The SID is always generated in the command line installers in newer IPA
versions. This also needs to be done in the ipaserver and ipareplica roles.
For the IPA versions that are supporting this, the adtrust setup is always
executed to generated the SIDs, but only configures AD trust if
ipaserver_setup_adtrust or ipareplica_setup_adtrust is also enabled. A
check has been added to ipaserver_test and ipareplica_test to only enable
the SID generation for the IPA versions supporting this.
This is related to https://pagure.io/freeipa/8995
Fixes:
- https://bugzilla.redhat.com/show_bug.cgi?id=2110478
- https://bugzilla.redhat.com/show_bug.cgi?id=2110491
Due to an issue with python-dns, FreeIPA is raising an expection when
setting a DNS forwarder with a custom port. Separating the test for
ipadnsconfig that use forwarders with custom allows the other tests
to be correctly executed.
When running tests/sanity/sanity.sh locally, podman might be available
instead of Docker. Due to current configuration, only Docker is used by
sanity.sh.
This patch searches for the availability of docker, which is kept as
the default container engine to use, and use podman only if docker is
not found.
This change also allows the execution of the script from a directory
other than the repository root.
api_check_ipa_version was using packaging.version. IPA is using
pkg_resources.parse_version in ipaplatform.tasks.parse_ipa_version.
With this change tasks.parse_ipa_version from ipaplatform is used to
have exactly the same version comparison that also IPA has.
Additionally tasks is added to __all__.
Checking if some output is present or absent from standard streams was
done by simple string searching. Due to recent changes in FreeIPA, this
search is not effective due to capitalization differences in boolean
values output. Changing the string searching to regular expression
searches fixes this behavior for current and previous versions of
FreeIPA.
This patch also adds more information on the assert tests in case of an
error, so that it is easier to understand why the test failed.
The fallback function used to compare IPA versions was spliting the
version string into a tuple of strings, and the comparison of the tuple
would fail if comparing a field with one digit aginst a two-digit one,
for example, '8' with '10', as the string comparison would put '10'
before the '8'.
This patch forces the version fields to be converted to integers, so
a numerical comparison will be performed. If a version string field
cannot be converted to a number, than the string comparison will still
be used.
FreeIPA 4.9.10+ and 4.10 use proper mapping for boolean values, and
only searching for "TRUE" does not work anymore.
This patch fix ipadnszone plugin and IPAParamMapping class handling
of boolean values.
The generation of ipaserver_domain has issues: At first
ansible_facts['hostname'] instead of ansible_facts['fqdn'] is used
and second the first entry after the split operation is used and third
the final join is missing.
Python 3.11 dropped compat inspect.getargspec. As the roles and modules
need to support Python2 and Python3, the code for getargspec has been
copied from Python 3.10 and is added as a fallback as soon as getargspec
can not be imported from inspect. The copied getargspec is using
getfullargspec internally.
Fixes: #855 (Python's inspect.getargspec was removed in version 3.11)
With the support for Random Serial Numbers v3 in FreeIPA 4.10, the
attribute random_serial_numbers has been added to the installer options.
options._random_serial_numbers is generated by ca.install_check and
later used by ca.install in the _setup_ca module.
ca.install_check is using options.random_serial_numbers and generating
options._random_serial_numbers which is later used by ca.install in
ca.install the _setup_ca module.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2103928https://bugzilla.redhat.com/show_bug.cgi?id=2103924
With ansible-2.13 it is required to use jinja for list concatenation.
list: "[] + ['a'] + ['b']"
needs to become
list: "{{ [] + ['a'] + ['b'] }}"
copy_external_cert.yml needed to be changed.
As the current latest upstream version of ansible-core is 2.13.0, to
test against ansible-core 2.12 series we need to pin the version used
on the test.
This patch enables the already defined tests for ansible-core 2.12 that
were available but commented out.
There are new smartcard roles in the roles folder:
roles/ipasmartcard_server
roles/ipasmartcard_client
This roles allows to setup smartcard for servers and clients.
Here is the documentation for the roles:
roles/ipasmartcard_server/README.md
roles/ipasmartcard_client/README.md
New example playbooks have been added:
playbooks/install-smartcard-server.yml
playbooks/install-smartcard-replicas.yml
playbooks/install-smartcard-servers.yml
playbooks/install-smartcard-clients.yml
As an idrange has no members, when using `state: absent`, all
parameters but 'name' and 'state' are invalid. The list of invalid
parameters when 'state: absent', have been fixed to include some
missing parameters.
Provide a pipeline to test ansible-freeipa as an Ansible Galaxy
collection. The tests will use 'utils/build-galaxy-release.sh' to
create the galaxy release file, install it as a collection, and run
the tests in it, which were modified to use FQCN.
The tests will run only on 'fedora-latest' for each PR, and on all
platforms for nightly and weekly tests.
When ensuring presence of an idrange using dom_name instead of dom_sid,
the SID must be obtained so that the idrange can be created.
Related to RHBZ#2086993 and RHBZ#2086994.
When managing idranges, it might be needed to obtain the domain SID
from the domain name. As this method needs to use the IPA API object
and requires imorting some ipaserver modules, teh best place for this
method to be implemented is on ansible_module_utils.
When developing ansible-freeipa using a Python virtual environment,
some ansible-freeipa utility scripts failed to execute due to missing
tools.
This patch add the required tools and modules to requirements-dev.txt
and pin the versions to the same available in Fedora 36.
Due to an issue with IPA in Fedora 36, dnsconfig and dnsforwardzone
plugin tests must be disabled.
See FreeIPA issue: https://pagure.io/freeipa/issue/9158
pytest provide the means to skip tests based on patterns, but writing
these patterns for ansible-freeipa might not be feasible.
This PR allows the selection of playbook tests and modules that will
be executed with pytest using the environmentt variables IPA_ENABLED_TESTS
IPA_ENABLED_MODULES, IPA_DISABLED_TESTS or IPA_DISABLED_MODULES.
When using IPA_ENABLED_MODULES, all modules will be disabled, and only
the modules in the enabled list will be tested. If using the test
filter, IPA_ENABLED_TESTS, all tests are disabled, unless they are in
the enabled test lists.
If the IPA_DISABLED_* version is used, tests and modules are enabled by
default, and the list is used to disable the module or specific test.
To disable a test or module in Azure CI, edit the file
`tests/azure/variables` and add the desired tests or modules to the
parameter variables `enabled_modules`, 'enabled_tests`, `disabled_tests`
or `disable_modules`.
Note that, if added to the `master` branch, this will affect the tests
for every pipeline that it is include (including 'nightly'), so it should
be used with care.
It can be used with TEMP commits to enable only the desired tests,
speeding up upstream tests.
Recent versions of ansible-test require the existence of a CHANGELOG
file in the root of the collection. This changes extracts the changes
of the latest available release tag using `utils/changelog` and create
the CHANGELOG file with the result of the command.
The generated changelog will include the changes for the latest release
and, if present, the available changes that were not part of a release.
The --tag TAG option is now printing the changes for the given TAG and
not since the given tag. The new option --galaxy is printing the changelog
since the latest tag and also for the latest tag.
These changes are simplifying the generation of the changelog file that
is needed to pass the tests for galaxy and AutomationHub collections.
The current ansible-core available in Fedora and RHEL is 2.12 series.
This patch sets the version used for every PR CI to match this series.
Other versions should be used only in the nightly/weekly tests.
This patch adds the latest ansible-core as a test target in upstream
nightl/weekly CI.
As, currently, the latest available ansible-core is still 2.12.z, the
current ansible-core 2.12 targets were disabled. They should be enabled
when ansible-core 2.13 is available.
CentOS 8 images are not supported anymore, and we are using CentOS 8
Stream images.
This patch removes all configuration for CentOS 8 and updates test
README to point to the available container images.
As Ansible versions might change, and as we don't need to report which
version is used on every test, as the information is avaiable in case
it is needed, the jobs labels are changed to easier display which image
was used for testing.
The "-i" option can be used to install the generated collection using
the ansible-galaxy collection install command. It is using the force
flag to install the collection if there is already a collection with the
same name and namespace. The ansible-galaxy collection build command is
already using the force flag to create the collection.
There is a new idrange management module placed in the plugins folder:
plugins/modules/ipaidrange.py
The idrange module allows to ensure presence and absence of idranges.
Here is the documentation of the module:
README-idrange.md
New example playbooks have been added:
playbooks/idrange/idrange-absent.yml
playbooks/idrange/idrange-ad-posix-present.yml
playbooks/idrange/idrange-ad-present.yml
playbooks/idrange/idrange-present.yml
New tests for the module can be found at:
tests/idrange/test_idrange.yml
tests/idrange/test_idrange_client_context.yml
The group CLI option `idoverrideusers` was not supported by
ansible-freeipa, and this patch adds support to it.
Tests require an AD trust, and a user `aduser@ad.ipa.test` to exist, or
the user name must be provided (variable, CLI) through `test_ad_user`.
A new test playbook was added:
tests/group/test_group_idoverrideuser.yml
This patch applies several changes to the ipatrust test playbook:
* Add externally defined parameters so execution in local trust
environments can be configured. The available parameters are:
* winserver_admin_password: the Administrator password for the AD
server (default: 'SomeW1Npassword')
* winserver_domain: the AD server domain (default: 'windows.local')
* winserver realm: the AD server realm (by default, the uppercase
version of winserver_domain)
* ipaserver_domain: the FreeIPA server domain (default: 'ipa.test')
* ipaserver_realm: the FreeIPA server realm (by default, the
uppercase version of ipaserver_domain
* Modify trust verification to check for the existence of the trust as
it the output of `ipa trust-find`, instead of cheking for the number
of items returned, as the number might vary.
* Add idempotency tests by re-executing tasks and verifying that no
change was performed.
* Added tests to verify creation of trusts with different 'range_type'.
* Use a Kerberos cache for shell scripts, and destroy it on exit.
* Properly remove all `idrange` that might be created upon setting up a
trust.
This patch updates the ipatrust documentation about the 'trust_type'
parameter, and changes one password to be similar to the standard
passwords used in other modules.
This change allows clearing automountmap 'description' attribute by
passing an empty string ("") as the playbook parameter.
New test cases were added to check this behavior.
Due to a change in 'ansible_freeipa_module.compare_args_ipa', playbook
parameters using empty strings are correctly evaluated, and do not need
to be removed before comparison is performed.
A new test playbook, with tests for clearing attributes with an empty
string ("") is available at:
tests/user/test_user_empty_lists.yml
This change modifies the comparison of the retrieved IPA object and the
provided arguments on ansible_freeipa_module.compare_args_ipa when the
provider argument is an empty string.
If an attribute is not available in 'ipa', its value is considered to be
a list with an empty string (['']), possibly forcing the conversion of
the 'args' attribute to a list for comparison. This allows, for example,
the usage of empty strings which should compare as equals to inexistent
attributes (None), as is done in IPA API.
Failing to identify task files included by playbooks raised false
positives when runnnig ansible lint. This change force ansible-lint to
correctly identify YAML files named "env_*.yml" or "tasks_*.yml" as task
files that are imported by other playbooks, and treat them accordingly.
Modules ipadnsconfig and ipadnsforwardzone allow the setting of forward
policy for zone forwarders, but the parameter names differ between the
modules.
This patch ensures that the same parameter names can be used in each
module. To keep backwar compatibility in both modules, both
`forward_policy` and `forwardpolicy` are now supported.
Some example playbooks do not had the parameter `ipaadmin_password`
set, and some had a different value than the standard value
"SomeADMINpassword".
This patch fixes this difference in all example playbooks.
The parameters user_auth_type, pac_type and configstring are allowing to
use "" to reset to the default value or for configstring to set an empty
list.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working.
Additionally empty pac_type, user_auth_type and domain_resolution_order
have been added to exit_args as if they have not been set.
The parameter auth_ind is allowing to use "" to reset to the default
value.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working.
The parameters auth_ind and pac_type are allowing to use "" to reset to
the default value.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working. An idempotency issue with pac_type has been found with the test
and fixed additionally.
The parameters userauthtype and sshpubkey allowing to use "" to reset to
the default value.
The new check in params_get is not allowing to use empty strings in lists,
therefore allow_empty_string=True had to be added to the call.
A test has been added to verify that the empty strings are supported and
working. An idempotency issue with sshpubkey has been found with the test
and fixed additionally.
So far it is possible to pass list parameters with empty strings to the
modules. The use of empty strings in list does not make a lot of sense,
though. The simple solution is to add a check to module_params_get for
empty strings in returned lists.
The option allow_empty_string can be set to True to allow an empty string
in the list with a list len of 1. The option defaults to False. It is
needed for some parameters the modules, like for example userauthtype in
the user module. It is using "" to reset to the default value.
module_params_get_lowercase has been changed to use module_params_get to
have one place to add the check.
Due to an issue in Ansible it is possible to use the empty string "" for
lists with choices, even if the empty list is not part of the choices.
Ansible issue https://github.com/ansible/ansible/issues/77108
This patch add the lines necessary to allow the use of the attribute
`delete_continue`, as it is a commom attribute, and if newer commom
attributes are added to IPAAnsibleModule in the future, the usage will
be similar.
Some modules should be compared in a case insensitive manner, and this
patch adds an example of a call to IPAAnsibleModule.params_get_lowercase
and a note on its usage.
This patch refactors the module template for modules with member
management, in a way that the addition of member management command
logic is not duplicated in different states or actions.
This idiom has been applied recently along with other fixes to modules
with idempotence issues reducing the modules code size and centering
code logic in specific blocks.
Allows the creation of IPAAnsibleModule objects with specific
`ipa_arguments` which are defined in a dictionary of argumets in
the base class.
Every module using `delete_continue` should provide the proper behavior
and the module must be instantiated with:
ansible_module = IPAAnsibleModule(
...,
ipa_arguments=["delete_continue"]
)
The plugin documentation must be extended with
'ipamodule_arguments.delete_continue'.
The correct name for upcoming release of CentOS is CentOS 9 Stream,
usually abbreviated to 'c9s'. As we need to differentiate from the
stream and the standard versions, this patch modifies the Azure
piipelines to use 'c9s' instead of 'CentOS 9'.
The test for dnsrecord creates a DNSSEC zone, and was forcing the task
to ignore errors using `ignore_errors: true`. The test environment
should be clean at that point, and without the zone, tests would fail,
so there is no need to keep the attribute set. If the task fails, it
should be fixed.
Newer Ansible versions will require at least Python 3.8 to be used,
and the build containers pipeline was requiring Python 3.6, which is
EOL.
This patch requests the latest Python version available for the
controller, and allows it to be configured to a specific version if,
and when, needed.
Add configuration to build a testing CentOS 8 stream image and to
execute upstream tests using that image in pull requests (Ansible
2.9) and on the nightly tests (all supported Ansible versions).
CentOS 9 Stream package pytho3-devel was not installable, and as it is
not required for the testing container, it was removed from the
Dockerfile used to create the image.
This disables the generation of the collection using the default
galaxy.yml. The installation of the generated collection fails with
invalid version A.B.C.
The collection is not used when building containers and the generated
collection is not using proper name and namespace in the collection files.
Currently the pipeline used to create test containers is using Python
3.6.15, and Ansible 2.12 requires, at least, Python 3.8.
This change adds a new parameter to build container template,
`python_version`, which is set by default to '3.x', meaning it will use
the latest Python version available (for version 3) if the parameter is
not explicitly set.
This disables the generation of the collection using the default
galaxy.yml. The installation of the generated collection fails with
invalid version A.B.C.
The collection is not used in the tests and the generated collection
is not using proper name and namespace in the collection files.
Note: utils/build-galaxy-releasesh needs to be used to generate the correct
collection.
Ensuring absence of members (services and targets) that do not exist may
not fail as they are not members for servicedelegationtarget and
servicedelegationrule.
servicedelegation_normalize_principals in ansible_freeipa_module has
been extended with a check_exists argument that defaults to False. state
== "present" is now given as this argument to turn on the element exists
check only if elements should be added.
The script now fixes the references for all doc_fragments in the
plugins/doc_fragments folder. So far it was only fixing the references
for ipamodule_base_docs.
PR #762 (automount location: add support for delete_continue) added an
other doc_fragment and the references have not been fixes as needed.
If a hbacrule member has any value, the only way to clear it is by
creating a task with 'state: absent' and 'action: member' and provide
a list with all the values for that member.
This patch allows the use of '<member>: []' with 'action: hbacrule'
to clear a hbacrule member.
A new test playbook can be found at:
tests/hbacrule/test_hbacrule_member_empty.yml
There is a new servicedelegationrule management module placed in the plugins
folder:
plugins/modules/ipaservicedelegationrule.py
The servicedelegationrule module allows to ensure presence and absence of
servicedelegationrules and servicedelegationrule members.
Here is the documentation of the module:
README-servicedelegationrule.md
New example playbooks have been added:
playbooks/servicedelegationrule/servicedelegationrule-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-principal-member-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-principal-member-present.yml
playbooks/servicedelegationrule/servicedelegationrule-target-member-absent.yml
playbooks/servicedelegationrule/servicedelegationrule-target-member-present.yml
playbooks/servicedelegationrule/servicedelegationrule-present.yml
New tests for the module:
tests/servicedelegationrule/test_servicedelegationrule.yml
tests/servicedelegationrule/test_servicedelegationrule_client_context.yml
tests/servicedelegationrule/test_servicedelegationrule_hostprincipal.yml
There is a new servicedelegationtarget management module placed in the plugins
folder:
plugins/modules/ipaservicedelegationtarget.py
The servicedelegationtarget module allows to ensure presence and absence of
servicedelegationtargets and servicedelegationtarget members.
Here is the documentation of the module:
README-servicedelegationtarget.md
New example playbooks have been added:
playbooks/servicedelegationtarget/servicedelegationtarget-absent.yml
playbooks/servicedelegationtarget/servicedelegationtarget-member-absent.yml
playbooks/servicedelegationtarget/servicedelegationtarget-member-present.yml
playbooks/servicedelegationtarget/servicedelegationtarget-present.yml
New tests for the module:
tests/servicedelegationtarget/test_servicedelegationtarget.yml
tests/servicedelegationtarget/test_servicedelegationtarget_client_context.yml
tests/servicedelegationtarget/test_servicedelegationtarget_hostprincipal.yml
This function will be used in servicedelegation target and rule modules
to normalize principals given in the tasks. These can be service and host
principals and also aliases.
Note: The use of host principals requires IPA 4.9.0 or later. fail_json
is called if the version is lower.
servicedelegation_normalize_principals contains two embedded fuctions.
One is normalize_principal_name that has been copied from
ipaserver/plugins/servicedelegation.py, the other is the generic
function _check_exists to be able to check if a host or service exists.
Similar to PR 286
This PR explicitly sets `no_log` option for `update_password` attribute to `False`, so that the warning on `no_log` not being set is not issued anymore. Ansible incorrectly issued the warning, as `update_password` does not carry sensitive information.
The service hostname needs to be gathered from ansibe_facts as it might
not be "ipaserver". ansible_facts['fqdn'] is now used as the service
hostname, therefore gather_facts had to be turned on.
When ensuring states 'undeleted', 'enabled', 'disabled', and 'unlocked'
the error messages for an unexistent user were not consistent.
This change changes the message for all states to "No user '%s'."
When trying to ensure 'state: absent' with 'preserved: yes' in ipauser,
after the first execution the playbook would fail with "user is already
present". Similar idempotence issue would happen when 'state: undelete'
was used.
This PR fixes both issues, and improve tests for the states where user
is preserved, enabled and disabled. The 'find_user' function now uses
IPA API 'user_show' instead of 'user_find' so that only the requested
user is actually returned.
As of verison 1.6.1 of ansible-freeipa, ipadnsconfig supports
'action: member' to manage DNS forwardes, and requires the use of this
action if 'state: present'.
This patch fixes the playbook examples.
The services returned by group_find are of type
ipapython.kerberos.Principal. Addtionally the services are case
insensitive. Therefore services need to be converted to a lowercase
sting for proper comparison.
test_group.yml has been extended with service tests.
Upstream tests were not testing one path of code related to variable
`deny_sudocmdgroup`, and a regression was added.
This patch fixes a call to the current configuration dictionary, and
add tests so that the code path is executed in the upstream tests.
The client context on server test is failing with a date that is
expired. The server context on server test is not failing.
Setting an expired date with the command line is possible though.
This patch adds support for 'action: member' for ipadnsconfig plugin,
impacting management of DNS forwarders setting.
Use of 'state: absent' now requires 'action: member'. With 'state:
present', orwarders can be either defined through 'action: dnsconfig'
or added using 'action: member'.
Tests have been updated to reflec the new behavior.
If one tries to set a list of forwarders which include an already
existing forwarder, the existing forwarder is removed, and the list
of configured forwarders contain only the new ones.
This patch fixes this behavior by setting a union of the currently
available forwarders and the list of forwarders provided in the
playbook.
Tests were added to ensure this behavior.
The host members of ipahostgroup need to be lowercase and FQDN to be
able to do a proper comparison with exising hosts in the hostgroup.
Fixes: #666 (ipahostgroup not idempotent and with error)
Due to a change in Ansible to depend on Python 3.8 it is needed to only
use bindings that are provided by Python and Ansible core. gssapi is
therefore not usable any more.
The kinit_keytab function was using gssapi and now has to use the kinit
command insead.
The main REAADME has been fixed to contain information about the
automount key and map modules, the reference to the hbacsvcgroup README
has been fixed and a new test has been added as a github workflow.
ERROR: Found 6 pylint issue(s) which need to be resolved:
ERROR: plugins/modules/ipaserver_prepare.py:395:4: invalid-name: Variable name "e" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/library/ipaserver_prepare.py:395:4: invalid-name: Variable name "e" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:333:12: invalid-name: Variable name "ds" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:348:12: invalid-name: Variable name "ds" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:361:12: invalid-name: Variable name "ip" doesn't conform to snake_case naming style
ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:364:12: invalid-name: Variable name "e" doesn't conform to snake_case naming style
e has been replaced with err, ds with _ds, ip with _ip.
Members of hbacrule must be compared in a case insensitive manner.
This patch fixes comparation of member parameters against existing
members by converting parameters to lowercase.
Also, there were some cases where a change with an empty set of members
was issued to IPA API, leading to a result of 'changed: yes' when
'changed: no' was expected. The fix involved a refactoring of the
member management code.
Add a task to FreeIPA facts task file to ensure that the variable
'ipaserver_domain' is set.
The value is set form `ansible_facts['fqdn'], if available, or set to
`ipa.test`, otherwise.
The official ShellCheck pre-commit hook uses a docker image, but it
is, sometimes, unavailable. This change will use the system installed
ShellCheck executable and does not depend on the image download.
We used a Github Action to run anisble-lint, but it has not have a
release since 2019, and has not been updated in a year. This action is
showing some issues when evaluating current playbooks.
This PR substitute the action previously used with a shell script
directly define in the workflow job. The ansible-core version was
pinned to the currently available on Fedora 25, 2.11.6.
The test playbook provided adds some tests to verify if capitalization
of role members does not influence on the module behavior. It also adds
some tests to verify check_mode.
IPA role members users, groups, hostgroups and privilege must be
compared in a case insensitive way, and either are stored in lowercase
or IPA API fixes the value for proper representation.
This patch forces all comparisons of this values to be performed in
lowercase, and also only modify the values if it is really needed.
Some attributes retrieved by the IPA API backend don't change, and are
used more than once, in different places of the code. IPA API domain
is one of these attributes.
This patch adds a cache to the attribute, so there is only one request
for the API, improving access time to the object and alowing multiple
calls with no efficiency penalty.
Service members in IPA role objects must be compared ignoring character
capitalization, but are stored in a case preserving manner.
This patch modifies the way service members are handled, creating a map
between a lowercase version of the service parameter and the parameter
itself, and using the map key to compare against existing services. The
mapped value is then added as role member, if necessary.
Removed custom code used to create add/del lists in iparole in favor
of ansible_freeipa_module functions, and custom result_handler, to
reduce code duplication, as these methods have equivalent shared
versions.
ERROR: plugins/modules/ipaautomountmap.py:118:30: E203: whitespace before ':'
ERROR: Found 1 compile issue(s) on python 2.6 which need to be resolved:
ERROR: plugins/modules/ipasudorule.py:382:63: SyntaxError: {ensure_fqdn(value.lower(), default_domain) for value in host}
This change configure pylint to ignore import modules that might not be
availble during development, and ignore names that are relevant in the
FreeIPA domain, even if they don't comply with PEP8.
This test is using the galaxy_importer from ansible project. The
configuration file galaxy-importer.cfg is copied from linux-system-roles
https://github.com/linux-system-roles/auto-maintenance/blob/master/\
lsr_role2collection/galaxy-importer.cfg
The tests script has extra code to parse the output of the importer to
highlight errors and to exit with a proper error code.
The test can be used locally also with "sh tests/sanity/sanity.sh"
New files:
- .github/workflows/ansible-test.yml
- tests/sanity/galaxy-importer.cfg
- tests/sanity/sanity.sh
The script is now using a build dir for the creation of the Ansible
Collection. Additionally only files known to the fit repo are pulled in
by default. The new "-a" option is pulling in all files from local repo.
The new -k" option can be used to keep the build dir for verification of
the changes to the files.
The colleciton is placed into the main repo dir and no git reset --hard
is used in the repo to preserve local changes.
There is a new automount key module placed in the plugins folder:
plugins/modules/ipaautomountkey.py
The server module allows to ensure presence and absence of automount
keys. The module requires an existing automount location and map to
place the key within.
Here is the documentation for the module:
README-automountkey.md
New example playbooks have been added:
playbooks/automount/automount-key-absent.yaml
playbooks/automount/automount-key-present.yaml
New tests for the module:
tests/automount/test_automountkey.yml
Currently, when adding an overlapping set of members causes playbook to
fail as the already existing members are added twice.
This patch refactors membership management by removing duplicate logic
and handling all changes to members in a single place. This change
removed code that was causing the execution failures.
There is a new server management module placed in the plugins folder:
plugins/modules/ipaautomountmap.py
The server module allows to ensure presence and absence of automount
maps. The module requires an existing automount location to place the
map within. It does not create any automount keys with in the map.
Here is the documentation for the module:
README-automountmap.md
New example playbooks have been added:
playbooks/automount/automount-map-absent.yaml
playbooks/automount/automount-map-present.yaml
New tests for the module:
tests/automount/test_automountmap.yml
Sometimes the first test of a batch fails because it fails to grant a
TGT from Kerberos KDC as it is not yet fully working. By waiting until
a TGT can be acquired, these failures will not happen anymore.
All ansible-freeipa modules which allow object renaming should support
'state: renamed'.
This patch adds suport for the missing state, and fixes cases where a
user could try to rename the object and set its members, which would
fail depending on the operation order.
Fix#566
Single hostnames can be used for sudorule_add_host and will match fqdn
in IPA internally. Simple host names have to be extended to be FQDN to
be able to compare them for sudorule_host_add and sudorule_host_remove.
Fixes#672
The Variables and also the Return Variables sections contained an extra
header with the module name. This is only needed if there are more than
one module in the README.
automount location was missing in README.md in the feature and also in
the README link section.
The links for location, permission, privilege and selfservice have been
wrongly using the ipa prefix for the module
The removal of group or hostgroup orphans has been added to the automember
module.
It can be ensured that orphans have been removed using action: orphans_removed
The automember_type needs to be set for this.
New examples have been added to README-automember.md
New playbooks:
- playbooks/automember/automember-group-orphans-removed.yml
- playbooks/automember/automember-hostgroup-orphans-removed.yml
New tests:
- tests/automember/test_automember_orphans_removed.yml
The fallback group and hostgroup for unmached entries can be set and
unset using default_group. If default_group is empty, then the default
group will be unset.
DN and ipa_get_based provided by ansible_freeipa_module are used in the
code.
New parameters:
- default_group: Default (fallback) group for all unmatched entries.
New parameters and examples have been added to README-automember.md
New playbooks:
- playbooks/automember/automember-default-group-not-set.yml
- playbooks/automember/automember-default-group-set.yml
- playbooks/automember/automember-default-hostgroup-not-set.yml
- playbooks/automember/automember-default-hostgroup-set.yml
New tests:
- tests/automember/test_automember_default_group.yml
There was state: rebuild before, but the code was incomplete and was not
able to run properly.
New parameters:
- users: Limit the rebuild to the given users only
- hosts: Limit the rebuild to the given hosts only
- no_wait: Don't wait for rebuilding membership
New parameters and examples have been added to README-automember.md
tests/automember/test_automember_client_context.yml has been using
state: rebuild and lacked the automember_type parameter.
grouping was used in functions and has been replaced by automember_type.
Some typos in examples have been fixed also.
New playbooks:
- playbooks/automember/automember-group-membership-all-users-rebuilt.yml
- playbooks/automember/automember-group-membership-users-rebuilt.yml
- playbooks/automember/automember-hostgroup-membership-all-hosts-rebuilt.yml
- playbooks/automember/automember-hostgroup-membership-hosts-rebuilt.yml
New tests:
- tests/automember/test_automember_rebuilt.yml
These functions have been added to get the basedb from api.env for use
with DN for example.
api_get_basedn is returning api.env.basedn
IPAAnsibleModule.ipa_get_basedn is a wrapper for api_get_basedn
These are indent issues, one item per line for argument_specs items
containing options dicts and missing or overflow spaces for comments
and dict delimiters.
These are skips for python 2.6 with import-2.6!skip and
compile-2.6!skip, ignores for the exit_raw_json function in
ansible_freeipa_module.py for use with ipavault, the ignore of using
automatic field numbering for the string format function, the use of
string split without maxsplits (not working in Python2), skips of the
shebang tests for scripts in tests and utils and the ignore of missing
collection_name for deprecate function calls in
ansible_freeipa_module.py.
This patch modifies the Python version used to be the latest available,
and add stages to execute the tests using ansible-core 2.12. As we
use Ubuntu 20.04, Python version 3.8 is avaiable.
