On recent versions of FreeIPA option to verify passwords and for
controlling a password grace period have been added to IPA API.
This patch adds support for the parameters maxrepeat, maxsequence,
dictcheck and usercheck, available since FreeIPA, 4.9 and gracelimit,
available since FreeIPA 4.9.10.
Test playbooks for the module have been updated with the new supported
parameters.
New example playbooks can be found at:
playbooks/pwpolicy/pwpolicy_grace_limit.yml
playbooks/pwpolicy/pwpolicy_password_check.yml
There is a new netgroup management module placed in the plugins folder:
plugins/modules/ipanetgroup.py
The netgroup module allows to ensure presence or absence of netgroup
and manage netgroup members.
Here is the documentation for the module:
README-netgroup.md
New example playbooks have been added:
playbooks/netgroup/netgroup-absent.yml
playbooks/netgroup/netgroup-member-absent.yml
playbooks/netgroup/netgroup-member-present.yml
playbooks/netgroup/netgroup-present.yml
New tests for the module:
tests/netgroup/test_netgroup.yml
tests/netgroup/test_netgroup_client_context.yml
tests/netgroup/test_netgroup_member.yml
tests/netgroup/test_netgroup_member_absent.yml
tests/netgroup/test_netgroup_member_case_insensitive.yml
Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
Since FreeIPA 4.9.8 the 'config_mod' command has parameters to enable
and configure SIDs, and set the Netbios name.
This patch adds the following parameters to ipaconfig plugin:
enable_sids: New users and groups automatically get a SID assigned
add_sids: Add SIDs for existing users and groups
netbios_name: NetBIOS name of the IPA domain
Both add_sids and netbios_name requires 'enable_sid: yes'.
'enable_sid' and 'netbios_name' are returned when querying IPA
configuration.
'add_sids' always generate SIDs for users and groups, so, muiltiple
executions of the playbook with 'add_sids: yes' will return 'changed',
even if users and groups SIDs are not modified.
A new test playbook is available:
tests/config/test_config_sid.yml
New examples playbooks are available:
playbooks/config/change-ipa-domain-netbios-name.yml
playbooks/config/generate-users-groups-sids.yml
Fixes: #781
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069174
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069184
There are new smartcard roles in the roles folder:
roles/ipasmartcard_server
roles/ipasmartcard_client
This roles allows to setup smartcard for servers and clients.
Here is the documentation for the roles:
roles/ipasmartcard_server/README.md
roles/ipasmartcard_client/README.md
New example playbooks have been added:
playbooks/install-smartcard-server.yml
playbooks/install-smartcard-replicas.yml
playbooks/install-smartcard-servers.yml
playbooks/install-smartcard-clients.yml
There is a new idrange management module placed in the plugins folder:
plugins/modules/ipaidrange.py
The idrange module allows to ensure presence and absence of idranges.
Here is the documentation of the module:
README-idrange.md
New example playbooks have been added:
playbooks/idrange/idrange-absent.yml
playbooks/idrange/idrange-ad-posix-present.yml
playbooks/idrange/idrange-ad-present.yml
playbooks/idrange/idrange-present.yml
New tests for the module can be found at:
tests/idrange/test_idrange.yml
tests/idrange/test_idrange_client_context.yml
Some example playbooks do not had the parameter `ipaadmin_password`
set, and some had a different value than the standard value
"SomeADMINpassword".
This patch fixes this difference in all example playbooks.
There is a new servicedelegationrule management module placed in the plugins
folder:
plugins/modules/ipaservicedelegationrule.py
The servicedelegationrule module allows to ensure presence and absence of
servicedelegationrules and servicedelegationrule members.
Here is the documentation of the module:
README-servicedelegationrule.md
New example playbooks have been added:
playbooks/servicedelegationrule/servicedelegationrule-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-principal-member-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-principal-member-present.yml
playbooks/servicedelegationrule/servicedelegationrule-target-member-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-target-member-present.yml
playbooks/servicedelegationrule/servicedelegationrule-present.yml
New tests for the module:
tests/servicedelegationrule/test_servicedelegationrule.yml
tests/servicedelegationrule/test_servicedelegationrule_client_context.yml
tests/servicedelegationrule/test_servicedelegationrule_hostprincipal.yml
There is a new servicedelegationtarget management module placed in the plugins
folder:
plugins/modules/ipaservicedelegationtarget.py
The servicedelegationtarget module allows to ensure presence and absence of
servicedelegationtargets and servicedelegationtarget members.
