There is a new management module placed in the plugins folder:
plugins/modules/ipadnszone.py
The dnszone module allows to manage DNS zones.
Here is the documentation for the module:
README-dnszone.md
New example playbooks have been added:
playbooks/dnszone/disable-zone-forwarders.yml
playbooks/dnszone/dnszone-absent.yml
playbooks/dnszone/dnszone-all-params.yml
playbooks/dnszone/dnszone-disable.yml
playbooks/dnszone/dnszone-enable.yml
playbooks/dnszone/dnszone-present.yml
New tests for the module:
tests/dnszone/test_dnszone.yml
tests/dnszone/test_dnszone_mod.yml
Due to setting aaaa_extra_create_reverse or a_extra_create_reverse when not
needed, host module fails to add a host with reverse address. This patch
fixes the behavior by only adding *_extra_create_reverse when needed.
There is a new vaultcontainer management module placed in the plugins folder:
plugins/modules/ipadnsconfig.py
The dnsconfig module allows to modify global DNS configuration.
Here is the documentation for the module:
README-dnsconfig.md
New example playbooks have been added:
playbooks/dnsconfig/set_configuration.yml
playbooks/dnsconfig/disable-global-forwarders.yml
playbooks/dnsconfig/disallow-reverse-sync.yml
New tests for the module:
tests/dnsconfig/test_dnsconfig.yml
There is a new service management module placed in the pluginsfolder:
plugins/modules/ipaservice.py
The service module allows to ensure presence and absence of services, and
manage members and certificates of the service.
Here is the documentation for the module:
README-service.md
New example playbooks have been added:
playbooks/service/service-host-is-absent.yml
playbooks/service/service-host-is-present.yml
playbooks/service/service-is-absent.yml
playbooks/service/service-is-disabled.yml
playbooks/service/service-is-present-with-all-attributes.yml
playbooks/service/service-is-present-without-host-object.yml
playbooks/service/service-is-present.yml
playbooks/service/service-member-allow_create_keytab-absent.yml
playbooks/service/service-member-allow_create_keytab-present.yml
playbooks/service/service-member-allow_retrieve_keytab-absent.yml
playbooks/service/service-member-allow_retrieve_keytab-present.yml
playbooks/service/service-member-certificate-absent.yml
playbooks/service/service-member-certificate-present.yml
playbooks/service/service-member-principal-absent.yml
playbooks/service/service-member-principal-present.yml
New tests added for the module:
tests/service/test-service.yml
One test did not use the admin password as the rest of the tests.
This caused the tests/pwpolicy/test_pwpolicy.yml suite to fail.
Changing the password to the same as in others fixes the issue.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
If no IP address is given and either DNS is not configured or if the zone is
not found then ipahost may not fail in dnsrecord_find.
The error happened for example by ensuring the absence of a host that is not
part of the domain or for a host that has been added with force and is using
a domain that is not served by the DNS server in the domain. It also
happened if there was no DNS server in the domain at all.
A new test case has been added to test_host_ipaddresses.yml
The fix requires ipalib_errors provided by ansible_freeipa_module.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1804838
host1 was used instead of host5 in the repeated host5 test. This lead to an
error with the new IP address handling in ipahost. It was correctly
reporting a change for host1 which resulted in a failed test.
ipahost was so far ignoring IP addresses when the host already existed.
This happened because host_mod is not providing functionality to do this.
Now ipaddress is a list and it is possible to ensure a host with several
IP addresses (these can be IPv4 and IPv6). Also it is possible to ensure
presence and absence of IP addresses for an exising host using action
member.
There are no IP address conclict checks as this would lead into issues with
updating an existing host that already is using a duplicate IP address for
example for round-robin (RR). Also this might lead into issues with ensuring
a new host with several IP addresses in this case. Also to ensure a list of
hosts with changing the IP address of one host to another in the list would
result in issues here.
New example playbooks have been added:
playbooks/host/host-present-with-several-ip-addresses.yml
playbooks/host/host-member-ipaddresses-absent.yml
playbooks/host/host-member-ipaddresses-present.yml
A new test has been added for verification:
tests/host/test_host_ipaddresses.yml
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1783976https://bugzilla.redhat.com/show_bug.cgi?id=1783979
Bool types are not iterable. Therefore the comparison using sets was failing
with a TypeError. This prevented to change the bool parameters for hosts.
A test for the host module has been added to verify that the bool parameters
can be modified.
