ipahostgroup parameters 'host', 'hostgroup', 'membermanager_user' and
'membermanager_group' must be compared in a case insensitive manner
and stored as lower case strings.
This patch fixes the comparison and storage of this parameters, and
change the handling of members to use the same structure as in newer
modules.
Two new tests files were added:
tests/hostgroup/test_hostgroup_case_insensitive.yml
tests/hostgroup/test_hostgroup_membermanager_case_insensitive.yml
FreeIPA provides a default hbacsvcgroup named "Sudo", with capital 'S',
that is different from every other hbacsvcgroup, which are all
represented by lower case letters.
As data from IPA API was not modified, this causes an idempotence error
when using different capitalization with the 'hbacsvcgroup' parameter.
This patch fixes the issue by using the CaseInsensitive comparator to
create the hbacsvcgroup list.
Tests were update to make sure a regression is not included in the
future.
On IPA CLI sudorule-add/del-runasuser accept 'group' as a parameter,
and this option was missing in ansible-freeipa ipasudorule module.
This patch adds a new parameter 'runasuser_group' to allow setting
Groups of RunAs Users, as allowed by CLI and WebUI.
New example playboks can be found at:
playbooks/sudorule/ensure-sudorule-runasusesr-group-is-absent.yml
playbooks/sudorule/ensure-sudorule-runasusesr-group-is-present.yml
FreeIPA suports renaming groupobjects with the CLI parameter "rename",
and this parameter was missing in ansible-freeipa ipagroup module.
This patch adds support for a new state 'renamed' and the 'rename'
parameter.
Tests were updated to cope with the changes.
FreeIPA suports renaming user objects with the CLI parameter "rename",
and this parameter was missing in ansible-freeipa ipauser module.
This patch adds support for a new state 'renamed' and the 'rename'
parameter.
Tests were updated to cope with the changes.
Related to RHBZ#2234379, RHBZ#2234380
Fixes#1103
IPA DNS Zones management can be delegated by adding a "Manage DNS zone"
permission. The CLI commands that manage these permissions are
dnszone-add-permission and dnszone-remove-permission.
The ansible-freeipa module ipadnszone did not have this capability, and
it now support dnszone per-zone management delegation by setting the
module parameter 'permission'. If set to 'true' the permission will be
assigned to the zone, if set to false the permission will be removed.
The parameter 'allow_empty_string' in 'module_params_get' is used to
allow an item in a list to be an empty string. The problem is that the
naming is misleading, as it is checking a list item rather than a
string.
This patch rename the parameter to 'allow_empty_list_item' so that it
more clearly refers to list itens instead of standalone strings, and do
not collide with future parameters that may test for empty strings which
are not part of lists.
The uri parameters auth_uri, dev_auth_uri, token_uri, userinfo_uri and
keys_uri have not been validated before. Also the base_url was not
normalized. The auth_uri, dev_auth_uri, token_uri and userinfo_uri need
to be set for new entries, but might be empty or empty string for reset
or updates.
The ipaidpclientsecret needs to be decoded from binary string in
find_idp result to not trigger no change ipd_mod calls.
The code for validate_uri and base_url normalization has been copied
from the ipaserver idp plugin.
ansible_freeipa_module:
urlparse from urllib.parse with a fallback to six.moves.urllib.parse is
imported and also exported. urlparse is needed for validate_uri in ipaidp
module.
Resolves: RHEL-17954, RHEL-17955, RHEL-17957 and RHEL-17958
If a playbook to ensure the existence of a user contains 'random:false'
and 'update_password: always' is executed twice, the second execution
will raise an exception due to "No modifications to perform", as there
is actually nothing to modify.
The fix for the issue is to remove 'random' if it is not set to true, as
setting it to 'false' would have no effect on the user object.
Related: https://issues.redhat.com/browse/RHEL-4934
All tasks for idoverrideuser and idoverridegroup with state absent
failed with "'continue' is required" when delete_continue was not set.
This happended as delete_continue was internally None and continue: None
was provided to the API.
The fix is simply to use '"continue": delete_continue or False' so that
continue is set to False in this case.
The task to apply an unknown (invalid) host to an idview was not failing
as expected and only reported no change.
A new host verification step has been added to fail before trying to
apply invalid hosts. unapplying an invalid host is not failing as the
invalid host is indeed not applied.
The result_handler is not needed anymore as the idempotency issues with
members have been fixed already for this module.
Related: #685 hbacsvcgroup: Fix member management idempotence issues.
hbacsvcgroup names are converted to lower case while creation with
hbacsvcgroup_add.
The hbacsvcgroup for sudo is builtin with the name "Sudo" though. This
breaks the lower case comparison. Therefore all memberservice_hbacsvcgroup
items are converted to lower case if "Sudo" is in the list.
There is a new idp management module placed in the plugins folder:
plugins/modules/ipaidp.py
The idp module allows to ensure presence or absence of external Identity
Providers.
