In `ipapermission` plugin, Some attributtes were not being managed
when `action: member` was enabled.
This patch enable member management for `right`, `rawfilter`,
`filter, and fixes management of `memberof`.
Fix issue #489
When adding A or AAAA records using the compatibility mode with
Ansible's community general plugin, the reverse (PTR) record was
added, but the A/AAAA record was not. This patch fixes the behavior.
Fix issue #491
The attrs handling was not complete and did not support to ensure presence
or absence of attributes with action:member.
The includedattrs and excludedattrs parameters have not been added with
this change as the use of attrs will automatically set includedattrs and
excludedattrs. The includedattrs and excludedattrs parameters are only
usable for managed permissions and duplicating attrs.
The permission module may not handle privileges. An IPA internal only API
has been used for this. The prvilege variable and all related code paths
have been removed.
Fixes: #424 ([Permission Handling] Not able to add additional attributes
with existing attributes)
Fixes: #425 ([Permission Handling] Not able to add member privilege while
adding permission)
There are some issues using a combination of `lookup('file')` and the
`b64encode` filter in Ansible, making tests unstable. This change
removes the usage of b64encode when loading public and private keys
from files in the Vault test playbooks.
Added code to the ipa* plugins to support Ansible's check_mode, by
means of a clean exit before the execution of the actual list of
commands that would otherwise create/update/delete IPA servers
and/or its resources.
Current implementation does not allow the change of an existingi Vault
type. To allow it, data is retrieved from the current vault, the vault
is modifiend, and then, data is stored again in the new vault.
Due to changing the process of modifying a vault, this change also
fixes the update of asymmetric vault keys. To change the key used,
the task must provide the old private key, used to retrieve data,
and the new public_key, used to store the data again. A new alias
was added to public_key (new_public_key) and public_key_file
(new_public_key_file) so that the playbook better express the
intention of the tak.
Vault tests have been updated to better test against the new update
process, and a new test file has bee added:
tests/vault/test_vault_change_type.
In FreeIPA CLI, The attributes `allow_query` and `allow_transfer` can
hold IPv4 or IPv6 address or network address, and the values `none` and
`any`.
This patch adds support for network addresses, `none` and `any`, which
were not supported.
Fix issue #475.
When adding new members to a role, the existing members were removed.
The correct behavior for the "member" action is to add those members,
and substitute the existing ones. This patch fixes this behavior.
Fix#409, #411, #412, #413
According to the testinfra changelog, since version 6.0.0, testinfra
is know as pytest-testinfra, and the use of testinfra is deprecated.
This change will prevent future isses when updating requirements using
`pip`.
Ref: https://testinfra.readthedocs.io/en/latest/changelog.html
Bugbear is a plugin for Flake8 finding likely bugs and design problems.
It contain warnings that don't belong in pyflakes and pycodestyle, and
do not have a PEP or standard behind them.
Ref: https://github.com/PyCQA/flake8-bugbear
This patch disables ansible-lint `always_run` flag, as this was
making patches that did not change any YAML file take longer in
the pre-commit step, as ansible-lint was executed with no parameter,
thus, searching and evaluating all YAML files in the repository.
With this change, if no YAML file is modified, ansible-lint is skipped.
warning[SC2044]: For loops over find output are fragile. Use find -exec
or a while read loop.
warning[SC2164]: Use 'cd ... || exit' or 'cd ... || return' in case cd
fails.
The function get_commit was using the global merge variable instead of
the local commit variable. Therefore it returned the wrong commit
subject for merges without subject.
The parameter options.no_dnssec_validation was set using a bad
parameter name. This lead to not beeing able to turn off dnssec
validation in the replica deployment.
Fixes: #456 (ipareplica_no_dnssec_validation)
With the parameter `args: ['.']`, yamllint would run over every
file during pre-commit, including those not being commited, and it
would allow for false negatives, not allowing a commit, even if
commited yaml files had no issues, but another file, not par of the
commit, had.
By changing the yamllint parameter to `files: \.(yaml|yml)$` it
will only check files being commited, preventing false negatives,
and allowing for faster commits.
This PR fixes the creation of sudocmdgroups when the sudocmds are
specified, allowing groups to be created with sudocmd members in a
single task.
Fix issue #440.
Currently the script is failing with The given path '...' is not valid
if a path is not handled by the script. This is resulting in issues if
module_utils and action plugins are updated for example.
The solution is to simply ignore paths that are not handled.
The common_check function in the replica installer code has been changed
for the new memory checker code. With this the server and replica command
line installers got the option --skip-mem-check.
The server and replica role now also support the memory cheker and there
are new variables for server and replica:
ipaserver_mem_check - for ipaserver
ipareplica_mem_check - for ipaserver
These bool values default to yes and can be turned off in the inventory
or playbook if needed.
Related to freeipa PR https://pagure.io/freeipa/issue/8404 (Detect and
fail if not enough memory is available for installation)
Fixes: #450 (IPA Replica Installation Fails)
Altough configuring DNS and KRA support on the testing server node
provides broad coverage support, it does not represent all scenarios
where ansible-freeipa can be used, for example without DNS support.
This documentation updates removes the requirement for DNS and KRA
support, and highlights what is expected with different configurations.
When using ipahost module with servers where DNS was not configured
it failed to add hosts due to an exception raised on `dnsrecord_show`
that was not being correctly handled.
As the exception was being handled twice, the This patch simply removes
one of the handlers, allowing the exception to propagate to the caller,
where it is handled.
Fixes issue #434.
This PR adds a document with information on how to contribute to
ansible-freeipa development, showing the environment configuration,
available tools, and some guidelines that should be followed.
There was a failure when NAPTR or DLV records where updated,
if the record name had multiple entries. This patch fixes this
behavior, by using the requested record, not the retrieved one.
Tests have been updated to test for this issue on
tests/dnsrecord/test_dnsrecord.yml
Due to an issue with FreeIPA, when modifying the SOA serial attribute
along with other attributes, the value is ignored. In order to have
the value provided, the attribute is set is a later call to dnszone-mod
allowing it to retain the desired value.
Ref: https://pagure.io/freeipa/issue/8489
Examples of dnsforwarzone were using a single string rather than a
dict of values to set attribute `forwarders`. Both source code and
README examples were fixed.
Fix issue #446
The file lookup is by default setting `rstrip=True` which could lead
into a stripped new line. This is not happening always but resulted in
failed tests sometimes with certificates pasted to the b64encode filter.
For calls of lookup in the certificae tests `rstrip=False` has been
added to make sure that this is not happening any more. Not in
test_dnsrecord as lookup(..., rstrip=False) is adding a new line if
there was not a new line and this is an issue for dnsrecord. The user
and host tests have also been simplified to create the base64 encoded
file in the beginning and use this file then later on in the tests
without the need to use the b64encode filter.
Ref: https://github.com/ansible/ansible/issues/57521#issuecomment-502238000
This patch adds another lever of linter checking for ansible-freeipa
by enabling linters to run on the developer machine, before pushing
changes to be evaluated on the CI, allowing code fixes without
wating for CI to run the linters on the repository.
To enable pre-commit hooks, `pre-commit` is used, and was added to
requirements-dev.txt, and can be installed with pip
(`pip install -r requirements-dev.txt`). Once installed, on every
commit, YAML and python files on the commit will be evaluated.
If one needs to bypass the pre-commit linters, `git commit` can be
issued with `--no-verify`.
The linters will not be removed from the CI, as a commit can be
performed without running the checks.
When modifying a record, depending on how the playbook tasks were
arranged, it was possible to end with more records than expected.
This behavior was fixed by modifying the way records are searched
when a modification is requested. This change also allows less calls
find_dnsrecord.
Tests were modified to reflect the changes, and a new test playbook
was added:
tests/dnsrecord/test_dnsrecord_modify_record.yml
Currently the certifaictes are copied ot the server with the complete
path that is provided within the playbook. This could result in
unexpected file placements. Certificates should be placed in the /root
folder for the deployment.
Fixes#405 (copy_external_cert does not handle pathed items)
Information about the backup role and also the config, delegation, dns
config, location, permission, priviledge and self service modules have been
missing in the main README file.
This change add support for running ansible-doc-test on every
commit or PR, ensuring that roles and modules are able to produce
correct documentation with ansible-doc.
The currently used namespace and collection name are hard coded in
utils/build-galaxy-release.sh. They can now be defined as args 1 and 2
and default to freeipa and ansible_freeipa..
FreeIPA 4.8.7 has introduced bind type 'self' as a valid value, and
this PR adds checks so the module fails early if the value is used
with an unsupported version.
Tests and documentation have been updated to reflect the changes.
Some attribute values are only accepted for specific FreeIPA versions,
for example `self` for permission's `bindtype`. Although there are
options to check for command and parameter availability, there is no
check for verifying if a value should be accepted.
This patch add a function to evaluate the target FreeIPA host version,
by comparing a giver version to the current installed one.
The version evaluation uses Python packaging's version comparision,
which is compatible with PEP 440, if available. If not available, it
falls back to a string split, that will work for the most common cases,
but might fail for versions including strings with `rc` or `dev`, for
example.
Due to Ansible filtering out values in the output that might be match
values in sensible attributes that have `no_log` set, if a module need
to return data to the controller, it cannot rely on
`ansible_module.exit_json` if there is a chance that a partial match
may occur.
See: https://github.com/ansible/ansible/issues/71789
The change provided here uses the same implementation that is used on
Ansible's `AnsibleModule.exit_json`, without the data filtering layer,
so every attribute with be printed and, therefore, logged by Ansible.
This is needed for the Vault module, as we need to return values that
are explicit requested by the user and that might, at least partially,
match the values in attributes with `no_log` set.
Tests that reproduced the issue, and show it was fixed were provided
for all Vault types.
Up to now the snippets in the README files, the EXAMPLES in the modules
and also the tests playbooks have not been adapted while building the
collection.
These are the invoved python files:
utils/galaxyfy-README.py
utils/galaxyfy-module-EXAMPLES.py
utils/galaxyfy-playbook.py
utils/galaxyfy.py
utils/galaxyfy.py provides the function galaxyfy_playbook, which has been
extended and is used in galaxyfy-playbook.py, galaxyfy-README.py and
galaxyfy-module-EXAMPLES.py.
There is curently a merge commit without a subject, which leads into a
traceback in the changelog script.
The merge information provides the commit hash, which is now used to get
the subject later on using the generated commits hash.
There is a new backup role in the roles folder:
roles/ipabackup
This role allows to backup an IPA server, to copy a backup from the
server to the controller, to copy all backups from the server to the
controller, to remove a backup from the server, to remove all backups
from the server, to restore an IPA server locally and from the controller
and also to copy a backup from the controller to the server.
Here is the documentation for the role:
roles/ipabackup/README.md
New example playbooks have been added:
playbooks/backup-server.yml
playbooks/backup-server-to-controller.yml
playbooks/copy-backup-from-server.yml
playbooks/copy-all-backups-from-server.yml
playbooks/remove-backup-from-server.yml
playbooks/remove-all-backups-from-server.yml
playbooks/copy-backup-to-server.yml
playbooks/restore-server-from-controller.yml
playbooks/restore-server.yml
When using the ipavault module to retrieve stored data, this data is
often sensitive, and if `no_log` is not enabled on the playbook, the
sensitive data will be logged by Ansible.
This change in de documentation, and playbook examples, suggests the
use of `no_log: true` when using `state: retrieved` with ipavault.
There is a new permission management module placed in the plugins folder:
plugins/modules/ipapermission.py
The permission module allows to ensure presence of absence of permissions
and manage permission members.
Here is the documentation for the module:
README-permission.md
New example plabooks have been added:
playbooks/permission/permission-absent.yml
playbooks/permission/permission-allow-read-employeenum.yml
playbooks/permission/permission-member-absent.yml
playbooks/permission/permission-member-present.yml
playbooks/permission/permission-present.yml
playbooks/permission/permission-renamed.yml
New tests for the module:
tests/permission/test_permission.yml
This patch add support for adding external members to ipagroup which
have the `external` attribute set. It adds another attribute to the
module, `external_members`, which is a list of users or groups from
an external trust, to be added to the group.
This patch requires server-trust-ad to be tested, as such, the tests
have been guarded by a test block, for when such tests are available
in ansible-freeipa CI.
Fixes issue #418
This scrip can be used to generate the changelog text for a new
ansible-freeipa release on github.
usage: Usage: changelog [options] [<new version>]
optional arguments:
-h, --help show this help message and exit
--tag TAG git tag
If the script is used without a givn tag, it will show all the changes since
the last tag. If a tag (this can be a also a commit) is given, then all
changes since this commit are shown.
This script can check modules in roles and also plugins folder to have
a valid documentation section. It is using anisble-doc internally.
usage: Usage: ansible-doc-test [options] [path]
optional arguments:
-h, --help show this help message and exit
-v increase output verbosity
There are different verbose levels:
-v Shows the modules that are tested at the moment.
-vv Shows the modules and also the doc output.
You can use the script to check specific modules, roles or modules in roles.
Here are some examples:
Test specific module with verbose level 1:
$ utils/ansible-doc-test -vv plugins/modules/ipauser.py
Test all modules in plugins folder:
$ utils/ansible-doc-test -v plugins
Test ipaserver_prepare.py in ipaserver role:
$ utils/ansible-doc-test -v roles/ipaserver/library/ipaserver_prepare.py
Test all modules in ipaserver role:
$ utils/ansible-doc-test -v roles/ipaserver
Test all roles:
$ utils/ansible-doc-test -v roles
Test all roles and modules in plugins:
$ utils/ansible-doc-test -v
Public and private key files were created but not removed when testing
the Vault module. This was fixed by adding a task to remove them to
Vault's env_cleanup playbook.
This patch adds Ansible tasks to create and remove self-signed
certificates, instead of using previously created certificates.
The certificates are then `lookup`, instead of being used inline
in the playbooks.
Playbooks are easier to read and maintain with this changes, and
there is no need to change the playbooks, if a certificate expires.
ansible-doc is reporting several issues in modules. Most of them have benn
due to misspelled description key word or due to use of multi line text
without the | in the description line.
https://pagure.io/freeipa/issue/8458 moved more things to the ipalib and
ipalib.facts:
- sysrestore has been moved from ipalib.install to ipalib
- is_ipa_configured has been moved from ipaserver.install.installutils to
ipalib.facts
Fixes: #394 (TASK [ipaclient : Install - IPA client test] Error: module
'ipalib.install.sysrestore' has no attribute
'SYSRESTORE_STATEFILE')
When using changing passwords, using password files, the file name was
being used as the password, and not its content. This patch fixes the
behavior to use the contents of the password file.
Tests have been added to ensure the correct behavior.
The new variables ipa[server,replica]_firewalld_zone have been added to
be able to set the zone in which the needed services for IPA are enabled.
New tasks have been added to check if the zone is available in the runtime
and also permamanet environment.
The code to enable firewalld has been moved out of thee
ipa[server,replica]_install_packages blocks to make sure that the firewalld
service is also enabled if the package is already installed.
Fixes: issue #177 (How to set up firewalld zones?)
When retrieving data from a vault using `out` to store the data in a
file resulted is random characters being returned and logged. These
characters could generate a traceback print from Ansible's logger,
without breaking the script.
The reason for that is that the result from `vault_retrive` was being
processed when it was not needed, and data was beeing returned, when
it shouldn't.
This patch fixes this behavior by supressing the return data when `data`
is not available, and only raising an error if it should be available.
There is a new privilege management module placed in the plugins folder:
plugins/modules/ipaprivilege.py
The privilege module allows to ensure presence or absence of privilege
and manage privilege permission memebers.
Here is the documentation for the module:
README-privilege.md
New example playbooks have been added:
playbooks/privilege/privilege-absent.yml
playbooks/privilege/privilege-member-absent.yml
playbooks/privilege/privilege-member-present.yml
playbooks/privilege/privilege-present.yml
New tests for the module:
tests/privilege/test_privilege.yml
users.json is generated for the tests and not part of the repo any more.
This test was lacking the include to generate the file.
Related to: b7e1a99b6e
tests/user/test_users*.yml: Use extended dynamic users.json
There is a new trust management module placed in the plugins folder:
plugins/modules/trust.py
The trust module allows to ensure presence and absence of trusts.
Here is the documentation for the module:
README-trust.md
New example playbooks have been added:
playbooks/trust/add-trust.yml
playbooks/trust/del-trust.yml
New tests added for the module:
tests/hbacrule/test_trust.yml
In order to run the tests in idm-ci we need to configure the our pytest
tests environment variables. This PR configures that automatically if an
environment variable TWD is available and $TWD/config exists.
The scprit `lint_check.sh` under utils runs the same linters as the
Github Actions, with the same configuration.
The changes on setup.cfg are required if flake8-docstrings is used,
so its output is the same as pydocstlye.
Flake8 and Pydocstyle were already being used as checks on Azure
pipelines, and this change enable the use of both as Github actions
run on every push (on any fork) end every pull-request.
I uses `rjeffman/python-lint-action` to run both linters using the
project's configuration.
Ansible best practice is to not use `latest` for the `package` module
state. As we want to use it in the case of nss, this change will
disable checking for this case.
By running yamllint we add one more verification of quality to the
playbooks used on/provided by ansible-freeipa, that will be executed
on every push (even on forks) or pull-requests.
This patch provides the configuration needed to run yamllint on
the playbooks found in the `tests`, `playbooks` and `molecule`
directories, on every push or pull-request done on Github, using
ibiqlik/action-yamllint action version `v1`.