New test:
tests/host/test_host_bool_params.yml
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1784514
Most tests have simply been using the Tests as name, but this there is a
lack of information in automated runs. The name should be similar to the
test file name.
Changing members (host, hostgroup, hbacsvc, hbacsvcgroup, user, group) with
action hbacrule was not working due to the use of the wrong parameter
prefix. This has been fixed and the old members are removed correctly now.
The test script has been reworked completely to verify the fix.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1787996
If the name is not set, the policy global_policy is now used. It was needed
before to explicitly name the global_policy. Also a check has been added
to fail early if global_policy is used with state absent.
The README for pwpolicy has been extended with an example for global_policy
and also the description of the name variable.
The test has also been extended to check a change of maxlife for
global_policy and that global_policy can not be used with state: absent
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1797532
This patch adds the following attributes to ipasudorule:
- order
- sudooption
- runasuser
- runasgroup
It also fixes behavior of sudocmd assigned to the the sudorule, with the
adittion of the attributes:
- allow_sudocmds
- deny_sudocmds
- allow_sudocmdgroups
- deny_sudocmdgroups
README-sudorule and tests have been updated to comply with the changes.
There is a new vault management module placed in the plugins folder:
plugins/modules/ipavault.py
The vault module allows to ensure presence and absence of vaults, manage
members and owner of the vault, and archive data in the vault.
Here is the documentation for the module:
README-vault.md
New example playbooks have been added:
playbooks/vault/data-archive-in-asymmetric-vault.yml
playbooks/vault/data-archive-in-symmetric-vault.yml
playbooks/vault/ensure-asymetric-vault-is-absent.yml
playbooks/vault/ensure-asymetric-vault-is-present.yml
playbooks/vault/ensure-service-vault-is-absent.yml
playbooks/vault/ensure-service-vault-is-present.yml
playbooks/vault/ensure-shared-vault-is-absent.yml
playbooks/vault/ensure-shared-vault-is-present.yml
playbooks/vault/ensure-standard-vault-is-absent.yml
playbooks/vault/ensure-standard-vault-is-present.yml
playbooks/vault/ensure-symetric-vault-is-absent.yml
playbooks/vault/ensure-symetric-vault-is-present.yml
playbooks/vault/ensure-vault-is-present-with-members.yml
playbooks/vault/ensure-vault-member-group-is-absent.yml
playbooks/vault/ensure-vault-member-group-is-present.yml
playbooks/vault/ensure-vault-member-user-is-absent.yml
playbooks/vault/ensure-vault-member-user-is-present.yml
playbooks/vault/ensure-vault-owner-is-absent.yml
playbooks/vault/ensure-vault-owner-is-present.yml
New tests added for the module:
tests/vault/test_vault.yml
The ipahost management module was not able to add several hosts at once.
Addtionally there have been settings missing.
ansible_freeipa_module has been extended to provide two additional functions
that are needed to simplify the extension of the ipahost module:
gen_add_del_lists(user_list, res_list)
encode_certificate(cert)
gen_add_del_lists will generate the lists for the addition and removal of
members using the provided user and ipa settings.
encode_certificate will encode a certificate using base64 with also taking
FreeIPA and Python versions into account.
The missing settings in ipahost have been:
certificate
managedby_host
principal
create_keytab_[user,group,host,hostgroup]
retrieve_keytab_[user,group,host,hostgroup]
sshpubkey
userclass
auth_ind
requires_pre_auth
ok_as_delegate
ok_to_auth_as_delegate
The README-host.md file has been updated to provide information about the
new settings and also the members. Also examples for the new things have
been added.
