Ensuring (adding) several groups with mixed types external, nonposix
and posix require to have a fix in IPA:
FreeIPA issue: https://pagure.io/freeipa/issue/9349
FreeIPA fix: https://github.com/freeipa/freeipa/pull/6741
The simple solution is to switch to client context for ensuring several
groups simply if the user was not explicitly asking for the server context
no matter if mixed types are used.
Adding an option `groups` to create multiple groups in one operation.
Adding tests (present/absent/external/nonposix) with server and
client context.
Simple example of `groups` option:
```
tasks:
- name: Ensure 2 groups are present
ipagroup:
ipaadmin_password: SomeADMINpassword
groups:
- name: group1
- name: group2
```
Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
The way how randompasswords are returned by the ipahost module depends
so far on the number of hosts that are handled by the module.
This is unexpected if for example a json file is provided with the hosts
parameter. As it might be unknown how many hosts are in the json file,
this behaviour is unexpected. The return should not vary in this case.
This chamge makes the return simply depend on the use of the hosts
paramater. As soon as this parameter is used, the return will always be:
"host": { "<the host>": { "randompassword": "<the host random password>" } }
In the simply case with one host it will be still
"host": { "randompassword": "<the host random password>" }
This change for ipahost is related to the ipauser PR #1053.
The way how randompasswords are returned by the ipauser module depends
so far on the number of users that are handled by the module.
This is unexpected if for example a json file is provided with the users
parameter. As it might be unknown how many users are in the json file,
this behaviour is unexpected. The return should not vary in this case.
This chamge makes the return simply depend on the use of the users
paramater. As soon as this parameter is used, the return will always be:
"user": { "<the user>": { "randompassword": "<the user random password>" } }
In the simply case with one user it will be still
"user": { "randompassword": "<the user random password>" }
Fixes: #1052 (ipauser should consitently return randompasswords when
used with users)
With 4.9.10, the value of bools have been changed from "TRUE" and
"FALSE" to real bool values.
With IPA < 4.9.10 the new bool checks distcheck and usercheck failed
the tests for enabling the checks with a "already enabled" error.
A new version check altogether with providing the ansible module for
gen_args has been added. The values True and False are now transformed
into "TRUE" and "FALSE" for IPA < 4.9.10.
The function bool_param has been renamed to bool_or_empty_param to match
the int_or_empty_param and to have a more explaining name.
All values for pwpolicy can be cleared with an empty string in IPA CLI,
and this behavior was missing in ansible-freeipa.
As of today, there is an issue in FreeIPA that does not allow clearing
'minlength' policy. The is is tracked by the FreeIPA project through
https://pagure.io/freeipa/issue/9297
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2150334
A combination of ansible-freeipa modifications and a newer version of
IPA has brought a regression regarding different OS localization.
For properly setting environment to use "C" language, as required by
ansible-freeipa, the setting must be executed before importing the
module 'ipaserver.dcerpc', so setting environment language was moved
closer to the 'import os' statement, so that it is always set, as soon
as possible.
Note that 'import os' should always be imported before any FreeIPA
module.
The hostmask parameter allows matching a sudorule against a network
address, and was missing from ipasudorule module.
Documentation and tests were updated to reflect changes.
Two new example playbooks are available:
playbooks/sudorule/ensure-sudorule-hostmask-member-is-absent.yml
playbooks/sudorule/ensure-sudorule-hostmask-member-is-present.yml
On recent versions of FreeIPA option to verify passwords and for
controlling a password grace period have been added to IPA API.
This patch adds support for the parameters maxrepeat, maxsequence,
dictcheck and usercheck, available since FreeIPA, 4.9 and gracelimit,
available since FreeIPA 4.9.10.
Test playbooks for the module have been updated with the new supported
parameters.
New example playbooks can be found at:
playbooks/pwpolicy/pwpolicy_grace_limit.yml
playbooks/pwpolicy/pwpolicy_password_check.yml
This patch modifies the way that the certificate load function is
defined, depending on the dependency version, so that the resulting
identifier for the function is always set and static analysis tools,
like linters don't complain about variables being used before being
set.
