The Variables and also the Return Variables sections contained an extra
header with the module name. This is only needed if there are more than
one module in the README.
automount location was missing in README.md in the feature and also in
the README link section.
The links for location, permission, privilege and selfservice have been
wrongly using the ipa prefix for the module
The removal of group or hostgroup orphans has been added to the automember
module.
It can be ensured that orphans have been removed using action: orphans_removed
The automember_type needs to be set for this.
New examples have been added to README-automember.md
New playbooks:
- playbooks/automember/automember-group-orphans-removed.yml
- playbooks/automember/automember-hostgroup-orphans-removed.yml
New tests:
- tests/automember/test_automember_orphans_removed.yml
The fallback group and hostgroup for unmached entries can be set and
unset using default_group. If default_group is empty, then the default
group will be unset.
DN and ipa_get_based provided by ansible_freeipa_module are used in the
code.
New parameters:
- default_group: Default (fallback) group for all unmatched entries.
New parameters and examples have been added to README-automember.md
New playbooks:
- playbooks/automember/automember-default-group-not-set.yml
- playbooks/automember/automember-default-group-set.yml
- playbooks/automember/automember-default-hostgroup-not-set.yml
- playbooks/automember/automember-default-hostgroup-set.yml
New tests:
- tests/automember/test_automember_default_group.yml
There was state: rebuild before, but the code was incomplete and was not
able to run properly.
New parameters:
- users: Limit the rebuild to the given users only
- hosts: Limit the rebuild to the given hosts only
- no_wait: Don't wait for rebuilding membership
New parameters and examples have been added to README-automember.md
tests/automember/test_automember_client_context.yml has been using
state: rebuild and lacked the automember_type parameter.
grouping was used in functions and has been replaced by automember_type.
Some typos in examples have been fixed also.
New playbooks:
- playbooks/automember/automember-group-membership-all-users-rebuilt.yml
- playbooks/automember/automember-group-membership-users-rebuilt.yml
- playbooks/automember/automember-hostgroup-membership-all-hosts-rebuilt.yml
- playbooks/automember/automember-hostgroup-membership-hosts-rebuilt.yml
New tests:
- tests/automember/test_automember_rebuilt.yml
These functions have been added to get the basedb from api.env for use
with DN for example.
api_get_basedn is returning api.env.basedn
IPAAnsibleModule.ipa_get_basedn is a wrapper for api_get_basedn
These are indent issues, one item per line for argument_specs items
containing options dicts and missing or overflow spaces for comments
and dict delimiters.
These are skips for python 2.6 with import-2.6!skip and
compile-2.6!skip, ignores for the exit_raw_json function in
ansible_freeipa_module.py for use with ipavault, the ignore of using
automatic field numbering for the string format function, the use of
string split without maxsplits (not working in Python2), skips of the
shebang tests for scripts in tests and utils and the ignore of missing
collection_name for deprecate function calls in
ansible_freeipa_module.py.
The example didn't work for me with the following error (on freeipa 4.9.8):
TASK [display default login shell] **************************************************************************************************
fatal: [freeipa1.example.org]: FAILED! => {"msg": "
The task includes an option with an undefined variable. The error was: 'dict object' has no attribute 'defaultlogin'
Using the correct variable defaultshell works for me.
This PR refactors ipaservice to reduce the number of variables (in
favor of a 'struct') and to group member management code so that it
can be leveraged, and not partially duplicated, between the states
and actions.
Altough this code is less direct that the previous one, it will reduce
the number fo changes to be made if changes to member management is
required.
When using ipaclient role under Debian 10 (Buster), it is required
that the python interpreter is set to Python 2.7 as freeipa-client
package pulls in Python 2.7 dependencies, and does not work with
Python 3.
This patch adds configuration to properly set python interpreter.
Based on the work by Marc Richter (@The-Judge on Github).
Fix issue #607.
Ubuntu Bionic Beaver must use python2 as Python interpreter due to
the way python-ipalib package is defined.
Before using the role for installation, one must install package
python2.7 before executing this role.
Based on the work by Manuel Laurent (@mlaurent205 on Github).
When managing ipaservice members, gen_add_del_lists, gen_add_list and
get_intersection_list should be used and the result tested for empty
sets so already existing or missing members are not added or removed
again.
This changes fixes this behavior, by applying these functions to all
ipaservice members.
`Shellcheck` is a linter tool for shell scripts that is also used in
Automation Hub.