The current configuration for yamllint has many rules disable, so
the problems found can be fixed later. All rules after the comment
`# Disabled rules` should be enabled in the near future.
By running ansible-lint we check if playbooks provided in
ansible-freipa follow Ansible's best practices, nd the verification
will be performed on every push (even on forks) or pull-request.
This patch provides the configuration needed to run ansible-lint
to the playbooks found in the `tests`, `playbooks` and `molecule`
directories, on every push or pull-request done on Github, using
Ansible's Github Action ansible/ansible-lint-action.
Until now ansible-freeipa repository only had playbook tests. This
commit introduces the ability of creating TestCase classes connected to
the master host. This connection can be used to run commands in the
managed host after the ansible playbook execution is the allowing the
verification of the machine state.
When using virtual environment for development, Git reports that the
virtual environment itself in untracked. This change add commonly found
virtual environment directories to the list of ignored files/directories.
The ipagroup attribute `membermanager` requires the use of IPA
version 4.8.4 or later. This change ensure that the tests are
executed only if a required version is found.
The config attributte maxhostname is only available after IPA
version 4.8.0. The tests for this attribute are now protected to
not run if a previous IPA version is found.
When running module ipavault with Python 2.7, due to differences in
the handling of unicode string than in Python 3, the vault_type type
was different than the required.
This patch changes the default value to force a unicode string in
the supported versions of Python, fixing the module when Python 2
is used.
When using ipadnsfowardzone with a target host that uses Python 2,
it fails to add new zones due to unicode and str being different on
that version. This patch fixes this behavior ensuring the module
works on both Python verisons 2.7 and 3.x.
Some attributes require a specific IPA version to be used, some were
not documented, some had different text.
This change standardize the text to show that some attributes require
a specific IPA version to be used, and add the versions where they
were not yet documented.
test_users_absent.yml was using users_absent.json. It has been adapted to
use users.json instead with an additional json_query to get only the names
from users_present.json.
create_users_json.yml has been added to create users.json if it is missing
containing 500 users. It is included by test_users_present.yml and
test_users_absent.yml.
users_present.sh has been renamed to users.sh and modified to create by
default users.json with 1000 users and additional with password and
passwordexpiration in two years.
jmespath has been added to pip install list in
tests/azure/templates/playbook_tests.yml to emable the use of json_query.
The requirement for jmespath has been added to tests/README.md.
Azure is building Centos and Fedora containers in every PR. We only need
to have containers builds on a nightly build so we are disabling the
default triggers from Azure.
The script will create the module in plugins/modules, the README, test and
playbook files.
Usage: new_module [options] <module name> <author name>
<author email address>
Create new ansible-freeipa module using templates.
Options:
-m Create module with member support
-f Force creation
-h Print this help
Example:
utils/new_module -m permission "My Name" myname@some.email
This script gets version and release from git describe --tags. It uses
utils/ansible-freeipa.spec.in and the variables to generate
ansible-freeipa.spec in the top folder.
An archive not including the spec file is created to generate the SRPM from.
Added a pipeline file (tests/azure/build-containers.yml) to build test
containers and upload them to quay.io. The pipeline will create
containers with IPA pre-installed for testing proposes on three
different Linux containers: CentOS 7, CentOS 8 and Fedora Latest.
Some attributes are not present in all supported versions of FreeIPA,
and this might cause tests to fail due to unsupported versions.
This patch add the means to test if a test can be executed based on
the target host FreeIPA version.
Since `name_from_ip` has a similar, but not equal, behavior to `name`,
and as the inferred DNS zone might depend on DNS configuration and
can be different than the user expects, it has some limited usage,
and the user must be aware of its effects.
This change to the documentation enhance the documentation including
more details on the attribute usage.
When adding a zone using the option name_from_ip, the user have
little control over the final name of the zone, and if this name
is to be used in further processing in a playbook it might lead to
errors if the inferred name does not match what the user wanted to.
By returning the actual inferred zone name, the name can be safely
used for other tasks in the playbook.
Modified support for processing result of IPA API commands so that
client code can define its own processing and add return values to
self.exit_args based on command result.
If a subclass need to process the result of IPA API commands it should
override the method `process_command_result`. The default implementation
will simply evaluate if `changed` should be true.
IPA CLI has an option `name_from_ip` that provide a name for a zone
from the reverse IP address, so that it can be used to, for example,
manage PTR DNS records.
This patch adds a similar attribute to ipadnszone module, where it
will try to find the proper zone name, using DNS resolve, or provide
a sane default, if a the zone name cannot be resolved.
The option `name_from_ip` must be used instead of `name` in playbooks,
and it is a string, and not a list.
A new example playbook was added:
playbooks/dnszone/dnszone-reverse-from-ip.yml
A new test playbook was added:
tests/dnszone/test_dnszone_name_from_ip.yml
Tests for module ipalocation failed due to missing ipaadmin_password.
Added the variable to the playbooks, and also fixed the examples and
documentation. Some playbooks had identation fixed to two spaces
instead of one for consistency with other modules.
A test was failing due to use of old ipavault module return structure
and some places on the documentation were alse referring to it. All
ocurrences were fixed.
When modifying an existing vault to change the value of `salt`, the
password must also change. It is fine to "change" the password to the
same value, thus only changing the salt value.
The generation of a random salt, when one was not provided, was in the
wrong place and being generated too late to be used properly. Also, the
generation of the value was duplicated.
In some scenarios, the value of the vault type is returned as a tuple,
rather than a string, this made some changes to existing vault to fail.
With this change, the vault type is correctly retrieved, if it was not
provided by the user.
There is a new location management module placed in the plugins folder:
plugins/modules/ipalocation.py
The location module allows to ensure presence or absence of locations.
Here is the documentation for the module:
README-location.md
New example playbooks have been added:
playbooks/location/location-absent.yml
playbooks/location/location-present.yml
New tests for the module:
tests/location/test_location.yml
There is a new selfservice management module placed in the plugins folder:
plugins/modules/ipaselfservice.py
The selfservice module allows to ensure presence and absence of selfservices
and manage selfservice attributes.
Here is the documentation for the module:
README-selfservice.md
New example playbooks have been added:
playbooks/selfservice/selfservice-absent.yml
playbooks/selfservice/selfservice-present.yml
playbooks/selfservice/selfservice-member-absent.yml
playbooks/selfservice/selfservice-member-present.yml
New tests for the module:
tests/selfservice/test_selfservice.yml
There is a new delegation management module placed in the plugins folder:
plugins/modules/ipadelegation.py
The delegation module allows to ensure presence and absence of delegations
and manage delegation attributes.
Here is the documentation for the module:
README-delegation.md
New example playbooks have been added:
playbooks/delegation/delegation-absent.yml
playbooks/delegation/delegation-present.yml
playbooks/delegation/delegation-member-absent.yml
playbooks/delegation/delegation-member-present.yml
New tests for the module:
tests/delegation/test_delegation.yml
The attribute `allow_retrieve_keytab_host` was not working due to
wrong processing of the input and verification if the values should
be updated. Both the issues are fixed by this change.
Tests were added to better verify service keytab members.
The ipavault module was returning a single string value when retrieving
data. To keep consistency with other modules, it should return a dict
with the `data` variable in it.
This change modifies the result of ipavault to be a dict and also fixes
relevant tests, examples and documentation.
FreeIPA 4.8.7 introduced an option to rename an existing hostgroup.
This patch adds support for renaming hostgroups if the option is
available on installed IPA version.
A new state `renamed` and a new option `rename` (alias: `new_name`)
was added to module `ipahostgroup` to allow renaming of host groups.
The implemented behavior is:
* Rename if `name` exists and `rename` doesn't.
* Do nothing if `name` does not exist and `rename` does, or if
`name` equals to `rename`. (result.changed is False)
* Fail if neither or both `name` and `rename` exist.
This PR allow ipadnszone module to ensure that multiple dns zones
are absent at once, to be consistent with other ansible-freeipa
modules.
To fix this issue, it was required that custom arguents must be
passed using keyword arguments so that `get_ipa_command_args()`
is kept generic.
The attribute `skip_host_check` was using dashes instead of
underscores, and the certificate examples could not be used
directly due to formatting. These changes fix both issues.
This change fixes a wrong parameter name in the documentation of
RESULT_VALUES, and also provide a correct YAML snippet to ensure
presence of an asymmetric vault with a formatted private key.
When a fail_json is called a SystemExit exeception is raised.
Since the FreeIPABaseModule has an internal context manager to deal
with exceptions this ContextManager captures the SystemExit. After
dealing destroying the kinit session the SystemExit must be raised again
to allow the fail_json to work properly.
The name "www.ansible.com" was used as a host, but this required
that DNS forwarding is enabled and configured to test serivces
for hosts that have an IP address but are not host objects in IPA.
This change set a a host name that lies in the testing domain, and has
an IP address defined, buth is not added as a host object,
so the forwarding DNS configuration is not needed for this test.
Added comment about problem with no_log in Azure CI. While running on CI
using ansible 2.10a the content of attributes with no_log=True is
replaced by ***** on ansible causing test failures.
* Moved azure CI definitions from azure-pipelines.yml to
tests/azure/azure-pipelines.yml.
* Updated azure CI definitions to run playbook tests using docker
containers.
* Adapted tests/test_playbook_runs.py script to allow tests to be
executed from a docker container.
* Added molecule scenarios to create/destroy test containers and
respective documentation in tests/README.md.
In some case the tests needs to have the class A, B and C of reverse DNS
set in order to function properly. Those missing classes where
added/updated in dnsrecord, services and host tests.
This patch adds suport for the IPA CLI option `posix` when modifying
an existing group. Also, enhances verification of `external` and
`posix/non-posix` groups to avoid unneded API failures (e.g. when
no change to the posix/external status is needed).
A new test was added:
tests/group/test_group_external_nonposix.yml
There is a new role management module placed in the plugins folder:
plugins/modules/iparole.py
The role module allows to ensure presence or absence of roles and
manage role members.
Here is the documentation for the module:
README-role.md
New example playbooks have been added:
playbooks/role/role-is-absent.yml
playbooks/role/role-is-present.yml
playbooks/role/role-member-group-absent.yml
playbooks/role/role-member-group-present.yml
playbooks/role/role-member-host-absent.yml
playbooks/role/role-member-host-present.yml
playbooks/role/role-member-hostgroup-absent.yml
playbooks/role/role-member-hostgroup-present.yml
playbooks/role/role-member-privilege-absent.yml
playbooks/role/role-member-privilege-present.yml
playbooks/role/role-member-service-absent.yml
playbooks/role/role-member-service-present.yml
playbooks/role/role-member-user-absent.yml
playbooks/role/role-member-user-present.yml
playbooks/role/role-members-absent.yml
playbooks/role/role-members-present.yml
playbooks/role/role-rename.yml
New tests for the module:
tests/role/test_role.yml
tests/role/test_role_service_member.yml
The password that is used in the script to generate the CA and also sign
the CSR is not strong enough in FIPS mode. In normal mode the password was
ok, though.
In FIPS mode the password needs to have at least one upper, lower, digit
and a special char.
The parameters master_host_name, config_setup_ca, dirman_password have not
been set for some modules. Also there was no ldap2 connection within
ipareplica_setup_kra. All this resulted in improper configuration where
for example KRA deployment failed in the end.
A conversion warning in ipareplica_setup_adtrust has also been fixed for
the setup_ca parameter.
Fixes#314 (IPA replica installation failure - DS enabled SSL - second part)
With the CA-less patches the types for the pkcs12 infos have been changed
to lists in the modules. This is resulting in a bad conversion from None
to [''] for the parameters. Because of this a normal replica deployment is
failing as [''] is not a valid value.
The install.yml files for ipareplica and also ipaserver have been changed
in the way that the pkcs12 values are checked if they are None. The
parameter will simply be omitted in this case and the parameter in the
module will become None by default.
Ansible is now also supporting discovered_python_interpreter for
action_plugins. task_vars needs to be non Null and contain a setting for
discovered_python_interpreter. The ipaclient_get_otp action_plugin
therefore needed to be adapted.
Due to use of some shell commands that required a Kerberos ticket,
the ipaservice test test_service_disable would no work if a ticket
was not granted before it ran. This patch adresses this issue by
acquiring a ticket for the `admin` user before it is needed, and
destroying the tickets by the end of the test execution.
If a unknown membermanager user presence will be ensured, the unknown user
error was ignored. This has been fixed in ipagroup. The code for the error
handling in ipagroup and ipahostgroup has been adapted because of this.
New tests for tests/[host]group/test_[host]group_membermnager.yml have been
added.
Allows changing passwords of symmetric waults, using a new variable
`new_password` (or the file-base version, `new_password_file`). The
old password must be passed using the `password` or `password_file`
variables that also received new aliases `old_password` and
`old_password_file`, respectively.
Tests were modyfied to reflect the changes.
It was possible to have several entries for names with the hosts and users
lists. This resulted sometimes in errors but also unexpected changes. A new
check has been added to make sure that the names in the users and hosts
lists are unique.
New tests have been added to verify this in the existing files:
- tests/host/test_hosts.yml
- tests/user/test_users.yml
This patch allows the modification of the forward zone policy in
an existing DNS Forward Zone, and fixes some issues with `enable`
and `disable` state that prevented correct behavior of `forwardpolicy`.
Services without certificates, but with keytabs were not being
disabled. This change allows execution of service_disable if
there is a certificate or if has_keytab is true.
A new test was added to verify the issue:
tests/service/test_service_disable.yml
This patch modify the was forwarders are configured, using two attributes,
`ip_address` and `port`, instead of IPA API internal string representation
of `IP port PORT`.
The ca-less PR introduced a bug when http_ca_cert is not set. The test
for loading the certificate is testing for None, but the string will only
be empty in this case.
Related: #298 (Install server and replicas without CA)
Current implementation of hbacrule and sudorule allow for a new rule
creation script to be partialy successful when a member is provided and
the respective member category is set to `all` (either users, hosts,
services, commands, and their group counterparts).
Since the creation of the rule is independent of the adittion of members,
the rule is succesfully created, but member addition fails, leaving with
a created rule that has no members on it.
This patch fixes both modules by verifying if user, host, service or
commands (and groups of members) are being added if the corresponding
category is set to `all`, when the state is `present` and the action is
not `member`. If so, it fails before the rule is created.
This patch add support for the attributes `maxtostname` and
`ca_renewal_master_server` attributes that were missing and
also provide a more complete set of tests.
This change split vault tests in several files, organized by vault
type and operation (vault vs. member) so that it is easier to add
new tests for issues and verify if tests are missing.
This patch adds support for retrieving data stored in an IPA vault by
adding a new valid state for ipavault: `retrieved`.
To allow the retrieval of data from assymetric vaults, the attributes
`private_key`, `private_key_files` and `out` were also added to the
module.
The private key files, `private.pem`, should be paired with the already
existing `public.pem` public key files.
Tests were updated to reflect changes and two new playbooks were added:
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
A group membership manager is a user or a group that can add members to
a group or remove members from a hostgroup.
This is related to https://pagure.io/freeipa/issue/8114
New parameters have been added to the module:
- `membermanager_user`: List of member manager users assigned to this
group. Only usable with IPA versions 4.8.4 and up.
- `membermanager_group`: List of member manager groups assigned to this
group. Only usable with IPA versions 4.8.4 and up.
These parameters behave like member parameters.
A new test has been added:
- tests/hostgroup/test_hostgroup_membermanager.yml
There is a new dnsrecord managem module placed in the plugins folder:
plugins/modules/ipadnsrecord.py
The dnsrecord module allows management of DNS records and is as compatible
as possible with the Ansible upstream `ipa_dnsrecord` module, but provide
some other features like multiple record management in one execution,
support for more DNS record types, and more.
Here is the documentation for the module:
README-dnsrecord
New example playbooks have been added:
playbooks/dnsrecord/ensure-dnsrecord-is-absent.yml
playbooks/dnsrecord/ensure-dnsrecord-is-present.yml
playbooks/dnsrecord/ensure-presence-multiple-records.yml
playbooks/dnsrecord/ensure-dnsrecord-with-reverse-is-present.yml
playbooks/dnsrecord/ensure-multiple-A-records-are-present.yml
playbooks/dnsrecord/ensure-A-and-AAAA-records-are-absent.yml
playbooks/dnsrecord/ensure-A-and-AAAA-records-are-present.yml
playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml
playbooks/dnsrecord/ensure-CNAME-record-is-present.yml
playbooks/dnsrecord/ensure-MX-record-is-present.yml
playbooks/dnsrecord/ensure-PTR-record-is-present.yml
playbooks/dnsrecord/ensure-SRV-record-is-present.yml
playbooks/dnsrecord/ensure-SSHFP-record-is-present.yml
playbooks/dnsrecord/ensure-TLSA-record-is-present.yml
playbooks/dnsrecord/ensure-TXT-record-is-present.yml
playbooks/dnsrecord/ensure-URI-record-is-present.yml
New tests for the module can be found at:
tests/dnsrecord/test_dnsrecord.yml
tests/dnsrecord/test_compatibility_with_ansible_module.yml
tests/dnsrecord/test_dnsrecord_full_records.yml
A group membership manager is a user or a group that can add members to
a group or remove members from a group.
This is related to https://pagure.io/freeipa/issue/8114
New parameters have been added to the module:
- `membermanager_user`: List of member manager users assigned to this
group. Only usable with IPA versions 4.8.4 and up.
- `membermanager_group`: List of member manager groups assigned to this
group. Only usable with IPA versions 4.8.4 and up.
These parameters behave like member parameters.
