It was not possible to reset the userauthtype. The empty string has been
added to userauthtype for this.
Also ipauser will only depend on given first and last name if the user
does not exist yet. For the update operation these parameters are not
needed anymore.
The choices for the auth_ind parameter have been wrong. The choices are now
['radius', 'otp', 'pkinit', 'hardened', '']. The empty string has been added
to be able to rest auth_ind for the host entry.
There is a new vault management module placed in the plugins folder:
plugins/modules/ipavault.py
The vault module allows to ensure presence and absence of vaults, manage
members and owner of the vault, and archive data in the vault.
Here is the documentation for the module:
README-vault.md
New example playbooks have been added:
playbooks/vault/data-archive-in-asymmetric-vault.yml
playbooks/vault/data-archive-in-symmetric-vault.yml
playbooks/vault/ensure-asymetric-vault-is-absent.yml
playbooks/vault/ensure-asymetric-vault-is-present.yml
playbooks/vault/ensure-service-vault-is-absent.yml
playbooks/vault/ensure-service-vault-is-present.yml
playbooks/vault/ensure-shared-vault-is-absent.yml
playbooks/vault/ensure-shared-vault-is-present.yml
playbooks/vault/ensure-standard-vault-is-absent.yml
playbooks/vault/ensure-standard-vault-is-present.yml
playbooks/vault/ensure-symetric-vault-is-absent.yml
playbooks/vault/ensure-symetric-vault-is-present.yml
playbooks/vault/ensure-vault-is-present-with-members.yml
playbooks/vault/ensure-vault-member-group-is-absent.yml
playbooks/vault/ensure-vault-member-group-is-present.yml
playbooks/vault/ensure-vault-member-user-is-absent.yml
playbooks/vault/ensure-vault-member-user-is-present.yml
playbooks/vault/ensure-vault-owner-is-absent.yml
playbooks/vault/ensure-vault-owner-is-present.yml
New tests added for the module:
tests/vault/test_vault.yml
If there is no domain set for email addresses, extend the email addresses
with the default email domain that is gathered from the config_show output.
This fixes RHBZ#1747413 ([ansible-freeipa] user module throwing an error if..)
The ipahost management module was not able to add several hosts at once.
Addtionally there have been settings missing.
ansible_freeipa_module has been extended to provide two additional functions
that are needed to simplify the extension of the ipahost module:
gen_add_del_lists(user_list, res_list)
encode_certificate(cert)
gen_add_del_lists will generate the lists for the addition and removal of
members using the provided user and ipa settings.
encode_certificate will encode a certificate using base64 with also taking
FreeIPA and Python versions into account.
The missing settings in ipahost have been:
certificate
managedby_host
principal
create_keytab_[user,group,host,hostgroup]
retrieve_keytab_[user,group,host,hostgroup]
sshpubkey
userclass
auth_ind
requires_pre_auth
ok_as_delegate
ok_to_auth_as_delegate
The README-host.md file has been updated to provide information about the
new settings and also the members. Also examples for the new things have
been added.
New example playbooks have been added:
playbooks/host/add-host.yml
playbooks/host/host-member-allow_create_keytab-absent.yml
playbooks/host/host-member-allow_create_keytab-present.yml
playbooks/host/host-member-allow_retrieve_keytab-absent.yml
playbooks/host/host-member-allow_retrieve_keytab-present.yml
playbooks/host/host-member-certificate-absent.yml
playbooks/host/host-member-certificate-present.yml
playbooks/host/host-member-managedby_host-absent.yml
playbooks/host/host-member-managedby_host-present.yml
playbooks/host/host-member-principal-absent.yml
playbooks/host/host-member-principal-present.yml
playbooks/host/host-present-with-allow_create_keytab.yml
playbooks/host/host-present-with-allow_retrieve_keytab.yml
playbooks/host/host-present-with-certificate.yml
playbooks/host/host-present-with-managedby_host.yml
playbooks/host/host-present-with-principal.yml
playbooks/host/host-present-with-randompassword.yml
playbooks/host/host-present.yml
playbooks/host/hosts-member-certificate-absent.yml
playbooks/host/hosts-member-certificate-present.yml
playbooks/host/hosts-member-managedby_host-absent.yml
playbooks/host/hosts-member-managedby_host-present.yml
playbooks/host/hosts-member-principal-absent.yml
playbooks/host/hosts-member-principal-present.yml
playbooks/host/hosts-present-with-certificate.yml
playbooks/host/hosts-present-with-managedby_host.yml
playbooks/host/hosts-present-with-randompasswords.yml
New tests have been added for the module:
tests/host/certificate/cert1.der
tests/host/certificate/cert1.pem
tests/host/certificate/cert2.der
tests/host/certificate/cert2.pem
tests/host/certificate/cert3.der
tests/host/certificate/cert3.pem
tests/host/certificate/private1.key
tests/host/certificate/private2.key
tests/host/certificate/private3.key
tests/host/certificate/test_host_certificate.yml
tests/host/certificate/test_hosts_certificate.yml
tests/host/test_host.yml
tests/host/test_host_allow_create_keytab.yml
tests/host/test_host_allow_retrieve_keytab.yml
tests/host/test_host_managedby_host.yml
tests/host/test_host_principal.yml
tests/host/test_host_random.yml
tests/host/test_hosts.yml
tests/host/test_hosts_managedby_host.yml
tests/host/test_hosts_principal.yml
The random password is only returned if random is yes and the host did
not exist or update_password is yes.