This change adds a pre-commit hook to run shellcheck on shell scripts.
The hook uses a Docker image, which needs to be downloaded on the first
run. It works well with `podman`.
The link for plugins/modules/ipabackup_get_backup_dir.py from
roles/ipabackup/library/ipabackup_get_backup_dir.py was left over
after the script finished.
This patch add several deprecate warnings to FreeIPABaseModule, and
creates adapters to ease conversion of client classes to
IPAAnsibleModule.
There is no 'ipa_commands' management in IPAAnsibleModule, as 'command's
is a list of tuples containing '(command, name, args)', and should be
managed by the module itself. Commands with no arguments should use an
empty dictionary as 'args'.
The 'ipa_run' method should be replaced by:
```
exit_args = {}
ipaapi_context = self.params_get("ipaapi_context")
with self.ipa_connect(context=ipaapi_context):
self.check_ipa_params()
self.define_ipa_commands()
changed = self.execute_ipa_commands(
self.ipa_commands,
result_handler=my_custom_handler,
exit_args=exit_args
)
self.exit_json(changed=changed, **exit_args)
```
The 'process_command_result' method should be changed to a result
handler:
```
def my_result_handler(self, result, command, name, args, exit_args):
"""Process command result.""'
```
Use of 'ipa_params' should be replaced by IPAAnsibleModule.params_get.
If 'get_ipa_command_args' is used, then the mapping can be created with
class IPAParamMapping (formelly AnsibleFreeIPAParams), which also
enables the same property-like usage of 'ipa_params':
```
param_mapping = IPAParamMapping(module, mapping)
```
The goal is to have all ansible-freeipa modules using the same codebase,
reducing code duplication, and allowing better object composition, for
example, with the IPAParamMapping class.
Currently, upstream CI test documentation against different Ansible
versions, but playbook tests are only executed with Ansible 2.9 series.
This patch add support for running playbook tests against Ansible 2.9,
ansible-core 2.11, and against latest version of Ansible.
As running all the tests for every PR would take too long, the tests
for every PR use only Anisble 2.9, and are executed on Fedora-latest
and CentOS 7 and 8.
A new pipeline for nightly tests was added, which runs the tests in the
same distros, using Ansible 2.9, latest and Ansible-core 2.11.
Many module member attributes must be handled in a case insensitive
manner. To ease handling these cases, a function and a method to get
the module parameters converted to lowercase is provided.
If a task with 'action: automember' tried to modify an automember rule
and did not provide either 'inclusive' or 'exclusive' parameters, the
regex for the missing arguments would be removed.
This patch fixes this behavior to only modify those parameters that
were set on the task, and leave the missing parameters in the state
they were before the task.
Tests have been updated to verify expected behavior.
Reference: https://bugzilla.redhat.com/show_bug.cgi?id=1976922
When setting 'runasuser' or 'runasgroup' for a sudorule, either IPA or
external users and groups can be used, but only IPA users and groups
were being searched for when modifying the attributes, making this task
not idempotent if an external group or user was used..
This patch fixes this issue by comparing users and groups to the IPA
and external setting.
The IPA CLI commands are slightly confusing, as the sudorule-add and
sudorule-mod display separate options for internal and external users
and groups, but these options are deprecated and do not work anymore,
in favor of sudorule-add-runasuser and sudorule-add-runasgroup, which
don't diferentiate between internal and external users, from the CLI
user perspective.
This patch removes the custom command result handler in favor of the
IPAAnsibleModule default member handler and fixes creation of add and
del lists of permissions, fixing the behavior of the moudule execution
when 'check_mode: yes'.
When creating the lists to add/remove principal aliases, if the realm
was not specified, the alias would be used as it did not matched the
existing one, which has the realm part.
This patch fixes the add/del list creation by adding the current API
realm to each alias that does not have the realm part and then use
this modified list to be compared against the existing principal list.
This change also allows the use of the whole list in a single call to
the IPA API to add/remove the principals, instead of a call for every
one item in the list.
If roles have been used after vars, the name of the role was not changed
as the "vars:" section was turning off changeable. A "roles:" section is
now turning on changeable.
All modules should use the same description for IPA API connection
variables. This change add description for ipaapi_context and
ipaapi_ldap_cache variable to the module README templates.
The items in extends_documentation_fragments of the modules need to
have the proper galaxy prefix.