A new test has been added:
- tests/group/test_group_membermanager.yml
A group membership manager is a user or a group that can add members to
a group or remove members from a hostgroup.
This is related to https://pagure.io/freeipa/issue/8114
New parameters have been added to the module:
- `membermanager_user`: List of member manager users assigned to this
group. Only usable with IPA versions 4.8.4 and up.
- `membermanager_group`: List of member manager groups assigned to this
group. Only usable with IPA versions 4.8.4 and up.
These parameters behave like member parameters.
A new test has been added:
- tests/hostgroup/test_hostgroup_membermanager.yml
This patch changes auth_ind variable to receive a list of values
instead of a single one, so that more than one value can be set
at once.
Tests have been updated to reflect the change.
When using a variable that is invalid for a given action, the `action`
was not being displayed in the error message, leading to a poor user
experience.
This patch changes auth_ind variable to receive a list of values
instead of a single one, so that more than one value can be set
at once.
Tests have been updated to reflect the change.
When using a variable that is invalid for a given action, the `action`
was not being displayed in the error message, leading to a poor user
experience.
This patch explicitly set `no_log` option for `update_password` attribute
to `False`, so that the warning on `no_log` not being set is not issued
anymore. Ansible incorrectly issued the warning, as `update_password` does
not carry sensitive information.
This patch fixes handling of password and public_key files, parameter
validation depending on vault type, usage of `salt` attribute and data
retrieval.
Tests were updated to reflect the changes.
New example playbooks are added:
playbooks/vault/vault-is-present-with-password-file.yml
playbooks/vault/vault-is-present-with-public-key-file.yml
playbooks/vault/retrive-data-asymmetric-vault.yml
playbooks/vault/retrive-data-symmetric-vault.yml
plugins/modules/ipaconfig.py
The config module allows the user change global config settings.
The config module is as compatible as possible to the Ansible upstream
ipa_config module, but adds many extra variables.
Here is the documentation for the module:
README-config.md
With the encoded _http_ca_cert from ipaserver_test it is possible to revert
back to the IPA upstream code to write the pkcs12 http certificates.
The passed _http_ca_cert only needs to be decoded with decode_certificate.
The function load_pkcs12 should not be skipped to verify the given
certificates. After the certificates have been verified and the temporary
certificate copies have been generated, these files are copied to
/etc/ipa/.tmp_pkcs12_* as the temporary files will simply be removed as
soon as the file descriptors have been closed.
Additionally the [http,dirsrv,pkinit]_pkcs12_info is recreated to point to
the copied temporary files.
With this revertion the need to change other modules has been rediced to
the minium, the IPA upstream code can simply be used.
The passed back certificates [http,dirsrv,pkinit]_ca_cert are encoded using
encode_certificate.
The encode_certificate and decode_certificate are needed to encode and
decode a certificate in the way that it can be passed back from a module
and imported back into a usable certificate in another module.
For newer IPA versions the certificate is normally an IPACertificate for
older IPA versions it is simply a bytes array. But in both cases it needs
to be converted not to break Ansible.
The certificates should not be pre-generated as they will expire at some
point. Simply generate them for each test run using the domain used in the
test. Copy the certificate files each time into the test server after
removing the old ones.
Since ipahost uses dnsrecord-show, it raises an error when DNS zone is
not found, but it should not be an ipahost concern.
This patch fixes this behavior by returning no record if DNS zone is
not found, so processing resumes as if there is no record for the host.
It fixes behavior when `state: absent` and dnszone does not exist, so,
host should not exist either, and the ipahost answer is correct and
indifferent to DNS Zone state.
This patch explicitly set `no_log` option for `update_password` attribute
to `False`, so that the warning on `no_log` not being set is not issued
anymore. Ansible incorrectly issued the warning, as `update_password` does
not carry sensitive information.
The `services` member and ownership atttributes were missing from
vault module. This change adds them.
Handling of owner and ownergroups needed to be changed to fix `services`
and, due to this, have also been fixed.
Running test_playbook_runs.py would result of running only the
last collected test but showing the name of the other tests instead.
To fix that the test_path was moved to an argument set by a method
decorator.
IPA CLI allows the creation of vaults without specifying user, service or a
shared vault, defaulting to create a user vault for the `admin` user. The
vault module, required that one of user, service or shared was explicitly
provided, and this patch makes the module behave like the CLI command.
Tests were added to reflect this change.
certmapdata was not processed properly. The certificate was not loaded and
therefore the `issuer` and `subject` could not be compared to the
certmapdata entries in the user record. The function `load_cert_from_str`
from ansible_freeipa_moduleis used for this.
Additionally there was no way to use the certmapdata data format. This
is now possible with the `data` option in the certmapdata dict.
Example: "data: X509:<I>dc=com,dc=example,CN=ca<S>dc=com,dc=example,CN=test"
`data` may not be used together with `certificate`, `issuer` and `subject`
in the same record.
Given certmapdata for the ipauser module is now converted to the internal
data representation using also the new function `DN_x500_text` from
`ansible_freeipa_module`.
New functions `convert_certmapdata` and `check_certmapdata` have been added
to ipauser.
tests/user/certmapdata/test_user_certmapdata.yml has been extended with
additional tasks to verify more complex issuer and subjects and also using
the data format.
This function can be used to check if a command is available in the API.
This is used in ipauser module to check if user_add_certmapdata is available
in the API.
This function is needed to properly convert issuer and subject from a
certificate or the issuer and subject parameters in ipauser for certmapdata
to the data representation where the items in DN are reversed.
The function additionally provides a fallback solution for IPA < 4.5.
Certmapdata is not supported for IPA < 4.5, but the conversion is done
before the API version can be checked.
For certmapdata processing in ipauser it is needed to be able to load a cert
from a string given in the task to be able to get the issuer and subject of
the certificate. The format of the certifiacte here is lacking the markers
for the begin and end of the certificate. Therefore load_pem_x509_certificate
can not be used directly. Also in IPA < 4.5 it is needed to load the
certificate with load_certificate instead of load_pem_x509_certificate. The
function is implementing this properly.
group_remove_member is not able to handle services in old IPA releases.
In one case the check was missing and the removal of a user from a group
failed because of this with an older IPA version. The missing check has
been added.
Fixes#257 (ipagroup fails to remove user from group ipausers)
The host_find command had to be replaced to get the "has_password" and
"has_keytab" return values. This commit replaces the dnsrecord_find
with the dnsrecord_show command to have consistent find functions in
the module.
If random is enabled and update_password is limited to "create_only", the
random password may only be changed if the host does not exist yet.
Additionally the generation of the random password will fail, if the host
is already enrolled if update_password is "always" (default value). An
error will be reported early in this case now.
The command host_show is now used instead of host_find, as `has_password`
and `has_keytab` are only returned by host_show, but not by host_find. The
find_host function has been adapated for this change.
Resolves: #253 (ipahost is not idempotent)
The find_user function was not using encode_certificate for certificates
that are stored in the user record. This could lead to some issues with
older ipa releases and Python 2.
Because of a missing check member attributes (for use with action: member)
are cleared when a non-member attribute is changed. The fix simply adds a
check for None (parameter not set) to gen_add_del_lists in
ansible_freeipa_module to make sure that the parameter is only changed if
it should be changed.
All places where the add and removal lists have been generated manually
have been changed to also use gen_add_del_lists.
Resolves: #252 (The "Manager" attribute is removed when updating any user
attribute)
Even after obtaining Kerberos TGT with temp_kinit(), when connecting to
the IPA API with context `ansible-freeipa`, the API commands complained
that Kerberos credentials were not available. This patch fixes this
behavior.
In the case that the admin password has been set and become was not set
the call to backend.connect in api_connect failed. The solution is simply
to set os.environ["KRB5CCNAME"] in temp_kinit after kinit_password has
been called using the temporary ccache. os.environ["KRB5CCNAME"] is not
used automatically by api.Backend.[ldap2,rpcclient].connect. Afterwards
os.environ["KRB5CCNAME"] is unset in temp_kdestroy if ccache_name is not
None.
Fixes: #249 (Kerberos errors while using the modules with a non-sudoer user)
This patch allows the removal of option `all` from user, host, group,
runasuser, and runasgroup categories, by allowing an empty string as
a valid choice for each option.
The namespace and colleciton name have been hard coded. Now variables are
used for them. The project prefix and collection prefix are now passed to
galaxyify-playbook.py.
The use of "default: idstart+199999" in the description of the idmax
parameter was resulting in the galaxy import error:
Cannot parse "DOCUMENTATION": mapping values are not allowed here in
"<unicode string>", line 52, column 58: ... value for the IDs range
(default: idstart+199999)
The ":" has simply been removed to fix this issue.
When accessing an instance of AnsibleFreeIPAParams with .get the obj was
by-passing the call to _afm_convert which was the primaty reason why it
was created.
Also the class now extends Mapping instead of dict.
There is a new management module placed in the plugins folder:
plugins/modules/ipadnszone.py
The dnszone module allows to manage DNS zones.
Here is the documentation for the module:
README-dnszone.md
New example playbooks have been added:
playbooks/dnszone/disable-zone-forwarders.yml
playbooks/dnszone/dnszone-absent.yml
playbooks/dnszone/dnszone-all-params.yml
playbooks/dnszone/dnszone-disable.yml
playbooks/dnszone/dnszone-enable.yml
playbooks/dnszone/dnszone-present.yml
New tests for the module:
tests/dnszone/test_dnszone.yml
tests/dnszone/test_dnszone_mod.yml
The import of ansible_ipa_server, ansible_ipa_replica and ansible_ipa_client
might result in a permission denied error for the log file. It seems that
for collections the module utils seem to be loaded before the needed
permissions are aquired now.
The fix simply adds a wrapper for standard_logging_setup that is called in
all the modules of the server, replica and client roles to do the loggin
setup as one of the first steps of the module execution and not before.
Due to setting aaaa_extra_create_reverse or a_extra_create_reverse when not
needed, host module fails to add a host with reverse address. This patch
fixes the behavior by only adding *_extra_create_reverse when needed.
There is a new vaultcontainer management module placed in the plugins folder:
plugins/modules/ipadnsconfig.py
The dnsconfig module allows to modify global DNS configuration.
Here is the documentation for the module:
README-dnsconfig.md
New example playbooks have been added:
playbooks/dnsconfig/set_configuration.yml
playbooks/dnsconfig/disable-global-forwarders.yml
playbooks/dnsconfig/disallow-reverse-sync.yml
New tests for the module:
tests/dnsconfig/test_dnsconfig.yml
There is a new service management module placed in the pluginsfolder:
plugins/modules/ipaservice.py
The service module allows to ensure presence and absence of services, and
manage members and certificates of the service.
Here is the documentation for the module:
README-service.md
New example playbooks have been added:
playbooks/service/service-host-is-absent.yml
playbooks/service/service-host-is-present.yml
playbooks/service/service-is-absent.yml
playbooks/service/service-is-disabled.yml
playbooks/service/service-is-present-with-all-attributes.yml
playbooks/service/service-is-present-without-host-object.yml
playbooks/service/service-is-present.yml
playbooks/service/service-member-allow_create_keytab-absent.yml
playbooks/service/service-member-allow_create_keytab-present.yml
playbooks/service/service-member-allow_retrieve_keytab-absent.yml
playbooks/service/service-member-allow_retrieve_keytab-present.yml
playbooks/service/service-member-certificate-absent.yml
playbooks/service/service-member-certificate-present.yml
playbooks/service/service-member-principal-absent.yml
playbooks/service/service-member-principal-present.yml
New tests added for the module:
tests/service/test-service.yml
One test did not use the admin password as the rest of the tests.
This caused the tests/pwpolicy/test_pwpolicy.yml suite to fail.
Changing the password to the same as in others fixes the issue.
Signed-off-by: Petr Vobornik <pvoborni@redhat.com>
For beeing able to catch ipalib.errors.NotFound errors in ipahost it is
needed to import ipalib.errors. ipalib.errors is now imported as
ipalib_errors to not have name conflicts with the errors list used in some
of the modules.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1804838
If no IP address is given and either DNS is not configured or if the zone is
not found then ipahost may not fail in dnsrecord_find.
The error happened for example by ensuring the absence of a host that is not
part of the domain or for a host that has been added with force and is using
a domain that is not served by the DNS server in the domain. It also
happened if there was no DNS server in the domain at all.
A new test case has been added to test_host_ipaddresses.yml
The fix requires ipalib_errors provided by ansible_freeipa_module.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1804838
The check to make sure that member can not be used on non existing hosts
has bee missing. Also the reverse flag for the dnsrecord_add call was None
if the varaible was not set.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1803026
This change is needed to properly handle base64 encoding of certificates
stored as bytes, under Python 3, as used by IPA service. It does not
affect Python 2.7 as bytes are identical to str in this version of the
language.
When retireving certificates stored by FreeIPA service data is returned
as bytes, under Python 3, and encoding then breaks, as there is no
bytes.public_bytes method. In Python 3, encoding with base64 will be the
same for strings and bytes.
host1 was used instead of host5 in the repeated host5 test. This lead to an
error with the new IP address handling in ipahost. It was correctly
reporting a change for host1 which resulted in a failed test.
ipahost was so far ignoring IP addresses when the host already existed.
This happened because host_mod is not providing functionality to do this.
Now ipaddress is a list and it is possible to ensure a host with several
IP addresses (these can be IPv4 and IPv6). Also it is possible to ensure
presence and absence of IP addresses for an exising host using action
member.
There are no IP address conclict checks as this would lead into issues with
updating an existing host that already is using a duplicate IP address for
example for round-robin (RR). Also this might lead into issues with ensuring
a new host with several IP addresses in this case. Also to ensure a list of
hosts with changing the IP address of one host to another in the list would
result in issues here.
New example playbooks have been added:
playbooks/host/host-present-with-several-ip-addresses.yml
playbooks/host/host-member-ipaddresses-absent.yml
playbooks/host/host-member-ipaddresses-present.yml
A new test has been added for verification:
tests/host/test_host_ipaddresses.yml
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1783976https://bugzilla.redhat.com/show_bug.cgi?id=1783979
Bool types are not iterable. Therefore the comparison using sets was failing
with a TypeError. This prevented to change the bool parameters for hosts.
A test for the host module has been added to verify that the bool parameters
can be modified.
New test:
tests/host/test_host_bool_params.yml
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1784514
Most tests have simply been using the Tests as name, but this there is a
lack of information in automated runs. The name should be similar to the
test file name.
Changing members (host, hostgroup, hbacsvc, hbacsvcgroup, user, group) with
action hbacrule was not working due to the use of the wrong parameter
prefix. This has been fixed and the old members are removed correctly now.
The test script has been reworked completely to verify the fix.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1787996
If the name is not set, the policy global_policy is now used. It was needed
before to explicitly name the global_policy. Also a check has been added
to fail early if global_policy is used with state absent.
The README for pwpolicy has been extended with an example for global_policy
and also the description of the name variable.
The test has also been extended to check a change of maxlife for
global_policy and that global_policy can not be used with state: absent
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1797532
This patch adds the following attributes to ipasudorule:
- order
- sudooption
- runasuser
- runasgroup
It also fixes behavior of sudocmd assigned to the the sudorule, with the
adittion of the attributes:
- allow_sudocmds
- deny_sudocmds
- allow_sudocmdgroups
- deny_sudocmdgroups
README-sudorule and tests have been updated to comply with the changes.
Use ipaserver_realm as a fallback if ipareplica_realm is not defined. This
had been done for ipareplica_domain and ipaserver_domain, but was missing
for ipareplica_realm and ipaserver_realm.
Related: #114 (ipareplica 'Env' object has no attribute 'realm')
This fixes the issue https://github.com/freeipa/ansible-freeipa/issues/185, where the python script was launching an exception
There was a lack of verification that the input string (for the description) was a text string
The failure message if member parameters like certificate, managedby_host,
principal, allow_create_keytab_* and allow_retrieve_keytab_* are used
without member action for state absent has been enhanced to propose the
member action.
It was not possible to reset the userauthtype. The empty string has been
added to userauthtype for this.
Also ipauser will only depend on given first and last name if the user
does not exist yet. For the update operation these parameters are not
needed anymore.
The choices for the auth_ind parameter have been wrong. The choices are now
['radius', 'otp', 'pkinit', 'hardened', '']. The empty string has been added
to be able to rest auth_ind for the host entry.
There is a new vault management module placed in the plugins folder:
plugins/modules/ipavault.py
The vault module allows to ensure presence and absence of vaults, manage
members and owner of the vault, and archive data in the vault.
Here is the documentation for the module:
README-vault.md
New example playbooks have been added:
playbooks/vault/data-archive-in-asymmetric-vault.yml
playbooks/vault/data-archive-in-symmetric-vault.yml
playbooks/vault/ensure-asymetric-vault-is-absent.yml
playbooks/vault/ensure-asymetric-vault-is-present.yml
playbooks/vault/ensure-service-vault-is-absent.yml
playbooks/vault/ensure-service-vault-is-present.yml
playbooks/vault/ensure-shared-vault-is-absent.yml
playbooks/vault/ensure-shared-vault-is-present.yml
playbooks/vault/ensure-standard-vault-is-absent.yml
playbooks/vault/ensure-standard-vault-is-present.yml
playbooks/vault/ensure-symetric-vault-is-absent.yml
playbooks/vault/ensure-symetric-vault-is-present.yml
playbooks/vault/ensure-vault-is-present-with-members.yml
playbooks/vault/ensure-vault-member-group-is-absent.yml
playbooks/vault/ensure-vault-member-group-is-present.yml
playbooks/vault/ensure-vault-member-user-is-absent.yml
playbooks/vault/ensure-vault-member-user-is-present.yml
playbooks/vault/ensure-vault-owner-is-absent.yml
playbooks/vault/ensure-vault-owner-is-present.yml
New tests added for the module:
tests/vault/test_vault.yml
dependencoies may not be an empty dict like in the past, but it may also not
be missing. It simply needs to be empty.