Here is the documentation of the module:
README-servicedelegationtarget.md
New example playbooks have been added:
playbooks/servicedelegationtarget/servicedelegationtarget-absent.yml
playbooks/servicedelegationtarget/servicedelegationtarget-member-absent.yml
playbooks/servicedelegationtarget/servicedelegationtarget-member-present.yml
playbooks/servicedelegationtarget/servicedelegationtarget-present.yml
New tests for the module:
tests/servicedelegationtarget/test_servicedelegationtarget.yml
tests/servicedelegationtarget/test_servicedelegationtarget_client_context.yml
tests/servicedelegationtarget/test_servicedelegationtarget_hostprincipal.yml
As of verison 1.6.1 of ansible-freeipa, ipadnsconfig supports
'action: member' to manage DNS forwardes, and requires the use of this
action if 'state: present'.
This patch fixes the playbook examples.
There is a new automount key module placed in the plugins folder:
plugins/modules/ipaautomountkey.py
The server module allows to ensure presence and absence of automount
keys. The module requires an existing automount location and map to
place the key within.
Here is the documentation for the module:
README-automountkey.md
New example playbooks have been added:
playbooks/automount/automount-key-absent.yaml
playbooks/automount/automount-key-present.yaml
New tests for the module:
tests/automount/test_automountkey.yml
There is a new server management module placed in the plugins folder:
plugins/modules/ipaautomountmap.py
The server module allows to ensure presence and absence of automount
maps. The module requires an existing automount location to place the
map within. It does not create any automount keys with in the map.
Here is the documentation for the module:
README-automountmap.md
New example playbooks have been added:
playbooks/automount/automount-map-absent.yaml
playbooks/automount/automount-map-present.yaml
New tests for the module:
tests/automount/test_automountmap.yml
The removal of group or hostgroup orphans has been added to the automember
module.
It can be ensured that orphans have been removed using action: orphans_removed
The automember_type needs to be set for this.
New examples have been added to README-automember.md
New playbooks:
- playbooks/automember/automember-group-orphans-removed.yml
- playbooks/automember/automember-hostgroup-orphans-removed.yml
New tests:
- tests/automember/test_automember_orphans_removed.yml
The fallback group and hostgroup for unmached entries can be set and
unset using default_group. If default_group is empty, then the default
group will be unset.
DN and ipa_get_based provided by ansible_freeipa_module are used in the
code.
New parameters:
- default_group: Default (fallback) group for all unmatched entries.
New parameters and examples have been added to README-automember.md
New playbooks:
- playbooks/automember/automember-default-group-not-set.yml
- playbooks/automember/automember-default-group-set.yml
- playbooks/automember/automember-default-hostgroup-not-set.yml
- playbooks/automember/automember-default-hostgroup-set.yml
New tests:
- tests/automember/test_automember_default_group.yml
There was state: rebuild before, but the code was incomplete and was not
able to run properly.
New parameters:
- users: Limit the rebuild to the given users only
- hosts: Limit the rebuild to the given hosts only
- no_wait: Don't wait for rebuilding membership
New parameters and examples have been added to README-automember.md
tests/automember/test_automember_client_context.yml has been using
state: rebuild and lacked the automember_type parameter.
grouping was used in functions and has been replaced by automember_type.
Some typos in examples have been fixed also.
New playbooks:
- playbooks/automember/automember-group-membership-all-users-rebuilt.yml
- playbooks/automember/automember-group-membership-users-rebuilt.yml
- playbooks/automember/automember-hostgroup-membership-all-hosts-rebuilt.yml
- playbooks/automember/automember-hostgroup-membership-hosts-rebuilt.yml
New tests:
- tests/automember/test_automember_rebuilt.yml
This patch fixes yamllint's "line too long" (line-lenght) warnings
by ensuring all lines in YAML files have, at most, 160 characters.
If a line cannot be written as a multiline block, line-length rule
evaluation is disabled for the specific line, both on yamllint and
on ansible-lint.
There is a new automount location management module placed in the plugins folder:
plugins/modules/ipaautomountlocation.py
This module allows to ensure presence and absence of automount locations
that act as containers for automount onjects in ipa.
Here is the documentation for the module:
README-automountlocation.md
New example playbooks have been added:
playbooks/automount/automount-location-absent.yml
playbooks/automount/automount-location-present.yml
New tests for the module:
tests/automount/test_automountlocation.yml
There is a new automember management module placed in the plugins folder:
plugins/modules/ipaautomember.py
The automember module allows to ensure presence or absence of automember rules
and manage automember rule conditions.