The documentation fragment
- ipamodule_base_docs
needs to be changed to
- ${collection_prefix}.ipamodule_base_docs
This patch adds support for configuring IPA API connection use of
LDAP cache. It adds a new variable 'ipaapi_ldap_cache' to the base
module, and provides the variable documentation in its doc fragment.
This change adds a keyword parameter to api_connect() which can be
used to configure IPA API connection, for example, controlling the
use of LDAP cache, by passing 'ldap_cache' as an argument.
Also, IPAAnsibleModule is modified to automatically filter all
parameters of the module starting with 'ipaapi_' to be used as
arguments to configure api_connect(). The argument name will have
the same name as the module parameter with 'ipaapi_' stripped off.
Almost all modules require an algorithm ta validade if the user
provided arguments for the playbook are valid for the requested
state and/or action.
This patch provides a function that tests if any of a list of
arguments were set, and fail with a standardized message, making
all modules fail in the same way.
When running the tests that can be executed either on server or client
context, without defining 'ipa_context', the context is automatically
identified.
Currently, the tests in upstream CI run only on a server, and the
context is identified as "server" context, and in order to run the test
using a client context 'ipa_context' must be set to 'client'.
This patch fixes all the client context tests by correctly setting
ipa_context when running the client context tests in a server host.
When running pylint against 'setup.py' it warns that an import is
not used. While it is not directly used, this is a fix for an issue
with older versions of Python, so this change tells pylint to ignore
the error.
As of September, 2021, Ansible-lint cannot evaluate task files which
included through `include_tasks`, as it fails syntax-check.
This change exclude evaluation of these files (`env_*`) when evaluating
files before commit (pre-commit).
This patch modifies configuration of both ansible-lint and yamllint
to check for more rules, resulting in a more strict verification.
For ansible-lint verification of errors 301, 305 and 505 are skipped,
due to false positives. For the same reason, 'experimental' rules
are skipped.
ansible-lint error 306 is skipped since the fix is to set pipefail,
which is not available in all shells (for example dash, which runs
ansible-freeipa CI).
Yamllint disabled rules (comments, and indentation) would introduce a
huge amount of small changes, and are left for future changes, it
deemed necessary.
This patch fixes yamllint's "line too long" (line-lenght) warnings
by ensuring all lines in YAML files have, at most, 160 characters.
If a line cannot be written as a multiline block, line-length rule
evaluation is disabled for the specific line, both on yamllint and
on ansible-lint.
Update vault README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/vault/test_vault_client_context.yml
As `ipavault` only works in client context, an error is raised if it
is explicitly executed in a server context.
Update selfservice README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/selfservice/test_selfservice_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update service README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/service/test_service_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update user README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/user/test_user_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update trust README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/trust/test_trust_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update sudorule README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/sudorule/test_sudorule_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update sudocmdgroup README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/sudocmdgroup/test_sudocmdgroup_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update sudocmd README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/sudocmd/test_sudocmd_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update server README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/server/test_server_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update role README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/role/test_role_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update pwpolicy README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/pwpolicy/test_pwpolicy_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update privilege README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/privilege/test_privilege_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update permission README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/permission/test_permission_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Due to differences in data returned when running in a client context,
some values had to be modified so that comparision works and an
unnecessary call to IPA API is executed.
Update location README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/location/test_location_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hostgroup README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hostgroup/test_hostgroup_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update host README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/host/test_host_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hbacsvcgroup README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hbacsvcgroup/test_hbacsvcgroup_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hbacsvc README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hbacsvc/test_hbacsvc_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update hbacrule README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/hbacrule/test_hbacrule_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update group README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/group/test_group_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update dnszone README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnszone/test_dnszone_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Due to differences in data returned when running in a client context,
verification if zone is active had to be modified.
Update dnsrecord README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnsrecord/test_dnsrecord_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update dnsforwardzone README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnsforwardzone/test_dnsforwardzone_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Due to differences in data returned when running ipadnsforwardzone in
a client context, some values had to be modified so that comparision
works, avoiding unnecessary IPA API calls.
Update dnsconfig README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/dnsconfig/test_dnsconfig_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update delegation README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/delegation/test_delegation_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
Update config README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/config/test_config_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
As the tests for ipaconfig may render the server in an inconsistent
state if they fail, the tests in tests/config/test_config.yml were
wrapped in a way that if one test fails, the default FreeIPA
configuration is restored to the server.