Fixes#146 (ansible-freeipa collection not installable by 2.9 ansible-galaxy collection install)
If there is no domain set for email addresses, extend the email addresses
with the default email domain that is gathered from the config_show output.
This fixes RHBZ#1747413 ([ansible-freeipa] user module throwing an error if..)
There are some commands in the IPA API that do not require
arguments, and current implementation does not allow these
commands to be execute.
This patch adds api_command_no_name to allow the execution
of such commands, which is required, for example, to create
a vaultcontainer management module.
The use of zone_overlay_check for the domain name validation is not good
for a repeated execution of the server deployment where setup_dns is
enabled. The zone overlay check will fail with "DNS zone X already exists
in DNS". zone_overlay_check is later on used in dns.install_check so it is
not needed to do it here also.
Fixes issues #164 (domain option validator should not call zone overlap..)
ipareplica role by default tries to configure firewalld but it didn't
check if firewalld related packages were installed.
Similar to DNS and trust to AD features, install firewalld-related
packages before trying to configure firewalld.
Additionally, enable and start firewalld.service because otherwise
firewall-cmd cannot communicate with firewalld itself (it is not
starting on demand).
If and administrator considers not to use firewalld, a default for
ipareplica_setup_firewalld variable has to be set to 'no'.
Fixes: https://github.com/freeipa/ansible-freeipa/issues/116
ipaserver role by default tries to configure firewalld but it didn't
check if firewalld related packages were installed.
Similar to DNS and trust to AD features, install firewalld-related
packages before trying to configure firewalld.
Additionally, enable and start firewalld.service because otherwise
firewall-cmd cannot communicate with firewalld itself (it is not
starting on demand).
If and administrator considers not to use firewalld, a default for
ipaserver_setup_firewalld variable has to be set to 'no'.
Fixes: https://github.com/freeipa/ansible-freeipa/issues/116
The ipahost management module was not able to add several hosts at once.
Addtionally there have been settings missing.
ansible_freeipa_module has been extended to provide two additional functions
that are needed to simplify the extension of the ipahost module:
gen_add_del_lists(user_list, res_list)
encode_certificate(cert)
gen_add_del_lists will generate the lists for the addition and removal of
members using the provided user and ipa settings.
encode_certificate will encode a certificate using base64 with also taking
FreeIPA and Python versions into account.
The missing settings in ipahost have been:
certificate
managedby_host
principal
create_keytab_[user,group,host,hostgroup]
retrieve_keytab_[user,group,host,hostgroup]
sshpubkey
userclass
auth_ind
requires_pre_auth
ok_as_delegate
ok_to_auth_as_delegate
The README-host.md file has been updated to provide information about the
new settings and also the members. Also examples for the new things have
been added.
New example playbooks have been added:
playbooks/host/add-host.yml
playbooks/host/host-member-allow_create_keytab-absent.yml
playbooks/host/host-member-allow_create_keytab-present.yml
playbooks/host/host-member-allow_retrieve_keytab-absent.yml
playbooks/host/host-member-allow_retrieve_keytab-present.yml
playbooks/host/host-member-certificate-absent.yml
playbooks/host/host-member-certificate-present.yml
playbooks/host/host-member-managedby_host-absent.yml
playbooks/host/host-member-managedby_host-present.yml
playbooks/host/host-member-principal-absent.yml
playbooks/host/host-member-principal-present.yml
playbooks/host/host-present-with-allow_create_keytab.yml
playbooks/host/host-present-with-allow_retrieve_keytab.yml
playbooks/host/host-present-with-certificate.yml
playbooks/host/host-present-with-managedby_host.yml
playbooks/host/host-present-with-principal.yml
playbooks/host/host-present-with-randompassword.yml
playbooks/host/host-present.yml
playbooks/host/hosts-member-certificate-absent.yml
playbooks/host/hosts-member-certificate-present.yml
playbooks/host/hosts-member-managedby_host-absent.yml
playbooks/host/hosts-member-managedby_host-present.yml
playbooks/host/hosts-member-principal-absent.yml
playbooks/host/hosts-member-principal-present.yml
playbooks/host/hosts-present-with-certificate.yml
playbooks/host/hosts-present-with-managedby_host.yml
playbooks/host/hosts-present-with-randompasswords.yml
New tests have been added for the module:
tests/host/certificate/cert1.der
tests/host/certificate/cert1.pem
tests/host/certificate/cert2.der
tests/host/certificate/cert2.pem
tests/host/certificate/cert3.der
tests/host/certificate/cert3.pem
tests/host/certificate/private1.key
tests/host/certificate/private2.key
tests/host/certificate/private3.key
tests/host/certificate/test_host_certificate.yml
tests/host/certificate/test_hosts_certificate.yml
tests/host/test_host.yml
tests/host/test_host_allow_create_keytab.yml
tests/host/test_host_allow_retrieve_keytab.yml
tests/host/test_host_managedby_host.yml
tests/host/test_host_principal.yml
tests/host/test_host_random.yml
tests/host/test_hosts.yml
tests/host/test_hosts_managedby_host.yml
tests/host/test_hosts_principal.yml
The files for RHEL-8 (RedHat-8.yml) have simply been linked to CentOS-8.yml
for the ipaserver, ipareplica and ipaclient roles.
Fixes issue #121 (roles/*/vars needs CentOS-8.yml files)
The use of gssapi.creds.Credentials is not good if krb5 ticket forwarding
is used. It will fail. gssapi.Credentials with usage and store is the proper
way to do this.
The random password is only returned if random is yes and the host did
not exist or update_password is yes.
If only one host is handled by the module, the returned dict is containing
this dict:
{ "randompassword": "<the host random password>" }
If several hosts are handled by the module (future feature):
{ "<host>": { "randompassword": "<the host random password>" } }
Fixes issue #134 (ipahost does not return the random password)
The random password is only returned if random is yes and user did not exist
or update_password is yes.
If only one user is handled by the module, the returned dict is containing
this dict:
{ "randompassword": "<the user random password>" }
If several users are handled by the module:
{ "<user>": { "randompassword": "<the user random password>" } }
This is related to issue #134 (ipahost does not return the random password)
The sssd options in the ipaclient role missed a 's' in the role. The readme
of the role used the proper names with 3 's'. The names in the role have
been fixed and if the old setting are used, they will be used in the first
place.
Also utils/ansible-ipa-client-install has been adaped to use the proper
option names now.
This fixes issue #145 (The ipaclient role misspells sssd)
Add command and information about ansible-galaxy collection install. Installing collections
using the ansible-galaxy command is only supported with ansible 2.9+. The mazer tool can
be used for to install the collection for ansible 2.8:
There is a new sudorule (Sudo Rule) management module placed in the plugins
folder:
plugins/modules/ipasudorule.py
The sudorule module allows to ensure presence and absence of Sudo Rules.
Here is the documentation for the module:
README-sudorule.md
New example playbooks have been added:
playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
playbooks/sudorule/ensure-sudorule-is-absent.yml
playbooks/sudorule/ensure-sudorule-is-disabled.yml
playbooks/sudorule/ensure-sudorule-is-enabled.yml
playbooks/sudorule/ensure-sudorule-is-present.yml
playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml
New tests added for the module:
tests/hbacrule/test_sudorule.yml
The changed flag returned by ipahostgroup calls have not always been correct.
The use of the module with IPA version 4.6 on RHEL-7 resulted in encoding
errors. All this has been fixed.
Addtitionally new test cases have been added to make sure that the issues
are solved.
There is a new hbacrule (HBAC Rule) management module placed in the plugins
folder:
plugins/modules/ipahbacrule.py
The hbacrule module allows to ensure presence and absence of HBAC Rules.
Here is the documentation for the module:
README-hbacrule.md
New example playbooks have been added:
playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml
New tests added for the module:
tests/hbacrule/test_hbacrule.yml
The information about the version limitation of the passwordexpiration
parameter has been missing. The parameter is only usable for IPA versions
4.7 and up.
The changed flag returned by ipagroup calls have not been correct. This
change fixes this. Addtitionally new test cases have been added to make
sure that the changed flag is correct.
group_add_member is only supporting services in more recent IPA versions.
This is 4.7+. Code has been added to detect if services are supported by
the used IPA version and used in the parameters of the module. In this case
an error is printed.
Additionally all parameters will be get from the module using
module_params_get provided by ansible_freeipa_module. Additional to_text
conversions have been removed as they are not needed anymore with this.
There is a new hbacsvcgroup (HBAC Service Group) management module placed
in the plugins folder:
plugins/modules/ipahbacsvcgroup.py
The hbacsvc module allows to ensure presence and absence of HBAC Service
Groups.
Here is the documentation for the module:
README-hbacsvcgroup.md
New example playbooks have been added:
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml
New tests added for the module:
tests/hbacsvcgroup/test_hbacsvcgroup.yml
There is a new hbacsvc (HBAC Service) management module placed in the plugins
folder:
plugins/modules/ipahbacsvc.py
The hbacsvc module allows to ensure presence and absence of HBAC Services.
Here is the documentation for the module:
README-hbacsvc.md
New example playbooks have been added:
playbooks/hbacsvc/ensure-hbacsvc-absent.yml
playbooks/hbacsvc/ensure-hbacsvc-present.yml
New tests added for pwpolicy:
tests/hbacsvc/test_hbacsvc.yml
There is a new pwpolicy management module placed in the plugins folder:
plugins/modules/ipapwpolicy.py
The pwpolicy module allows to ensure presence and absence of pwpolicies for
groups.
Here is the documentation for the module:
README-pwpolicy.md
New example playbooks have been added:
playbooks/pwpolicy/pwpolicy_absent.yml
playbooks/pwpolicy/pwpolicy_present.yml
New tests added for pwpolicy:
tests/pwpolicy/test_pwpolicy.yml
With IPA 4.5 integers for examle in pwpolicy_find are returned as
integer values. The internally generated value will be converted from
integer to string (using to_text) if the value from find call result
is a string (or unicode for Python2).
There is a new sudocmdgroup management module placed in the plugins folder:
plugins/modules/ipasudocmdgroup.py
The sudocmdgroup module allows to add or remove sudo command groups..
The sudocmdgroup module is as compatible as possible to the Ansible upstream
ipa_sudocmdgroup module, and additionally offers to ensure member presence
and absence.
Here is the documentation for the module:
README-sudocmdgroup.md
New example playbooks have been added:
playbooks/sudocmd/ensure-sudocmdgroup-is-absent.yml
playbooks/sudocmd/ensure-sudocmdgroup-is-present.yml
playbooks/sudocmd/ensure-sudocmd-is-absent-in-sudocmdgroup.yml
playbooks/sudocmd/ensure-sudocmd-is-present-in-sudocmdgroup.yml
A test playbook is provided in:
tests/sudocmdgroup/test_sudocmdgroup.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
There is a new sudocmd management module placed in the plugins folder:
plugins/modules/ipasudocmd.py
The sudocmd module allows to add or remove sudo commands.
The sudocmd module is as compatible as possible to the Ansible upstream
ipa_sudocmd module.
Here is the documentation for the module:
README-sudocmd.md
New example playbooks have been added:
playbooks/sudocmd/ensure-sudocmd-is-absent.yml
playbooks/sudocmd/ensure-sudocmd-is-present.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The ipauser module now supports all user settings and additionally to ensure
the presence of several users with the new users setting. The users setting
can also be used with other states, but it has to be limited to only contain
the name of the users.
There updated user management module is placed in the plugins folder:
plugins/modules/ipauser.py
The user module now additionally allows to handle these user settings:
initials
principalexpiration
random
city
userstate
postalcode
mobile
pager
fax
orgunit
manager
carlicense
sshpubkey
userauthtype
userclass
radius
radiususer
departmentnumber
employeenumber
employeetype
preferredlanguage
certificate
certmapdata
noprivate
nomembers
Here is the updated documentation for the module:
README-user.md
New example playbooks have been added:
playbooks/user/user_certificate_absent.yml
playbooks/user/user_certificate_present.yml
playbooks/user/user_present.yml
playbooks/user/users_absent.yml
playbooks/user/users_certificate_absent.yml
playbooks/user/users_certificate_present.yml
playbooks/user/users_present.yml
plugins/modules/ipauser.py
New tests added for ipauser:
tests/user/certificate/cert1.der
tests/user/certificate/cert1.pem
tests/user/certificate/cert2.der
tests/user/certificate/cert2.pem
tests/user/certificate/cert3.der
tests/user/certificate/cert3.pem
tests/user/certificate/private1.key
tests/user/certificate/private2.key
tests/user/certificate/private3.key
tests/user/certificate/test_user_certificate.yml
tests/user/certificate/test_users_certificate.yml
tests/user/certmapdata/test_user_certmapdata.yml
tests/user/certmapdata/test_user_certmapdata_issuer_subject.yml
tests/user/certmapdata/test_users_certmapdata.yml
tests/user/test_user.yml
tests/user/test_users.yml
tests/user/test_users_absent.yml
tests/user/test_users_invalid_cert.yml
tests/user/test_users_present.yml
tests/user/test_users_present_slice.yml
tests/user/users_absent.json
tests/user/users_absent.sh
tests/user/users_present.json
tests/user/users_present.sh
The function api_get_realm is returning the realm of a connected FreeIPA
api. This is needed for proper principal checks in the extended ipauser
module that supports principals now.
The conversion is needed because older FreeIPA versions are returning
tuples in some cases instead of lists. To be able to compare them the
conversion to a list is needed.
The module_params_get function can and should be used as a replacement of
ansible_module.params.get. For Python2 it is needed to convert parameters
to unicode. Otherwise there will be an error in the FreeIPA API command.
The private function _afm_convert has been added to do the conversion
recursively.
api_check_param can be used to verify if params are available for a command
in the used FreeIPA version. The function has been added as api is normally
not imported into modules.
api_command is always used within try clause, therefore it is not needed
to have an extra try clause within api_command. Additionally it is needed
to get the dofferent errors in the next level.
The ipagroup module was not using the failed and completed items in the dict
that is returned with api_command. But it was creating add and remove
lists for users, groups and services. This is not needed if the failures
"already a member" and "not a member" in the result failures are ignored.
Only other failures are reported.
The serial numbers have not been set for the creation of the CA and also
to sign the request. Because of this the local time has been used, which
resulted sometimes in the use of the same time stamp for the CA and the
signing reuqest. The import failed then with same issuer and serial number
error.
The cat to generate the chain.crt has been replaces with openssl x509 calls.
Some comments have also been added.
The script in external-signed-ca-with-manual-copy has been replaced with a
link to the external-signed-ca-with-automatic-copy directory.
The states member_present and member_absent are not used and should also not
be used. This is a remain of the first try to ensure absence and presence
of users (members) in the group. This has been replaced with the setting
action: member.
There is a new hostgroup management module placed in the plugins folder:
plugins/modules/ipahostgroup.py
The hostgroup module allows to add, remove and disable hosts.
The hostgroup module is as compatible as possible to the Ansible upstream
ipa_hostgroup module, but addtionally offers to ensure member presence and
absence.
Here is the documentation for the module:
README-hostgroup.md
New example playbooks have been added:
playbooks/hostgroup/ensure-hostgroup-is-absent.yml
playbooks/hostgroup/ensure-hostgroup-is-present.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
There is a new hostgroup management module placed in the plugins folder:
plugins/modules/ipahostgroup.py
The hostgroup module allows to add, remove and disable hosts.
The hostgroup module is as compatible as possible to the Ansible upstream
ipa_hostgroup module, but addtionally offers to ensure member presence and
absence.
Here is the documentation for the module:
README-hostgroup.md
New example playbooks have been added:
playbooks/hostgroup/ensure-hostgroup-is-absent.yml
playbooks/hostgroup/ensure-hostgroup-is-present.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
With Ansible there is no add or remove user, there is only ensure presence
or absence of users. The descriptions have been adapted to make sure that
the description is correct now.
There is a new user management module placed in the plugins folder:
plugins/modules/ipauser.py
The host module allows to add, remove and disable hosts.
The host module is as compatible as possible to the Ansible upstream
ipa_host` module, but addtionally offers to disable hosts.
Here is the documentation for the module:
README-host.md
New example playbooks have been added:
playbooks/host/add-host.yml
playbooks/host/delete-host.yml
playbooks/host/disable-host.yml
configure_nsswitch_database has been removed with the freeipa commit
41ef8fba31
The 4.4 compatibility hack leads to a ALREADY installed error in
ipaclient_test because of the removal. This affects ipaclient and
ipareplica roles and also the ipaclient deployment part in ipaserver.
configure_nsswitch_database is not used any more in ipaclient role modules
and therefore simply can be removed from ansible_ipa_client.
The GSSAPI can be enabled in the management modules with either the
KRB5CCNAME or the KRB5_CLIENT_KTNAME environment variable.