Previously, ansible-core 2.12 was not available as it cannot be
installed with Python 3.6, which was the version used.
The example didn't work for me with the following error (on freeipa 4.9.8):
TASK [display default login shell] **************************************************************************************************
fatal: [freeipa1.example.org]: FAILED! => {"msg": "
The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'defaultlogin'
Using the correct variable defaultshell works for me.
The hbacsvc members of hbacsvcgroup must be compared in a case
insensitive manner. This patch fixes comparation of member parameters
against existing members by converting parameters to lowercase, as it
is how the hbacsvc members are stored for hbacsvcgroups.
Also, there were some cases where a change with an empty set of members
was issued to IPA API, leading to a result of 'changed: yes' when
'changed: no' was expected. The fix involved a refactoring of the
hbacsvcgroup member management code.
This PR refactors ipaservice to reduce the number of variables (in
favor of a 'struct') and to group member management code so that it
can be leveraged, and not partially duplicated, between the states
and actions.
Altough this code is less direct that the previous one, it will reduce
the number fo changes to be made if changes to member management is
required.
When using ipaclient role under Debian 10 (Buster), it is required
that the python interpreter is set to Python 2.7 as freeipa-client
package pulls in Python 2.7 dependencies, and does not work with
Python 3.
This patch adds configuration to properly set python interpreter.
Based on the work by Marc Richter (@The-Judge on Github).
Fix issue #607.
Ubuntu Bionic Beaver must use python2 as Python interpreter due to
the way python-ipalib package is defined.
Before using the role for installation, one must install package
python2.7 before executing this role.
Based on the work by Manuel Laurent (@mlaurent205 on Github).
When using group_tests, the pytest playbook was not receiving the
Ansible version to use, executing always with the latest available
version.
This patch fixes the behavior by passing the Ansible version to use
for tests to pytest_tests playbook.
When managing ipaservice members, gen_add_del_lists, gen_add_list and
get_intersection_list should be used and the result tested for empty
sets so already existing or missing members are not added or removed
again.
This changes fixes this behavior, by applying these functions to all
ipaservice members.
`Shellcheck` is a linter tool for shell scripts that is also used in
Automation Hub.
This change adds a pre-commit hook to run shellcheck on shell scripts.
The hook uses a Docker image, which needs to be downloaded on the first
run. It works well with `podman`.
The link for plugins/modules/ipabackup_get_backup_dir.py from
roles/ipabackup/library/ipabackup_get_backup_dir.py was left over
after the script finished.
This patch add several deprecate warnings to FreeIPABaseModule, and
creates adapters to ease conversion of client classes to
IPAAnsibleModule.
There is no 'ipa_commands' management in IPAAnsibleModule, as 'command's
is a list of tuples containing '(command, name, args)', and should be
managed by the module itself. Commands with no arguments should use an
empty dictionary as 'args'.
The 'ipa_run' method should be replaced by:
```
exit_args = {}
ipaapi_context = self.params_get("ipaapi_context")
with self.ipa_connect(context=ipaapi_context):
self.check_ipa_params()
self.define_ipa_commands()
changed = self.execute_ipa_commands(
self.ipa_commands,
result_handler=my_custom_handler,
exit_args=exit_args
)
self.exit_json(changed=changed, **exit_args)
```
The 'process_command_result' method should be changed to a result
handler:
```
def my_result_handler(self, result, command, name, args, exit_args):
"""Process command result.""'
```
Use of 'ipa_params' should be replaced by IPAAnsibleModule.params_get.
If 'get_ipa_command_args' is used, then the mapping can be created with
class IPAParamMapping (formelly AnsibleFreeIPAParams), which also
enables the same property-like usage of 'ipa_params':
```
param_mapping = IPAParamMapping(module, mapping)
```
The goal is to have all ansible-freeipa modules using the same codebase,
reducing code duplication, and allowing better object composition, for
example, with the IPAParamMapping class.
Currently, upstream CI test documentation against different Ansible
versions, but playbook tests are only executed with Ansible 2.9 series.
This patch add support for running playbook tests against Ansible 2.9,
ansible-core 2.11, and against latest version of Ansible.
As running all the tests for every PR would take too long, the tests
for every PR use only Anisble 2.9, and are executed on Fedora-latest
and CentOS 7 and 8.
A new pipeline for nightly tests was added, which runs the tests in the
same distros, using Ansible 2.9, latest and Ansible-core 2.11.
Many module member attributes must be handled in a case insensitive
manner. To ease handling these cases, a function and a method to get
the module parameters converted to lowercase is provided.
If a task with 'action: automember' tried to modify an automember rule
and did not provide either 'inclusive' or 'exclusive' parameters, the
regex for the missing arguments would be removed.
This patch fixes this behavior to only modify those parameters that
were set on the task, and leave the missing parameters in the state
they were before the task.
Tests have been updated to verify expected behavior.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1976922
When setting 'runasuser' or 'runasgroup' for a sudorule, either IPA or
external users and groups can be used, but only IPA users and groups
were being searched for when modifying the attributes, making this task
not idempotent if an external group or user was used..
This patch fixes this issue by comparing users and groups to the IPA
and external setting.
The IPA CLI commands are slightly confusing, as the sudorule-add and
sudorule-mod display separate options for internal and external users
and groups, but these options are deprecated and do not work anymore,
in favor of sudorule-add-runasuser and sudorule-add-runasgroup, which
don't diferentiate between internal and external users, from the CLI
user perspective.
This patch removes the custom command result handler in favor of the
IPAAnsibleModule default member handler and fixes creation of add and
del lists of permissions, fixing the behavior of the moudule execution
when 'check_mode: yes'.
When creating the lists to add/remove principal aliases, if the realm
was not specified, the alias would be used as it did not matched the
existing one, which has the realm part.
This patch fixes the add/del list creation by adding the current API
realm to each alias that does not have the realm part and then use
this modified list to be compared against the existing principal list.
This change also allows the use of the whole list in a single call to
the IPA API to add/remove the principals, instead of a call for every
one item in the list.
If roles have been used after vars, the name of the role was not changed
as the "vars:" section was turning off changeable. A "roles:" section is
now turning on changeable.
All modules should use the same description for IPA API connection
variables. This change add description for ipaapi_context and
ipaapi_ldap_cache variable to the module README templates.
The items in extends_documentation_fragments of the modules need to
have the proper galaxy prefix.
The documentation fragment
- ipamodule_base_docs
needs to be changed to
- ${collection_prefix}.ipamodule_base_docs
This patch adds support for configuring IPA API connection use of
LDAP cache. It adds a new variable 'ipaapi_ldap_cache' to the base
module, and provides the variable documentation in its doc fragment.
This change adds a keyword parameter to api_connect() which can be
used to configure IPA API connection, for example, controlling the
use of LDAP cache, by passing 'ldap_cache' as an argument.
Also, IPAAnsibleModule is modified to automatically filter all
parameters of the module starting with 'ipaapi_' to be used as
arguments to configure api_connect(). The argument name will have
the same name as the module parameter with 'ipaapi_' stripped off.
Almost all modules require an algorithm ta validade if the user
provided arguments for the playbook are valid for the requested
state and/or action.
This patch provides a function that tests if any of a list of
arguments were set, and fail with a standardized message, making
all modules fail in the same way.
When running the tests that can be executed either on server or client
context, without defining 'ipa_context', the context is automatically
identified.
Currently, the tests in upstream CI run only on a server, and the
context is identified as "server" context, and in order to run the test
using a client context 'ipa_context' must be set to 'client'.
This patch fixes all the client context tests by correctly setting
ipa_context when running the client context tests in a server host.
When running pylint against 'setup.py' it warns that an import is
not used. While it is not directly used, this is a fix for an issue
with older versions of Python, so this change tells pylint to ignore
the error.
As of September, 2021, Ansible-lint cannot evaluate task files which
included through `include_tasks`, as it fails syntax-check.
This change exclude evaluation of these files (`env_*`) when evaluating
files before commit (pre-commit).
This patch modifies configuration of both ansible-lint and yamllint
to check for more rules, resulting in a more strict verification.
For ansible-lint verification of errors 301, 305 and 505 are skipped,
due to false positives. For the same reason, 'experimental' rules
are skipped.
ansible-lint error 306 is skipped since the fix is to set pipefail,
which is not available in all shells (for example dash, which runs
ansible-freeipa CI).
Yamllint disabled rules (comments, and indentation) would introduce a
huge amount of small changes, and are left for future changes, it
deemed necessary.
This patch fixes yamllint's "line too long" (line-lenght) warnings
by ensuring all lines in YAML files have, at most, 160 characters.
If a line cannot be written as a multiline block, line-length rule
evaluation is disabled for the specific line, both on yamllint and
on ansible-lint.
Update vault README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/vault/test_vault_client_context.yml
As `ipavault` only works in client context, an error is raised if it
is explicitly executed in a server context.
Update selfservice README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/selfservice/test_selfservice_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update service README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/service/test_service_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update user README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/user/test_user_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update trust README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/trust/test_trust_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update sudorule README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/sudorule/test_sudorule_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update sudocmdgroup README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/sudocmdgroup/test_sudocmdgroup_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update sudocmd README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/sudocmd/test_sudocmd_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update server README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/server/test_server_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update role README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/role/test_role_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update pwpolicy README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/pwpolicy/test_pwpolicy_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update privilege README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/privilege/test_privilege_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update permission README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/permission/test_permission_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Due to differences in data returned when running in a client context,
some values had to be modified so that comparision works and an
unnecessary call to IPA API is executed.
Update location README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/location/test_location_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hostgroup README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hostgroup/test_hostgroup_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update host README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/host/test_host_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hbacsvcgroup README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hbacsvcgroup/test_hbacsvcgroup_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hbacsvc README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hbacsvc/test_hbacsvc_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hbacrule README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hbacrule/test_hbacrule_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update group README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/group/test_group_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update dnszone README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnszone/test_dnszone_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Due to differences in data returned when running in a client context,
verification if zone is active had to be modified.
Update dnsrecord README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnsrecord/test_dnsrecord_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update dnsforwardzone README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnsforwardzone/test_dnsforwardzone_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Due to differences in data returned when running ipadnsforwardzone in
a client context, some values had to be modified so that comparision
works, avoiding unnecessary IPA API calls.
Update dnsconfig README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnsconfig/test_dnsconfig_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update delegation README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/delegation/test_delegation_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update config README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/config/test_config_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
As the tests for ipaconfig may render the server in an inconsistent
state if they fail, the tests in tests/config/test_config.yml were
wrapped in a way that if one test fails, the default FreeIPA
configuration is restored to the server.
Update automountlocation README file and add tests for executing plugin
with `ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/automountlocation/test_automountlocation_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
The doc strings for the examples have not been good enough to express
that the module is requiring an existing server and that is not able to
deploy a new server.
This patch fixes setting ipaserver_domain and ipaserver_realm facts for
iparole tests, fixing variable evaluation and allowing the tests to be
executed even if `gather_facts: no`.
Update automember README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/automember/test_automember_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
This patch adds a new fact `ipa_host_is_client`, available in the
include task file `env_freeipa_facts.yml`.
The variable `ipa_host_is_client` is set to TRUE if the client host
is not an IPA server (primary or replica). It can be used if a test
cannot be executed in a server, independent of the value set to
`ipaapi_context`.
Add a new configuration variable, `ipaapi_context` to IPAAnsibleModule
base specs, accepting only 'server' or 'client' values.
By using this variable, an user can select the environment context in
which the module will execute, server or client. This change will allow
configuration of the server without requiring login access (e.g. `ssh`)
to the server.
The default behavior is to use a `server` context, but this behavior
can be modified by the plugin, if it sets the `context` parameter when
connecting to IPA API.
ipaclient_setup_nss is using the nosssd_files dict if sssd is disabled
with no_sssd.
The nosssd_files dict is generated in ipaclient_test and used in
ipaclient_setup_nss. So far ipaclient_setup_nss was using nosssd_files
from ipaclient installer, which was always None.
As the server name was hard coded, when running tests for ipasever
module using a server not name as 'ipaserver', the tests would fail.
This patch allows the configuration of the server name using the
variable 'ipa_server_name', and if not provided, try to infer the name
from the ansible_hostname variable, or, if not possible, defaults to
'ipaserver'.
The same behavior is applied to 'ipasever_domain', with the default
being 'ipa.test'.
Currently, if a test fails during execution of ipaconfig playbook
tests, or if the failed task is the task reverting to the original
configuration fails, the testing host might be left in a state that
may cause other tests to fail due to the inconsistent configuration
state.
This patch ensures that if a test fails, a known configuration, the
same as used is the default installation of FreeIPA used in upstream
CI, is applied to the host, providing safe environment for testing.
The nonposix, posix and external parameters need to be mutually
exclusive. external was missing in this list. Only one of the three
parameters can be used.
external can not be set to no/false. This results in an error now.
if nonposix is used, posix is set as not nonposix. The nonposix
parameter is not used within the code anymore..
New tests have been added to tests the addition of users with for
nonposix and posix groups. The tests for the external group is not
active due to the need of an AD.
Fixes: #528 (Error creating nonposix group)
When retrieving IPA configuration using ipaconfig module, a few
variables were not returning, and some data had the wrong data format.
This patch fix both issues and apply some refactoring, as data was
being retrieved from IPA API in different places using different
methods.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
Use gen_add_list and gen_intersection_list for sudocmd member handling,
to reduce the add lists to only the new and del lists only to existing
entries.
This enables to remove the ignores for "already a member" and
"not a member" errors.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
This patch adds ansible-core version to 2.11 when evaluating
documentation with ansible-doc-test, so both 2.9 (ansible) and
2.11 (ansible-core) are covered when testing documentation,
along with the latest Ansible version available.
In the provided example for the class documentation, the parameters
passed to the `ipa_command` method were wrong, as a single list was
used instead of a parameter list.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
The staticmethod member_error_handler is handing the default member
related failures that can occur for modules with member support.
This can simply be enabled with fail_on_member_errors=True for
execute_ipa_commands.
An exception handler is also now usable with execute_ipa_commands. In
addition to the the exception it is also getting the same user defined
arguments that the result_handler is getting.
handle_result has been renamed in result_handler and handle_result_user_args
has been renamed to handlers_user_args.
Additionally the errors list does not need to be defined in the module.
The method execute_ipa_commands is doing this internally and is also
adding error: error to handlers_user_args if the handler is having errors
in the argspec and errors is not yet set in handlers_user_args.
Tests have been added to make sure that no user args for the handler
have been set without an own result or exception handler. Also the use of
fail_on_member_errors together with a result_andler is leading to an
error.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
Moved ipamodule_base_spec into IPAAnsibleModule.
This simplifies to add addtitional base vars to derived classes without
the need to dusplicae the code to extend argument_spec.
Removed execute_api_command.
This is not used anymore.
Removed get_ipamodule_base_vars.
This is not used anymore.
Removed self.ipaadmin_* and self.ccache_* from IPAAnsibleModule.__init__
These are not used and therefore can be removed.
execute_ipa_commands executes IPA API commands from the given command
list. With the handle_result and handle_result_user_args it is possible
to have a handling of the result return by the ipa commands for example
to return passwords.
Parameters
commands: list of string tuple
The list of commands in the form (name, command and args)
For commands that do not require a 'name', None needs be
used.
handle_result: function
The user function to handle results of the single commands
handle_result_user_args: dict (user args mapping)
The user args to pass to handle_result function
Example (ipauser module)
def handle_result(result, command, name, args, exit_args):
if "random" in args and command in ["user_add", "user_mod"] \
and "randompassword" in result["result"]:
exit_args.setdefault(name, {})["randompassword"] = \
result["result"]["randompassword"]
exit_args = {}
changed = module.execute_ipa_commands(commands, handle_result,
exit_args=exit_args)
if len(names) == 1:
ansible_module.exit_json(changed=changed,
user=exit_args[names[0]])
else:
ansible_module.exit_json(changed=changed, user=exit_args)
By making IPAAnsibleModule the base class of FreeIPABaseModule, instead
of AnsibleModule, some methods on FreeIPABaseModule can be removed and
suport for commom parameters in modules using the older class can use
the same commom parameters (ipaadmin_principal and ipaadmin_password)
as the other parameters. This will also allow easier deprecation of
FreeIPABaseModule, which is hard to maintain.
To be able to use IPAAnsibleModule as the base class, it was moved
within the file, to position before FreeIPABaseModule declaration.
This patch also modifies IPAAnsibleModule by:
* removing usage of `self` in methods not requiring it, turning
the methods into @statimethod;
* adding comments to all the methods in IPAAnsibleModule, which
makes it easier to understand what the individual methods do,
and what their parameters represent.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
Use IPAAnsibleModule and ipamodule_base_docs in the templates of
utils/new_module.
ipaadmin_password lines in the examples have been added, ipaadmin_
variables are handled by IPAAnsibleModule, ansible_module.params_get is
used to get the parameters and ansible_module.ipa_connect is used to
simplify the module.
ipamodule+member.py.in is additionally using gen_add_list and
gen_intersection_list to reduce the command calls to the changes only.
This class is an extended version of the Ansible Module that provides
IPA specific methods to simplify module generation.
Simple example:
from ansible.module_utils.ansible_freeipa_module import \
IPAAnsibleModule
def main():
ansible_module = IPAAnsibleModule(
argument_spec=dict(
name=dict(type="str", aliases=["cn"], default=None),
state=dict(type="str", default="present",
choices=["present", "absent"]),
),
)
# Get parameters
name = ansible_module.params_get("name")
state = ansible_module.params_get("state")
# Connect to IPA API
with ansible_module.ipa_connect():
# Execute command
if state == "present":
ansible_module.ipa_command(["command_add", name, {}])
else:
ansible_module.ipa_command(["command_del", name, {}])
# Done
ansible_module.exit_json(changed=True)
if __name__ == "__main__":
main()
ansible-freeipa modules should work without superuser privileges in
most cases, and to reflect this, the module tests should avoid using
`become: yes`.
This PR change the test playbook templates to use `become: no` by
default, so only modules that require superuser privileges will need
to change this variable.
This PR sets pylint to version 2.10.2 in all linter actions, and
fixes code in plugins so that this version new checks are either
satisfied or ignored if needed.
When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.
Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.
This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.
For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.
Fix issue #573. Fix issue #523.
When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.
Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.
This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.
For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.
Fix issue #573. Fix issue #523.
When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.
Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.
This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.
For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.
Fix issue #573. Fix issue #523.
When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.
Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.
This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.
For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.
Fix issue #573. Fix issue #523.
Some YAML files used in the project are not Ansible playbooks and
should not be evaluated by ansible-lint. This change add the paths
and files that should not be evaluated to an exclude list, that
affects linter operations in CI and pre-commit scripts.
There are common parameters in all modules like ipaadmin_principal and
ipaadmin_password. As this list of common parameters will be extended
soon, there is a need to reduce the code and documentation duplicates.
A ModuleDocFragment is added to provide the module documentation for the
common parameters. This is used in the modules with
extends_documentation_fragment.
ansible_freeipa_module has additional ipamodule_base_spec and
get_ipamodule_base_vars. ipamodule_base_spec extends argument_spec in
the module and get_ipamodule_base_vars is used to return a dict
containing the common parameters.
Use gen_add_list and gen_intersection_list for host, hostgroup, user,
group, allow_sudocmd, allow_sudocmdgroup, deny_sudocmd, deny_sudocmdgroup,
sudooption, runasuser, runasgroup and res_find member handling.
The functions are used to reduce the add lists to the new entries
only and the delete lists to the entries that are in the user and
the show list result.
This enables to remove the ignores for "already a member" and
"not a member" errors..
Single hostnames can be used for hbacrule_add_host and will match fqdn
in IPA internally. Simple host names have to be extended to be FQDN to
be able to compare them for _host_add and _host_remove.
Two new functions have been added to ansible_freeipa_module:
- api_get_domain - Get the domain from the api
- ensure_fqdn - Extend a single name with the domain
This fixes#617 - hbacrule_add_host: already a member
json_query is not part of Ansible Core. As this is the only used module
that is not in Core it has been replaced by constructig a new dict with
the needed user names from users dict using a loop and set_fact.
Modules that support `state: renamed` have `new_name` as an alias
for the `rename` variable. This patch makes ipapermission consistent
with other modules.
There is a new automount location management module placed in the plugins folder:
plugins/modules/ipaautomountlocation.py
This module allows to ensure presence and absence of automount locations
that act as containers for automount onjects in ipa.
Here is the documentation for the module:
README-automountlocation.md
New example playbooks have been added:
playbooks/automount/automount-location-absent.yml
playbooks/automount/automount-location-present.yml
New tests for the module:
tests/automount/test_automountlocation.yml
The automember_add_condition and automember_remove_condition commands
are not verifying condition keys in all cases. This is for example not
done in the removal case if a condition is not part of the automember
rule.
For consistent behaviour this needs to be done in the automember module
now. The condition keys are verified with the user and group aciattrs
returned by the API command json_metadata now.
Related: RHBZ#1976926
All ansible-freeipa modules should support 'check_mode: yes', but
the support for creating modules with this was absent in the base
class.
This patch adds such support, to use it, 'supports_check_mode=True'
must be passed to the constructor when creating the module object.
result["failed"] is used only for INCLUDE_RE, EXCLUDE_RE if entries could
not be added that are already there and it entries could not be removed
that are not there.
All other issues like invalid attributes etc. are handled as exceptions.
Therefore the error section is not here as in other modules.
Fixes RHBZ#1979626
Currently, we rebuild the container images everyday, at midnight,
which ensures that we have all the latest changes from every distro
supported in CI.
This approach works fine for the upstream CI, but if we want to use
the CI images to test modules in a local container, for example, as
proposed by PR #556, updating the images daily means that there will
be much more images download that would not be needed, as the public
cloud images of supported distros don't change so often.
This patch proposes to change the build rate from daily to weekly,
reducing the need to download images by users, while still using a
good update window.
It should be noted that, if required, the images can be rebuilt
manually, so any urgent fix is added to the CI images.
Instead of ignoring errors it is better that we specific evaluate
errors provided by negative tests. This patche removes the an
occurrence of 'ignore_errors: true' in ansible-freeipa tests.
The parameters in the inclusive and exclusive dicts are not defined and
also not checked. Therefore it is possible to have parameters in the
dicts that are not used.
The dicts for the inclusive and exclusive parameters are now defined and
also added to the description.
Ansible 2.11 does not like to have empty dependencies. It will fail to
install the collection with "'NoneType' object has no attribute 'items'"
error. The empty dependencies have been removed.
The requirements for ansible in requirements.txt have been removed also.
Fixes#571 (error installing freeipa-ansible_freeipa-0.3.6.tar.gz)
Up to now a python snippet was used to get IPA_BACKUP_DIR from ipaplatform
but this was not working when ansible_facts was false due to not getting
ansible_python_interpreter set.
The module version is also working if gather_facts is turned off.
This patch modify Github 'lint' workflow to execute each linter
verifications as a separate job. This will allow us to easily see
which linter has failed, and ensure that all are executed, even
if one fails.
There is a new automember management module placed in the plugins folder:
plugins/modules/ipaautomember.py
The automember module allows to ensure presence or absence of automember rules
and manage automember rule conditions.
Here is the documentation for the module:
README-automember.md
New example playbooks have been added:
playbooks/automember/automember-group-absent.yml
playbooks/automember/automember-group-present.yml
playbooks/automember/automember-hostgroup-absent.yml
playbooks/automember/automember-hostgroup-present.yml
playbooks/automember/automember-hostgroup-rule-absent.yml
playbooks/automember/automember-hostgroup-rule-present.yml
New tests for the module:
tests/automember/test_automember.yml
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
For the "Duplicate names in users failure test" failed_when: not
result.failed has been added as this test needs to fail.
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
Fixed also "User test cert members present again" task, it was failing
due to also having first and last parameters with action: member.
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
Only renamed again may not use failed_when result.failed as the rename
can not be idempotent.
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
failed_when result.failed can not be used for the unknown user test
with membermanager_user as this needs to fail.
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
For the duplicate names in hosts test failed_when: not result.failed has
been added as this test needs to fail.
For test zones test1, test2 and test3 there is no verification if the
task is setting changed flag and also is not failing. Also the repeated
tests for idempotency are missing.
The test to make sure that the task set the changed flag and did not
fail was missing. Also the repeated task to make sure that the task did
not set the change flag.
The sudorule disabled test is lacking the register and failed_when
lines. The lines have been added to make sure that it is verified
that the task set the changed flag and does not fail.
Use gen_add_list and gen_intersection_list for host, hostgroup,
membermanager_user and membermanager_group member handling.
The functions are used to reduce the add lists to the new entries
only and the delete lists to the entries that are in the user and
the show list result.
This enables to remove the ignores for "already a member" and
"not a member" errors..
Use gen_add_list and gen_intersection_list for user, group, service,
externalmember, membermanager_user and membermanager_group member
handling.
The functions are used to reduce the add lists to the new entries
only and the delete lists to the entries that are in the user and
the show list result.
This enables to remove the ignores for "already a member" and
"not a member" errors..
All instances related to `ansible.module_utils.ansible_freeipa_module`,
which works. Future occurrences, if they happen, will likely not to be
a problem.
Although it is an interesting setup, it currently has too many false
positives, disable comments are not working for duplicate-code, and
there are some expected duplications in the modules.
The no_members parameter is added to args for the api command. But
no_members is never part of res_find from user-show, therefore this
parameter needs to be ignored in compare_args_ipa.
This is needed to prevent an error in the idempotency test where a
user is ensured again with the same settings.
The new argument ignore has been added to compare_args_ipa to ignore
attributes while comparing attributes of the user args and the object
args returned from IPA find or show command.
This code is using changes from
- Wolskie in PR #392
- jake2184 in PR #486
Currently user, group, host, hostgoup, hbacsvc and hbacsvcgroup members
are always added and removed with hbacrule_add_.. and hbacrule_remove_..
if they are given as parameters with action: member.
Now the module is using the new functions gen_intersection_list and
gen_add_list from ansible_freeipa_module to reduce the lists to the items
only that are needed to be added or removed.
The errors "already a member" and "not a member" are not ignored
anymore now while executing the comamnds.
Two new functions have been added for member management in plugins:
gen_add_list(user_list, res_list)
Generate the add list for addition of new members.
gen_intersection_list(user_list, res_list)
Generate the intersection list for removal of existing members.
gen_add_list should be used to add new members with action: members and
state: present. It is returning the difference of the user and res list
if the user list is not None.
gen_intersection_list should be used to remove existing members with
action: members and state: absent. It is returning the intersection of
the user and res list if the user list is not None.
The test preparation failed with "the connection plugin
'community.docker.docker' was not found" in "Setup test container".
"ansible-galaxy collection install community.docker" has been added
to
tests/azure/templates/playbook_tests.yml and
tests/azure/templates/pytest_tests.yml
When `auth-ind` was empty, and it was set to be cleared, it might have
triggered an uncessary change. This change add a test so that `auth-ind`
is set only if needed.
In current implementation, when using `smb: yes`, only a small subset
of the attributes can be used in the playbook. This happened due the
use of `service_add_smb`, which adds a new service and does not modify
an existing one, and not coping with attributes not supported by this
IPA API call.
The implementation was modified so that a service with `smb: true` is
treated like any other service, which, in effect, simplified and fixed
service search, and allowed for the use of the same attributes as with
any service. Although simplified, when using `smb: true` an extra
query is done against the LDAP server, as a second `service_show` is
performed.
Tests have been updated to reflect the new imprlementation.
A dnszone_mod call is always made to set the serial for a zone even if
this serial is set already.
A check is added to make sure that the serial is only set with
dnszone_mod if there is no serial set or if the serial is different.
The "DNS resource record not found" error occurs when a host arecord
or aaaarecord member is ensured to be absent and no dnsrecord entry
for the host exists.
The arecord or aaaarecord item are removed from dnsrecord_args if the
record is not defined in res_find_dnsrecord.
A repeated category reset of usercategory, hostcategory, cmdcaterory,
runasusercategory and hostcategory is resulting in the error
"no modifications to be performed".
The empty categories are now removed from the args if the category is
not set in the sudorule.
ANSIBLE_LIBRARY needs to be set properly for new Ansible version 4.0.0
to make sure that it is able to find the module that is checked.
For every file that needs to be checked, there is a separate ansible-doc
call. ANSIBLE_LIBRARY is set using os.path.dirname on the module_path.
With latest Ansible (4.0.0) it is needed to have a complete path for
ANSIBLE_LIBRARY. It is not good to hard code this in the
.pre-commit-config.yaml file for plugins and also all roles. Instead
it will be set in ansible-doc-test as it knows the path for each file
that is checked.
There is a new server management module placed in the plugins folder:
plugins/modules/ipaserver.py
The server module allows to ensure presence and absence of servers. The
module requires an existing server, the deployment of a new server can
not be done with the module.
DNSName has been added to ansible_freeipa_module in plugins/module_utils
as this is used for locations.
Here is the documentation for the module:
README-server.md
New example playbooks have been added:
playbooks/server/server-absent-continue.yml
playbooks/server/server-absent-force.yml
playbooks/server/server-absent-ignore_last_of_role.yml
playbooks/server/server-absent-ignore_topology_disconnect.yml
playbooks/server/server-absent.yml
playbooks/server/server-hidden.yml
playbooks/server/server-location.yml
playbooks/server/server-no-location.yml
playbooks/server/server-no-service-weight.yml
playbooks/server/server-not-hidden.yml
playbooks/server/server-present.yml
playbooks/server/server-service-weight.yml
New tests for the module:
tests/server/test_server.yml
Change in module_utils/ansible_freeipa_module:
DNSName is imported from ipapython.dnsutil and also added to __all__
Module was raising exceptions when trying to create a new privilege
with permissions. This change fixes the behavior and ensuure
idempotence with trying to create a privilege with the same values.
Tests for this behavior have been appended to:
tests/privilege/test_privilege.yml
There were no test for the arguments of compare_args_ipa() to check
if they were `None`, and they were used in contexts where `None`
would raise exceptions.
A test was added to return `False` if only one of the parameters is
`None`, and `True` if both are None.