Update automountlocation README file and add tests for executing plugin
with `ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/automountlocation/test_automountlocation_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
The doc strings for the examples have not been good enough to express
that the module is requiring an existing server and that is not able to
deploy a new server.
This patch fixes setting ipaserver_domain and ipaserver_realm facts for
iparole tests, fixing variable evaluation and allowing the tests to be
executed even if `gather_facts: no`.
Update automember README file and add tests for executing plugin with
`ipaapi_context` set to `client`.
A new test playbook can be found at:
tests/automember/test_automember_client_context.yml
The new test file can be executed in a FreeIPA client host that is
not a server. In this case, it should be defined in the `ipaclients`
group, in the inventory file.
This patch adds a new fact `ipa_host_is_client`, available in the
include task file `env_freeipa_facts.yml`.
The variable `ipa_host_is_client` is set to TRUE if the client host
is not an IPA server (primary or replica). It can be used if a test
cannot be executed in a server, independent of the value set to
`ipaapi_context`.
Add a new configuration variable, `ipaapi_context` to IPAAnsibleModule
base specs, accepting only 'server' or 'client' values.
By using this variable, an user can select the environment context in
which the module will execute, server or client. This change will allow
configuration of the server without requiring login access (e.g. `ssh`)
to the server.
The default behavior is to use a `server` context, but this behavior
can be modified by the plugin, if it sets the `context` parameter when
connecting to IPA API.
ipaclient_setup_nss is using the nosssd_files dict if sssd is disabled
with no_sssd.
The nosssd_files dict is generated in ipaclient_test and used in
ipaclient_setup_nss. So far ipaclient_setup_nss was using nosssd_files
from ipaclient installer, which was always None.
As the server name was hard coded, when running tests for ipasever
module using a server not name as 'ipaserver', the tests would fail.
This patch allows the configuration of the server name using the
variable 'ipa_server_name', and if not provided, try to infer the name
from the ansible_hostname variable, or, if not possible, defaults to
'ipaserver'.
The same behavior is applied to 'ipasever_domain', with the default
being 'ipa.test'.
Currently, if a test fails during execution of ipaconfig playbook
tests, or if the failed task is the task reverting to the original
configuration fails, the testing host might be left in a state that
may cause other tests to fail due to the inconsistent configuration
state.
This patch ensures that if a test fails, a known configuration, the
same as used is the default installation of FreeIPA used in upstream
CI, is applied to the host, providing safe environment for testing.
The nonposix, posix and external parameters need to be mutually
exclusive. external was missing in this list. Only one of the three
parameters can be used.
external can not be set to no/false. This results in an error now.
if nonposix is used, posix is set as not nonposix. The nonposix
parameter is not used within the code anymore..
New tests have been added to tests the addition of users with for
nonposix and posix groups. The tests for the external group is not
active due to the need of an AD.
Fixes: #528 (Error creating nonposix group)
When retrieving IPA configuration using ipaconfig module, a few
variables were not returning, and some data had the wrong data format.
This patch fix both issues and apply some refactoring, as data was
being retrieved from IPA API in different places using different
methods.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
Use gen_add_list and gen_intersection_list for sudocmd member handling,
to reduce the add lists to only the new and del lists only to existing
entries.
This enables to remove the ignores for "already a member" and
"not a member" errors.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
This patch adds ansible-core version to 2.11 when evaluating
documentation with ansible-doc-test, so both 2.9 (ansible) and
2.11 (ansible-core) are covered when testing documentation,
along with the latest Ansible version available.
In the provided example for the class documentation, the parameters
passed to the `ipa_command` method were wrong, as a single list was
used instead of a parameter list.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
execute_ipa_commands replces the check mode exit, the loop over the
generated commands and also in the member failure handling for modules
with member support.
The staticmethod member_error_handler is handing the default member
related failures that can occur for modules with member support.
This can simply be enabled with fail_on_member_errors=True for
execute_ipa_commands.
An exception handler is also now usable with execute_ipa_commands. In
addition to the the exception it is also getting the same user defined
arguments that the result_handler is getting.
handle_result has been renamed in result_handler and handle_result_user_args
has been renamed to handlers_user_args.
Additionally the errors list does not need to be defined in the module.
The method execute_ipa_commands is doing this internally and is also
adding error: error to handlers_user_args if the handler is having errors
in the argspec and errors is not yet set in handlers_user_args.
