There is a new sudorule (Sudo Rule) management module placed in the plugins
folder:
plugins/modules/ipasudorule.py
The sudorule module allows to ensure presence and absence of Sudo Rules.
Here is the documentation for the module:
README-sudorule.md
New example playbooks have been added:
playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
playbooks/sudorule/ensure-sudorule-is-absent.yml
playbooks/sudorule/ensure-sudorule-is-disabled.yml
playbooks/sudorule/ensure-sudorule-is-enabled.yml
playbooks/sudorule/ensure-sudorule-is-present.yml
playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
New tests added for the module:
tests/hbacrule/test_sudorule.yml
The changed flag returned by ipahostgroup calls have not always been correct.
The use of the module with IPA version 4.6 on RHEL-7 resulted in encoding
errors. All this has been fixed.
Addtitionally new test cases have been added to make sure that the issues
are solved.
There is a new hbacrule (HBAC Rule) management module placed in the plugins
folder:
plugins/modules/ipahbacrule.py
The hbacrule module allows to ensure presence and absence of HBAC Rules.
Here is the documentation for the module:
README-hbacrule.md
New example playbooks have been added:
playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
New tests added for the module:
tests/hbacrule/test_hbacrule.yml
The information about the version limitation of the passwordexpiration
parameter has been missing. The parameter is only usable for IPA versions
4.7 and up.
The changed flag returned by ipagroup calls have not been correct. This
change fixes this. Addtitionally new test cases have been added to make
sure that the changed flag is correct.
group_add_member is only supporting services in more recent IPA versions.
This is 4.7+. Code has been added to detect if services are supported by
the used IPA version and used in the parameters of the module. In this case
an error is printed.
Additionally all parameters will be get from the module using
module_params_get provided by ansible_freeipa_module. Additional to_text
conversions have been removed as they are not needed anymore with this.
There is a new hbacsvcgroup (HBAC Service Group) management module placed
in the plugins folder:
plugins/modules/ipahbacsvcgroup.py
The hbacsvc module allows to ensure presence and absence of HBAC Service
Groups.
Here is the documentation for the module:
README-hbacsvcgroup.md
New example playbooks have been added:
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
New tests added for the module:
tests/hbacsvcgroup/test_hbacsvcgroup.yml
There is a new hbacsvc (HBAC Service) management module placed in the plugins
folder:
plugins/modules/ipahbacsvc.py
The hbacsvc module allows to ensure presence and absence of HBAC Services.
Here is the documentation for the module:
README-hbacsvc.md
New example playbooks have been added:
playbooks/hbacsvc/ensure-hbacsvc-absent.yml
playbooks/hbacsvc/ensure-hbacsvc-present.yml
New tests added for pwpolicy:
tests/hbacsvc/test_hbacsvc.yml
There is a new pwpolicy management module placed in the plugins folder:
plugins/modules/ipapwpolicy.py
The pwpolicy module allows to ensure presence and absence of pwpolicies for
groups.
Here is the documentation for the module:
README-pwpolicy.md
New example playbooks have been added:
playbooks/pwpolicy/pwpolicy_absent.yml
playbooks/pwpolicy/pwpolicy_present.yml
New tests added for pwpolicy:
tests/pwpolicy/test_pwpolicy.yml
With IPA 4.5 integers for examle in pwpolicy_find are returned as
integer values. The internally generated value will be converted from
integer to string (using to_text) if the value from find call result
is a string (or unicode for Python2).
There is a new sudocmdgroup management module placed in the plugins folder:
plugins/modules/ipasudocmdgroup.py
The sudocmdgroup module allows to add or remove sudo command groups..
The sudocmdgroup module is as compatible as possible to the Ansible upstream
ipa_sudocmdgroup module, and additionally offers to ensure member presence
and absence.
Here is the documentation for the module:
README-sudocmdgroup.md
New example playbooks have been added:
playbooks/sudocmd/ensure-sudocmdgroup-is-absent.yml
playbooks/sudocmd/ensure-sudocmdgroup-is-present.yml
playbooks/sudocmd/ensure-sudocmd-is-absent-in-sudocmdgroup.yml
playbooks/sudocmd/ensure-sudocmd-is-present-in-sudocmdgroup.yml
A test playbook is provided in:
tests/sudocmdgroup/test_sudocmdgroup.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
There is a new sudocmd management module placed in the plugins folder:
plugins/modules/ipasudocmd.py
The sudocmd module allows to add or remove sudo commands.
The sudocmd module is as compatible as possible to the Ansible upstream
ipa_sudocmd module.
Here is the documentation for the module:
README-sudocmd.md
New example playbooks have been added:
playbooks/sudocmd/ensure-sudocmd-is-absent.yml
playbooks/sudocmd/ensure-sudocmd-is-present.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The ipauser module now supports all user settings and additionally to ensure
the presence of several users with the new users setting. The users setting
can also be used with other states, but it has to be limited to only contain
the name of the users.
