Github actions checkout v3.1.0 and setup-python v4.3.0 use deprecated
Node.js 16.
Bumping version to checkout v4.1.1 and setup-python v5.1.0 fixes the
workflows, as both use the recommended Node.js 20.
The checkout depth has been set to 1 (shallow copy) for all tasks that
do not require git history to be available.
delete_continue defaults to None. The use of continue: None is resulting
in an error with the batch command. Therefore only set continue if it is
not None.
These are manager, principal, certificate and certmapdata.
The result_handler function has been adapted and the exception_handler
function has been removed.
A new function has been added:
convert_certificate
The changed state returned from ipaclient_configure_dns_resolver was
always True. The internal functions (copies from FreeIPA code) have been
fixed to return a changed state.
Fixes: #1217 (ipaclient: Configure DNS resolver always reports as changed)
Two new options have been added to enable the offline build within rpm:
-o <A.B.C> Build offline without using git, using version A.B.C
Also enables -a
-p <path> Installation the generated collection in the path, the
ansible_collections sub directory will be created and will
contain the collection: ansible_collections/<namespace>/<name>
Also enables -i
The usage text has been fixed also for specifying namespace and name.
The collection variable has been renamed to name.
Example usage:
utils/build-galaxy-release.sh -o 1.12.1 \
-p %{buildroot}%{_datadir}/ansible/collections \
freeipa ansible_freeipa
Use IPAChangeConf and realm_to_ldapi_uri to create IPA_DEFAULT_CONF.
With realm_to_ldapi_uri the ldap_uri is correctly using /run instead of
/var/run.
Before IPA_DEFAULT_CONF was created using file operations.
The custodia setup is executed twice. At first in
ipaserver_setup_custodia and then additionally in ipaserver_setup_ca.
The custodia setup code in ipaserver_setup_ca.py has been adapted to fit
the code in ipaserver_setup_custodia.py.
The extra Setup custodia step in the server roles has been removed
together with ipaserver_setup_custodia.py.
If ipaserver_domain is not given, the domain name is generated from the
host fqdn.
This generated value was so far not returned, but the empty given value
instead.
The generated certificates have been X.509 v1. This is not supported any
more. Only X.509 v3 is supported.
A new certificates/extensions.conf file has been added to make v3
certificates.
The existing certificates/pkinit/extensions.conf has been renamed to
certificates/pkinit-extensions.conf with additional changes. For example
"[kdc_cert]" had to be removed for v3.
The extensions config files are using environment variables, which are
set by the generate-certificates.sh script before calling openssl.
The script generate-certificates.sh has been reworked for a simpler
structure, also new options have been added: "ca" and "cleanup".
This patch force processing of permission, attribute and group
attributes in lower case, to match behavior of IPA CLI, transforming
all of them into lowercase characters.
The new behavior fixes idempotence issues when mixing different
capitalization in different tasks for the same attribute.
A new test playbook is avaiable at:
tests/delegation/test_delegation_member_case_insensitive.yml
Some attributes for ipagroup objects are stored using lower case letters
and should be converted upon retrieving parameter data.
This patch adds the missing conversion and provides a new test playbook:
tests/group/test_group_case_insensitive.yml
ipahostgroup parameters 'host', 'hostgroup', 'membermanager_user' and
'membermanager_group' must be compared in a case insensitive manner
and stored as lower case strings.
This patch fixes the comparison and storage of this parameters, and
change the handling of members to use the same structure as in newer
modules.
Two new tests files were added:
tests/hostgroup/test_hostgroup_case_insensitive.yml
tests/hostgroup/test_hostgroup_membermanager_case_insensitive.yml
The config tests are currently setting the pac type to empty or without
MS-PAC type. This results in failed authorization for IPA API.
An issue has been opened for FreeIPA to address this:
https://pagure.io/freeipa/issue/9527
As FreeIPA now requires MS-PAC to be set in ipaKrbAuthzData to trigger
PAC generation, there's a timing issue that causes API malfunction which
is long enough to cause the client part insallation to fail.
By restarting KDC after DS password is set, we force cached values to be
refreshed, allowing the API to work correctly.
Resolves: https://github.com/freeipa/ansible-freeipa/issues/1200
This is "Fix ipa-client-automount install/uninstall with new install
states" https://github.com/freeipa/freeipa/pull/7100 for ansible-freeipa:
Issue 8384 introduced a new installation state for the statestore
to identify when client/server installation is completely finished
rather than relying on has_files().
The problem is that ipa-client-automount may be called during
ipa-client-install and since installation is not complete at that
point the automount install was failing with "IPA client not
configured".
Add a new state, 'automount', to designate that automount installation
is in process. If check_client_configuration() fails it checks to
see if [installation] automount is True. If so it continues with the
installation.
This also addresses an issue where the filestore and statestore are
shared between the client and automount installers but the client
wasn't refreshing state after automount completed. This resulted in
an incomplete state and index file of backed-up files which caused
files to not be restored on uninstall and the state file to be
orphaned.
Fixes: https://pagure.io/freeipa/issue/9487
FreeIPA provides a default hbacsvcgroup named "Sudo", with capital 'S',
that is different from every other hbacsvcgroup, which are all
represented by lower case letters.
As data from IPA API was not modified, this causes an idempotence error
when using different capitalization with the 'hbacsvcgroup' parameter.
This patch fixes the issue by using the CaseInsensitive comparator to
create the hbacsvcgroup list.
Tests were update to make sure a regression is not included in the
future.