Tests have been added to make sure that no user args for the handler
have been set without an own result or exception handler. Also the use of
fail_on_member_errors together with a result_andler is leading to an
error.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
Moved ipamodule_base_spec into IPAAnsibleModule.
This simplifies to add addtitional base vars to derived classes without
the need to dusplicae the code to extend argument_spec.
Removed execute_api_command.
This is not used anymore.
Removed get_ipamodule_base_vars.
This is not used anymore.
Removed self.ipaadmin_* and self.ccache_* from IPAAnsibleModule.__init__
These are not used and therefore can be removed.
execute_ipa_commands executes IPA API commands from the given command
list. With the handle_result and handle_result_user_args it is possible
to have a handling of the result return by the ipa commands for example
to return passwords.
Parameters
commands: list of string tuple
The list of commands in the form (name, command and args)
For commands that do not require a 'name', None needs be
used.
handle_result: function
The user function to handle results of the single commands
handle_result_user_args: dict (user args mapping)
The user args to pass to handle_result function
Example (ipauser module)
def handle_result(result, command, name, args, exit_args):
if "random" in args and command in ["user_add", "user_mod"] \
and "randompassword" in result["result"]:
exit_args.setdefault(name, {})["randompassword"] = \
result["result"]["randompassword"]
exit_args = {}
changed = module.execute_ipa_commands(commands, handle_result,
exit_args=exit_args)
if len(names) == 1:
ansible_module.exit_json(changed=changed,
user=exit_args[names[0]])
else:
ansible_module.exit_json(changed=changed, user=exit_args)
By making IPAAnsibleModule the base class of FreeIPABaseModule, instead
of AnsibleModule, some methods on FreeIPABaseModule can be removed and
suport for commom parameters in modules using the older class can use
the same commom parameters (ipaadmin_principal and ipaadmin_password)
as the other parameters. This will also allow easier deprecation of
FreeIPABaseModule, which is hard to maintain.
To be able to use IPAAnsibleModule as the base class, it was moved
within the file, to position before FreeIPABaseModule declaration.
This patch also modifies IPAAnsibleModule by:
* removing usage of `self` in methods not requiring it, turning
the methods into @statimethod;
* adding comments to all the methods in IPAAnsibleModule, which
makes it easier to understand what the individual methods do,
and what their parameters represent.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
ipaadmin_variables are handled by IPAAnsibleModule,
ansible_module.params_get is used to get the parameters and
ansible_module.ipa_connect is used to simplify the module.
Use IPAAnsibleModule and ipamodule_base_docs in the templates of
utils/new_module.
ipaadmin_password lines in the examples have been added, ipaadmin_
variables are handled by IPAAnsibleModule, ansible_module.params_get is
used to get the parameters and ansible_module.ipa_connect is used to
simplify the module.
ipamodule+member.py.in is additionally using gen_add_list and
gen_intersection_list to reduce the command calls to the changes only.
This class is an extended version of the Ansible Module that provides
IPA specific methods to simplify module generation.
Simple example:
from ansible.module_utils.ansible_freeipa_module import \
IPAAnsibleModule
def main():
ansible_module = IPAAnsibleModule(
argument_spec=dict(
name=dict(type="str", aliases=["cn"], default=None),
state=dict(type="str", default="present",
choices=["present", "absent"]),
),
)
# Get parameters
name = ansible_module.params_get("name")
state = ansible_module.params_get("state")
# Connect to IPA API
with ansible_module.ipa_connect():
# Execute command
if state == "present":
ansible_module.ipa_command(["command_add", name, {}])
else:
ansible_module.ipa_command(["command_del", name, {}])
# Done
ansible_module.exit_json(changed=True)
if __name__ == "__main__":
main()
ansible-freeipa modules should work without superuser privileges in
most cases, and to reflect this, the module tests should avoid using
`become: yes`.
This PR change the test playbook templates to use `become: no` by
default, so only modules that require superuser privileges will need
to change this variable.
This PR sets pylint to version 2.10.2 in all linter actions, and
fixes code in plugins so that this version new checks are either
satisfied or ignored if needed.
When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.
Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.
This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.
For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.
Fix issue #573. Fix issue #523.
When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.
Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.
This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.
For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.
Fix issue #573. Fix issue #523.
When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.
Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.
This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.
For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.
Fix issue #573. Fix issue #523.