IPA translates exception messages and Ansible uses controller's
language to execute plugins on target hosts, and since ansible-freeipa
uses Exceptions messages to detect some errors and/or states, using any
language that has a translation for the required messages may cause the
plugin to misbehave.
This patch modifies ansible_freeipa_module in plugin/module_utils to
force the use of "C" as the language by setting the environment variable
LANGUAGE.
Tests were added to verify the correct behavior:
tests/environment/test_locale.yml
The first test will fail, if ansible_freeipa_module is not patched, with
the message:
host_show failed: nonexistent: host nicht gefunden
This issue is not present if the language selected does not provide
a translation for the eror message.
This patch does not fix encoding issues that might occur in certain
releases (e.g.: CentOS 8.3).
Fix#516
Tests for service certificates were still using pre-generated
certificate files. This patch uses the same approach as other tests,
it generates a certficate, when needed, and use file lookup.
The Github workflow Ubuntu images do not provide Ansible pre-installed
anymore, and this patch forces its installation through Python's pip.
Different jobs were created to test documentation with different
versions of Ansible, currently 2.9 and the latest available.
In CentOS 8 and also Fedora the configuration and start of chrony
fails with
Fatal error : adjtimex(0x8001) failed : Operation not permitted
For more information: https://bugzilla.redhat.com/show_bug.cgi?id=1772053
NTP will not be needed before a separate namespace is used for clocks.
Without this change the "Import variables specific to distribution"
tasks fail with "Could not find file on the Ansible Controller..."
on environments with inject facts disabled.
This changes the tests to run with ansible with
inject_facts_as_vars = false and fixes other roles and playbooks.
Due to commit f3f9672d527008dc741ac90aa465bac842eea08d (ipa-rmkeytab: Check
return value of krb5_kt_(start|end)_seq_get) in IPA 4.9.2 there is a new
error reported for ipa-rmkeytab in case of a non existing keytab file.
Using ipa-rmkeytab now results in the error #7 in this case.
The client role is using ipa-rmkeytab and needs to ignore error #7 also.
Fixes: #510 (ipa-client installation with OTP is failed with error code 7
(keytab: /usr/sbin/ipa-rmkeytab returned 7))
The example playbooks for ipaselfservice were using the wrong module,
ipadelegation. This patch changes the references from ipadelegation
to ipaselfservice on these example playbooks.
Also, the attributes were changed, so the same attributes are used
throughout the examples.
Building containers for CentOS and Fedora were failing due to image
download failure. The container build process was fixed by changing
the base images.
Without explicit installation, Ansible was failing to run on
Azure pipelines. This change explicitly install the latest
Ansible version available through `pip`.
In the near future, Github will use Ubuntu 20.04, for workflows, and
this change will keep the upstream CI environment consistent between
Github and Azure.
Fixed names of sudorule member objects, as they did not match the names provided by IdM.
From: To:
member_host memberhost_host
member_hostgroup memberhost_hostgroup
member_user memberuser_user
member_group memberuser_group
Fixes: #500
A wrong variable was used inside of the while IFS read loops. This
prevented that the modules, playbooks, tasks, example playbooks and also
tests have been adapted for the galaxy release naming scheme.
In `ipapermission` plugin, Some attributtes were not being managed
when `action: member` was enabled.
This patch enable member management for `right`, `rawfilter`,
`filter, and fixes management of `memberof`.
Fix issue #489
When adding A or AAAA records using the compatibility mode with
Ansible's community general plugin, the reverse (PTR) record was
added, but the A/AAAA record was not. This patch fixes the behavior.
Fix issue #491
The attrs handling was not complete and did not support to ensure presence
or absence of attributes with action:member.
The includedattrs and excludedattrs parameters have not been added with
this change as the use of attrs will automatically set includedattrs and
excludedattrs. The includedattrs and excludedattrs parameters are only
usable for managed permissions and duplicating attrs.
The permission module may not handle privileges. An IPA internal only API
has been used for this. The prvilege variable and all related code paths
have been removed.
Fixes: #424 ([Permission Handling] Not able to add additional attributes
with existing attributes)
Fixes: #425 ([Permission Handling] Not able to add member privilege while
adding permission)
There are some issues using a combination of `lookup('file')` and the
`b64encode` filter in Ansible, making tests unstable. This change
removes the usage of b64encode when loading public and private keys
from files in the Vault test playbooks.
Added code to the ipa* plugins to support Ansible's check_mode, by
means of a clean exit before the execution of the actual list of
commands that would otherwise create/update/delete IPA servers
and/or its resources.
Current implementation does not allow the change of an existingi Vault
type. To allow it, data is retrieved from the current vault, the vault
is modifiend, and then, data is stored again in the new vault.
Due to changing the process of modifying a vault, this change also
fixes the update of asymmetric vault keys. To change the key used,
the task must provide the old private key, used to retrieve data,
and the new public_key, used to store the data again. A new alias
was added to public_key (new_public_key) and public_key_file
(new_public_key_file) so that the playbook better express the
intention of the tak.
Vault tests have been updated to better test against the new update
process, and a new test file has bee added:
tests/vault/test_vault_change_type.
In FreeIPA CLI, The attributes `allow_query` and `allow_transfer` can
hold IPv4 or IPv6 address or network address, and the values `none` and
`any`.
This patch adds support for network addresses, `none` and `any`, which
were not supported.
Fix issue #475.
When adding new members to a role, the existing members were removed.
The correct behavior for the "member" action is to add those members,
and substitute the existing ones. This patch fixes this behavior.
Fix#409, #411, #412, #413
According to the testinfra changelog, since version 6.0.0, testinfra
is know as pytest-testinfra, and the use of testinfra is deprecated.
This change will prevent future isses when updating requirements using
`pip`.
Ref: https://testinfra.readthedocs.io/en/latest/changelog.html
Bugbear is a plugin for Flake8 finding likely bugs and design problems.
It contain warnings that don't belong in pyflakes and pycodestyle, and
do not have a PEP or standard behind them.
Ref: https://github.com/PyCQA/flake8-bugbear
This patch disables ansible-lint `always_run` flag, as this was
making patches that did not change any YAML file take longer in
the pre-commit step, as ansible-lint was executed with no parameter,
thus, searching and evaluating all YAML files in the repository.
With this change, if no YAML file is modified, ansible-lint is skipped.
warning[SC2044]: For loops over find output are fragile. Use find -exec
or a while read loop.
warning[SC2164]: Use 'cd ... || exit' or 'cd ... || return' in case cd
fails.
The function get_commit was using the global merge variable instead of
the local commit variable. Therefore it returned the wrong commit
subject for merges without subject.
The parameter options.no_dnssec_validation was set using a bad
parameter name. This lead to not beeing able to turn off dnssec
validation in the replica deployment.
Fixes: #456 (ipareplica_no_dnssec_validation)
With the parameter `args: ['.']`, yamllint would run over every
file during pre-commit, including those not being commited, and it
would allow for false negatives, not allowing a commit, even if
commited yaml files had no issues, but another file, not par of the
commit, had.
By changing the yamllint parameter to `files: \.(yaml|yml)$` it
will only check files being commited, preventing false negatives,
and allowing for faster commits.
This PR fixes the creation of sudocmdgroups when the sudocmds are
specified, allowing groups to be created with sudocmd members in a
single task.
Fix issue #440.
Currently the script is failing with The given path '...' is not valid
if a path is not handled by the script. This is resulting in issues if
module_utils and action plugins are updated for example.
The solution is to simply ignore paths that are not handled.
The common_check function in the replica installer code has been changed
for the new memory checker code. With this the server and replica command
line installers got the option --skip-mem-check.
The server and replica role now also support the memory cheker and there
are new variables for server and replica:
ipaserver_mem_check - for ipaserver
ipareplica_mem_check - for ipaserver
These bool values default to yes and can be turned off in the inventory
or playbook if needed.
Related to freeipa PR https://pagure.io/freeipa/issue/8404 (Detect and
fail if not enough memory is available for installation)
Fixes: #450 (IPA Replica Installation Fails)
Altough configuring DNS and KRA support on the testing server node
provides broad coverage support, it does not represent all scenarios
where ansible-freeipa can be used, for example without DNS support.
This documentation updates removes the requirement for DNS and KRA
support, and highlights what is expected with different configurations.
When using ipahost module with servers where DNS was not configured
it failed to add hosts due to an exception raised on `dnsrecord_show`
that was not being correctly handled.
As the exception was being handled twice, the This patch simply removes
one of the handlers, allowing the exception to propagate to the caller,
where it is handled.
Fixes issue #434.
This PR adds a document with information on how to contribute to
ansible-freeipa development, showing the environment configuration,
available tools, and some guidelines that should be followed.
There was a failure when NAPTR or DLV records where updated,
if the record name had multiple entries. This patch fixes this
behavior, by using the requested record, not the retrieved one.
Tests have been updated to test for this issue on
tests/dnsrecord/test_dnsrecord.yml
Due to an issue with FreeIPA, when modifying the SOA serial attribute
along with other attributes, the value is ignored. In order to have
the value provided, the attribute is set is a later call to dnszone-mod
allowing it to retain the desired value.
Ref: https://pagure.io/freeipa/issue/8489
Examples of dnsforwarzone were using a single string rather than a
dict of values to set attribute `forwarders`. Both source code and
README examples were fixed.
Fix issue #446
The file lookup is by default setting `rstrip=True` which could lead
into a stripped new line. This is not happening always but resulted in
failed tests sometimes with certificates pasted to the b64encode filter.
For calls of lookup in the certificae tests `rstrip=False` has been
added to make sure that this is not happening any more. Not in
test_dnsrecord as lookup(..., rstrip=False) is adding a new line if
there was not a new line and this is an issue for dnsrecord. The user
and host tests have also been simplified to create the base64 encoded
file in the beginning and use this file then later on in the tests
without the need to use the b64encode filter.
Ref: https://github.com/ansible/ansible/issues/57521#issuecomment-502238000
This patch adds another lever of linter checking for ansible-freeipa
by enabling linters to run on the developer machine, before pushing
changes to be evaluated on the CI, allowing code fixes without
wating for CI to run the linters on the repository.
To enable pre-commit hooks, `pre-commit` is used, and was added to
requirements-dev.txt, and can be installed with pip
(`pip install -r requirements-dev.txt`). Once installed, on every
commit, YAML and python files on the commit will be evaluated.
If one needs to bypass the pre-commit linters, `git commit` can be
issued with `--no-verify`.
The linters will not be removed from the CI, as a commit can be
performed without running the checks.
When modifying a record, depending on how the playbook tasks were
arranged, it was possible to end with more records than expected.
This behavior was fixed by modifying the way records are searched
when a modification is requested. This change also allows less calls
find_dnsrecord.
Tests were modified to reflect the changes, and a new test playbook
was added:
tests/dnsrecord/test_dnsrecord_modify_record.yml
Currently the certifaictes are copied ot the server with the complete
path that is provided within the playbook. This could result in
unexpected file placements. Certificates should be placed in the /root
folder for the deployment.
Fixes#405 (copy_external_cert does not handle pathed items)
Information about the backup role and also the config, delegation, dns
config, location, permission, priviledge and self service modules have been
missing in the main README file.
This change add support for running ansible-doc-test on every
commit or PR, ensuring that roles and modules are able to produce
correct documentation with ansible-doc.
The currently used namespace and collection name are hard coded in
utils/build-galaxy-release.sh. They can now be defined as args 1 and 2
and default to freeipa and ansible_freeipa..
FreeIPA 4.8.7 has introduced bind type 'self' as a valid value, and
this PR adds checks so the module fails early if the value is used
with an unsupported version.
Tests and documentation have been updated to reflect the changes.
Some attribute values are only accepted for specific FreeIPA versions,
for example `self` for permission's `bindtype`. Although there are
options to check for command and parameter availability, there is no
check for verifying if a value should be accepted.
This patch add a function to evaluate the target FreeIPA host version,
by comparing a giver version to the current installed one.
The version evaluation uses Python packaging's version comparision,
which is compatible with PEP 440, if available. If not available, it
falls back to a string split, that will work for the most common cases,
but might fail for versions including strings with `rc` or `dev`, for
example.
Due to Ansible filtering out values in the output that might be match
values in sensible attributes that have `no_log` set, if a module need
to return data to the controller, it cannot rely on
`ansible_module.exit_json` if there is a chance that a partial match
may occur.
See: https://github.com/ansible/ansible/issues/71789
The change provided here uses the same implementation that is used on
Ansible's `AnsibleModule.exit_json`, without the data filtering layer,
so every attribute with be printed and, therefore, logged by Ansible.
This is needed for the Vault module, as we need to return values that
are explicit requested by the user and that might, at least partially,
match the values in attributes with `no_log` set.
Tests that reproduced the issue, and show it was fixed were provided
for all Vault types.
Up to now the snippets in the README files, the EXAMPLES in the modules
and also the tests playbooks have not been adapted while building the
collection.
These are the invoved python files:
utils/galaxyfy-README.py
utils/galaxyfy-module-EXAMPLES.py
utils/galaxyfy-playbook.py
utils/galaxyfy.py
utils/galaxyfy.py provides the function galaxyfy_playbook, which has been
extended and is used in galaxyfy-playbook.py, galaxyfy-README.py and
galaxyfy-module-EXAMPLES.py.
There is curently a merge commit without a subject, which leads into a
traceback in the changelog script.
The merge information provides the commit hash, which is now used to get
the subject later on using the generated commits hash.
There is a new backup role in the roles folder:
roles/ipabackup
This role allows to backup an IPA server, to copy a backup from the
server to the controller, to copy all backups from the server to the
controller, to remove a backup from the server, to remove all backups
from the server, to restore an IPA server locally and from the controller
and also to copy a backup from the controller to the server.
Here is the documentation for the role:
roles/ipabackup/README.md
New example playbooks have been added:
playbooks/backup-server.yml
playbooks/backup-server-to-controller.yml
playbooks/copy-backup-from-server.yml
playbooks/copy-all-backups-from-server.yml
playbooks/remove-backup-from-server.yml
playbooks/remove-all-backups-from-server.yml
playbooks/copy-backup-to-server.yml
playbooks/restore-server-from-controller.yml
playbooks/restore-server.yml
When using the ipavault module to retrieve stored data, this data is
often sensitive, and if `no_log` is not enabled on the playbook, the
sensitive data will be logged by Ansible.
This change in de documentation, and playbook examples, suggests the
use of `no_log: true` when using `state: retrieved` with ipavault.
There is a new permission management module placed in the plugins folder:
plugins/modules/ipapermission.py
The permission module allows to ensure presence of absence of permissions
and manage permission members.
Here is the documentation for the module:
README-permission.md
New example plabooks have been added:
playbooks/permission/permission-absent.yml
playbooks/permission/permission-allow-read-employeenum.yml
playbooks/permission/permission-member-absent.yml
playbooks/permission/permission-member-present.yml
playbooks/permission/permission-present.yml
playbooks/permission/permission-renamed.yml
New tests for the module:
tests/permission/test_permission.yml
This patch add support for adding external members to ipagroup which
have the `external` attribute set. It adds another attribute to the
module, `external_members`, which is a list of users or groups from
an external trust, to be added to the group.
This patch requires server-trust-ad to be tested, as such, the tests
have been guarded by a test block, for when such tests are available
in ansible-freeipa CI.
Fixes issue #418
This scrip can be used to generate the changelog text for a new
ansible-freeipa release on github.
usage: Usage: changelog [options] [<new version>]
optional arguments:
-h, --help show this help message and exit
--tag TAG git tag
If the script is used without a givn tag, it will show all the changes since
the last tag. If a tag (this can be a also a commit) is given, then all
changes since this commit are shown.
This script can check modules in roles and also plugins folder to have
a valid documentation section. It is using anisble-doc internally.
usage: Usage: ansible-doc-test [options] [path]
optional arguments:
-h, --help show this help message and exit
-v increase output verbosity
There are different verbose levels:
-v Shows the modules that are tested at the moment.
-vv Shows the modules and also the doc output.
You can use the script to check specific modules, roles or modules in roles.
Here are some examples:
Test specific module with verbose level 1:
$ utils/ansible-doc-test -vv plugins/modules/ipauser.py
Test all modules in plugins folder:
$ utils/ansible-doc-test -v plugins
Test ipaserver_prepare.py in ipaserver role:
$ utils/ansible-doc-test -v roles/ipaserver/library/ipaserver_prepare.py
Test all modules in ipaserver role:
$ utils/ansible-doc-test -v roles/ipaserver
Test all roles:
$ utils/ansible-doc-test -v roles
Test all roles and modules in plugins:
$ utils/ansible-doc-test -v
Public and private key files were created but not removed when testing
the Vault module. This was fixed by adding a task to remove them to
Vault's env_cleanup playbook.
This patch adds Ansible tasks to create and remove self-signed
certificates, instead of using previously created certificates.
The certificates are then `lookup`, instead of being used inline
in the playbooks.
Playbooks are easier to read and maintain with this changes, and
there is no need to change the playbooks, if a certificate expires.
ansible-doc is reporting several issues in modules. Most of them have benn
due to misspelled description key word or due to use of multi line text
without the | in the description line.
https://pagure.io/freeipa/issue/8458 moved more things to the ipalib and
ipalib.facts:
- sysrestore has been moved from ipalib.install to ipalib
- is_ipa_configured has been moved from ipaserver.install.installutils to
ipalib.facts
Fixes: #394 (TASK [ipaclient : Install - IPA client test] Error: module
'ipalib.install.sysrestore' has no attribute
'SYSRESTORE_STATEFILE')
When using changing passwords, using password files, the file name was
being used as the password, and not its content. This patch fixes the
behavior to use the contents of the password file.
Tests have been added to ensure the correct behavior.
The new variables ipa[server,replica]_firewalld_zone have been added to
be able to set the zone in which the needed services for IPA are enabled.
New tasks have been added to check if the zone is available in the runtime
and also permamanet environment.
The code to enable firewalld has been moved out of thee
ipa[server,replica]_install_packages blocks to make sure that the firewalld
service is also enabled if the package is already installed.
Fixes: issue #177 (How to set up firewalld zones?)
When retrieving data from a vault using `out` to store the data in a
file resulted is random characters being returned and logged. These
characters could generate a traceback print from Ansible's logger,
without breaking the script.
The reason for that is that the result from `vault_retrive` was being
processed when it was not needed, and data was beeing returned, when
it shouldn't.
This patch fixes this behavior by supressing the return data when `data`
is not available, and only raising an error if it should be available.
There is a new privilege management module placed in the plugins folder:
plugins/modules/ipaprivilege.py
The privilege module allows to ensure presence or absence of privilege
and manage privilege permission memebers.
Here is the documentation for the module:
README-privilege.md
New example playbooks have been added:
playbooks/privilege/privilege-absent.yml
playbooks/privilege/privilege-member-absent.yml
playbooks/privilege/privilege-member-present.yml
playbooks/privilege/privilege-present.yml
New tests for the module:
tests/privilege/test_privilege.yml
users.json is generated for the tests and not part of the repo any more.
This test was lacking the include to generate the file.
Related to: b7e1a99b6e
tests/user/test_users*.yml: Use extended dynamic users.json
There is a new trust management module placed in the plugins folder:
plugins/modules/trust.py
The trust module allows to ensure presence and absence of trusts.
Here is the documentation for the module:
README-trust.md
New example playbooks have been added:
playbooks/trust/add-trust.yml
playbooks/trust/del-trust.yml
New tests added for the module:
tests/hbacrule/test_trust.yml
In order to run the tests in idm-ci we need to configure the our pytest
tests environment variables. This PR configures that automatically if an
environment variable TWD is available and $TWD/config exists.
The scprit `lint_check.sh` under utils runs the same linters as the
Github Actions, with the same configuration.
The changes on setup.cfg are required if flake8-docstrings is used,
so its output is the same as pydocstlye.
Flake8 and Pydocstyle were already being used as checks on Azure
pipelines, and this change enable the use of both as Github actions
run on every push (on any fork) end every pull-request.
I uses `rjeffman/python-lint-action` to run both linters using the
project's configuration.
Ansible best practice is to not use `latest` for the `package` module
state. As we want to use it in the case of nss, this change will
disable checking for this case.
By running yamllint we add one more verification of quality to the
playbooks used on/provided by ansible-freeipa, that will be executed
on every push (even on forks) or pull-requests.
This patch provides the configuration needed to run yamllint on
the playbooks found in the `tests`, `playbooks` and `molecule`
directories, on every push or pull-request done on Github, using
ibiqlik/action-yamllint action version `v1`.
The current configuration for yamllint has many rules disable, so
the problems found can be fixed later. All rules after the comment
`# Disabled rules` should be enabled in the near future.
By running ansible-lint we check if playbooks provided in
ansible-freipa follow Ansible's best practices, nd the verification
will be performed on every push (even on forks) or pull-request.
This patch provides the configuration needed to run ansible-lint
to the playbooks found in the `tests`, `playbooks` and `molecule`
directories, on every push or pull-request done on Github, using
Ansible's Github Action ansible/ansible-lint-action.
Until now ansible-freeipa repository only had playbook tests. This
commit introduces the ability of creating TestCase classes connected to
the master host. This connection can be used to run commands in the
managed host after the ansible playbook execution is the allowing the
verification of the machine state.
When using virtual environment for development, Git reports that the
virtual environment itself in untracked. This change add commonly found
virtual environment directories to the list of ignored files/directories.
The ipagroup attribute `membermanager` requires the use of IPA
version 4.8.4 or later. This change ensure that the tests are
executed only if a required version is found.
The config attributte maxhostname is only available after IPA
version 4.8.0. The tests for this attribute are now protected to
not run if a previous IPA version is found.
When running module ipavault with Python 2.7, due to differences in
the handling of unicode string than in Python 3, the vault_type type
was different than the required.
This patch changes the default value to force a unicode string in
the supported versions of Python, fixing the module when Python 2
is used.
When using ipadnsfowardzone with a target host that uses Python 2,
it fails to add new zones due to unicode and str being different on
that version. This patch fixes this behavior ensuring the module
works on both Python verisons 2.7 and 3.x.
Some attributes require a specific IPA version to be used, some were
not documented, some had different text.
This change standardize the text to show that some attributes require
a specific IPA version to be used, and add the versions where they
were not yet documented.
test_users_absent.yml was using users_absent.json. It has been adapted to
use users.json instead with an additional json_query to get only the names
from users_present.json.
create_users_json.yml has been added to create users.json if it is missing
containing 500 users. It is included by test_users_present.yml and
test_users_absent.yml.
users_present.sh has been renamed to users.sh and modified to create by
default users.json with 1000 users and additional with password and
passwordexpiration in two years.
jmespath has been added to pip install list in
tests/azure/templates/playbook_tests.yml to emable the use of json_query.
The requirement for jmespath has been added to tests/README.md.
Azure is building Centos and Fedora containers in every PR. We only need
to have containers builds on a nightly build so we are disabling the
default triggers from Azure.
The script will create the module in plugins/modules, the README, test and
playbook files.
Usage: new_module [options] <module name> <author name>
<author email address>
Create new ansible-freeipa module using templates.
Options:
-m Create module with member support
-f Force creation
-h Print this help
Example:
utils/new_module -m permission "My Name" myname@some.email
This script gets version and release from git describe --tags. It uses
utils/ansible-freeipa.spec.in and the variables to generate
ansible-freeipa.spec in the top folder.
An archive not including the spec file is created to generate the SRPM from.
Added a pipeline file (tests/azure/build-containers.yml) to build test
containers and upload them to quay.io. The pipeline will create
containers with IPA pre-installed for testing proposes on three
different Linux containers: CentOS 7, CentOS 8 and Fedora Latest.
Some attributes are not present in all supported versions of FreeIPA,
and this might cause tests to fail due to unsupported versions.
This patch add the means to test if a test can be executed based on
the target host FreeIPA version.
Since `name_from_ip` has a similar, but not equal, behavior to `name`,
and as the inferred DNS zone might depend on DNS configuration and
can be different than the user expects, it has some limited usage,
and the user must be aware of its effects.
This change to the documentation enhance the documentation including
more details on the attribute usage.
When adding a zone using the option name_from_ip, the user have
little control over the final name of the zone, and if this name
is to be used in further processing in a playbook it might lead to
errors if the inferred name does not match what the user wanted to.
By returning the actual inferred zone name, the name can be safely
used for other tasks in the playbook.
Modified support for processing result of IPA API commands so that
client code can define its own processing and add return values to
self.exit_args based on command result.
If a subclass need to process the result of IPA API commands it should
override the method `process_command_result`. The default implementation
will simply evaluate if `changed` should be true.
IPA CLI has an option `name_from_ip` that provide a name for a zone
from the reverse IP address, so that it can be used to, for example,
manage PTR DNS records.
This patch adds a similar attribute to ipadnszone module, where it
will try to find the proper zone name, using DNS resolve, or provide
a sane default, if a the zone name cannot be resolved.
The option `name_from_ip` must be used instead of `name` in playbooks,
and it is a string, and not a list.
A new example playbook was added:
playbooks/dnszone/dnszone-reverse-from-ip.yml
A new test playbook was added:
tests/dnszone/test_dnszone_name_from_ip.yml
Tests for module ipalocation failed due to missing ipaadmin_password.
Added the variable to the playbooks, and also fixed the examples and
documentation. Some playbooks had identation fixed to two spaces
instead of one for consistency with other modules.
A test was failing due to use of old ipavault module return structure
and some places on the documentation were alse referring to it. All
ocurrences were fixed.
When modifying an existing vault to change the value of `salt`, the
password must also change. It is fine to "change" the password to the
same value, thus only changing the salt value.
The generation of a random salt, when one was not provided, was in the
wrong place and being generated too late to be used properly. Also, the
generation of the value was duplicated.
In some scenarios, the value of the vault type is returned as a tuple,
rather than a string, this made some changes to existing vault to fail.
With this change, the vault type is correctly retrieved, if it was not
provided by the user.
There is a new location management module placed in the plugins folder:
plugins/modules/ipalocation.py
The location module allows to ensure presence or absence of locations.
Here is the documentation for the module:
README-location.md
New example playbooks have been added:
playbooks/location/location-absent.yml
playbooks/location/location-present.yml
New tests for the module:
tests/location/test_location.yml
There is a new selfservice management module placed in the plugins folder:
plugins/modules/ipaselfservice.py
The selfservice module allows to ensure presence and absence of selfservices
and manage selfservice attributes.
Here is the documentation for the module:
README-selfservice.md
New example playbooks have been added:
playbooks/selfservice/selfservice-absent.yml
playbooks/selfservice/selfservice-present.yml
playbooks/selfservice/selfservice-member-absent.yml
playbooks/selfservice/selfservice-member-present.yml
New tests for the module:
tests/selfservice/test_selfservice.yml
There is a new delegation management module placed in the plugins folder:
plugins/modules/ipadelegation.py
The delegation module allows to ensure presence and absence of delegations
and manage delegation attributes.
Here is the documentation for the module:
README-delegation.md
New example playbooks have been added:
playbooks/delegation/delegation-absent.yml
playbooks/delegation/delegation-present.yml
playbooks/delegation/delegation-member-absent.yml
playbooks/delegation/delegation-member-present.yml
New tests for the module:
tests/delegation/test_delegation.yml
The attribute `allow_retrieve_keytab_host` was not working due to
wrong processing of the input and verification if the values should
be updated. Both the issues are fixed by this change.
Tests were added to better verify service keytab members.
The ipavault module was returning a single string value when retrieving
data. To keep consistency with other modules, it should return a dict
with the `data` variable in it.
This change modifies the result of ipavault to be a dict and also fixes
relevant tests, examples and documentation.
FreeIPA 4.8.7 introduced an option to rename an existing hostgroup.
This patch adds support for renaming hostgroups if the option is
available on installed IPA version.
A new state `renamed` and a new option `rename` (alias: `new_name`)
was added to module `ipahostgroup` to allow renaming of host groups.
The implemented behavior is:
* Rename if `name` exists and `rename` doesn't.
* Do nothing if `name` does not exist and `rename` does, or if
`name` equals to `rename`. (result.changed is False)
* Fail if neither or both `name` and `rename` exist.
This PR allow ipadnszone module to ensure that multiple dns zones
are absent at once, to be consistent with other ansible-freeipa
modules.
To fix this issue, it was required that custom arguents must be
passed using keyword arguments so that `get_ipa_command_args()`
is kept generic.
The attribute `skip_host_check` was using dashes instead of
underscores, and the certificate examples could not be used
directly due to formatting. These changes fix both issues.
This change fixes a wrong parameter name in the documentation of
RESULT_VALUES, and also provide a correct YAML snippet to ensure
presence of an asymmetric vault with a formatted private key.
When a fail_json is called a SystemExit exeception is raised.
Since the FreeIPABaseModule has an internal context manager to deal
with exceptions this ContextManager captures the SystemExit. After
dealing destroying the kinit session the SystemExit must be raised again
to allow the fail_json to work properly.
The name "www.ansible.com" was used as a host, but this required
that DNS forwarding is enabled and configured to test serivces
for hosts that have an IP address but are not host objects in IPA.
This change set a a host name that lies in the testing domain, and has
an IP address defined, buth is not added as a host object,
so the forwarding DNS configuration is not needed for this test.
Added comment about problem with no_log in Azure CI. While running on CI
using ansible 2.10a the content of attributes with no_log=True is
replaced by ***** on ansible causing test failures.
* Moved azure CI definitions from azure-pipelines.yml to
tests/azure/azure-pipelines.yml.
* Updated azure CI definitions to run playbook tests using docker
containers.
* Adapted tests/test_playbook_runs.py script to allow tests to be
executed from a docker container.
* Added molecule scenarios to create/destroy test containers and
respective documentation in tests/README.md.
In some case the tests needs to have the class A, B and C of reverse DNS
set in order to function properly. Those missing classes where
added/updated in dnsrecord, services and host tests.
This patch adds suport for the IPA CLI option `posix` when modifying
an existing group. Also, enhances verification of `external` and
`posix/non-posix` groups to avoid unneded API failures (e.g. when
no change to the posix/external status is needed).