If only one host is handled by the module, the returned dict is containing
this dict:
{ "randompassword": "<the host random password>" }
If several hosts are handled by the module (future feature):
{ "<host>": { "randompassword": "<the host random password>" } }
Fixes issue #134 (ipahost does not return the random password)
The random password is only returned if random is yes and user did not exist
or update_password is yes.
If only one user is handled by the module, the returned dict is containing
this dict:
{ "randompassword": "<the user random password>" }
If several users are handled by the module:
{ "<user>": { "randompassword": "<the user random password>" } }
This is related to issue #134 (ipahost does not return the random password)
There is a new sudorule (Sudo Rule) management module placed in the plugins
folder:
plugins/modules/ipasudorule.py
The sudorule module allows to ensure presence and absence of Sudo Rules.
Here is the documentation for the module:
README-sudorule.md
New example playbooks have been added:
playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
playbooks/sudorule/ensure-sudorule-is-absent.yml
playbooks/sudorule/ensure-sudorule-is-disabled.yml
playbooks/sudorule/ensure-sudorule-is-enabled.yml
playbooks/sudorule/ensure-sudorule-is-present.yml
playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
New tests added for the module:
tests/hbacrule/test_sudorule.yml
The changed flag returned by ipahostgroup calls have not always been correct.
The use of the module with IPA version 4.6 on RHEL-7 resulted in encoding
errors. All this has been fixed.
Addtitionally new test cases have been added to make sure that the issues
are solved.
There is a new hbacrule (HBAC Rule) management module placed in the plugins
folder:
plugins/modules/ipahbacrule.py
The hbacrule module allows to ensure presence and absence of HBAC Rules.
Here is the documentation for the module:
README-hbacrule.md
New example playbooks have been added:
playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
New tests added for the module:
tests/hbacrule/test_hbacrule.yml
The information about the version limitation of the passwordexpiration
parameter has been missing. The parameter is only usable for IPA versions
4.7 and up.
The changed flag returned by ipagroup calls have not been correct. This
change fixes this. Addtitionally new test cases have been added to make
sure that the changed flag is correct.
group_add_member is only supporting services in more recent IPA versions.
This is 4.7+. Code has been added to detect if services are supported by
the used IPA version and used in the parameters of the module. In this case
an error is printed.
Additionally all parameters will be get from the module using
module_params_get provided by ansible_freeipa_module. Additional to_text
conversions have been removed as they are not needed anymore with this.
There is a new hbacsvcgroup (HBAC Service Group) management module placed
in the plugins folder:
plugins/modules/ipahbacsvcgroup.py
The hbacsvc module allows to ensure presence and absence of HBAC Service
Groups.
Here is the documentation for the module:
README-hbacsvcgroup.md
New example playbooks have been added:
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
New tests added for the module:
tests/hbacsvcgroup/test_hbacsvcgroup.yml
There is a new hbacsvc (HBAC Service) management module placed in the plugins
folder:
plugins/modules/ipahbacsvc.py
The hbacsvc module allows to ensure presence and absence of HBAC Services.