When loading variables in all ansible-freeipa roles, it is expected
that a file with these variables is present for each supported Linux
distribution, and then, based on the information about the distribution
provided by Ansible, the correct file is loaded.
Previously, only the facts `distribution` and dinstribution version
related facts were used, which required specific files, or links to
files for distributions in the same "family", which will probably have
the same variables set.
This change adds searching for files based on the `os_family` fact,
allowing distributions that follow the same family rules to be
supported, without any changes to the codebase. It is still possible
that a specific distribution configuration overrides the default
behavior, as `os_family` has lower priority than `distribution`.
For example, distributions on the `RedHat` family, like Oracle Linux,
Alma Linux, and Rocky Linux, work withoutadding new files, or links to
files, to fill the `vars`.
Fix issue #573. Fix issue #523.
Some YAML files used in the project are not Ansible playbooks and
should not be evaluated by ansible-lint. This change add the paths
and files that should not be evaluated to an exclude list, that
affects linter operations in CI and pre-commit scripts.
There are common parameters in all modules like ipaadmin_principal and
ipaadmin_password. As this list of common parameters will be extended
soon, there is a need to reduce the code and documentation duplicates.
A ModuleDocFragment is added to provide the module documentation for the
common parameters. This is used in the modules with
extends_documentation_fragment.
ansible_freeipa_module has additional ipamodule_base_spec and
get_ipamodule_base_vars. ipamodule_base_spec extends argument_spec in
the module and get_ipamodule_base_vars is used to return a dict
containing the common parameters.
Use gen_add_list and gen_intersection_list for host, hostgroup, user,
group, allow_sudocmd, allow_sudocmdgroup, deny_sudocmd, deny_sudocmdgroup,
sudooption, runasuser, runasgroup and res_find member handling.
The functions are used to reduce the add lists to the new entries
only and the delete lists to the entries that are in the user and
the show list result.
This enables to remove the ignores for "already a member" and
"not a member" errors..
Single hostnames can be used for hbacrule_add_host and will match fqdn
in IPA internally. Simple host names have to be extended to be FQDN to
be able to compare them for _host_add and _host_remove.
Two new functions have been added to ansible_freeipa_module:
- api_get_domain - Get the domain from the api
- ensure_fqdn - Extend a single name with the domain
This fixes#617 - hbacrule_add_host: already a member
json_query is not part of Ansible Core. As this is the only used module
that is not in Core it has been replaced by constructig a new dict with
the needed user names from users dict using a loop and set_fact.
Modules that support `state: renamed` have `new_name` as an alias
for the `rename` variable. This patch makes ipapermission consistent
with other modules.
There is a new automount location management module placed in the plugins folder:
plugins/modules/ipaautomountlocation.py
This module allows to ensure presence and absence of automount locations
that act as containers for automount onjects in ipa.
Here is the documentation for the module:
README-automountlocation.md
New example playbooks have been added:
playbooks/automount/automount-location-absent.yml
playbooks/automount/automount-location-present.yml
New tests for the module:
tests/automount/test_automountlocation.yml
The automember_add_condition and automember_remove_condition commands
are not verifying condition keys in all cases. This is for example not
done in the removal case if a condition is not part of the automember
rule.
For consistent behaviour this needs to be done in the automember module
now. The condition keys are verified with the user and group aciattrs
returned by the API command json_metadata now.
Related: RHBZ#1976926
All ansible-freeipa modules should support 'check_mode: yes', but
the support for creating modules with this was absent in the base
class.
This patch adds such support, to use it, 'supports_check_mode=True'
must be passed to the constructor when creating the module object.
result["failed"] is used only for INCLUDE_RE, EXCLUDE_RE if entries could
not be added that are already there and it entries could not be removed
that are not there.
All other issues like invalid attributes etc. are handled as exceptions.
Therefore the error section is not here as in other modules.
Fixes RHBZ#1979626
Currently, we rebuild the container images everyday, at midnight,
which ensures that we have all the latest changes from every distro
supported in CI.
This approach works fine for the upstream CI, but if we want to use
the CI images to test modules in a local container, for example, as
proposed by PR #556, updating the images daily means that there will
be much more images download that would not be needed, as the public
cloud images of supported distros don't change so often.
This patch proposes to change the build rate from daily to weekly,
reducing the need to download images by users, while still using a
good update window.
It should be noted that, if required, the images can be rebuilt
manually, so any urgent fix is added to the CI images.
