases=['ipaallowedtoperform_read_keys_host']),
+ allow_create_keytab_hostgroup=dict(
+ type="list", required=False,
+ aliases=['ipaallowedtoperform_write_keys_hostgroup']),
+ allow_retrieve_keytab_hostgroup=dict(
+ type="list", required=False,
+ aliases=['ipaallowedtoperform_read_keys_hostgroup']),
+ # action
+ action=dict(type="str", default="service",
+ choices=["member", "service"]),
+ # state
+ state=dict(type="str", default="present",
+ choices=["present", "absent",
+ "enabled", "disabled"]),
+ ),
+ supports_check_mode=True,
+ )
+
+ ansible_module._ansible_debug = True
+
+ return ansible_module
+
+
+def main():
+ ansible_module = init_ansible_module()
+
+ # Get parameters
+
+ # general
+ ipaadmin_principal = module_params_get(ansible_module,
+ "ipaadmin_principal")
+ ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password")
+ names = module_params_get(ansible_module, "name")
+
+ # service attributes
+ principal = module_params_get(ansible_module, "principal")
+ certificate = module_params_get(ansible_module, "certificate")
+ pac_type = module_params_get(ansible_module, "pac_type")
+ auth_ind = module_params_get(ansible_module, "auth_ind")
+ skip_host_check = module_params_get(ansible_module, "skip_host_check")
+ force = module_params_get(ansible_module, "force")
+ requires_pre_auth = module_params_get(ansible_module, "requires_pre_auth")
+ ok_as_delegate = module_params_get(ansible_module, "ok_as_delegate")
+ ok_to_auth_as_delegate = module_params_get(ansible_module,
+ "ok_to_auth_as_delegate")
+
+ host = module_params_get(ansible_module, "host")
+
+ allow_create_keytab_user = module_params_get(
+ ansible_module, "allow_create_keytab_user")
+ allow_create_keytab_group = module_params_get(
+ ansible_module, "allow_create_keytab_group")
+ allow_create_keytab_host = module_params_get(
+ ansible_module, "allow_create_keytab_host")
+ allow_create_keytab_hostgroup = module_params_get(
+ ansible_module, "allow_create_keytab_hostgroup")
+
+ allow_retrieve_keytab_user = module_params_get(
+ ansible_module, "allow_retrieve_keytab_user")
+ allow_retrieve_keytab_group = module_params_get(
+ ansible_module, "allow_retrieve_keytab_group")
+ allow_retrieve_keytab_host = module_params_get(
+ ansible_module, "allow_create_keytab_host")
+ allow_retrieve_keytab_hostgroup = module_params_get(
+ ansible_module, "allow_retrieve_keytab_hostgroup")
+
+ # action
+ action = module_params_get(ansible_module, "action")
+ # state
+ state = module_params_get(ansible_module, "state")
+
+ # check parameters
+ check_parameters(ansible_module, state, action, names, vars())
+
+ # Init
+
+ changed = False
+ exit_args = {}
+ ccache_dir = None
+ ccache_name = None
+ try:
+ if not valid_creds(ansible_module, ipaadmin_principal):
+ ccache_dir, ccache_name = temp_kinit(ipaadmin_principal,
+ ipaadmin_password)
+ api_connect()
+
+ has_skip_host_check = api_check_param(
+ "service_add", "skip_host_check")
+ if skip_host_check and not has_skip_host_check:
+ ansible_module.fail_json(
+ msg="Skipping host check is not supported by your IPA version")
+
+ commands = []
+
+ for name in names:
+ res_find = find_service(ansible_module, name)
+
+ if state == "present":
+ if action == "service":
+ args = gen_args(
+ pac_type, auth_ind, skip_host_check, force,
+ requires_pre_auth, ok_as_delegate,
+ ok_to_auth_as_delegate)
+ if not has_skip_host_check and 'skip_host_check' in args:
+ del args['skip_host_check']
+
+ if res_find is None:
+ commands.append([name, 'service_add', args])
+
+ certificate_add = certificate or []
+ certificate_del = []
+ host_add = host or []
+ host_del = []
+ principal_add = principal or []
+ principal_del = []
+ allow_create_keytab_user_add = \
+ allow_create_keytab_user or []
+ allow_create_keytab_user_del = []
+ allow_create_keytab_group_add = \
+ allow_create_keytab_group or []
+ allow_create_keytab_group_del = []
+ allow_create_keytab_host_add = \
+ allow_create_keytab_host or []
+ allow_create_keytab_host_del = []
+ allow_create_keytab_hostgroup_add = \
+ allow_create_keytab_hostgroup or []
+ allow_create_keytab_hostgroup_del = []
+ allow_retrieve_keytab_user_add = \
+ allow_retrieve_keytab_user or []
+ allow_retrieve_keytab_user_del = []
+ allow_retrieve_keytab_group_add = \
+ allow_retrieve_keytab_group or []
+ allow_retrieve_keytab_group_del = []
+ allow_retrieve_keytab_host_add = \
+ allow_retrieve_keytab_host or []
+ allow_retrieve_keytab_host_del = []
+ allow_retrieve_keytab_hostgroup_add = \
+ allow_retrieve_keytab_hostgroup or []
+ allow_retrieve_keytab_hostgroup_del = []
+
+ else:
+ for remove in ['skip_host_check', 'force']:
+ if remove in args:
+ del args[remove]
+
+ if not compare_args_ipa(ansible_module, args,
+ res_find):
+ commands.append([name, "service_mod", args])
+
+ certificate_add, certificate_del = gen_add_del_lists(
+ certificate, res_find.get("usercertificate"))
+
+ host_add, host_del = gen_add_del_lists(
+ host, res_find.get('managedby_host', []))
+
+ principal_add, principal_del = gen_add_del_lists(
+ principal, res_find.get("principal"))
+
+ (allow_create_keytab_user_add,
+ allow_create_keytab_user_del) = \
+ gen_add_del_lists(
+ allow_create_keytab_user, res_find.get(
+ 'ipaallowedtoperform_write_keys_user',
+ []))
+ (allow_retrieve_keytab_user_add,
+ allow_retrieve_keytab_user_del) = \
+ gen_add_del_lists(
+ allow_retrieve_keytab_user, res_find.get(
+ 'ipaallowedtoperform_read_keys_user',
+ []))
+ (allow_create_keytab_group_add,
+ allow_create_keytab_group_del) = \
+ gen_add_del_lists(
+ allow_create_keytab_group, res_find.get(
+ 'ipaallowedtoperform_write_keys_group',
+ []))
+ (allow_retrieve_keytab_group_add,
+ allow_retrieve_keytab_group_del) = \
+ gen_add_del_lists(
+ allow_retrieve_keytab_group,
+ res_find.get(
+ 'ipaallowedtoperform_read_keys_group',
+ []))
+ (allow_create_keytab_host_add,
+ allow_create_keytab_host_del) = \
+ gen_add_del_lists(
+ allow_create_keytab_host,
+ res_find.get(
+ 'ipaallowedtoperform_write_keys_host',
+ []))
+ (allow_retrieve_keytab_host_add,
+ allow_retrieve_keytab_host_del) = \
+ gen_add_del_lists(
+ allow_retrieve_keytab_host,
+ res_find.get(
+ 'ipaallowedtoperform_read_keys_host',
+ []))
+ (allow_create_keytab_hostgroup_add,
+ allow_create_keytab_hostgroup_del) = \
+ gen_add_del_lists(
+ allow_create_keytab_hostgroup,
+ res_find.get(
+ 'ipaallowedtoperform_write_keys_hostgroup',
+ []))
+ (allow_retrieve_keytab_hostgroup_add,
+ allow_retrieve_keytab_hostgroup_del) = \
+ gen_add_del_lists(
+ allow_retrieve_keytab_hostgroup,
+ res_find.get(
+ 'ipaallowedtoperform_read_keys_hostgroup',
+ []))
+
+ elif action == "member":
+ if res_find is None:
+ ansible_module.fail_json(msg="No service '%s'" % name)
+
+ existing = res_find.get('usercertificate', [])
+ if certificate is None:
+ certificate_add = []
+ else:
+ certificate_add = [c for c in certificate
+ if c not in existing]
+ certificate_del = []
+ host_add = host or []
+ host_del = []
+ principal_add = principal or []
+ principal_del = []
+
+ allow_create_keytab_user_add = \
+ allow_create_keytab_user or []
+ allow_create_keytab_user_del = []
+ allow_create_keytab_group_add = \
+ allow_create_keytab_group or []
+ allow_create_keytab_group_del = []
+ allow_create_keytab_host_add = \
+ allow_create_keytab_host or []
+ allow_create_keytab_host_del = []
+ allow_create_keytab_hostgroup_add = \
+ allow_create_keytab_hostgroup or []
+ allow_create_keytab_hostgroup_del = []
+ allow_retrieve_keytab_user_add = \
+ allow_retrieve_keytab_user or []
+ allow_retrieve_keytab_user_del = []
+ allow_retrieve_keytab_group_add = \
+ allow_retrieve_keytab_group or []
+ allow_retrieve_keytab_group_del = []
+ allow_retrieve_keytab_host_add = \
+ allow_retrieve_keytab_host or []
+ allow_retrieve_keytab_host_del = []
+ allow_retrieve_keytab_hostgroup_add = \
+ allow_retrieve_keytab_hostgroup or []
+ allow_retrieve_keytab_hostgroup_del = []
+
+ # Add principals
+ for _principal in principal_add:
+ commands.append([name, "service_add_principal",
+ {
+ "krbprincipalname":
+ _principal,
+ }])
+
+ # Remove principals
+ for _principal in principal_del:
+ commands.append([name, "service_remove_principal",
+ {
+ "krbprincipalname":
+ _principal,
+ }])
+
+ for _certificate in certificate_add:
+ commands.append([name, "service_add_cert",
+ {
+ "usercertificate":
+ _certificate,
+ }])
+ # Remove certificates
+ for _certificate in certificate_del:
+ commands.append([name, "service_remove_cert",
+ {
+ "usercertificate":
+ _certificate,
+ }])
+
+ # Add hosts.
+ if host is not None and len(host) > 0 and len(host_add) > 0:
+ commands.append([name, "service_add_host",
+ {"host": host_add}])
+ # Remove hosts
+ if host is not None and len(host) > 0 and len(host_del) > 0:
+ commands.append([name, "service_remove_host",
+ {"host": host_del}])
+
+ # Allow create keytab
+ if len(allow_create_keytab_user_add) > 0 or \
+ len(allow_create_keytab_group_add) > 0 or \
+ len(allow_create_keytab_host_add) > 0 or \
+ len(allow_create_keytab_hostgroup_add) > 0:
+ commands.append(
+ [name, "service_allow_create_keytab",
+ {'user': allow_create_keytab_user_add,
+ 'group': allow_create_keytab_group_add,
+ 'host': allow_create_keytab_host_add,
+ 'hostgroup': allow_create_keytab_hostgroup_add
+ }])
+
+ # Disallow create keytab
+ if len(allow_create_keytab_user_del) > 0 or \
+ len(allow_create_keytab_group_del) > 0 or \
+ len(allow_create_keytab_host_del) > 0 or \
+ len(allow_create_keytab_hostgroup_del) > 0:
+ commands.append(
+ [name, "service_disallow_create_keytab",
+ {'user': allow_create_keytab_user_del,
+ 'group': allow_create_keytab_group_del,
+ 'host': allow_create_keytab_host_del,
+ 'hostgroup': allow_create_keytab_hostgroup_del
+ }])
+
+ # Allow retrieve keytab
+ if len(allow_retrieve_keytab_user_add) > 0 or \
+ len(allow_retrieve_keytab_group_add) > 0 or \
+ len(allow_retrieve_keytab_hostgroup_add) > 0 or \
+ len(allow_retrieve_keytab_hostgroup_add) > 0:
+ commands.append(
+ [name, "service_allow_retrieve_keytab",
+ {'user': allow_retrieve_keytab_user_add,
+ 'group': allow_retrieve_keytab_group_add,
+ 'host': allow_retrieve_keytab_host_add,
+ 'hostgroup': allow_retrieve_keytab_hostgroup_add
+ }])
+
+ # Disllow retrieve keytab
+ if len(allow_retrieve_keytab_user_del) > 0 or \
+ len(allow_retrieve_keytab_group_del) > 0 or \
+ len(allow_retrieve_keytab_host_del) > 0 or \
+ len(allow_retrieve_keytab_hostgroup_del) > 0:
+ commands.append(
+ [name, "service_disallow_retrieve_keytab",
+ {'user': allow_retrieve_keytab_user_del,
+ 'group': allow_retrieve_keytab_group_del,
+ 'host': allow_retrieve_keytab_host_del,
+ 'hostgroup': allow_retrieve_keytab_hostgroup_del
+ }])
+
+ elif state == "absent":
+ if action == "service":
+ if res_find is not None:
+ commands.append([name, 'service_del', {}])
+
+ elif action == "member":
+ if res_find is None:
+ ansible_module.fail_json(msg="No service '%s'" % name)
+
+ # Remove principals
+ if principal is not None:
+ for _principal in principal:
+ commands.append([name, "service_remove_principal",
+ {
+ "krbprincipalname":
+ _principal,
+ }])
+ # Remove certificates
+ if certificate is not None:
+ existing = res_find.get('usercertificate', [])
+ for _certificate in certificate:
+ if _certificate in existing:
+ commands.append([name, "service_remove_cert",
+ {
+ "usercertificate":
+ _certificate,
+ }])
+
+ # Add hosts
+ if host is not None:
+ commands.append(
+ [name, "service_remove_host", {"host": host}])
+
+ # Allow create keytab
+ if allow_create_keytab_user is not None or \
+ allow_create_keytab_group is not None or \
+ allow_create_keytab_host is not None or \
+ allow_create_keytab_hostgroup is not None:
+ commands.append(
+ [name, "service_disallow_create_keytab",
+ {'user': allow_create_keytab_user,
+ 'group': allow_create_keytab_group,
+ 'host': allow_create_keytab_host,
+ 'hostgroup': allow_create_keytab_hostgroup
+ }])
+
+ # Allow retriev keytab
+ if allow_retrieve_keytab_user is not None or \
+ allow_retrieve_keytab_group is not None or \
+ allow_retrieve_keytab_host is not None or \
+ allow_retrieve_keytab_hostgroup is not None:
+ commands.append(
+ [name, "service_disallow_retrieve_keytab",
+ {'user': allow_retrieve_keytab_user,
+ 'group': allow_retrieve_keytab_group,
+ 'host': allow_retrieve_keytab_host,
+ 'hostgroup': allow_retrieve_keytab_hostgroup
+ }])
+
+ elif state == "disabled":
+ if action == "service":
+ if res_find is not None and \
+ len(res_find.get('usercertificate', [])) > 0:
+ commands.append([name, 'service_disable', {}])
+ else:
+ ansible_module.fail_json(
+ msg="Invalid action '%s' for state '%s'" %
+ (action, state))
+ else:
+ ansible_module.fail_json(msg="Unkown state '%s'" % state)
+
+ # Execute commands
+ errors = []
+ for name, command, args in commands:
+ try:
+ result = api_command(ansible_module, command, name, args)
+
+ if "completed" in result:
+ if result["completed"] > 0:
+ changed = True
+ else:
+ changed = True
+ except Exception as ex:
+ ansible_module.fail_json(msg="%s: %s: %s" % (command, name,
+ str(ex)))
+ # Get all errors
+ # All "already a member" and "not a member" failures in the
+ # result are ignored. All others are reported.
+ if "failed" in result and len(result["failed"]) > 0:
+ for item in result["failed"]:
+ failed_item = result["failed"][item]
+ for member_type in failed_item:
+ for member, failure in failed_item[member_type]:
+ if "already a member" in failure \
+ or "not a member" in failure:
+ continue
+ errors.append("%s: %s %s: %s" % (
+ command, member_type, member, failure))
+ if len(errors) > 0:
+ ansible_module.fail_json(msg=", ".join(errors))
+
+ except Exception as ex:
+ ansible_module.fail_json(msg=str(ex))
+
+ finally:
+ temp_kdestroy(ccache_dir, ccache_name)
+
+ # Done
+ ansible_module.exit_json(changed=changed, **exit_args)
+
+
+if __name__ == "__main__":
+ main()
diff --git a/plugins/modules/ipasudocmd.py b/plugins/modules/ipasudocmd.py
index 8e25561e..74947933 100644
--- a/plugins/modules/ipasudocmd.py
+++ b/plugins/modules/ipasudocmd.py
@@ -57,13 +57,13 @@ author:
EXAMPLES = """
# Ensure sudocmd is present
- ipacommand:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: su
state: present
# Ensure sudocmd is absent
- ipacommand:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: su
state: absent
"""
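Review bot: Both examples in this EXAMPLES block invoke `ipacommand:` although the module is ipasudocmd, so anyone copying them gets a module-not-found error; the commit only swapped the password value. Change both task lines to `- ipasudocmd:` so the examples match the module they document.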
@@ -97,7 +97,7 @@ def find_sudocmd(module, name):
def gen_args(description):
_args = {}
if description is not None:
- _args["description"] = description
+ _args["description"] = to_text(description)
return _args
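Review bot: `to_text` is now called on the changed line, but no import of it is visible in this hunk; if ipasudocmd.py does not already import it, the module fails with a NameError the first time a description is supplied. If it is missing, add `from ansible.module_utils._text import to_text` next to the other module_utils imports (ipauser.py in this same diff imports it that way). gen_args is shown in full here, but its caller lies outside the hunk.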
diff --git a/plugins/modules/ipasudocmdgroup.py b/plugins/modules/ipasudocmdgroup.py
index bfa01300..3cbb2803 100644
--- a/plugins/modules/ipasudocmdgroup.py
+++ b/plugins/modules/ipasudocmdgroup.py
@@ -73,13 +73,13 @@ author:
EXAMPLES = """
# Ensure sudocmd-group 'network' is present
- ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
state: present
# Ensure sudocmdgroup and sudocmd are present in 'network' sudocmdgroup
- ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig
@@ -88,7 +88,7 @@ EXAMPLES = """
# Ensure sudocmdgroup and sudocmd are absent in 'network' sudocmdgroup
- ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig
@@ -98,7 +98,7 @@ EXAMPLES = """
# Ensure sudocmd-group 'network' is absent
- ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
action: member
state: absent
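Review bot: The comment says this example ensures the sudocmd-group 'network' is absent, but the task carries `action: member`, which addresses the group's members rather than the group itself, and it lists no `sudocmd` to remove; the commit touched only the password line. Either drop the `action: member` line so `state: absent` deletes the group, or reword the comment to describe member removal and add a `sudocmd:` list.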
diff --git a/plugins/modules/ipasudorule.py b/plugins/modules/ipasudorule.py
index c21f247a..24d0d7ee 100644
--- a/plugins/modules/ipasudorule.py
+++ b/plugins/modules/ipasudorule.py
@@ -79,18 +79,43 @@ options:
description: Host category the sudo rule applies to.
required: false
choices: ["all"]
- cmd:
- description: List of sudocmds assigned to this sudorule.
+ allow_sudocmd:
+ description: List of allowed sudocmds assigned to this sudorule.
required: false
type: list
- cmdgroup:
- description: List of sudocmd groups assigned to this sudorule.
+ allow_sudocmdgroup:
+ description: List of allowed sudocmd groups assigned to this sudorule.
+ required: false
+ type: list
+ deny_sudocmd:
+ description: List of denied sudocmds assigned to this sudorule.
+ required: false
+ type: list
+ deny_sudocmdgroup:
+ description: List of denied sudocmd groups assigned to this sudorule.
required: false
type: list
cmdcategory:
- description: Cammand category the sudo rule applies to
+ description: Command category the sudo rule applies to
required: false
choices: ["all"]
+ order:
+ description: Order to apply this rule.
+ required: false
+ type: int
+ sudooption:
+ description:
+ required: false
+ type: list
+ aliases: ["options"]
+ runasuser:
+ description: List of users for Sudo to execute as.
+ required: false
+ type: list
+ runasgroup:
+ description: List of groups for Sudo to execute as.
+ required: false
+ type: list
action:
description: Work on sudorule or member level
default: sudorule
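Review bot: The new `sudooption` option has an empty `description:`, and the new `order` option omits the `aliases: ["sudoorder"]` that the argument spec later in this diff defines, so the generated module documentation is incomplete for both. Suggest `description: List of sudo options assigned to this sudorule.` under sudooption and adding `aliases: ["sudoorder"]` under order.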
@@ -106,50 +131,50 @@ author:
EXAMPLES = """
# Ensure Sudo Rule tesrule1 is present
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
# Ensure sudocmd is present in Sudo Rule
- ipasudorule:
- ipaadmin_password: pass1234
- name: testrule1
- cmd:
- - /sbin/ifconfig
- - /usr/bin/vim
- action: member
- state: absent
+ ipaadmin_password: pass1234
+ name: testrule1
+ allow_sudocmd:
+ - /sbin/ifconfig
+ - /usr/bin/vim
+ action: member
+ state: absent
# Ensure host server is present in Sudo Rule
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
host: server
action: member
# Ensure hostgroup cluster is present in Sudo Rule
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
hostgroup: cluster
action: member
# Ensure sudo rule for usercategory "all"
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allusers
usercategory: all
action: enabled
# Ensure sudo rule for hostcategory "all"
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: allhosts
hostcategory: all
action: enabled
# Ensure Sudo Rule tesrule1 is absent
- ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
state: absent
"""
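Review bot: The second example is titled "Ensure sudocmd is present in Sudo Rule" but sets `state: absent`, so it documents the opposite of what its comment claims, and it keeps `ipaadmin_password: pass1234` while every other example in this hunk was moved to SomeADMINpassword. Either drop the `state: absent` line (the first example relies on the default state being present) or retitle the comment to "Ensure sudocmds are absent in Sudo Rule", and align the password with the rest.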
@@ -160,7 +185,7 @@ RETURN = """
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \
- module_params_get
+ module_params_get, gen_add_del_lists
def find_sudorule(module, name):
@@ -180,14 +205,26 @@ def find_sudorule(module, name):
return None
-def gen_args(ansible_module):
- arglist = ['description', 'usercategory', 'hostcategory', 'cmdcategory',
- 'runasusercategory', 'runasgroupcategory', 'nomembers']
+def gen_args(description, usercat, hostcat, cmdcat, runasusercat,
+ runasgroupcat, order, nomembers):
_args = {}
- for arg in arglist:
- value = module_params_get(ansible_module, arg)
- if value is not None:
- _args[arg] = value
+
+ if description is not None:
+ _args['description'] = description
+ if usercat is not None:
+ _args['usercategory'] = usercat
+ if hostcat is not None:
+ _args['hostcategory'] = hostcat
+ if cmdcat is not None:
+ _args['cmdcategory'] = cmdcat
+ if runasusercat is not None:
+ _args['ipasudorunasusercategory'] = runasusercat
+ if runasgroupcat is not None:
+ _args['ipasudorunasgroupcategory'] = runasgroupcat
+ if order is not None:
+ _args['sudoorder'] = order
+ if nomembers is not None:
+ _args['nomembers'] = nomembers
return _args
@@ -212,13 +249,21 @@ def main():
hostgroup=dict(required=False, type='list', default=None),
user=dict(required=False, type='list', default=None),
group=dict(required=False, type='list', default=None),
- cmd=dict(required=False, type="list", default=None),
+ allow_sudocmd=dict(required=False, type="list", default=None),
+ deny_sudocmd=dict(required=False, type="list", default=None),
+ allow_sudocmdgroup=dict(required=False, type="list", default=None),
+ deny_sudocmdgroup=dict(required=False, type="list", default=None),
cmdcategory=dict(required=False, type="str", default=None,
choices=["all"]),
runasusercategory=dict(required=False, type="str", default=None,
choices=["all"]),
runasgroupcategory=dict(required=False, type="str", default=None,
choices=["all"]),
+ runasuser=dict(required=False, type="list", default=None),
+ runasgroup=dict(required=False, type="list", default=None),
+ order=dict(type="int", required=False, aliases=['sudoorder']),
+ sudooption=dict(required=False, type='list', default=None,
+ aliases=["options"]),
action=dict(type="str", default="sudorule",
choices=["member", "sudorule"]),
# state
@@ -256,8 +301,16 @@ def main():
hostgroup = module_params_get(ansible_module, "hostgroup")
user = module_params_get(ansible_module, "user")
group = module_params_get(ansible_module, "group")
- cmd = module_params_get(ansible_module, 'cmd')
- cmdgroup = module_params_get(ansible_module, 'cmdgroup')
+ allow_sudocmd = module_params_get(ansible_module, 'allow_sudocmd')
+ allow_sudocmdgroup = module_params_get(ansible_module,
+ 'allow_sudocmdgroup')
+ deny_sudocmd = module_params_get(ansible_module, 'deny_sudocmd')
+ deny_sudocmdgroup = module_params_get(ansible_module,
+ 'deny_sudocmdgroup')
+ sudooption = module_params_get(ansible_module, "sudooption")
+ order = module_params_get(ansible_module, "order")
+ runasuser = module_params_get(ansible_module, "runasuser")
+ runasgroup = module_params_get(ansible_module, "runasgroup")
action = module_params_get(ansible_module, "action")
# state
@@ -272,28 +325,30 @@ def main():
if action == "member":
invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory",
- "runasgroupcategory", "nomembers"]
+ "runasgroupcategory", "order", "nomembers"]
- for x in invalid:
- if x in vars() and vars()[x] is not None:
+ for arg in invalid:
+ if arg in vars() and vars()[arg] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with action "
- "'%s'" % (x, action))
+ "'%s'" % (arg, action))
elif state == "absent":
if len(names) < 1:
ansible_module.fail_json(msg="No name given.")
invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory",
- "runasgroupcategory", "nomembers"]
+ "runasgroupcategory", "nomembers", "order"]
if action == "sudorule":
invalid.extend(["host", "hostgroup", "user", "group",
- "cmd", "cmdgroup"])
- for x in invalid:
- if vars()[x] is not None:
+ "runasuser", "runasgroup", "allow_sudocmd",
+ "allow_sudocmdgroup", "deny_sudocmd",
+ "deny_sudocmdgroup", "sudooption"])
+ for arg in invalid:
+ if vars()[arg] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with state '%s'" %
- (x, state))
+ (arg, state))
elif state in ["enabled", "disabled"]:
if len(names) < 1:
@@ -305,12 +360,14 @@ def main():
invalid = ["description", "usercategory", "hostcategory",
"cmdcategory", "runasusercategory", "runasgroupcategory",
"nomembers", "nomembers", "host", "hostgroup",
- "user", "group", "cmd", "cmdgroup"]
- for x in invalid:
- if vars()[x] is not None:
+ "user", "group", "allow_sudocmd", "allow_sudocmdgroup",
+ "deny_sudocmd", "deny_sudocmdgroup", "runasuser",
+ "runasgroup", "order", "sudooption"]
+ for arg in invalid:
+ if vars()[arg] is not None:
ansible_module.fail_json(
msg="Argument '%s' can not be used with state '%s'" %
- (x, state))
+ (arg, state))
else:
ansible_module.fail_json(msg="Invalid state '%s'" % state)
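Review bot: The `invalid` list for the enabled/disabled states still contains `"nomembers"` twice (the context line just above the rewritten entries), which the commit extended without cleaning up; it is harmless at runtime but reads like a copy/paste slip and makes the list differ from the present/absent lists above. Remove the duplicate entry. The enclosing main() extends well beyond this hunk.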
@@ -335,7 +392,9 @@ def main():
# Create command
if state == "present":
# Generate args
- args = gen_args(ansible_module)
+ args = gen_args(description, usercategory, hostcategory,
+ cmdcategory, runasusercategory,
+ runasgroupcategory, order, nomembers)
if action == "sudorule":
# Found the sudorule
if res_find is not None:
@@ -351,44 +410,42 @@ def main():
res_find = {}
# Generate addition and removal lists
- host_add = list(
- set(host or []) -
- set(res_find.get("member_host", [])))
- host_del = list(
- set(res_find.get("member_host", [])) -
- set(host or []))
- hostgroup_add = list(
- set(hostgroup or []) -
- set(res_find.get("member_hostgroup", [])))
- hostgroup_del = list(
- set(res_find.get("member_hostgroup", [])) -
- set(hostgroup or []))
+ host_add, host_del = gen_add_del_lists(
+ host, res_find.get('member_host', []))
- user_add = list(
- set(user or []) -
- set(res_find.get("member_user", [])))
- user_del = list(
- set(res_find.get("member_user", [])) -
- set(user or []))
- group_add = list(
- set(group or []) -
- set(res_find.get("member_group", [])))
- group_del = list(
- set(res_find.get("member_group", [])) -
- set(group or []))
+ hostgroup_add, hostgroup_del = gen_add_del_lists(
+ hostgroup, res_find.get('member_hostgroup', []))
- cmd_add = list(
- set(cmd or []) -
- set(res_find.get("member_cmd", [])))
- cmd_del = list(
- set(res_find.get("member_cmd", [])) -
- set(cmd or []))
- cmdgroup_add = list(
- set(cmdgroup or []) -
- set(res_find.get("member_cmdgroup", [])))
- cmdgroup_del = list(
- set(res_find.get("member_cmdgroup", [])) -
- set(cmdgroup or []))
+ user_add, user_del = gen_add_del_lists(
+ user, res_find.get('member_user', []))
+
+ group_add, group_del = gen_add_del_lists(
+ group, res_find.get('member_group', []))
+
+ allow_cmd_add, allow_cmd_del = gen_add_del_lists(
+ allow_sudocmd,
+ res_find.get('memberallowcmd_sudocmd', []))
+
+ allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists(
+ allow_sudocmdgroup,
+ res_find.get('memberallowcmd_sudocmdgroup', []))
+
+ deny_cmd_add, deny_cmd_del = gen_add_del_lists(
+ deny_sudocmd,
+ res_find.get('memberdenycmd_sudocmd', []))
+
+ deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists(
+ deny_sudocmdgroup,
+ res_find.get('memberdenycmd_sudocmdgroup', []))
+
+ sudooption_add, sudooption_del = gen_add_del_lists(
+ sudooption, res_find.get('ipasudoopt', []))
+
+ runasuser_add, runasuser_del = gen_add_del_lists(
+ runasuser, res_find.get('ipasudorunas_user', []))
+
+ runasgroup_add, runasgroup_del = gen_add_del_lists(
+ runasgroup, res_find.get('ipasudorunas_group', []))
# Add hosts and hostgroups
if len(host_add) > 0 or len(hostgroup_add) > 0:
@@ -420,20 +477,59 @@ def main():
"group": group_del,
}])
- # Add commands
- if len(cmd_add) > 0 or len(cmdgroup_add) > 0:
+ # Add commands allowed
+ if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0:
commands.append([name, "sudorule_add_allow_command",
- {
- "sudocmd": cmd_add,
- "sudocmdgroup": cmdgroup_add,
- }])
+ {"sudocmd": allow_cmd_add,
+ "sudocmdgroup": allow_cmdgroup_add,
+ }])
- if len(cmd_del) > 0 or len(cmdgroup_del) > 0:
+ if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0:
+ commands.append([name, "sudorule_remove_allow_command",
+ {"sudocmd": allow_cmd_del,
+ "sudocmdgroup": allow_cmdgroup_del
+ }])
+
+ # Add commands denied
+ if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0:
commands.append([name, "sudorule_add_deny_command",
- {
- "sudocmd": cmd_del,
- "sudocmdgroup": cmdgroup_del
- }])
+ {"sudocmd": deny_cmd_add,
+ "sudocmdgroup": deny_cmdgroup_add,
+ }])
+
+ if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0:
+ commands.append([name, "sudorule_remove_deny_command",
+ {"sudocmd": deny_cmd_del,
+ "sudocmdgroup": deny_cmdgroup_del
+ }])
+
+ # Add RunAS Users
+ if len(runasuser_add) > 0:
+ commands.append([name, "sudorule_add_runasuser",
+ {"user": runasuser_add}])
+ # Remove RunAS Users
+ if len(runasuser_del) > 0:
+ commands.append([name, "sudorule_remove_runasuser",
+ {"user": runasuser_del}])
+
+ # Add RunAS Groups
+ if len(runasgroup_add) > 0:
+ commands.append([name, "sudorule_add_runasgroup",
+ {"group": runasgroup_add}])
+ # Remove RunAS Groups
+ if len(runasgroup_del) > 0:
+ commands.append([name, "sudorule_remove_runasgroup",
+ {"group": runasgroup_del}])
+
+ # Add sudo options
+ for sudoopt in sudooption_add:
+ commands.append([name, "sudorule_add_option",
+ {"ipasudoopt": sudoopt}])
+
+ # Remove sudo options
+ for sudoopt in sudooption_del:
+ commands.append([name, "sudorule_remove_option",
+ {"ipasudoopt": sudoopt}])
elif action == "member":
if res_find is None:
@@ -456,11 +552,38 @@ def main():
}])
# Add commands
- if cmd is not None:
+ if allow_sudocmd is not None \
+ or allow_sudocmdgroup is not None:
commands.append([name, "sudorule_add_allow_command",
- {
- "sudocmd": cmd,
- }])
+ {"sudocmd": allow_sudocmd,
+ "sudocmdgroup": allow_sudocmdgroup,
+ }])
+
+ # Add commands
+ if deny_sudocmd is not None \
+ or deny_sudocmdgroup is not None:
+ commands.append([name, "sudorule_add_deny_command",
+ {"sudocmd": deny_sudocmd,
+ "sudocmdgroup": deny_sudocmdgroup,
+ }])
+
+ # Add RunAS Users
+ if runasuser is not None:
+ commands.append([name, "sudorule_add_runasuser",
+ {"user": runasuser}])
+
+ # Add RunAS Groups
+ if runasgroup is not None:
+ commands.append([name, "sudorule_add_runasgroup",
+ {"group": runasgroup}])
+
+ # Add options
+ if sudooption is not None:
+ existing_opts = res_find.get('ipasudoopt', [])
+ for sudoopt in sudooption:
+ if sudoopt not in existing_opts:
+ commands.append([name, "sudorule_add_option",
+ {"ipasudoopt": sudoopt}])
elif state == "absent":
if action == "sudorule":
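Review bot: The comment above the deny-command block reads `# Add commands`, identical to the allow-command block right above it, so the two blocks are hard to tell apart at a glance; the earlier hunk in this file uses "Add commands allowed"/"Add commands denied". Change it to `# Add commands denied`. Note that only `sudooption` is de-duplicated against `res_find` here; the command and runas additions rely on the "already a member" filtering in the result handler, which is outside this hunk.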
@@ -487,12 +610,40 @@ def main():
"group": group,
}])
- # Remove commands
- if cmd is not None:
- commands.append([name, "sudorule_add_deny_command",
- {
- "sudocmd": cmd,
- }])
+ # Remove allow commands
+ if allow_sudocmd is not None \
+ or allow_sudocmdgroup is not None:
+ commands.append([name, "sudorule_remove_allow_command",
+ {"sudocmd": allow_sudocmd,
+ "sudocmdgroup": allow_sudocmdgroup
+ }])
+
+ # Remove deny commands
+ if deny_sudocmd is not None \
+ or deny_sudocmdgroup is not None:
+ commands.append([name, "sudorule_remove_deny_command",
+ {"sudocmd": deny_sudocmd,
+ "sudocmdgroup": deny_sudocmdgroup
+ }])
+
+ # Remove RunAS Users
+ if runasuser is not None:
+ commands.append([name, "sudorule_remove_runasuser",
+ {"user": runasuser}])
+
+ # Remove RunAS Groups
+ if runasgroup is not None:
+ commands.append([name, "sudorule_remove_runasgroup",
+ {"group": runasgroup}])
+
+ # Remove options
+ if sudooption is not None:
+ existing_opts = res_find.get('ipasudoopt', [])
+ for sudoopt in sudooption:
+ if sudoopt in existing_opts:
+ commands.append([name,
+ "sudorule_remove_option",
+ {"ipasudoopt": sudoopt}])
elif state == "enabled":
if res_find is None:
@@ -530,9 +681,9 @@ def main():
changed = True
else:
changed = True
- except Exception as e:
+ except Exception as ex:
ansible_module.fail_json(msg="%s: %s: %s" % (command, name,
- str(e)))
+ str(ex)))
# Get all errors
# All "already a member" and "not a member" failures in the
# result are ignored. All others are reported.
@@ -549,8 +700,8 @@ def main():
if len(errors) > 0:
ansible_module.fail_json(msg=", ".join(errors))
- except Exception as e:
- ansible_module.fail_json(msg=str(e))
+ except Exception as ex:
+ ansible_module.fail_json(msg=str(ex))
finally:
temp_kdestroy(ccache_dir, ccache_name)
diff --git a/plugins/modules/ipauser.py b/plugins/modules/ipauser.py
index ac452958..73f16eff 100644
--- a/plugins/modules/ipauser.py
+++ b/plugins/modules/ipauser.py
@@ -153,9 +153,12 @@ options:
required: false
aliases: ["ipasshpubkey"]
userauthtype:
- description: List of supported user authentication types
- choices=['password', 'radius', 'otp']
+ description:
+ List of supported user authentication types
+ Use empty string to reset userauthtype to the initial value.
+ choices=['password', 'radius', 'otp', '']
required: false
+ aliases: ["ipauserauthtype"]
userclass:
description:
- User category
@@ -310,9 +313,12 @@ options:
required: false
aliases: ["ipasshpubkey"]
userauthtype:
- description: List of supported user authentication types
- choices=['password', 'radius', 'otp']
+ description:
+ List of supported user authentication types
+ Use empty string to reset userauthtype to the initial value.
+ choices=['password', 'radius', 'otp', '']
required: false
+ aliases: ["ipauserauthtype"]
userclass:
description:
- User category
@@ -386,7 +392,7 @@ author:
EXAMPLES = """
# Create user pinky
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
first: pinky
last: Acme
@@ -400,39 +406,39 @@ EXAMPLES = """
# Create user brain
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: brain
first: brain
last: Acme
# Delete user pinky, but preserved
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
preserve: yes
state: absent
# Undelete user pinky
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky
state: undeleted
# Disable user pinky
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: disabled
# Enable user pinky and brain
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: enabled
# Remove user pinky and brain
- ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: disabled
"""
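Review bot: The last example is titled "Remove user pinky and brain" but uses `state: disabled`, so it duplicates the disable example instead of showing removal, and the "Disable user pinky" example actually names `pinky,brain`; the commit only replaced the password values. Change the last task to `state: absent` (the "Delete user pinky, but preserved" example shows the absent form) and either retitle the disable example or set `name: pinky` there.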
@@ -460,7 +466,8 @@ from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils._text import to_text
from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
temp_kdestroy, valid_creds, api_connect, api_command, date_format, \
- compare_args_ipa, module_params_get, api_check_param, api_get_realm
+ compare_args_ipa, module_params_get, api_check_param, api_get_realm, \
+ api_command_no_name
import six
@@ -646,6 +653,14 @@ def check_parameters(module, state, action,
module.fail_json(msg="certmapdata: subject is missing")
+def extend_emails(email, default_email_domain):
+ if email is not None:
+ return [ "%s@%s" % (_email, default_email_domain)
+ if "@" not in _email else _email
+ for _email in email]
+ return email
+
+
def gen_certmapdata_args(certmapdata):
certificate = certmapdata.get("certificate")
issuer = certmapdata.get("issuer")
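Review bot: `extend_emails` has no docstring and its comprehension opens with `[ "%s@%s"` (space after the bracket), which PEP 8 / flake8 E201 flags. Suggest the docstring `"""Append default_email_domain to each address in email that has no '@'; None is passed through unchanged."""` and `return ["%s@%s" % (_email, default_email_domain)` as the first comprehension line. An empty-string element would become `@<domain>`; whether such a value can reach this helper depends on validation outside this hunk.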
@@ -701,7 +716,7 @@ def main():
default=None),
userauthtype=dict(type='list', aliases=["ipauserauthtype"],
default=None,
- choices=['password', 'radius', 'otp']),
+ choices=['password', 'radius', 'otp', '']),
userclass=dict(type="list", aliases=["class"],
default=None),
radius=dict(type="str", aliases=["ipatokenradiusconfiglink"],
@@ -845,13 +860,6 @@ def main():
if names is not None and len(names) != 1:
ansible_module.fail_json(
msg="Only one user can be added at a time using name.")
- if action != "member":
- # Only check first and last here if names is set
- if names is not None:
- if first is None:
- ansible_module.fail_json(msg="First name is needed")
- if last is None:
- ansible_module.fail_json(msg="Last name is needed")
check_parameters(
ansible_module, state, action,
@@ -883,6 +891,17 @@ def main():
server_realm = api_get_realm()
+ # Default email domain
+
+ result = api_command_no_name(ansible_module, "config_show", {})
+ default_email_domain = result["result"]["ipadefaultemaildomain"][0]
+
+ # Extend email addresses
+
+ email = extend_emails(email, default_email_domain)
+
+ # commands
+
commands = []
for user in names:
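Review bot: `result["result"]["ipadefaultemaildomain"][0]` raises a bare KeyError/IndexError, surfaced only through the generic exception handler, if the attribute is missing or empty in the config_show output; I cannot confirm from here whether FreeIPA guarantees it is always present. The lookup is also issued on every run even when no email is given. Suggest reading it defensively, `default_email_domain = result["result"].get("ipadefaultemaildomain", [None])[0]`, and having extend_emails fail with a clear message (or leave bare addresses untouched) when it is None; better still, only call config_show when some supplied email lacks an '@'. main() continues beyond this hunk.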
@@ -949,6 +968,10 @@ def main():
certmapdata, noprivate, nomembers, preserve,
update_password)
+ # Extend email addresses
+
+ email = extend_emails(email, default_email_domain)
+
elif isinstance(user, str) or isinstance(user, unicode):
name = user
else:
@@ -1011,6 +1034,13 @@ def main():
if "noprivate" in args:
del args["noprivate"]
+ # Ignore userauthtype if it is empty (for resetting)
+ # and not set in for the user
+ if "ipauserauthtype" not in res_find and \
+ "ipauserauthtype" in args and \
+ args["ipauserauthtype"] == ['']:
+ del args["ipauserauthtype"]
+
# For all settings is args, check if there are
# different settings in the find result.
# If yes: modify
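Review bot: The reset marker `''` is only special-cased when it is the sole list element and the user has no ipauserauthtype set; a mixed value such as `userauthtype: ["otp", ""]` passes through unchanged to the server, and when the attribute is set on the user, `['']` is presumably sent as-is to clear it. If that is intended, say so in a comment: `# '' alone means "reset"; it is sent through user_mod when the attribute is currently set`; otherwise reject mixed lists in check_parameters (outside this hunk). The enclosing user_mod branch starts before this hunk.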
@@ -1019,6 +1049,14 @@ def main():
commands.append([name, "user_mod", args])
else:
+ # Make sure we have a first and last name
+ if first is None:
+ ansible_module.fail_json(
+ msg="First name is needed")
+ if last is None:
+ ansible_module.fail_json(
+ msg="Last name is needed")
+
commands.append([name, "user_add", args])
# Handle members: principal, manager, certificate and
diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py
new file mode 100644
index 00000000..d102202e
--- /dev/null
+++ b/plugins/modules/ipavault.py
@@ -0,0 +1,646 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Authors:
+# Rafael Guterres Jeffman
+#
+# Copyright (C) 2019 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+ANSIBLE_METADATA = {
+ "metadata_version": "1.0",
+ "supported_by": "community",
+ "status": ["preview"],
+}
+
+DOCUMENTATION = """
+---
+module: ipavault
+short description: Manage vaults and secret vaults.
+description: Manage vaults and secret vaults. KRA service must be enabled.
+options:
+ ipaadmin_principal:
+ description: The admin principal
+ default: admin
+ ipaadmin_password:
+ description: The admin password
+ required: false
+ name:
+ description: The vault name
+ required: true
+ aliases: ["cn"]
+ description:
+ description: The vault description
+ required: false
+ vault_public_key:
+ description: Base64 encoded public key.
+ required: false
+ type: list
+ aliases: ["ipavaultpublickey"]
+ vault_salt:
+ description: Vault salt.
+ required: false
+ type: list
+ aliases: ["ipavaultsalt"]
+ vault_password:
+ description: password to be used on symmetric vault.
+ required: false
+ type: string
+ aliases: ["ipavaultpassword"]
+ vault_type:
+ description: Vault types are based on security level.
+ required: true
+ default: symmetric
+ choices: ["standard", "symmetric", "asymmetric"]
+ aliases: ["ipavaulttype"]
+ service:
+ description: Any service can own one or more service vaults.
+ required: false
+ type: list
+ username:
+ description: Any user can own one or more user vaults.
+ required: false
+ type: string
+ aliases: ["user"]
+ shared:
+ description: Vault is shared.
+ required: false
+ type: boolean
+ vault_data:
+ description: Data to be stored in the vault.
+ required: false
+ type: string
+ aliases: ["ipavaultdata"]
+ owners:
+ description: Users that are owners of the container.
+ required: false
+ type: list
+ users:
+ description: Users that are member of the container.
+ required: false
+ type: list
+ groups:
+ description: Groups that are member of the container.
+ required: false
+ type: list
+ action:
+ description: Work on vault or member level.
+ default: vault
+ choices: ["vault", "member"]
+ state:
+ description: State to ensure
+ default: present
+ choices: ["present", "absent"]
+author:
+ - Rafael Jeffman
+"""
+
+EXAMPLES = """
+# Ensure vault symvault is present
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ vault_password: MyVaultPassword123
+ vault_salt: MTIzNDU2Nzg5MAo=
+ vault_type: symmetric
+
+# Ensure group ipausers is a vault member.
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ groups: ipausers
+ action: member
+
+# Ensure group ipausers is not a vault member.
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ groups: ipausers
+ action: member
+ state: absent
+
+# Ensure vault users are present.
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ users:
+ - user01
+ - user02
+ action: member
+
+# Ensure vault users are absent.
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ users:
+ - user01
+ - user02
+ action: member
+ status: absent
+
+# Ensure user owns vault.
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ action: member
+ owners: user01
+
+# Ensure user does not own vault.
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ owners: user01
+ action: member
+ status: absent
+
+# Ensure data is archived to a symmetric vault
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: admin
+ vault_password: MyVaultPassword123
+ vault_data: >
+ Data archived.
+ More data archived.
+ action: member
+
+# Ensure vault symvault is absent
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ user: admin
+ state: absent
+
+# Ensure asymmetric vault is present.
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ username: user01
+ description: An asymmetric vault
+ vault_type: asymmetric
+ vault_public_key:
+ LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR
+ HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi
+ 9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM
+ 295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV
+ bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk
+ tLS0tLQo=
+
+# Ensure data is archived in an asymmetric vault
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ username: admin
+ vault_data: >
+ Data archived.
+ More data archived.
+ action: member
+
+# Ensure asymmetric vault is absent.
+- ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ username: user01
+ vault_type: asymmetric
+ state: absent
+"""
+
+RETURN = """
+"""
+
+import os
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
+ temp_kdestroy, valid_creds, api_connect, api_command, \
+ gen_add_del_lists, compare_args_ipa, module_params_get
+from ipalib.errors import EmptyModlist
+
+
+def find_vault(module, name, username, service, shared):
+ _args = {
+ "all": True,
+ "cn": name,
+ }
+
+ if username is not None:
+ _args['username'] = username
+ elif service is not None:
+ _args['service'] = service
+ else:
+ _args['shared'] = shared
+
+ _result = api_command(module, "vault_find", name, _args)
+
+ if len(_result["result"]) > 1:
+ module.fail_json(
+ msg="There is more than one vault '%s'" % (name))
+ if len(_result["result"]) == 1:
+ return _result["result"][0]
+
+ return None
+
+
+def gen_args(description, username, service, shared, vault_type, salt,
+ public_key, vault_data):
+ _args = {}
+
+ if description is not None:
+ _args['description'] = description
+ if username is not None:
+ _args['username'] = username
+ if service is not None:
+ _args['service'] = service
+ if shared is not None:
+ _args['shared'] = shared
+ if vault_type is not None:
+ _args['ipavaulttype'] = vault_type
+ if salt is not None:
+ _args['ipavaultsalt'] = salt
+ if public_key is not None:
+ _args['ipavaultpublickey'] = public_key
+ if vault_data is not None:
+ _args['data'] = vault_data.encode('utf-8')
+
+ return _args
+
+
+def gen_member_args(args, users, groups):
+ _args = args.copy()
+
+ for arg in ['ipavaulttype', 'description', 'ipavaultpublickey',
+ 'ipavaultsalt']:
+ if arg in _args:
+ del _args[arg]
+
+ _args['user'] = users
+ _args['group'] = groups
+
+ return _args
+
+
+def data_storage_args(args, data, password):
+ _args = {}
+
+ if 'username' in args:
+ _args['username'] = args['username']
+ if 'service' in args:
+ _args['service'] = args['service']
+ if 'shared' in args:
+ _args['shared'] = args['shared']
+
+ if password is not None:
+ _args['password'] = password
+
+ _args['data'] = data
+
+ return _args
+
+
+def check_parameters(module, state, action, description, username, service,
+ shared, users, groups, owners, ownergroups, vault_type,
+ salt, password, public_key, vault_data):
+ invalid = []
+ if state == "present":
+ if action == "member":
+ invalid = ['description', 'public_key', 'salt']
+
+ for param in invalid:
+ if vars()[param] is not None:
+ module.fail_json(
+ msg="Argument '%s' can not be used with action '%s'" %
+ (param, action))
+
+ elif state == "absent":
+ invalid = ['description', 'salt']
+
+ if action == "vault":
+ invalid.extend(['users', 'groups', 'owners', 'ownergroups',
+ 'password', 'public_key'])
+
+ for arg in invalid:
+ if vars()[arg] is not None:
+ module.fail_json(
+ msg="Argument '%s' can not be used with action '%s'" %
+ (arg, state))
+
+
+def check_encryption_params(module, state, vault_type, password, public_key,
+ vault_data, res_find):
+ if state == "present":
+ if vault_type == "symmetric":
+ if password is None \
+ and (vault_data is not None or res_find is None):
+ module.fail_json(
+ msg="Vault password required for symmetric vault.")
+
+ if vault_type == "asymmetric":
+ if public_key is None and res_find is None:
+ module.fail_json(
+ msg="Public Key required for asymmetric vault.")
+
+
+def main():
+ ansible_module = AnsibleModule(
+ argument_spec=dict(
+ # generalgroups
+ ipaadmin_principal=dict(type="str", default="admin"),
+ ipaadmin_password=dict(type="str", required=False, no_log=True),
+
+ name=dict(type="list", aliases=["cn"], default=None,
+ required=True),
+
+ # present
+
+ description=dict(required=False, type="str", default=None),
+ vault_type=dict(type="str", aliases=["ipavaulttype"],
+ default=None, required=False,
+ choices=["standard", "symmetric", "asymmetric"]),
+ vault_public_key=dict(type="str", required=False, default=None,
+ aliases=['ipavaultpublickey']),
+ vault_salt=dict(type="str", required=False, default=None,
+ aliases=['ipavaultsalt']),
+ username=dict(type="str", required=False, default=None,
+ aliases=['user']),
+ service=dict(type="str", required=False, default=None),
+ shared=dict(type="bool", required=False, default=None),
+
+ users=dict(required=False, type='list', default=None),
+ groups=dict(required=False, type='list', default=None),
+ owners=dict(required=False, type='list', default=None),
+ ownergroups=dict(required=False, type='list', default=None),
+
+ vault_data=dict(type="str", required=False, default=None,
+ aliases=['ipavaultdata']),
+ vault_password=dict(type="str", required=False, default=None,
+ no_log=True, aliases=['ipavaultpassword']),
+
+ # state
+ action=dict(type="str", default="vault",
+ choices=["vault", "data", "member"]),
+ state=dict(type="str", default="present",
+ choices=["present", "absent"]),
+ ),
+ supports_check_mode=True,
+ mutually_exclusive=[['username', 'service', 'shared']],
+ required_one_of=[['username', 'service', 'shared']]
+ )
+
+ ansible_module._ansible_debug = True
+
+ # general
+ ipaadmin_principal = module_params_get(ansible_module,
+ "ipaadmin_principal")
+ ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password")
+ names = module_params_get(ansible_module, "name")
+
+ # present
+ description = module_params_get(ansible_module, "description")
+
+ username = module_params_get(ansible_module, "username")
+ service = module_params_get(ansible_module, "service")
+ shared = module_params_get(ansible_module, "shared")
+
+ users = module_params_get(ansible_module, "users")
+ groups = module_params_get(ansible_module, "groups")
+ owners = module_params_get(ansible_module, "owners")
+ ownergroups = module_params_get(ansible_module, "ownergroups")
+
+ vault_type = module_params_get(ansible_module, "vault_type")
+ salt = module_params_get(ansible_module, "vault_salt")
+ password = module_params_get(ansible_module, "vault_password")
+ public_key = module_params_get(ansible_module, "vault_public_key")
+
+ vault_data = module_params_get(ansible_module, "vault_data")
+
+ action = module_params_get(ansible_module, "action")
+ # state
+ state = module_params_get(ansible_module, "state")
+
+ # Check parameters
+
+ if state == "present":
+ if len(names) != 1:
+ ansible_module.fail_json(
+ msg="Only one vault can be added at a time.")
+
+ elif state == "absent":
+ if len(names) < 1:
+ ansible_module.fail_json(msg="No name given.")
+
+ else:
+ ansible_module.fail_json(msg="Invalid state '%s'" % state)
+
+ check_parameters(ansible_module, state, action, description, username,
+ service, shared, users, groups, owners, ownergroups,
+ vault_type, salt, password, public_key, vault_data)
+ # Init
+
+ changed = False
+ exit_args = {}
+ ccache_dir = None
+ ccache_name = None
+ try:
+ if not valid_creds(ansible_module, ipaadmin_principal):
+ ccache_dir, ccache_name = temp_kinit(ipaadmin_principal,
+ ipaadmin_password)
+
+ api_connect(context='ansible-freeipa')
+
+ commands = []
+
+ for name in names:
+ # Make sure vault exists
+ res_find = find_vault(
+ ansible_module, name, username, service, shared)
+
+ # Generate args
+ args = gen_args(description, username, service, shared, vault_type,
+ salt, public_key, vault_data)
+
+ # Set default vault_type if needed.
+ if vault_type is None and vault_data is not None:
+ if res_find is not None:
+ res_vault_type = res_find.get('ipavaulttype')[0]
+ args['ipavaulttype'] = vault_type = res_vault_type
+ else:
+ args['ipavaulttype'] = vault_type = "symmetric"
+
+ # verify data encription args
+ check_encryption_params(ansible_module, state, vault_type,
+ password, public_key, vault_data, res_find)
+
+ # Create command
+ if state == "present":
+
+ # Found the vault
+ if action == "vault":
+ if res_find is not None:
+ # For all settings is args, check if there are
+ # different settings in the find result.
+ # If yes: modify
+ if not compare_args_ipa(ansible_module, args,
+ res_find):
+ commands.append([name, "vault_mod_internal", args])
+ else:
+ if 'ipavaultsault' not in args:
+ args['ipavaultsalt'] = os.urandom(32)
+ commands.append([name, "vault_add_internal", args])
+ # archive empty data to set password
+ pwdargs = data_storage_args(
+ args, args.get('data', ''), password)
+ commands.append([name, "vault_archive", pwdargs])
+
+ # Set res_find to empty dict for next step # noqa
+ res_find = {}
+
+ # Generate adittion and removal lists
+ user_add, user_del = \
+ gen_add_del_lists(users,
+ res_find.get('member_user', []))
+ group_add, group_del = \
+ gen_add_del_lists(groups,
+ res_find.get('member_group', []))
+ owner_add, owner_del = \
+ gen_add_del_lists(owners,
+ res_find.get('owner_user', []))
+ ownergroups_add, ownergroups_del = \
+ gen_add_del_lists(ownergroups,
+ res_find.get('owner_group', []))
+
+ # Add users and groups
+ if len(user_add) > 0 or len(group_add) > 0:
+ user_add_args = gen_member_args(args, user_add,
+ group_add)
+ commands.append([name, 'vault_add_member',
+ user_add_args])
+
+ # Remove users and groups
+ if len(user_del) > 0 or len(group_del) > 0:
+ user_del_args = gen_member_args(args, user_del,
+ group_del)
+ commands.append([name, 'vault_remove_member',
+ user_del_args])
+
+ # Add owner users and groups
+ if len(user_add) > 0 or len(group_add) > 0:
+ owner_add_args = gen_member_args(args, owner_add,
+ ownergroups_add)
+ commands.append([name, 'vault_add_owner',
+ owner_add_args])
+
+ # Remove owner users and groups
+ if len(user_del) > 0 or len(group_del) > 0:
+ owner_del_args = gen_member_args(args, owner_del,
+ ownergroups_del)
+ commands.append([name, 'vault_remove_owner',
+ owner_del_args])
+
+ elif action in "member":
+ # Add users and groups
+ if users is not None or groups is not None:
+ user_args = gen_member_args(args, users, groups)
+ commands.append([name, 'vault_add_member', user_args])
+ if owners is not None or ownergroups is not None:
+ owner_args = gen_member_args(args, owners, ownergroups)
+ commands.append([name, 'vault_add_owner', owner_args])
+
+ if vault_data is not None:
+ data_args = data_storage_args(
+ args, args.get('data', ''), password)
+ commands.append([name, 'vault_archive', data_args])
+
+ elif state == "absent":
+ if 'ipavaulttype' in args:
+ del args['ipavaulttype']
+
+ if action == "vault":
+ if res_find is not None:
+ commands.append([name, "vault_del", args])
+
+ elif action == "member":
+ # remove users and groups
+ if users is not None or groups is not None:
+ user_args = gen_member_args(args, users, groups)
+ commands.append([name, 'vault_remove_member',
+ user_args])
+
+ if owners is not None or ownergroups is not None:
+ owner_args = gen_member_args(args, owners, ownergroups)
+ commands.append([name, 'vault_remove_owner',
+ owner_args])
+ else:
+ ansible_module.fail_json(
+ msg="Invalid action '%s' for state '%s'" %
+ (action, state))
+ else:
+ ansible_module.fail_json(msg="Unkown state '%s'" % state)
+
+ # Execute commands
+
+ errors = []
+ for name, command, args in commands:
+ try:
+ result = api_command(ansible_module, command, name, args)
+
+ if command == 'vault_archive':
+ changed = 'Archived data into' in result['summary']
+ else:
+ if "completed" in result:
+ if result["completed"] > 0:
+ changed = True
+ else:
+ changed = True
+ except EmptyModlist:
+ result = {}
+ except Exception as exception:
+ ansible_module.fail_json(
+ msg="%s: %s: %s" % (command, name, str(exception)))
+
+ # Get all errors
+ # All "already a member" and "not a member" failures in the
+ # result are ignored. All others are reported.
+ if "failed" in result and len(result["failed"]) > 0:
+ for item in result["failed"]:
+ failed_item = result["failed"][item]
+ for member_type in failed_item:
+ for member, failure in failed_item[member_type]:
+ if "already a member" in failure \
+ or "not a member" in failure:
+ continue
+ errors.append("%s: %s %s: %s" % (
+ command, member_type, member, failure))
+ if len(errors) > 0:
+ ansible_module.fail_json(msg=", ".join(errors))
+
+ except Exception as exception:
+ ansible_module.fail_json(msg=str(exception))
+
+ finally:
+ temp_kdestroy(ccache_dir, ccache_name)
+
+ # Done
+ ansible_module.exit_json(changed=changed, **exit_args)
+
+
+if __name__ == "__main__":
+ main()
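Review bot: `if 'ipavaultsault' not in args:` in the vault_add_internal branch tests a misspelled key, so a caller-supplied `vault_salt` is always replaced by `os.urandom(32)`; it should read `if 'ipavaultsalt' not in args:`. The owner add/remove blocks below it are gated on `user_add`/`group_add` and `user_del`/`group_del` instead of `owner_add`/`ownergroups_add` and `owner_del`/`ownergroups_del`, so owner changes are only sent when a member change happens in the same run, and an empty owner list is sent whenever one does. `vault_data` carries the secret being archived but its argument_spec entry lacks `no_log=True`, and `ansible_module._ansible_debug = True` is hard-coded, so the payload can end up in module output and logs. `elif action in "member":` is a substring test where `action == "member"` is meant (the `data` choice in the spec matches no branch), and in the execute loop `changed = ...` overwrites an earlier True instead of accumulating. The EXAMPLES use `status: absent` where the parameter is `state`, the DOCUMENTATION key `short description` should be `short_description`, and it omits the `ownergroups` option and the `data` action.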
diff --git a/roles/ipareplica/README.md b/roles/ipareplica/README.md
index ef058c42..9e49fec2 100644
--- a/roles/ipareplica/README.md
+++ b/roles/ipareplica/README.md
@@ -47,60 +47,72 @@ Usage
Example inventory file with fixed principal using auto-discovery with DNS records:
- [ipareplicas]
- ipareplica1.example.com
- ipareplica2.example.com
-
- [ipareplicas:vars]
- ipaadmin_principal=admin
+```ini
+[ipareplicas]
+ipareplica1.example.com
+ipareplica2.example.com
+
+[ipareplicas:vars]
+ipaadmin_principal=admin
+```
Example playbook to setup the IPA client(s) using principal from inventory file and password from an [Ansible Vault](http://docs.ansible.com/ansible/latest/playbooks_vault.html) file:
- - name: Playbook to configure IPA replicas
- hosts: ipareplicas
- become: true
- vars_files:
- - playbook_sensitive_data.yml
-
- roles:
- - role: ipareplica
- state: present
+```yaml
+---
+- name: Playbook to configure IPA replicas
+ hosts: ipareplicas
+ become: true
+ vars_files:
+ - playbook_sensitive_data.yml
+
+ roles:
+ - role: ipareplica
+ state: present
+```
Example playbook to unconfigure the IPA client(s) using principal and password from inventory file:
- - name: Playbook to unconfigure IPA replicas
- hosts: ipareplicas
- become: true
-
- roles:
- - role: ipareplica
- state: absent
+```yaml
+---
+- name: Playbook to unconfigure IPA replicas
+ hosts: ipareplicas
+ become: true
+
+ roles:
+ - role: ipareplica
+ state: absent
+```
Example inventory file with fixed server, principal, password and domain:
- [ipaserver]
- ipaserver.example.com
-
- [ipareplicas]
- ipareplica1.example.com
- ipareplica2.example.com
-
- [ipareplicas:vars]
- ipaclient_domain=example.com
- ipaadmin_principal=admin
- ipaadmin_password=MySecretPassword123
- ipadm_password=MySecretPassword456
+```ini
+[ipaserver]
+ipaserver.example.com
+
+[ipareplicas]
+ipareplica1.example.com
+ipareplica2.example.com
+
+[ipareplicas:vars]
+ipaclient_domain=example.com
+ipaadmin_principal=admin
+ipaadmin_password=MySecretPassword123
+ipadm_password=MySecretPassword456
+```
Example playbook to setup the IPA client(s) using principal and password from inventory file:
- - name: Playbook to configure IPA replicas with username/password
- hosts: ipareplicas
- become: true
-
- roles:
- - role: ipareplica
- state: present
+```yaml
+---
+- name: Playbook to configure IPA replicas with username/password
+ hosts: ipareplicas
+ become: true
+ roles:
+ - role: ipareplica
+ state: present
+```
Playbooks
=========
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 259ae3fb..3345beba 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -20,6 +20,19 @@
state: present
when: ipareplica_setup_adtrust | bool
+ - name: Install - Ensure that firewall packages installed
+ package:
+ name: "{{ ipareplica_packages_firewalld }}"
+ state: present
+ when: ipareplica_setup_firewalld | bool
+
+ - name: Firewalld service - Ensure that firewalld is running
+ systemd:
+ name: firewalld
+ enabled: yes
+ state: started
+ when: ipareplica_setup_firewalld | bool
+
when: ipareplica_install_packages | bool
#- name: Install - Include Python2/3 import test
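Review bot: The "Firewalld service" task that starts firewalld sits inside the block closed by `when: ipareplica_install_packages | bool`, so with `ipareplica_install_packages: false` firewalld is neither installed nor started even when `ipareplica_setup_firewalld` is true; if the service start is meant to depend only on `ipareplica_setup_firewalld`, move that task out of the package-install block (the block's opening is outside this hunk). `enabled: yes` should be the canonical boolean `enabled: true`. The same layout is repeated in the roles/ipaserver/tasks/install.yml hunk below.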
@@ -44,7 +57,7 @@
domain: "{{ ipareplica_domain | default(ipaserver_domain) |
default(omit) }}"
servers: "{{ ipareplica_servers | default(omit) }}"
- realm: "{{ ipareplica_realm | default(omit) }}"
+ realm: "{{ ipareplica_realm | default(ipaserver_realm) |default(omit) }}"
hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}"
ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}"
hidden_replica: "{{ ipareplica_hidden_replica }}"
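Review bot: The new realm line drops the space after the second pipe, `| default(ipaserver_realm) |default(omit)`, unlike the `domain:` expression two lines above; write `realm: "{{ ipareplica_realm | default(ipaserver_realm) | default(omit) }}"` for consistency.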
diff --git a/roles/ipareplica/vars/CentOS-7.yml b/roles/ipareplica/vars/CentOS-7.yml
index 2baa874f..614de3e5 100644
--- a/roles/ipareplica/vars/CentOS-7.yml
+++ b/roles/ipareplica/vars/CentOS-7.yml
@@ -2,4 +2,5 @@
# vars/RedHat-7.yml
ipareplica_packages: [ "ipa-server", "libselinux-python" ]
ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
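Review bot: The replacement last line still has no terminating newline (`\ No newline at end of file` remains on the new side), so the next addition will again show the previous line as changed; end the file with a newline. The header comment `# vars/RedHat-7.yml` does not match the file name CentOS-7.yml (the Fedora-27 file carries `# vars/Fedora.yml`). The same missing newline appears in the Fedora-25, Fedora-26, Fedora-27, Fedora, RedHat-7.3 and RedHat-7 hunks and in the ipaserver vars hunks below.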
diff --git a/roles/ipareplica/vars/Fedora-25.yml b/roles/ipareplica/vars/Fedora-25.yml
index f1dc77f6..ce981ff8 100644
--- a/roles/ipareplica/vars/Fedora-25.yml
+++ b/roles/ipareplica/vars/Fedora-25.yml
@@ -2,4 +2,5 @@
# vars/Fedora-25.yml
ipareplica_packages: [ "ipa-server", "libselinux-python" ]
ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/Fedora-26.yml b/roles/ipareplica/vars/Fedora-26.yml
index a5250267..5a65e43a 100644
--- a/roles/ipareplica/vars/Fedora-26.yml
+++ b/roles/ipareplica/vars/Fedora-26.yml
@@ -2,4 +2,5 @@
# vars/Fedora-26.yml
ipareplica_packages: [ "ipa-server", "libselinux-python" ]
ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/Fedora-27.yml b/roles/ipareplica/vars/Fedora-27.yml
index f4e7ffcc..5d6f02a1 100644
--- a/roles/ipareplica/vars/Fedora-27.yml
+++ b/roles/ipareplica/vars/Fedora-27.yml
@@ -2,4 +2,5 @@
# vars/Fedora.yml
ipareplica_packages: [ "ipa-server", "libselinux-python" ]
ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/Fedora.yml b/roles/ipareplica/vars/Fedora.yml
index 5998d6de..f19fb996 100644
--- a/roles/ipareplica/vars/Fedora.yml
+++ b/roles/ipareplica/vars/Fedora.yml
@@ -2,4 +2,5 @@
# vars/Fedora.yml
ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
ipareplica_packages_dns: [ "freeipa-server-dns" ]
-ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/RedHat-7.3.yml b/roles/ipareplica/vars/RedHat-7.3.yml
index f7a951bc..a0e7ffea 100644
--- a/roles/ipareplica/vars/RedHat-7.3.yml
+++ b/roles/ipareplica/vars/RedHat-7.3.yml
@@ -2,4 +2,5 @@
# vars/RedHat-7.3.yml
ipareplica_packages: [ "ipa-server", "libselinux-python" ]
ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/RedHat-7.yml b/roles/ipareplica/vars/RedHat-7.yml
index 2baa874f..614de3e5 100644
--- a/roles/ipareplica/vars/RedHat-7.yml
+++ b/roles/ipareplica/vars/RedHat-7.yml
@@ -2,4 +2,5 @@
# vars/RedHat-7.yml
ipareplica_packages: [ "ipa-server", "libselinux-python" ]
ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipareplica/vars/RedHat-8.yml b/roles/ipareplica/vars/RedHat-8.yml
index 2aad358b..02573025 100644
--- a/roles/ipareplica/vars/RedHat-8.yml
+++ b/roles/ipareplica/vars/RedHat-8.yml
@@ -3,3 +3,4 @@
ipareplica_packages: [ "@idm:DL1/server" ]
ipareplica_packages_dns: [ "@idm:DL1/dns" ]
ipareplica_packages_adtrust: [ "@idm:DL1/adtrust" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipareplica/vars/Ubuntu.yml b/roles/ipareplica/vars/Ubuntu.yml
index 761989a6..7cdabbfb 100644
--- a/roles/ipareplica/vars/Ubuntu.yml
+++ b/roles/ipareplica/vars/Ubuntu.yml
@@ -2,3 +2,4 @@
ipareplica_packages: [ "freeipa-server" ]
ipareplica_packages_dns: [ "freeipa-server-dns" ]
ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipareplica/vars/default.yml b/roles/ipareplica/vars/default.yml
index a1898867..ce7393a1 100644
--- a/roles/ipareplica/vars/default.yml
+++ b/roles/ipareplica/vars/default.yml
@@ -3,3 +3,4 @@
ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
ipareplica_packages_dns: [ "freeipa-server-dns" ]
ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipaserver/README.md b/roles/ipaserver/README.md
index 88afb3ac..55c9daa1 100644
--- a/roles/ipaserver/README.md
+++ b/roles/ipaserver/README.md
@@ -42,8 +42,7 @@ Requirements
Limitations
-----------
-External signed CA
-
+**External signed CA**
External signed CA is now supported. But the currently needed two step process is an issue for the processing in a simple playbook.
Work is planned to have a new method to handle CSR for external signed CAs in a separate step before starting the server installation.
@@ -54,57 +53,70 @@ Usage
Example inventory file with fixed domain and realm, setting up of the DNS server and using forwarders from /etc/resolv.conf:
- [ipaserver]
- ipaserver2.example.com
-
- [ipaserver:vars]
- ipaserver_domain=example.com
- ipaserver_realm=EXAMPLE.COM
- ipaserver_setup_dns=yes
- ipaserver_auto_forwarders=yes
+```ini
+[ipaserver]
+ipaserver2.example.com
+
+[ipaserver:vars]
+ipaserver_domain=example.com
+ipaserver_realm=EXAMPLE.COM
+ipaserver_setup_dns=yes
+ipaserver_auto_forwarders=yes
+```
Example playbook to setup the IPA server using admin and dirman passwords from an [Ansible Vault](http://docs.ansible.com/ansible/latest/playbooks_vault.html) file:
- - name: Playbook to configure IPA server
- hosts: ipaserver
- become: true
- vars_files:
- - playbook_sensitive_data.yml
-
- roles:
- - role: ipaserver
- state: present
+```yaml
+---
+- name: Playbook to configure IPA server
+ hosts: ipaserver
+ become: true
+ vars_files:
+ - playbook_sensitive_data.yml
+
+ roles:
+ - role: ipaserver
+ state: present
+```
Example playbook to unconfigure the IPA client(s) using principal and password from inventory file:
- - name: Playbook to unconfigure IPA server
- hosts: ipaserver
- become: true
-
- roles:
- - role: ipaserver
- state: absent
+```yaml
+---
+- name: Playbook to unconfigure IPA server
+ hosts: ipaserver
+ become: true
+
+ roles:
+ - role: ipaserver
+ state: absent
+```
Example inventory file with fixed domain, realm, admin and dirman passwords:
- [ipaserver]
- ipaserver.example.com
-
- [ipaserver:vars]
- ipaserver_domain=example.com
- ipaserver_realm=EXAMPLE.COM
- ipaadmin_password=MySecretPassword123
- ipadm_password=MySecretPassword234
+```ini
+[ipaserver]
+ipaserver.example.com
+
+[ipaserver:vars]
+ipaserver_domain=example.com
+ipaserver_realm=EXAMPLE.COM
+ipaadmin_password=MySecretPassword123
+ipadm_password=MySecretPassword234
+```
Example playbook to setup the IPA server using admin and dirman passwords from inventory file:
- - name: Playbook to configure IPA server
- hosts: ipaserver
- become: true
-
- roles:
- - role: ipaserver
- state: present
+```yaml
+---
+- name: Playbook to configure IPA server
+ hosts: ipaserver
+ become: true
+
+ roles:
+ - role: ipaserver
+ state: present
+```
Example playbook to setup the IPA primary with external signed CA using the previous inventory file:
@@ -135,6 +147,7 @@ Sign with CA: This is up to you
Server installation step 2: Copy `-chain.crt` to the IPA server and continue with installation of the primary.
```yaml
+---
- name: Playbook to configure IPA server step3
hosts: ipaserver
become: true
diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
index 1075e6d4..5668231f 100644
--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -719,12 +719,7 @@ def main():
msg="File %s does not exist." % options.dirsrv_config_file)
# domain_name
- if options.setup_dns and not options.allow_zone_overlap and \
- options.domain_name is not None:
- try:
- check_zone_overlap(options.domain_name, False)
- except ValueError as e:
- ansible_module.fail_json(msg=str(e))
+ # Validation is done later on in ipaserver_prepare dns.install_check
# dm_password
with redirect_stdout(ansible_log):
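Review bot: With the zone-overlap check removed, `options.allow_zone_overlap` is no longer consulted in this module, and the replacement comment should state that explicitly, e.g. `# check_zone_overlap is intentionally not called here: ipaserver_prepare runs dns.install_check, which honours allow_zone_overlap`. If `check_zone_overlap` is not referenced elsewhere in the file, its import is now unused and should be dropped (not visible in this hunk). main() continues outside the hunk.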
diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml
index 268f5d36..85df9a7d 100644
--- a/roles/ipaserver/tasks/install.yml
+++ b/roles/ipaserver/tasks/install.yml
@@ -19,6 +19,19 @@
state: present
when: ipaserver_setup_adtrust | bool
+ - name: Install - Ensure that firewall packages installed
+ package:
+ name: "{{ ipaserver_packages_firewalld }}"
+ state: present
+ when: ipaserver_setup_firewalld | bool
+
+ - name: Firewalld service - Ensure that firewalld is running
+ systemd:
+ name: firewalld
+ enabled: yes
+ state: started
+ when: ipaserver_setup_firewalld | bool
+
when: ipaserver_install_packages | bool
#- name: Install - Include Python2/3 import test
diff --git a/roles/ipaserver/vars/CentOS-7.yml b/roles/ipaserver/vars/CentOS-7.yml
index 079b719c..11863757 100644
--- a/roles/ipaserver/vars/CentOS-7.yml
+++ b/roles/ipaserver/vars/CentOS-7.yml
@@ -2,4 +2,5 @@
# vars/rhel.yml
ipaserver_packages: [ "ipa-server", "libselinux-python" ]
ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipaserver/vars/Fedora-25.yml b/roles/ipaserver/vars/Fedora-25.yml
index d97afb19..374056c0 100644
--- a/roles/ipaserver/vars/Fedora-25.yml
+++ b/roles/ipaserver/vars/Fedora-25.yml
@@ -1,3 +1,4 @@
ipaserver_packages: [ "ipa-server", "libselinux-python" ]
ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipaserver/vars/Fedora-26.yml b/roles/ipaserver/vars/Fedora-26.yml
index d97afb19..374056c0 100644
--- a/roles/ipaserver/vars/Fedora-26.yml
+++ b/roles/ipaserver/vars/Fedora-26.yml
@@ -1,3 +1,4 @@
ipaserver_packages: [ "ipa-server", "libselinux-python" ]
ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipaserver/vars/Fedora-27.yml b/roles/ipaserver/vars/Fedora-27.yml
index fa21e34c..b8bfb577 100644
--- a/roles/ipaserver/vars/Fedora-27.yml
+++ b/roles/ipaserver/vars/Fedora-27.yml
@@ -1,3 +1,4 @@
ipaserver_packages: [ "ipa-server", "libselinux-python" ]
ipaserver_packages_dns: [ "ipa-server-dns" ]
ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipaserver/vars/Fedora.yml b/roles/ipaserver/vars/Fedora.yml
index 9db4446a..55a38382 100644
--- a/roles/ipaserver/vars/Fedora.yml
+++ b/roles/ipaserver/vars/Fedora.yml
@@ -1,3 +1,4 @@
ipaserver_packages: [ "freeipa-server", "python3-libselinux" ]
ipaserver_packages_dns: [ "freeipa-server-dns" ]
-ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipaserver/vars/RedHat-7.3.yml b/roles/ipaserver/vars/RedHat-7.3.yml
index 079b719c..11863757 100644
--- a/roles/ipaserver/vars/RedHat-7.3.yml
+++ b/roles/ipaserver/vars/RedHat-7.3.yml
@@ -2,4 +2,5 @@
# vars/rhel.yml
ipaserver_packages: [ "ipa-server", "libselinux-python" ]
ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipaserver/vars/RedHat-7.yml b/roles/ipaserver/vars/RedHat-7.yml
index 079b719c..11863757 100644
--- a/roles/ipaserver/vars/RedHat-7.yml
+++ b/roles/ipaserver/vars/RedHat-7.yml
@@ -2,4 +2,5 @@
# vars/rhel.yml
ipaserver_packages: [ "ipa-server", "libselinux-python" ]
ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
\ No newline at end of file
+ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
\ No newline at end of file
diff --git a/roles/ipaserver/vars/RedHat-8.yml b/roles/ipaserver/vars/RedHat-8.yml
index 5b9caac1..7f5ae464 100644
--- a/roles/ipaserver/vars/RedHat-8.yml
+++ b/roles/ipaserver/vars/RedHat-8.yml
@@ -3,3 +3,4 @@
ipaserver_packages: [ "@idm:DL1/server" ]
ipaserver_packages_dns: [ "@idm:DL1/dns" ]
ipaserver_packages_adtrust: [ "@idm:DL1/adtrust" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipaserver/vars/Ubuntu.yml b/roles/ipaserver/vars/Ubuntu.yml
index b3944a92..d0e01ea8 100644
--- a/roles/ipaserver/vars/Ubuntu.yml
+++ b/roles/ipaserver/vars/Ubuntu.yml
@@ -2,3 +2,4 @@
ipaserver_packages: [ "freeipa-server" ]
ipaserver_packages_dns: [ "freeipa-server-dns" ]
ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
diff --git a/roles/ipaserver/vars/default.yml b/roles/ipaserver/vars/default.yml
index eb5c4894..9f6d58a4 100644
--- a/roles/ipaserver/vars/default.yml
+++ b/roles/ipaserver/vars/default.yml
@@ -3,3 +3,4 @@
ipaserver_packages: [ "ipa-server", "python3-libselinux" ]
ipaserver_packages_dns: [ "ipa-server-dns" ]
ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipaserver_packages_firewalld: [ "firewalld" ]
diff --git a/tests/dnsconfig/test_dnsconfig.yml b/tests/dnsconfig/test_dnsconfig.yml
new file mode 100644
index 00000000..1e1b1094
--- /dev/null
+++ b/tests/dnsconfig/test_dnsconfig.yml
@@ -0,0 +1,141 @@
+---
+- name: Test dnsconfig
+ hosts: ipaserver
+ become: true
+ gather_facts: true
+
+ tasks:
+ # Setup.
+ - name: Ensure forwarders are absent.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ state: absent
+
+ # Tests.
+
+ - name: Set dnsconfig.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ forward_policy: only
+ allow_sync_ptr: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Set dnsconfig, with the same values.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ forward_policy: only
+ allow_sync_ptr: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure forwarder is absent.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure forwarder is absent, again.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Disable global forwarders.
+ ipadnsconfig:
+ forward_policy: none
+ register: result
+ failed_when: not result.changed
+
+ - name: Disable global forwarders, again.
+ ipadnsconfig:
+ forward_policy: none
+ register: result
+ failed_when: result.changed
+
+ - name: Re-enable global forwarders.
+ ipadnsconfig:
+ forward_policy: first
+ register: result
+ failed_when: not result.changed
+
+ - name: Re-enable global forwarders, again.
+ ipadnsconfig:
+ forward_policy: first
+ register: result
+ failed_when: result.changed
+
+ - name: Disable PTR record synchronization.
+ ipadnsconfig:
+ allow_sync_ptr: no
+ register: result
+ failed_when: not result.changed
+
+ - name: Disable PTR record synchronization, again.
+ ipadnsconfig:
+ allow_sync_ptr: no
+ register: result
+ failed_when: result.changed
+
+ - name: Re-enable PTR record synchronization.
+ ipadnsconfig:
+ allow_sync_ptr: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Re-enable PTR record synchronization, again.
+ ipadnsconfig:
+ allow_sync_ptr: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure all forwarders are absent.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+
+ - name: Ensure all forwarders are absent, again.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ # Cleanup.
+ - name: Ensure forwarders are absent.
+ ipadnsconfig:
+ forwarders:
+ - ip_address: 8.8.8.8
+ - ip_address: 8.8.4.4
+ - ip_address: 2001:4860:4860::8888
+ - ip_address: 2001:4860:4860::8888
+ port: 53
+ state: absent
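Review bot: The setup and cleanup forwarder lists repeat `2001:4860:4860::8888` twice (once in each task), which looks like a copy-paste where a second, distinct IPv6 resolver was intended; either drop the duplicate or replace it with the intended address (`- ip_address: <second-ipv6-forwarder>`), since a duplicate entry adds nothing to the absent check. `allow_sync_ptr: yes` and `allow_sync_ptr: no` should be `true`/`false`; the `yes`/`no` forms are YAML 1.1 truthies that yamllint rejects and generic parsers may read differently. The test's first assertion also expects the initial `forward_policy: only` set to report changed, which silently depends on the server not already being in that state; a comment such as `# Assumes a fresh server where forward_policy is not already 'only'.` above the first test task would make that precondition visible.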
diff --git a/tests/group/test_group.yml b/tests/group/test_group.yml
index 5fc63dd1..28df3a5a 100644
--- a/tests/group/test_group.yml
+++ b/tests/group/test_group.yml
@@ -1,5 +1,5 @@
---
-- name: Tests
+- name: Test group
hosts: ipaserver
become: true
gather_facts: false
@@ -7,19 +7,19 @@
tasks:
- name: Ensure users user1, user2 and user3 are absent
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: user1,user2,user3
state: absent
- name: Ensure group group3, group2 and group1 are absent
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group3,group2,group1
state: absent
- name: Ensure users user1..user3 are present
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: user1
first: user1
@@ -35,49 +35,49 @@
- name: Ensure group1 is present
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1
register: result
failed_when: not result.changed
- name: Ensure group1 is present again
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1
register: result
failed_when: result.changed
- name: Ensure group2 is present
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group2
register: result
failed_when: not result.changed
- name: Ensure group2 is present again
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group2
register: result
failed_when: result.changed
- name: Ensure group3 is present
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group3
register: result
failed_when: not result.changed
- name: Ensure group3 is present again
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group3
register: result
failed_when: result.changed
- name: Ensure groups group2 and group3 are present in group group1
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1
group:
- group2
@@ -88,7 +88,7 @@
- name: Ensure groups group2 and group3 are present in group group1 again
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1
group:
- group2
@@ -99,7 +99,7 @@
- name: Ensure group3 ia present in group group1
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1
group:
- group3
@@ -109,7 +109,7 @@
- name: Ensure users user1, user2 and user3 are present in group group1
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1
user:
- user1
@@ -121,7 +121,7 @@
- name: Ensure users user1, user2 and user3 are present in group group1 again
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1
user:
- user1
@@ -132,7 +132,7 @@
failed_when: result.changed
#- ipagroup:
- # ipaadmin_password: MyPassword123
+ # ipaadmin_password: SomeADMINpassword
# name: group1
# user:
# - user7
@@ -140,7 +140,7 @@
- name: Ensure user user7 is absent in group group1
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1
user:
- user7
@@ -151,7 +151,7 @@
- name: Ensure group group4 is absent
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group4
state: absent
register: result
@@ -159,7 +159,7 @@
- name: Ensure group group3, group2 and group1 are absent
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group3,group2,group1
state: absent
register: result
@@ -167,7 +167,7 @@
- name: Ensure users user1, user2 and user3 are absent
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: user1,user2,user3
state: absent
register: result
diff --git a/tests/hbacrule/test_hbacrule.yml b/tests/hbacrule/test_hbacrule.yml
index a5615cce..4d0c2030 100644
--- a/tests/hbacrule/test_hbacrule.yml
+++ b/tests/hbacrule/test_hbacrule.yml
@@ -1,338 +1,629 @@
---
-- name: Tests
+- name: Test hbacrule
hosts: ipaserver
become: true
- gather_facts: false
tasks:
- - name: Ensure HBAC Rule allhosts is absent
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: allhosts,sshd-pinky,loginRule
+ - name: Get Domain from server name
+ set_fact:
+ ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
+ when: ipaserver_domain is not defined
+
+ # CLEANUP TEST ITEMS
+
+ - name: Ensure test hosts are absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ 'testhost01.' + ipaserver_domain }}"
+ - "{{ 'testhost02.' + ipaserver_domain }}"
+ - "{{ 'testhost03.' + ipaserver_domain }}"
+ - "{{ 'testhost04.' + ipaserver_domain }}"
state: absent
- - name: User pinky absent
+ - name: Ensure test hostgroups are absent
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04
+ state: absent
+
+ - name: Ensure test users are absent
ipauser:
- ipaadmin_password: MyPassword123
- name: pinky
+ ipaadmin_password: SomeADMINpassword
+ name: testuser01,testuser02,testuser03,testuser04
state: absent
- - name: User group login absent
+ - name: Ensure test user groups are absent
ipagroup:
- ipaadmin_password: MyPassword123
- name: login
+ ipaadmin_password: SomeADMINpassword
+ name: testgroup01,testgroup02,testgroup03,testgroup04
state: absent
- - name: User pinky present
+ - name: Ensure test HBAC Services are absent
+ ipahbacsvc:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04
+ state: absent
+
+ - name: Ensure test HBAC Service Groups are absent
+ ipahbacsvcgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04
+ state: absent
+
+ # CREATE TEST ITEMS
+
+ - name: Ensure hosts "{{ 'host[1..4].' + ipaserver_domain }}" are present
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: "{{ 'testhost01.' + ipaserver_domain }}"
+ force: yes
+ - name: "{{ 'testhost02.' + ipaserver_domain }}"
+ force: yes
+ - name: "{{ 'testhost03.' + ipaserver_domain }}"
+ force: yes
+ - name: "{{ 'testhost04.' + ipaserver_domain }}"
+ force: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure host-group testhostgroup01 is present
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhostgroup01
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure host-group testhostgroup02 is present
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhostgroup02
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure host-group testhostgroup03 is present
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhostgroup03
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure host-group testhostgroup04 is present
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhostgroup04
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure testusers are present
ipauser:
- ipaadmin_password: MyPassword123
- name: pinky
- uid: 10001
- gid: 100
- phone: "+555123457"
- email: pinky@acme.com
- principalexpiration: "20220119235959"
- #passwordexpiration: "2022-01-19 23:59:59"
- first: pinky
- last: Acme
+ ipaadmin_password: SomeADMINpassword
+ users:
+ - name: testuser01
+ first: test
+ last: user01
+ - name: testuser02
+ first: test
+ last: user02
+ - name: testuser03
+ first: test
+ last: user03
+ - name: testuser04
+ first: test
+ last: user04
register: result
failed_when: not result.changed
- - name: User group login present
+ - name: Ensure user group testgroup01 is present
ipagroup:
- ipaadmin_password: MyPassword123
- name: login
+ ipaadmin_password: SomeADMINpassword
+ name: testgroup01
register: result
failed_when: not result.changed
- - name: Ensure HBAC Rule allhosts is present
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: allhosts
- usercategory: all
+ - name: Ensure user group testgroup02 is present
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testgroup02
register: result
failed_when: not result.changed
- - name: Ensure HBAC Rule allhosts is present again
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: allhosts
- usercategory: all
- register: result
- failed_when: result.changed
-
- - name: Ensure host "{{ groups.ipaserver[0] }}" is present in HBAC Rule allhosts
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: allhosts
- host: "{{ groups.ipaserver[0] }}"
- action: member
+ - name: Ensure user group testgroup03 is present
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testgroup03
register: result
failed_when: not result.changed
- - name: Ensure host "{{ groups.ipaserver[0] }}" is present in HBAC Rule allhosts again
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: allhosts
- host: "{{ groups.ipaserver[0] }}"
- action: member
- register: result
- failed_when: result.changed
-
- - name: Ensure HBAC Rule sshd-pinky is present
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- hostcategory: all
+ - name: Ensure user group testgroup04 is present
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testgroup04
register: result
failed_when: not result.changed
- - name: Ensure HBAC Rule sshd-pinky is present again
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- hostcategory: all
- register: result
- failed_when: result.changed
-
- - name: Ensure user pinky is present in HBAC Rule sshd-pinky
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- user: pinky
- action: member
+ - name: Ensure HBAC Service testhbacsvc01 is present
+ ipahbacsvc:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvc01
register: result
failed_when: not result.changed
- - name: Ensure user pinky is present in HBAC Rule sshd-pinky again
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- user: pinky
- action: member
- register: result
- failed_when: result.changed
-
- - name: Ensure HBAC service sshd is present in HBAC Rule sshd-pinky
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- hbacsvc: sshd
- action: member
+ - name: Ensure HBAC Service testhbacsvc02 is present
+ ipahbacsvc:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvc02
register: result
failed_when: not result.changed
- - name: Ensure HBAC service sshd is present in HBAC Rule sshd-pinky again
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- hbacsvc: sshd
- action: member
- register: result
- failed_when: result.changed
-
- - name: Ensure HBAC Rule loginRule is present with HBAC service sshd
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: loginRule
- group: login
+ - name: Ensure HBAC Service testhbacsvc03 is present
+ ipahbacsvc:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvc03
register: result
failed_when: not result.changed
- - name: Ensure HBAC Rule loginRule is present with HBAC service sshd again
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: loginRule
- group: login
- register: result
- failed_when: result.changed
-
- - name: Ensure user pinky is present in HBAC Rule loginRule
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: loginRule
- user: pinky
- action: member
+ - name: Ensure HBAC Service testhbacsvc04 is present
+ ipahbacsvc:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvc04
register: result
failed_when: not result.changed
- - name: Ensure user pinky is present in HBAC Rule loginRule again
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: loginRule
- user: pinky
- action: member
+ - name: Ensure HBAC Service Group testhbacsvcgroup01 is present
+ ipahbacsvcgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvcgroup01
register: result
- failed_when: result.changed
+ failed_when: not result.changed
- - name: Ensure user pinky is absent in HBAC Rule loginRule
+ - name: Ensure HBAC Service Group testhbacsvcgroup02 is present
+ ipahbacsvcgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvcgroup02
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure HBAC Service Group testhbacsvcgroup03 is present
+ ipahbacsvcgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvcgroup03
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure HBAC Service Group testhbacsvcgroup04 is present
+ ipahbacsvcgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvcgroup04
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 is absent
ipahbacrule:
- ipaadmin_password: MyPassword123
- name: loginRule
- user: pinky
- action: member
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
state: absent
+
+ # ENSURE HBACRULE
+
+ - name: Ensure HBAC rule hbacrule01 is present
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
register: result
failed_when: not result.changed
- - name: Ensure user pinky is absent in HBAC Rule loginRule again
+ - name: Ensure HBAC rule hbacrule01 is present again
ipahbacrule:
- ipaadmin_password: MyPassword123
- name: loginRule
- user: pinky
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ register: result
+ failed_when: result.changed
+
+ # CHANGE HBACRULE WITH ALL MEMBERS
+
+ - name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ host:
+ - "{{ 'testhost01.' + ipaserver_domain }}"
+ - "{{ 'testhost02.' + ipaserver_domain }}"
+ hostgroup: testhostgroup01,testhostgroup02
+ user: testuser01,testuser02
+ group: testgroup01,testgroup02
+ hbacsvc: testhbacsvc01,testhbacsvc02
+ hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups again
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ host:
+ - "{{ 'testhost01.' + ipaserver_domain }}"
+ - "{{ 'testhost02.' + ipaserver_domain }}"
+ hostgroup: testhostgroup01,testhostgroup02
+ user: testuser01,testuser02
+ group: testgroup01,testgroup02
+ hbacsvc: testhbacsvc01,testhbacsvc02
+ hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
+ register: result
+ failed_when: result.changed
+
+ # REMOVE MEMBERS ONE BY ONE
+
+ - name: Ensure test HBAC rule hbacrule01 host members are absent
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ host:
+ - "{{ 'testhost01.' + ipaserver_domain }}"
+ - "{{ 'testhost02.' + ipaserver_domain }}"
+ state: absent
action: member
- state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure HBAC Rule loginRule is absent
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: loginRule
- state: absent
register: result
failed_when: not result.changed
- - name: Ensure HBAC Rule loginRule is absent again
+ - name: Ensure test HBAC rule hbacrule01 host members are absent again
ipahbacrule:
- ipaadmin_password: MyPassword123
- name: loginRule
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ host:
+ - "{{ 'testhost01.' + ipaserver_domain }}"
+ - "{{ 'testhost02.' + ipaserver_domain }}"
state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure HBAC service sshd is absent in HBAC Rule sshd-pinky
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- hbacsvc: sshd
action: member
- state: absent
register: result
- failed_when: not result.changed
+ failed_when: result.changed
- - name: Ensure HBAC service sshd is absent in HBAC Rule sshd-pinky again
+ - name: Ensure test HBAC rule hbacrule01 hostgroup members are absent
ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- hbacsvc: sshd
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hostgroup: testhostgroup01,testhostgroup02
+ state: absent
action: member
- state: absent
register: result
- failed_when: result.changed
+ failed_when: not result.changed
- - name: Ensure user pinky is absent in HBAC Rule sshd-pinky
+ - name: Ensure test HBAC rule hbacrule01 hostgroup members are absent again
ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- user: pinky
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hostgroup: testhostgroup01,testhostgroup02
+ state: absent
action: member
- state: absent
register: result
- failed_when: not result.changed
+ failed_when: result.changed
- - name: Ensure user pinky is absent in HBAC Rule sshd-pinky again
+ - name: Ensure test HBAC rule hbacrule01 user members are absent
ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- user: pinky
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ user: testuser01,testuser02
+ state: absent
action: member
- state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure HBAC Rule sshd-pinky is disabled
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- state: disabled
register: result
failed_when: not result.changed
- - name: Ensure HBAC Rule sshd-pinky is disabled again
+ - name: Ensure test HBAC rule hbacrule01 user members are absent again
ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- state: disabled
- register: result
- failed_when: result.changed
-
- - name: Ensure HBAC Rule sshd-pinky is enabled
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- state: enabled
- register: result
- failed_when: not result.changed
-
- - name: Ensure HBAC Rule sshd-pinky is enabled again
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- state: enabled
- register: result
- failed_when: result.changed
-
- - name: Ensure HBAC Rule sshd-pinky is absent
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ user: testuser01,testuser02
state: absent
- register: result
- failed_when: not result.changed
-
- - name: Ensure HBAC Rule sshd-pinky is absent again
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: sshd-pinky
- state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure host "{{ groups.ipaserver[0] }}" is absent in HBAC Rule allhosts
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: allhosts
- host: "{{ groups.ipaserver[0] }}"
action: member
- state: absent
register: result
- failed_when: not result.changed
+ failed_when: result.changed
- - name: Ensure host "{{ groups.ipaserver[0] }}" is absent in HBAC Rule allhosts again
+ - name: Ensure test HBAC rule hbacrule01 user group members are absent
ipahbacrule:
- ipaadmin_password: MyPassword123
- name: allhosts
- host: "{{ groups.ipaserver[0] }}"
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ group: testgroup01,testgroup02
+ state: absent
action: member
- state: absent
- register: result
- failed_when: result.changed
-
- - name: Ensure HBAC Rule allhosts is absent
- ipahbacrule:
- ipaadmin_password: MyPassword123
- name: allhosts
- state: absent
register: result
failed_when: not result.changed
- - name: Ensure HBAC Rule allhosts is absent again
+ - name: Ensure test HBAC rule hbacrule01 user group members are absent again
ipahbacrule:
- ipaadmin_password: MyPassword123
- name: allhosts
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ group: testgroup01,testgroup02
state: absent
+ action: member
register: result
failed_when: result.changed
- - name: User pinky absent
+ - name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hbacsvc: testhbacsvc01,testhbacsvc02
+ state: absent
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent again
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hbacsvc: testhbacsvc01,testhbacsvc02
+ state: absent
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
+ state: absent
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent again
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
+ state: absent
+ action: member
+ register: result
+ failed_when: result.changed
+
+ # ADD MEMBERS BACK
+
+ - name: Ensure test HBAC rule hbacrule01 host members are present
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ host:
+ - "{{ 'testhost01.' + ipaserver_domain }}"
+ - "{{ 'testhost02.' + ipaserver_domain }}"
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 host members are present again
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ host:
+ - "{{ 'testhost01.' + ipaserver_domain }}"
+ - "{{ 'testhost02.' + ipaserver_domain }}"
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 hostgroup members are present
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hostgroup: testhostgroup01,testhostgroup02
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 hostgroup members are present again
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hostgroup: testhostgroup01,testhostgroup02
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 user members are present
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ user: testuser01,testuser02
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 user members are present again
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ user: testuser01,testuser02
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 user group members are present
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ group: testgroup01,testgroup02
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 user group members are present again
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ group: testgroup01,testgroup02
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 hbacsvc members are present
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hbacsvc: testhbacsvc01,testhbacsvc02
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 hbacsvc members are present again
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hbacsvc: testhbacsvc01,testhbacsvc02
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are present
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are present again
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
+ action: member
+ register: result
+ failed_when: result.changed
+
+ # CHANGE TO DIFFERENT MEMBERS
+
+ - name: Ensure HBAC rule hbacrule01 is present with different hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ host:
+ - "{{ 'testhost03.' + ipaserver_domain }}"
+ - "{{ 'testhost04.' + ipaserver_domain }}"
+ hostgroup: testhostgroup03,testhostgroup04
+ user: testuser03,testuser04
+ group: testgroup03,testgroup04
+ hbacsvc: testhbacsvc03,testhbacsvc04
+ hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure HBAC rule hbacrule01 is present with different hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups again
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ host:
+ - "{{ 'testhost03.' + ipaserver_domain }}"
+ - "{{ 'testhost04.' + ipaserver_domain }}"
+ hostgroup: testhostgroup03,testhostgroup04
+ user: testuser03,testuser04
+ group: testgroup03,testgroup04
+ hbacsvc: testhbacsvc03,testhbacsvc04
+ hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04
+ register: result
+ failed_when: result.changed
+
+ # ENSURE OLD TEST MEMBERS ARE ABSENT
+
+ - name: Ensure HBAC rule hbacrule01 members (same) are present
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ host:
+ - "{{ 'testhost01.' + ipaserver_domain }}"
+ - "{{ 'testhost02.' + ipaserver_domain }}"
+ hostgroup: testhostgroup01,testhostgroup02
+ user: testuser01,testuser02
+ group: testgroup01,testgroup02
+ hbacsvc: testhbacsvc01,testhbacsvc02
+ hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02
+ state: absent
+ action: member
+ register: result
+ failed_when: result.changed
+
+ # ENSURE NEW TEST MEMBERS ARE ABSENT
+
+ - name: Ensure HBAC rule hbacrule01 members are absent
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ host:
+ - "{{ 'testhost03.' + ipaserver_domain }}"
+ - "{{ 'testhost04.' + ipaserver_domain }}"
+ hostgroup: testhostgroup03,testhostgroup04
+ user: testuser03,testuser04
+ group: testgroup03,testgroup04
+ hbacsvc: testhbacsvc03,testhbacsvc04
+ hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04
+ state: absent
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure HBAC rule hbacrule01 members are absent again
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ host:
+ - "{{ 'testhost03.' + ipaserver_domain }}"
+ - "{{ 'testhost04.' + ipaserver_domain }}"
+ hostgroup: testhostgroup03,testhostgroup04
+ user: testuser03,testuser04
+ group: testgroup03,testgroup04
+ hbacsvc: testhbacsvc03,testhbacsvc04
+ hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04
+ state: absent
+ action: member
+ register: result
+ failed_when: result.changed
+
+ # CLEANUP TEST ITEMS
+
+ - name: Ensure test HBAC rule hbacrule01 is absent
+ ipahbacrule:
+ ipaadmin_password: SomeADMINpassword
+ name: hbacrule01
+ state: absent
+
+ - name: Ensure test hosts are absent
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ 'testhost01.' + ipaserver_domain }}"
+ - "{{ 'testhost02.' + ipaserver_domain }}"
+ - "{{ 'testhost03.' + ipaserver_domain }}"
+ - "{{ 'testhost04.' + ipaserver_domain }}"
+ state: absent
+
+ - name: Ensure test hostgroups are absent
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04
+ state: absent
+
+ - name: Ensure test users are absent
ipauser:
- ipaadmin_password: MyPassword123
- name: pinky
+ ipaadmin_password: SomeADMINpassword
+ name: testuser01,testuser02,testuser03,testuser04
state: absent
- - name: User group login absent
+ - name: Ensure test user groups are absent
ipagroup:
- ipaadmin_password: MyPassword123
- name: login
+ ipaadmin_password: SomeADMINpassword
+ name: testgroup01,testgroup02,testgroup03,testgroup04
+ state: absent
+
+ - name: Ensure test HBAC Services are absent
+ ipahbacsvc:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04
+ state: absent
+
+ - name: Ensure test HBAC Service Groups are absent
+ ipahbacsvcgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04
state: absent
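Review bot: The cleanup task `Ensure test hosts are absent` near the end of the file calls `ipahostgroup` with the four testhostNN names, whereas the matching setup task at the top uses `ipahost`; as written the test hosts are never removed and the module is asked to delete host groups that do not exist, so the module line should read `ipahost:`. The task under `# ENSURE OLD TEST MEMBERS ARE ABSENT` is named `members (same) are present` but sets `state: absent` with `failed_when: result.changed`; name it `Ensure HBAC rule hbacrule01 old members are absent already` so the intent of the idempotence check is clear. The `force: yes` entries in the host creation task should be `force: true`, and the task name quoting `host[1..4]` does not match the `testhost01..04` names it creates.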
diff --git a/tests/hbacsvc/test_hbacsvc.yml b/tests/hbacsvc/test_hbacsvc.yml
index d919b668..87a6bbd5 100644
--- a/tests/hbacsvc/test_hbacsvc.yml
+++ b/tests/hbacsvc/test_hbacsvc.yml
@@ -1,5 +1,5 @@
---
-- name: Tests
+- name: Test hbacsvc
hosts: ipaserver
become: true
gather_facts: false
@@ -7,27 +7,27 @@
tasks:
- name: Ensure HBAC Service for http is absent
ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: http,tftp
state: absent
- name: Ensure HBAC Service for http is present
ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: http
register: result
failed_when: not result.changed
- name: Ensure HBAC Service for http is present again
ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: http
register: result
failed_when: result.changed
- name: Ensure HBAC Service for tftp is present
ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: tftp
description: TFTP service
register: result
@@ -35,7 +35,7 @@
- name: Ensure HBAC Service for tftp is present again
ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: tftp
description: TFTP service
register: result
@@ -43,7 +43,7 @@
- name: Ensure HBAC Services for http and tftp are absent
ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: http,tftp
state: absent
register: result
@@ -51,7 +51,7 @@
- name: Ensure HBAC Services for http and tftp are absent again
ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: http,tftp
state: absent
register: result
diff --git a/tests/hbacsvcgroup/test_hbacsvcgroup.yml b/tests/hbacsvcgroup/test_hbacsvcgroup.yml
index 9a659f1e..853efa29 100644
--- a/tests/hbacsvcgroup/test_hbacsvcgroup.yml
+++ b/tests/hbacsvcgroup/test_hbacsvcgroup.yml
@@ -1,5 +1,5 @@
---
-- name: Tests
+- name: Test hbacsvcgroup
hosts: ipaserver
become: true
gather_facts: false
@@ -7,32 +7,32 @@
tasks:
- name: Ensure HBAC Service Group login is absent
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
state: absent
- name: Ensure HBAC Service for sshd is present
ipahbacsvc:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
- name: Ensure HBAC Service Group login is present
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
register: result
failed_when: not result.changed
- name: Ensure HBAC Service Group login is present again
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
register: result
failed_when: result.changed
- name: Ensure HBAC Service sshd is present in HBAC Service Group login
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -42,7 +42,7 @@
- name: Ensure HBAC Service sshd is present in HBAC Service Group login again
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -52,7 +52,7 @@
- name: Ensure HBAC Services sshd and foo are absent in HBAC Service Group login
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -64,7 +64,7 @@
- name: Ensure HBAC Services sshd and foo are absent in HBAC Service Group login again
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -76,7 +76,7 @@
- name: Ensure HBAC Service Group login is absent
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
state: absent
register: result
@@ -84,7 +84,7 @@
- name: Ensure HBAC Service Group login is absent again
ipahbacsvcgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: login
state: absent
register: result
diff --git a/tests/host/test_host.yml b/tests/host/test_host.yml
index 1a555a13..efb0524a 100644
--- a/tests/host/test_host.yml
+++ b/tests/host/test_host.yml
@@ -20,7 +20,7 @@
- name: Host absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
@@ -38,7 +38,7 @@
- name: Host "{{ host1_fqdn }}" present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
ip_address: "{{ ipv4_prefix + '.201' }}"
update_dns: yes
@@ -48,7 +48,7 @@
- name: Host "{{ host1_fqdn }}" present again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
ip_address: "{{ ipv4_prefix + '.201' }}"
update_dns: yes
@@ -58,7 +58,7 @@
- name: Host "{{ host2_fqdn }}" present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host2_fqdn }}"
ip_address: "{{ ipv4_prefix + '.202' }}"
update_dns: yes
@@ -68,7 +68,7 @@
- name: Host "{{ host2_fqdn }}" present again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host2_fqdn }}"
ip_address: "{{ ipv4_prefix + '.202' }}"
update_dns: yes
@@ -78,7 +78,7 @@
- name: Host "{{ host3_fqdn }}" present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host3_fqdn }}"
ip_address: "{{ ipv4_prefix + '.203' }}"
update_dns: yes
@@ -88,7 +88,7 @@
- name: Host "{{ host3_fqdn }}" present again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host3_fqdn }}"
ip_address: "{{ ipv4_prefix + '.203' }}"
update_dns: yes
@@ -98,7 +98,7 @@
- name: Host "{{ host4_fqdn }}" present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host4_fqdn }}"
ip_address: "{{ ipv4_prefix + '.204' }}"
update_dns: yes
@@ -108,7 +108,7 @@
- name: Host "{{ host4_fqdn }}" present again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host4_fqdn }}"
ip_address: "{{ ipv4_prefix + '.204' }}"
update_dns: yes
@@ -118,7 +118,7 @@
- name: Host "{{ host5_fqdn }}" present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host5_fqdn }}"
ip_address: "{{ ipv4_prefix + '.205' }}"
update_dns: yes
@@ -128,8 +128,8 @@
- name: Host "{{ host5_fqdn }}" present again
ipahost:
- ipaadmin_password: MyPassword123
- name: "{{ host1_fqdn }}"
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host5_fqdn }}"
ip_address: "{{ ipv4_prefix + '.205' }}"
update_dns: yes
reverse: no
@@ -138,7 +138,7 @@
- name: Host "{{ host6_fqdn }}" present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host6_fqdn }}"
ip_address: "{{ ipv4_prefix + '.206' }}"
update_dns: yes
@@ -148,7 +148,7 @@
- name: Host "{{ host6_fqdn }}" present again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host6_fqdn }}"
ip_address: "{{ ipv4_prefix + '.206' }}"
update_dns: yes
@@ -160,7 +160,7 @@
# not enabled.
#- name: Hosts host1..host6 disabled
# ipahost:
- # ipaadmin_password: MyPassword123
+ # ipaadmin_password: SomeADMINpassword
# name:
# - "{{ host1_fqdn }}"
# - "{{ host2_fqdn }}"
@@ -174,7 +174,7 @@
#
#- name: Hosts host1..host6 disabled again
# ipahost:
- # ipaadmin_password: MyPassword123
+ # ipaadmin_password: SomeADMINpassword
# name:
# - "{{ host1_fqdn }}"
# - "{{ host2_fqdn }}"
@@ -188,7 +188,7 @@
- name: Hosts host1..host6 absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
@@ -203,7 +203,7 @@
- name: Hosts host1..host6 absent again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
diff --git a/tests/host/test_host_allow_create_keytab.yml b/tests/host/test_host_allow_create_keytab.yml
index eb7b7764..b9ad0a19 100644
--- a/tests/host/test_host_allow_create_keytab.yml
+++ b/tests/host/test_host_allow_create_keytab.yml
@@ -22,7 +22,7 @@
- name: Host host1..., host2... and host3... absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
@@ -31,13 +31,13 @@
- name: Ensure host-groups hostgroup1 and hostgroup2 absent
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: hostgroup1,hostgroup2
state: absent
- name: Ensure users user1 and user2 absent
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: user1
- name: user2
@@ -45,13 +45,13 @@
- name: Ensure group1 and group2 absent
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1,group2
state: absent
- name: Host host2... and host3... present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host2_fqdn }}"
force: yes
@@ -62,7 +62,7 @@
- name: Ensure host-group hostgroup1 present
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: hostgroup1
state: present
register: result
@@ -70,7 +70,7 @@
- name: Ensure host-group hostgroup2 present
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: hostgroup2
state: present
register: result
@@ -78,7 +78,7 @@
- name: Ensure users user1 and user2 present
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: user1
first: First1
@@ -91,21 +91,21 @@
- name: Ensure group1 present
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1
register: result
failed_when: not result.changed
- name: Ensure group2 present
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group2
register: result
failed_when: not result.changed
- name: Host host1... present with allow_create_keytab users,groups,hosts and hostgroups
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_create_keytab_user:
- user1
@@ -125,7 +125,7 @@
- name: Host host1... present with allow_create_keytab users,groups,hosts and hostgroups again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_create_keytab_user:
- user1
@@ -145,14 +145,14 @@
- name: Host host1... absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
state: absent
- name: Host host1... present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
force: yes
register: result
@@ -160,7 +160,7 @@
- name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_create_keytab_user:
- user1
@@ -180,7 +180,7 @@
- name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups present again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_create_keytab_user:
- user1
@@ -200,7 +200,7 @@
- name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_create_keytab_user:
- user1
@@ -221,7 +221,7 @@
- name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups absent again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_create_keytab_user:
- user1
@@ -242,7 +242,7 @@
- name: Host host1..., host2... and host3... absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
@@ -253,7 +253,7 @@
- name: Ensure host-groups hostgroup1 and hostgroup2 absent
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: hostgroup1,hostgroup2
state: absent
register: result
@@ -261,7 +261,7 @@
- name: Ensure users user1 and user2 absent
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: user1
- name: user2
@@ -271,7 +271,7 @@
- name: Ensure group1 and group2 absent
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1,group2
state: absent
register: result
diff --git a/tests/host/test_host_allow_retrieve_keytab.yml b/tests/host/test_host_allow_retrieve_keytab.yml
index 65d86aa6..8f955407 100644
--- a/tests/host/test_host_allow_retrieve_keytab.yml
+++ b/tests/host/test_host_allow_retrieve_keytab.yml
@@ -22,7 +22,7 @@
- name: Host host1..., host2... and host3... absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
@@ -31,13 +31,13 @@
- name: Ensure host-groups hostgroup1 and hostgroup2 absent
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: hostgroup1,hostgroup2
state: absent
- name: Ensure users user1 and user2 absent
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: user1
- name: user2
@@ -45,13 +45,13 @@
- name: Ensure group1 and group2 absent
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1,group2
state: absent
- name: Host host2... and host3... present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host2_fqdn }}"
force: yes
@@ -62,7 +62,7 @@
- name: Ensure host-group hostgroup1 present
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: hostgroup1
state: present
register: result
@@ -70,7 +70,7 @@
- name: Ensure host-group hostgroup2 present
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: hostgroup2
state: present
register: result
@@ -78,7 +78,7 @@
- name: Ensure users user1 and user2 present
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: user1
first: First1
@@ -91,21 +91,21 @@
- name: Ensure group1 present
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1
register: result
failed_when: not result.changed
- name: Ensure group2 present
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group2
register: result
failed_when: not result.changed
- name: Host host1... present with allow_retrieve_keytab users,groups,hosts and hostgroups
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_retrieve_keytab_user:
- user1
@@ -125,7 +125,7 @@
- name: Host host1... present with allow_retrieve_keytab users,groups,hosts and hostgroups again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_retrieve_keytab_user:
- user1
@@ -145,14 +145,14 @@
- name: Host host1... absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
state: absent
- name: Host host1... present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
force: yes
register: result
@@ -160,7 +160,7 @@
- name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_retrieve_keytab_user:
- user1
@@ -180,7 +180,7 @@
- name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups present again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_retrieve_keytab_user:
- user1
@@ -200,7 +200,7 @@
- name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_retrieve_keytab_user:
- user1
@@ -221,7 +221,7 @@
- name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups absent again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
allow_retrieve_keytab_user:
- user1
@@ -242,7 +242,7 @@
- name: Host host1..., host2... and host3... absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
@@ -253,7 +253,7 @@
- name: Ensure host-groups hostgroup1 and hostgroup2 absent
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: hostgroup1,hostgroup2
state: absent
register: result
@@ -261,7 +261,7 @@
- name: Ensure users user1 and user2 absent
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: user1
- name: user2
@@ -271,7 +271,7 @@
- name: Ensure group1 and group2 absent
ipagroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: group1,group2
state: absent
register: result
diff --git a/tests/host/test_host_bool_params.yml b/tests/host/test_host_bool_params.yml
new file mode 100644
index 00000000..efded1f1
--- /dev/null
+++ b/tests/host/test_host_bool_params.yml
@@ -0,0 +1,119 @@
+---
+- name: Test host bool parameters
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Get Domain from server name
+ set_fact:
+ ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
+ when: ipaserver_domain is not defined
+
+ - name: Set host1_fqdn .. host6_fqdn
+ set_fact:
+ host1_fqdn: "{{ 'host1.' + ipaserver_domain }}"
+
+ - name: Host absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ host1_fqdn }}"
+ update_dns: yes
+ state: absent
+
+ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ force: yes
+ requires_pre_auth: yes
+ ok_as_delegate: yes
+ ok_to_auth_as_delegate: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ requires_pre_auth: yes
+ ok_as_delegate: yes
+ ok_to_auth_as_delegate: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate set to no
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ requires_pre_auth: no
+ ok_as_delegate: no
+ ok_to_auth_as_delegate: no
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate set to no again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ requires_pre_auth: no
+ ok_as_delegate: no
+ ok_to_auth_as_delegate: no
+ register: result
+ failed_when: result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ requires_pre_auth: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with requires_pre_auth again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ requires_pre_auth: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with ok_as_delegate
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ok_as_delegate: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with ok_as_delegate again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ok_as_delegate: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with ok_to_auth_as_delegate
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ok_to_auth_as_delegate: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with ok_to_auth_as_delegate again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ok_to_auth_as_delegate: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Host absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ host1_fqdn }}"
+ update_dns: yes
+ state: absent
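Review bot: The task named `Set host1_fqdn .. host6_fqdn` only defines `host1_fqdn`, so the name (copied from the other host tests) misstates what the step does; `- name: Set host1_fqdn` is accurate. The boolean arguments `requires_pre_auth`, `ok_as_delegate` and `ok_to_auth_as_delegate` use `yes`/`no` while the play itself uses `become: true`; `true`/`false` are the canonical YAML booleans and avoid yamllint `truthy` warnings. The closing `Host absent` cleanup only runs if every preceding assertion passes, so a failure part-way leaves the test host in the realm with whatever delegation flags the failing step had set; wrapping the tasks in a `block:` with the cleanup under `always:` would make the teardown unconditional, though that would be a departure from the other test playbooks.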
diff --git a/tests/host/test_host_ipaddresses.yml b/tests/host/test_host_ipaddresses.yml
new file mode 100644
index 00000000..45500707
--- /dev/null
+++ b/tests/host/test_host_ipaddresses.yml
@@ -0,0 +1,321 @@
+---
+- name: Test host IP addresses
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ - name: Get Domain from server name
+ set_fact:
+ ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
+ when: ipaserver_domain is not defined
+
+ - name: Set host1_fqdn .. host6_fqdn
+ set_fact:
+ host1_fqdn: "{{ 'host1.' + ipaserver_domain }}"
+ host2_fqdn: "{{ 'host2.' + ipaserver_domain }}"
+ host3_fqdn: "{{ 'host3.' + ipaserver_domain }}"
+
+ - name: Get IPv4 address prefix from server node
+ set_fact:
+ ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+ join('.') }}"
+
+ - name: Host absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ - "{{ host3_fqdn }}"
+ update_dns: yes
+ state: absent
+
+ - name: Host "{{ host1_fqdn }}" present
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.201' }}"
+ - fe80::20c:29ff:fe02:a1b2
+ update_dns: yes
+ reverse: no
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.201' }}"
+ - fe80::20c:29ff:fe02:a1b2
+ update_dns: yes
+ reverse: no
+ register: result
+ failed_when: result.changed
+
+ - name: Host "{{ host1_fqdn }}" present again with new IP address
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ update_dns: yes
+ reverse: no
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present again with new IP address again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ update_dns: yes
+ reverse: no
+ register: result
+ failed_when: result.changed
+
+ - name: Host "{{ host1_fqdn }}" member IPv4 address present
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.201' }}"
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" member IPv4 address present again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.201' }}"
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Host "{{ host1_fqdn }}" member IPv4 address absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.201' }}"
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" member IPv4 address absent again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.201' }}"
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Host "{{ host1_fqdn }}" member IPv6 address present
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: fe80::20c:29ff:fe02:a1b2
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" member IPv6 address present again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: fe80::20c:29ff:fe02:a1b2
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Host "{{ host1_fqdn }}" member IPv6 address absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: fe80::20c:29ff:fe02:a1b2
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" member IPv6 address absent again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: fe80::20c:29ff:fe02:a1b2
+ action: member
+ state: absent
+ register: result
+
+ - name: Host "{{ host1_fqdn }}" member all ip-addresses absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" all member ip-addresses absent again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" present with same IP addresses
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: "{{ host1_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ - name: "{{ host2_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ register: result
+ failed_when: not result.changed
+
+ - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" present with same IP addresses again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: "{{ host1_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ - name: "{{ host2_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ register: result
+ failed_when: result.changed
+
+ - name: Hosts "{{ host3_fqdn }}" present with same IP addresses
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: "{{ host3_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ register: result
+ failed_when: not result.changed
+
+ - name: Hosts "{{ host3_fqdn }}" present with same IP addresses again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: "{{ host3_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ register: result
+ failed_when: result.changed
+
+ - name: Host "{{ host3_fqdn }}" present with differnt IP addresses
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: "{{ host3_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.111' }}"
+ - fe80::20c:29ff:fe02:a1b1
+ - "{{ ipv4_prefix + '.121' }}"
+ - fe80::20c:29ff:fe02:a1b2
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host3_fqdn }}" present with different IP addresses again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: "{{ host3_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.111' }}"
+ - fe80::20c:29ff:fe02:a1b1
+ - "{{ ipv4_prefix + '.121' }}"
+ - fe80::20c:29ff:fe02:a1b2
+ register: result
+ failed_when: result.changed
+
+ - name: Host "{{ host3_fqdn }}" present with old IP addresses
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: "{{ host3_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host3_fqdn }}" present with old IP addresses again
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: "{{ host3_fqdn }}"
+ ip_address:
+ - "{{ ipv4_prefix + '.211' }}"
+ - fe80::20c:29ff:fe02:a1b3
+ - "{{ ipv4_prefix + '.221' }}"
+ - fe80::20c:29ff:fe02:a1b4
+ register: result
+ failed_when: result.changed
+
+ - name: Absent host01.ihavenodns.info test
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: host01.ihavenodns.info
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Host absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ - "{{ host3_fqdn }}"
+ update_dns: yes
+ state: absent
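Review bot: The task `Host "{{ host1_fqdn }}" member IPv6 address absent again` registers `result` but never evaluates it, so a non-idempotent second removal would pass silently; every other "again" task in this file asserts idempotency, so add `failed_when: result.changed` after its `register: result`. Two task names also need cleanup: `present with differnt IP addresses` has a typo (`different`), and the two `Hosts "{{ host3_fqdn }}" present with same IP addresses` tasks handle a single host, so `Host` is the right word. The `update_dns: yes` / `reverse: no` arguments would read more consistently as `true`/`false` alongside the play's `become: true`.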
diff --git a/tests/host/test_host_managedby_host.yml b/tests/host/test_host_managedby_host.yml
index 78c5a43d..e6fb9dc6 100644
--- a/tests/host/test_host_managedby_host.yml
+++ b/tests/host/test_host_managedby_host.yml
@@ -16,7 +16,7 @@
- name: Host absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
@@ -25,7 +25,7 @@
- name: Host "{{ host1_fqdn }}" present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
force: yes
register: result
@@ -33,7 +33,7 @@
- name: Host "{{ host2_fqdn }}" present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host2_fqdn }}"
force: yes
register: result
@@ -41,7 +41,7 @@
- name: Host "{{ host1_fqdn }}" managed by "{{ 'host2.' + ipaserver_domain }}"
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
managedby_host: "{{ host2_fqdn }}"
register: result
@@ -49,7 +49,7 @@
- name: Host "{{ host1_fqdn }}" managed by "{{ 'host2.' + ipaserver_domain }}" again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
managedby_host: "{{ host2_fqdn }}"
register: result
@@ -57,7 +57,7 @@
- name: Host "{{ host1_fqdn }}" managed by "{{ groups.ipaserver[0] }}"
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
managedby_host: "{{ groups.ipaserver[0] }}"
action: member
@@ -66,7 +66,7 @@
- name: Host "{{ host1_fqdn }}" managed by "{{ groups.ipaserver[0] }}" again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
managedby_host: "{{ groups.ipaserver[0] }}"
action: member
@@ -75,7 +75,7 @@
- name: Host "{{ host1_fqdn }}" not managed by "{{ groups.ipaserver[0] }}"
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
managedby_host: "{{ groups.ipaserver[0] }}"
action: member
@@ -85,7 +85,7 @@
- name: Host "{{ host1_fqdn }}" not managed by "{{ groups.ipaserver[0] }}" again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
managedby_host: "{{ groups.ipaserver[0] }}"
action: member
@@ -95,7 +95,7 @@
- name: Host "{{ host1_fqdn }}" not managed by "{{ 'host2.' + ipaserver_domain }}"
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
managedby_host: "{{ host2_fqdn }}"
state: absent
@@ -105,7 +105,7 @@
- name: Host "{{ host1_fqdn }}" not managed by "{{ 'host2.' + ipaserver_domain }}" again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
managedby_host: "{{ host2_fqdn }}"
action: member
@@ -115,7 +115,7 @@
- name: Host absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
diff --git a/tests/host/test_host_principal.yml b/tests/host/test_host_principal.yml
index 0dce400a..6c7d0dc0 100644
--- a/tests/host/test_host_principal.yml
+++ b/tests/host/test_host_principal.yml
@@ -20,7 +20,7 @@
- name: Host host1 absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
update_dns: yes
@@ -28,7 +28,7 @@
- name: Host host1... present with principal host/testhost1...
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
principal:
- "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -38,7 +38,7 @@
- name: Host host1... principal host/host1... present (existing already)
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
principal:
- "{{ 'host/host1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -48,7 +48,7 @@
- name: Host host1... principal host/testhost1... present again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
principal: "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
action: member
@@ -57,7 +57,7 @@
- name: Host host1... principal host/testhost1... absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
principal: "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
action: member
@@ -67,7 +67,7 @@
- name: Host host1... principal host/testhost1... absent again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
principal: "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
action: member
@@ -77,7 +77,7 @@
- name: Host host1... principal host/testhost1... and host/myhost1... present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
principal:
- "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -88,7 +88,7 @@
- name: Host host1... principal host/testhost1... and host/myhost1... present again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
principal:
- "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -99,7 +99,7 @@
- name: Host host1... principal host/testhost1... and host/myhost1... absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
principal:
- "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -111,7 +111,7 @@
- name: Host host1... principal host/testhost1... and host/myhost1... absent again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
principal:
- "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}"
@@ -123,7 +123,7 @@
- name: Host host1... absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
update_dns: yes
diff --git a/tests/host/test_host_random.yml b/tests/host/test_host_random.yml
index 84893f90..4d1b2545 100644
--- a/tests/host/test_host_random.yml
+++ b/tests/host/test_host_random.yml
@@ -16,7 +16,7 @@
- name: Test hosts absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
@@ -25,7 +25,7 @@
- name: Host "{{ host1_fqdn }}" present with random password
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host1_fqdn }}"
random: yes
force: yes
@@ -43,14 +43,14 @@
- name: Host "{{ host1_fqdn }}" absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
state: absent
- name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" present with random password
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
random: yes
@@ -79,7 +79,7 @@
- name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
diff --git a/tests/host/test_host_reverse.yml b/tests/host/test_host_reverse.yml
new file mode 100644
index 00000000..9031b70b
--- /dev/null
+++ b/tests/host/test_host_reverse.yml
@@ -0,0 +1,103 @@
+---
+- name: Test host
+ hosts: ipaserver
+ become: true
+ gather_facts: true
+
+ tasks:
+ - name: Get Domain from server name
+ set_fact:
+ ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
+ when: ipaserver_domain is not defined
+
+ - name: Set host1_fqdn
+ set_fact:
+ host1_fqdn: "{{ 'host1.' + ipaserver_domain }}"
+
+ - name: Host absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ host1_fqdn }}"
+ update_dns: yes
+ state: absent
+
+ - name: Get IPv4 address prefix from server node
+ set_fact:
+ ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+ join('.') }}"
+ reverse_zone: "{{ ansible_default_ipv4.address.split('.')[2::-1] |
+ join('.') }}"
+
+ - name: Set zone for reverse address.
+ command: ipa dnszone-add "{{ item }}" --skip-nameserver-check --skip-overlap-check
+ with_items:
+ - "{{ reverse_zone + '.in-addr.arpa.' }}"
+ - 'ip6.arpa.'
+ ignore_errors: yes
+
+ - name: Host "{{ host1_fqdn }}" present
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.201' }}"
+ update_dns: yes
+ reverse: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present, again.
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.201' }}"
+ update_dns: yes
+ reverse: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Hosts host1 absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ host1_fqdn }}"
+ update_dns: yes
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with IPv6
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "fd00::0001"
+ update_dns: yes
+ reverse: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Host "{{ host1_fqdn }}" present with IPv6, again.
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ host1_fqdn }}"
+ ip_address: "fd00::0001"
+ update_dns: yes
+ reverse: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Hosts host1 absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ host1_fqdn }}"
+ update_dns: yes
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Set zone for reverse address.
+ command: ipa dnszone-del "{{ item }}"
+ with_items:
+ - "{{ reverse_zone + '.in-addr.arpa.' }}"
+ - 'ip6.arpa.'
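Review bot: The cleanup task closing the hunk runs `ipa dnszone-del` but still carries the setup task's name `Set zone for reverse address.`; rename it, e.g. `- name: Remove zones for reverse address.`. The setup `command: ipa dnszone-add …` uses `ignore_errors: yes`, which not only tolerates an already-existing zone but also hides unrelated failures (the `ipa` CLI missing or not authenticated), so the later `failed_when: not result.changed` checks then fail for a reason that is hard to diagnose; registering the result and using something like `failed_when: result.rc != 0 and 'already exists' not in result.stderr` (check the exact message the CLI prints) keeps the intended tolerance while surfacing real errors. Both `command` tasks report changed on every run, so `changed_when: false` on the cleanup keeps the play summary honest. Note also that the setup creates a top-level `ip6.arpa.` zone, which is far broader than the single `fd00::0001` address used and is a visible side effect on a shared test server.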
diff --git a/tests/host/test_hosts.yml b/tests/host/test_hosts.yml
index 8e92bf32..30fd6538 100644
--- a/tests/host/test_hosts.yml
+++ b/tests/host/test_hosts.yml
@@ -21,7 +21,7 @@
- name: Host host1..host6 absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
- name: "{{ host2_fqdn }}"
@@ -33,7 +33,7 @@
- name: Hosts host1..host6 present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
force: yes
@@ -52,7 +52,7 @@
- name: Hosts host1..host6 present again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
force: yes
@@ -71,7 +71,7 @@
- name: Hosts host1..host6 absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
- name: "{{ host2_fqdn }}"
@@ -85,7 +85,7 @@
- name: Hosts host1..host6 absent again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
- name: "{{ host2_fqdn }}"
diff --git a/tests/host/test_hosts_managedby_host.yml b/tests/host/test_hosts_managedby_host.yml
index a692745a..bd6452c4 100644
--- a/tests/host/test_hosts_managedby_host.yml
+++ b/tests/host/test_hosts_managedby_host.yml
@@ -19,7 +19,7 @@
- name: Host absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
@@ -31,7 +31,7 @@
- name: Host "{{ host5_fqdn }}" present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ host5_fqdn }}"
force: yes
register: result
@@ -39,7 +39,7 @@
- name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" present and managed by "{{ 'host5.' + ipaserver_domain }}"
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
managedby_host: "{{ host5_fqdn }}"
@@ -61,7 +61,7 @@
- name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" present and managed by "{{ 'host5.' + ipaserver_domain }}" again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
managedby_host: "{{ host5_fqdn }}"
@@ -83,7 +83,7 @@
- name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" managed by "{{ 'host5.' + ipaserver_domain }}"
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
managedby_host: "{{ host5_fqdn }}"
@@ -101,7 +101,7 @@
- name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" not managed by "{{ 'host5.' + ipaserver_domain }}"
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
managedby_host: "{{ host5_fqdn }}"
@@ -120,7 +120,7 @@
- name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" not managed by "{{ 'host5.' + ipaserver_domain }}" again
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
managedby_host: "{{ host5_fqdn }}"
@@ -139,7 +139,7 @@
- name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
- name: "{{ host2_fqdn }}"
diff --git a/tests/host/test_hosts_principal.yml b/tests/host/test_hosts_principal.yml
index 5918d35d..87e3a853 100644
--- a/tests/host/test_hosts_principal.yml
+++ b/tests/host/test_hosts_principal.yml
@@ -21,7 +21,7 @@
- name: Host host1... and host2... absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
@@ -30,7 +30,7 @@
- name: Host hostX... present with principal host/testhostX... X=[1,2]
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
principal:
@@ -45,7 +45,7 @@
- name: Host hostX... principal 'host/hostX... present (existing already) X=[1,2]
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
principal:
@@ -59,7 +59,7 @@
- name: Host hostX... principal host/testhostX... present again X=[1,2]
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
principal:
@@ -73,7 +73,7 @@
- name: Host hostX.. principal host/testhostX... absent X=[1,2]
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
principal:
@@ -88,7 +88,7 @@
- name: Host hostX... principal host/testhostX... absent again X=[1,2]
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
principal:
@@ -103,7 +103,7 @@
- name: Host hostX... principal host/testhostX... and host/myhostX... present X=[1,2]
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
principal:
@@ -119,7 +119,7 @@
- name: Host hostX... principal host/testhostX... and host/myhostX... present again X=[1,2]
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
principal:
@@ -135,7 +135,7 @@
- name: Host hostX... principal host/testhostX... and host/myhostX... absent X=[1,2]
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
principal:
@@ -153,7 +153,7 @@
- name: Host hostX... principal host/testhostX... and host/myhostX... absent again X=[1,2]
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
hosts:
- name: "{{ host1_fqdn }}"
principal:
@@ -171,7 +171,7 @@
- name: Hosts host1... and host2... absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
diff --git a/tests/hostgroup/test_hostgroup.yml b/tests/hostgroup/test_hostgroup.yml
index c3c44966..ba449a06 100644
--- a/tests/hostgroup/test_hostgroup.yml
+++ b/tests/hostgroup/test_hostgroup.yml
@@ -1,5 +1,5 @@
---
-- name: Tests
+- name: Test hostgroup
hosts: ipaserver
become: true
gather_facts: false
@@ -12,7 +12,7 @@
- name: Ensure host-group databases, mysql-server and oracle-server are absent
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- databases
- mysql-server
@@ -21,7 +21,7 @@
- name: Test hosts db1 and db2 absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ 'db1.' + ipaserver_domain }}"
- "{{ 'db2.' + ipaserver_domain }}"
@@ -29,7 +29,7 @@
- name: Host "{{ 'db1.' + ipaserver_domain }}" present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ 'db1.' + ipaserver_domain }}"
force: yes
register: result
@@ -37,7 +37,7 @@
- name: Host "{{ 'db2.' + ipaserver_domain }}" present
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: "{{ 'db2.' + ipaserver_domain }}"
force: yes
register: result
@@ -45,7 +45,7 @@
- name: Ensure host-group mysql-server is present
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: mysql-server
state: present
register: result
@@ -53,7 +53,7 @@
- name: Ensure host-group mysql-server is present again
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: mysql-server
state: present
register: result
@@ -61,7 +61,7 @@
- name: Ensure host-group oracle-server is present
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: oracle-server
state: present
register: result
@@ -69,7 +69,7 @@
- name: Ensure host-group oracle-server is present again
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: oracle-server
state: present
register: result
@@ -77,7 +77,7 @@
- name: Ensure host-group databases is present
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
state: present
host:
@@ -89,7 +89,7 @@
- name: Ensure host-group databases is present again
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
state: present
host:
@@ -101,7 +101,7 @@
- name: Ensure host db2 is member of host-group databases
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
state: present
host:
@@ -112,7 +112,7 @@
- name: Ensure host db2 is member of host-group databases again
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
state: present
host:
@@ -123,7 +123,7 @@
- name: Ensure host-group mysql-server is member of host-group databases
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
state: present
hostgroup:
@@ -134,7 +134,7 @@
- name: Ensure host-group mysql-server is member of host-group databases again
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
state: present
hostgroup:
@@ -145,7 +145,7 @@
- name: Ensure host-group oracle-server is member of host-group databases (again)
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: databases
state: present
hostgroup:
@@ -156,7 +156,7 @@
- name: Ensure host-group databases, mysql-server and oracle-server are absent
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- databases
- mysql-server
@@ -167,7 +167,7 @@
- name: Ensure host-group databases, mysql-server and oracle-server are absent again
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- databases
- mysql-server
@@ -178,7 +178,7 @@
- name: Test hosts db1 and db2 absent
ipahost:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- "{{ 'db1.' + ipaserver_domain }}"
- "{{ 'db2.' + ipaserver_domain }}"
diff --git a/tests/pwpolicy/test_pwpolicy.yml b/tests/pwpolicy/test_pwpolicy.yml
index 5c69345c..d5a254e4 100644
--- a/tests/pwpolicy/test_pwpolicy.yml
+++ b/tests/pwpolicy/test_pwpolicy.yml
@@ -1,14 +1,34 @@
---
-- name: Tests
+- name: Test pwpolicy
hosts: ipaserver
become: true
gather_facts: false
tasks:
+ - name: Ensure maxlife of 90 for global_policy
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ maxlife: 90
+
+ - name: Ensure absence of group ops
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: ops
+ state: absent
+
+ - name: Ensure absence of pwpolicies for group ops
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ name: ops
+ state: absent
+
- name: Ensure presence of group ops
ipagroup:
ipaadmin_password: SomeADMINpassword
name: ops
+ state: present
+ register: result
+ failed_when: not result.changed
- name: Ensure presence of pwpolicies for group ops
ipapwpolicy:
@@ -42,6 +62,28 @@
register: result
failed_when: result.changed
+ - name: Ensure maxlife of 49 for global_policy
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ maxlife: 49
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure maxlife of 49 for global_policy again
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ maxlife: 49
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure absence of pwpoliciy global_policy will fail
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ state: absent
+ register: result
+ ignore_errors: True
+ failed_when: result is defined and result
+
- name: Ensure absence of pwpolicies for group ops
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
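Review bot: The negative test `Ensure absence of pwpoliciy global_policy will fail` can never fail the play as written: `failed_when: result is defined and result` is true for every registered result (a non-empty dict), so the task is always marked failed, and `ignore_errors: True` then discards that failure whether or not the module actually refused the deletion. The idiomatic form drops `ignore_errors` and lets `failed_when` override the module status, `failed_when: result is not failed`, optionally also asserting on `result.msg` so that only the expected rejection counts as success. The task name has a typo, `pwpoliciy`. The rest of the file writes booleans in lowercase (`become: true`), so `True` is the odd one out for yamllint's truthy rule.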
@@ -50,6 +92,13 @@
register: result
failed_when: not result.changed
+ - name: Ensure maxlife of 90 for global_policy
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ maxlife: 90
+ register: result
+ failed_when: not result.changed
+
- name: Ensure absence of pwpolicies for group ops
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
diff --git a/tests/service/certificate/cert1.der b/tests/service/certificate/cert1.der
new file mode 100644
index 00000000..b1b90efd
Binary files /dev/null and b/tests/service/certificate/cert1.der differ
diff --git a/tests/service/certificate/cert1.pem b/tests/service/certificate/cert1.pem
new file mode 100644
index 00000000..ab3704bb
--- /dev/null
+++ b/tests/service/certificate/cert1.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQx
+MDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk
++OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa
+8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0am
+nvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cj
+QQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidS
+X0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYuku
+H/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0
+WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
+uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkG
+wIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyE
+iaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj
+9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV
+7MVq
+-----END CERTIFICATE-----
diff --git a/tests/service/certificate/cert2.der b/tests/service/certificate/cert2.der
new file mode 100644
index 00000000..e176c2ba
Binary files /dev/null and b/tests/service/certificate/cert2.der differ
diff --git a/tests/service/certificate/cert2.pem b/tests/service/certificate/cert2.pem
new file mode 100644
index 00000000..e8ea2e43
--- /dev/null
+++ b/tests/service/certificate/cert2.pem
@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/zCCAeegAwIBAgIURhps6LEteMDCdBrlVkWe4cgSh0YwDQYJKoZIhvcNAQEL
+BQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQyNDBaFw0zMDAyMDExNDQy
+NDBaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC4W56H0VraEKGlCxSTS2PqnaD11shMjruexmholmTEtYPePPnQHpwiiZlg
+K7CPBIOdCn4hHH+hXQDg/TJRMjrde1VzD0pFRBUq6H25sy8oOlfD0bDXkncWn82S
+OJu2UJHeL7htQLRxW14VIAO2YO9zaXdophy6/csTAkFq1ls/vTBp73pnnYp8D7Tg
+zBB6bb95OZBSHeCzPIH2FSCJ/W0j6bHw4i7uHu/jWx0o0LR152fSFFwk0Wrmp8HH
+b2083OlnSBgTM+BZDg9rB7jpLCsIGHWXbjG36jmRaZu5z4vq2FNomJ8PXkX7mwUf
+aft6z+px7UlhrwUxEVWIXOoUBYcJAgMBAAGjUzBRMB0GA1UdDgQWBBTttCQn5UaQ
+i+N5WRnA7ZTQlkVfRTAfBgNVHSMEGDAWgBTttCQn5UaQi+N5WRnA7ZTQlkVfRTAP
+BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBW3vRR5wEDztuLVrcQ
+Dojn1XB24OOqn4C6OJyz3FUxd4MQA8J2vKN4P2QXhY0oYsauFKhR5xfOaDUcK2Tu
+kAtFz1mxqm1ygUVQHbrs8lBeIi4hoMc76ODJ/V9GNY7N/y/5xtD7XlyTVT2tb6tc
+6tmv8e4497PTPspuHp9YbbvzdSI12JENDW4hKCOpR/Uv7mRcCT+c2iMJdUL3f3YO
+FsGBbxVdTPmuhL4My8qR/CtCNpN0gBsaxUKFAP+/1AvFbFDChFVDEEdD8PLznH5x
+8HLmA9/K5x/cXbgqESUqK13P53f1XYOfggKb1f7yqBAZRnTY82+k9Kn9qWOcnyxS
+uUtZ
+-----END CERTIFICATE-----
diff --git a/tests/service/certificate/private1.key b/tests/service/certificate/private1.key
new file mode 100644
index 00000000..372908d2
--- /dev/null
+++ b/tests/service/certificate/private1.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
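Review bot: Two private keys are added under tests/service/certificate/ (this hunk and private2.key), but nothing in the visible test playbooks reads them: test_service_certificate.yml inlines the base64 DER of the certificates, and its header already records the `openssl req` commands that regenerate the key/certificate pairs. Committing key material, even throwaway self-signed keys, trips secret scanners and pre-commit hooks for every downstream consumer of the repository; keeping only the certificates, or generating the pair at test time, avoids that. If the keys are kept on purpose, a one-line comment in the playbook header saying they are test-only and never installed anywhere would answer the obvious question.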
diff --git a/tests/service/certificate/private2.key b/tests/service/certificate/private2.key
new file mode 100644
index 00000000..58909dbf
--- /dev/null
+++ b/tests/service/certificate/private2.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----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+-----END PRIVATE KEY-----
diff --git a/tests/service/certificate/test_service_certificate.yml b/tests/service/certificate/test_service_certificate.yml
new file mode 100644
index 00000000..89c46f10
--- /dev/null
+++ b/tests/service/certificate/test_service_certificate.yml
@@ -0,0 +1,225 @@
+#
+# Generate self-signed certificates using openssl:
+#
+# openssl req -x509 -newkey rsa:2048 -days 3650 -nodes -keyout private1.key -out cert1.pem -subj '/CN=test'
+# openssl req -x509 -newkey rsa:2048 -days 3650 -nodes -keyout private2.key -out cert2.pem -subj '/CN=test'
+#
+# Convert the certificate do DER for easier handling through CLI
+#
+# openssl x509 -outform der -in cert1.pem -out cert1.der
+# openssl x509 -outform der -in cert2.pem -out cert2.der
+#
+# Use base64:
+#
+# base64 cert1.der -w5000
+# base64 cert2.der -w5000
+#
+# Certificates:
+# cert1:
+# - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqicuPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
+# cert2:
+# - 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
+
+---
+- name: Test service certificates
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ # setup
+ - name: Get Domain from server name
+ set_fact:
+ ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
+ when: ipaserver_domain is not defined
+
+ - name: Get IPv4 address prefix from server node
+ set_fact:
+ ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+ join('.') }}"
+
+ - name: Set test host FQDN
+ set_fact:
+ test_subdomain: testcert
+ test_host: "{{ 'testcert.' + ipaserver_domain }}"
+
+ - name: Host test absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ test_host }}"
+ update_dns: yes
+ state: absent
+
+ - name: Host test present
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ test_host }}"
+ ip_address: "{{ ipv4_prefix + '.201' }}"
+ update_dns: yes
+
+ - name: Ensure testing group group01 is present.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: group01
+
+ - name: Ensure testing group group02 is present.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: group02
+
+ - name: Ensure services are absent.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ state: absent
+
+ # tests
+ - name: Ensure service is present
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ certificate:
+ - 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
+ pac_type:
+ - MS-PAC
+ - PAD
+ auth_ind: otp
+ force: no
+ requires_pre_auth: yes
+ ok_as_delegate: no
+ ok_to_auth_as_delegate: no
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is present, again
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ certificate:
+ - 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
+ pac_type:
+ - MS_PAC
+ - PAD
+ auth_ind: otp
+ force: no
+ requires_pre_auth: yes
+ ok_as_delegate: no
+ ok_to_auth_as_delegate: no
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure service is disabled
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ state: disabled
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service member certificate is present.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ certificate:
+ - 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
+ action: member
+ state: present
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service member certificate is present, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ certificate:
+ - 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
+ action: member
+ state: present
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure service multiple member certificates are present, with duplicate.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ certificate:
+ - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqicuPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
+ - 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
+ action: member
+ state: present
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service member certificate is absent.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ certificate:
+ - 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
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service member certificate is absent, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ certificate:
+ - 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
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure service member certificates are absent.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ certificate:
+ - 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
+ - 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
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service multiple member certificates is present.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ certificate:
+ - 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
+ action: member
+ state: present
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is disabled
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ state: disabled
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is disabled, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ state: disabled
+ register: result
+ failed_when: result.changed
+
+ # cleanup
+ - name: Ensure services are absent.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ test_host }}"
+ state: absent
+
+ - name: Ensure host is absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ test_host }}"
+ update_dns: yes
+ state: absent
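Review bot: The idempotency check `Ensure service is present, again` uses `pac_type: - MS_PAC` where the first task used `MS-PAC`, so the two tasks are not the same request; depending on how the module validates the value the second task either errors or reports a change, and `failed_when: result.changed` then fails for the wrong reason — it should read `- MS-PAC` like the first task. The setup also creates `group01` and `group02`, which no task in this file uses and the `# cleanup` section does not remove, so every run leaves them behind; either drop those two tasks or add matching `state: absent` tasks to the cleanup. The file mixes `yes`/`no` with `true` (`become: true`); yamllint's truthy rule prefers `true`/`false` throughout.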
diff --git a/tests/service/test_service.yml b/tests/service/test_service.yml
new file mode 100644
index 00000000..10d1285a
--- /dev/null
+++ b/tests/service/test_service.yml
@@ -0,0 +1,536 @@
+# This test uses skip_host_check, so it will fail if not using
+# FreeIPA version 4.7.0 or later.
+#
+# To test against earlier versions, use test_without_skip_host_check.yml.
+#
+# This test define 6 hosts:
+# - www.ansible.com: a host with a DNS setup (external), not present in IPA
+# - no.idontexist.info: a host without DNS and not present in IPA.
+# - svc.ihavenodns.inf: a host without DNS, but present in IPA.
+# - svc_fqdn: a host with DNS and present in IPA.
+# - host1_fqdn and host2_fqdn: used for member actions only.
+#
+---
+- name: Test service
+ hosts: ipaserver
+ become: yes
+
+ tasks:
+ # setup
+ - name: Get Domain from server name
+ set_fact:
+ ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
+ when: ipaserver_domain is not defined
+
+ - name: Set host1, host2 and svc hosts fqdn
+ set_fact:
+ host1_fqdn: "{{ 'host1.' + ipaserver_domain }}"
+ host2_fqdn: "{{ 'host2.' + ipaserver_domain }}"
+ svc_fqdn: "{{ 'svc.' + ipaserver_domain }}"
+
+ - name: Host absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - www.ansible.com
+ - no.idontexist.info
+ - svc.ihavenodns.info
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ - "{{ svc_fqdn }}"
+ update_dns: no
+ state: absent
+
+ - name: Get IPv4 address prefix from server node
+ set_fact:
+ ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+ join('.') }}"
+
+ - name: Add hosts for tests.
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: "{{ host1_fqdn }}"
+ force: yes
+ - name: "{{ host2_fqdn }}"
+ force: yes
+ - name: "{{ svc_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.201' }}"
+ - name: svc.ihavenodns.info
+ force: yes
+
+ - name: Ensure testing user user01 is present.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name: user01
+ first: user01
+ last: last
+
+ - name: Ensure testing user user02 is present.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name: user02
+ first: user02
+ last: last
+
+ - name: Ensure testing group group01 is present.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: group01
+
+ - name: Ensure testing group group02 is present.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: group02
+
+ - name: Ensure testing hostgroup hostgroup01 is present.
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: hostgroup01
+
+ - name: Ensure testing hostgroup hostgroup02 is present.
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: hostgroup02
+
+ - name: Ensure services are absent.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "HTTP/{{ svc_fqdn }}"
+ - HTTP/www.ansible.com
+ - HTTP/svc.ihavenodns.info
+ - HTTP/no.idontexist.info
+ state: absent
+
+ # tests
+ - name: Ensure service is present
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ pac_type:
+ - MS-PAC
+ - PAD
+ auth_ind: otp
+ skip_host_check: no
+ force: no
+ requires_pre_auth: yes
+ ok_as_delegate: no
+ ok_to_auth_as_delegate: no
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is present, again
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ pac_type:
+ - MS_PAC
+ - PAD
+ auth_ind: otp
+ skip_host_check: no
+ force: no
+ requires_pre_auth: yes
+ ok_as_delegate: no
+ ok_to_auth_as_delegate: no
+ register: result
+ failed_when: result.changed
+
+ - name: Modify service.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ pac_type: NONE
+ ok_as_delegate: yes
+ ok_to_auth_as_delegate: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Modify service, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ pac_type: NONE
+ ok_as_delegate: yes
+ ok_to_auth_as_delegate: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure service is present, without host object.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.ansible.com
+ skip_host_check: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is present, without host object, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/www.ansible.com
+ skip_host_check: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure service is present, with host not in DNS.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/svc.ihavenodns.info
+ skip_host_check: no
+ force: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is present, with host not in DNS, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/svc.ihavenodns.info
+ skip_host_check: no
+ force: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure service is present, whithout host object and with host not in DNS.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/no.idontexist.info
+ skip_host_check: yes
+ force: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is present, whithout host object and with host not in DNS, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/no.idontexist.info
+ skip_host_check: yes
+ force: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Principal host/test.example.com present in service.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ principal:
+ - host/test.example.com
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Principal host/test.example.com present in service, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ principal:
+ - host/test.example.com
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Principal host/test.example.com absent in service.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ principal:
+ - host/test.example.com
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Principal host/test.example.com absent in service, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ principal:
+ - host/test.example.com
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure host can manage service.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure host can manage service, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ host: "{{ host1_fqdn }}"
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure host cannot manage service.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure host cannot manage service, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_create_keytab_user:
+ - user01
+ - user02
+ allow_create_keytab_group:
+ - group01
+ - group02
+ allow_create_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_create_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_create_keytab_user:
+ - user01
+ - user02
+ allow_create_keytab_group:
+ - group01
+ - group02
+ allow_create_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_create_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_create_keytab_user:
+ - user01
+ - user02
+ allow_create_keytab_group:
+ - group01
+ - group02
+ allow_create_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_create_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_create_keytab_user:
+ - user01
+ - user02
+ allow_create_keytab_group:
+ - group01
+ - group02
+ allow_create_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_create_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - "{{ host1_fqdn }}"
+ - host02.exampl "{{ groups.ipaserver[0] }}"e.com
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ #
+ - name: Ensure service is absent
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is absent, again
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ # cleanup
+
+ - name: Ensure services are absent.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "HTTP/{{ svc_fqdn }}"
+ - HTTP/www.ansible.com
+ - HTTP/svc.ihavenodns.info
+ - HTTP/no.idontexist.local
+ state: absent
+
+ - name: Ensure host "{{ svc_fqdn }}" is absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name: "{{ svc_fqdn }}"
+ update_dns: yes
+ state: absent
+
+ - name: Ensure host is absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ - www.ansible.com
+ - svc.ihavenodns.info
+ update_dns: no
+ state: absent
+
+ - name: Ensure testing users are absent.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - user01
+ - user02
+ state: absent
+
+ - name: Ensure testing groups are absent.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - group01
+ - group02
+ state: absent
+
+ - name: Ensure testing hostgroup hostgroup01 is absent.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - hostgroup01
+ state: absent
+
+ - name: Ensure testing hostgroup hostgroup02 is absent.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - hostgroup02
+ state: absent
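Review bot: The `allow_retrieve_keytab_host` entry in the "again" retrieve-keytab task is garbled (`- host02.exampl "{{ groups.ipaserver[0] }}"e.com`), so that idempotence check no longer replays the previous task's input and will either fail on an unknown host or report a change; it should be `- "{{ host2_fqdn }}"` as in the preceding task. The cleanup also leaves objects behind: the final service list names `HTTP/no.idontexist.local` where setup and the tests use `HTTP/no.idontexist.info`, and the two hostgroup cleanup tasks call `ipagroup` where setup used `ipahostgroup`, so hostgroup01/hostgroup02 persist between runs. The same garbled host line and the `ipagroup`/`ipahostgroup` mismatch recur in tests/service/test_service_without_skip_host_check.yml (its "again" retrieve-keytab task and its last two cleanup tasks). The "again" pac_type value `MS_PAC` also differs from `MS-PAC` in the first task in both files, so that check does not exercise the same input unless the module normalizes the name.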
diff --git a/tests/service/test_service_without_skip_host_check.yml b/tests/service/test_service_without_skip_host_check.yml
new file mode 100644
index 00000000..147da0c9
--- /dev/null
+++ b/tests/service/test_service_without_skip_host_check.yml
@@ -0,0 +1,476 @@
+---
+- name: Test service without using option skip_host_check
+ hosts: ipaserver
+ become: yes
+
+ tasks:
+ # setup
+ - name: Get Domain from server name
+ set_fact:
+ ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}"
+ when: ipaserver_domain is not defined
+
+ - name: Set host1, host2 and svc hosts fqdn
+ set_fact:
+ host1_fqdn: "{{ 'host1.' + ipaserver_domain }}"
+ host2_fqdn: "{{ 'host2.' + ipaserver_domain }}"
+ svc_fqdn: "{{ 'svc.' + ipaserver_domain }}"
+
+ - name: Host absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - svc.ihavenodns.info
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ - "{{ svc_fqdn }}"
+ update_dns: yes
+ state: absent
+
+ - name: Get IPv4 address prefix from server node
+ set_fact:
+ ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] |
+ join('.') }}"
+
+ - name: Add hosts for tests.
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ hosts:
+ - name: "{{ host1_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.201' }}"
+ update_dns: yes
+ - name: "{{ host2_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.202' }}"
+ update_dns: yes
+ - name: "{{ svc_fqdn }}"
+ ip_address: "{{ ipv4_prefix + '.203' }}"
+ update_dns: yes
+ - name: svc.ihavenodns.info
+ update_dns: no
+ force: yes
+
+ - name: Ensure testing user user01 is present.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name: user01
+ first: user01
+ last: last
+
+ - name: Ensure testing user user02 is present.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name: user02
+ first: user02
+ last: last
+
+ - name: Ensure testing group group01 is present.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: group01
+
+ - name: Ensure testing group group02 is present.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: group02
+
+ - name: Ensure testing hostgroup hostgroup01 is present.
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: hostgroup01
+
+ - name: Ensure testing hostgroup hostgroup02 is present.
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: hostgroup02
+
+ - name: Ensure services are absent.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "HTTP/{{ svc_fqdn }}"
+ - HTTP/svc.ihavenodns.info
+ state: absent
+
+ # tests
+ - name: Ensure service is present
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ pac_type:
+ - MS-PAC
+ - PAD
+ auth_ind: otp
+ force: no
+ requires_pre_auth: yes
+ ok_as_delegate: no
+ ok_to_auth_as_delegate: no
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is present, again
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ pac_type:
+ - MS_PAC
+ - PAD
+ auth_ind: otp
+ force: no
+ requires_pre_auth: yes
+ ok_as_delegate: no
+ ok_to_auth_as_delegate: no
+ register: result
+ failed_when: result.changed
+
+ - name: Modify service.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ pac_type: NONE
+ ok_as_delegate: yes
+ ok_to_auth_as_delegate: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Modify service, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ pac_type: NONE
+ ok_as_delegate: yes
+ ok_to_auth_as_delegate: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure service is present, with host not in DNS.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/svc.ihavenodns.info
+ force: yes
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is present, with host not in DNS, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: HTTP/svc.ihavenodns.info
+ force: yes
+ register: result
+ failed_when: result.changed
+
+ - name: Principal host/test.example.com present in service.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ principal:
+ - host/test.example.com
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Principal host/test.exabple.com present in service, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ principal:
+ - host/test.example.com
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Principal host/test.example.com absent in service.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ principal:
+ - host/test.example.com
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Principal host/test.example.com absent in service, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ principal:
+ - host/test.example.com
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure host can manage service.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure host can manage service, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ host: "{{ host1_fqdn }}"
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure host cannot manage service.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure host cannot manage service, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_create_keytab_user:
+ - user01
+ - user02
+ allow_create_keytab_group:
+ - group01
+ - group02
+ allow_create_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_create_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_create_keytab_user:
+ - user01
+ - user02
+ allow_create_keytab_group:
+ - group01
+ - group02
+ allow_create_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_create_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_create_keytab_user:
+ - user01
+ - user02
+ allow_create_keytab_group:
+ - group01
+ - group02
+ allow_create_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_create_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_create_keytab_user:
+ - user01
+ - user02
+ allow_create_keytab_group:
+ - group01
+ - group02
+ allow_create_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_create_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - "{{ host1_fqdn }}"
+ - host02.exampl "{{ groups.ipaserver[0] }}"e.com
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups, again.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ allow_retrieve_keytab_user:
+ - user01
+ - user02
+ allow_retrieve_keytab_group:
+ - group01
+ - group02
+ allow_retrieve_keytab_host:
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ allow_retrieve_keytab_hostgroup:
+ - hostgroup01
+ - hostgroup02
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ #
+ - name: Ensure service is absent
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service is absent, again
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name: "HTTP/{{ svc_fqdn }}"
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ # cleanup
+
+ - name: Ensure services are absent.
+ ipaservice:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "HTTP/{{ svc_fqdn }}"
+ - HTTP/svc.ihavenodns.info
+ state: absent
+
+ - name: Ensure host is absent
+ ipahost:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - "{{ svc_fqdn }}"
+ - "{{ host1_fqdn }}"
+ - "{{ host2_fqdn }}"
+ - svc.ihavenodns.info
+ state: absent
+
+ - name: Ensure testing users are absent.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - user01
+ - user02
+ state: absent
+
+ - name: Ensure testing groups are absent.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - group01
+ - group02
+ state: absent
+
+ - name: Ensure testing hostgroup hostgroup01 is absent.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - hostgroup01
+ state: absent
+
+ - name: Ensure testing hostgroup hostgroup02 is absent.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - hostgroup02
+ state: absent
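Review bot: The cleanup task "Ensure host is absent" removes the hosts that setup created with `update_dns: yes` and explicit `ip_address` values, but it omits `update_dns`, so the DNS records setup added are presumably left behind after the run unless the module defaults to removing them; adding `update_dns: yes` to that task would mirror the "Host absent" task at the top of the play. Separately, the task name `Principal host/test.exabple.com present in service, again.` has a typo for `test.example.com`, which makes the log output inconsistent with the sibling tasks.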
diff --git a/tests/sudocmd/test_sudocmd.yml b/tests/sudocmd/test_sudocmd.yml
index 97427869..c66e8108 100644
--- a/tests/sudocmd/test_sudocmd.yml
+++ b/tests/sudocmd/test_sudocmd.yml
@@ -1,6 +1,6 @@
---
-- name: Tests
+- name: Test sudocmd
hosts: ipaserver
become: true
gather_facts: false
@@ -8,7 +8,7 @@
tasks:
- name: Ensure sudocmds are absent
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- /usr/bin/su
- /usr/sbin/ifconfig
@@ -17,7 +17,7 @@
- name: Ensure sudocmd is present
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: present
register: result
@@ -25,7 +25,7 @@
- name: Ensure sudocmd is present again
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: present
register: result
@@ -33,7 +33,7 @@
- name: Ensure sudocmd is absent
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: absent
register: result
@@ -41,7 +41,7 @@
- name: Ensure sudocmd is absent again
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: absent
register: result
@@ -49,7 +49,7 @@
- name: Ensure multiple sudocmd are present
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- /usr/sbin/ifconfig
- /usr/sbin/iwlist
@@ -59,7 +59,7 @@
- name: Ensure multiple sudocmd are present again
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- /usr/sbin/ifconfig
- /usr/sbin/iwlist
@@ -69,7 +69,7 @@
- name: Ensure multiple sudocmd are absent
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- /usr/sbin/ifconfig
- /usr/sbin/iwlist
@@ -79,7 +79,7 @@
- name: Ensure multiple sudocmd are absent again
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- /usr/sbin/ifconfig
- /usr/sbin/iwlist
@@ -88,7 +88,7 @@
failed_when: result.changed
- name: Ensure sudocmds are absent
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- /usr/bin/su
- /usr/sbin/ifconfig
@@ -97,21 +97,21 @@
- name: Ensure sudocmds are absent
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- /usr/sbin/ifconfig
state: absent
- name: Ensure sudocmds are present
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- /usr/sbin/iwlist
state: present
- name: Ensure multiple sudocmd are absent when only one was present
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- /usr/sbin/ifconfig
- /usr/sbin/iwlist
diff --git a/tests/sudocmdgroup/test_sudocmdgroup.yml b/tests/sudocmdgroup/test_sudocmdgroup.yml
index 226e986f..ce149de6 100644
--- a/tests/sudocmdgroup/test_sudocmdgroup.yml
+++ b/tests/sudocmdgroup/test_sudocmdgroup.yml
@@ -1,6 +1,6 @@
---
-- name: Tests
+- name: Test sudocmdgroup
hosts: ipaserver
become: true
gather_facts: false
@@ -8,7 +8,7 @@
tasks:
- name: Ensure sudocmds are present
ipasudocmd:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- /usr/bin/su
- /usr/sbin/ifconfig
@@ -17,13 +17,13 @@
- name: Ensure sudocmdgroup is absent
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
state: absent
- name: Ensure sudocmdgroup is present
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
state: present
register: result
@@ -31,7 +31,7 @@
- name: Ensure sudocmdgroup is present again
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
state: present
register: result
@@ -39,7 +39,7 @@
- name: Ensure sudocmdgroup is absent
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
state: absent
register: result
@@ -47,7 +47,7 @@
- name: Ensure sudocmdgroup is absent again
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
state: absent
register: result
@@ -55,7 +55,7 @@
- name: Ensure testing sudocmdgroup is present
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
state: present
register: result
@@ -63,7 +63,7 @@
- name: Ensure sudo commands are present in existing sudocmdgroup
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig
@@ -74,7 +74,7 @@
- name: Ensure sudo commands are present in existing sudocmdgroup, again
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig
@@ -85,7 +85,7 @@
- name: Ensure sudo commands are absent in existing sudocmdgroup
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig
@@ -97,7 +97,7 @@
- name: Ensure sudo commands are absent in existing sudocmdgroup, again
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig
@@ -109,7 +109,7 @@
- name: Ensure sudo commands are present in sudocmdgroup
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig
@@ -121,7 +121,7 @@
- name: Ensure one sudo command is not present in sudocmdgroup
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig
@@ -132,7 +132,7 @@
- name: Ensure one sudo command is present in sudocmdgroup
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig
@@ -143,7 +143,7 @@
- name: Ensure the other sudo command is not present in sudocmdgroup
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/iwlist
@@ -154,7 +154,7 @@
- name: Ensure the other sudo commandsis not present in sudocmdgroup, again
ipasudocmdgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/iwlist
diff --git a/tests/sudorule/test_sudorule.yml b/tests/sudorule/test_sudorule.yml
index 88ed90ab..0c4aef7f 100644
--- a/tests/sudorule/test_sudorule.yml
+++ b/tests/sudorule/test_sudorule.yml
@@ -1,6 +1,6 @@
---
-- name: Tests
+- name: Test sudorule
hosts: ipaserver
become: true
gather_facts: false
@@ -9,22 +9,29 @@
- name: Ensure hostgroup is present, with a host.
ipahostgroup:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: cluster
host:
- "{{ groups.ipaserver[0] }}"
- name: Ensure some sudocmds are available
ipasudocmd:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name:
- /sbin/ifconfig
- /usr/bin/vim
state: present
+ - name: Ensure sudocmdgroup is available
+ ipasudocmdgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: test_sudorule
+ sudocmd: /usr/bin/vim
+ state: present
+
- name: Ensure sudorules are absent
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name:
- testrule1
- allusers
@@ -34,21 +41,21 @@
- name: Ensure sudorule is present
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
register: result
failed_when: not result.changed
- name: Ensure sudorule is present again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
register: result
failed_when: result.changed
- name: Ensure sudorule is present, runAsUserCategory.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
runAsUserCategory: all
register: result
@@ -56,7 +63,7 @@
- name: Ensure sudorule is present, with usercategory 'all'
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allusers
usercategory: all
register: result
@@ -64,7 +71,7 @@
- name: Ensure sudorule is present, with usercategory 'all', again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allusers
usercategory: all
register: result
@@ -72,7 +79,7 @@
- name: Ensure sudorule is present, with hostategory 'all'
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allhosts
hostcategory: all
register: result
@@ -80,7 +87,7 @@
- name: Ensure sudorule is present, with hostategory 'all', again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allhosts
hostcategory: all
register: result
@@ -88,13 +95,13 @@
- name: Ensure sudorule is disabled
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
state: disabled
- name: Ensure sudorule is disabled, again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
state: disabled
register: result
@@ -102,7 +109,7 @@
- name: Ensure sudorule is enabled
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
state: enabled
register: result
@@ -110,37 +117,77 @@
- name: Ensure sudorule is enabled, again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
state: enabled
register: result
failed_when: result.changed
- - name: Ensure sudorule is present and some sudocmd are a member of it.
+ - name: Ensure sudorule is present and some sudocmd are allowed.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
- cmd:
+ allow_sudocmd:
- /sbin/ifconfig
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure sudorule is present and some sudocmd are allowed, again.
+ ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ allow_sudocmd:
+ - /sbin/ifconfig
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure sudorule is present and some sudocmd are denyed.
+ ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ deny_sudocmd:
- /usr/bin/vim
action: member
register: result
failed_when: not result.changed
- - name: Ensure sudorule is present and some sudocmd are a member of it, again.
+ - name: Ensure sudorule is present and some sudocmd are denyed, again.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
- cmd:
- - /sbin/ifconfig
+ deny_sudocmd:
- /usr/bin/vim
action: member
register: result
failed_when: result.changed
+ - name: Ensure sudorule is present and, sudocmds are absent.
+ ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ allow_sudocmd: /sbin/ifconfig
+ deny_sudocmd: /usr/bin/vim
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure sudorule is present and, sudocmds are absent, again.
+ ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ allow_sudocmd: /sbin/ifconfig
+ deny_sudocmd: /usr/bin/vim
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
- name: Ensure sudorule is present with cmdcategory 'all'.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allcommands
cmdcategory: all
register: result
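Review bot: The two new deny_sudocmd task names misspell "denied" as "denyed"; task names are what the run log shows for a failing step, so they should read `- name: Ensure sudorule is present and some sudocmd are denied.` and `- name: Ensure sudorule is present and some sudocmd are denied, again.`. The two "sudocmds are absent" task names carry a stray comma (`present and, sudocmds are absent`); `- name: Ensure sudorule is present and sudocmds are absent.` reads cleanly. As a point of style, those absent tasks pass `allow_sudocmd: /sbin/ifconfig` as a bare scalar while the member tasks just above use a one-item list; using one form throughout makes the command lists easier to grep. The enclosing play starts and ends outside this hunk.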
@@ -148,7 +195,7 @@
- name: Ensure sudorule is present with cmdcategory 'all', again.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allcommands
cmdcategory: all
register: result
@@ -156,7 +203,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
host: "{{ groups.ipaserver[0] }}"
action: member
@@ -165,7 +212,7 @@
- name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
host: "{{ groups.ipaserver[0] }}"
action: member
@@ -174,7 +221,7 @@
- name: Ensure hostgroup is present in sudorule.
ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
hostgroup: cluster
action: member
@@ -183,32 +230,84 @@
- name: Ensure hostgroup is present in sudorule, again.
ipasudorule:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: testrule1
hostgroup: cluster
action: member
register: result
failed_when: result.changed
- - name: Ensure sudorule sudocmds are absent
+ - name: Ensure sudorule is present, with an allow_sudocmdgroup.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
- cmd:
- - /sbin/ifconfig
- - /usr/bin/vim
+ allow_sudocmdgroup: test_sudorule
+ state: present
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure sudorule is present, with an allow_sudocmdgroup, again.
+ ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ allow_sudocmdgroup: test_sudorule
+ state: present
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
+ ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ allow_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
failed_when: not result.changed
- - name: Ensure sudorule sudocmds are absent, again
+ - name: Ensure sudorule is present, but allow_sudocmdgroup is absent.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
- cmd:
- - /sbin/ifconfig
- - /usr/bin/vim
+ allow_sudocmdgroup: test_sudorule
+ action: member
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure sudorule is present, with an deny_sudocmdgroup.
+ ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ deny_sudocmdgroup: test_sudorule
+ state: present
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure sudorule is present, with an deny_sudocmdgroup, again.
+ ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ deny_sudocmdgroup: test_sudorule
+ state: present
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure sudorule is present, but deny_sudocmdgroup is absent.
+ ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ deny_sudocmdgroup: test_sudorule
+ action: member
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again.
+ ipasudorule:
+ ipaadmin_password: SomeADMINpassword
+ name: testrule1
+ deny_sudocmdgroup: test_sudorule
action: member
state: absent
register: result
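Review bot: The second allow_sudocmdgroup-absent task reuses the exact name of the first (`Ensure sudorule is present, but allow_sudocmdgroup is absent.`), so the idempotency check is indistinguishable from the real removal in the run log; the deny counterpart later in the hunk shows the intended form, `- name: Ensure sudorule is present, but allow_sudocmdgroup is absent, again.`. Both deny_sudocmdgroup present tasks say `with an deny_sudocmdgroup`; the article should be `with a deny_sudocmdgroup`. The enclosing play starts and ends outside this hunk.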
@@ -216,7 +315,7 @@
- name: Ensure sudorule is absent
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
state: absent
register: result
@@ -224,7 +323,7 @@
- name: Ensure sudorule is absent, again.
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: testrule1
state: absent
register: result
@@ -232,7 +331,7 @@
- name: Ensure sudorule allhosts is absent
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allhosts
state: absent
register: result
@@ -240,7 +339,7 @@
- name: Ensure sudorule allhosts is absent, again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allhosts
state: absent
register: result
@@ -248,7 +347,7 @@
- name: Ensure sudorule allusers is absent
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allusers
state: absent
register: result
@@ -256,7 +355,7 @@
- name: Ensure sudorule allusers is absent, again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allusers
state: absent
register: result
@@ -264,7 +363,7 @@
- name: Ensure sudorule allcommands is absent
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allcommands
state: absent
register: result
@@ -272,8 +371,29 @@
- name: Ensure sudorule allcommands is absent, again
ipasudorule:
- ipaadmin_password: pass1234
+ ipaadmin_password: SomeADMINpassword
name: allcommands
state: absent
register: result
failed_when: result.changed
+
+ # cleanup
+ - name : Ensure sudocmdgroup is absent
+ ipasudocmdgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: test_sudorule
+ state: absent
+
+ - name: Ensure hostgroup is absent.
+ ipahostgroup:
+ ipaadmin_password: SomeADMINpassword
+ name: cluster
+ state: absent
+
+ - name: Ensure sudocmds are absent
+ ipasudocmd:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - /sbin/ifconfig
+ - /usr/bin/vim
+ state: absent
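Review bot: The cleanup task `- name : Ensure sudocmdgroup is absent` has a space before the colon; YAML accepts it, but yamllint's `colons` rule rejects it and every other task in the file writes the key without one, so it should be `- name: Ensure sudocmdgroup is absent`. The play ends in this hunk but its head is outside it.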
diff --git a/tests/user/test_user.yml b/tests/user/test_user.yml
index c172049f..541ea7cf 100644
--- a/tests/user/test_user.yml
+++ b/tests/user/test_user.yml
@@ -1,5 +1,5 @@
---
-- name: Tests
+- name: Test user
hosts: ipaserver
become: true
gather_facts: false
diff --git a/tests/user/test_user_random.yml b/tests/user/test_user_random.yml
index 47e4a350..44b9373a 100644
--- a/tests/user/test_user_random.yml
+++ b/tests/user/test_user_random.yml
@@ -6,7 +6,7 @@
tasks:
- name: Users user1 and user2 absent
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- user1
- user2
@@ -14,7 +14,7 @@
- name: User user1 present with random password
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name: user1
first: first1
last: last1
@@ -30,14 +30,14 @@
- name: User user1 absent
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- user1
state: absent
- name: Users user1 and user1 present with random password
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
users:
- name: user1
first: first1
@@ -63,7 +63,7 @@
- name: Users user1 and user2 absent
ipauser:
- ipaadmin_password: MyPassword123
+ ipaadmin_password: SomeADMINpassword
name:
- user1
- user2
diff --git a/tests/user/test_users.yml b/tests/user/test_users.yml
index 129594d3..d66115cb 100644
--- a/tests/user/test_users.yml
+++ b/tests/user/test_users.yml
@@ -1,5 +1,5 @@
---
-- name: Tests
+- name: Test users
hosts: ipaserver
become: true
gather_facts: false
diff --git a/tests/user/test_users_absent.yml b/tests/user/test_users_absent.yml
index eaab27f7..1611c6d3 100644
--- a/tests/user/test_users_absent.yml
+++ b/tests/user/test_users_absent.yml
@@ -1,5 +1,5 @@
---
-- name: Tests
+- name: Test users absent
hosts: ipaserver
become: true
gather_facts: false
diff --git a/tests/user/test_users_present.yml b/tests/user/test_users_present.yml
index 370b1372..9489c0d3 100644
--- a/tests/user/test_users_present.yml
+++ b/tests/user/test_users_present.yml
@@ -1,5 +1,5 @@
---
-- name: Tests
+- name: Test users present
hosts: ipaserver
become: true
gather_facts: false
diff --git a/tests/user/test_users_present_slice.yml b/tests/user/test_users_present_slice.yml
index 8c6524d8..f6e67106 100644
--- a/tests/user/test_users_present_slice.yml
+++ b/tests/user/test_users_present_slice.yml
@@ -1,5 +1,5 @@
---
-- name: Tests
+- name: Test users present slice
hosts: ipaserver
become: true
gather_facts: false
diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml
new file mode 100644
index 00000000..5b467f61
--- /dev/null
+++ b/tests/vault/test_vault.yml
@@ -0,0 +1,562 @@
+---
+
+- name: Test vault
+ hosts: ipaserver
+ become: true
+ gather_facts: false
+
+ tasks:
+
+ - name: Ensure user vaults are absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - stdvault
+ - symvault
+ - asymvault
+ username: user01
+ state: absent
+
+ - name: Ensure test users do not exist.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - user01
+ - user02
+ - user03
+ state: absent
+
+ - name: Ensure test groups do not exist.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: vaultgroup
+ state: absent
+
+ - name: Ensure vaultgroup exists.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: vaultgroup
+
+ - name: Ensure user01 exists.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name: user01
+ first: First
+ last: Start
+
+ - name: Ensure user02 exists.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name: user02
+ first: Second
+ last: Middle
+
+ - name: Ensure user03 exists.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name: user03
+ first: Third
+ last: Last
+
+ - name: Ensure shared vaults are absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: sharedvault
+ shared: True
+ state: absent
+
+ - name: Ensure service vaults are absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: svcvault
+ service: "HTTP/{{ groups.ipaserver[0] }}"
+ state: absent
+
+ - name: Ensure symmetric vault is present
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: user01
+ vault_password: MyVaultPassword123
+ vault_type: symmetric
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure symmetric vault is present, again
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: user01
+ vault_password: MyVaultPassword123
+ vault_type: symmetric
+ register: result
+ failed_when: result.changed
+
+ - name: Archive data to symmetric vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: user01
+ vault_password: MyVaultPassword123
+ vault_data: Hello World.
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Archive data with non-ASCII characters to symmetric vault
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: user01
+ vault_password: MyVaultPassword123
+ vault_data: The world of π is half rounded.
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure symmetric vault is absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: user01
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure symmetric vault is absent, again
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: symvault
+ username: user01
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure asymmetric vault is present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ username: user01
+ description: A symmetric private vault.
+ vault_public_key:
+ LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR
+ HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi
+ 9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM
+ 295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV
+ bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk
+ tLS0tLQo=
+ vault_type: asymmetric
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure asymmetric vault is present, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ username: user01
+ vault_public_key:
+ LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR
+ HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi
+ 9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM
+ 295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV
+ bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk
+ tLS0tLQo=
+ vault_type: asymmetric
+ register: result
+ failed_when: result.changed
+
+ - name: Archive data in asymmetric vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ username: user01
+ vault_data: Hello World.
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure asymmetric vault is absent.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ username: user01
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure asymmetric vault is absent, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: asymvault
+ username: user01
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure standard vault is present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ vault_type: standard
+ username: user01
+ description: A standard private vault.
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure standard vault is present, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ vault_type: standard
+ description: A standard private vault.
+ register: result
+ failed_when: result.changed
+
+ - name: Archive data in standard vault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ vault_data: Hello World.
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure standard vault member user is present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ action: member
+ users:
+ - user02
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure standard vault member user is present, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ action: member
+ users:
+ - user02
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure more vault member users are present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ action: member
+ users:
+ - user01
+ - user02
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault member user is still present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ action: member
+ users:
+ - user02
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault users are absent.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ action: member
+ users:
+ - user01
+ - user02
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault users are absent, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ action: member
+ users:
+ - user01
+ - user02
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault user is absent, once more.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ action: member
+ users:
+ - user01
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault member group is present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ action: member
+ groups: vaultgroup
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault member group is present, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ action: member
+ groups: vaultgroup
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault member group is absent.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ action: member
+ groups: vaultgroup
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault member group is absent, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ action: member
+ groups: vaultgroup
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault is absent.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault is absent, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ state: absent
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure shared vault is present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: sharedvault
+ shared: True
+ ipavaultpassword: MyVaultPassword123
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure shared vault is absent.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: sharedvault
+ shared: True
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service vault is present.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: svcvault
+ ipavaultpassword: MyVaultPassword123
+ service: "HTTP/{{ groups.ipaserver[0] }}"
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure service vault is absent.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: svcvault
+ service: "HTTP/{{ groups.ipaserver[0] }}"
+ state: absent
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault is present, with members.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ vault_type: standard
+ users:
+ - user02
+ - user03
+ groups:
+ - vaultgroup
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure vault is present, with members, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ vault_type: standard
+ users:
+ - user02
+ - user03
+ groups:
+ - vaultgroup
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure user02 is not a member of vault stdvault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ users: user02
+ state: absent
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure user02 is not a member of vault stdvault, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ users: user02
+ state: absent
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure user02 is a member of vault stdvault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ users: user02
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure user02 is a member of vault stdvault, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ users: user03
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure user03 owns vault stdvault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ owners: user03
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure user03 owns vault stdvault, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ owners: user03
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure user03 is not owner of stdvault.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ owners: user03
+ state: absent
+ action: member
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure user03 is not owner of stdvault, again.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ owners: user03
+ state: absent
+ action: member
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure vault is absent.
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: stdvault
+ username: user01
+ state: absent
+
+ # cleaup
+ - name: Ensure test vaults are absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - stdvault
+ - symvault
+ - asymvault
+ username: user01
+ state: absent
+
+ - name: Ensure shared vaults are absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: sharedvault
+ shared: True
+ state: absent
+
+ - name: Ensure service vaults are absent
+ ipavault:
+ ipaadmin_password: SomeADMINpassword
+ name: svcvault
+ service: "HTTP/{{ groups.ipaserver[0] }}"
+ state: absent
+
+ - name: Ensure test users do not exist.
+ ipauser:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - user01
+ - user02
+ - user03
+ state: absent
+
+ - name: Ensure test groups do not exist.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: vaultgroup
+ state: absent
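Review bot: The `vault_public_key` value is given as a multi-line plain scalar, which YAML folds into a single string with a space at each line break, so the module receives base64 with embedded spaces; whether that decodes depends on how permissive the module's decoder is, so either keep the key on one line or use a double-quoted scalar with `\` line continuations, which join the lines without spaces. `shared: True` (four occurrences, first in the "Ensure shared vaults are absent" task) is flagged by yamllint's `truthy` rule and differs from the lowercase `become: true` / `gather_facts: false` at the top of the play; write `shared: true`. The shared and service vault tasks pass `ipavaultpassword:` while the symmetric vault tasks use `vault_password:`; if the former is not an accepted alias, those tasks fail with an unsupported-parameter error, so this is worth checking against the module's argument spec. The task `Ensure user02 is a member of vault stdvault, again.` submits `users: user03`, the asymmetric vault's description says `A symmetric private vault.`, and the trailing comment reads `# cleaup`; these should be a task name matching the user actually submitted, `An asymmetric private vault.`, and `# cleanup`.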
diff --git a/utils/build-galaxy-release.sh b/utils/build-galaxy-release.sh
index 4f4597e2..fc6bcdd6 100644
--- a/utils/build-galaxy-release.sh
+++ b/utils/build-galaxy-release.sh
@@ -35,7 +35,7 @@ done
#git diff
-mazer build
+ansible-galaxy collection build
rm plugins/module_utils/ansible_ipa_*
rm plugins/modules/ipaserver_*