There updated user management module is placed in the plugins folder:
plugins/modules/ipauser.py
The user module now additionally allows to handle these user settings:
initials
principalexpiration
random
city
userstate
postalcode
mobile
pager
fax
orgunit
manager
carlicense
sshpubkey
userauthtype
userclass
radius
radiususer
departmentnumber
employeenumber
employeetype
preferredlanguage
certificate
certmapdata
noprivate
nomembers
Here is the updated documentation for the module:
README-user.md
New example playbooks have been added:
playbooks/user/user_certificate_absent.yml
playbooks/user/user_certificate_present.yml
playbooks/user/user_present.yml
playbooks/user/users_absent.yml
playbooks/user/users_certificate_absent.yml
playbooks/user/users_certificate_present.yml
playbooks/user/users_present.yml
plugins/modules/ipauser.py
New tests added for ipauser:
tests/user/certificate/cert1.der
tests/user/certificate/cert1.pem
tests/user/certificate/cert2.der
tests/user/certificate/cert2.pem
tests/user/certificate/cert3.der
tests/user/certificate/cert3.pem
tests/user/certificate/private1.key
tests/user/certificate/private2.key
tests/user/certificate/private3.key
tests/user/certificate/test_user_certificate.yml
tests/user/certificate/test_users_certificate.yml
tests/user/certmapdata/test_user_certmapdata.yml
tests/user/certmapdata/test_user_certmapdata_issuer_subject.yml
tests/user/certmapdata/test_users_certmapdata.yml
tests/user/test_user.yml
tests/user/test_users.yml
tests/user/test_users_absent.yml
tests/user/test_users_invalid_cert.yml
tests/user/test_users_present.yml
tests/user/test_users_present_slice.yml
tests/user/users_absent.json
tests/user/users_absent.sh
tests/user/users_present.json
tests/user/users_present.sh
The function api_get_realm is returning the realm of a connected FreeIPA
api. This is needed for proper principal checks in the extended ipauser
module that supports principals now.
The conversion is needed because older FreeIPA versions are returning
tuples in some cases instead of lists. To be able to compare them the
conversion to a list is needed.
The module_params_get function can and should be used as a replacement of
ansible_module.params.get. For Python2 it is needed to convert parameters
to unicode. Otherwise there will be an error in the FreeIPA API command.
The private function _afm_convert has been added to do the conversion
recursively.
api_check_param can be used to verify if params are available for a command
in the used FreeIPA version. The function has been added as api is normally
not imported into modules.
api_command is always used within try clause, therefore it is not needed
to have an extra try clause within api_command. Additionally it is needed
to get the dofferent errors in the next level.
The ipagroup module was not using the failed and completed items in the dict
that is returned with api_command. But it was creating add and remove
lists for users, groups and services. This is not needed if the failures
"already a member" and "not a member" in the result failures are ignored.
Only other failures are reported.
The serial numbers have not been set for the creation of the CA and also
to sign the request. Because of this the local time has been used, which
resulted sometimes in the use of the same time stamp for the CA and the
signing reuqest. The import failed then with same issuer and serial number
error.
The cat to generate the chain.crt has been replaces with openssl x509 calls.
Some comments have also been added.
The script in external-signed-ca-with-manual-copy has been replaced with a
link to the external-signed-ca-with-automatic-copy directory.
The states member_present and member_absent are not used and should also not
be used. This is a remain of the first try to ensure absence and presence
of users (members) in the group. This has been replaced with the setting
action: member.
There is a new hostgroup management module placed in the plugins folder:
plugins/modules/ipahostgroup.py
The hostgroup module allows to add, remove and disable hosts.
The hostgroup module is as compatible as possible to the Ansible upstream
ipa_hostgroup module, but addtionally offers to ensure member presence and
absence.
Here is the documentation for the module:
README-hostgroup.md
New example playbooks have been added:
playbooks/hostgroup/ensure-hostgroup-is-absent.yml
playbooks/hostgroup/ensure-hostgroup-is-present.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
There is a new hostgroup management module placed in the plugins folder:
plugins/modules/ipahostgroup.py
The hostgroup module allows to add, remove and disable hosts.
The hostgroup module is as compatible as possible to the Ansible upstream
ipa_hostgroup module, but addtionally offers to ensure member presence and
absence.
Here is the documentation for the module:
README-hostgroup.md
New example playbooks have been added:
playbooks/hostgroup/ensure-hostgroup-is-absent.yml
playbooks/hostgroup/ensure-hostgroup-is-present.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
With Ansible there is no add or remove user, there is only ensure presence
or absence of users. The descriptions have been adapted to make sure that
the description is correct now.
There is a new user management module placed in the plugins folder:
plugins/modules/ipauser.py
The host module allows to add, remove and disable hosts.
The host module is as compatible as possible to the Ansible upstream
ipa_host` module, but addtionally offers to disable hosts.
Here is the documentation for the module:
README-host.md
New example playbooks have been added:
playbooks/host/add-host.yml
playbooks/host/delete-host.yml
playbooks/host/disable-host.yml
configure_nsswitch_database has been removed with the freeipa commit
41ef8fba31
The 4.4 compatibility hack leads to a ALREADY installed error in
ipaclient_test because of the removal. This affects ipaclient and
ipareplica roles and also the ipaclient deployment part in ipaserver.
configure_nsswitch_database is not used any more in ipaclient role modules
and therefore simply can be removed from ansible_ipa_client.