Here is the documentation for the module:
README-idp.md
New idp example playbooks:
playbooks/idp/idp-present.yml
playbooks/idp/idp-absent.yml
New tests for the module:
tests/idp/test_idp.yml
tests/idp/test_idp_client_context.yml
There is a new idoverridegroup management module placed in the plugins
folder:
plugins/modules/ipaidoverridegroup.py
The idoverridegroup module allows to ensure presence and absence of
idoverrides for groups.
Here is the documentation for the module:
README-idoverridegroup.md
New example playbooks have been added:
playbooks/idoverridegroup/idoverridegroup-absent.yml
playbooks/idoverridegroup/idoverridegroup-present.yml
New tests for the module can be found at:
tests/idoverridegroup/test_idoverridegroup.yml
tests/idoverridegroup/test_idoverridegroup_client_context.yml
There is a new idoverrideuser management module placed in the plugins
folder:
plugins/modules/ipaidoverrideuser.py
The idoverrideuser module allows to ensure presence and absence of
idoverrides for users and certificate members.
Here is the documentation for the module:
README-idoverrideuser.md
New example playbooks have been added:
playbooks/idoverrideuser/idoverrideuser-absent.yml
playbooks/idoverrideuser/idoverrideuser-certificate-absent.yml
playbooks/idoverrideuser/idoverrideuser-certificate-present.yml
playbooks/idoverrideuser/idoverrideuser-present.yml
New tests for the module can be found at:
tests/idoverrideuser/test_idoverrideuser.yml
tests/idoverrideuser/test_idoverrideuser_client_context.yml
In recent pylint versions, use of broad exceptions for both raise and
try/except blocks raise a linter warning. As its use is justifiable in
the case of ipavault, the warnings are disabled where they occur.
Recent pylint versions warn against the use of an 'else' in a
'try-except' block if using a 'return' on the 'except' part is is the
idom used by ansible-freeipa when retrieving IPA data objects.
This change removes the usage of the 'else:' in such cases, and modify
the templates so that new modules do not have the same issue in the
future.
There is a new idview management module placed in the plugins folder:
plugins/modules/ipaidview.py
The idview module allows to ensure presence and absence of idviews and
idview host members.
Here is the documentation for the module:
README-idview.md
New example playbooks have been added:
playbooks/idview/idview-absent.yml
playbooks/idview/idview-host-applied.yml
playbooks/idview/idview-host-unapplied.yml
playbooks/idview/idview-present.yml
New tests for the module can be found at:
tests/idview/test_idview.yml
tests/idview/test_idview_client_context.yml
Indirect maps were not supported by ansible-freeipa ipaautomountmap.
This patch adds support for adding indirect automount maps using the
"parent" and "mount" parameters, if the map do not yet exist. An
existing map cannot be modified.
The "parent" parameter must match an existing automount map, and the
"mount" parameter is required if "parent" is used.
A new example playbook can be found at:
playbooks/automount/automount-map-indirect-map.yml
A new test playbook was added to test the feature:
tests/automount/test_automountmap_indirect.yml
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.
An additional check was added to verify that the values of the
user_auth_type list are valid for the used IPA version.
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.
An additional check was added to verify that the values of the
auth_ind list are valid for the used IPA version.
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.
An additional check was added to verify that the values of the
auth_ind list are valid for the used IPA version.
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.
An additional check was added to verify that the values of the
user_auth_type list are valid for the used IPA version.
Since FreeIPA version 4.8.0 ipauser has support for smb-logon-script,
smb-profile-path, smb-home-dir, and smb-home-drive drive attributes.
On FreeIPA, these attributes are only available when modifying a user,
so if the user defined in the playbook does not exist, two calls to IPA
API are executed, a 'user_add' followed by a 'user_mod'.
(see https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-controller.md
A new example playbook can be found at:
playbooks/user/smb-attributes.yml
A new test playbook can be found at:
tests/user/test_user_smb_attrs.yml
Host location and server location have very different meanings in IPA.
ipahost uses 'location' as an optional hint to where the host may be
physically located, ipaserever uses location to identify which DNS
location the server is part of.
This change updates documentation to make attribute description more
clear. Surrounding text have been changed to match text style as used in
other plugins.
This patch is related to: https://github.com/freeipa/freeipa/pull/6840
Most of ipapwpolicy parameters can be set to an empty string ("") so
that the policy is not applied to pwpolicy. This was not refelected on
the documentation.
This change adds 'or ""' to all the fields that can be disabled by
setting it to an empty string. Also, `data types were reviewed and fixed.
Modified handling of boolean values by using Ansible's 'boolean()' check
function so that a string can be used and either a bool value is
accepted or an empty string.
As the error message was changed to use the same Ansible message, tests
were also updated.
This patch adds a new parameter to ipauser, 'gecos', which can be used
to set the 'gecos' field of an IPA user. The default behavior of
automatically set the GECOS field to "<first> <last>" is not modified,
it is only possible to change the field to a custom value.
No validation on the value provided is done, as it is with FreeIPA.
The 'maxsequence' attribute was never applied as there was a typo when
it was set. By fixing the field name, 'maxsequence' is correclty set.
The failure was not seen before due to missing tests. The tests will be
added in a separate PR.