Here is the documentation for the module:
README-hbacsvc.md
New example playbooks have been added:
playbooks/hbacsvc/ensure-hbacsvc-absent.yml
playbooks/hbacsvc/ensure-hbacsvc-present.yml
New tests added for pwpolicy:
tests/hbacsvc/test_hbacsvc.yml
There is a new pwpolicy management module placed in the plugins folder:
plugins/modules/ipapwpolicy.py
The pwpolicy module allows to ensure presence and absence of pwpolicies for
groups.
Here is the documentation for the module:
README-pwpolicy.md
New example playbooks have been added:
playbooks/pwpolicy/pwpolicy_absent.yml
playbooks/pwpolicy/pwpolicy_present.yml
New tests added for pwpolicy:
tests/pwpolicy/test_pwpolicy.yml
There is a new sudocmdgroup management module placed in the plugins folder:
plugins/modules/ipasudocmdgroup.py
The sudocmdgroup module allows to add or remove sudo command groups..
The sudocmdgroup module is as compatible as possible to the Ansible upstream
ipa_sudocmdgroup module, and additionally offers to ensure member presence
and absence.
Here is the documentation for the module:
README-sudocmdgroup.md
New example playbooks have been added:
playbooks/sudocmd/ensure-sudocmdgroup-is-absent.yml
playbooks/sudocmd/ensure-sudocmdgroup-is-present.yml
playbooks/sudocmd/ensure-sudocmd-is-absent-in-sudocmdgroup.yml
playbooks/sudocmd/ensure-sudocmd-is-present-in-sudocmdgroup.yml
A test playbook is provided in:
tests/sudocmdgroup/test_sudocmdgroup.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
There is a new sudocmd management module placed in the plugins folder:
plugins/modules/ipasudocmd.py
The sudocmd module allows to add or remove sudo commands.
The sudocmd module is as compatible as possible to the Ansible upstream
ipa_sudocmd module.
Here is the documentation for the module:
README-sudocmd.md
New example playbooks have been added:
playbooks/sudocmd/ensure-sudocmd-is-absent.yml
playbooks/sudocmd/ensure-sudocmd-is-present.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The ipauser module now supports all user settings and additionally to ensure
the presence of several users with the new users setting. The users setting
can also be used with other states, but it has to be limited to only contain
the name of the users.
There updated user management module is placed in the plugins folder:
plugins/modules/ipauser.py
The user module now additionally allows to handle these user settings:
initials
principalexpiration
random
city
userstate
postalcode
mobile
pager
fax
orgunit
manager
carlicense
sshpubkey
userauthtype
userclass
radius
radiususer
departmentnumber
employeenumber
employeetype
preferredlanguage
certificate
certmapdata
noprivate
nomembers
Here is the updated documentation for the module:
README-user.md
New example playbooks have been added:
playbooks/user/user_certificate_absent.yml
playbooks/user/user_certificate_present.yml
playbooks/user/user_present.yml
playbooks/user/users_absent.yml
playbooks/user/users_certificate_absent.yml
playbooks/user/users_certificate_present.yml
playbooks/user/users_present.yml
plugins/modules/ipauser.py
New tests added for ipauser:
tests/user/certificate/cert1.der
tests/user/certificate/cert1.pem
tests/user/certificate/cert2.der
tests/user/certificate/cert2.pem
tests/user/certificate/cert3.der
tests/user/certificate/cert3.pem
tests/user/certificate/private1.key
tests/user/certificate/private2.key
tests/user/certificate/private3.key
tests/user/certificate/test_user_certificate.yml
tests/user/certificate/test_users_certificate.yml
tests/user/certmapdata/test_user_certmapdata.yml
tests/user/certmapdata/test_user_certmapdata_issuer_subject.yml
tests/user/certmapdata/test_users_certmapdata.yml
tests/user/test_user.yml
tests/user/test_users.yml
tests/user/test_users_absent.yml
tests/user/test_users_invalid_cert.yml
tests/user/test_users_present.yml
tests/user/test_users_present_slice.yml
tests/user/users_absent.json
tests/user/users_absent.sh
tests/user/users_present.json
tests/user/users_present.sh
The ipagroup module was not using the failed and completed items in the dict
that is returned with api_command. But it was creating add and remove
lists for users, groups and services. This is not needed if the failures
"already a member" and "not a member" in the result failures are ignored.