For KRB5CCNAME it is needed to create a ccache file
kinit admin@TEST.LOCAL -c /root/admin.ccache
that is transferred to the nodes (here into /root) and activated in the
playbook with
environment:
KRB5CCNAME: /root/admin.ccache
For KRB5_CLIENT_KTNAME a admin keytab has to be generated
ipa-getkeytab -s ipaserver.test.local -p admin@TEST.LOCAL -k \
/root/admin.keytab
that is transferred to the nodes (here into /root) and activated in the
playbook with
environment:
KRB5_CLIENT_KTNAME: /root/admin.keytab
It will be needed to set ipaadmin_principal if the admin principal is not
admin.
The management modules can be used without a password in this case.
This option is the same as the --become-method option with ansible-playbook.
If this option is set, become_method will be set in the generated playbook.
If the --playbook-dir option is used, the inventory and playbook files will
be generated in this directory. The files will not be removed after the
playbook processing ended.
If the directory does not exist an error message will be printed and the
utility will not continue.
These settings are file descriptors if external certificates are used and
are not used later in the roles. Therefore these settings have been removed.
Fixes: #110 (Ansible error with external certificates)
The used code for continuous output from the ansible-playbook call was
only working for Python2. The output has only been printed when the command
finised. This code has been replaced with code that is working with Python2
and Python3.
These are utils scripts to do a server,replica or client deployment and
undeployment using the ansible roles. A client inventory and playbook is
generated by the script which is then used with ansible-playbook.
The command line options or the normal command line installers
ipa-server-install, ipa-replica-install and ipa-client-install are all
supported also by these scripts.
Additonally to the commadn line of the normal installers it is needed to
add the fqdn of the host to be installed.
It is needed that the ansible-freeipa roles are available and also usable
by ansible.
Currently it is ignored if the entry for reinitialized can not be found if
the name or left and right are not correct. Now there is a failure in this
case.
Fixes: #107 (Reinitialize are failed to find the node in ipatopology ..)
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
With adding the domain and ca suffixes with `suffix: domain+ca` only ca
has been added as the suffix was only used from the last command. The
suffix is now stored together with the command and the argument. This
will fix this error.
Fixes: #106 (Last suffix adding twice in the list of topology segments)
In the README these settings have been single values instead of string
lists:
ipareplica_http_cert_file
ipareplica_pkinit_cert_file
instead of
ipareplica_http_cert_files
ipareplica_pkinit_cert_files
This script will to the following steps:
- Fix the galaxy release in galaxy.yml
- Remove emacs backup files
- Link module_utils, modules and action_plugins from roles to plugins/..
- Fix import prefix for module_utils
- Fix module prefixes in playbooks and example playbooks
- Build release using mazer
- Clean up again
The documentation of the module paramaters have been updated. The parameter
list has been updated and all parameters are providing a description and
the required argument has been updated to reflect current setting in the
module.
This one was missed in the big module update.
The check for the existence of get_custodia_instance in custodiainstance
is not sufficient for the use od create_replica in CustodiaInstance. A new
check for create_replica in CustodiaInstance has been added.
The documentation of the module paramaters have been updated. The parameter
list has been updated and all parameters are providing a description and
the required argument has been updated to reflect current setting in the
modules.
All module_utils are now providing the __all__ structure. Alse the imports
in the modules have been updated to only import freeipa sturctures from
module_utils.
Use and generation of dirsrv_pkcs12_info, http_pkcs12_info and
pkinit_pkcs12_info has been fixed in:
- ipaserver_setup_ds
- ipaserver_setup_http
- ipaserver_test
Some errors have been printed to the error log only and fail_json only got
an empty string as error message. This made the causes of the errors hard
to get.
These two varibles in the dns binding are initialized in the installation
check in the install_check parts of ipareplica_prepare and used later on
in the dns configuration in ipareplica_setup_dns.
The description of ipaclient_on_master in the ipaclient README was
providing the information that the flag is also used for relicas. This
is not correct and has been removed.
When OTP is used for installation of a client or the client part of
a replica and also there is no DNS record for the client, then
ipaclient_get_otp fails in the host_add call.
With the force mode the host_add call will ignore the missing DNS
record and will properly add the host. The host information and also
the DNS record will be updated while deploying the client according
to the given settings.
Fixes: #74 (ipaclient fails when ipaclient_use_otp is true and client ..)
Since 4.7.1 it is needed to use CustodiaModes.FIRST_MASTER instead of
CustodiaModes.MASTER_PEER for the get_custodia_instance.
This has been fixed already in ipaserver_setup_ca and also
ipaserver_setup_custodia, but was missed in ipaserver_setup_kra.
Fixes: #92 (KRA install fails in tasks: [ipaserver : Install - Setup KRA])
There is a new group management module placed in the plugins folder:
plugins/modules/ipagroup.py
The group module allows to add, remove, enable, disable, unlock und undelete
groups.
The group module is as compatible as possible to the Ansible upstream
`ipa_group` module, but addtionally offers to add users to a group and also
to remove users from a group.
Here is the documentation for the module:
README-group.md
New example playbooks have been added:
playbooks/user/add-groups-to-group.yml
playbooks/user/add-user-to-group.yml
playbooks/user/add-group.yml
playbooks/user/delete-group.yml
There is a new user management module placed in the plugins folder:
plugins/modules/ipauser.py
The user module allows to add, remove, enable, disable, unlock und undelete
users.
The user module is as compatible as possible to the Ansible upstream
`ipa_user` module, but addtionally offers to preserve delete, enable,
disable, unlock and undelete users.
Here is the documentation for the module:
README-user.md
New example playbooks have been added:
playbooks/user/add-user.yml
playbooks/user/delete-user.yml
playbooks/user/enable-user.yml
playbooks/user/disable-user.yml
playbooks/user/delete-preserve--user.yml
playbooks/user/undelete-user.yml
date_format parses the supported date formats and creates a datetime object.
compare_args_ipa compares generated args with args returned by IPA command
find_ functions.
sync_time is not using options anymore, but has two new arguments. These
are ntp_servers and ntp_pool. The options argument is not used anymore.
This requires to use inspect on sync_time to be able to detect if the old
or the new function is available.
The call for get_time_source has been added, but is documented out as the
call is only useful in interactive mode.
ipaserver_test now returns ntp_servers and ntp_pool, which are then used
for ipaserver_setup_ntp.
sync_time is not using options anymore, but has two new arguments. These
are ntp_servers and ntp_pool. The options argument is not used anymore.
This requires to use inspect on sync_time to be able to detect if the old
or the new function is available.
The call for get_time_source has been added, but is documented out as the
call is only useful in interactive mode.
ipaclient_test now returns ntp_servers and ntp_pool, which are then used
for ipaclient_setup_ntp.
If kinit_password call failed because of wrong password or even because
kinit was not found, there was a very unspecific error message. Now these
errors will be properly reported.
Fixes: RHBZ#1727277
The raises of RuntimeError, ValueError and ScriptError are currently not
properly handled in ipaserver_prepare. This results in a trace back error
shown in Ansible instead of only showing the error message.
This happened for example if a nameserver is in /etc/resolv.conf that is
not reachable.
The use of password will conflict with the user password setting and is
not really descriptive. ipaadmin_principal and ipaadmin_password are also
used in the roles.
This adds support for the --external-ca option to ipaserver. Lots of
additional tests and checks from ServerInstallInterface.__init__ have
been added to ipaserver_test. Also duplicate tests cna checks have been
removed.
Installer settings in ansible_ipa_server module_util are now also set
to the defaults that are used in Installable, ServerInstallInterface,
ServerMasterInstall, ADTrustInstallInterface and Uninstall.
The /root/ipa.csr file generated on the node in ca.install_step_0 will
be copied to the controller as "{{ inventory_hostname }}-ipa.csr".
The new task file copy_external_cert.yml has been added to copy the
generated certificate defined in ipaserver_external_cert_files to the node
to continue with ca.install_step_1.
The tasks/install.yml file has been adapted to make sure that the steps
that will be done in step two will be skipped after step one has been
done.
These two settings are not set using the krb.init_info method, but used in
krb.enable_ssl.
The configuration of PKINIT fails in IPA 4.7.0 because of the issue
https://pagure.io/freeipa/issue/7655 where auto detection of the
master is not properly working. With the missing setting of krb.master_fqdn
the not workint auto detection has been triggered, which resulted in
failed PKINIT enablement.
Some settings for kra have not been correct for kra with the change to
use single Custodia instance in the installer (freeipa 994f71ac8).
These modules have been adapted:
ipareplica_custodia_import_dm_password
ipareplica_enable_ipa
ipareplica_setup_ca
ipareplica_setup_custodia
ipareplica_setup_kra
This is related to freeipa#0f31564b35aac250456233f98730811560eda664
During ipa-replica-install, http installation first creates a service
principal for http/hostname (locally on the soon-to-be-replica), then
waits for this entry to be replicated on the master picked for the
install.
In a later step, the installer requests a certificate for HTTPd. The local
certmonger first tries the master defined in xmlrpc_uri (which is
pointing to the soon-to-be-replica), but fails because the service is not
up yet. Then certmonger tries to find a master by using the DNS and looking
for a ldap service. This step can pick a different master, where the
principal entry has not always be replicated yet.
As the certificate request adds the principal if it does not exist, we can
end by re-creating the principal and have a replication conflict.
The replication conflict later causes kerberos issues, preventing
from installing a new replica.
The proposed fix forces xmlrpc_uri to point to the same master as the one
picked for the installation, in order to make sure that the master already
contains the principal entry.
https://pagure.io/freeipa/issue/7041
This has not been done so far in the ansible_ipa_client, but only in the
modules where it was really needed. But as these places are getting more
with 4.7.90, this setting makes it into the module_utils.
The config module allows the setting of global config parameters within IPA. If no parameters are specified it returns the list of all current parameters.
The config module is as compatible as possible to the Ansible upstream `ipa_config` module, but adds many additional parameters
Features
--------
* IPA server configuration management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaconfig module.
Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to read config options:
```yaml
---
- name:Playbook to handle global config options
hosts:ipaserver
become:true
tasks:
- name:return current values of the global configuration options
ipaconfig:
ipaadmin_password:password
register:result
- name:display default login shell
debug:
msg:'{{result.config.defaultlogin }}'
- name:ensure defaultloginshell and maxusernamelength are set as required
ipaconfig:
ipaadmin_password:password
defaultlogin:/bin/bash
maxusername:64
```
```yaml
---
- name:Playbook to ensure some config options are set
hosts:ipaserver
become:true
tasks:
- name:set defaultlogin and maxusername
ipaconfig:
ipaadmin_password:password
defaultlogin:/bin/bash
maxusername:64
```
Variables
=========
ipauser
-------
**General Variables:**
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`maxusername` \| `ipamaxusernamelength` | Set the maximum username length (1 to 255) | no
`maxhostname` \| `ipamaxhostnamelength` | Set the maximum hostname length between 64-255. Only usable with IPA versions 4.8.0 and up. | no
`homedirectory` \| `ipahomesrootdir` | Set the default location of home directories | no
`defaultshell` \| `ipadefaultloginshell` | Set the default shell for new users | no
`defaultgroup` \| `ipadefaultprimarygroup` | Set the default group for new users | no
`emaildomain`\| `ipadefaultemaildomain` | Set the default e-mail domain | false
`searchtimelimit` \| `ipasearchtimelimit` | Set maximum amount of time (seconds) for a search -1 to 2147483647 (-1 or 0 is unlimited) | no
`searchrecordslimit` \| `ipasearchrecordslimit` | Set maximum number of records to search -1 to 2147483647 (-1 or 0 is unlimited) | no
`usersearch` \| `ipausersearchfields` | Set list of fields to search when searching for users | no
`groupsearch` \| `ipagroupsearchfields` | Set list of fields to search in when searching for groups | no
`groupobjectclasses` \| `ipagroupobjectclasses` | Set default group objectclasses (list) | no
`userobjectclasses` \| `ipauserobjectclasses` | Set default user objectclasses (list) | no
`pwdexpnotify` \| `ipapwdexpadvnotify` | Set number of days's notice of impending password expiration (0 to 2147483647) | no
`configstring` \| `ipaconfigstring` | Set extra hashes to generate in password plug-in (choices:`AllowNThash`, `KDC:Disable Last Success`, `KDC:Disable Lockout`, `KDC:Disable Default Preauth for SPNs`). Use `""` to clear this variable. | no
`selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no
`selinuxusermapdefault`\| `ipaselinuxusermapdefault` | Set default SELinux user when no match is found in SELinux map rule | no
`pac_type` \| `ipakrbauthzdata` | set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
Return Values
=============
Variable | Description | Returned When
-------- | ----------- | -------------
`config` | config dict <br/>Fields: | No values to configure are specified
| `maxusername` |
| `maxhostname` |
| `homedirectory` |
| `defaultshell` |
| `defaultgroup` |
| `emaildomain` |
| `searchtimelimit` |
| `searchrecordslimit` |
| `usersearch` |
| `groupsearch` |
| `enable_migration` |
| `groupobjectclasses` |
| `userobjectclasses` |
| `pwdexpnotify` |
| `configstring` |
| `selinuxusermapdefault` |
| `selinuxusermaporder` |
| `pac_type` |
| `user_auth_type` |
| `domain_resolution_order` |
| `ca_renewal_master_server` |
All returned fields take the same form as their namesake input parameters
The dnsforwardzone module allows the addition and removal of dns forwarders from the IPA DNS config.
It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
Features
--------
* DNS zone management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipadnsforwardzone module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure presence of a forwardzone to ipa DNS:
```yaml
---
- name:Playbook to handle add a forwarder
hosts:ipaserver
become:true
tasks:
- name:ensure presence of forwardzone with a single forwarder DNS server
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
state:present
name:example.com
forwarders:
- ip_address:8.8.8.8
forwardpolicy:first
skip_overlap_check:true
- name:ensure the forward zone is disabled
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
name:example.com
state:disabled
- name:ensure presence of forwardzone with multiple forwarder DNS server
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
state:present
name:example.com
forwarders:
- ip_address:8.8.8.8
- ip_address:4.4.4.4
- name:ensure presence of another forwarder to any existing ones for example.com
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
state:present
name:example.com
forwarders:
- ip_address:1.1.1.1
action:member
- name:ensure presence of forwardzone with single forwarder DNS server on non-stardard port
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
state:present
name:example.com
forwarders:
- ip_address:4.4.4.4
port:8053
- name:ensure the forward zone is absent
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
name:example.com
state:absent
```
Variables
=========
ipagroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | Zone name (FQDN). | yes if `state` == `present`
`forwarders` \| `idnsforwarders` | Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
| `ip_address`: The forwarder IP address. | yes
| `port`: The forwarder IP port. | no
`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
`skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
`permission` | Allow DNS Forward Zone to be managed. (bool) | no
`action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
The dnsrecord module allows management of DNS records and is as compatible as possible with the Ansible upstream `ipa_dnsrecord` module, but provide some other features like multiple record management in one execution and support for more DNS record types.
Features
--------
* DNS record management.
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipadnsrecord module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.example.com
```
Example playbook to ensure an AAAA record is present:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
name:host01
zone_name:example.com
record_type:'AAAA'
record_value:'::1'
```
Example playbook to ensure an AAAA record is present, with a TTL of 300:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
name:host01
zone_name:example.com
record_type:'AAAA'
record_value:'::1'
record_ttl:300
```
Example playbook to ensure an AAAA record is present, with a reverse PTR record:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
name:host02
zone_name:example.com
record_type:'AAAA'
record_value:'fd00::0002'
create_reverse:yes
```
Example playbook to ensure a LOC record is present, given its individual attributes:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host03
loc_lat_deg:52
loc_lat_min:22
loc_lat_sec:23.000
loc_lat_dir:N
loc_lon_deg:4
loc_lon_min:53
loc_lon_sec:32.00
loc_lon_dir:E
loc_altitude:-2.00
loc_size:1.00
loc_h_precision:10000
loc_v_precision:10
```
Example playbook to ensure multiple DNS records are present:
```yaml
---
ipadnsrecord:
ipaadmin_password:SomeADMINpassword
records:
- name:host02
zone_name:example.com
record_type:A
record_value:
- "{{ ipv4_prefix }}.112"
- "{{ ipv4_prefix }}.122"
- name:host02
zone_name:example.com
record_type:AAAA
record_value:::1
```
Example playbook to ensure multiple CNAME records are present:
```yaml
---
- name:Ensure that 'host03' and 'host04' have CNAME records.
ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
records:
- name:host03
cname_hostname:host03.example.com
- name:host04
cname_hostname:host04.example.com
```
Example playbook to ensure NS record is absent:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host04
ns_hostname:host04
state:absent
```
Example playbook to ensure LOC record is present, with fields:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host04
loc_lat_deg:52
loc_lat_min:22
loc_lat_sec:23.000
loc_lat_dir:N
loc_lon_deg:4
loc_lon_min:53
loc_lon_sec:32.000
loc_lon_dir:E
loc_altitude:-2.00
loc_size:0.00
loc_h_precision:10000
loc_v_precision:10
```
Change value of an existing LOC record:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host04
loc_size:1.00
loc_rec:522223N45332E -2 0 10000 10
```
Example playbook to ensure multiple A records are present:
```yaml
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host04
a_rec:
- 192.168.122.221
- 192.168.122.222
- 192.168.122.223
- 192.168.122.224
```
Example playbook to ensure A and AAAA records are present, with reverse records (PTR):
```yaml
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host01
a_rec:
- 192.168.122.221
- 192.168.122.222
aaaa_rec:
- fd00:;0001
- fd00::0002
create_reverse:yes
```
Example playbook to ensure multiple A and AAAA records are present, but only A records have reverse records:
```yaml
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
name:host01
a_ip_address:192.168.122.221
aaaa_ip_address:fd00::0001
a_create_reverse:yes
```
Example playbook to ensure multiple DNS records are absent:
```yaml
---
- ipadnsrecord:
ipaadmin_password:SomeADMINpassword
zone_name:example.com
records:
- name:host01
del_all:yes
- name:host02
del_all:yes
- name:host03
del_all:yes
- name:host04
del_all:yes
- name:_ftp._tcp
del_all:yes
- name:_sip._udp
del_all:yes
state:absent
```
Variables
=========
ipadnsrecord
------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. | no
required: true
`records` | The list of dns records dicts. Each `records` dict entry can contain **record variables**. | no
| **Record variables** | no
**Record variables** | Used when defining a single record. | no
`state` | The state to ensure. It can be one of `present` or `absent`, and defaults to `present`. | yes
**Record Variables:**
Variable | Description | Required
-------- | ----------- | --------
`zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. When used on a `records` dict, overrides the global `zone_name`. | yes
`name` \| `record_name` | The DNS record name to manage. | yes
`record_type` | The type of DNS record. Supported values are `A`, `AAAA`, `A6`, `AFSDB`, `CERT`, `CNAME`, `DLV`, `DNAME`, `DS`, `KX`, `LOC`, `MX`, `NAPTR`, `NS`, `PTR`, `SRV`, `SSHFP`, `TLSA`, `TXT`, `URI`, and defaults to `A`. | no
`record_value` | Manage DNS record name with this values. | no
`record_ttl` | Set the TTL for the record. (int) | no
`del_all` | Delete all associated records. (bool) | no
`a_rec` \| `a_record` | Raw A record. | no
`aaaa_rec` \| `aaaa_record` | Raw AAAA record. | no
`a6_rec` \| `a6_record` | Raw A6 record data. | no
`afsdb_rec` \| `afsdb_record` | Raw AFSDB record. | no
`cert_rec` \| `cert_record` | Raw CERT record. | no
`cname_rec` \| `cname_record` | Raw CNAME record. | no
`dlv_rec` \| `dlv_record` | Raw DLV record. | no
`dname_rec` \| `dname_record` | Raw DNAM record. | no
`ds_rec` \| `ds_record` | Raw DS record. | no
`kx_rec` \| `kx_record` | Raw KX record. | no
`loc_rec` \| `loc_record` | Raw LOC record. | no
`mx_rec` \| `mx_record` | Raw MX record. | no
`naptr_rec` \| `naptr_record` | Raw NAPTR record. | no
`ns_rec` \| `ns_record` | Raw NS record. | no
`ptr_rec` \| `ptr_record` | Raw PTR record. | no
`srv_rec` \| `srv_record` | Raw SRV record. | no
`sshfp_rec` \| `sshfp_record` | Raw SSHFP record. | no
`tlsa_rec` \| `tlsa_record` | Raw TLSA record. | no
`txt_rec` \| `txt_record` | Raw TXT record. | no
`uri_rec` \| `uri_record` | Raw URI record. | no
`ip_address` | IP adress for A or AAAA records. Set `record_type` to `A` or `AAAA`. | no
`create_reverse` \| `reverse` | Create reverse records for `A` and `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
`a_ip_address` | IP adress for A records. Set `record_type` to `A`. | no
`a_create_reverse` | Create reverse records only for `A` records. There is no equivalent to remove reverse records. (bool) | no
`aaaa_ip_address` | IP adress for AAAA records. Set `record_type``AAAA`. | no
`aaaa_create_reverse` | Create reverse records only for `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
`a6_data` | A6 record. Set `record_type` to `A6`. | no
`afsdb_subtype` | AFSDB Subtype. Set `record_type` to `AFSDB`. (int) | no
`afsdb_hostname` | AFSDB Hostname. Set `record_type` to `AFSDB`. | no
`cert_type` | CERT Certificate Type. Set `record_type` to `CERT`. (int) | no
`cert_key_tag` | CERT Key Tag. Set `record_type` to `CERT`. (int) | no
`cert_algorithm` | CERT Algorithm. Set `record_type` to `CERT`. (int) | no
`cert_certificate_or_crl` | CERT Certificate or Certificate Revocation List (CRL). Set `record_type` to `CERT`. | no
`cname_hostname` | A hostname which this alias hostname points to. Set `record_type` to `CNAME`. | no
`dlv_key_tag` | DS Key Tag. Set `record_type` to `DLV`. (int) | no
`dlv_algorithm` | DLV Algorithm. Set `record_type` to `DLV`. (int) | no
`dlv_digest_type` | DLV Digest Type. Set `record_type` to `DLV`. (int) | no
`dlv_digest` | DLV Digest. Set `record_type` to `DLV`. | no
`dname_target` | DNAME Target. Set `record_type` to `DNAME`. | no
`ds_key_tag` | DS Key Tag. Set `record_type` to `DS`. (int) | no
`ds_algorithm` | DS Algorithm. Set `record_type` to `DS`. (int) | no
`ds_digest_type` | DS Digest Type. Set `record_type` to `DS`. (int) | no
`ds_digest` | DS Digest. Set `record_type` to `DS`. | no
`kx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `KX`. (int) | no
`kx_exchanger` | A host willing to act as a key exchanger. Set `record_type` to `KX`. | no
`loc_lat_deg` | LOC Degrees Latitude. Set `record_type` to `LOC`. (int) | no
`loc_lat_min` | LOC Minutes Latitude. Set `record_type` to `LOC`. (int) | no
`loc_lat_sec` | LOC Seconds Latitude. Set `record_type` to `LOC`. (float) | no
`loc_lat_dir` | LOC Direction Latitude. Valid values are `N` or `S`. Set `record_type` to `LOC`. (int) | no
`loc_lon_deg` | LOC Degrees Longitude. Set `record_type` to `LOC`. (int) | no
`loc_lon_min` | LOC Minutes Longitude. Set `record_type` to `LOC`. (int) | no
`loc_lon_sec` | LOC Seconds Longitude. Set `record_type` to `LOC`. (float) | no
`loc_lon_dir` | LOC Direction Longitude. Valid values are `E` or `W`. Set `record_type` to `LOC`. (int) | no
`loc_altitude` | LOC Altitude. Set `record_type` to `LOC`. (float) | no
`loc_size` | LOC Size. Set `record_type` to `LOC`. (float) | no
`loc_h_precision` | LOC Horizontal Precision. Set `record_type` to `LOC`. (float) | no
`loc_v_precision` | LOC Vertical Precision. Set `record_type` to `LOC`. (float) | no
`mx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `MX`. (int) | no
`mx_exchanger` | A host willing to act as a mail exchanger. Set `record_type` to `LOC`. | no
`naptr_order` | NAPTR Order. Set `record_type` to `NAPTR`. (int) | no
`naptr_preference` | NAPTR Preference. Set `record_type` to `NAPTR`. (int) | no
`naptr_flags` | NAPTR Flags. Set `record_type` to `NAPTR`. | no
`naptr_service` | NAPTR Service. Set `record_type` to `NAPTR`. | no
`naptr_regexp` | NAPTR Regular Expression. Set `record_type` to `NAPTR`. | no
`naptr_replacement` | NAPTR Replacement. Set `record_type` to `NAPTR`. | no
`ns_hostname` | NS Hostname. Set `record_type` to `NS`. | no
`ptr_hostname` | The hostname this reverse record points to. . Set `record_type` to `PTR`. | no
`srv_priority` | Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach. Set `record_type` to `SRV`. (int) | no
`srv_weight` | Relative weight for entries with the same priority. Set `record_type` to `SRV`. (int) | no
`srv_port` | SRV Port. Set `record_type` to `SRV`. (int) | no
`srv_target` | The domain name of the target host or '.' if the service is decidedly not available at this domain. Set `record_type` to `SRV`. | no
`sshfp_algorithm` | SSHFP Algorithm. Set `record_type` to `SSHFP`. (int) | no
`sshfp_fp_type` | SSHFP Fingerprint Type. Set `record_type` to `SSHFP`. (int) | no
`sshfp_fingerprint`| SSHFP Fingerprint. Set `record_type` to `SSHFP`. (int) | no
`txt_data` | TXT Text Data. Set `record_type` to `TXT`. | no
`tlsa_cert_usage` | TLSA Certificate Usage. Set `record_type` to `TLSA`. (int) | no
`tlsa_selector` | TLSA Selector. Set `record_type` to `TLSA`. (int) | no
`tlsa_matching_type` | TLSA Matching Type. Set `record_type` to `TLSA`. (int) | no
`tlsa_cert_association_data` | TLSA Certificate Association Data. Set `record_type` to `TLSA`. | no
`uri_target` | Target Uniform Resource Identifier according to RFC 3986. Set `record_type` to `URI`. | no
`uri_priority` | Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach. Set `record_type` to `URI`. (int) | no
`uri_weight` | Relative weight for entries with the same priority. Set `record_type` to `URI`. (int) | no
The dnszone module allows to configure zones in DNS server.
Features
--------
* Add, remove, modify, enable or disable DNS zones.
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by ipadnszone module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
-----
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to create a simple DNS zone:
```yaml
---
- name:dnszone present
hosts:ipaserver
become:true
tasks:
- name:Ensure zone is present.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name:testzone.local
state:present
```
Example playbook to create a DNS zone with all currently supported variables:
```yaml
---
- name:dnszone present
hosts:ipaserver
become:true
tasks:
- name:Ensure zone is present.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name:testzone.local
allow_sync_ptr:true
dynamic_update:true
dnssec:true
allow_transfer:
- 1.1.1.1
- 2.2.2.2
allow_query:
- 1.1.1.1
- 2.2.2.2
forwarders:
- ip_address:8.8.8.8
- ip_address:8.8.4.4
port:52
serial:1234
refresh:3600
retry:900
expire:1209600
minimum:3600
ttl:60
default_ttl:90
name_server:ipaserver.test.local.
admin_email:admin.admin@example.com
nsec3param_rec:"1 7 100 0123456789abcdef"
skip_overlap_check:true
skip_nameserver_check:true
state:present
```
Example playbook to disable a zone:
```yaml
---
- name:Playbook to disable DNS zone
hosts:ipaserver
become:true
tasks:
- name:Disable zone.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name:testzone.local
state:disabled
```
Example playbook to enable a zone:
```yaml
---
- name:Playbook to enable DNS zone
hosts:ipaserver
become:true
tasks:
- name:Enable zone.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name:testzone.local
state:enabled
```
Example playbook to remove a zone:
```yaml
---
- name:Playbook to remove DNS zone
hosts:ipaserver
become:true
tasks:
- name:Remove zone.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name:testzone.local
state:absent
```
Example playbook to create a zone for reverse DNS lookup, from an IP address:
```yaml
---
- name:dnszone present
hosts:ipaserver
become:true
tasks:
- name:Ensure zone for reverse DNS lookup is present.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name_from_ip:192.168.1.2
state:present
```
Note that, on the previous example the zone created with `name_from_ip` might be "1.168.192.in-addr.arpa.", "168.192.in-addr.arpa.", or "192.in-addr.arpa.", depending on the DNS response the system get while querying for zones, and for this reason, when creating a zone using `name_from_ip`, the inferred zone name is returned to the controller, in the attribute `dnszone.name`. Since the zone inferred might not be what a user expects, `name_from_ip` can only be used with `state: present`. To have more control over the zone name, the prefix length for the IP address can be provided.
Example playbook to create a zone for reverse DNS lookup, from an IP address, given the prefix length and displaying the resulting zone name:
```yaml
---
- name:dnszone present
hosts:ipaserver
become:true
tasks:
- name:Ensure zone for reverse DNS lookup is present.
ipadnszone:
ipaadmin_password:SomeADMINpassword
name_from_ip:192.168.1.2/24
state:present
register:result
- name:Display inferred zone name.
debug:
msg:"Zone name: {{ result.dnszone.name }}"
```
Variables
=========
ipadnszone
----------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `zone_name` | The zone name string or list of strings. | no
`name_from_ip` | Derive zone name from reverse of IP (PTR). Can only be used with `state: present`. | no
`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
| `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
| `port` - The custom port that should be used on this server. | no
`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`. | no
`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | no
`state` | The state to ensure. It can be one of `present`, `enabled`, `disabled` or `absent`, default: `present`. | yes
`name_server`| Authoritative nameserver domain name | no
`admin_email`| Administrator e-mail address | no
`update_policy`| BIND update policy | no
`dynamic_update` \| `dynamicupdate` | Allow dynamic updates | no
`dnssec`| Allow inline DNSSEC signing of records in the zone | no
`allow_transfer`| List of IP addresses or networks which are allowed to transfer the zone | no
`allow_query`| List of IP addresses or networks which are allowed to issue queries | no
`serial`| SOA record serial number | no
`refresh`| SOA record refresh time | no
`retry`| SOA record retry time | no
`expire`| SOA record expire time | no
`minimum`| How long should negative responses be cached | no
`ttl`| Time to live for records at zone apex | no
`default_ttl`| Time to live for records without explicit TTL definition | no
`nsec3param_rec`| NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt | no
`skip_overlap_check`| Force DNS zone creation even if it will overlap with an existing zone | no
`skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no
Return Values
=============
ipadnszone
----------
Variable | Description | Returned When
-------- | ----------- | -------------
`dnszone` | DNS Zone dict with zone name infered from `name_from_ip`. <br>Options: | If `state` is `present`, `name_from_ip` is used, and a zone was created.
| `name` - The name of the zone created, inferred from `name_from_ip`. | Always
The group module allows to ensure presence and absence of groups and members of groups.
The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
Features
--------
* Group management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipagroup module.
Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to add groups:
```yaml
---
- name:Playbook to handle groups
hosts:ipaserver
become:true
tasks:
# Create group ops with gid 1234
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:ops
gidnumber:1234
# Create group sysops
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:sysops
user:
- pinky
# Create group appops
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:appops
```
Example playbook to add users to a group:
```yaml
---
- name:Playbook to handle groups
hosts:ipaserver
become:true
tasks:
# Add user member brain to group sysops
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:sysops
action:member
user:
- brain
```
`action` controls if a the group or member will be handled. To add or remove members, set `action` to `member`.
Example playbook to add group members to a group:
```yaml
---
- name:Playbook to handle groups
hosts:ipaserver
become:true
tasks:
# Add group members sysops and appops to group sysops
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:ops
group:
- sysops
- appops
```
Example playbook to add members from a trusted realm to an external group:
```yaml
--
- name:Playbook to handle groups.
hosts:ipaserver
became:true
- name:Create an external group and add members from a trust to it.
ipagroup:
ipaadmin_password:SomeADMINpassword
name:extgroup
external:yes
externalmember:
- WINIPA\\Web Users
- WINIPA\\Developers
```
Example playbook to remove groups:
```yaml
---
- name:Playbook to handle groups
hosts:ipaserver
become:true
tasks:
# Remove goups sysops, appops and ops
- ipagroup:
ipaadmin_password:SomeADMINpassword
name:sysops,appops,ops
state:absent
```
Variables
=========
ipagroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of group name strings. | no
`description` | The group description string. | no
`gid` \| `gidnumber` | The GID integer. | no
`posix` | Create a non-POSIX group or change a non-POSIX to a posix group. (bool) | no
`nonposix` | Create as a non-POSIX group. (bool) | no
`external` | Allow adding external non-IPA members from trusted domains. (bool) | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`user` | List of user name strings assigned to this group. | no
`group` | List of group name strings assigned to this group. | no
`service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
`membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
`action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
The hbacrule (HBAC Rule) module allows to ensure presence and absence of HBAC Rules and host, hostgroups, HBAC Services, HBAC Service Groups, users, and user groups as members of HBAC Rule.
Features
--------
* HBAC Rule management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipahbacrule module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure HBAC Rule login exists:
```yaml
---
- name:Playbook to handle hbacrules
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
ipaadmin_password:SomeADMINpassword
name:login
```
Example playbook to make sure HBAC Rule login exists with the only HBAC Service sshd:
```yaml
---
- name:Playbook to handle hbacrules
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Rule login is present with the only HBAC Service sshd
- ipahbacrule:
ipaadmin_password:SomeADMINpassword
name:login
hbacsvc:
- sshd
```
Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
```yaml
---
- name:Playbook to handle hbacrules
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
ipaadmin_password:SomeADMINpassword
name:login
hbacsvc:
- sshd
action:member
```
Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
```yaml
---
- name:Playbook to handle hbacrules
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
ipaadmin_password:SomeADMINpassword
name:login
hbacsvc:
- sshd
action:member
state:absent
```
Example playbook to make sure HBAC Rule login is absent:
```yaml
---
- name:Playbook to handle hbacrules
hbacsvcs:ipaserver
become:true
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
ipaadmin_password:SomeADMINpassword
name:login
state:absent
```
Variables
=========
ipahbacrule
---------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of hbacrule name strings. | yes
`description` | The hbacrule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all", ""] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this hbacrule. | no
`hostgroup` | List of host group name strings assigned to this hbacrule. | no
`hbacsvc` | List of HBAC Service name strings assigned to this hbacrule. | no
`hbacsvcgroup` | List of HBAC Service Group name strings assigned to this hbacrule. | no
`user` | List of user name strings assigned to this hbacrule. | no
`group` | List of user group name strings assigned to this hbacrule. | no
`action` | Work on hbacrule or member level. It can be on of `member` or `hbacrule` and defaults to `hbacrule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
The host module allows to ensure presence, absence and disablement of hosts.
The host module is as compatible as possible to the Ansible upstream `ipa_host` module, but additionally offers to disable hosts.
