Ubuntu does not have a FreeIPA server package since version 20.04. As
versions 16.04 (Xenial Xerus) and 18.04 (Bionic Beaver) will be
supported by Canonical until 2026 and 2028, repectively, we should keep
existing support for both versions in the ipaserver, ipareplica and
ipabackup roles until them.
This patch changes documentation to reflect that only those versions are
supported.
Indirect maps were not supported by ansible-freeipa ipaautomountmap.
This patch adds support for adding indirect automount maps using the
"parent" and "mount" parameters, if the map do not yet exist. An
existing map cannot be modified.
The "parent" parameter must match an existing automount map, and the
"mount" parameter is required if "parent" is used.
A new example playbook can be found at:
playbooks/automount/automount-map-indirect-map.yml
A new test playbook was added to test the feature:
tests/automount/test_automountmap_indirect.yml
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.
An additional check was added to verify that the values of the
user_auth_type list are valid for the used IPA version.
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.
An additional check was added to verify that the values of the
auth_ind list are valid for the used IPA version.
The parameter auth_ind has been updated in FreeIPA. The choice
idp have been missing and is now added.
An additional check was added to verify that the values of the
auth_ind list are valid for the used IPA version.
The parameter user_auth_type has been updated in FreeIPA. The choices
pkinit, hardened and idp have been missing and are now added.
An additional check was added to verify that the values of the
user_auth_type list are valid for the used IPA version.
New IPAAnsibleModule.ipa_command_invalid_param_choices method to return
invalid parameter choices for an IPA command.
This is needed to verify for example if userauthtype and authind are
supporting the idp value.
When runing tests using 'utils/run-tests.sh' from inside an existing
Python virtual environment the Ansible collections are not installed due
to the order of execution of the script. On a machine that does not have
the 'containers.*' collection the test fails as there is no container
connector available.
This patch moves the section that installs Ansible collections to run
after the virtual environment is configured, and then install the
collections (usually, only 'containers.podman'), allowing the tests to
be executed.
Since FreeIPA version 4.8.0 ipauser has support for smb-logon-script,
smb-profile-path, smb-home-dir, and smb-home-drive drive attributes.
On FreeIPA, these attributes are only available when modifying a user,
so if the user defined in the playbook does not exist, two calls to IPA
API are executed, a 'user_add' followed by a 'user_mod'.
(see https://github.com/freeipa/freeipa/blob/master/doc/designs/adtrust/samba-domain-controller.md
A new example playbook can be found at:
playbooks/user/smb-attributes.yml
A new test playbook can be found at:
tests/user/test_user_smb_attrs.yml
Host location and server location have very different meanings in IPA.
ipahost uses 'location' as an optional hint to where the host may be
physically located, ipaserever uses location to identify which DNS
location the server is part of.
This change updates documentation to make attribute description more
clear. Surrounding text have been changed to match text style as used in
other plugins.
This patch is related to: https://github.com/freeipa/freeipa/pull/6840
'virtualenv' is an external dependency with the same purpose of Python's
'venv' module. This patch removes the external dependency in favor of
the readily available package.
Most of ipapwpolicy parameters can be set to an empty string ("") so
that the policy is not applied to pwpolicy. This was not refelected on
the documentation.
This change adds 'or ""' to all the fields that can be disabled by
setting it to an empty string. Also, `data types were reviewed and fixed.
Modified handling of boolean values by using Ansible's 'boolean()' check
function so that a string can be used and either a bool value is
accepted or an empty string.
As the error message was changed to use the same Ansible message, tests
were also updated.
Export Ansible's 'boolean' parsing function so it can be used to verify
if a string can be handled as a truthy value, allowing module parameters
to use strings instead of bools, as strings can be cleared by using
empty strings.
This patch adds a new parameter to ipauser, 'gecos', which can be used
to set the 'gecos' field of an IPA user. The default behavior of
automatically set the GECOS field to "<first> <last>" is not modified,
it is only possible to change the field to a custom value.
No validation on the value provided is done, as it is with FreeIPA.
ansible-core 2.15 has been released on May 15th, 2023, and version 2.12
has reached EOL on May 22nd, 2023.
This patch updates the ansible-core versions used on upstream CI tests
to reflect Ansible's new releases.
The 'maxsequence' attribute was never applied as there was a typo when
it was set. By fixing the field name, 'maxsequence' is correclty set.
The failure was not seen before due to missing tests. The tests will be
added in a separate PR.
There is a new certificate management module placed in the plugins
folder:
plugins/modules/ipacert.py
The certificate module allows to request, revoke, release and retrieve
certificates for users, hosts and services.
Here is the documentation for the module:
README-cert.md
New example playbooks have been added:
playbooks/cert/cert-hold.yml
playbooks/cert/cert-release.yml
playbooks/cert/cert-request-host.yml
playbooks/cert/cert-request-service.yml
playbooks/cert/cert-request-user.yml
playbooks/cert/cert-retrieve.yml
playbooks/cert/cert-revoke.yml
New tests for the module can be found at:
tests/cert/test_cert_client_context.yml
tests/cert/test_cert_host.yml
tests/cert/test_cert_service.yml
tests/cert/test_cert_user.yml
The module has been co-authored by Sam Morris (@yrro) and Rafael
Guterres Jeffman (@rjeffman).
The tests test_services_absent.yml, test_services_present.yml and
test_services_present_slice.yml have been updated to use in memory data
for testing instead of loading json files. This made is simpler to use
variables from the playbook for example for fqdn host names.
New tests for certificates with and without trailing new lines have been
added for single service and multiple service handling.
Any leading or trailing whitespace is removed while adding the
certificates with serive_add_cert. To be able to compare the results
from service_show with the given certificates we have to remove the
white space also.
Adding an option to create multiple services in one go.
Adding tests (present/absent/without_skip_host_check)
Copied from PR #1054
Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>
If server FQDN matches the domain name, the installation will succeed,
but DNS records will not work. If 'setup_dns: true' is used, there will
be no A record for the host, only a NS record, and the PTR record will
point to the domain name.
Based on: https://github.com/freeipa/freeipa/pull/6853
Related to: https://pagure.io/freeipa/issue/9003