New example playbooks have been added:
playbooks/host/add-host.yml
playbooks/host/host-member-allow_create_keytab-absent.yml
playbooks/host/host-member-allow_create_keytab-present.yml
playbooks/host/host-member-allow_retrieve_keytab-absent.yml
playbooks/host/host-member-allow_retrieve_keytab-present.yml
playbooks/host/host-member-certificate-absent.yml
playbooks/host/host-member-certificate-present.yml
playbooks/host/host-member-managedby_host-absent.yml
playbooks/host/host-member-managedby_host-present.yml
playbooks/host/host-member-principal-absent.yml
playbooks/host/host-member-principal-present.yml
playbooks/host/host-present-with-allow_create_keytab.yml
playbooks/host/host-present-with-allow_retrieve_keytab.yml
playbooks/host/host-present-with-certificate.yml
playbooks/host/host-present-with-managedby_host.yml
playbooks/host/host-present-with-principal.yml
playbooks/host/host-present-with-randompassword.yml
playbooks/host/host-present.yml
playbooks/host/hosts-member-certificate-absent.yml
playbooks/host/hosts-member-certificate-present.yml
playbooks/host/hosts-member-managedby_host-absent.yml
playbooks/host/hosts-member-managedby_host-present.yml
playbooks/host/hosts-member-principal-absent.yml
playbooks/host/hosts-member-principal-present.yml
playbooks/host/hosts-present-with-certificate.yml
playbooks/host/hosts-present-with-managedby_host.yml
playbooks/host/hosts-present-with-randompasswords.yml
New tests have been added for the module:
tests/host/certificate/cert1.der
tests/host/certificate/cert1.pem
tests/host/certificate/cert2.der
tests/host/certificate/cert2.pem
tests/host/certificate/cert3.der
tests/host/certificate/cert3.pem
tests/host/certificate/private1.key
tests/host/certificate/private2.key
tests/host/certificate/private3.key
tests/host/certificate/test_host_certificate.yml
tests/host/certificate/test_hosts_certificate.yml
tests/host/test_host.yml
tests/host/test_host_allow_create_keytab.yml
tests/host/test_host_allow_retrieve_keytab.yml
tests/host/test_host_managedby_host.yml
tests/host/test_host_principal.yml
tests/host/test_host_random.yml
tests/host/test_hosts.yml
tests/host/test_hosts_managedby_host.yml
tests/host/test_hosts_principal.yml
The random password is only returned if random is yes and the host did
not exist or update_password is yes.
If only one host is handled by the module, the returned dict is containing
this dict:
{ "randompassword": "<the host random password>" }
If several hosts are handled by the module (future feature):
{ "<host>": { "randompassword": "<the host random password>" } }
Fixes issue #134 (ipahost does not return the random password)
The random password is only returned if random is yes and user did not exist
or update_password is yes.
If only one user is handled by the module, the returned dict is containing
this dict:
{ "randompassword": "<the user random password>" }
If several users are handled by the module:
{ "<user>": { "randompassword": "<the user random password>" } }
This is related to issue #134 (ipahost does not return the random password)
There is a new sudorule (Sudo Rule) management module placed in the plugins
folder:
plugins/modules/ipasudorule.py
The sudorule module allows to ensure presence and absence of Sudo Rules.
Here is the documentation for the module:
README-sudorule.md
New example playbooks have been added:
playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
playbooks/sudorule/ensure-sudorule-is-absent.yml
playbooks/sudorule/ensure-sudorule-is-disabled.yml
playbooks/sudorule/ensure-sudorule-is-enabled.yml
playbooks/sudorule/ensure-sudorule-is-present.yml
playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
New tests added for the module:
tests/hbacrule/test_sudorule.yml
The changed flag returned by ipahostgroup calls have not always been correct.
The use of the module with IPA version 4.6 on RHEL-7 resulted in encoding
errors. All this has been fixed.
Addtitionally new test cases have been added to make sure that the issues
are solved.
There is a new hbacrule (HBAC Rule) management module placed in the plugins
folder:
plugins/modules/ipahbacrule.py
The hbacrule module allows to ensure presence and absence of HBAC Rules.
Here is the documentation for the module:
README-hbacrule.md
New example playbooks have been added:
playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
New tests added for the module:
tests/hbacrule/test_hbacrule.yml
The changed flag returned by ipagroup calls have not been correct. This
change fixes this. Addtitionally new test cases have been added to make
sure that the changed flag is correct.
There is a new hbacsvcgroup (HBAC Service Group) management module placed
in the plugins folder:
plugins/modules/ipahbacsvcgroup.py
The hbacsvc module allows to ensure presence and absence of HBAC Service
Groups.
Here is the documentation for the module:
README-hbacsvcgroup.md
New example playbooks have been added:
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
New tests added for the module:
tests/hbacsvcgroup/test_hbacsvcgroup.yml
There is a new hbacsvc (HBAC Service) management module placed in the plugins
folder:
plugins/modules/ipahbacsvc.py
The hbacsvc module allows to ensure presence and absence of HBAC Services.