Instead of ignoring errors it is better that we specific evaluate
errors provided by negative tests. This patche removes the an
occurrence of 'ignore_errors: true' in ansible-freeipa tests.
The parameters in the inclusive and exclusive dicts are not defined and
also not checked. Therefore it is possible to have parameters in the
dicts that are not used.
The dicts for the inclusive and exclusive parameters are now defined and
also added to the description.
Ansible 2.11 does not like to have empty dependencies. It will fail to
install the collection with "'NoneType' object has no attribute 'items'"
error. The empty dependencies have been removed.
The requirements for ansible in requirements.txt have been removed also.
Fixes#571 (error installing freeipa-ansible_freeipa-0.3.6.tar.gz)
Up to now a python snippet was used to get IPA_BACKUP_DIR from ipaplatform
but this was not working when ansible_facts was false due to not getting
ansible_python_interpreter set.
The module version is also working if gather_facts is turned off.
This patch modify Github 'lint' workflow to execute each linter
verifications as a separate job. This will allow us to easily see
which linter has failed, and ensure that all are executed, even
if one fails.
There is a new automember management module placed in the plugins folder:
plugins/modules/ipaautomember.py
The automember module allows to ensure presence or absence of automember rules
and manage automember rule conditions.
Here is the documentation for the module:
README-automember.md
New example playbooks have been added:
playbooks/automember/automember-group-absent.yml
playbooks/automember/automember-group-present.yml
playbooks/automember/automember-hostgroup-absent.yml
playbooks/automember/automember-hostgroup-present.yml
playbooks/automember/automember-hostgroup-rule-absent.yml
playbooks/automember/automember-hostgroup-rule-present.yml
New tests for the module:
tests/automember/test_automember.yml
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
For the "Duplicate names in users failure test" failed_when: not
result.failed has been added as this test needs to fail.
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
Fixed also "User test cert members present again" task, it was failing
due to also having first and last parameters with action: member.
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
Only renamed again may not use failed_when result.failed as the rename
can not be idempotent.
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
failed_when result.failed can not be used for the unknown user test
with membermanager_user as this needs to fail.
For failed_when result.failed should be used to make sure that
the task fails if there was an error.
For the duplicate names in hosts test failed_when: not result.failed has
been added as this test needs to fail.
For test zones test1, test2 and test3 there is no verification if the
task is setting changed flag and also is not failing. Also the repeated
tests for idempotency are missing.
The test to make sure that the task set the changed flag and did not
fail was missing. Also the repeated task to make sure that the task did
not set the change flag.
The sudorule disabled test is lacking the register and failed_when
lines. The lines have been added to make sure that it is verified
that the task set the changed flag and does not fail.
Use gen_add_list and gen_intersection_list for host, hostgroup,
membermanager_user and membermanager_group member handling.
The functions are used to reduce the add lists to the new entries
only and the delete lists to the entries that are in the user and
the show list result.
This enables to remove the ignores for "already a member" and
"not a member" errors..
Use gen_add_list and gen_intersection_list for user, group, service,
externalmember, membermanager_user and membermanager_group member
handling.
The functions are used to reduce the add lists to the new entries
only and the delete lists to the entries that are in the user and
the show list result.
This enables to remove the ignores for "already a member" and
"not a member" errors..
All instances related to `ansible.module_utils.ansible_freeipa_module`,
which works. Future occurrences, if they happen, will likely not to be
a problem.
Although it is an interesting setup, it currently has too many false
positives, disable comments are not working for duplicate-code, and
there are some expected duplications in the modules.
The no_members parameter is added to args for the api command. But
no_members is never part of res_find from user-show, therefore this
parameter needs to be ignored in compare_args_ipa.
This is needed to prevent an error in the idempotency test where a
user is ensured again with the same settings.
The new argument ignore has been added to compare_args_ipa to ignore
attributes while comparing attributes of the user args and the object
args returned from IPA find or show command.
This code is using changes from
- Wolskie in PR #392
- jake2184 in PR #486
Currently user, group, host, hostgoup, hbacsvc and hbacsvcgroup members
are always added and removed with hbacrule_add_.. and hbacrule_remove_..
if they are given as parameters with action: member.
Now the module is using the new functions gen_intersection_list and
gen_add_list from ansible_freeipa_module to reduce the lists to the items
only that are needed to be added or removed.