The same idiom is applied to both the ipaclient role and the plugins
ansible_module_utils.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `type: string` is not valid and needs to be replaced by `type: str`
- `suboptions` instead of `options` needs to be used for dict parameters
- `authors` needs to be given with the github user also: `Name (@user)`
- `choices` needs to match `argument_spec`
- `description` needs to match parameter
- all parameters need to be defined
argument_spec
- `elements="str"` needs to be added to all list of string parameters
- `no_log=False` or `no_log=True` needs to be set for all parameters
that have `key` in the name or for dicts also in one the key names
- `elements="dict"` needs to be added to all list of dict parameters
The `copyright` date is extended with `-2022`.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `suboptions` instead of `options` needs to be used for dict parameters
- `required` tags need to be fixed according to the `argument_spec`
- `aliases` tag needs to match `argument_spec`
- `type` tag needs to match `argument_spec`
- `default` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
RETURN section
- `contains` needs to be used instead of `options` for dicts
- `type: str` needs to be used for string parameters
argument_spec
- `elements="str"` needs to be added to all list of string parameters
- `no_log=False` or `no_log=True` needs to be set for all parameters
that have `key` in the name or for dicts also in one the key names
The `copyright` date is extended with `-2022`.
Additional changes:
- Parameter sshpubkey changed to list of strings in argument_spec
- New test test/host/test_host_sshpubkey.yml
There is a new netgroup management module placed in the plugins folder:
plugins/modules/ipanetgroup.py
The netgroup module allows to ensure presence or absence of netgroup
and manage netgroup members.
Here is the documentation for the module:
README-netgroup.md
New example playbooks have been added:
playbooks/netgroup/netgroup-absent.yml
playbooks/netgroup/netgroup-member-absent.yml
playbooks/netgroup/netgroup-member-present.yml
playbooks/netgroup/netgroup-present.yml
New tests for the module:
tests/netgroup/test_netgroup.yml
tests/netgroup/test_netgroup_client_context.yml
tests/netgroup/test_netgroup_member.yml
tests/netgroup/test_netgroup_member_absent.yml
tests/netgroup/test_netgroup_member_case_insensitive.yml
Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `author` needs to be given with the github user also: `Name (@user)`
argument_spec
- `type="str"` needs to added to all string parameters
The `copyright` date is extended with `-2022`.
ansible-test with ansible-2.14 is adding a lot of new tests to ensure
that the documentation section and the agument spec is complete. Needed
changes:
DOCUMENTATION section
- `type: str` needs to be set for string parameters
- `type: bool` needs to be set for bool parameters
- `type: list` needs to be set for list parameters
- `elements: str` needs to be given for list of string parameters
- `type: string` is not valid and needs to be replaced by `type: str`
- `required` tags need to be fixed according to the `argument_spec`
- `aliases` tag needs to match `argument_spec`
- `author` needs to be given with the github user also: `Name (@user)`
- `choices` needs to match `argument_spec`
- all parameters need to be defined
RETURN section
- `contains` needs to be used instead of `options` for dicts
- `type: string` is not valid and needs to be replaced by `type: str`
argument_spec
- `elements="str"` needs to be added to all list of string parameters
- `default=.*` needs to be dropped if `required=True` is also given
The `copyright` date is extended with `-2022`.
Current behavior of ipaconfig mimics FreeIPA CLI and requires that
'enable_sid' is set to True every time add_sids or netbios_name are
used. It is sufficient that SID generation is enabled to use add_sids
and netbios_name, but the IPA API requires 'enable_sid' so that the
operations are executed.
This patch allows ansible-freeipa plugin ipaconfig to run 'add_sids' or
set 'netbios_name without requiring 'enable_sid' to be set on the
playbook.
If SID generation is enabled, 'add_sids' and 'netbios_name' can be used
without 'enable_sid: yes'. If SID generation is not enabled, an error
message will be raised if 'enable_sid: yes' is not used.