A new test was added:
tests/group/test_group_external_nonposix.yml
There is a new role management module placed in the plugins folder:
plugins/modules/iparole.py
The role module allows to ensure presence or absence of roles and
manage role members.
Here is the documentation for the module:
README-role.md
New example playbooks have been added:
playbooks/role/role-is-absent.yml
playbooks/role/role-is-present.yml
playbooks/role/role-member-group-absent.yml
playbooks/role/role-member-group-present.yml
playbooks/role/role-member-host-absent.yml
playbooks/role/role-member-host-present.yml
playbooks/role/role-member-hostgroup-absent.yml
playbooks/role/role-member-hostgroup-present.yml
playbooks/role/role-member-privilege-absent.yml
playbooks/role/role-member-privilege-present.yml
playbooks/role/role-member-service-absent.yml
playbooks/role/role-member-service-present.yml
playbooks/role/role-member-user-absent.yml
playbooks/role/role-member-user-present.yml
playbooks/role/role-members-absent.yml
playbooks/role/role-members-present.yml
playbooks/role/role-rename.yml
New tests for the module:
tests/role/test_role.yml
tests/role/test_role_service_member.yml
The password that is used in the script to generate the CA and also sign
the CSR is not strong enough in FIPS mode. In normal mode the password was
ok, though.
In FIPS mode the password needs to have at least one upper, lower, digit
and a special char.
The parameters master_host_name, config_setup_ca, dirman_password have not
been set for some modules. Also there was no ldap2 connection within
ipareplica_setup_kra. All this resulted in improper configuration where
for example KRA deployment failed in the end.
A conversion warning in ipareplica_setup_adtrust has also been fixed for
the setup_ca parameter.
Fixes#314 (IPA replica installation failure - DS enabled SSL - second part)
With the CA-less patches the types for the pkcs12 infos have been changed
to lists in the modules. This is resulting in a bad conversion from None
to [''] for the parameters. Because of this a normal replica deployment is
failing as [''] is not a valid value.
The install.yml files for ipareplica and also ipaserver have been changed
in the way that the pkcs12 values are checked if they are None. The
parameter will simply be omitted in this case and the parameter in the
module will become None by default.
Ansible is now also supporting discovered_python_interpreter for
action_plugins. task_vars needs to be non Null and contain a setting for
discovered_python_interpreter. The ipaclient_get_otp action_plugin
therefore needed to be adapted.
Due to use of some shell commands that required a Kerberos ticket,
the ipaservice test test_service_disable would no work if a ticket
was not granted before it ran. This patch adresses this issue by
acquiring a ticket for the `admin` user before it is needed, and
destroying the tickets by the end of the test execution.
If a unknown membermanager user presence will be ensured, the unknown user
error was ignored. This has been fixed in ipagroup. The code for the error
handling in ipagroup and ipahostgroup has been adapted because of this.
New tests for tests/[host]group/test_[host]group_membermnager.yml have been
added.
Allows changing passwords of symmetric waults, using a new variable
`new_password` (or the file-base version, `new_password_file`). The
old password must be passed using the `password` or `password_file`
variables that also received new aliases `old_password` and
`old_password_file`, respectively.
Tests were modyfied to reflect the changes.
It was possible to have several entries for names with the hosts and users
lists. This resulted sometimes in errors but also unexpected changes. A new
check has been added to make sure that the names in the users and hosts
lists are unique.
New tests have been added to verify this in the existing files:
- tests/host/test_hosts.yml
- tests/user/test_users.yml
This patch allows the modification of the forward zone policy in
an existing DNS Forward Zone, and fixes some issues with `enable`
and `disable` state that prevented correct behavior of `forwardpolicy`.
Services without certificates, but with keytabs were not being
disabled. This change allows execution of service_disable if
there is a certificate or if has_keytab is true.
A new test was added to verify the issue:
tests/service/test_service_disable.yml
This patch modify the was forwarders are configured, using two attributes,
`ip_address` and `port`, instead of IPA API internal string representation
of `IP port PORT`.
The ca-less PR introduced a bug when http_ca_cert is not set. The test
for loading the certificate is testing for None, but the string will only
be empty in this case.
Related: #298 (Install server and replicas without CA)
Current implementation of hbacrule and sudorule allow for a new rule
creation script to be partialy successful when a member is provided and
the respective member category is set to `all` (either users, hosts,
services, commands, and their group counterparts).
Since the creation of the rule is independent of the adittion of members,
the rule is succesfully created, but member addition fails, leaving with
a created rule that has no members on it.
This patch fixes both modules by verifying if user, host, service or
commands (and groups of members) are being added if the corresponding
category is set to `all`, when the state is `present` and the action is
not `member`. If so, it fails before the rule is created.
This patch add support for the attributes `maxtostname` and
`ca_renewal_master_server` attributes that were missing and
also provide a more complete set of tests.
This change split vault tests in several files, organized by vault
type and operation (vault vs. member) so that it is easier to add
new tests for issues and verify if tests are missing.
This patch adds support for retrieving data stored in an IPA vault by
adding a new valid state for ipavault: `retrieved`.
To allow the retrieval of data from assymetric vaults, the attributes
`private_key`, `private_key_files` and `out` were also added to the
module.
The private key files, `private.pem`, should be paired with the already
existing `public.pem` public key files.
Tests were updated to reflect changes and two new playbooks were added:
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
A group membership manager is a user or a group that can add members to
a group or remove members from a hostgroup.
This is related to https://pagure.io/freeipa/issue/8114
New parameters have been added to the module:
- `membermanager_user`: List of member manager users assigned to this
group. Only usable with IPA versions 4.8.4 and up.
- `membermanager_group`: List of member manager groups assigned to this
group. Only usable with IPA versions 4.8.4 and up.
These parameters behave like member parameters.
A new test has been added:
- tests/hostgroup/test_hostgroup_membermanager.yml
There is a new dnsrecord managem module placed in the plugins folder:
plugins/modules/ipadnsrecord.py
The dnsrecord module allows management of DNS records and is as compatible
as possible with the Ansible upstream `ipa_dnsrecord` module, but provide
some other features like multiple record management in one execution,
support for more DNS record types, and more.
Here is the documentation for the module:
README-dnsrecord
New example playbooks have been added:
playbooks/dnsrecord/ensure-dnsrecord-is-absent.yml
playbooks/dnsrecord/ensure-dnsrecord-is-present.yml
playbooks/dnsrecord/ensure-presence-multiple-records.yml
playbooks/dnsrecord/ensure-dnsrecord-with-reverse-is-present.yml
playbooks/dnsrecord/ensure-multiple-A-records-are-present.yml
playbooks/dnsrecord/ensure-A-and-AAAA-records-are-absent.yml
playbooks/dnsrecord/ensure-A-and-AAAA-records-are-present.yml
playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml
playbooks/dnsrecord/ensure-CNAME-record-is-present.yml
playbooks/dnsrecord/ensure-MX-record-is-present.yml
playbooks/dnsrecord/ensure-PTR-record-is-present.yml
playbooks/dnsrecord/ensure-SRV-record-is-present.yml
playbooks/dnsrecord/ensure-SSHFP-record-is-present.yml
playbooks/dnsrecord/ensure-TLSA-record-is-present.yml
playbooks/dnsrecord/ensure-TXT-record-is-present.yml
playbooks/dnsrecord/ensure-URI-record-is-present.yml
New tests for the module can be found at:
tests/dnsrecord/test_dnsrecord.yml
tests/dnsrecord/test_compatibility_with_ansible_module.yml
tests/dnsrecord/test_dnsrecord_full_records.yml
A group membership manager is a user or a group that can add members to
a group or remove members from a group.
This is related to https://pagure.io/freeipa/issue/8114
New parameters have been added to the module:
- `membermanager_user`: List of member manager users assigned to this
group. Only usable with IPA versions 4.8.4 and up.
- `membermanager_group`: List of member manager groups assigned to this
group. Only usable with IPA versions 4.8.4 and up.
These parameters behave like member parameters.
A new test has been added:
- tests/group/test_group_membermanager.yml
A group membership manager is a user or a group that can add members to
a group or remove members from a hostgroup.
This is related to https://pagure.io/freeipa/issue/8114
New parameters have been added to the module:
- `membermanager_user`: List of member manager users assigned to this
group. Only usable with IPA versions 4.8.4 and up.
- `membermanager_group`: List of member manager groups assigned to this
group. Only usable with IPA versions 4.8.4 and up.
These parameters behave like member parameters.
A new test has been added:
- tests/hostgroup/test_hostgroup_membermanager.yml
This patch changes auth_ind variable to receive a list of values
instead of a single one, so that more than one value can be set
at once.
Tests have been updated to reflect the change.
When using a variable that is invalid for a given action, the `action`
was not being displayed in the error message, leading to a poor user
experience.
This patch changes auth_ind variable to receive a list of values
instead of a single one, so that more than one value can be set
at once.
Tests have been updated to reflect the change.
When using a variable that is invalid for a given action, the `action`
was not being displayed in the error message, leading to a poor user
experience.
This patch explicitly set `no_log` option for `update_password` attribute
to `False`, so that the warning on `no_log` not being set is not issued
anymore. Ansible incorrectly issued the warning, as `update_password` does
not carry sensitive information.
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
plugins/modules/ipaconfig.py
The config module allows the user change global config settings.
The config module is as compatible as possible to the Ansible upstream
ipa_config module, but adds many extra variables.
Here is the documentation for the module:
README-config.md
With the encoded _http_ca_cert from ipaserver_test it is possible to revert
back to the IPA upstream code to write the pkcs12 http certificates.
The passed _http_ca_cert only needs to be decoded with decode_certificate.
The function load_pkcs12 should not be skipped to verify the given
certificates. After the certificates have been verified and the temporary
certificate copies have been generated, these files are copied to
/etc/ipa/.tmp_pkcs12_* as the temporary files will simply be removed as
soon as the file descriptors have been closed.
Additionally the [http,dirsrv,pkinit]_pkcs12_info is recreated to point to
the copied temporary files.
With this revertion the need to change other modules has been rediced to
the minium, the IPA upstream code can simply be used.
The passed back certificates [http,dirsrv,pkinit]_ca_cert are encoded using
encode_certificate.
The encode_certificate and decode_certificate are needed to encode and
decode a certificate in the way that it can be passed back from a module
and imported back into a usable certificate in another module.
For newer IPA versions the certificate is normally an IPACertificate for
older IPA versions it is simply a bytes array. But in both cases it needs
to be converted not to break Ansible.
The certificates should not be pre-generated as they will expire at some
point. Simply generate them for each test run using the domain used in the
test. Copy the certificate files each time into the test server after
removing the old ones.
Since ipahost uses dnsrecord-show, it raises an error when DNS zone is
not found, but it should not be an ipahost concern.
This patch fixes this behavior by returning no record if DNS zone is
not found, so processing resumes as if there is no record for the host.
It fixes behavior when `state: absent` and dnszone does not exist, so,
host should not exist either, and the ipahost answer is correct and
indifferent to DNS Zone state.
This patch explicitly set `no_log` option for `update_password` attribute
to `False`, so that the warning on `no_log` not being set is not issued
anymore. Ansible incorrectly issued the warning, as `update_password` does
not carry sensitive information.
The `services` member and ownership atttributes were missing from
vault module. This change adds them.
Handling of owner and ownergroups needed to be changed to fix `services`
and, due to this, have also been fixed.
Running test_playbook_runs.py would result of running only the
last collected test but showing the name of the other tests instead.
To fix that the test_path was moved to an argument set by a method
decorator.
IPA CLI allows the creation of vaults without specifying user, service or a
shared vault, defaulting to create a user vault for the `admin` user. The
vault module, required that one of user, service or shared was explicitly
provided, and this patch makes the module behave like the CLI command.
Tests were added to reflect this change.
certmapdata was not processed properly. The certificate was not loaded and
therefore the `issuer` and `subject` could not be compared to the
certmapdata entries in the user record. The function `load_cert_from_str`
from ansible_freeipa_moduleis used for this.
Additionally there was no way to use the certmapdata data format. This
is now possible with the `data` option in the certmapdata dict.
Example: "data: X509:<I>dc=com,dc=example,CN=ca<S>dc=com,dc=example,CN=test"
`data` may not be used together with `certificate`, `issuer` and `subject`
in the same record.
Given certmapdata for the ipauser module is now converted to the internal
data representation using also the new function `DN_x500_text` from
`ansible_freeipa_module`.
New functions `convert_certmapdata` and `check_certmapdata` have been added
to ipauser.
tests/user/certmapdata/test_user_certmapdata.yml has been extended with
additional tasks to verify more complex issuer and subjects and also using
the data format.
This function can be used to check if a command is available in the API.
This is used in ipauser module to check if user_add_certmapdata is available
in the API.
This function is needed to properly convert issuer and subject from a
certificate or the issuer and subject parameters in ipauser for certmapdata
to the data representation where the items in DN are reversed.
The function additionally provides a fallback solution for IPA < 4.5.
Certmapdata is not supported for IPA < 4.5, but the conversion is done
before the API version can be checked.
For certmapdata processing in ipauser it is needed to be able to load a cert
from a string given in the task to be able to get the issuer and subject of
the certificate. The format of the certifiacte here is lacking the markers
for the begin and end of the certificate. Therefore load_pem_x509_certificate
can not be used directly. Also in IPA < 4.5 it is needed to load the
certificate with load_certificate instead of load_pem_x509_certificate. The
function is implementing this properly.
group_remove_member is not able to handle services in old IPA releases.
In one case the check was missing and the removal of a user from a group
failed because of this with an older IPA version. The missing check has
been added.
Fixes#257 (ipagroup fails to remove user from group ipausers)
The host_find command had to be replaced to get the "has_password" and
"has_keytab" return values. This commit replaces the dnsrecord_find
with the dnsrecord_show command to have consistent find functions in
the module.
If random is enabled and update_password is limited to "create_only", the
random password may only be changed if the host does not exist yet.
Additionally the generation of the random password will fail, if the host
is already enrolled if update_password is "always" (default value). An
error will be reported early in this case now.
The command host_show is now used instead of host_find, as `has_password`
and `has_keytab` are only returned by host_show, but not by host_find. The
find_host function has been adapated for this change.
Resolves: #253 (ipahost is not idempotent)
The find_user function was not using encode_certificate for certificates
that are stored in the user record. This could lead to some issues with
older ipa releases and Python 2.
Because of a missing check member attributes (for use with action: member)
are cleared when a non-member attribute is changed. The fix simply adds a
check for None (parameter not set) to gen_add_del_lists in
ansible_freeipa_module to make sure that the parameter is only changed if
it should be changed.
All places where the add and removal lists have been generated manually
have been changed to also use gen_add_del_lists.
Resolves: #252 (The "Manager" attribute is removed when updating any user
attribute)
Even after obtaining Kerberos TGT with temp_kinit(), when connecting to
the IPA API with context `ansible-freeipa`, the API commands complained
that Kerberos credentials were not available. This patch fixes this
behavior.
In the case that the admin password has been set and become was not set
the call to backend.connect in api_connect failed. The solution is simply
to set os.environ["KRB5CCNAME"] in temp_kinit after kinit_password has
been called using the temporary ccache. os.environ["KRB5CCNAME"] is not
used automatically by api.Backend.[ldap2,rpcclient].connect. Afterwards
os.environ["KRB5CCNAME"] is unset in temp_kdestroy if ccache_name is not
None.
Fixes: #249 (Kerberos errors while using the modules with a non-sudoer user)
This patch allows the removal of option `all` from user, host, group,
runasuser, and runasgroup categories, by allowing an empty string as
a valid choice for each option.
The namespace and colleciton name have been hard coded. Now variables are
used for them. The project prefix and collection prefix are now passed to
galaxyify-playbook.py.
The use of "default: idstart+199999" in the description of the idmax
parameter was resulting in the galaxy import error:
Cannot parse "DOCUMENTATION": mapping values are not allowed here in
"<unicode string>", line 52, column 58: ... value for the IDs range
(default: idstart+199999)
The ":" has simply been removed to fix this issue.
When accessing an instance of AnsibleFreeIPAParams with .get the obj was
by-passing the call to _afm_convert which was the primaty reason why it
was created.
Also the class now extends Mapping instead of dict.
There is a new management module placed in the plugins folder:
plugins/modules/ipadnszone.py
The dnszone module allows to manage DNS zones.
Here is the documentation for the module:
README-dnszone.md
New example playbooks have been added:
playbooks/dnszone/disable-zone-forwarders.yml
playbooks/dnszone/dnszone-absent.yml
playbooks/dnszone/dnszone-all-params.yml
playbooks/dnszone/dnszone-disable.yml
playbooks/dnszone/dnszone-enable.yml
playbooks/dnszone/dnszone-present.yml
New tests for the module:
tests/dnszone/test_dnszone.yml
tests/dnszone/test_dnszone_mod.yml
The import of ansible_ipa_server, ansible_ipa_replica and ansible_ipa_client
might result in a permission denied error for the log file. It seems that
for collections the module utils seem to be loaded before the needed
permissions are aquired now.
The fix simply adds a wrapper for standard_logging_setup that is called in
all the modules of the server, replica and client roles to do the loggin
setup as one of the first steps of the module execution and not before.
Due to setting aaaa_extra_create_reverse or a_extra_create_reverse when not
needed, host module fails to add a host with reverse address. This patch
fixes the behavior by only adding *_extra_create_reverse when needed.
There is a new vaultcontainer management module placed in the plugins folder:
plugins/modules/ipadnsconfig.py
The dnsconfig module allows to modify global DNS configuration.
Here is the documentation for the module:
README-dnsconfig.md
New example playbooks have been added:
playbooks/dnsconfig/set_configuration.yml
playbooks/dnsconfig/disable-global-forwarders.yml
playbooks/dnsconfig/disallow-reverse-sync.yml
New tests for the module:
tests/dnsconfig/test_dnsconfig.yml
There is a new service management module placed in the pluginsfolder:
plugins/modules/ipaservice.py
The service module allows to ensure presence and absence of services, and
manage members and certificates of the service.
Here is the documentation for the module:
README-service.md
New example playbooks have been added:
playbooks/service/service-host-is-absent.yml
playbooks/service/service-host-is-present.yml
playbooks/service/service-is-absent.yml
playbooks/service/service-is-disabled.yml
playbooks/service/service-is-present-with-all-attributes.yml
playbooks/service/service-is-present-without-host-object.yml
playbooks/service/service-is-present.yml
playbooks/service/service-member-allow_create_keytab-absent.yml
playbooks/service/service-member-allow_create_keytab-present.yml
playbooks/service/service-member-allow_retrieve_keytab-absent.yml
playbooks/service/service-member-allow_retrieve_keytab-present.yml
playbooks/service/service-member-certificate-absent.yml
playbooks/service/service-member-certificate-present.yml
playbooks/service/service-member-principal-absent.yml
playbooks/service/service-member-principal-present.yml
New tests added for the module:
tests/service/test-service.yml
One test did not use the admin password as the rest of the tests.
This caused the tests/pwpolicy/test_pwpolicy.yml suite to fail.
Changing the password to the same as in others fixes the issue.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
For beeing able to catch ipalib.errors.NotFound errors in ipahost it is
needed to import ipalib.errors. ipalib.errors is now imported as
ipalib_errors to not have name conflicts with the errors list used in some
of the modules.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1804838
If no IP address is given and either DNS is not configured or if the zone is
not found then ipahost may not fail in dnsrecord_find.
The error happened for example by ensuring the absence of a host that is not
part of the domain or for a host that has been added with force and is using
a domain that is not served by the DNS server in the domain. It also
happened if there was no DNS server in the domain at all.
A new test case has been added to test_host_ipaddresses.yml
The fix requires ipalib_errors provided by ansible_freeipa_module.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1804838
The check to make sure that member can not be used on non existing hosts
has bee missing. Also the reverse flag for the dnsrecord_add call was None
if the varaible was not set.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1803026
This change is needed to properly handle base64 encoding of certificates
stored as bytes, under Python 3, as used by IPA service. It does not
affect Python 2.7 as bytes are identical to str in this version of the
language.
When retireving certificates stored by FreeIPA service data is returned
as bytes, under Python 3, and encoding then breaks, as there is no
bytes.public_bytes method. In Python 3, encoding with base64 will be the
same for strings and bytes.
host1 was used instead of host5 in the repeated host5 test. This lead to an
error with the new IP address handling in ipahost. It was correctly
reporting a change for host1 which resulted in a failed test.
ipahost was so far ignoring IP addresses when the host already existed.
This happened because host_mod is not providing functionality to do this.
Now ipaddress is a list and it is possible to ensure a host with several
IP addresses (these can be IPv4 and IPv6). Also it is possible to ensure
presence and absence of IP addresses for an exising host using action
member.
There are no IP address conclict checks as this would lead into issues with
updating an existing host that already is using a duplicate IP address for
example for round-robin (RR). Also this might lead into issues with ensuring
a new host with several IP addresses in this case. Also to ensure a list of
hosts with changing the IP address of one host to another in the list would
result in issues here.
New example playbooks have been added:
playbooks/host/host-present-with-several-ip-addresses.yml
playbooks/host/host-member-ipaddresses-absent.yml
playbooks/host/host-member-ipaddresses-present.yml
A new test has been added for verification:
tests/host/test_host_ipaddresses.yml
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1783976https://bugzilla.redhat.com/show_bug.cgi?id=1783979
Bool types are not iterable. Therefore the comparison using sets was failing
with a TypeError. This prevented to change the bool parameters for hosts.
A test for the host module has been added to verify that the bool parameters
can be modified.
New test:
tests/host/test_host_bool_params.yml
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1784514
Most tests have simply been using the Tests as name, but this there is a
lack of information in automated runs. The name should be similar to the
test file name.
Changing members (host, hostgroup, hbacsvc, hbacsvcgroup, user, group) with
action hbacrule was not working due to the use of the wrong parameter
prefix. This has been fixed and the old members are removed correctly now.
The test script has been reworked completely to verify the fix.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1787996
If the name is not set, the policy global_policy is now used. It was needed
before to explicitly name the global_policy. Also a check has been added
to fail early if global_policy is used with state absent.
The README for pwpolicy has been extended with an example for global_policy
and also the description of the name variable.
The test has also been extended to check a change of maxlife for
global_policy and that global_policy can not be used with state: absent
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1797532
This patch adds the following attributes to ipasudorule:
- order
- sudooption
- runasuser
- runasgroup
It also fixes behavior of sudocmd assigned to the the sudorule, with the
adittion of the attributes:
- allow_sudocmds
- deny_sudocmds
- allow_sudocmdgroups
- deny_sudocmdgroups
README-sudorule and tests have been updated to comply with the changes.
Use ipaserver_realm as a fallback if ipareplica_realm is not defined. This
had been done for ipareplica_domain and ipaserver_domain, but was missing
for ipareplica_realm and ipaserver_realm.
Related: #114 (ipareplica 'Env' object has no attribute 'realm')
This fixes the issue https://github.com/freeipa/ansible-freeipa/issues/185, where the python script was launching an exception
There was a lack of verification that the input string (for the description) was a text string
The failure message if member parameters like certificate, managedby_host,
principal, allow_create_keytab_* and allow_retrieve_keytab_* are used
without member action for state absent has been enhanced to propose the
member action.
It was not possible to reset the userauthtype. The empty string has been
added to userauthtype for this.
Also ipauser will only depend on given first and last name if the user
does not exist yet. For the update operation these parameters are not
needed anymore.
The choices for the auth_ind parameter have been wrong. The choices are now
['radius', 'otp', 'pkinit', 'hardened', '']. The empty string has been added
to be able to rest auth_ind for the host entry.
There is a new vault management module placed in the plugins folder:
plugins/modules/ipavault.py
The vault module allows to ensure presence and absence of vaults, manage
members and owner of the vault, and archive data in the vault.
Here is the documentation for the module:
README-vault.md
New example playbooks have been added:
playbooks/vault/data-archive-in-asymmetric-vault.yml
playbooks/vault/data-archive-in-symmetric-vault.yml
playbooks/vault/ensure-asymetric-vault-is-absent.yml
playbooks/vault/ensure-asymetric-vault-is-present.yml
playbooks/vault/ensure-service-vault-is-absent.yml
playbooks/vault/ensure-service-vault-is-present.yml
playbooks/vault/ensure-shared-vault-is-absent.yml
playbooks/vault/ensure-shared-vault-is-present.yml
playbooks/vault/ensure-standard-vault-is-absent.yml
playbooks/vault/ensure-standard-vault-is-present.yml
playbooks/vault/ensure-symetric-vault-is-absent.yml
playbooks/vault/ensure-symetric-vault-is-present.yml
playbooks/vault/ensure-vault-is-present-with-members.yml
playbooks/vault/ensure-vault-member-group-is-absent.yml
playbooks/vault/ensure-vault-member-group-is-present.yml
playbooks/vault/ensure-vault-member-user-is-absent.yml
playbooks/vault/ensure-vault-member-user-is-present.yml
playbooks/vault/ensure-vault-owner-is-absent.yml
playbooks/vault/ensure-vault-owner-is-present.yml
New tests added for the module:
tests/vault/test_vault.yml
dependencoies may not be an empty dict like in the past, but it may also not
be missing. It simply needs to be empty.
Fixes#146 (ansible-freeipa collection not installable by 2.9 ansible-galaxy collection install)
If there is no domain set for email addresses, extend the email addresses
with the default email domain that is gathered from the config_show output.
This fixes RHBZ#1747413 ([ansible-freeipa] user module throwing an error if..)
There are some commands in the IPA API that do not require
arguments, and current implementation does not allow these
commands to be execute.
This patch adds api_command_no_name to allow the execution
of such commands, which is required, for example, to create
a vaultcontainer management module.
The use of zone_overlay_check for the domain name validation is not good
for a repeated execution of the server deployment where setup_dns is
enabled. The zone overlay check will fail with "DNS zone X already exists
in DNS". zone_overlay_check is later on used in dns.install_check so it is
not needed to do it here also.
Fixes issues #164 (domain option validator should not call zone overlap..)
ipareplica role by default tries to configure firewalld but it didn't
check if firewalld related packages were installed.
Similar to DNS and trust to AD features, install firewalld-related
packages before trying to configure firewalld.
Additionally, enable and start firewalld.service because otherwise
firewall-cmd cannot communicate with firewalld itself (it is not
starting on demand).
If and administrator considers not to use firewalld, a default for
ipareplica_setup_firewalld variable has to be set to 'no'.
Fixes: https://github.com/freeipa/ansible-freeipa/issues/116
ipaserver role by default tries to configure firewalld but it didn't
check if firewalld related packages were installed.
Similar to DNS and trust to AD features, install firewalld-related
packages before trying to configure firewalld.
Additionally, enable and start firewalld.service because otherwise
firewall-cmd cannot communicate with firewalld itself (it is not
starting on demand).
If and administrator considers not to use firewalld, a default for
ipaserver_setup_firewalld variable has to be set to 'no'.
Fixes: https://github.com/freeipa/ansible-freeipa/issues/116
The ipahost management module was not able to add several hosts at once.
Addtionally there have been settings missing.
ansible_freeipa_module has been extended to provide two additional functions
that are needed to simplify the extension of the ipahost module:
gen_add_del_lists(user_list, res_list)
encode_certificate(cert)
gen_add_del_lists will generate the lists for the addition and removal of
members using the provided user and ipa settings.
encode_certificate will encode a certificate using base64 with also taking
FreeIPA and Python versions into account.
The missing settings in ipahost have been:
certificate
managedby_host
principal
create_keytab_[user,group,host,hostgroup]
retrieve_keytab_[user,group,host,hostgroup]
sshpubkey
userclass
auth_ind
requires_pre_auth
ok_as_delegate
ok_to_auth_as_delegate
The README-host.md file has been updated to provide information about the
new settings and also the members. Also examples for the new things have
been added.
New example playbooks have been added:
playbooks/host/add-host.yml
playbooks/host/host-member-allow_create_keytab-absent.yml
playbooks/host/host-member-allow_create_keytab-present.yml
playbooks/host/host-member-allow_retrieve_keytab-absent.yml
playbooks/host/host-member-allow_retrieve_keytab-present.yml
playbooks/host/host-member-certificate-absent.yml
playbooks/host/host-member-certificate-present.yml
playbooks/host/host-member-managedby_host-absent.yml
playbooks/host/host-member-managedby_host-present.yml
playbooks/host/host-member-principal-absent.yml
playbooks/host/host-member-principal-present.yml
playbooks/host/host-present-with-allow_create_keytab.yml
playbooks/host/host-present-with-allow_retrieve_keytab.yml
playbooks/host/host-present-with-certificate.yml
playbooks/host/host-present-with-managedby_host.yml
playbooks/host/host-present-with-principal.yml
playbooks/host/host-present-with-randompassword.yml
playbooks/host/host-present.yml
playbooks/host/hosts-member-certificate-absent.yml
playbooks/host/hosts-member-certificate-present.yml
playbooks/host/hosts-member-managedby_host-absent.yml
playbooks/host/hosts-member-managedby_host-present.yml
playbooks/host/hosts-member-principal-absent.yml
playbooks/host/hosts-member-principal-present.yml
playbooks/host/hosts-present-with-certificate.yml
playbooks/host/hosts-present-with-managedby_host.yml
playbooks/host/hosts-present-with-randompasswords.yml
New tests have been added for the module:
tests/host/certificate/cert1.der
tests/host/certificate/cert1.pem
tests/host/certificate/cert2.der
tests/host/certificate/cert2.pem
tests/host/certificate/cert3.der
tests/host/certificate/cert3.pem
tests/host/certificate/private1.key
tests/host/certificate/private2.key
tests/host/certificate/private3.key
tests/host/certificate/test_host_certificate.yml
tests/host/certificate/test_hosts_certificate.yml
tests/host/test_host.yml
tests/host/test_host_allow_create_keytab.yml
tests/host/test_host_allow_retrieve_keytab.yml
tests/host/test_host_managedby_host.yml
tests/host/test_host_principal.yml
tests/host/test_host_random.yml
tests/host/test_hosts.yml
tests/host/test_hosts_managedby_host.yml
tests/host/test_hosts_principal.yml
The files for RHEL-8 (RedHat-8.yml) have simply been linked to CentOS-8.yml
for the ipaserver, ipareplica and ipaclient roles.