Only other failures are reported.
The states member_present and member_absent are not used and should also not
be used. This is a remain of the first try to ensure absence and presence
of users (members) in the group. This has been replaced with the setting
action: member.
There is a new hostgroup management module placed in the plugins folder:
plugins/modules/ipahostgroup.py
The hostgroup module allows to add, remove and disable hosts.
The hostgroup module is as compatible as possible to the Ansible upstream
ipa_hostgroup module, but addtionally offers to ensure member presence and
absence.
Here is the documentation for the module:
README-hostgroup.md
New example playbooks have been added:
playbooks/hostgroup/ensure-hostgroup-is-absent.yml
playbooks/hostgroup/ensure-hostgroup-is-present.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
There is a new user management module placed in the plugins folder:
plugins/modules/ipauser.py
The host module allows to add, remove and disable hosts.
The host module is as compatible as possible to the Ansible upstream
ipa_host` module, but addtionally offers to disable hosts.
Here is the documentation for the module:
README-host.md
New example playbooks have been added:
playbooks/host/add-host.yml
playbooks/host/delete-host.yml
playbooks/host/disable-host.yml
Currently it is ignored if the entry for reinitialized can not be found if
the name or left and right are not correct. Now there is a failure in this
case.
Fixes: #107 (Reinitialize are failed to find the node in ipatopology ..)
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
With adding the domain and ca suffixes with `suffix: domain+ca` only ca
has been added as the suffix was only used from the last command. The
suffix is now stored together with the command and the argument. This
will fix this error.
Fixes: #106 (Last suffix adding twice in the list of topology segments)
There is a new group management module placed in the plugins folder:
plugins/modules/ipagroup.py
The group module allows to add, remove, enable, disable, unlock und undelete
groups.
The group module is as compatible as possible to the Ansible upstream
`ipa_group` module, but addtionally offers to add users to a group and also
to remove users from a group.
Here is the documentation for the module:
README-group.md
New example playbooks have been added:
playbooks/user/add-groups-to-group.yml
playbooks/user/add-user-to-group.yml
playbooks/user/add-group.yml
playbooks/user/delete-group.yml
There is a new user management module placed in the plugins folder:
plugins/modules/ipauser.py
The user module allows to add, remove, enable, disable, unlock und undelete
users.
The user module is as compatible as possible to the Ansible upstream
`ipa_user` module, but addtionally offers to preserve delete, enable,
disable, unlock and undelete users.
Here is the documentation for the module:
README-user.md
New example playbooks have been added:
playbooks/user/add-user.yml
playbooks/user/delete-user.yml
playbooks/user/enable-user.yml
playbooks/user/disable-user.yml
playbooks/user/delete-preserve--user.yml
playbooks/user/undelete-user.yml
The use of password will conflict with the user password setting and is
not really descriptive. ipaadmin_principal and ipaadmin_password are also
used in the roles.
It is now possible to use domain+ca as suffix, That means that the segment
will be handled for the suffixes domain and also ca.
The new state checked is returning two lists found and not-found. If a
segment exists, the ckecked suffix is added to the found list. If a segment
from suffix is not found, it is added to the not-found list.
New example playbooks have been added:
playbooks/topology/add-topologysegments.yml
playbooks/topology/check-topologysegments.yml
playbooks/topology/delete-topologysegments.yml
The cluster playbook has been extended by the
There are now two topology management modules placed in the plugins folder:
plugins/modules/ipatopologysegment.py
plugins/modules/ipatopologysuffix.py
Topology segments can be added, removed and reinitialized with the
ipatopologysegment module. Also it is possible to verify topology suffixes
with the ipatopologysuffix module.
A new module_utils for plugins has been added:
plugins/module_utils/ansible_freeipa_module.py
And documentation for the modules:
README-topology.md
New sample playbooks are available in playbooks/topology:
playbooks/topology/add-topologysegment.yml
playbooks/topology/delete-topologysegment.yml
playbooks/topology/reinitialize-topologysegment.yml
playbooks/topology/verify-topologysuffix.yml
The plugins folder can be used with the new Ansible Collections supported
by Ansible 2.8 and Ansible galaxy 3.2.
