Adding an A/AAAA record to a host fails if there's not a reverse zone
set that the resulting PTR record can be added to, even if
create_reverse is false.
Changing the rule to create the reverse record fixes the issue.
Fixes: #1381
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
There is a new paskeyconfig management module placed in the plugins
folder:
plugins/modules/ipapasskeyconfig.py
The paskeyconfig module allows to retrieve and modify global passkey
configuration attributes.
Here is the documentation of the module:
README-passkeyconfig.md
New example playbooks have been added:
playbooks/passkeyconfig/passkeyconfig-retrieve.yml
playbooks/passkeyconfig/passkeyconfig-present.yml
New tests for the module can be found at:
tests/passkeyconfig/test_passkeyconfig.yml
tests/passkeyconfig/test_passkeyconfig_client_context.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
sysaccounts can now be used as a member for roles.
Example:
- name: Ensure role my-app role has sysaccount member my-app
iparole:
name: my-app role
sysaccount: my-app
action: member
New tests for the module:
tests/role/test_role_sysaccount_member.yml
There is a new sysaccount management module placed in the plugins folder:
plugins/modules/ipasysaccount.py
The sysaccount module allows to ensure presence or absence of system
accounts.
Here is the documentation for the module:
README-sysaccount.md
New sysaccount example playbooks:
playbooks/sysaccount/sysaccount-absent.yml
playbooks/sysaccount/sysaccount-disabled.yml
playbooks/sysaccount/sysaccount-enabled.yml
playbooks/sysaccount/sysaccount-present.yml
playbooks/sysaccount/sysaccount-privileged.yml
playbooks/sysaccount/sysaccount-unprivileged.yml
New tests for the module:
tests/sysaccount/test_sysaccount.yml
tests/sysaccount/test_sysaccount_client_context.yml
With the latest pylint version, an issue is raised by inheriting from
BaseInventoryPlugin, as the class has too many ancestors
(too-many-ancestors). This is caused by a class hierarchy that is too
deep, and is not under ansible-freeipa's control.
When adding a new idrange of type 'ipa-local', the 'base_id',
'range_size', 'rid_base' and 'secondary_rid_base' are required so that
range entries are correctly set when SID are enabled.
Fixes: https://issues.redhat.com/browse/RHEL-79820
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The test has been changed with the management fix for AD objects. The
conditional was lacking brackets and therefore did not properly work.
The brackets have been added.
Related: https://issues.redhat.com/browse/RHEL-70023
When using AD objects, a user expects to use the more human readable
form, like "user@ad.domain", but this impose some dificulties on
evaluating which object is being referenced as AD has several forms to
refer to the same object.
Each object is AD is identified uniquely by its SID, and this is the
identifier that IPA stores in its database. When managing AD objects,
IPA finds its SID and works with that value.
ansible-freeipa tried to process these objects using the human readable
values, and it cause idempontence error when ensuring the values were
present or modified, and, at least in some cases, prevented the objects
to be made absent, as the object list created didn't match the SID to
the value used as module parameter.
By using SID to process the AD objects in ipagroup, the addition or
removal of members works and idempotence of these members is ensured.
The only issue with thils approach is that it only works no server
nodes. In client nodes, the conversion to SID is not available and the
same issues that existed before will still be present.
Tests were updated to reflect these changes, a new test, specific to
idempotence issues of AD objects was added:
tests/group/test_group_ad_users.yml
Resolves: https://issues.redhat.com/browse/RHEL-70023
When managing AD objects the SID of the objects are stored in FreeIPA
database, but a user would still use the human readable values, like
"AD\\user" or "user@ad.domain". This can cause idempotence issues in
many cases, and prevent some actions to be performed, like ensure
absence of the object.
The methods added allow the conversion of one or multiple objects, and
will be used by any module that manages AD objects.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
When handling users and hosts is ipasudorule we were missing nome entry
attributes returned from FreeIPA, which would cause the add/del lists to
be incorrectly generated.
By adding the proper lists, both attributes are handled correctly.
A new test to verify the fix is added:
tests/sudorule/test_sudorule_user_host_external.yml
Fixes https://issues.redhat.com/browse/RHEL-68439
When creating the lists of external members, the attribute
'ipaexternalmember' also needs to be added to the list of external
members that are part of the group object for external groups.
A test to verify the correct behavior was added and the test suite for
group external members have been cleaned up with 'yes' values changed to
'true' and the use of module_defaults.