Fixes issue #121 (roles/*/vars needs CentOS-8.yml files)
The use of gssapi.creds.Credentials is not good if krb5 ticket forwarding
is used. It will fail. gssapi.Credentials with usage and store is the proper
way to do this.
The random password is only returned if random is yes and the host did
not exist or update_password is yes.
If only one host is handled by the module, the returned dict is containing
this dict:
{ "randompassword": "<the host random password>" }
If several hosts are handled by the module (future feature):
{ "<host>": { "randompassword": "<the host random password>" } }
Fixes issue #134 (ipahost does not return the random password)
The random password is only returned if random is yes and user did not exist
or update_password is yes.
If only one user is handled by the module, the returned dict is containing
this dict:
{ "randompassword": "<the user random password>" }
If several users are handled by the module:
{ "<user>": { "randompassword": "<the user random password>" } }
This is related to issue #134 (ipahost does not return the random password)
The sssd options in the ipaclient role missed a 's' in the role. The readme
of the role used the proper names with 3 's'. The names in the role have
been fixed and if the old setting are used, they will be used in the first
place.
Also utils/ansible-ipa-client-install has been adaped to use the proper
option names now.
This fixes issue #145 (The ipaclient role misspells sssd)
Add command and information about ansible-galaxy collection install. Installing collections
using the ansible-galaxy command is only supported with ansible 2.9+. The mazer tool can
be used for to install the collection for ansible 2.8:
There is a new sudorule (Sudo Rule) management module placed in the plugins
folder:
plugins/modules/ipasudorule.py
The sudorule module allows to ensure presence and absence of Sudo Rules.
Here is the documentation for the module:
README-sudorule.md
New example playbooks have been added:
playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
playbooks/sudorule/ensure-sudorule-is-absent.yml
playbooks/sudorule/ensure-sudorule-is-disabled.yml
playbooks/sudorule/ensure-sudorule-is-enabled.yml
playbooks/sudorule/ensure-sudorule-is-present.yml
playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
New tests added for the module:
tests/hbacrule/test_sudorule.yml
The changed flag returned by ipahostgroup calls have not always been correct.
The use of the module with IPA version 4.6 on RHEL-7 resulted in encoding
errors. All this has been fixed.
Addtitionally new test cases have been added to make sure that the issues
are solved.
There is a new hbacrule (HBAC Rule) management module placed in the plugins
folder:
plugins/modules/ipahbacrule.py
The hbacrule module allows to ensure presence and absence of HBAC Rules.
Here is the documentation for the module:
README-hbacrule.md
New example playbooks have been added:
playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
New tests added for the module:
tests/hbacrule/test_hbacrule.yml
The information about the version limitation of the passwordexpiration
parameter has been missing. The parameter is only usable for IPA versions
4.7 and up.
The changed flag returned by ipagroup calls have not been correct. This
change fixes this. Addtitionally new test cases have been added to make
sure that the changed flag is correct.
group_add_member is only supporting services in more recent IPA versions.
This is 4.7+. Code has been added to detect if services are supported by
the used IPA version and used in the parameters of the module. In this case
an error is printed.
Additionally all parameters will be get from the module using
module_params_get provided by ansible_freeipa_module. Additional to_text
conversions have been removed as they are not needed anymore with this.
There is a new hbacsvcgroup (HBAC Service Group) management module placed
in the plugins folder:
plugins/modules/ipahbacsvcgroup.py
The hbacsvc module allows to ensure presence and absence of HBAC Service
Groups.
Here is the documentation for the module:
README-hbacsvcgroup.md
New example playbooks have been added:
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
New tests added for the module:
tests/hbacsvcgroup/test_hbacsvcgroup.yml
There is a new hbacsvc (HBAC Service) management module placed in the plugins
folder:
plugins/modules/ipahbacsvc.py
The hbacsvc module allows to ensure presence and absence of HBAC Services.
Here is the documentation for the module:
README-hbacsvc.md
New example playbooks have been added:
playbooks/hbacsvc/ensure-hbacsvc-absent.yml
playbooks/hbacsvc/ensure-hbacsvc-present.yml
New tests added for pwpolicy:
tests/hbacsvc/test_hbacsvc.yml
There is a new pwpolicy management module placed in the plugins folder:
plugins/modules/ipapwpolicy.py
The pwpolicy module allows to ensure presence and absence of pwpolicies for
groups.
Here is the documentation for the module:
README-pwpolicy.md
New example playbooks have been added:
playbooks/pwpolicy/pwpolicy_absent.yml
playbooks/pwpolicy/pwpolicy_present.yml
New tests added for pwpolicy:
tests/pwpolicy/test_pwpolicy.yml
With IPA 4.5 integers for examle in pwpolicy_find are returned as
integer values. The internally generated value will be converted from
integer to string (using to_text) if the value from find call result
is a string (or unicode for Python2).
There is a new sudocmdgroup management module placed in the plugins folder:
plugins/modules/ipasudocmdgroup.py
The sudocmdgroup module allows to add or remove sudo command groups..
The sudocmdgroup module is as compatible as possible to the Ansible upstream
ipa_sudocmdgroup module, and additionally offers to ensure member presence
and absence.
Here is the documentation for the module:
README-sudocmdgroup.md
New example playbooks have been added:
playbooks/sudocmd/ensure-sudocmdgroup-is-absent.yml
playbooks/sudocmd/ensure-sudocmdgroup-is-present.yml
playbooks/sudocmd/ensure-sudocmd-is-absent-in-sudocmdgroup.yml
playbooks/sudocmd/ensure-sudocmd-is-present-in-sudocmdgroup.yml
A test playbook is provided in:
tests/sudocmdgroup/test_sudocmdgroup.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
There is a new sudocmd management module placed in the plugins folder:
plugins/modules/ipasudocmd.py
The sudocmd module allows to add or remove sudo commands.
The sudocmd module is as compatible as possible to the Ansible upstream
ipa_sudocmd module.
Here is the documentation for the module:
README-sudocmd.md
New example playbooks have been added:
playbooks/sudocmd/ensure-sudocmd-is-absent.yml
playbooks/sudocmd/ensure-sudocmd-is-present.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The ipauser module now supports all user settings and additionally to ensure
the presence of several users with the new users setting. The users setting
can also be used with other states, but it has to be limited to only contain
the name of the users.
There updated user management module is placed in the plugins folder:
plugins/modules/ipauser.py
The user module now additionally allows to handle these user settings:
initials
principalexpiration
random
city
userstate
postalcode
mobile
pager
fax
orgunit
manager
carlicense
sshpubkey
userauthtype
userclass
radius
radiususer
departmentnumber
employeenumber
employeetype
preferredlanguage
certificate
certmapdata
noprivate
nomembers
Here is the updated documentation for the module:
README-user.md
New example playbooks have been added:
playbooks/user/user_certificate_absent.yml
playbooks/user/user_certificate_present.yml
playbooks/user/user_present.yml
playbooks/user/users_absent.yml
playbooks/user/users_certificate_absent.yml
playbooks/user/users_certificate_present.yml
playbooks/user/users_present.yml
plugins/modules/ipauser.py
New tests added for ipauser:
tests/user/certificate/cert1.der
tests/user/certificate/cert1.pem
tests/user/certificate/cert2.der
tests/user/certificate/cert2.pem
tests/user/certificate/cert3.der
tests/user/certificate/cert3.pem
tests/user/certificate/private1.key
tests/user/certificate/private2.key
tests/user/certificate/private3.key
tests/user/certificate/test_user_certificate.yml
tests/user/certificate/test_users_certificate.yml
tests/user/certmapdata/test_user_certmapdata.yml
tests/user/certmapdata/test_user_certmapdata_issuer_subject.yml
tests/user/certmapdata/test_users_certmapdata.yml
tests/user/test_user.yml
tests/user/test_users.yml
tests/user/test_users_absent.yml
tests/user/test_users_invalid_cert.yml
tests/user/test_users_present.yml
tests/user/test_users_present_slice.yml
tests/user/users_absent.json
tests/user/users_absent.sh
tests/user/users_present.json
tests/user/users_present.sh
The function api_get_realm is returning the realm of a connected FreeIPA
api. This is needed for proper principal checks in the extended ipauser
module that supports principals now.
The conversion is needed because older FreeIPA versions are returning
tuples in some cases instead of lists. To be able to compare them the
conversion to a list is needed.
The module_params_get function can and should be used as a replacement of
ansible_module.params.get. For Python2 it is needed to convert parameters
to unicode. Otherwise there will be an error in the FreeIPA API command.
The private function _afm_convert has been added to do the conversion
recursively.
api_check_param can be used to verify if params are available for a command
in the used FreeIPA version. The function has been added as api is normally
not imported into modules.
api_command is always used within try clause, therefore it is not needed
to have an extra try clause within api_command. Additionally it is needed
to get the dofferent errors in the next level.
The ipagroup module was not using the failed and completed items in the dict
that is returned with api_command. But it was creating add and remove
lists for users, groups and services. This is not needed if the failures
"already a member" and "not a member" in the result failures are ignored.
Only other failures are reported.
The serial numbers have not been set for the creation of the CA and also
to sign the request. Because of this the local time has been used, which
resulted sometimes in the use of the same time stamp for the CA and the
signing reuqest. The import failed then with same issuer and serial number
error.
The cat to generate the chain.crt has been replaces with openssl x509 calls.
Some comments have also been added.
The script in external-signed-ca-with-manual-copy has been replaced with a
link to the external-signed-ca-with-automatic-copy directory.
The states member_present and member_absent are not used and should also not
be used. This is a remain of the first try to ensure absence and presence
of users (members) in the group. This has been replaced with the setting
action: member.
There is a new hostgroup management module placed in the plugins folder:
plugins/modules/ipahostgroup.py
The hostgroup module allows to add, remove and disable hosts.
The hostgroup module is as compatible as possible to the Ansible upstream
ipa_hostgroup module, but addtionally offers to ensure member presence and
absence.
Here is the documentation for the module:
README-hostgroup.md
New example playbooks have been added:
playbooks/hostgroup/ensure-hostgroup-is-absent.yml
playbooks/hostgroup/ensure-hostgroup-is-present.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
There is a new hostgroup management module placed in the plugins folder:
plugins/modules/ipahostgroup.py
The hostgroup module allows to add, remove and disable hosts.
The hostgroup module is as compatible as possible to the Ansible upstream
ipa_hostgroup module, but addtionally offers to ensure member presence and
absence.
Here is the documentation for the module:
README-hostgroup.md
New example playbooks have been added:
playbooks/hostgroup/ensure-hostgroup-is-absent.yml
playbooks/hostgroup/ensure-hostgroup-is-present.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
With Ansible there is no add or remove user, there is only ensure presence
or absence of users. The descriptions have been adapted to make sure that
the description is correct now.
There is a new user management module placed in the plugins folder:
plugins/modules/ipauser.py
The host module allows to add, remove and disable hosts.
The host module is as compatible as possible to the Ansible upstream
ipa_host` module, but addtionally offers to disable hosts.
Here is the documentation for the module:
README-host.md
New example playbooks have been added:
playbooks/host/add-host.yml
playbooks/host/delete-host.yml
playbooks/host/disable-host.yml
configure_nsswitch_database has been removed with the freeipa commit
41ef8fba31
The 4.4 compatibility hack leads to a ALREADY installed error in
ipaclient_test because of the removal. This affects ipaclient and
ipareplica roles and also the ipaclient deployment part in ipaserver.
configure_nsswitch_database is not used any more in ipaclient role modules
and therefore simply can be removed from ansible_ipa_client.
The GSSAPI can be enabled in the management modules with either the
KRB5CCNAME or the KRB5_CLIENT_KTNAME environment variable.
For KRB5CCNAME it is needed to create a ccache file
kinit admin@TEST.LOCAL -c /root/admin.ccache
that is transferred to the nodes (here into /root) and activated in the
playbook with
environment:
KRB5CCNAME: /root/admin.ccache
For KRB5_CLIENT_KTNAME a admin keytab has to be generated
ipa-getkeytab -s ipaserver.test.local -p admin@TEST.LOCAL -k \
/root/admin.keytab
that is transferred to the nodes (here into /root) and activated in the
playbook with
environment:
KRB5_CLIENT_KTNAME: /root/admin.keytab
It will be needed to set ipaadmin_principal if the admin principal is not
admin.
The management modules can be used without a password in this case.
This option is the same as the --become-method option with ansible-playbook.
If this option is set, become_method will be set in the generated playbook.
If the --playbook-dir option is used, the inventory and playbook files will
be generated in this directory. The files will not be removed after the
playbook processing ended.
If the directory does not exist an error message will be printed and the
utility will not continue.
These settings are file descriptors if external certificates are used and
are not used later in the roles. Therefore these settings have been removed.
Fixes: #110 (Ansible error with external certificates)
The used code for continuous output from the ansible-playbook call was
only working for Python2. The output has only been printed when the command
finised. This code has been replaced with code that is working with Python2
and Python3.
These are utils scripts to do a server,replica or client deployment and
undeployment using the ansible roles. A client inventory and playbook is
generated by the script which is then used with ansible-playbook.
The command line options or the normal command line installers
ipa-server-install, ipa-replica-install and ipa-client-install are all
supported also by these scripts.
Additonally to the commadn line of the normal installers it is needed to
add the fqdn of the host to be installed.
It is needed that the ansible-freeipa roles are available and also usable
by ansible.
Currently it is ignored if the entry for reinitialized can not be found if
the name or left and right are not correct. Now there is a failure in this
case.
Fixes: #107 (Reinitialize are failed to find the node in ipatopology ..)
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
With adding the domain and ca suffixes with `suffix: domain+ca` only ca
has been added as the suffix was only used from the last command. The
suffix is now stored together with the command and the argument. This
will fix this error.
Fixes: #106 (Last suffix adding twice in the list of topology segments)
In the README these settings have been single values instead of string
lists:
ipareplica_http_cert_file
ipareplica_pkinit_cert_file
instead of
ipareplica_http_cert_files
ipareplica_pkinit_cert_files
This script will to the following steps:
- Fix the galaxy release in galaxy.yml
- Remove emacs backup files
- Link module_utils, modules and action_plugins from roles to plugins/..
- Fix import prefix for module_utils
- Fix module prefixes in playbooks and example playbooks
- Build release using mazer
- Clean up again
The documentation of the module paramaters have been updated. The parameter
list has been updated and all parameters are providing a description and
the required argument has been updated to reflect current setting in the
module.
This one was missed in the big module update.
The check for the existence of get_custodia_instance in custodiainstance
is not sufficient for the use od create_replica in CustodiaInstance. A new
check for create_replica in CustodiaInstance has been added.
The documentation of the module paramaters have been updated. The parameter
list has been updated and all parameters are providing a description and
the required argument has been updated to reflect current setting in the
modules.
All module_utils are now providing the __all__ structure. Alse the imports
in the modules have been updated to only import freeipa sturctures from
module_utils.
Use and generation of dirsrv_pkcs12_info, http_pkcs12_info and
pkinit_pkcs12_info has been fixed in:
- ipaserver_setup_ds
- ipaserver_setup_http
- ipaserver_test
Some errors have been printed to the error log only and fail_json only got
an empty string as error message. This made the causes of the errors hard
to get.
These two varibles in the dns binding are initialized in the installation
check in the install_check parts of ipareplica_prepare and used later on
in the dns configuration in ipareplica_setup_dns.
The description of ipaclient_on_master in the ipaclient README was
providing the information that the flag is also used for relicas. This
is not correct and has been removed.
When OTP is used for installation of a client or the client part of
a replica and also there is no DNS record for the client, then
ipaclient_get_otp fails in the host_add call.
With the force mode the host_add call will ignore the missing DNS
record and will properly add the host. The host information and also
the DNS record will be updated while deploying the client according
to the given settings.
Fixes: #74 (ipaclient fails when ipaclient_use_otp is true and client ..)
Since 4.7.1 it is needed to use CustodiaModes.FIRST_MASTER instead of
CustodiaModes.MASTER_PEER for the get_custodia_instance.
This has been fixed already in ipaserver_setup_ca and also
ipaserver_setup_custodia, but was missed in ipaserver_setup_kra.
Fixes: #92 (KRA install fails in tasks: [ipaserver : Install - Setup KRA])
There is a new group management module placed in the plugins folder:
plugins/modules/ipagroup.py
The group module allows to add, remove, enable, disable, unlock und undelete
groups.
The group module is as compatible as possible to the Ansible upstream
`ipa_group` module, but addtionally offers to add users to a group and also
to remove users from a group.
Here is the documentation for the module:
README-group.md
New example playbooks have been added:
playbooks/user/add-groups-to-group.yml
playbooks/user/add-user-to-group.yml
playbooks/user/add-group.yml
playbooks/user/delete-group.yml
There is a new user management module placed in the plugins folder:
plugins/modules/ipauser.py
The user module allows to add, remove, enable, disable, unlock und undelete
users.
The user module is as compatible as possible to the Ansible upstream
`ipa_user` module, but addtionally offers to preserve delete, enable,
disable, unlock and undelete users.
Here is the documentation for the module:
README-user.md
New example playbooks have been added:
playbooks/user/add-user.yml
playbooks/user/delete-user.yml
playbooks/user/enable-user.yml
playbooks/user/disable-user.yml
playbooks/user/delete-preserve--user.yml
playbooks/user/undelete-user.yml
date_format parses the supported date formats and creates a datetime object.
compare_args_ipa compares generated args with args returned by IPA command
find_ functions.
sync_time is not using options anymore, but has two new arguments. These
are ntp_servers and ntp_pool. The options argument is not used anymore.
This requires to use inspect on sync_time to be able to detect if the old
or the new function is available.
The call for get_time_source has been added, but is documented out as the
call is only useful in interactive mode.
ipaserver_test now returns ntp_servers and ntp_pool, which are then used
for ipaserver_setup_ntp.
sync_time is not using options anymore, but has two new arguments. These
are ntp_servers and ntp_pool. The options argument is not used anymore.
This requires to use inspect on sync_time to be able to detect if the old
or the new function is available.
The call for get_time_source has been added, but is documented out as the
call is only useful in interactive mode.
ipaclient_test now returns ntp_servers and ntp_pool, which are then used
for ipaclient_setup_ntp.
If kinit_password call failed because of wrong password or even because
kinit was not found, there was a very unspecific error message. Now these
errors will be properly reported.
Fixes: RHBZ#1727277
The raises of RuntimeError, ValueError and ScriptError are currently not
properly handled in ipaserver_prepare. This results in a trace back error
shown in Ansible instead of only showing the error message.
This happened for example if a nameserver is in /etc/resolv.conf that is
not reachable.
The use of password will conflict with the user password setting and is
not really descriptive. ipaadmin_principal and ipaadmin_password are also
used in the roles.
This adds support for the --external-ca option to ipaserver. Lots of
additional tests and checks from ServerInstallInterface.__init__ have
been added to ipaserver_test. Also duplicate tests cna checks have been
removed.
Installer settings in ansible_ipa_server module_util are now also set
to the defaults that are used in Installable, ServerInstallInterface,
ServerMasterInstall, ADTrustInstallInterface and Uninstall.
The /root/ipa.csr file generated on the node in ca.install_step_0 will
be copied to the controller as "{{ inventory_hostname }}-ipa.csr".
The new task file copy_external_cert.yml has been added to copy the
generated certificate defined in ipaserver_external_cert_files to the node
to continue with ca.install_step_1.
The tasks/install.yml file has been adapted to make sure that the steps
that will be done in step two will be skipped after step one has been
done.
These two settings are not set using the krb.init_info method, but used in
krb.enable_ssl.
The configuration of PKINIT fails in IPA 4.7.0 because of the issue
https://pagure.io/freeipa/issue/7655 where auto detection of the
master is not properly working. With the missing setting of krb.master_fqdn
the not workint auto detection has been triggered, which resulted in
failed PKINIT enablement.
Some settings for kra have not been correct for kra with the change to
use single Custodia instance in the installer (freeipa 994f71ac8).
These modules have been adapted:
ipareplica_custodia_import_dm_password
ipareplica_enable_ipa
ipareplica_setup_ca
ipareplica_setup_custodia
ipareplica_setup_kra
This is related to freeipa#0f31564b35aac250456233f98730811560eda664
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always be replicated yet.
As the certificate request adds the principal if it does not exist, we can
end by re-creating the principal and have a replication conflict.
The replication conflict later causes kerberos issues, preventing
from installing a new replica.
The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.
https://pagure.io/freeipa/issue/7041
This has not been done so far in the ansible_ipa_client, but only in the
modules where it was really needed. But as these places are getting more
with 4.7.90, this setting makes it into the module_utils.
It is now possible to use domain+ca as suffix, That means that the segment
will be handled for the suffixes domain and also ca.
The new state checked is returning two lists found and not-found. If a
segment exists, the ckecked suffix is added to the found list. If a segment
from suffix is not found, it is added to the not-found list.
New example playbooks have been added:
playbooks/topology/add-topologysegments.yml
playbooks/topology/check-topologysegments.yml
playbooks/topology/delete-topologysegments.yml
The cluster playbook has been extended by the
The module ipareplica_master_password has been a copy from ipaserver role
and still contained code to read the cache file. This is not needed for
the replica. Therefore there is no need also to provide the dm password
to ipareplica_master_password any more.
Currently the error message of ipaclient_get_otp is not visble if it failed
due to the use of no_log. The no_log option is needed and useful if the
one-time password has successfully been generated, but is bad if there was
an error while generating the password, for example if a clock skew has been
detected.
There is now a new task to print the error message if ipaclient_get_otp. The
task for ipaclient_get_otp has been marked with "ignore_errors: yes" and
the new task "Install - Report error for OTP generation" will always fail
and only be used if result_ipaclient_get_otp is failed.
ipaadmin_keytab has been supported only with with ipaclient_use_otp. But
it can also be used without for ipa-join.
Important is that ipaadmin_keytab needs to be placed on the cliend node
and ipaadmin_keytab needs to be a full path. Otherwise the file will not
be found.
Password and keytab do not need to be set explicitely to an empty string
when they are not set. Also there is no need to have string length checks
in the role tasks.
With the deactivation of the Python2/3 test the handling of
ansible_python_interpreter needs to be removed as the setting might
not exist and is not changed in with the Python2/3 test any more.
The use of squash_actions to invoke a package module, such as “yum”, to
only invoke the module once is deprecated, and will be removed in
Ansible 2.11.
Instead of relying on implicit squashing, tasks should instead supply
the list directly to the name, pkg or package parameter of the module.
See [1] for a reference to the upstream documentation.
The ipa-krb5 and ipa-sssd modules include *_packages variables in both
defaults/ and vars/, additionally, the list of packages in ipa-sssd differs
from one to the other.
Unify list of packages into vars/
[1]: https://docs.ansible.com/ansible/latest/porting_guides/porting_guide_2.7.html#using-a-loop-on-a-package-module-via-squash-actions
2019-06-04 12:42:19 +02:00
772 changed files with 70645 additions and 4999 deletions
The automember module allows to ensure presence or absence of automember rules and manage automember rule conditions.
Features
--------
* Automember management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaautomember module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure group automember rule is present with no conditions.
```yaml
---
- name:Playbook to ensure a group automember rule is present with no conditions
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
name:admins
description:"my automember rule"
automember_type:group
```
Example playbook to make sure group automember rule is present with conditions:
```yaml
---
- name:Playbook to add a group automember rule with two conditions
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
name:admins
description:"my automember rule"
automember_type:group
inclusive:
- key:mail
expression:'@example.com$'
exclusive:
- key:uid
expression:"1234"
```
Example playbook to delete a group automember rule:
```yaml
- name:Playbook to delete a group automember rule
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
name:admins
description:"my automember rule"
automember_type:group
state:absent
```
Example playbook to add an inclusive condition to an existing rule
```yaml
- name:Playbook to add an inclusive condition to an existing rule
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
name:"My domain hosts"
description:"my automember condition"
automember_type:hostgroup
action:member
inclusive:
- key:fqdn
expression:".*.mydomain.com"
```
Example playbook to ensure group membership for all users has been rebuilt
```yaml
- name:Playbook to ensure group membership for all users has been rebuilt
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:group
state:rebuilt
```
Example playbook to ensure group membership for given users has been rebuilt
```yaml
- name:Playbook to ensure group membership for given users has been rebuilt
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
users:
- user1
- user2
state:rebuilt
```
Example playbook to ensure hostgroup membership for all hosts has been rebuilt
```yaml
- name:Playbook to ensure hostgroup membership for all hosts has been rebuilt
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:hostgroup
state:rebuilt
```
Example playbook to ensure hostgroup membership for given hosts has been rebuilt
```yaml
- name:Playbook to ensure hostgroup membership for given hosts has been rebuilt
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
hosts:
- host1.mydomain.com
- host2.mydomain.com
state:rebuilt
```
Example playbook to ensure default group fallback_group for all unmatched group entries is set
```yaml
- name:Playbook to ensure default group fallback_group for all unmatched group entries is set
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:group
default_group:fallback_group
```
Example playbook to ensure default group for all unmatched group entries is not set
```yaml
- name:Playbook to ensure default group for all unmatched group entries is not set
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
default_group:""
automember_type:group
state:absent
```
Example playbook to ensure default hostgroup fallback_hostgroup for all unmatched group entries
```yaml
- name:Playbook to ensure default hostgroup fallback_hostgroup for all unmatched group entries
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:hostgroup
default_group:fallback_hostgroup
```
Example playbook to ensure default hostgroup for all unmatched group entries is not set
```yaml
- name:Playbook to ensure default hostgroup for all unmatched group entries is not set
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:hostgroup
default_group:""
state:absent
```
Example playbook to ensure all orphan automember group rules are removed:
```yaml
- name:Playbook to ensure all orphan automember group rules are removed
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:group
state:orphans_removed
```
Example playbook to ensure all orphan automember hostgroup rules are removed:
```yaml
- name:Playbook to ensure all orphan automember hostgroup rules are removed
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:hostgroup
state:orphans_removed
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | Automember rule. | yes
`description` | A description of this auto member rule. | no
`automember_type` | Grouping to which the rule applies. It can be one of `group`, `hostgroup`. | yes
`inclusive` | List of dictionaries in the format of `{'key': attribute, 'expression': inclusive_regex}` | no
`exclusive` | List of dictionaries in the format of `{'key': attribute, 'expression': exclusive_regex}` | no
`users` | Users to rebuild membership for. | no
`hosts` | Hosts to rebuild membership for. | no
`no_wait` | Don't wait for rebuilding membership. | no
`default_group` | Default (fallback) group for all unmatched entries. Use the empty string "" for ensuring the default group is not set. | no
`action` | Work on automember or member level. It can be one of `member` or `automember` and defaults to `automember`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, 'rebuilt'. 'orphans_removed' default: `present`. | no
The automountlocation module allows the addition and removal of locations for automount maps
It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
Features
--------
* Automount location management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaautomountlocation module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure presence of an automount location:
```yaml
---
- name:Playbook to add an automount location
hosts:ipaserver
become:true
tasks:
- name:ensure a automount location named DMZ exists
ipaautomountlocation:
ipaadmin_password:SomeADMINpassword
name:DMZ
state:present
```
Example playbook to ensure presence of multiple automount locations:
```yaml
---
- name:Playbook to add an automount location
hosts:ipaserver
become:true
tasks:
- name:ensure a automount location named DMZ exists
ipaautomountlocation:
ipaadmin_password:SomeADMINpassword
name:
- DMZ
- PROD
- development
- test
state:present
```
Example playbook to ensure absence of an automount location:
```yaml
---
- name:Playbook to ensure an automount location is absent
hosts:ipaserver
become:true
tasks:
- name:ensure automount locations LOCATION1 and LOCATION2 do not exist
ipaautomountlocation:
ipaadmin_password:SomeADMINpassword
name:
- LOCATION1
- LOCATION2
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` \| `location` | List of one or more automountlocation names. | yes
`state` | The state to ensure. It can be one of `present`, or `absent`, default: `present`. | no
The config module allows the setting of global config parameters within IPA. If no parameters are specified it returns the list of all current parameters.
The config module is as compatible as possible to the Ansible upstream `ipa_config` module, but adds many additional parameters
Features
--------
* IPA server configuration management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaconfig module.
Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to read config options:
```yaml
---
- name:Playbook to handle global config options
hosts:ipaserver
become:true
tasks:
- name:return current values of the global configuration options
ipaconfig:
ipaadmin_password:password
register:result
- name:display default login shell
debug:
msg:'{{ result.config.defaultshell }}'
- name:ensure defaultloginshell and maxusernamelength are set as required
ipaconfig:
ipaadmin_password:password
defaultshell:/bin/bash
maxusername:64
```
```yaml
---
- name:Playbook to ensure some config options are set
hosts:ipaserver
become:true
tasks:
- name:set defaultlogin and maxusername
ipaconfig:
ipaadmin_password:password
defaultlogin:/bin/bash
maxusername:64
```
Variables
=========
**General Variables:**
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`maxusername` \| `ipamaxusernamelength` | Set the maximum username length (1 to 255) | no
`maxhostname` \| `ipamaxhostnamelength` | Set the maximum hostname length between 64-255. Only usable with IPA versions 4.8.0 and up. | no
`homedirectory` \| `ipahomesrootdir` | Set the default location of home directories | no
`defaultshell` \| `ipadefaultloginshell` | Set the default shell for new users | no
`defaultgroup` \| `ipadefaultprimarygroup` | Set the default group for new users | no
`emaildomain`\| `ipadefaultemaildomain` | Set the default e-mail domain | false
`searchtimelimit` \| `ipasearchtimelimit` | Set maximum amount of time (seconds) for a search -1 to 2147483647 (-1 or 0 is unlimited) | no
`searchrecordslimit` \| `ipasearchrecordslimit` | Set maximum number of records to search -1 to 2147483647 (-1 or 0 is unlimited) | no
`usersearch` \| `ipausersearchfields` | Set list of fields to search when searching for users | no
`groupsearch` \| `ipagroupsearchfields` | Set list of fields to search in when searching for groups | no
`groupobjectclasses` \| `ipagroupobjectclasses` | Set default group objectclasses (list) | no
`userobjectclasses` \| `ipauserobjectclasses` | Set default user objectclasses (list) | no
`pwdexpnotify` \| `ipapwdexpadvnotify` | Set number of days's notice of impending password expiration (0 to 2147483647) | no
`configstring` \| `ipaconfigstring` | Set extra hashes to generate in password plug-in (choices:`AllowNThash`, `KDC:Disable Last Success`, `KDC:Disable Lockout`, `KDC:Disable Default Preauth for SPNs`). Use `""` to clear this variable. | no
`selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no
`selinuxusermapdefault`\| `ipaselinuxusermapdefault` | Set default SELinux user when no match is found in SELinux map rule | no
`pac_type` \| `ipakrbauthzdata` | set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
Return Values
=============
Variable | Description | Returned When
-------- | ----------- | -------------
`config` | config dict <br/>Fields: | No values to configure are specified
| `maxusername` |
| `maxhostname` |
| `homedirectory` |
| `defaultshell` |
| `defaultgroup` |
| `emaildomain` |
| `searchtimelimit` |
| `searchrecordslimit` |
| `usersearch` |
| `groupsearch` |
| `enable_migration` |
| `groupobjectclasses` |
| `userobjectclasses` |
| `pwdexpnotify` |
| `configstring` |
| `selinuxusermapdefault` |
| `selinuxusermaporder` |
| `pac_type` |
| `user_auth_type` |
| `domain_resolution_order` |
| `ca_renewal_master_server` |
All returned fields take the same form as their namesake input parameters
The delegation module allows to ensure presence, absence of delegations and delegation attributes.
Features
--------
* Delegation management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipadelegation module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure delegation "basic manager attributes" is present:
```yaml
---
- name:Playbook to manage IPA delegation.
hosts:ipaserver
become:yes
tasks:
- ipadelegation:
ipaadmin_password:SomeADMINpassword
name:"basic manager attributes"
permission:read
attribute:
- businesscategory
- employeetype
group:managers
membergroup:employees
```
Example playbook to make sure delegation "basic manager attributes" is absent:
```yaml
---
- name:Playbook to manage IPA delegation.
hosts:ipaserver
become:yes
tasks:
- ipadelegation:
ipaadmin_password:SomeADMINpassword
name:"basic manager attributes"
state:absent
```
Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are present:
```yaml
---
- name:Playbook to manage IPA delegation.
hosts:ipaserver
become:yes
tasks:
- ipadelegation:
ipaadmin_password:SomeADMINpassword
name:"basic manager attributes"
attribute:
- employeenumber
- employeetype
action:member
```
Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are absent:
```yaml
---
- name:Playbook to manage IPA delegation.
hosts:ipaserver
become:yes
tasks:
- ipadelegation:
ipaadmin_password:SomeADMINpassword
name:"basic manager attributes"
attribute:
- employeenumber
- employeetype
action:member
state:absent
```
Example playbook to make sure delegation "basic manager attributes" is absent:
```yaml
---
- name:Playbook to manage IPA delegation.
hosts:ipaserver
become:yes
tasks:
- ipadelegation:
ipaadmin_password:SomeADMINpassword
name:"basic manager attributes"
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `aciname` | The list of delegation name strings. | yes
`permission` \| `permissions` | The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
`attribute` \| `attrs` | The attribute list to which the delegation applies. | no
`membergroup` \| `memberof` | The user group to apply delegation to. | no
`group` | User group ACI grants access to. | no
`action` | Work on delegation or member level. It can be on of `member` or `delegation` and defaults to `delegation`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
The dnsconfig module allows to modify global DNS configuration.
Features
--------
* Global DNS configuration
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipadnsconfig module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to set global DNS configuration:
```yaml
---
- name:Playbook to handle global DNS configuration
hosts:ipaserver
become:true
tasks:
# Set dnsconfig.
- ipadnsconfig:
forwarders:
- ip_address:8.8.4.4
- ip_address:2001:4860:4860::8888
port:53
forward_policy:only
allow_sync_ptr:yes
```
Example playbook to ensure a global forwarder, with a custom port, is absent:
```yaml
---
- name:Playbook to handle global DNS configuration
hosts:ipaserver
become:true
tasks:
# Ensure global forwarder with a custom port is absent.
- ipadnsconfig:
forwarders:
- ip_address:2001:4860:4860::8888
port:53
action:member
state:absent
```
Example playbook to disable global forwarders:
```yaml
---
- name:Playbook to disable global DNS forwarders
hosts:ipaserver
become:true
tasks:
# Disable global forwarders.
- ipadnsconfig:
forward_policy:none
```
Example playbook to change global forward policy:
```yaml
---
- name:Playbook to change global forward policy
hosts:ipaserver
become:true
tasks:
# Disable global forwarders.
- ipadnsconfig:
forward_policy:first
```
Example playbook to disallow synchronization of forward (A, AAAA) and reverse (PTR) records:
```yaml
---
- name:Playbook to disallow reverse synchronization.
hosts:ipaserver
become:true
tasks:
# Disable global forwarders.
- ipadnsconfig:
allow_sync_ptr:no
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
| `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
| `port` - The custom port that should be used on this server. | no
`forward_policy` \| `forwardpolicy` | The global forwarding policy. It can be one of `only`, `first`, or `none`. | no
`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | yes
`action` | Work on dnsconfig or member level. It can be one of `member` or `dnsconfig` and defaults to `dnsconfig`. Only `forwarders` can be managed with `action: member`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. `absent` can only be used with `action: member` and `forwarders`. | yes
The dnsforwardzone module allows the addition and removal of dns forwarders from the IPA DNS config.
It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
Features
--------
* DNS zone management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipadnsforwardzone module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure presence of a forwardzone to ipa DNS:
```yaml
---
- name:Playbook to handle add a forwarder
hosts:ipaserver
become:true
tasks:
- name:ensure presence of forwardzone with a single forwarder DNS server
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
state:present
name:example.com
forwarders:
- ip_address:8.8.8.8
forwardpolicy:first
skip_overlap_check:true
- name:ensure the forward zone is disabled
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
name:example.com
state:disabled
- name:ensure presence of forwardzone with multiple forwarder DNS server
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
state:present
name:example.com
forwarders:
- ip_address:8.8.8.8
- ip_address:4.4.4.4
- name:ensure presence of another forwarder to any existing ones for example.com
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
state:present
name:example.com
forwarders:
- ip_address:1.1.1.1
action:member
- name:ensure presence of forwardzone with single forwarder DNS server on non-stardard port
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
state:present
name:example.com
forwarders:
- ip_address:4.4.4.4
port:8053
- name:ensure the forward zone is absent
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
name:example.com
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | Zone name (FQDN). | yes if `state` == `present`
`forwarders` \| `idnsforwarders` | Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
| `ip_address`: The forwarder IP address. | yes
| `port`: The forwarder IP port. | no
`forwardpolicy` \| `idnsforwardpolicy` \| `forward_policy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
`skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
`permission` | Allow DNS Forward Zone to be managed. (bool) | no
`action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
The dnsrecord module allows management of DNS records and is as compatible as possible with the Ansible upstream `ipa_dnsrecord` module, but provide some other features like multiple record management in one execution and support for more DNS record types.
Features
--------
* DNS record management.
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipadnsrecord module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.example.com
```
Example playbook to ensure an AAAA record is present:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
name:host01
zone_name:example.com
record_type:'AAAA'
record_value:'::1'
```
Example playbook to ensure an AAAA record is present, with a TTL of 300:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
name:host01
zone_name:example.com
record_type:'AAAA'
record_value:'::1'
record_ttl:300
```
Example playbook to ensure an AAAA record is present, with a reverse PTR record:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
name:host02
zone_name:example.com
record_type:'AAAA'
record_value:'fd00::0002'
create_reverse:yes
```
Example playbook to ensure a LOC record is present, given its individual attributes:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host03
loc_lat_deg:52
loc_lat_min:22
loc_lat_sec:23.000
loc_lat_dir:N
loc_lon_deg:4
loc_lon_min:53
loc_lon_sec:32.00
loc_lon_dir:E
loc_altitude:-2.00
loc_size:1.00
loc_h_precision:10000
loc_v_precision:10
```
Example playbook to ensure multiple DNS records are present:
```yaml
---
ipadnsrecord:
ipaadmin_password:SomeADMINpassword
records:
- name:host02
zone_name:example.com
record_type:A
record_value:
- "{{ ipv4_prefix }}.112"
- "{{ ipv4_prefix }}.122"
- name:host02
zone_name:example.com
record_type:AAAA
record_value:::1
```
Example playbook to ensure multiple CNAME records are present:
```yaml
---
- name:Ensure that 'host03' and 'host04' have CNAME records.
ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
records:
- name:host03
cname_hostname:host03.example.com
- name:host04
cname_hostname:host04.example.com
```
Example playbook to ensure NS record is absent:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host04
ns_hostname:host04
state:absent
```
Example playbook to ensure LOC record is present, with fields:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host04
loc_lat_deg:52
loc_lat_min:22
loc_lat_sec:23.000
loc_lat_dir:N
loc_lon_deg:4
loc_lon_min:53
loc_lon_sec:32.000
loc_lon_dir:E
loc_altitude:-2.00
loc_size:0.00
loc_h_precision:10000
loc_v_precision:10
```
Change value of an existing LOC record:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host04
loc_size:1.00
loc_rec:522223N45332E -2 0 10000 10
```
Example playbook to ensure multiple A records are present:
```yaml
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host04
a_rec:
- 192.168.122.221
- 192.168.122.222
- 192.168.122.223
- 192.168.122.224
```
Example playbook to ensure A and AAAA records are present, with reverse records (PTR):
```yaml
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host01
a_rec:
- 192.168.122.221
- 192.168.122.222
aaaa_rec:
- fd00:;0001
- fd00::0002
create_reverse:yes
```
Example playbook to ensure multiple A and AAAA records are present, but only A records have reverse records:
```yaml
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host01
a_ip_address:192.168.122.221
aaaa_ip_address:fd00::0001
a_create_reverse:yes
```
Example playbook to ensure multiple DNS records are absent:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
records:
- name:host01
del_all:yes
- name:host02
del_all:yes
- name:host03
del_all:yes
- name:host04
del_all:yes
- name:_ftp._tcp
del_all:yes
- name:_sip._udp
del_all:yes
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. | no
required: true
`records` | The list of dns records dicts. Each `records` dict entry can contain **record variables**. | no
| **Record variables** | no
**Record variables** | Used when defining a single record. | no
`state` | The state to ensure. It can be one of `present` or `absent`, and defaults to `present`. | yes
**Record Variables:**
Variable | Description | Required
-------- | ----------- | --------
`zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. When used on a `records` dict, overrides the global `zone_name`. | yes
`name` \| `record_name` | The DNS record name to manage. | yes
`record_type` | The type of DNS record. Supported values are `A`, `AAAA`, `A6`, `AFSDB`, `CERT`, `CNAME`, `DLV`, `DNAME`, `DS`, `KX`, `LOC`, `MX`, `NAPTR`, `NS`, `PTR`, `SRV`, `SSHFP`, `TLSA`, `TXT`, `URI`, and defaults to `A`. | no
`record_value` | Manage DNS record name with this values. | no
`record_ttl` | Set the TTL for the record. (int) | no
`del_all` | Delete all associated records. (bool) | no
`a_rec` \| `a_record` | Raw A record. | no
`aaaa_rec` \| `aaaa_record` | Raw AAAA record. | no
`a6_rec` \| `a6_record` | Raw A6 record data. | no
`afsdb_rec` \| `afsdb_record` | Raw AFSDB record. | no
`cert_rec` \| `cert_record` | Raw CERT record. | no
`cname_rec` \| `cname_record` | Raw CNAME record. | no
`dlv_rec` \| `dlv_record` | Raw DLV record. | no
`dname_rec` \| `dname_record` | Raw DNAM record. | no
`ds_rec` \| `ds_record` | Raw DS record. | no
`kx_rec` \| `kx_record` | Raw KX record. | no
`loc_rec` \| `loc_record` | Raw LOC record. | no
`mx_rec` \| `mx_record` | Raw MX record. | no
`naptr_rec` \| `naptr_record` | Raw NAPTR record. | no
`ns_rec` \| `ns_record` | Raw NS record. | no
`ptr_rec` \| `ptr_record` | Raw PTR record. | no
`srv_rec` \| `srv_record` | Raw SRV record. | no
`sshfp_rec` \| `sshfp_record` | Raw SSHFP record. | no
`tlsa_rec` \| `tlsa_record` | Raw TLSA record. | no
`txt_rec` \| `txt_record` | Raw TXT record. | no
`uri_rec` \| `uri_record` | Raw URI record. | no
`ip_address` | IP adress for A or AAAA records. Set `record_type` to `A` or `AAAA`. | no
`create_reverse` \| `reverse` | Create reverse records for `A` and `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
`a_ip_address` | IP adress for A records. Set `record_type` to `A`. | no
`a_create_reverse` | Create reverse records only for `A` records. There is no equivalent to remove reverse records. (bool) | no
`aaaa_ip_address` | IP adress for AAAA records. Set `record_type``AAAA`. | no
`aaaa_create_reverse` | Create reverse records only for `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
`a6_data` | A6 record. Set `record_type` to `A6`. | no
`afsdb_subtype` | AFSDB Subtype. Set `record_type` to `AFSDB`. (int) | no
`afsdb_hostname` | AFSDB Hostname. Set `record_type` to `AFSDB`. | no
`cert_type` | CERT Certificate Type. Set `record_type` to `CERT`. (int) | no
`cert_key_tag` | CERT Key Tag. Set `record_type` to `CERT`. (int) | no
`cert_algorithm` | CERT Algorithm. Set `record_type` to `CERT`. (int) | no
`cert_certificate_or_crl` | CERT Certificate or Certificate Revocation List (CRL). Set `record_type` to `CERT`. | no
`cname_hostname` | A hostname which this alias hostname points to. Set `record_type` to `CNAME`. | no
`dlv_key_tag` | DS Key Tag. Set `record_type` to `DLV`. (int) | no
`dlv_algorithm` | DLV Algorithm. Set `record_type` to `DLV`. (int) | no
`dlv_digest_type` | DLV Digest Type. Set `record_type` to `DLV`. (int) | no
`dlv_digest` | DLV Digest. Set `record_type` to `DLV`. | no
`dname_target` | DNAME Target. Set `record_type` to `DNAME`. | no
`ds_key_tag` | DS Key Tag. Set `record_type` to `DS`. (int) | no
`ds_algorithm` | DS Algorithm. Set `record_type` to `DS`. (int) | no
`ds_digest_type` | DS Digest Type. Set `record_type` to `DS`. (int) | no
`ds_digest` | DS Digest. Set `record_type` to `DS`. | no
`kx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `KX`. (int) | no
`kx_exchanger` | A host willing to act as a key exchanger. Set `record_type` to `KX`. | no
`loc_lat_deg` | LOC Degrees Latitude. Set `record_type` to `LOC`. (int) | no
`loc_lat_min` | LOC Minutes Latitude. Set `record_type` to `LOC`. (int) | no
`loc_lat_sec` | LOC Seconds Latitude. Set `record_type` to `LOC`. (float) | no
`loc_lat_dir` | LOC Direction Latitude. Valid values are `N` or `S`. Set `record_type` to `LOC`. (int) | no
`loc_lon_deg` | LOC Degrees Longitude. Set `record_type` to `LOC`. (int) | no
`loc_lon_min` | LOC Minutes Longitude. Set `record_type` to `LOC`. (int) | no
`loc_lon_sec` | LOC Seconds Longitude. Set `record_type` to `LOC`. (float) | no
`loc_lon_dir` | LOC Direction Longitude. Valid values are `E` or `W`. Set `record_type` to `LOC`. (int) | no
`loc_altitude` | LOC Altitude. Set `record_type` to `LOC`. (float) | no
`loc_size` | LOC Size. Set `record_type` to `LOC`. (float) | no
`loc_h_precision` | LOC Horizontal Precision. Set `record_type` to `LOC`. (float) | no
`loc_v_precision` | LOC Vertical Precision. Set `record_type` to `LOC`. (float) | no
`mx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `MX`. (int) | no
`mx_exchanger` | A host willing to act as a mail exchanger. Set `record_type` to `LOC`. | no
`naptr_order` | NAPTR Order. Set `record_type` to `NAPTR`. (int) | no
`naptr_preference` | NAPTR Preference. Set `record_type` to `NAPTR`. (int) | no
`naptr_flags` | NAPTR Flags. Set `record_type` to `NAPTR`. | no
`naptr_service` | NAPTR Service. Set `record_type` to `NAPTR`. | no
`naptr_regexp` | NAPTR Regular Expression. Set `record_type` to `NAPTR`. | no
`naptr_replacement` | NAPTR Replacement. Set `record_type` to `NAPTR`. | no
`ns_hostname` | NS Hostname. Set `record_type` to `NS`. | no
`ptr_hostname` | The hostname this reverse record points to. . Set `record_type` to `PTR`. | no
`srv_priority` | Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach. Set `record_type` to `SRV`. (int) | no
`srv_weight` | Relative weight for entries with the same priority. Set `record_type` to `SRV`. (int) | no
`srv_port` | SRV Port. Set `record_type` to `SRV`. (int) | no
`srv_target` | The domain name of the target host or '.' if the service is decidedly not available at this domain. Set `record_type` to `SRV`. | no
`sshfp_algorithm` | SSHFP Algorithm. Set `record_type` to `SSHFP`. (int) | no
`sshfp_fp_type` | SSHFP Fingerprint Type. Set `record_type` to `SSHFP`. (int) | no
`sshfp_fingerprint`| SSHFP Fingerprint. Set `record_type` to `SSHFP`. (int) | no
`txt_data` | TXT Text Data. Set `record_type` to `TXT`. | no
`tlsa_cert_usage` | TLSA Certificate Usage. Set `record_type` to `TLSA`. (int) | no
`tlsa_selector` | TLSA Selector. Set `record_type` to `TLSA`. (int) | no
`tlsa_matching_type` | TLSA Matching Type. Set `record_type` to `TLSA`. (int) | no
`tlsa_cert_association_data` | TLSA Certificate Association Data. Set `record_type` to `TLSA`. | no
`uri_target` | Target Uniform Resource Identifier according to RFC 3986. Set `record_type` to `URI`. | no
`uri_priority` | Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach. Set `record_type` to `URI`. (int) | no
`uri_weight` | Relative weight for entries with the same priority. Set `record_type` to `URI`. (int) | no
The dnszone module allows to configure zones in DNS server.
Features
--------
* Add, remove, modify, enable or disable DNS zones.
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by ipadnszone module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
-----
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to create a simple DNS zone:
```yaml
---
- name:dnszone present
hosts:ipaserver
become:true
tasks:
- name:Ensure zone is present.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name:testzone.local
state:present
```
Example playbook to create a DNS zone with all currently supported variables:
```yaml
---
- name:dnszone present
hosts:ipaserver
become:true
tasks:
- name:Ensure zone is present.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name:testzone.local
allow_sync_ptr:true
dynamic_update:true
dnssec:true
allow_transfer:
- 1.1.1.1
- 2.2.2.2
allow_query:
- 1.1.1.1
- 2.2.2.2
forwarders:
- ip_address:8.8.8.8
- ip_address:8.8.4.4
port:52
refresh:3600
retry:900
expire:1209600
minimum:3600
ttl:60
default_ttl:90
name_server:ipaserver.test.local.
admin_email:admin.admin@example.com
nsec3param_rec:"1 7 100 0123456789abcdef"
skip_overlap_check:true
skip_nameserver_check:true
state:present
```
Example playbook to disable a zone:
```yaml
---
- name:Playbook to disable DNS zone
hosts:ipaserver
become:true
tasks:
- name:Disable zone.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name:testzone.local
state:disabled
```
Example playbook to enable a zone:
```yaml
---
- name:Playbook to enable DNS zone
hosts:ipaserver
become:true
tasks:
- name:Enable zone.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name:testzone.local
state:enabled
```
Example playbook to remove a zone:
```yaml
---
- name:Playbook to remove DNS zone
hosts:ipaserver
become:true
tasks:
- name:Remove zone.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name:testzone.local
state:absent
```
Example playbook to create a zone for reverse DNS lookup, from an IP address:
```yaml
---
- name:dnszone present
hosts:ipaserver
become:true
tasks:
- name:Ensure zone for reverse DNS lookup is present.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name_from_ip:192.168.1.2
state:present
```
Note that, on the previous example the zone created with `name_from_ip` might be "1.168.192.in-addr.arpa.", "168.192.in-addr.arpa.", or "192.in-addr.arpa.", depending on the DNS response the system get while querying for zones, and for this reason, when creating a zone using `name_from_ip`, the inferred zone name is returned to the controller, in the attribute `dnszone.name`. Since the zone inferred might not be what a user expects, `name_from_ip` can only be used with `state: present`. To have more control over the zone name, the prefix length for the IP address can be provided.
Example playbook to create a zone for reverse DNS lookup, from an IP address, given the prefix length and displaying the resulting zone name:
```yaml
---
- name:dnszone present
hosts:ipaserver
become:true
tasks:
- name:Ensure zone for reverse DNS lookup is present.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name_from_ip:192.168.1.2/24
state:present
register:result
- name:Display inferred zone name.
debug:
msg:"Zone name: {{ result.dnszone.name }}"
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `zone_name` | The zone name string or list of strings. | no
`name_from_ip` | Derive zone name from reverse of IP (PTR). Can only be used with `state: present`. | no
`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
| `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
| `port` - The custom port that should be used on this server. | no
`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`. | no
`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | no
`state` | The state to ensure. It can be one of `present`, `enabled`, `disabled` or `absent`, default: `present`. | yes
`name_server`| Authoritative nameserver domain name | no
`admin_email`| Administrator e-mail address | no
`update_policy`| BIND update policy | no
`dynamic_update` \| `dynamicupdate` | Allow dynamic updates | no
`dnssec`| Allow inline DNSSEC signing of records in the zone | no
`allow_transfer`| List of IP addresses or networks which are allowed to transfer the zone | no
`allow_query`| List of IP addresses or networks which are allowed to issue queries | no
`refresh`| SOA record refresh time | no
`retry`| SOA record retry time | no
`expire`| SOA record expire time | no
`minimum`| How long should negative responses be cached | no
`ttl`| Time to live for records at zone apex | no
`default_ttl`| Time to live for records without explicit TTL definition | no
`nsec3param_rec`| NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt | no
`skip_overlap_check`| Force DNS zone creation even if it will overlap with an existing zone | no
`skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no
Return Values
=============
Variable | Description | Returned When
-------- | ----------- | -------------
`dnszone` | DNS Zone dict with zone name infered from `name_from_ip`. <br>Options: | If `state` is `present`, `name_from_ip` is used, and a zone was created.
| `name` - The name of the zone created, inferred from `name_from_ip`. | Always
The group module allows to ensure presence and absence of groups and members of groups.
The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
Features
--------
* Group management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipagroup module.
Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to add groups:
```yaml
---
- name:Playbook to handle groups
hosts:ipaserver
become:true
tasks:
# Create group ops with gid 1234
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:ops
gidnumber:1234
# Create group sysops
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:sysops
user:
- pinky
# Create group appops
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:appops
```
Example playbook to add users to a group:
```yaml
---
- name:Playbook to handle groups
hosts:ipaserver
become:true
tasks:
# Add user member brain to group sysops
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:sysops
action:member
user:
- brain
```
`action` controls if a the group or member will be handled. To add or remove members, set `action` to `member`.
Example playbook to add group members to a group:
```yaml
---
- name:Playbook to handle groups
hosts:ipaserver
become:true
tasks:
# Add group members sysops and appops to group ops
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:ops
group:
- sysops
- appops
```
Example playbook to add members from a trusted realm to an external group:
```yaml
--
- name:Playbook to handle groups.
hosts:ipaserver
became:true
- name:Create an external group and add members from a trust to it.
ipagroup:
ipaadmin_password:SomeADMINpassword
name:extgroup
external:yes
externalmember:
- WINIPA\\Web Users
- WINIPA\\Developers
```
Example playbook to remove groups:
```yaml
---
- name:Playbook to handle groups
hosts:ipaserver
become:true
tasks:
# Remove goups sysops, appops and ops
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:sysops,appops,ops
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of group name strings. | no
`description` | The group description string. | no
`gid` \| `gidnumber` | The GID integer. | no
`posix` | Create a non-POSIX group or change a non-POSIX to a posix group. `nonposix`, `posix` and `external` are mutually exclusive. (bool) | no
`nonposix` | Create as a non-POSIX group. `nonposix`, `posix` and `external` are mutually exclusive. (bool) | no
`external` | Allow adding external non-IPA members from trusted domains. `nonposix`, `posix` and `external` are mutually exclusive. (bool) | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`user` | List of user name strings assigned to this group. | no
`group` | List of group name strings assigned to this group. | no
`service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
`membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no
`action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
The hbacrule (HBAC Rule) module allows to ensure presence and absence of HBAC Rules and host, hostgroups, HBAC Services, HBAC Service Groups, users, and user groups as members of HBAC Rule.
Features
--------
* HBAC Rule management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipahbacrule module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure HBAC Rule login exists:
```yaml
---
- name:Playbook to handle hbacrules
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
ipaadmin_password:SomeADMINpassword
name:login
```
Example playbook to make sure HBAC Rule login exists with the only HBAC Service sshd:
```yaml
---
- name:Playbook to handle hbacrules
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Rule login is present with the only HBAC Service sshd
- ipahbacrule:
ipaadmin_password:SomeADMINpassword
name:login
hbacsvc:
- sshd
```
Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
```yaml
---
- name:Playbook to handle hbacrules
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
ipaadmin_password:SomeADMINpassword
name:login
hbacsvc:
- sshd
action:member
```
Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
```yaml
---
- name:Playbook to handle hbacrules
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
ipaadmin_password:SomeADMINpassword
name:login
hbacsvc:
- sshd
action:member
state:absent
```
Example playbook to make sure HBAC Rule login is absent:
```yaml
---
- name:Playbook to handle hbacrules
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
ipaadmin_password:SomeADMINpassword
name:login
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of hbacrule name strings. | yes
`description` | The hbacrule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all", ""] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this hbacrule. | no
`hostgroup` | List of host group name strings assigned to this hbacrule. | no
`hbacsvc` | List of HBAC Service name strings assigned to this hbacrule. | no
`hbacsvcgroup` | List of HBAC Service Group name strings assigned to this hbacrule. | no
`user` | List of user name strings assigned to this hbacrule. | no
`group` | List of user group name strings assigned to this hbacrule. | no
`action` | Work on hbacrule or member level. It can be on of `member` or `hbacrule` and defaults to `hbacrule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
The hbacsvc (HBAC Service) module allows to ensure presence and absence of HBAC Services.
Features
--------
* HBACsvc management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipahbacsvc module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure HBAC Service for http is present
```yaml
---
- name:Playbook to handle HBAC Services
hosts:ipaserver
become:true
tasks:
# Ensure HBAC Service for http is present
- ipahbacsvc:
ipaadmin_password:SomeADMINpassword
name:http
description:Web service
```
Example playbook to make sure HBAC Service for tftp is present
```yaml
---
- name:Playbook to handle HBAC Services
hosts:ipaserver
become:true
tasks:
# Ensure HBAC Service for tftp is present
- ipahbacsvc:
ipaadmin_password:SomeADMINpassword
name:tftp
description:TFTPWeb service
```
Example playbook to make sure HBAC Services for http and tftp are absent
```yaml
---
- name:Playbook to handle HBAC Services
hosts:ipaserver
become:true
tasks:
# Ensure HBAC Service for http and tftp are absent
- ipahbacsvc:
ipaadmin_password:SomeADMINpassword
name:http,tftp
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` \| `service` | The list of hbacsvc name strings. | no
`description` | The hbacsvc description string. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAC Service Groups and members of the groups.
Features
--------
* HBAC Service Group management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipahbacsvcgroup module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure HBAC Service Group login exists:
```yaml
---
- name:Playbook to handle hbacsvcgroups
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Service Group login is present
- ipahbacsvcgroup:
ipaadmin_password:SomeADMINpassword
name:login
```
Example playbook to make sure HBAC Service Group login exists with the only HBAC Service sshd:
```yaml
---
- name:Playbook to handle hbacsvcgroups
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Service Group login is present with the only HBAC Service sshd
- ipahbacsvcgroup:
ipaadmin_password:SomeADMINpassword
name:login
hbacsvc:
- sshd
```
Example playbook to make sure HBAC Service sshd is present in HBAC Service Group login:
```yaml
---
- name:Playbook to handle hbacsvcgroups
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Service sshd is present in HBAC Service Group login
- ipahbacsvcgroup:
ipaadmin_password:SomeADMINpassword
name:login
hbacsvc:
- sshd
action:member
```
Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group login:
```yaml
---
- name:Playbook to handle hbacsvcgroups
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Service sshd is present in HBAC Service Group login
- ipahbacsvcgroup:
ipaadmin_password:SomeADMINpassword
name:login
hbacsvc:
- sshd
action:member
state:absent
```
Example playbook to make sure HBAC Service Group login is absent:
```yaml
---
- name:Playbook to handle hbacsvcgroups
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Service Group login is present
- ipahbacsvcgroup:
ipaadmin_password:SomeADMINpassword
name:login
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of hbacsvcgroup name strings. | no
`description` | The hbacsvcgroup description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`hbacsvc` | List of hbacsvc name strings assigned to this hbacsvcgroup. | no
`action` | Work on hbacsvcgroup or member level. It can be on of `member` or `hbacsvcgroup` and defaults to `hbacsvcgroup`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
The host module allows to ensure presence, absence and disablement of hosts.