Here is the documentation for the module:
README-automember.md
New example playbooks have been added:
playbooks/automember/automember-group-absent.yml
playbooks/automember/automember-group-present.yml
playbooks/automember/automember-hostgroup-absent.yml
playbooks/automember/automember-hostgroup-present.yml
playbooks/automember/automember-hostgroup-rule-absent.yml
playbooks/automember/automember-hostgroup-rule-present.yml
New tests for the module:
tests/automember/test_automember.yml
There is a new server management module placed in the plugins folder:
plugins/modules/ipaserver.py
The server module allows to ensure presence and absence of servers. The
module requires an existing server, the deployment of a new server can
not be done with the module.
DNSName has been added to ansible_freeipa_module in plugins/module_utils
as this is used for locations.
Here is the documentation for the module:
README-server.md
New example playbooks have been added:
playbooks/server/server-absent-continue.yml
playbooks/server/server-absent-force.yml
playbooks/server/server-absent-ignore_last_of_role.yml
playbooks/server/server-absent-ignore_topology_disconnect.yml
playbooks/server/server-absent.yml
playbooks/server/server-hidden.yml
playbooks/server/server-location.yml
playbooks/server/server-no-location.yml
playbooks/server/server-no-service-weight.yml
playbooks/server/server-not-hidden.yml
playbooks/server/server-present.yml
playbooks/server/server-service-weight.yml
New tests for the module:
tests/server/test_server.yml
Change in module_utils/ansible_freeipa_module:
DNSName is imported from ipapython.dnsutil and also added to __all__
Without this change the "Import variables specific to distribution"
tasks fail with "Could not find file on the Ansible Controller..."
on environments with inject facts disabled.
This changes the tests to run with ansible with
inject_facts_as_vars = false and fixes other roles and playbooks.
The example playbooks for ipaselfservice were using the wrong module,
ipadelegation. This patch changes the references from ipadelegation
to ipaselfservice on these example playbooks.
Also, the attributes were changed, so the same attributes are used
throughout the examples.
There is a new backup role in the roles folder:
roles/ipabackup
This role allows to backup an IPA server, to copy a backup from the
server to the controller, to copy all backups from the server to the
controller, to remove a backup from the server, to remove all backups
from the server, to restore an IPA server locally and from the controller
and also to copy a backup from the controller to the server.
Here is the documentation for the role:
roles/ipabackup/README.md
New example playbooks have been added:
playbooks/backup-server.yml
playbooks/backup-server-to-controller.yml
playbooks/copy-backup-from-server.yml
playbooks/copy-all-backups-from-server.yml
playbooks/remove-backup-from-server.yml
playbooks/remove-all-backups-from-server.yml
playbooks/copy-backup-to-server.yml
playbooks/restore-server-from-controller.yml
playbooks/restore-server.yml
When using the ipavault module to retrieve stored data, this data is
often sensitive, and if `no_log` is not enabled on the playbook, the
sensitive data will be logged by Ansible.
This change in de documentation, and playbook examples, suggests the
use of `no_log: true` when using `state: retrieved` with ipavault.
There is a new permission management module placed in the plugins folder:
plugins/modules/ipapermission.py
The permission module allows to ensure presence of absence of permissions
and manage permission members.
Here is the documentation for the module:
README-permission.md
New example plabooks have been added:
playbooks/permission/permission-absent.yml
playbooks/permission/permission-allow-read-employeenum.yml
playbooks/permission/permission-member-absent.yml
playbooks/permission/permission-member-present.yml
playbooks/permission/permission-present.yml
playbooks/permission/permission-renamed.yml
New tests for the module:
tests/permission/test_permission.yml
There is a new privilege management module placed in the plugins folder:
plugins/modules/ipaprivilege.py
The privilege module allows to ensure presence or absence of privilege
and manage privilege permission memebers.
Here is the documentation for the module:
README-privilege.md
New example playbooks have been added:
playbooks/privilege/privilege-absent.yml
playbooks/privilege/privilege-member-absent.yml
playbooks/privilege/privilege-member-present.yml
playbooks/privilege/privilege-present.yml
New tests for the module:
tests/privilege/test_privilege.yml
There is a new trust management module placed in the plugins folder:
plugins/modules/trust.py
The trust module allows to ensure presence and absence of trusts.
Here is the documentation for the module:
README-trust.md
New example playbooks have been added:
playbooks/trust/add-trust.yml
playbooks/trust/del-trust.yml
New tests added for the module:
tests/hbacrule/test_trust.yml
When adding a zone using the option name_from_ip, the user have
little control over the final name of the zone, and if this name
is to be used in further processing in a playbook it might lead to
errors if the inferred name does not match what the user wanted to.
By returning the actual inferred zone name, the name can be safely
used for other tasks in the playbook.