When a revoked certificate with reason 6 (certificateHold) is revoked
with reason 8 (removeFromCRL), the effect is that the certificate is
valid again, as it is the same procedure as 'state: release'.
This is, at least, the behavior with IPA CLI comands, which is
implemented by this patch.
A new test is added to verify this behavior:
tests/cert/test_cert_remove_hold_with_removeFromCRL.yml
When searching for objects with *_show IPA API command, most plugins
were hiding errors other than "ipalib_errors.NotFound" by handling the
broad exception Exception instead.
This patch uses "ipalib_errors.NotFound" whenever "*_show" is used so
that the only exception handled is when an object is not found. Other
errors will not be handled making the module break as expected.
Currently, ipasudorule must add or modify a single sudorule at a time,
incurring in more load in the server if there are many rules to be
processed.
This patch adds suport for adding multiple sudorules in one playbook
task by using the parameter 'sudorules' and defining a list of sudorules
configurations to be ensured.
As multiple sudorules will be processed, the patch also enables batch
mode processing of sudorules, trying to reduce the load on the server.
Test 'tests/sudorule/test_sudorule_client_context.yml' was modified to
include tasks with 'sudorules' to be executed both on the server or on
the client context.
New tests were added to the sudorule test suite:
tests/sudorule/test_sudorules.yml
tests/sudorule/test_sudorules_member_case_insensitive.yml
This patch adds the class EntryFactory to the ansible-freeipa module
utils. This class allows the handling of modules with multiple object
entries as list of objects. When the multi-object parameter is not used,
it creates a list of a single object, allowing for the same code idiom
to be used.
The entries created can be used both as objects, by acessing the values
as properties, or as dictionaires, by accessing the elements as
key-value pairs.
So far a datetime object was created for the expiration dates
krbpasswordexpiration and krbprincipalexpiration. This resulted in also
sending these objects to the API. With this change, the dates are
converted into strings using the LDAP_GENERALIZED_TIME_FORMAT defined in
ipalib.constants. This way only strings are used with the IPA API.
A new function has been added to ansible_freeipa_module:
- date_string: Convert datetime to gernalized time format string
This fuction is used on the result of user_show to convert the
expiration dates to the gernalized time format string.
The existing function date_format in ansible_freeipa_module has been
renamed to convert_date and fixed in the way that it also uses
date_string to return a gernalized time format string and not a
datetime object. This function was only used in the ipauser module so
far.
The no_log tag is only allowed in the argument_spec, but not in the
DOCUMENTATION section. Set no_log=False for token_uri and
keys_uri=keys_uri in the argument_spec to enforce logging.
Several fixes for the DOCUMENTATION section: The short_description tag
was 'short description', the chain option was missing and the unknown
authers tag has been removed.
The bindings for requests and urllib3 might not be available, especially
in the ansible-test fake execution test (next version). These imports are
now in a try exception clause to make sure that the fake execution test
will be passing and also that there is a better error message if the
bindings are missing.
urllib3.exceptions.InsecureRequestWarning is now also only disabled if
no certificate has been given for the verification of the connection.
The parameters
- subtree (ipapermlocation)
- target (ipapermtarget)
- targetto (ipapermtargetto)
- targetfrom (ipapermtargetfrom)
have not been idempotent as the result returned from permission_show was
a DN and not a string.
The find_permission function has been exetended to convert the values
for these parameters to strings.
Fixes: #1257
The error string returned by execute_ipa_commands in batch mode
additionally contains the whole parameter list for the command. This is
different to non batch mode execution and breaks tests that are checking
the returned error message.
A left over debug message also have been removed from the error
processing.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
New function:
- convert_input_certificates(module, certs, state)
pylint doesn't know that some functions may terminate execution, like,
AnsibleModule's fail_json, and assume that, depending on the code path,
some variables may not be initialized when used.
This change ensure that variables are always initialized independent of
the code path.
New versions of pylint ignore Python 2 functions and types, evaluating
'unicode' as "undefined". ansible-freeipa will always define 'unicode'
when running under Python 3, and it is always defined under Python 2.
This patch fixes these false positives.
The use of the batch command is enabled for execute_ipa_commands.
Additionally keeponly is set to ["randompassword"] as this is the only
parameter that is used from the data returned from the commands.
The use of the batch command is enabled for execute_ipa_commands.
Additionally keeponly is set to [] as nothing is used from the data returned
from the commands.