The host module is as compatible as possible to the Ansible upstream `ipa_host` module, but additionally offers to disable hosts.
Features
--------
* Host management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipahost module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure host presence:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
description:Example host
ip_address:192.168.0.123
locality:Lab
ns_host_location:Lab
ns_os_version:CentOS 7
ns_hardware_platform:Lenovo T61
mac_address:
- "08:00:27:E3:B1:2D"
- "52:54:00:BD:97:1E"
state:present
```
Compared to `ipa host-add` command no IP address conflict check is done as the ipahost module supports to have several IPv4 and IPv6 addresses for a host.
Example playbook to ensure host presence with several IP addresses:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
description:Example host
ip_address:
- 192.168.0.123
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b3
- fe80::20c:29ff:fe02:a1b4
locality:Lab
ns_host_location:Lab
ns_os_version:CentOS 7
ns_hardware_platform:Lenovo T61
mac_address:
- "08:00:27:E3:B1:2D"
- "52:54:00:BD:97:1E"
state:present
```
Example playbook to ensure IP addresses are present for a host:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
ip_address:
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b4
action:member
state:present
```
Example playbook to ensure IP addresses are absent for a host:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
ip_address:
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b4
action:member
state:absent
```
Example playbook to ensure host presence without DNS:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is present without DNS
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host02.example.com
description:Example host
force:yes
```
Example playbook to ensure host presence with a random password:
```yaml
---
- name:Ensure host with random password
hosts:ipaserver
become:true
tasks:
- name:Host host01.example.com present with random password
ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
random:yes
force:yes
update_password:on_create
register:ipahost
- name:Print generated random password
debug:
var:ipahost.host.randompassword
```
Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
Example playbook to ensure presence of several hosts with a random password:
```yaml
---
- name:Ensure hosts with random password
hosts:ipaserver
become:true
tasks:
- name:Hosts host01.example.com and host01.example.com present with random passwords
ipahost:
ipaadmin_password:SomeADMINpassword
hosts:
- name:host01.example.com
random:yes
force:yes
update_password:on_create
- name:host02.example.com
random:yes
force:yes
update_password:on_create
register:ipahost
- name:Print generated random password for host01.example.com
Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
Example playbook to ensure presence of host member principal:
```yaml
---
- name:Host present with principal
hosts:ipaserver
become:true
tasks:
- name:Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
principal:
- host/testhost01.example.com
- host/myhost01.example.com
action:member
```
Example playbook to ensure presence of host member certificate:
```yaml
- name:Host present with certificate
hosts:ipaserver
become:true
tasks:
- name:Host host01.example.com present with certificate
ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
certificate:
- MIIC/zCCAeegAwIBAg...
action:member
```
Example playbook to ensure presence of member managedby_host for serveral hosts:
```yaml
---
- name:Host present with managedby_host
hosts:ipaserver
become:true
tasks:
ipahost:
ipaadmin_password:SomeADMINpassword
hosts:
- name:host01.example.com
managedby_host:server.example.com
- name:host02.example.com
managedby_host:server.example.com
action:member
```
Example playbook to disable a host:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is disabled
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
update_dns:yes
state:disabled
```
`update_dns` controls if the DNS entries will be updated in this case. For `state` present it is controlling the update of the DNS SSHFP records, but not the the other DNS records.
Example playbook to ensure a host is absent:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is absent
- ipahost:
ipaadmin_password:password1
name:host01.example.com
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `fqdn` | The list of host name strings. `name` with *host variables* or `hosts` containing *host variables* need to be used. | no
**Host variables** | Only used with `name` variable in the first level. | no
`hosts` | The list of host dicts. Each `hosts` dict entry can contain **host variables**.<br>There is one required option in the `hosts` dict:| no
| `name` \| `fqdn` - The user name string of the entry. | yes
| **Host variables** | no
`update_password` | Set password for a host in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
`action` | Work on host or member level. It can be on of `member` or `host` and defaults to `host`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `disabled`, default: `present`. | yes
**Host Variables:**
Variable | Description | Required
-------- | ----------- | --------
`description` | The host description. | no
`locality` | Host locality (e.g. "Baltimore, MD"). | no
`os` \| `ns_os_version` | Host operating system and version (e.g. "Fedora 9"). | no
`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
`random` \| `random_password` | Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no
`certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
`managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
`principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. | no
`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. | no
`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. | no
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. | no
`mac_address` \| `macaddress` | List of hardware MAC addresses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
`userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
`force` | Force host name even if not in DNS. | no
`reverse` | Reverse DNS detection. | no
`ip_address` \| `ipaddress` | The host IP address list. It can contain IPv4 and IPv6 addresses. No conflict check for IP addresses is done. | no
`update_dns` | For existing hosts: DNS SSHFP records are updated with `state` present and all DNS entries for a host removed with `state` absent. | no
Return Values
=============
There are only return values if one or more random passwords have been generated.
Variable | Description | Returned When
-------- | ----------- | -------------
`host` | Host dict with random password. (dict) <br>Options: | If random is yes and host did not exist or update_password is yes
| `randompassword` - The generated random password | If only one host is handled by the module
| `name` - The host name of the host that got a new random password. (dict) <br> Options: <br> `randompassword` - The generated random password | If several hosts are handled by the module
The hostgroup module allows to ensure presence and absence of hostgroups and members of hostgroups.
The hostgroup module is as compatible as possible to the Ansible upstream `ipa_hostgroup` module, but additionally offers to make sure that hosts are present or absent in a hostgroup.
Features
--------
* Hostgroup management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipahostgroup module.
Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure hostgroup databases exists:
```yaml
---
- name:Playbook to handle hostgroups
hosts:ipaserver
become:true
tasks:
# Ensure host-group databases is present
- ipahostgroup:
ipaadmin_password:SomeADMINpassword
name:databases
host:
- db.example.com
hostgroup:
- mysql-server
- oracle-server
```
Example playbook to make sure that hosts and hostgroups are present in existing databases hostgroup:
```yaml
---
- name:Playbook to handle hostgroups
hosts:ipaserver
become:true
tasks:
# Ensure hosts and hostgroups are present in existing databases hostgroup
- ipahostgroup:
ipaadmin_password:SomeADMINpassword
name:databases
host:
- db.example.com
hostgroup:
- mysql-server
- oracle-server
action:member
```
`action` controls if a the hostgroup or member will be handled. To add or remove members, set `action` to `member`.
Example playbook to make sure hosts and hostgroups are absent in databases hostgroup:
```yaml
---
- name:Playbook to handle hostgroups
hosts:ipaserver
become:true
tasks:
# Ensure hosts and hostgroups are absent in databases hostgroup
- ipahostgroup:
ipaadmin_password:SomeADMINpassword
name:databases
host:
- db.example.com
hostgroup:
- mysql-server
- oracle-server
action:member
state:absent
```
Example playbook to rename an existing playbook:
```yaml
---
- name:Playbook to handle hostgroups
hosts:ipaserver
become:true
tasks:
# Ensure host-group databases is absent
- ipahostgroup:
ipaadmin_password:SomeADMINpassword
name:databases
rename:datalake
state:renamed
```
Example playbook to make sure host-group databases is absent:
```yaml
---
- name:Playbook to handle hostgroups
hosts:ipaserver
become:true
tasks:
# Ensure host-group databases is absent
- ipahostgroup:
ipaadmin_password:SomeADMINpassword
name:databases
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of hostgroup name strings. | no
`description` | The hostgroup description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this hostgroup. | no
`hostgroup` | List of hostgroup name strings assigned to this hostgroup. | no
`membermanager_user` | List of member manager users assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
`membermanager_group` | List of member manager groups assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
`rename` \| `new_name` | Rename hostgroup to the provided name. Only usable with IPA versions 4.8.7 and up. | no
`action` | Work on hostgroup or member level. It can be on of `member` or `hostgroup` and defaults to `hostgroup`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
The idrange module allows the management of ID ranges.
In general it is not necessary to modify or delete ID ranges. If there is no other way to achieve a certain configuration than to modify or delete an ID range it should be done with great care. Because UIDs are stored in the file system and are used for access control it might be possible that users are allowed to access files of other users if an ID range got deleted and reused for a different domain.
Use cases
---------
* Add an ID range from a transitively trusted domain
If the trusted domain (A) trusts another domain (B) as well and this trust is transitive 'ipa trust-add domain-A' will only create a range for domain A. The ID range for domain B must be added manually.
* Add an additional ID range for the local domain
If the ID range of the local domain is exhausted, i.e. no new IDs can be assigned to Posix users or groups by the DNA plugin, a new range has to be created to allow new users and groups to be added. (Currently there is no connection between this range CLI and the DNA plugin, but a future version might be able to modify the configuration of the DNS plugin as well).
Features
--------
* ID Range management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidrange module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure a local domain idrange is present:
```yaml
---
- name:Playbook to manage IPA idrange.
hosts:ipaserver
become:no
tasks:
- name:Ensure an ID Range for the local domain is present.
ipaidrange:
ipaadmin_password:SomeADMINpassword
name:local_domain_id_range
base_id:150000
range_size:200000
```
Example playbook to ensure a local domain idrange is present, with RID and secondary RID base values:
```yaml
---
- name:Playbook to manage IPA idrange.
hosts:ipaserver
become:no
tasks:
- name:Ensure local idrange is present
ipaidrange:
ipaadmin_password:SomeADMINpassword
name:local_domain_id_range
base_id:150000000
range_size:200000
rid_base:1000000
secondary_rid_base:200000000
```
Example playbook to ensure an AD-trust idrange is present, with range type 'trust-ad' and using domain SID:
```yaml
---
- name:Playbook to manage IPA idrange.
hosts:ipaserver
become:no
tasks:
- name:Ensure AD-trust idrange is present
ipaidrange:
ipaadmin_password:SomeADMINpassword
name:ad_id_range
base_id:150000000
range_size:200000
idrange_type:ipa-ad-trust
dom_sid:S-1-5-21-2870384104-3340008087-3140804251
```
Example playbook to ensure an AD-trust idrange is present, with range type 'trust-ad-posix' and using domain SID:
```yaml
---
- name:Playbook to manage IPA idrange.
hosts:ipaserver
become:no
tasks:
- name:Ensure AD-trust idrange is present
ipaidrange:
name:ad_posix_id_range
base_id:150000000
range_size:200000
idrange_type:ipa-ad-trust-posix
dom_name:ad.ipa.test
```
Example playbook to ensure an AD-trust idrange has auto creation of groups set to 'hybrid':
Example playbook to make sure an idrange is absent:
```yaml
---
- name:Playbook to manage IPA idrange.
hosts:ipaserver
become:no
tasks:
- name:Ensure ID range 'ad_id_range' is absent.
ipaidrange:
ipaadmin_password:SomeADMINpassword
name:ad_id_range
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of idrange name strings. | yes
`base_id` \| `ipabaseid` | First Posix ID of the range. (int) | yes, if `state: present`
`range_size` \| `ipaidrangesize` | Number of IDs in the range. (int) | yes, if `state: present`
`rid_base` \| `ipabaserid` | First RID of the corresponding RID range. (int) | no
`secondary_rid_base` \| `ipasecondarybaserid` | First RID of the secondary RID range. (int) | no
`dom_sid` \| `ipanttrusteddomainsid` | Domain SID of the trusted domain. | no
`idrange_type` \| `iparangetype` | ID range type, one of `ipa-ad-trust`, `ipa-ad-trust-posix`, `ipa-local`. Only valid if idrange does not exist. | no
`dom_name` \| `ipanttrusteddomainname` | Name of the trusted domain. Can only be used when `ipaapi_context: server`. | no
`auto_private_groups` \| `ipaautoprivategroups` | Auto creation of private groups, one of `true`, `false`, `hybrid`. | no
`delete_continue` \| `continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Notes
=====
DNA plugin in 389-ds will allocate IDs based on the ranges configured for the local domain. Currently the DNA plugin *cannot* be reconfigured itself based on the local ranges set via this family of commands.
Manual configuration change has to be done in the DNA plugin configuration for the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be modified to match the new range.
The location module allows to ensure presence and absence of locations.
Features
--------
* Location management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipalocation module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure location "my_location1" is present:
```yaml
---
- name:Playbook to manage IPA location.
hosts:ipaserver
become:yes
tasks:
- ipalocation:
ipaadmin_password:SomeADMINpassword
name:my_location1
description:My Location 1
```
Example playbook to make sure location "my_location1" is absent:
```yaml
---
- name:Playbook to manage IPA location.
hosts:ipaserver
become:yes
tasks:
- ipalocation:
ipaadmin_password:SomeADMINpassword
name:my_location1
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `idnsname` | The list of location name strings. | yes
`description` | The IPA location string | false
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
The permission module allows to ensure presence and absence of permissions and permission members.
Features
--------
* Permission management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipapermission module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure permission "MyPermission" is present:
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission MyPermission is present
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
object_type:host
right:all
```
Example playbook to ensure permission "MyPermission" is present with attr carlicense:
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission "MyPermission" is present with attr carlicense
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
object_type:host
right:all
attrs:
- carlicense
```
Example playbook to ensure attr gecos is present in permission "MyPermission":
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure attr gecos is present in permission "MyPermission"
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
attrs:
- gecos
action:member
```
Example playbook to ensure attr gecos is absent in permission "MyPermission":
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure attr gecos is present in permission "MyPermission"
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
attrs:
- gecos
action:member
state:absent
```
Example playbook to make sure permission "MyPermission" is absent:
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission "MyPermission" is absent
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
state:absent
```
Example playbook to make sure permission "MyPermission" is renamed to "MyNewPermission":
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission "MyPermission" is renamed to "MyNewPermission
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
rename:MyNewPermission
state:renamed
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The permission name string. | yes
`right` \| `ipapermright` | Rights to grant. It can be a list of one or more of `read`, `search`, `compare`, `write`, `add`, `delete`, and `all` default: `all` | no
`attrs` | All attributes to which the permission applies. | no
`bindtype` \| `ipapermbindruletype` | Bind rule type. It can be one of `permission`, `all`, `self`, or `anonymous` defaults to `permission` for new permissions. Bind rule type `self` can only be used on IPA versions 4.8.7 or up.| no
`subtree` \| `ipapermlocation` | Subtree to apply permissions to | no
`filter` \| `extratargetfilter` | Extra target filter | no
`rawfilter` \| `ipapermtargetfilter` | All target filters | no
`target` \| `ipapermtarget` | Optional DN to apply the permission to | no
`targetto` \| `ipapermtargetto` | Optional DN subtree where an entry can be moved to | no
`targetfrom` \| `ipapermtargetfrom` | Optional DN subtree from where an entry can be moved | no
`memberof` | Target members of a group (sets memberOf targetfilter) | no
`targetgroup` | User group to apply permissions to (sets target) | no
`object_type` | Type of IPA object (sets subtree and objectClass targetfilter) | no
`no_members` | Suppress processing of membership | no
`rename` \| `new_name` | Rename the permission object | no
`action` | Work on permission or member level. It can be on of `member` or `permission` and defaults to `permission`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `renamed` default: `present`. | no
The `includedattrs` and `excludedattrs` variables are only usable for managed permisions and are not exposed by the module. Using `attrs` for managed permissions will result in the automatic generation of `includedattrs` and `excludedattrs` in the IPA server.
The privilege module allows to ensure presence and absence of privileges and privilege members.
Features
--------
* Privilege management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaprivilege module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure privilege "Broad Privilege" is present:
```yaml
---
- name:Playbook to manage IPA privilege.
hosts:ipaserver
become:yes
tasks:
- ipaprivilege:
ipaadmin_password:SomeADMINpassword
name:Broad Privilege
description:Broad Privilege
```
Example playbook to make sure privilege "Broad Privilege" member permission has multiple values:
```yaml
---
- name:Playbook to manage IPA privilege permission member.
hosts:ipaserver
become:yes
tasks:
- ipaprivilege:
ipaadmin_password:SomeADMINpassword
name:Broad Privilege
permission:
- "Write IPA Configuration"
- "System: Write DNS Configuration"
- "System: Update DNS Entries"
action:member
```
Example playbook to make sure privilege "Broad Privilege" member permission 'Write IPA Configuration' is absent:
```yaml
---
- name:Playbook to manage IPA privilege permission member.
hosts:ipaserver
become:yes
tasks:
- ipaprivilege:
ipaadmin_password:SomeADMINpassword
name:Broad Privilege
permission:
- "Write IPA Configuration"
action:member
state:absent
```
Example playbook to rename privilege "Broad Privilege" to "DNS Special Privilege":
```yaml
---
- name:Playbook to manage IPA privilege.
hosts:ipaserver
become:yes
tasks:
- ipaprivilege:
ipaadmin_password:SomeADMINpassword
name:Broad Privilege
rename:DNS Special Privilege
state:renamed
```
Example playbook to make sure privilege "DNS Special Privilege" is absent:
```yaml
---
- name:Playbook to manage IPA privilege.
hosts:ipaserver
become:yes
- name:Ensure privilege Broad Privilege is absent
ipaadmin_password:SomeADMINpassword
name:DNS Special Privilege
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin`. | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node. | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of privilege name strings. | yes
`description` | Privilege description. | no
`rename` \| `new_name` | Rename the privilege object. | no
`permission` | Permissions to be added to the privilege. | no
`action` | Work on privilege or member level. It can be one of `member` or `privilege` and defaults to `privilege`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
The pwpolicy module allows to ensure presence and absence of pwpolicies.
Features
--------
* Pwpolicy management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipapwpolicy module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure presence of pwpolicies for exisiting group ops:
```yaml
tasks:
- name:Ensure presence of pwpolicies for group ops
ipapwpolicy:
ipaadmin_password:SomeADMINpassword
name:ops
minlife:7
maxlife:49
history:5
priority:1
lockouttime:300
minlength:8
maxfail:3
```
Example playbook to ensure absence of pwpolicies for group ops:
```yaml
---
- name:Playbook to handle pwpolicies
hosts:ipaserver
become:true
tasks:
# Ensure absence of pwpolicies for group ops
- ipapwpolicy:
ipaadmin_password:SomeADMINpassword
name:ops
state:absent
```
Example playbook to ensure maxlife is set to 49 in global policy:
```yaml
---
- name:Playbook to handle pwpolicies
hosts:ipaserver
become:true
tasks:
# Ensure maxlife is set to 49 in global policy
- ipapwpolicy:
ipaadmin_password:SomeADMINpassword
maxlife:49
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
`maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
`minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
`history` \| `krbpwdhistorylength` | Password history size. (int) | no
`minclasses` \| `krbpwdmindiffchars` | Minimum number of character classes. (int) | no
`minlength` \| `krbpwdminlength` | Minimum length of password. (int) | no
`priority` \| `cospriority` | Priority of the policy, higher number means lower priority. (int) | no
`maxfail` \| `krbpwdmaxfailure` | Consecutive failures before lockout. (int) | no
`failinterval` \| `krbpwdfailurecountinterval` | Period after which failure count will be reset in seconds. (int) | no
`lockouttime` \| `krbpwdlockoutduration` | Period for which lockout is enforced in seconds. (int) | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
The role module allows to ensure presence, absence of roles and members of roles.
The role module is as compatible as possible to the Ansible upstream `ipa_role` module, but additionally offers role member management.
Features
--------
* Role management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the iparole module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure role is present with all members:
```yaml
---
- name:Playbook to manage IPA role with members.
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- iparole:
ipaadmin_password:SomeADMINpassword
name:somerole
user:
- pinky
group:
- group01
host:
- host01.example.com
hostgroup:
- hostgroup01
privilege:
- Group Administrators
- User Administrators
service:
- service01
```
Example playbook to rename a role:
```yaml
- iparole:
ipaadmin_password:SomeADMINpassword
name:somerole
rename:anotherrole
```
Example playbook to make sure role is absent:
```yaml
---
- name:Playbook to manage IPA role.
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- iparole:
ipaadmin_password:SomeADMINpassword
name:somerole
state:absent
```
Example playbook to ensure a user is a member of a role:
```yaml
---
- name:Playbook to manage IPA role member.
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- iparole:
ipaadmin_password:SomeADMINpassword
name:somerole
user:
- pinky
action:member
```
Example playbook to ensure a group is a member of a role:
```yaml
---
- name:Playbook to manage IPA role member.
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- iparole:
ipaadmin_password:SomeADMINpassword
name:somerole
host:
- host01.example.com
action:member
```
Example playbook to ensure a host is a member of a role:
```yaml
---
- name:Playbook to manage IPA role member.
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- iparole:
ipaadmin_password:SomeADMINpassword
name:somerole
host:
- host01.example.com
action:member
```
Example playbook to ensure a hostgroup is a member of a role:
```yaml
---
- name:Playbook to manage IPA role member.
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- iparole:
ipaadmin_password:SomeADMINpassword
name:somerole
hostgroup:
- hostgroup01
action:member
```
Example playbook to ensure a service is a member of a role:
```yaml
---
- name:Playbook to manage IPA role member.
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- iparole:
ipaadmin_password:SomeADMINpassword
name:somerole
service:
- service01
action:member
```
Example playbook to ensure a privilege is a member of a role:
```yaml
---
- name:Playbook to manage IPA role member.
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- iparole:
ipaadmin_password:SomeADMINpassword
name:somerole
privilege:
- Group Administrators
- User Administrators
action:member
```
Example playbook to ensure that different members are not associated with a role.
```yaml
---
- name:Playbook to manage IPA role member.
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- iparole:
ipaadmin_password:SomeADMINpassword
name:somerole
user:
- pinky
group:
- group01
host:
- host01.example.com
hostgroup:
- hostgroup01
privilege:
- Group Administrators
- User Administrators
service:
- service01
action:member
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of role name strings. | yes
`description` | A description for the role. | no
`rename` \| `new_name` | Rename the role object. | no
`privilege` | Privileges associated to this role. | no
`user` | List of users to be assigned or not assigned to the role. | no
`group` | List of groups to be assigned or not assigned to the role. | no
`host` | List of hosts to be assigned or not assigned to the role. | no
`hostgroup` | List of hostgroups to be assigned or not assigned to the role. | no
`service` | List of services to be assigned or not assigned to the role. | no
`action` | Work on role or member level. It can be on of `member` or `role` and defaults to `role`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
The selfservice module allows to ensure presence, absence of selfservices and selfservice attributes.
Features
--------
* Selfservice management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaselfservice module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure selfservice "Users can manage their own name details" is present:
```yaml
---
- name:Playbook to manage IPA selfservice.
hosts:ipaserver
become:yes
tasks:
- ipaselfservice:
ipaadmin_password:SomeADMINpassword
name:"Users can manage their own name details"
permission:read
attribute:
- title
- initials
```
Example playbook to make sure selfservice "Users can manage their own name details" is absent:
```yaml
---
- name:Playbook to manage IPA selfservice.
hosts:ipaserver
become:yes
tasks:
- ipaselfservice:
ipaadmin_password:SomeADMINpassword
name:"Users can manage their own name details"
state:absent
```
Example playbook to make sure "Users can manage their own name details" member attribute initials is present:
```yaml
---
- name:Playbook to manage IPA selfservice.
hosts:ipaserver
become:yes
tasks:
- ipaselfservice:
ipaadmin_password:SomeADMINpassword
name:"Users can manage their own name details"
attribute:
- initials
action:member
```
Example playbook to make sure "Users can manage their own name details" member attribute initials is absent:
```yaml
---
- name:Playbook to manage IPA selfservice.
hosts:ipaserver
become:yes
tasks:
- ipaselfservice:
ipaadmin_password:SomeADMINpassword
name:"Users can manage their own name details"
attribute:
- initials
action:member
state:absent
```
Example playbook to make sure selfservice "Users can manage their own name details" is absent:
```yaml
---
- name:Playbook to manage IPA selfservice.
hosts:ipaserver
become:yes
tasks:
- ipaselfservice:
ipaadmin_password:SomeADMINpassword
name:"Users can manage their own name details"
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `aciname` | The list of selfservice name strings. | yes
`permission` \| `permissions` | The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
`attribute` \| `attrs` | The attribute list to which the selfservice applies. | no
`action` | Work on selfservice or member level. It can be on of `member` or `selfservice` and defaults to `selfservice`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
The server module allows to ensure presence and absence of servers. The module requires an existing server, the deployment of a new server can not be done with the module.
Features
--------
* Server management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaserver module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure server "server.example.com" is already present in the topology:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
```
This task is not deploying a new server, it is only checking if the server eists. It will therefore fail if the server does not exist.
Example playbook to make sure server "server.example.com" has location mylocation:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
location:mylocation
```
Example playbook to make sure server "server.example.com" does not have a location:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
location:""
```
Example playbook to make sure server "server.example.com" has service weight 1:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
service_weight:1
```
Example playbook to make sure server "server.example.com" does not have a service weight:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
service_weight:-1
```
Example playbook to make sure server "server.example.com" is hidden:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
hidden:yes
```
Example playbook to make sure server "server.example.com" is not hidden:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
hidden:no
```
Example playbook to make sure server "server.example.com" is absent from the topology:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
state:absent
```
Example playbook to make sure server "server.example.com" is absent from the topology in continuous mode to ignore errors:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
continue:yes
state:absent
```
Example playbook to make sure server "server.example.com" is absent from the topology with skipping the last of role check:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
ignore_last_of_role:yes
state:absent
```
Example playbook to make sure server "server.example.com" is absent from the topology with skipping the topology disconnect check:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
ignore_topology_disconnect:yes
state:absent
```
Example playbook to make sure server "server.example.com" is absent from the domain in force mode even if it does not exist:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
force:yes
state:absent
```
This task will always report a change.
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of server name strings. | yes
`location` \| `ipalocation_location` | The server location string. Only in state: present. "" for location reset. | no
`service_weight` \| `ipaserviceweight` | Weight for server services. Type Values 0 to 65535, -1 for weight reset. Only in state: present. (int) | no
`hidden` | Set hidden state of a server. Only in state: present. (bool) | no
`no_members` | Suppress processing of membership attributes. Only in state: present. (bool) | no
`delete_continue` \| `continue` | Continuous mode: Don't stop on errors. Only in state: absent. (bool) | no
`ignore_last_of_role` | Skip a check whether the last CA master or DNS server is removed. Only in state: absent. (bool) | no
`ignore_topology_disconnect` | Ignore topology connectivity problems after removal. Only in state: absent. (bool) | no
`force` | Force server removal even if it does not exist. Will always result in changed. Only in state: absent. (bool) | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. `present` is only working with existing servers. | no
Example playbook to add a principal to the service:
```yaml
---
- name:Playbook to manage IPA service.
hosts:ipaserver
become:true
gather_facts:false
tasks:
# Principal host/principal.example.com present in service.
- ipaservice:
ipaadmin_password:SomeADMINpassword
name:HTTP/www.example.com
principal:host/principal.example.com
action:member
```
Example playbook to enable a host to manage service:
```yaml
---
- name:Playbook to manage IPA service.
hosts:ipaserver
become:true
gather_facts:false
tasks:
# Ensure host can manage service, again.
- ipaservice:
ipaadmin_password:SomeADMINpassword
name:HTTP/www.example.com
host:host1.example.com
action:member
```
Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service:
```yaml
---
- name:Playbook to manage IPA service.
hosts:ipaserver
become:true
gather_facts:false
tasks:
# Allow users, groups, hosts or host groups to create a keytab of this service.
- ipaservice:
ipaadmin_password:SomeADMINpassword
name:HTTP/www.example.com
allow_create_keytab_user:
- user01
- user02
allow_create_keytab_group:
- group01
- group02
allow_create_keytab_host:
- host1.example.com
- host2.example.com
allow_create_keytab_hostgroup:
- hostgroup01
- hostgroup02
action:member
```
Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service:
```yaml
---
- name:Playbook to manage IPA service.
hosts:ipaserver
become:true
gather_facts:false
tasks:
# Allow users, groups, hosts or host groups to retrieve a keytab of this service.
- ipaservice:
ipaadmin_password:SomeADMINpassword
name:HTTP/www.example.com
allow_retrieve_keytab_user:
- user01
- user02
allow_retrieve_keytab_group:
- group01
- group02
allow_retrieve_keytab_host:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
allow_retrieve_keytab_hostgroup:
- hostgroup01
- hostgroup02
action:member
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `service` | The list of service name strings. | yes
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit` or `hardened`. Use empty string to reset auth_ind to the initial value. | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
`skip_host_check` | Force service to be created even when host object does not exist to manage it. Only usable with IPA versions 4.7.0 and up. Default to false. (bool)| no
`force` | Force principal name even if host not in DNS. Default to false. (bool) | no
`host` \| `managedby_host`| Hosts that can manage the service. | no
`principal` \| `krbprincipalname` | List of principal aliases for the service. | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group`| Groups allowed to create a keytab of this host. | no
`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host`| Hosts allowed to create a keytab of this host. | no
`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_group`| Host groups allowed to create a keytab of this host. | no
`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this host. | no
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
`continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
`smb` | Service is an SMB service. If set, `cifs/` will be prefixed to the service name if needed. | no
`netbiosname` | NETBIOS name for the SMB service. Only with `smb: yes`. | no
`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
The servicedelegationrule module allows to ensure presence and absence of servicedelegationrules and servicedelegationrule members.
Features
--------
* Servicedelegationrule management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaservicedelegationrule module.