Features
--------
* Host management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipahost module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure host presence:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
description:Example host
ip_address:192.168.0.123
locality:Lab
ns_host_location:Lab
ns_os_version:CentOS 7
ns_hardware_platform:Lenovo T61
mac_address:
- "08:00:27:E3:B1:2D"
- "52:54:00:BD:97:1E"
state:present
```
Compared to `ipa host-add` command no IP address conflict check is done as the ipahost module supports to have several IPv4 and IPv6 addresses for a host.
Example playbook to ensure host presence with several IP addresses:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
description:Example host
ip_address:
- 192.168.0.123
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b3
- fe80::20c:29ff:fe02:a1b4
locality:Lab
ns_host_location:Lab
ns_os_version:CentOS 7
ns_hardware_platform:Lenovo T61
mac_address:
- "08:00:27:E3:B1:2D"
- "52:54:00:BD:97:1E"
state:present
```
Example playbook to ensure IP addresses are present for a host:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
ip_address:
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b4
action:member
state:present
```
Example playbook to ensure IP addresses are absent for a host:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
ip_address:
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b4
action:member
state:absent
```
Example playbook to ensure host presence without DNS:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is present without DNS
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host02.example.com
description:Example host
force:yes
```
Example playbook to ensure host presence with a random password:
```yaml
---
- name:Ensure host with random password
hosts:ipaserver
become:true
tasks:
- name:Host host01.example.com present with random password
ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
random:yes
force:yes
update_password:on_create
register:ipahost
- name:Print generated random password
debug:
var:ipahost.host.randompassword
```
Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
Example playbook to ensure presence of several hosts with a random password:
```yaml
---
- name:Ensure hosts with random password
hosts:ipaserver
become:true
tasks:
- name:Hosts host01.example.com and host01.example.com present with random passwords
ipahost:
ipaadmin_password:SomeADMINpassword
hosts:
- name:host01.example.com
random:yes
force:yes
update_password:on_create
- name:host02.example.com
random:yes
force:yes
update_password:on_create
register:ipahost
- name:Print generated random password for host01.example.com
Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
Example playbook to ensure presence of host member principal:
```yaml
---
- name:Host present with principal
hosts:ipaserver
become:true
tasks:
- name:Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
principal:
- host/testhost01.example.com
- host/myhost01.example.com
action:member
```
Example playbook to ensure presence of host member certificate:
```yaml
- name:Host present with certificate
hosts:ipaserver
become:true
tasks:
- name:Host host01.example.com present with certificate
ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
certificate:
- MIIC/zCCAeegAwIBAg...
action:member
```
Example playbook to ensure presence of member managedby_host for serveral hosts:
```yaml
---
- name:Host present with managedby_host
hosts:ipaserver
become:true
tasks:
ipahost:
ipaadmin_password:SomeADMINpassword
hosts:
- name:host01.exmaple.com
managedby_host:server.exmaple.com
- name:host02.exmaple.com
managedby_host:server.exmaple.com
action:member
```
Example playbook to disable a host:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is disabled
- ipahost:
ipaadmin_password:SomeADMINpassword
name:host01.example.com
update_dns:yes
state:disabled
```
`update_dns` controls if the DNS entries will be updated in this case. For `state` present it is controlling the update of the DNS SSHFP records, but not the the other DNS records.
Example playbook to ensure a host is absent:
```yaml
---
- name:Playbook to handle hosts
hosts:ipaserver
become:true
tasks:
# Ensure host is absent
- ipahost:
ipaadmin_password:password1
name:host01.example.com
state:absent
```
Variables
=========
ipahost
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `fqdn` | The list of host name strings. `name` with *host variables* or `hosts` containing *host variables* need to be used. | no
**Host variables** | Only used with `name` variable in the first level. | no
`hosts` | The list of host dicts. Each `hosts` dict entry can contain **host variables**.<br>There is one required option in the `hosts` dict:| no
| `name` \| `fqdn` - The user name string of the entry. | yes
| **Host variables** | no
`update_password` | Set password for a host in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
`action` | Work on host or member level. It can be on of `member` or `host` and defaults to `host`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `disabled`, default: `present`. | yes
**Host Variables:**
Variable | Description | Required
-------- | ----------- | --------
`description` | The host description. | no
`locality` | Host locality (e.g. "Baltimore, MD"). | no
`os` \| `ns_os_version` | Host operating system and version (e.g. "Fedora 9"). | no
`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
`random` \| `random_password` | Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no
`certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
`managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
`principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. | no
`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. | no
`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. | no
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. | no
`mac_address` \| `macaddress` | List of hardware MAC addresses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
`userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
`force` | Force host name even if not in DNS. | no
`reverse` | Reverse DNS detection. | no
`ip_address` \| `ipaddress` | The host IP address list. It can contain IPv4 and IPv6 addresses. No conflict check for IP addresses is done. | no
`update_dns` | For existing hosts: DNS SSHFP records are updated with `state` present and all DNS entries for a host removed with `state` absent. | no
Return Values
=============
ipahost
-------
There are only return values if one or more random passwords have been generated.
Variable | Description | Returned When
-------- | ----------- | -------------
`host` | Host dict with random password. (dict) <br>Options: | If random is yes and host did not exist or update_password is yes
| `randompassword` - The generated random password | If only one host is handled by the module
| `name` - The host name of the host that got a new random password. (dict) <br> Options: <br> `randompassword` - The generated random password | If several hosts are handled by the module
The hostgroup module allows to ensure presence and absence of hostgroups and members of hostgroups.
The hostgroup module is as compatible as possible to the Ansible upstream `ipa_hostgroup` module, but additionally offers to make sure that hosts are present or absent in a hostgroup.
Features
--------
* Hostgroup management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipahostgroup module.
Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure hostgroup databases exists:
```yaml
---
- name:Playbook to handle hostgroups
hosts:ipaserver
become:true
tasks:
# Ensure host-group databases is present
- ipahostgroup:
ipaadmin_password:SomeADMINpassword
name:databases
host:
- db.example.com
hostgroup:
- mysql-server
- oracle-server
```
Example playbook to make sure that hosts and hostgroups are present in existing databases hostgroup:
```yaml
---
- name:Playbook to handle hostgroups
hosts:ipaserver
become:true
tasks:
# Ensure hosts and hostgroups are present in existing databases hostgroup
- ipahostgroup:
ipaadmin_password:SomeADMINpassword
name:databases
host:
- db.example.com
hostgroup:
- mysql-server
- oracle-server
action:member
```
`action` controls if a the hostgroup or member will be handled. To add or remove members, set `action` to `member`.
Example playbook to make sure hosts and hostgroups are absent in databases hostgroup:
```yaml
---
- name:Playbook to handle hostgroups
hosts:ipaserver
become:true
tasks:
# Ensure hosts and hostgroups are absent in databases hostgroup
- ipahostgroup:
ipaadmin_password:SomeADMINpassword
name:databases
host:
- db.example.com
hostgroup:
- mysql-server
- oracle-server
action:member
state:absent
```
Example playbook to rename an existing playbook:
```yaml
---
- name:Playbook to handle hostgroups
hosts:ipaserver
become:true
tasks:
# Ensure host-group databases is absent
- ipahostgroup:
ipaadmin_password:SomeADMINpassword
name:databases
rename:datalake
state:renamed
```
Example playbook to make sure host-group databases is absent:
```yaml
---
- name:Playbook to handle hostgroups
hosts:ipaserver
become:true
tasks:
# Ensure host-group databases is absent
- ipahostgroup:
ipaadmin_password:SomeADMINpassword
name:databases
state:absent
```
Variables
=========
ipahostgroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of hostgroup name strings. | no
`description` | The hostgroup description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this hostgroup. | no
`hostgroup` | List of hostgroup name strings assigned to this hostgroup. | no
`membermanager_user` | List of member manager users assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
`membermanager_group` | List of member manager groups assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
`rename` \| `new_name` | Rename hostgroup to the provided name. Only usable with IPA versions 4.8.7 and up. | no
`action` | Work on hostgroup or member level. It can be on of `member` or `hostgroup` and defaults to `hostgroup`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
The permission module allows to ensure presence and absence of permissions and permission members.
Features
--------
* Permission management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipapermission module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure permission "MyPermission" is present:
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission MyPermission is present
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
object_type:host
right:all
```
Example playbook to ensure permission "MyPermission" is present with attr carlicense:
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission "MyPermission" is present with attr carlicense
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
object_type:host
right:all
attrs:
- carlicense
```
Example playbook to ensure attr gecos is present in permission "MyPermission":
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure attr gecos is present in permission "MyPermission"
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
attrs:
- gecos
action:member
```
Example playbook to ensure attr gecos is absent in permission "MyPermission":
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure attr gecos is present in permission "MyPermission"
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
attrs:
- gecos
action:member
state:absent
```
Example playbook to make sure permission "MyPermission" is absent:
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission "MyPermission" is absent
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
state:absent
```
Example playbook to make sure permission "MyPermission" is renamed to "MyNewPermission":
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission "MyPermission" is renamed to "MyNewPermission
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
rename:MyNewPermission
state:renamed
```
Variables
---------
ipapermission
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The permission name string. | yes
`right` \| `ipapermright` | Rights to grant. It can be a list of one or more of `read`, `search`, `compare`, `write`, `add`, `delete`, and `all` default: `all` | no
`attrs` | All attributes to which the permission applies. | no
`bindtype` \| `ipapermbindruletype` | Bind rule type. It can be one of `permission`, `all`, `self`, or `anonymous` defaults to `permission` for new permissions. Bind rule type `self` can only be used on IPA versions 4.8.7 or up.| no
`subtree` \| `ipapermlocation` | Subtree to apply permissions to | no
`filter` \| `extratargetfilter` | Extra target filter | no
`rawfilter` \| `ipapermtargetfilter` | All target filters | no
`target` \| `ipapermtarget` | Optional DN to apply the permission to | no
`targetto` \| `ipapermtargetto` | Optional DN subtree where an entry can be moved to | no
`targetfrom` \| `ipapermtargetfrom` | Optional DN subtree from where an entry can be moved | no
`memberof` | Target members of a group (sets memberOf targetfilter) | no
`targetgroup` | User group to apply permissions to (sets target) | no
`object_type` | Type of IPA object (sets subtree and objectClass targetfilter) | no
`no_members` | Suppress processing of membership | no
`rename` | Rename the permission object | no
`action` | Work on permission or member level. It can be on of `member` or `permission` and defaults to `permission`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `renamed` default: `present`. | no
The `includedattrs` and `excludedattrs` variables are only usable for managed permisions and are not exposed by the module. Using `attrs` for managed permissions will result in the automatic generation of `includedattrs` and `excludedattrs` in the IPA server.
Example playbook to add a principal to the service:
```yaml
---
- name:Playbook to manage IPA service.
hosts:ipaserver
become:true
gather_facts:false
tasks:
# Principal host/principal.example.com present in service.
- ipaservice:
ipaadmin_password:SomeADMINpassword
name:HTTP/www.example.com
principal:host/principal.example.com
action:member
```
Example playbook to enable a host to manage service:
```yaml
---
- name:Playbook to manage IPA service.
hosts:ipaserver
become:true
gather_facts:false
tasks:
# Ensure host can manage service, again.
- ipaservice:
ipaadmin_password:SomeADMINpassword
name:HTTP/www.example.com
host:host1.example.com
action:member
```
Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service:
```yaml
---
- name:Playbook to manage IPA service.
hosts:ipaserver
become:true
gather_facts:false
tasks:
# Allow users, groups, hosts or host groups to create a keytab of this service.
- ipaservice:
ipaadmin_password:SomeADMINpassword
name:HTTP/www.example.com
allow_create_keytab_user:
- user01
- user02
allow_create_keytab_group:
- group01
- group02
allow_create_keytab_host:
- host1.example.com
- host2.example.com
allow_create_keytab_hostgroup:
- hostgroup01
- hostgroup02
action:member
```
Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service:
```yaml
---
- name:Playbook to manage IPA service.
hosts:ipaserver
become:true
gather_facts:false
tasks:
# Allow users, groups, hosts or host groups to retrieve a keytab of this service.
- ipaservice:
ipaadmin_password:SomeADMINpassword
name:HTTP/www.example.com
allow_retrieve_keytab_user:
- user01
- user02
allow_retrieve_keytab_group:
- group01
- group02
allow_retrieve_keytab_host:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
allow_retrieve_keytab_hostgroup:
- hostgroup01
- hostgroup02
action:member
```
Variables
---------
ipaservice
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `service` | The list of service name strings. | yes
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
`skip_host_check` | Force service to be created even when host object does not exist to manage it. Only usable with IPA versions 4.7.0 and up. Default to false. (bool)| no
`force` | Force principal name even if host not in DNS. Default to false. (bool) | no
`host` \| `managedby_host`| Hosts that can manage the service. | no
`principal` \| `krbprincipalname` | List of principal aliases for the service. | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group`| Groups allowed to create a keytab of this host. | no
`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host`| Hosts allowed to create a keytab of this host. | no
`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_group`| Host groups allowed to create a keytab of this host. | no
`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this host. | no
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
`continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
The sudocmdgroup module allows to ensure presence and absence of sudocmdgroups and members of sudocmdgroups.
The sudocmdgroup module is as compatible as possible to the Ansible upstream `ipa_sudocmdgroup` module, but additionally offers to make sure that sudocmds are present or absent in a sudocmdgroup.
Features
--------
* Sudocmdgroup management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipasudocmdgroup module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure sudocmdgroup is present:
```yaml
---
- name:Playbook to handle sudocmdgroups
hosts:ipaserver
become:true
tasks:
# Ensure sudocmdgroup is present
- ipasudocmdgroup:
ipaadmin_password:SomeADMINpassword
name:group01
description:Group of important commands
```
Example playbook to make sure that a sudo command and sudocmdgroups are present in existing sudocmdgroup:
```yaml
---
- name:Playbook to handle sudocmdgroups
hosts:ipaserver
become:true
tasks:
# Ensure sudo commands are present in existing sudocmdgroup
- ipasudocmdgroup:
ipaadmin_password:SomeADMINpassword
name:group01
sudocmd:
- /usr/bin/su
- /usr/bin/less
action:member
```
`action` controls if the sudocmdgroup or member will be handled. To add or remove members, set `action` to `member`.
Example playbook to make sure that a sudo command and sudocmdgroups are absent in sudocmdgroup:
```yaml
---
- name:Playbook to handle sudocmdgroups
hosts:ipaserver
become:true
tasks:
# Ensure sudocmds are absent in existing sudocmdgroup
- ipasudocmdgroup:
ipaadmin_password:SomeADMINpassword
name:group01
sudocmd:
- /usr/bin/su
- /usr/bin/less
action:member
state:absent
```
Example playbook to make sure sudocmdgroup is absent:
```yaml
---
- name:Playbook to handle sudocmdgroups
hosts:ipaserver
become:true
tasks:
# Ensure sudocmdgroup is absent
- ipasudocmdgroup:
ipaadmin_password:SomeADMINpassword
name:group01
state:absent
```
Variables
=========
ipasudocmdgroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of sudocmdgroup name strings. | no
`description` | The sudocmdgroup description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`sudocmd` | List of sudocmdgroup name strings assigned to this sudocmdgroup. | no
`action` | Work on sudocmdgroup or member level. It can be on of `member` or `sudocmdgroup` and defaults to `sudocmdgroup`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
The sudorule (Sudo Rule) module allows to ensure presence and absence of Sudo Rules and host, hostgroups, users, and user groups as members of Sudo Rule.
Features
--------
* Sudo Rule management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipasudorule module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure Sudo Rule is present:
```yaml
---
- name:Playbook to handle sudorules
hosts:ipaserver
become:true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password:SomeADMINpassword
name:testrule1
```
Example playbook to make sure sudocmds are present in Sudo Rule:
```yaml
---
- name:Playbook to handle sudorules
hosts:ipaserver
become:true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password:SomeADMINpassword
name:testrule1
allow_sudocmd:
- /sbin/ifconfig
action:member
```
Example playbook to make sure sudocmds are not present in Sudo Rule:
```yaml
---
- name:Playbook to handle sudorules
hosts:ipaserver
become:true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password:SomeADMINpassword
name:testrule1
allow_sudocmd:
- /sbin/ifconfig
action:member
state:absent
```
Example playbook to make sure Sudo Rule is absent:
```yaml
---
- name:Playbook to handle sudorules
hosts:ipaserver
become:true
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password:SomeADMINpassword
name:testrule1
state:absent
```
Variables
=========
ipasudorule
---------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of sudorule name strings. | yes
`description` | The sudorule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
`cmdcategory` \| `cmdcat` | Command category the rule applies to. Choices: ["all", ""] | no
`runasusercategory` \| `rusasusercat` | RunAs User category the rule applies to. Choices: ["all", ""] | no
`runasgroupcategory` \| `runasgroupcat` | RunAs Group category the rule applies to. Choices: ["all", ""] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this sudorule. | no
`hostgroup` | List of host group name strings assigned to this sudorule. | no
`user` | List of user name strings assigned to this sudorule. | no
`group` | List of user group name strings assigned to this sudorule. | no
`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
`sudooption` \| `option` | List of options to the sudorule | no
`order` | Integer to order the sudorule | no
`runasuser` | List of users for Sudo to execute as. | no
`runasgroup` | List of groups for Sudo to execute as. | no
`action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
These modules allow to manage the topology. That means that topology segments can be added, removed and reinitialized. Also it is possible to verify topology suffixes.
