There is a new idp management module placed in the plugins folder:
plugins/modules/ipaidp.py
The idp module allows ensuring the presence or absence of external Identity
Providers.
Here is the documentation for the module:
README-idp.md
New idp example playbooks:
playbooks/idp/idp-present.yml
playbooks/idp/idp-absent.yml
New tests for the module:
tests/idp/test_idp.yml
tests/idp/test_idp_client_context.yml
There is a new idoverridegroup management module placed in the plugins
folder:
plugins/modules/ipaidoverridegroup.py
The idoverridegroup module allows ensuring the presence and absence of
idoverrides for groups.
Here is the documentation for the module:
README-idoverridegroup.md
New example playbooks have been added:
playbooks/idoverridegroup/idoverridegroup-absent.yml
playbooks/idoverridegroup/idoverridegroup-present.yml
New tests for the module can be found at:
tests/idoverridegroup/test_idoverridegroup.yml
tests/idoverridegroup/test_idoverridegroup_client_context.yml
There is a new idoverrideuser management module placed in the plugins
folder:
plugins/modules/ipaidoverrideuser.py
The idoverrideuser module allows ensuring the presence and absence of
idoverrides for users and certificate members.
Here is the documentation for the module:
README-idoverrideuser.md
New example playbooks have been added:
playbooks/idoverrideuser/idoverrideuser-absent.yml
playbooks/idoverrideuser/idoverrideuser-certificate-absent.yml
playbooks/idoverrideuser/idoverrideuser-certificate-present.yml
playbooks/idoverrideuser/idoverrideuser-present.yml
New tests for the module can be found at:
tests/idoverrideuser/test_idoverrideuser.yml
tests/idoverrideuser/test_idoverrideuser_client_context.yml
In recent pylint versions, use of broad exceptions for both raise and
try/except blocks raises a linter warning. As its use is justifiable in
the case of ipavault, the warnings are disabled where they occur.
Recent pylint versions warn against the use of an 'else' in a
'try-except' block if using a 'return' on the 'except' part, which is the
idiom used by ansible-freeipa when retrieving IPA data objects.
This change removes the usage of the 'else:' in such cases, and modifies
the templates so that new modules do not have the same issue in the
future.
There is a new idview management module placed in the plugins folder:
plugins/modules/ipaidview.py
The idview module allows ensuring the presence and absence of idviews and
idview host members.
Here is the documentation for the module:
README-idview.md
New example playbooks have been added:
playbooks/idview/idview-absent.yml
playbooks/idview/idview-host-applied.yml
playbooks/idview/idview-host-unapplied.yml
playbooks/idview/idview-present.yml
New tests for the module can be found at:
tests/idview/test_idview.yml
tests/idview/test_idview_client_context.yml
Indirect maps were not supported by ansible-freeipa ipaautomountmap.
This patch adds support for adding indirect automount maps using the
"parent" and "mount" parameters, if the map does not yet exist. An
existing map cannot be modified.
The "parent" parameter must match an existing automount map, and the
"mount" parameter is required if "parent" is used.
A new example playbook can be found at:
playbooks/automount/automount-map-indirect-map.yml
A new test playbook was added to test the feature:
tests/automount/test_automountmap_indirect.yml
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.
An additional check was added to verify that the values of the
user_auth_type list are valid for the used IPA version.
The parameter auth_ind has been updated in FreeIPA. The choice
idp has been missing and is now added.
An additional check was added to verify that the values of the
auth_ind list are valid for the used IPA version.
Since FreeIPA version 4.8.0 ipauser has support for smb-logon-script,
smb-profile-path, smb-home-dir, and smb-home-drive attributes.
On FreeIPA, these attributes are only available when modifying a user,
so if the user defined in the playbook does not exist, two calls to IPA
API are executed, a 'user_add' followed by a 'user_mod'.
(see https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-controller.md)
A new example playbook can be found at:
playbooks/user/smb-attributes.yml
A new test playbook can be found at:
tests/user/test_user_smb_attrs.yml
Host location and server location have very different meanings in IPA.
ipahost uses 'location' as an optional hint to where the host may be
physically located, ipaserver uses location to identify which DNS
location the server is part of.
This change updates documentation to make attribute description more
clear. Surrounding text has been changed to match text style as used in
other plugins.
This patch is related to: https://github.com/freeipa/freeipa/pull/6840
Most of ipapwpolicy parameters can be set to an empty string ("") so
that the policy is not applied to pwpolicy. This was not reflected in
the documentation.
This change adds 'or ""' to all the fields that can be disabled by
setting it to an empty string. Also, data types were reviewed and fixed.
Modified handling of boolean values by using Ansible's 'boolean()' check
function so that a string can be used and either a bool value is
accepted or an empty string.
As the error message was changed to use the same Ansible message, tests
were also updated.
This patch adds a new parameter to ipauser, 'gecos', which can be used
to set the 'gecos' field of an IPA user. The default behavior of
automatically setting the GECOS field to "<first> <last>" is not modified,
it is only possible to change the field to a custom value.
No validation on the value provided is done, as it is with FreeIPA.
The 'maxsequence' attribute was never applied as there was a typo when
it was set. By fixing the field name, 'maxsequence' is correctly set.
The failure was not seen before due to missing tests. The tests will be
added in a separate PR.
There is a new certificate management module placed in the plugins
folder:
plugins/modules/ipacert.py
The certificate module allows requesting, revoking, releasing and retrieving
certificates for users, hosts and services.
Here is the documentation for the module:
README-cert.md
New example playbooks have been added:
playbooks/cert/cert-hold.yml
playbooks/cert/cert-release.yml
playbooks/cert/cert-request-host.yml
playbooks/cert/cert-request-service.yml
playbooks/cert/cert-request-user.yml
playbooks/cert/cert-retrieve.yml
playbooks/cert/cert-revoke.yml
New tests for the module can be found at:
tests/cert/test_cert_client_context.yml
tests/cert/test_cert_host.yml
tests/cert/test_cert_service.yml
tests/cert/test_cert_user.yml
The module has been co-authored by Sam Morris (@yrro) and Rafael
Guterres Jeffman (@rjeffman).
Any leading or trailing whitespace is removed while adding the
certificates with service_add_cert. To be able to compare the results
from service_show with the given certificates we have to remove the
white space also.
Adding an option to create multiple services in one go.
Adding tests (present/absent/without_skip_host_check)
Copied from PR #1054
Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
Ensuring (adding) several groups with mixed types external, nonposix
and posix requires a fix in IPA:
FreeIPA issue: https://pagure.io/freeipa/issue/9349
FreeIPA fix: https://github.com/freeipa/freeipa/pull/6741
The simple solution is to switch to client context for ensuring several
groups simply if the user was not explicitly asking for the server context
no matter if mixed types are used.
Adding an option `groups` to create multiple groups in one operation.
Adding tests (present/absent/external/nonposix) with server and
client context.
Simple example of `groups` option:
```
  tasks:
  - name: Ensure 2 groups are present
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      groups:
      - name: group1
      - name: group2
```
Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
Due to an API misbehaviour in FreeIPA, ipaexternalmembers need to be
treated differently than other group members parameters. Even an empty
array triggers all tests for external members, including the check for
installed dcerpc bindings.
Therefore ipagroup module has been changed to not set ipaexternalmember
to an empty list if there are no external members to be added or
removed.
The way randompasswords are returned by the ipahost module depends
so far on the number of hosts that are handled by the module.
This is unexpected if for example a json file is provided with the hosts
parameter. As it might be unknown how many hosts are in the json file,
this behaviour is unexpected. The return should not vary in this case.
This change makes the return simply depend on the use of the hosts
parameter. As soon as this parameter is used, the return will always be:
"host": { "<the host>": { "randompassword": "<the host random password>" } }
In the simple case with one host it will be still
"host": { "randompassword": "<the host random password>" }
This change for ipahost is related to the ipauser PR #1053.
The way randompasswords are returned by the ipauser module depends
so far on the number of users that are handled by the module.
This is unexpected if for example a json file is provided with the users
parameter. As it might be unknown how many users are in the json file,
this behaviour is unexpected. The return should not vary in this case.
This change makes the return simply depend on the use of the users
parameter. As soon as this parameter is used, the return will always be:
"user": { "<the user>": { "randompassword": "<the user random password>" } }
In the simple case with one user it will be still
"user": { "randompassword": "<the user random password>" }
Fixes: #1052 (ipauser should consistently return randompasswords when
used with users)
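Added example, not part of the commit messages or of the project's code: a consumer-side helper that turns either return shape described in the ipahost and ipauser messages above into one name-to-password mapping, plus a masked copy for logging. The function names, the `single_name` argument and the sample results are assumptions constructed for illustration.

```python
def random_passwords(result, kind, single_name=None):
    """Return {name: password} from a registered ipauser/ipahost result.

    kind is "user" or "host". single_name names the entry for the flat
    single-entry shape, which does not carry the name itself.
    """
    data = result.get(kind) or {}
    flat = data.get("randompassword")
    if isinstance(flat, str):
        # Flat shape: {"user": {"randompassword": "<password>"}}
        if single_name is None:
            raise ValueError("flat result needs single_name")
        return {single_name: flat}
    # Keyed shape: {"user": {"<name>": {"randompassword": "<password>"}}}
    # An entry that happens to be named "randompassword" lands here too,
    # because its value is a dict rather than a string.
    return {
        name: entry["randompassword"]
        for name, entry in data.items()
        if isinstance(entry, dict) and "randompassword" in entry
    }


def redacted(passwords):
    """Copy of the mapping that is safe to log: names kept, secrets masked."""
    return {name: "********" for name in passwords}


# Constructed sample results (not real module output).
KEYED = {"changed": True,
         "user": {"alice": {"randompassword": "s3cr3t-A"},
                  "bob": {"randompassword": "s3cr3t-B"}}}
FLAT = {"changed": True, "host": {"randompassword": "s3cr3t-H"}}

if __name__ == "__main__":
    print(redacted(random_passwords(KEYED, "user")))
    print(redacted(random_passwords(FLAT, "host", "host1.example.com")))
```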
With 4.9.10, the values of bools have been changed from "TRUE" and
"FALSE" to real bool values.
With IPA < 4.9.10 the new bool checks distcheck and usercheck failed
the tests for enabling the checks with an "already enabled" error.
A new version check together with providing the ansible module for
gen_args has been added. The values True and False are now transformed
into "TRUE" and "FALSE" for IPA < 4.9.10.
The function bool_param has been renamed to bool_or_empty_param to match
the int_or_empty_param and to have a more explanatory name.
All values for pwpolicy can be cleared with an empty string in IPA CLI,
and this behavior was missing in ansible-freeipa.
As of today, there is an issue in FreeIPA that does not allow clearing
'minlength' policy. The issue is tracked by the FreeIPA project through
https://pagure.io/freeipa/issue/9297
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2150334