Host princpals are only usable with IPA versions 4.9.0 and up.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure servicedelegationrule delegation-rule is present:
```yaml
---
- name:Playbook to manage IPA servicedelegationrule
hosts:ipaserver
become:no
tasks:
- name:Ensure servicedelegationrule delegation-rule is present
ipaservicedelegationrule:
ipaadmin_password:SomeADMINpassword
name:delegation-rule
```
Example playbook to make sure servicedelegationrule delegation-rule member principal test/example.com is present:
```yaml
---
- name:Playbook to manage IPA servicedelegationrule
hosts:ipaserver
become:no
tasks:
- name:Ensure servicedelegationrule delegation-rule member principal test/example.com is present
ipaservicedelegationrule:
ipaadmin_password:SomeADMINpassword
name:delegation-rule
principal:test/example.com
action:member
```
Example playbook to make sure servicedelegationrule delegation-rule member principal test/example.com is absent:
```yaml
---
- name:Playbook to manage IPA servicedelegationrule
hosts:ipaserver
become:no
tasks:
- name:Ensure servicedelegationrule delegation-rule member principal test/example.com is absent
ipaservicedelegationrule:
ipaadmin_password:SomeADMINpassword
name:delegation-rule
principal:test/example.com
action:member
state:absent
state:absent
```
Example playbook to make sure servicedelegationrule delegation-rule member target delegation-target is present:
```yaml
---
- name:Playbook to manage IPA servicedelegationrule
hosts:ipaserver
become:no
tasks:
- name:Ensure servicedelegationrule delegation-rule member target delegation-target is present
ipaservicedelegationrule:
ipaadmin_password:SomeADMINpassword
name:delegation-rule
target:delegation-target
action:member
```
Example playbook to make sure servicedelegationrule delegation-rule member target delegation-target is absent:
```yaml
---
- name:Playbook to manage IPA servicedelegationrule
hosts:ipaserver
become:no
tasks:
- name:Ensure servicedelegationrule delegation-rule member target delegation-target is absent
ipaservicedelegationrule:
ipaadmin_password:SomeADMINpassword
name:delegation-rule
target:delegation-target
action:member
state:absent
state:absent
```
Example playbook to make sure servicedelegationrule delegation-rule is absent:
```yaml
---
- name:Playbook to manage IPA servicedelegationrule
hosts:ipaserver
become:no
tasks:
- name:Ensure servicedelegationrule delegation-rule is absent
ipaservicedelegationrule:
ipaadmin_password:SomeADMINpassword
name:delegation-rule
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of servicedelegationrule name strings. | yes
`principal` | The list of principals. A principal can be of the format: fqdn, fqdn@REALM, service/fqdn, service/fqdn@REALM, host/fqdn, host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM are host principals and the same as host/fqdn and host/fqdn@REALM. Host princpals are only usable with IPA versions 4.9.0 and up. | no
`target` \| `servicedelegationtarget` | The list of service delegation targets. | no
`action` | Work on servicedelegationrule or member level. It can be on of `member` or `servicedelegationrule` and defaults to `servicedelegationrule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
The servicedelegationtarget module allows to ensure presence and absence of servicedelegationtargets and servicedelegationtarget members.
Features
--------
* Servicedelegationtarget management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaservicedelegationtarget module.
Host princpals are only usable with IPA versions 4.9.0 and up.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure servicedelegationtarget delegation-target is present:
```yaml
---
- name:Playbook to manage IPA servicedelegationtarget
hosts:ipaserver
become:no
tasks:
- name:Ensure servicedelegationtarget delegation-target is present
ipaservicedelegationtarget:
ipaadmin_password:SomeADMINpassword
name:delegation-target
```
Example playbook to make sure servicedelegationtarget delegation-target member principal test/example.com is present:
```yaml
---
- name:Playbook to manage IPA servicedelegationtarget
hosts:ipaserver
become:no
tasks:
- name:Ensure servicedelegationtarget delegation-target member principal test/example.com is present
ipaservicedelegationtarget:
ipaadmin_password:SomeADMINpassword
name:delegation-target
principal:test/example.com
action:member
```
Example playbook to make sure servicedelegationtarget delegation-target member principal test/example.com is absent:
```yaml
---
- name:Playbook to manage IPA servicedelegationtarget
hosts:ipaserver
become:no
tasks:
- name:Ensure servicedelegationtarget delegation-target member principal test/example.com is absent
ipaservicedelegationtarget:
ipaadmin_password:SomeADMINpassword
name:delegation-target
principal:test/example.com
action:member
state:absent
state:absent
```
Example playbook to make sure servicedelegationtarget delegation-target is absent:
```yaml
---
- name:Playbook to manage IPA servicedelegationtarget
hosts:ipaserver
become:no
tasks:
- name:Ensure servicedelegationtarget delegation-target is absent
ipaservicedelegationtarget:
ipaadmin_password:SomeADMINpassword
name:delegation-target
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of servicedelegationtarget name strings. | yes
`principal` | The list of principals. A principal can be of the format: fqdn, fqdn@REALM, service/fqdn, service/fqdn@REALM, host/fqdn, host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM are host principals and the same as host/fqdn and host/fqdn@REALM. Host princpals are only usable with IPA versions 4.9.0 and up. | no
`action` | Work on servicedelegationtarget or member level. It can be on of `member` or `servicedelegationtarget` and defaults to `servicedelegationtarget`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
The sudocmd module allows to ensure presence and absence of sudo command.
The sudocmd module is as compatible as possible to the Ansible upstream `ipa_sudocmd` module.
Features
--------
* Sudo command management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipa_sudocmd module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure sudocmd exists:
```yaml
---
- name:Playbook to handle sudocmd
hosts:ipaserver
become:true
tasks:
# Ensure sudocmd is present
- ipasudocmd:
ipaadmin_password:SomeADMINpassword
name:/usr/bin/su
state:present
```
Example playbook to make sure sudocmd is absent:
```yaml
---
- name:Playbook to handle sudocmd
hosts:ipaserver
become:true
tasks:
# Ensure sudocmd are absent
- ipasudocmd:
ipaadmin_password:SomeADMINpassword
name:/usr/bin/su
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `sudocmd` | The sudo command strings. | yes
`description` | The command description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
The sudocmdgroup module allows to ensure presence and absence of sudocmdgroups and members of sudocmdgroups.
The sudocmdgroup module is as compatible as possible to the Ansible upstream `ipa_sudocmdgroup` module, but additionally offers to make sure that sudocmds are present or absent in a sudocmdgroup.
Features
--------
* Sudocmdgroup management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipasudocmdgroup module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure sudocmdgroup is present:
```yaml
---
- name:Playbook to handle sudocmdgroups
hosts:ipaserver
become:true
tasks:
# Ensure sudocmdgroup is present
- ipasudocmdgroup:
ipaadmin_password:SomeADMINpassword
name:group01
description:Group of important commands
```
Example playbook to make sure that a sudo command and sudocmdgroups are present in existing sudocmdgroup:
```yaml
---
- name:Playbook to handle sudocmdgroups
hosts:ipaserver
become:true
tasks:
# Ensure sudo commands are present in existing sudocmdgroup
- ipasudocmdgroup:
ipaadmin_password:SomeADMINpassword
name:group01
sudocmd:
- /usr/bin/su
- /usr/bin/less
action:member
```
`action` controls if the sudocmdgroup or member will be handled. To add or remove members, set `action` to `member`.
Example playbook to make sure that a sudo command and sudocmdgroups are absent in sudocmdgroup:
```yaml
---
- name:Playbook to handle sudocmdgroups
hosts:ipaserver
become:true
tasks:
# Ensure sudocmds are absent in existing sudocmdgroup
- ipasudocmdgroup:
ipaadmin_password:SomeADMINpassword
name:group01
sudocmd:
- /usr/bin/su
- /usr/bin/less
action:member
state:absent
```
Example playbook to make sure sudocmdgroup is absent:
```yaml
---
- name:Playbook to handle sudocmdgroups
hosts:ipaserver
become:true
tasks:
# Ensure sudocmdgroup is absent
- ipasudocmdgroup:
ipaadmin_password:SomeADMINpassword
name:group01
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of sudocmdgroup name strings. | no
`description` | The sudocmdgroup description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`sudocmd` | List of sudocmdgroup name strings assigned to this sudocmdgroup. | no
`action` | Work on sudocmdgroup or member level. It can be on of `member` or `sudocmdgroup` and defaults to `sudocmdgroup`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
The sudorule (Sudo Rule) module allows to ensure presence and absence of Sudo Rules and host, hostgroups, users, and user groups as members of Sudo Rule.
Features
--------
* Sudo Rule management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipasudorule module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure Sudo Rule is present:
```yaml
---
- name:Playbook to handle sudorules
hosts:ipaserver
become:true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password:SomeADMINpassword
name:testrule1
```
Example playbook to make sure sudocmds are present in Sudo Rule:
```yaml
---
- name:Playbook to handle sudorules
hosts:ipaserver
become:true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password:SomeADMINpassword
name:testrule1
allow_sudocmd:
- /sbin/ifconfig
action:member
```
Example playbook to make sure sudocmds are not present in Sudo Rule:
```yaml
---
- name:Playbook to handle sudorules
hosts:ipaserver
become:true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password:SomeADMINpassword
name:testrule1
allow_sudocmd:
- /sbin/ifconfig
action:member
state:absent
```
Example playbook to make sure Sudo Rule is absent:
```yaml
---
- name:Playbook to handle sudorules
hosts:ipaserver
become:true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password:SomeADMINpassword
name:testrule1
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of sudorule name strings. | yes
`description` | The sudorule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
`cmdcategory` \| `cmdcat` | Command category the rule applies to. Choices: ["all", ""] | no
`runasusercategory` \| `runasusercat` | RunAs User category the rule applies to. Choices: ["all", ""] | no
`runasgroupcategory` \| `runasgroupcat` | RunAs Group category the rule applies to. Choices: ["all", ""] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this sudorule. | no
`hostgroup` | List of host group name strings assigned to this sudorule. | no
`user` | List of user name strings assigned to this sudorule. | no
`group` | List of user group name strings assigned to this sudorule. | no
`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
`sudooption` \| `options` | List of options to the sudorule | no
`order` \| `sudoorder` | Integer to order the sudorule | no
`runasuser` | List of users for Sudo to execute as. | no
`runasgroup` | List of groups for Sudo to execute as. | no
`action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
These modules allow to manage the topology. That means that topology segments can be added, removed and reinitialized. Also it is possible to verify topology suffixes.
These modules allow to manage the topology. That means that it can made sure that topology segments are present, absent or reinitialized. Also it is possible to verify topology suffixes.
Features
@@ -39,7 +39,7 @@ ipaserver.test.local
```
Example playbook to add a topology segment wiht default name (cn):
Example playbook to add a topology segment with default name (cn):
```yaml
---
@@ -50,13 +50,13 @@ Example playbook to add a topology segment wiht default name (cn):
tasks:
- name:Add topology segment
ipatopologysegment:
password:MyPassword123
ipaadmin_password:SomeADMINpassword
suffix:domain
left:ipareplica1.test.local
right:ipareplica2.test.local
state:present
```
The name (cn) can also be set if it should not be the default `{left}-to-{rkight}`.
The name (cn) can also be set if it should not be the default `{left}-to-{right}`.
Example playbook to delete a topology segment:
@@ -70,7 +70,7 @@ Example playbook to delete a topology segment:
tasks:
- name:Delete topology segment
ipatopologysegment:
password:MyPassword123
ipaadmin_password:SomeADMINpassword
suffix:domain
left:ipareplica1.test.local
right:ipareplica2.test.local
@@ -90,7 +90,7 @@ Example playbook to reinitialize a topology segment:
tasks:
- name:Reinitialize topology segment
ipatopologysegment:
password:MyPassword123
ipaadmin_password:SomeADMINpassword
suffix:domain
left:ipareplica1.test.local
right:ipareplica2.test.local
@@ -111,11 +111,43 @@ Example playbook to verify a topology suffix:
tasks:
- name:Verify topology suffix
ipatopologysuffix:
password:MyPassword123
ipaadmin_password:SomeADMINpassword
suffix:domain
state:verified
```
Example playbook to add or remove or check or reinitialize a list of topology segments:
`principal` | The admin principal is a string and defaults to `admin` | no
`password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`suffix` | The topology suffix to be used, this can either be `domain` or `ca` | yes
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`suffix` | The topology suffix to be used, this can either be `domain`, `ca` or `domain+ca` | yes
`name` \| `cn` | The topology segment name (cn) is the unique identifier for a segment. | no
`left` \| `leftnode` | The left replication node string - an IPA server | no
`right` \| `rightnode` | The right replication node string - an IPA server | no
`direction` | The direction a segment will be reinitialized. It can either be `left-to-right` or `right-to-left` and only used with `state: reinitialized` |
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled` or `reinitialized` | yes
`direction` | The direction a segment will be reinitialized. It can either be `left-to-right` or `right-to-left` and only used with `state: reinitialized` | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `checked` or `reinitialized` | yes
`principal` | The admin principal is a string and defaults to `admin` | no
`password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`suffix` | The topology suffix to be used, this can either be `domain` or `ca` | yes
`state` | The state to ensure. It can only be `verified` | yes
The trust module allows to ensure presence and absence of a domain trust.
Features
--------
* Trust management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipatrust module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
* samba-4
* ipa-server-trust-ad
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure a one-way trust is present:
Omitting the two_way option implies the default of one-way
```yaml
---
- name:Playbook to ensure a one-way trust is present
hosts:ipaserver
become:true
tasks:
- name:ensure the one-way trust present
ipatrust:
realm:ad.example.test
admin:Administrator
password:secret_password
state:present
```
Example playbook to ensure a two-way trust is present using a shared-secret:
```yaml
---
- name:Playbook to ensure a two-way trust is present
hosts:ipaserver
become:true
tasks:
- name:ensure the two-way trust is present
ipatrust:
realm:ad.example.test
trust_secret:my_share_Secret
two_way:True
state:present
```
Example playbook to ensure a trust is absent:
```yaml
---
- name:Playbook to ensure a trust is absent
hosts:ipaserver
become:true
tasks:
- name:ensure the trust is absent
ipatrust:
realm:ad.example.test
state:absent
```
This will only delete the ipa-side of the trust and it does NOT delete the id-range that matches the trust,
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`realm` | The realm name string. | yes
`admin` | Active Directory domain administrator string. | no
`password` | Active Directory domain administrator's password string. | no
`server` | Domain controller for the Active Directory domain string. | no
`trust_secret` | Shared secret for the trust string. | no
`trust_type` | Trust type. Currently, only 'ad' for Active Directory is supported. | no
`base_id` | First posix id for the trusted domain integer. | no
`range_size` | Size of the ID range reserved for the trusted domain integer. | no
`range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no
`two_way` | Establish bi-directional trust. By default trust is inbound one-way only. (bool) | no
`external` | Establish external trust to a domain in another forest. The trust is not transitive beyond the domain. (bool) | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
The user module allows to ensure presence, absence, disablement, unlocking and undeletion of users.
The user module is as compatible as possible to the Ansible upstream `ipa_user` module, but additionally offers to preserve delete, enable, disable, unlock and undelete users.
Features
--------
* User management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipauser module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure a user is present:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure user pinky is present
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky
first:pinky
last:Acme
uid:10001
gid:100
phone:"+555123457"
email:pinky@acme.com
passwordexpiration:"2023-01-19 23:59:59"
password:"no-brain"
update_password:on_create
# Ensure user brain is present
- ipauser:
ipaadmin_password:SomeADMINpassword
name:brain
first:brain
last:Acme
```
`update_password` controls if a password for a user will be set in present state only on creation or every time (always).
These two `ipauser` module calls can be combined into one with the `users` variable:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure users pinky and brain are present
- ipauser:
ipaadmin_password:SomeADMINpassword
users:
- name:pinky
first:pinky
last:Acme
uid:10001
gid:100
phone:"+555123457"
email:pinky@acme.com
passwordexpiration:"2023-01-19 23:59:59"
password:"no-brain"
- name:brain
first:brain
last:Acme
update_password:on_create
```
You can also alternatively use a json file containing the users, here `users_present.json`:
```json
{
"users":[
{
"name":"user1",
"first":"First 1",
"last":"Last 1"
},
{
"name":"user2",
"first":"First 2",
"last":"Last 2"
},
...
]
}
```
And ensure the presence of the users with this example playbook:
```yaml
---
- name:Tests
hosts:ipaserver
become:true
gather_facts:false
tasks:
- name:Include users_present.json
include_vars:
file:users_present.json
- name:Users present
ipauser:
ipaadmin_password:SomeADMINpassword
users:"{{ users }}"
```
Ensure user pinky is present with a generated random password and print the random password:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure user pinky is present with a random password
- ipauser:
ipaadmin_password:SomeADMINpassword
name:brain
first:brain
last:Acme
random:yes
register:ipauser
- name:Print generated random password
debug:
var:ipauser.user.randompassword
```
Ensure users pinky and brain are present with a generated random password and print the random passwords:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure users pinky and brain are present with random password
- ipauser:
ipaadmin_password:SomeADMINpassword
users:
- name:pinky
first:pinky
last:Acme
uid:10001
gid:100
phone:"+555123457"
email:pinky@acme.com
passwordexpiration:"2023-01-19 23:59:59"
password:"no-brain"
- name:brain
first:brain
last:Acme
register:ipauser
- name:Print generated random password of pinky
debug:
var:ipauser.user.pinky.randompassword
- name:Print generated random password of brain
debug:
var:ipauser.user.brain.randompassword
```
Example playbook to delete a user, but preserve it:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Remove but preserve user pinky
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky
preserve:yes
state:absent
```
This can also be done with the `users` variable containing only names, this can be combined into one module call:
Example playbook to delete a user, but preserve it using the `users` variable:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Remove but preserve user pinky
- ipauser:
ipaadmin_password:SomeADMINpassword
users:
- name:pinky
preserve:yes
state:absent
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to undelete a preserved user.
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Undelete preserved user pinky
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky
state:undeleted
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to disable a user:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Disable user pinky
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky
state:disabled
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to enable users:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Enable user pinky and brain
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky,brain
state:enabled
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to unlock users:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Unlock user pinky and brain
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky,brain
state:unlocked
```
Example playbook to ensure users are absent:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure users pinky and brain are absent
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky,brain
state:absent
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to ensure users are absent:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure users pinky and brain are absent
- ipauser:
ipaadmin_password:SomeADMINpassword
users:
- name:pinky
- name:brain
state:absent
```
Variables
=========
**General Variables:**
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` | The list of user name strings. `name` with *user variables* or `users` containing *user variables* need to be used. | no
**User variables** | Only used with `name` variable in the first level. | no
`users` | The list of user dicts. Each `users` dict entry can contain **user variables**.<br>There is one required option in the `users` dict:| no
| `name` - The user name string of the entry. | yes
| **User variables** | no
`preserve` | Delete a user, keeping the entry available for future use. (bool) | no
`update_password` | Set password for a user in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
`preserve` | Delete a user, keeping the entry available for future use. (bool) | no
`action` | Work on user or member level. It can be on of `member` or `user` and defaults to `user`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes
**User Variables:**
Variable | Description | Required
-------- | ----------- | --------
`first` \| `givenname` | The first name string. | no
`last` \| `sn` | The last name string. | no
`fullname` \| `cn` | The full name string. | no
`displayname` | The display name string. | no
`homedir` | The home directory string. | no
`shell` \| `loginshell` | The login shell string. | no
`email` | List of email address strings. | no
`principal` \| `principalnam` \| `krbprincipalname` | The kerberos principal sptring. | no
`principalexpiration` \| `krbprincipalexpiration` | The kerberos principal expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. | no
`passwordexpiration` \| `krbpasswordexpiration` | The kerberos password expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. Only usable with IPA versions 4.7 and up. | no
`password` | The user password string. | no
`random` | Generate a random user password | no
`uid` \| `uidnumber` | The UID integer. | no
`gid` \| `gidnumber` | The GID integer. | no
`city` | City | no
`userstate` \| `st` | State/Province | no
`postalcode` \| `zip` | Postalcode/ZIP | no
`phone` \| `telephonenumber` | List of telephone number strings, | no
`mobile` | List of mobile telephone number strings. | no
`pager` | List of pager number strings. | no
`fax` \| `facsimiletelephonenumber` | List of fax number strings. | no
`orgunit` | The Organisation unit. | no
`title` | The job title string. | no
`manager` | List of manager user names. | no
`carlicense` | List of car licenses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no
`userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
`radius` | RADIUS proxy configuration | no
`radiususer` | RADIUS proxy username | no
`departmentnumber` | Department Number | no
`employeenumber` | Employee Number | no
`employeetype` | Employee Type | no
`preferredlanguage` | Preferred Language | no
`certificate` | List of base-64 encoded user certificates. | no
`certmapdata` | List of certificate mappings. Either `data` or `certificate` or `issuer` together with `subject` need to be specified. Only usable with IPA versions 4.5 and up. <br>Options: | no
| `certificate` - Base-64 encoded user certificate, not usable with other certmapdata options. | no
| `issuer` - Issuer of the certificate, only usable together with `usbject` option. | no
| `subject` - Subject of the certificate, only usable together with `issuer` option. | no
| `data` - Certmap data, not usable with other certmapdata options. | no
`noprivate` | Do not create user private group. (bool) | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
Return Values
=============
There are only return values if one or more random passwords have been generated.
Variable | Description | Returned When
-------- | ----------- | -------------
`user` | User dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
| `randompassword` - The generated random password | If only one user is handled by the module
| `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> `randompassword` - The generated random password | If several users are handled by the module
The vault module allows to ensure presence and absence of vault and members of vaults.
The vault module is as compatible as possible to the Ansible upstream `ipa_vault` module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
Features
--------
* Vault management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipavault module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
* KRA service must be enabled
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure vault is present (by default, vault type is `symmetric`):
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
password:SomeVAULTpassword
description:A standard private vault.
```
Example playbook to make sure that a vault and its members are present:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
users:user01
```
`action` controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set `action` to `member`.
Example playbook to make sure that a vault member is present in vault:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
users:user01
action:member
```
Example playbook to make sure that a vault owner is absent in vault:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
owner:user01
action:member
state:absent
```
Example playbook to make sure vault data is present in a symmetric vault:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
password:SomeVAULTpassword
data:>
Data archived.
More data archived.
action:member
```
When retrieving data from a vault, it is recommended that `no_log: yes` is used, so that sensitive data stored in a vault is not logged by Ansible. The data is returned in a dict `vault`, in the field `data` (e.g. `result.vault.data`). An example playbook to retrieve data from a symmetric vault:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- name:Retrieve data from vault and register it in 'ipavault'
ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
password:SomeVAULTpassword
state:retrieved
no_log:yes
register:ipavault
- name:Print retrieved data from vault
debug:
var:ipavault.vault.data
```
Example playbook to make sure vault data is absent in a symmetric vault:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
password:SomeVAULTpassword
action:member
state:absent
```
Example playbook to change the password of a symmetric:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
old_password:SomeVAULTpassword
new_password:SomeNEWpassword
```
Example playbook to make sure vault is absent:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
state:absent
register:result
- debug:
msg:"{{ result.vault.data }}"
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Currently only `client` is supported by this module, and use of `server` will raise a failure. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of vault name strings. | yes
`description` | The vault description string. | no
`new_password_file` | File containing Base64 encoded new Vault password. | no
`public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no
`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
`private_key `\| `vault_private_key` \| `ipavaultprivatekey` | Base64 encoded vault private key. Used only to retrieve data. | no
`private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
`salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
`username` \| `user` | Any user can own one or more user vaults. | no
`service` | Any service can own one or more service vaults. | no
`shared` | Vault is shared. Default to false. (bool) | no
`users` | List of users that are members of the vault. | no
`groups` | List of groups that are member of the vault. | no
`services` | List of services that are member of the vault. | no
`owners` \| `ownerusers` | List of users that are owners of the vault. | no
`ownergroups` | List of groups that are owners of the vault. | no
`ownerservices` | List of services that are owners of the vault. | no
`data` \|`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
`in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
`out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `retrieved`, default: `present`. | no
Return Values
=============
There is only a return value if `state` is `retrieved`.
Variable | Description | Returned When
-------- | ----------- | -------------
`vault` | Vault dict with archived data. (dict) <br>Options: | If `state` is `retrieved` and `out` is not defined.
| `data` - The vault data. | Always
Notes
=====
ipavault uses a client context to execute, and it might affect execution time.
This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`.
This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`. Also modules for group, host, topology and user management.
**Note**: The ansible playbooks and roles require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
**Note**: The Ansible playbooks and roles require a configured Ansible environment where the Ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
Features
--------
@@ -11,12 +11,47 @@ Features
* Cluster deployments: Server, replicas and clients in one playbook
* One-time-password (OTP) support for client installation
* Repair mode for clients
* Backup and restore, also to and from controller
* Smartcard setup for servers and clients
* Modules for automembership rule management
* Modules for automount key management
* Modules for automount location management
* Modules for automount map management
* Modules for config management
* Modules for delegation management
* Modules for dns config management
* Modules for dns forwarder management
* Modules for dns record management
* Modules for dns zone management
* Modules for group management
* Modules for hbacrule management
* Modules for hbacsvc management
* Modules for hbacsvcgroup management
* Modules for host management
* Modules for hostgroup management
* Modules for idrange management
* Modules for location management
* Modules for permission management
* Modules for privilege management
* Modules for pwpolicy management
* Modules for role management
* Modules for self service management
* Modules for server management
* Modules for service management
* Modules for service delegation rule management
* Modules for service delegation target management
* Modules for sudocmd management
* Modules for sudocmdgroup management
* Modules for sudorule management
* Modules for topology management
* Modules for trust management
* Modules for user management
* Modules for vault management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.6 and up are supported by all roles.
FreeIPA versions 4.6 and up are supported by all roles.
The client role supports versions 4.4 and up, the server role is working with versions 4.5 and up, the replica role is currently only working with versions 4.6 and up.
@@ -26,13 +61,14 @@ Supported Distributions
* RHEL/CentOS 7.4+
* Fedora 26+
* Ubuntu
* Debian 10+ (ipaclient only, no server or replica!)
Requirements
------------
**Controller**
* Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
*python3-gssapi is required on the controller if a one time password (OTP) is used with keytab to install the client.
*/usr/bin/kinit is required on the controller if a one time password (OTP) is used
**Node**
* Supported FreeIPA version (see above)
@@ -41,11 +77,11 @@ Requirements
Limitations
-----------
**External CA**
**External signed CA**
External CA support is not supported or working. The currently needed two step process is an issue for the processing in the role. The configuration of the server is partly done already and needs to be continued after the CSR has been handled. This is for example breaking the deployment of a server with replicas or clients in one playbook.
External signed CA is now supported. But the currently needed two step process is an issue for the processing in a simple playbook.
Work is planned to have a new method to handle CSR for external CAs in a separate step before starting the server installation.
Work is planned to have a new method to handle CSR for external signed CAs in a separate step before starting the server installation.
Usage
@@ -54,19 +90,61 @@ Usage
How to use ansible-freeipa
--------------------------
The simplest method for now is to clone this repository on the contoller from github directly and to start the deployment from the ansible-freeipa directory:
**GIT repo**
The simplest method for now is to clone this repository on the controller from github directly and to start the deployment from the ansible-freeipa directory:
You can use the roles directly within the top directory of the git repo, but to be able to use the management modules in the plugins subdirectory, you have to either adapt `ansible.cfg` or create links for the roles, modules or directories.
ansible-freeipa/plugins/modules to ~/.ansible/plugins/
ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
```
**RPM package**
There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
**Ansible Galaxy**
This command will get the whole collection from galaxy:
Installing collections using the ansible-galaxy command is only supported with ansible 2.9+.
The mazer tool can be used for to install the collection for ansible 2.8:
```bash
mazer install freeipa.ansible_freeipa
```
Ansible galaxy does not support the use of dash ('-') in a name and is automatically replacing this with an underscore ('\_'). Therefore the name is `ansible_freeipa`. The ansible_freeipa collection will be placed in the directory `~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa` where it will be automatically be found for this user.
The needed adaptions of collection prefixes for `modules` and `module_utils` will be done with ansible-freeipa release `0.1.6` for galaxy.
The roles provided by ansible-freeipa are not available in ansible galaxy so far.
Ansible inventory file
----------------------
The most important parts of the inventory file is the definition of the nodes, settings and the topology. Please remember to use [Ansible vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.
The most important parts of the inventory file is the definition of the nodes, settings and the management modules. Please remember to use [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.
**Master server**
@@ -84,7 +162,7 @@ ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
```
The admin principle is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
The admin principal is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
You can also add more setting here, like for example to enable the DNS server or to set auto-forwarders:
```yaml
@@ -100,8 +178,9 @@ ipaserver_install_packages=no
ipaserver_setup_firewalld=no
```
The installation of packages and also the configuration of the firewall are by default enabled.
Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
For more server settings, please have a look at the [server role documentation](SERVER.md).
For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md).
**Replica**
@@ -175,8 +254,9 @@ ipareplica_setup_firewalld=no
```
The installation of packages and also the configuration of the firewall are by default enabled.
Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
For more replica settings, please have a look at the [replica role documentation](REPLICA.md).
For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md).
**Client**
@@ -208,14 +288,15 @@ ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
```
For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server. It is needed to have the Python gssapi bindings installed on the controller for this.
For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server.
To enable the generation of the one-time-password:
```yaml
[ipaclients:vars]
ipaclient_use_otp=yes
```
For more client settings, please have a look at the [client role documentation](CLIENT.md).
For more client settings, please have a look at the [client role documentation](roles/ipaclient/README.md).
**Cluster**
@@ -234,10 +315,46 @@ ipaserver_realm=TEST.LOCAL
```
All these settings will be available in the ```[ipaserver]```, ```[ipareplicas]``` and ```[ipaclient]``` groups.
**Topology**
With this playbook it is possible to add a list of topology segments using the `ipatopologysegment` module.
The playbooks needed to deploy or undeploy server, replicas and clients are part of the repository and placed in the playbooks folder. There are also playbooks to deploy and undeploy clusters. With them it is only needed to add an inventory file:
The playbooks needed to deploy or undeploy servers, replicas and clients are part of the repository and placed in the playbooks folder. There are also playbooks to deploy and undeploy clusters. With them it is only needed to add an inventory file:
- name:Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
ipadelegation:
ipaadmin_password:SomeADMINpassword
name:"basic manager attributes"
attribute:
- employeenumber
- employeetype
action:member
state:absent
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