These modules allow to manage the topology. That means that it can made sure that topology segments are present, absent or reinitialized. Also it is possible to verify topology suffixes.
Features
@@ -39,7 +39,7 @@ ipaserver.test.local
```
Example playbook to add a topology segment wiht default name (cn):
Example playbook to add a topology segment with default name (cn):
```yaml
---
@@ -50,13 +50,13 @@ Example playbook to add a topology segment wiht default name (cn):
tasks:
- name:Add topology segment
ipatopologysegment:
password:MyPassword123
ipaadmin_password:SomeADMINpassword
suffix:domain
left:ipareplica1.test.local
right:ipareplica2.test.local
state:present
```
The name (cn) can also be set if it should not be the default `{left}-to-{rkight}`.
The name (cn) can also be set if it should not be the default `{left}-to-{right}`.
Example playbook to delete a topology segment:
@@ -70,7 +70,7 @@ Example playbook to delete a topology segment:
tasks:
- name:Delete topology segment
ipatopologysegment:
password:MyPassword123
ipaadmin_password:SomeADMINpassword
suffix:domain
left:ipareplica1.test.local
right:ipareplica2.test.local
@@ -90,7 +90,7 @@ Example playbook to reinitialize a topology segment:
tasks:
- name:Reinitialize topology segment
ipatopologysegment:
password:MyPassword123
ipaadmin_password:SomeADMINpassword
suffix:domain
left:ipareplica1.test.local
right:ipareplica2.test.local
@@ -111,12 +111,12 @@ Example playbook to verify a topology suffix:
tasks:
- name:Verify topology suffix
ipatopologysuffix:
password:MyPassword123
ipaadmin_password:SomeADMINpassword
suffix:domain
state:verified
```
Example playbook to add a list of topology segments:
Example playbook to add or remove or check or reinitialize a list of topology segments:
```yaml
---
@@ -136,15 +136,15 @@ Example playbook to add a list of topology segments:
tasks:
- name:Add topology segment
ipatopologysegment:
password:"{{ ipaadmin_password }}"
ipaadmin_password:"{{ ipaadmin_password }}"
suffix:"{{ item.suffix }}"
name:"{{ item.name | default(omit) }}"
left:"{{ item.left }}"
right:"{{ item.right }}"
#state: present
state:present
#state: absent
#state: checked
state:reinitialized
#state: reinitialized
loop:"{{ ipatopology_segments | default([]) }}"
```
@@ -157,8 +157,8 @@ ipatopologysegment
Variable | Description | Required
-------- | ----------- | --------
`principal` | The admin principal is a string and defaults to `admin` | no
`password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`suffix` | The topology suffix to be used, this can either be `domain`, `ca` or `domain+ca` | yes
`name` \| `cn` | The topology segment name (cn) is the unique identifier for a segment. | no
`left` \| `leftnode` | The left replication node string - an IPA server | no
The user module allows to ensure presence, absence, disablement, unlocking and undeletion of users.
The user module is as compatible as possible to the Ansible upstream `ipa_user` module, but additionally offers to preserve delete, enable, disable, unlock and undelete users.
Features
--------
* User management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipauser module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure a user is present:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure user pinky is present
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky
first:pinky
last:Acme
uid:10001
gid:100
phone:"+555123457"
email:pinky@acme.com
passwordexpiration:"2023-01-19 23:59:59"
password:"no-brain"
update_password:on_create
# Ensure user brain is present
- ipauser:
ipaadmin_password:SomeADMINpassword
name:brain
first:brain
last:Acme
```
`update_password` controls if a password for a user will be set in present state only on creation or every time (always).
These two `ipauser` module calls can be combined into one with the `users` variable:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure users pinky and brain are present
- ipauser:
ipaadmin_password:SomeADMINpassword
users:
- name:pinky
first:pinky
last:Acme
uid:10001
gid:100
phone:"+555123457"
email:pinky@acme.com
passwordexpiration:"2023-01-19 23:59:59"
password:"no-brain"
- name:brain
first:brain
last:Acme
update_password:on_create
```
You can also alternatively use a json file containing the users, here `users_present.json`:
```json
{
"users":[
{
"name":"user1",
"first":"First 1",
"last":"Last 1"
},
{
"name":"user2",
"first":"First 2",
"last":"Last 2"
},
...
]
}
```
And ensure the presence of the users with this example playbook:
```yaml
---
- name:Tests
hosts:ipaserver
become:true
gather_facts:false
tasks:
- name:Include users_present.json
include_vars:
file:users_present.json
- name:Users present
ipauser:
ipaadmin_password:SomeADMINpassword
users:"{{ users }}"
```
Ensure user pinky is present with a generated random password and print the random password:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure user pinky is present with a random password
- ipauser:
ipaadmin_password:SomeADMINpassword
name:brain
first:brain
last:Acme
random:yes
register:ipauser
- name:Print generated random password
debug:
var:ipauser.user.randompassword
```
Ensure users pinky and brain are present with a generated random password and print the random passwords:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure users pinky and brain are present with random password
- ipauser:
ipaadmin_password:SomeADMINpassword
users:
- name:pinky
first:pinky
last:Acme
uid:10001
gid:100
phone:"+555123457"
email:pinky@acme.com
passwordexpiration:"2023-01-19 23:59:59"
password:"no-brain"
- name:brain
first:brain
last:Acme
register:ipauser
- name:Print generated random password of pinky
debug:
var:ipauser.user.pinky.randompassword
- name:Print generated random password of brain
debug:
var:ipauser.user.brain.randompassword
```
Example playbook to delete a user, but preserve it:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Remove but preserve user pinky
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky
preserve:yes
state:absent
```
This can also be done with the `users` variable containing only names, this can be combined into one module call:
Example playbook to delete a user, but preserve it using the `users` variable:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Remove but preserve user pinky
- ipauser:
ipaadmin_password:SomeADMINpassword
users:
- name:pinky
preserve:yes
state:absent
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to undelete a preserved user.
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Undelete preserved user pinky
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky
state:undeleted
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to disable a user:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Disable user pinky
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky
state:disabled
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to enable users:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Enable user pinky and brain
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky,brain
state:enabled
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to unlock users:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Unlock user pinky and brain
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky,brain
state:unlocked
```
Example playbook to ensure users are absent:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure users pinky and brain are absent
- ipauser:
ipaadmin_password:SomeADMINpassword
name:pinky,brain
state:absent
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to ensure users are absent:
```yaml
---
- name:Playbook to handle users
hosts:ipaserver
become:true
tasks:
# Ensure users pinky and brain are absent
- ipauser:
ipaadmin_password:SomeADMINpassword
users:
- name:pinky
- name:brain
state:absent
```
Variables
=========
ipauser
-------
**General Variables:**
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` | The list of user name strings. `name` with *user variables* or `users` containing *user variables* need to be used. | no
**User variables** | Only used with `name` variable in the first level. | no
`users` | The list of user dicts. Each `users` dict entry can contain **user variables**.<br>There is one required option in the `users` dict:| no
| `name` - The user name string of the entry. | yes
| **User variables** | no
`preserve` | Delete a user, keeping the entry available for future use. (bool) | no
`update_password` | Set password for a user in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
`preserve` | Delete a user, keeping the entry available for future use. (bool) | no
`action` | Work on user or member level. It can be on of `member` or `user` and defaults to `user`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes
**User Variables:**
Variable | Description | Required
-------- | ----------- | --------
`first` \| `givenname` | The first name string. | no
`last` \| `sn` | The last name string. | no
`fullname` \| `cn` | The full name string. | no
`displayname` | The display name string. | no
`homedir` | The home directory string. | no
`shell` \| `loginshell` | The login shell string. | no
`email` | List of email address strings. | no
`principal` \| `principalnam` \| `krbprincipalname` | The kerberos principal sptring. | no
`principalexpiration` \| `krbprincipalexpiration` | The kerberos principal expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. | no
`passwordexpiration` \| `krbpasswordexpiration` | The kerberos password expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. Only usable with IPA versions 4.7 and up. | no
`password` | The user password string. | no
`random` | Generate a random user password | no
`uid` \| `uidnumber` | The UID integer. | no
`gid` \| `gidnumber` | The GID integer. | no
`city` | City | no
`userstate` \| `st` | State/Province | no
`postalcode` \| `zip` | Postalcode/ZIP | no
`phone` \| `telephonenumber` | List of telephone number strings, | no
`mobile` | List of mobile telephone number strings. | no
`pager` | List of pager number strings. | no
`fax` \| `facsimiletelephonenumber` | List of fax number strings. | no
`orgunit` | The Organisation unit. | no
`title` | The job title string. | no
`manager` | List of manager user names. | no
`carlicense` | List of car licenses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no
`userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
`radius` | RADIUS proxy configuration | no
`radiususer` | RADIUS proxy username | no
`departmentnumber` | Department Number | no
`employeenumber` | Employee Number | no
`employeetype` | Employee Type | no
`preferredlanguage` | Preferred Language | no
`certificate` | List of base-64 encoded user certificates. | no
`certmapdata` | List of certificate mappings. Either `data` or `certificate` or `issuer` together with `subject` need to be specified. Only usable with IPA versions 4.5 and up. <br>Options: | no
| `certificate` - Base-64 encoded user certificate, not usable with other certmapdata options. | no
| `issuer` - Issuer of the certificate, only usable together with `usbject` option. | no
| `subject` - Subject of the certificate, only usable together with `issuer` option. | no
| `data` - Certmap data, not usable with other certmapdata options. | no
`noprivate` | Do not create user private group. (bool) | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
Return Values
=============
ipauser
-------
There are only return values if one or more random passwords have been generated.
Variable | Description | Returned When
-------- | ----------- | -------------
`user` | User dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
| `randompassword` - The generated random password | If only one user is handled by the module
| `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> `randompassword` - The generated random password | If several users are handled by the module
The vault module allows to ensure presence and absence of vault and members of vaults.
The vault module is as compatible as possible to the Ansible upstream `ipa_vault` module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
Features
--------
* Vault management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipavault module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
* KRA service must be enabled
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure vault is present (by default, vault type is `symmetric`):
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
password:SomeVAULTpassword
description:A standard private vault.
```
Example playbook to make sure that a vault and its members are present:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
users:user01
```
`action` controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set `action` to `member`.
Example playbook to make sure that a vault member is present in vault:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
users:user01
action:member
```
Example playbook to make sure that a vault owner is absent in vault:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
owner:user01
action:member
state:absent
```
Example playbook to make sure vault data is present in a symmetric vault:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
password:SomeVAULTpassword
data:>
Data archived.
More data archived.
action:member
```
When retrieving data from a vault, it is recommended that `no_log: yes` is used, so that sensitive data stored in a vault is not logged by Ansible. The data is returned in a dict `vault`, in the field `data` (e.g. `result.vault.data`). An example playbook to retrieve data from a symmetric vault:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- name:Retrieve data from vault and register it in 'ipavault'
ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
password:SomeVAULTpassword
state:retrieved
no_log:yes
register:ipavault
- name:Print retrieved data from vault
debug:
var:ipavault.vault.data
```
Example playbook to make sure vault data is absent in a symmetric vault:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
password:SomeVAULTpassword
action:member
state:absent
```
Example playbook to change the password of a symmetric:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
old_password:SomeVAULTpassword
new_password:SomeNEWpassword
```
Example playbook to make sure vault is absent:
```yaml
---
- name:Playbook to handle vaults
hosts:ipaserver
become:true
tasks:
- ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
state:absent
register:result
- debug:
msg:"{{ result.vault.data }}"
```
Variables
=========
ipavault
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of vault name strings. | yes
`description` | The vault description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`new_password_file` | File containing Base64 encoded new Vault password. | no
`public_key ` \| `vault_public_key` \| `old_password_file` | Base64 encoded vault public key. | no
`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
`private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
`private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
`salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
`user` \| `username` | Any user can own one or more user vaults. | no
`service` | Any service can own one or more service vaults. | no
`shared` | Vault is shared. Default to false. (bool) | no
`users` | Users that are members of the vault. | no
`groups` | Groups that are member of the vault. | no
`services` | Services that are member of the vault. | no
`data` \|`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
`in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
`out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `retrieved`, default: `present`. | no
Return Values
=============
ipavault
--------
There is only a return value if `state` is `retrieved`.
Variable | Description | Returned When
-------- | ----------- | -------------
`vault` | Vault dict with archived data. (dict) <br>Options: | If `state` is `retrieved` and `out` is not defined.
| `data` - The vault data. | Always
Notes
=====
ipavault uses a client context to execute, and it might affect execution time.
This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`. Also modules for topology management.
This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`. Also modules for group, host, topology and user management.
**Note**: The ansible playbooks and roles require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
@@ -11,12 +11,38 @@ Features
* Cluster deployments: Server, replicas and clients in one playbook
* One-time-password (OTP) support for client installation
* Repair mode for clients
* Backup and restore, also to and from controller
* Modules for config management
* Modules for delegation management
* Modules for dns config management
* Modules for dns forwarder management
* Modules for dns record management
* Modules for dns zone management
* Modules for group management
* Modules for hbacrule management
* Modules for hbacsvc management
* Modules for hbacsvcgroup management
* Modules for host management
* Modules for hostgroup management
* Modules for location management
* Modules for permission management
* Modules for privilege management
* Modules for pwpolicy management
* Modules for role management
* Modules for self service management
* Modules for service management
* Modules for sudocmd management
* Modules for sudocmdgroup management
* Modules for sudorule management
* Modules for topology management
* Modules fot trust management
* Modules for user management
* Modules for vault management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.6 and up are supported by all roles.
FreeIPA versions 4.6 and up are supported by all roles.
The client role supports versions 4.4 and up, the server role is working with versions 4.5 and up, the replica role is currently only working with versions 4.6 and up.
@@ -26,12 +52,14 @@ Supported Distributions
* RHEL/CentOS 7.4+
* Fedora 26+
* Ubuntu
* Debian 10+ (ipaclient only, no server or replica!)
Requirements
------------
**Controller**
* Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
* /usr/bin/kinit is required on the controller if a one time password (OTP) is used
* python3-gssapi is required on the controller if a one time password (OTP) is used with keytab to install the client.
**Node**
@@ -41,11 +69,11 @@ Requirements
Limitations
-----------
**External CA**
**External signed CA**
External CA support is not supported or working. The currently needed two step process is an issue for the processing in the role. The configuration of the server is partly done already and needs to be continued after the CSR has been handled. This is for example breaking the deployment of a server with replicas or clients in one playbook.
External signed CA is now supported. But the currently needed two step process is an issue for the processing in a simple playbook.
Work is planned to have a new method to handle CSR for external CAs in a separate step before starting the server installation.
Work is planned to have a new method to handle CSR for external signed CAs in a separate step before starting the server installation.
Usage
@@ -54,19 +82,61 @@ Usage
How to use ansible-freeipa
--------------------------
The simplest method for now is to clone this repository on the contoller from github directly and to start the deployment from the ansible-freeipa directory:
**GIT repo**
The simplest method for now is to clone this repository on the controller from github directly and to start the deployment from the ansible-freeipa directory:
You can use the roles directly within the top directory of the git repo, but to be able to use the management modules in the plugins subdirectory, you have to either adapt `ansible.cfg` or create links for the roles, modules or directories.
ansible-freeipa/plugins/modules to ~/.ansible/plugins/
ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
```
**RPM package**
There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
**Ansible galaxy**
This command will get the whole collection from galaxy:
Installing collections using the ansible-galaxy command is only supported with ansible 2.9+.
The mazer tool can be used for to install the collection for ansible 2.8:
```bash
mazer install freeipa.ansible_freeipa
```
Ansible galaxy does not support the use of dash ('-') in a name and is automatically replacing this with an underscore ('\_'). Therefore the name is `ansible_freeipa`. The ansible_freeipa collection will be placed in the directory `~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa` where it will be automatically be found for this user.
The needed adaptions of collection prefixes for `modules` and `module_utils` will be done with ansible-freeipa release `0.1.6` for galaxy.
The roles provided by ansible-freeipa are not available in ansible galaxy so far.
Ansible inventory file
----------------------
The most important parts of the inventory file is the definition of the nodes, settings and the topology. Please remember to use [Ansible vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.
The most important parts of the inventory file is the definition of the nodes, settings and the management modules. Please remember to use [Ansible vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.
**Master server**
@@ -84,7 +154,7 @@ ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
```
The admin principle is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
The admin principal is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
You can also add more setting here, like for example to enable the DNS server or to set auto-forwarders:
```yaml
@@ -100,8 +170,9 @@ ipaserver_install_packages=no
ipaserver_setup_firewalld=no
```
The installation of packages and also the configuration of the firewall are by default enabled.
Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
For more server settings, please have a look at the [server role documentation](SERVER.md).
For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md).
**Replica**
@@ -175,8 +246,9 @@ ipareplica_setup_firewalld=no
```
The installation of packages and also the configuration of the firewall are by default enabled.
Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
For more replica settings, please have a look at the [replica role documentation](REPLICA.md).
For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md).
**Client**
@@ -215,7 +287,7 @@ To enable the generation of the one-time-password:
ipaclient_use_otp=yes
```
For more client settings, please have a look at the [client role documentation](CLIENT.md).
For more client settings, please have a look at the [client role documentation](roles/ipaclient/README.md).
**Cluster**
@@ -308,7 +380,7 @@ If Ansible vault is used for passwords, then it is needed to adapt the playbooks
state: present
```
It is also needed to provide the vault passowrd file on the ansible-playbook command line:
It is also needed to provide the vault password file on the ansible-playbook command line:
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
