Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
New function:
- convert_input_certificates(module, certs, state)
FreeIPA commit ea0bf4020ce0b1e32572e128e9323c5af60ec93d
After an HSM replica install ensure all certs are visible
If a certificate on a token does not have NSS trust set then
it won't be visible in the softoken. This can be disconcerting
for those used to seeing all the certificates.
Loop through the possibilities and set no trust (or Peer) for
all the certificates on the token.
Also ensure that the CA certificate has the correct nickname.
Related: https://pagure.io/freeipa/issue/9273
replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is
called instead if the client was configured before deploying with
iparepica role.
FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d
Refactor CA file handling in replica installer
Clean up and remove obsolete code from ipa-replica-install. For several
versions replica installer first ensures that a host is an IPA client,
then promotes the client to a replica. The client installer code sets up
CA stores like IPA_CA_CRT already.
The config attributes config_master_host_name and also config_ca_host_name
are not changed within ipareplica_install_ca_certs, therefore it is not
needed to return them and also to use the returned values for following
tasks.
The HSM parameters
token_name
token_library_path
token_password
token_password_file
are set to None to enable deployment with IPA 4.12 as a workaround till
HSM can be fully supported by the ipaserver role.
pylint doesn't know that some functions may terminate execution, like,
AnsibleModule's fail_json, and assume that, depending on the code path,
some variables may not be initialized when used.
This change ensure that variables are always initialized independent of
the code path.
New versions of pylint ignore Python 2 functions and types, evaluating
'unicode' as "undefined". ansible-freeipa will always define 'unicode'
when running under Python 3, and it is always defined under Python 2.
This patch fixes these false positives.
Github actions checkout v3.1.0 and setup-python v4.3.0 use deprecated
Node.js 16.
Bumping version to checkout v4.1.1 and setup-python v5.1.0 fixes the
workflows, as both use the recommended Node.js 20.
The checkout depth has been set to 1 (shallow copy) for all tasks that
do not require git history to be available.
The use of the batch command is enabled for execute_ipa_commands.
Additionally keeponly is set to ["randompassword"] as this is the only
parameter that is used from the data returned from the commands.
The use of the batch command is enabled for execute_ipa_commands.
Additionally keeponly is set to [] as nothing is used from the data returned
from the commands.
The use of the batch command is enabled for execute_ipa_commands.
Additionally keeponly is set to [] as nothing is used from the data returned
from the commands.
The use of the batch command is enabled for execute_ipa_commands.
Additionally keeponly is set to ["randompassword"] as this is the only
parameter that is used from the data returned from the commands.
The method execute_ipa_commands has been extended to handle multi
commands with the batch command.
New constants for execute_ipa_commands debugging:
DEBUG_COMMAND_ALL = 0b1111
DEBUG_COMMAND_LIST = 0b0001
Print the while command list
DEBUG_COMMAND_COUNT = 0b0010
Print the command number
DEBUG_COMMAND_BATCH = 0b0100
Print information about the batch slice size and currently executed
batch slice
New parameters have been added to execute_ipa_commands:
batch: bool
Enable batch command use to speed up processing
batch_slice_size: integer
Maximum mumber of commands processed in a slice with the batch
command
keeponly: list of string
The attributes to keep in the results returned.
Default: None (Keep all)
debug: integer
Enable debug output for the exection using DEBUG_COMMAND_*
Batch mode can be enabled within the module with setting batch to True
for execute_ipa_commands.
Fixes: #1128 (batch command support)
delete_continue defaults to None. The use of continue: None is resulting
in an error with the batch command. Therefore only set continue if it is
not None.
These are manager, principal, certificate and certmapdata.
The result_handler function has been adapted and the exception_handler
function has been removed.
A new function has been added:
convert_certificate
The changed state returned from ipaclient_configure_dns_resolver was
always True. The internal functions (copies from FreeIPA code) have been
fixed to return a changed state.
Fixes: #1217 (ipaclient: Configure DNS resolver always reports as changed)
Two new options have been added to enable the offline build within rpm:
-o <A.B.C> Build offline without using git, using version A.B.C
Also enables -a
-p <path> Installation the generated collection in the path, the
ansible_collections sub directory will be created and will
contain the collection: ansible_collections/<namespace>/<name>
Also enables -i
The usage text has been fixed also for specifying namespace and name.
The collection variable has been renamed to name.
Example usage:
utils/build-galaxy-release.sh -o 1.12.1 \
-p %{buildroot}%{_datadir}/ansible/collections \
freeipa ansible_freeipa
Use IPAChangeConf and realm_to_ldapi_uri to create IPA_DEFAULT_CONF.
With realm_to_ldapi_uri the ldap_uri is correctly using /run instead of
/var/run.
Before IPA_DEFAULT_CONF was created using file operations.
The custodia setup is executed twice. At first in
ipaserver_setup_custodia and then additionally in ipaserver_setup_ca.
The custodia setup code in ipaserver_setup_ca.py has been adapted to fit
the code in ipaserver_setup_custodia.py.
The extra Setup custodia step in the server roles has been removed
together with ipaserver_setup_custodia.py.