Here is the documentation for the module:
README-hbacsvc.md
New example playbooks have been added:
playbooks/hbacsvc/ensure-hbacsvc-absent.yml
playbooks/hbacsvc/ensure-hbacsvc-present.yml
New tests added for pwpolicy:
tests/hbacsvc/test_hbacsvc.yml
There is a new pwpolicy management module placed in the plugins folder:
plugins/modules/ipapwpolicy.py
The pwpolicy module allows to ensure presence and absence of pwpolicies for
groups.
Here is the documentation for the module:
README-pwpolicy.md
New example playbooks have been added:
playbooks/pwpolicy/pwpolicy_absent.yml
playbooks/pwpolicy/pwpolicy_present.yml
New tests added for pwpolicy:
tests/pwpolicy/test_pwpolicy.yml
There is a new sudocmdgroup management module placed in the plugins folder:
plugins/modules/ipasudocmdgroup.py
The sudocmdgroup module allows to add or remove sudo command groups..
The sudocmdgroup module is as compatible as possible to the Ansible upstream
ipa_sudocmdgroup module, and additionally offers to ensure member presence
and absence.
Here is the documentation for the module:
README-sudocmdgroup.md
New example playbooks have been added:
playbooks/sudocmd/ensure-sudocmdgroup-is-absent.yml
playbooks/sudocmd/ensure-sudocmdgroup-is-present.yml
playbooks/sudocmd/ensure-sudocmd-is-absent-in-sudocmdgroup.yml
playbooks/sudocmd/ensure-sudocmd-is-present-in-sudocmdgroup.yml
A test playbook is provided in:
tests/sudocmdgroup/test_sudocmdgroup.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
There is a new sudocmd management module placed in the plugins folder:
plugins/modules/ipasudocmd.py
The sudocmd module allows to add or remove sudo commands.
The sudocmd module is as compatible as possible to the Ansible upstream
ipa_sudocmd module.
Here is the documentation for the module:
README-sudocmd.md
New example playbooks have been added:
playbooks/sudocmd/ensure-sudocmd-is-absent.yml
playbooks/sudocmd/ensure-sudocmd-is-present.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The ipauser module now supports all user settings and additionally to ensure
the presence of several users with the new users setting. The users setting
can also be used with other states, but it has to be limited to only contain
the name of the users.
There updated user management module is placed in the plugins folder:
plugins/modules/ipauser.py
The user module now additionally allows to handle these user settings:
initials
principalexpiration
random
city
userstate
postalcode
mobile
pager
fax
orgunit
manager
carlicense
sshpubkey
userauthtype
userclass
radius
radiususer
departmentnumber
employeenumber
employeetype
preferredlanguage
certificate
certmapdata
noprivate
nomembers
Here is the updated documentation for the module:
README-user.md
New example playbooks have been added:
playbooks/user/user_certificate_absent.yml
playbooks/user/user_certificate_present.yml
playbooks/user/user_present.yml
playbooks/user/users_absent.yml
playbooks/user/users_certificate_absent.yml
playbooks/user/users_certificate_present.yml
playbooks/user/users_present.yml
plugins/modules/ipauser.py
New tests added for ipauser:
tests/user/certificate/cert1.der
tests/user/certificate/cert1.pem
tests/user/certificate/cert2.der
tests/user/certificate/cert2.pem
tests/user/certificate/cert3.der
tests/user/certificate/cert3.pem
tests/user/certificate/private1.key
tests/user/certificate/private2.key
tests/user/certificate/private3.key
tests/user/certificate/test_user_certificate.yml
tests/user/certificate/test_users_certificate.yml
tests/user/certmapdata/test_user_certmapdata.yml
tests/user/certmapdata/test_user_certmapdata_issuer_subject.yml
tests/user/certmapdata/test_users_certmapdata.yml
tests/user/test_user.yml
tests/user/test_users.yml
tests/user/test_users_absent.yml
tests/user/test_users_invalid_cert.yml
tests/user/test_users_present.yml
tests/user/test_users_present_slice.yml
tests/user/users_absent.json
tests/user/users_absent.sh
tests/user/users_present.json
tests/user/users_present.sh
The serial numbers have not been set for the creation of the CA and also
to sign the request. Because of this the local time has been used, which
resulted sometimes in the use of the same time stamp for the CA and the
signing reuqest. The import failed then with same issuer and serial number
error.
The cat to generate the chain.crt has been replaces with openssl x509 calls.
Some comments have also been added.
The script in external-signed-ca-with-manual-copy has been replaced with a
link to the external-signed-ca-with-automatic-copy directory.