The errors "already a member" and "not a member" are not ignored
anymore now while executing the comamnds.
Two new functions have been added for member management in plugins:
gen_add_list(user_list, res_list)
Generate the add list for addition of new members.
gen_intersection_list(user_list, res_list)
Generate the intersection list for removal of existing members.
gen_add_list should be used to add new members with action: members and
state: present. It is returning the difference of the user and res list
if the user list is not None.
gen_intersection_list should be used to remove existing members with
action: members and state: absent. It is returning the intersection of
the user and res list if the user list is not None.
The test preparation failed with "the connection plugin
'community.docker.docker' was not found" in "Setup test container".
"ansible-galaxy collection install community.docker" has been added
to
tests/azure/templates/playbook_tests.yml and
tests/azure/templates/pytest_tests.yml
When `auth-ind` was empty, and it was set to be cleared, it might have
triggered an uncessary change. This change add a test so that `auth-ind`
is set only if needed.
In current implementation, when using `smb: yes`, only a small subset
of the attributes can be used in the playbook. This happened due the
use of `service_add_smb`, which adds a new service and does not modify
an existing one, and not coping with attributes not supported by this
IPA API call.
The implementation was modified so that a service with `smb: true` is
treated like any other service, which, in effect, simplified and fixed
service search, and allowed for the use of the same attributes as with
any service. Although simplified, when using `smb: true` an extra
query is done against the LDAP server, as a second `service_show` is
performed.
Tests have been updated to reflect the new imprlementation.
A dnszone_mod call is always made to set the serial for a zone even if
this serial is set already.
A check is added to make sure that the serial is only set with
dnszone_mod if there is no serial set or if the serial is different.
The "DNS resource record not found" error occurs when a host arecord
or aaaarecord member is ensured to be absent and no dnsrecord entry
for the host exists.
The arecord or aaaarecord item are removed from dnsrecord_args if the
record is not defined in res_find_dnsrecord.
A repeated category reset of usercategory, hostcategory, cmdcaterory,
runasusercategory and hostcategory is resulting in the error
"no modifications to be performed".
The empty categories are now removed from the args if the category is
not set in the sudorule.
ANSIBLE_LIBRARY needs to be set properly for new Ansible version 4.0.0
to make sure that it is able to find the module that is checked.
For every file that needs to be checked, there is a separate ansible-doc
call. ANSIBLE_LIBRARY is set using os.path.dirname on the module_path.
With latest Ansible (4.0.0) it is needed to have a complete path for
ANSIBLE_LIBRARY. It is not good to hard code this in the
.pre-commit-config.yaml file for plugins and also all roles. Instead
it will be set in ansible-doc-test as it knows the path for each file
that is checked.
There is a new server management module placed in the plugins folder:
plugins/modules/ipaserver.py
The server module allows to ensure presence and absence of servers. The
module requires an existing server, the deployment of a new server can
not be done with the module.
DNSName has been added to ansible_freeipa_module in plugins/module_utils
as this is used for locations.
Here is the documentation for the module:
README-server.md
New example playbooks have been added:
playbooks/server/server-absent-continue.yml
playbooks/server/server-absent-force.yml
playbooks/server/server-absent-ignore_last_of_role.yml
playbooks/server/server-absent-ignore_topology_disconnect.yml
playbooks/server/server-absent.yml
playbooks/server/server-hidden.yml
playbooks/server/server-location.yml
playbooks/server/server-no-location.yml
playbooks/server/server-no-service-weight.yml
playbooks/server/server-not-hidden.yml
playbooks/server/server-present.yml
playbooks/server/server-service-weight.yml
New tests for the module:
tests/server/test_server.yml
Change in module_utils/ansible_freeipa_module:
DNSName is imported from ipapython.dnsutil and also added to __all__
Module was raising exceptions when trying to create a new privilege
with permissions. This change fixes the behavior and ensuure
idempotence with trying to create a privilege with the same values.
Tests for this behavior have been appended to:
tests/privilege/test_privilege.yml
There were no test for the arguments of compare_args_ipa() to check
if they were `None`, and they were used in contexts where `None`
would raise exceptions.
A test was added to return `False` if only one of the parameters is
`None`, and `True` if both are None.
IPA translates exception messages and Ansible uses controller's
language to execute plugins on target hosts, and since ansible-freeipa
uses Exceptions messages to detect some errors and/or states, using any
language that has a translation for the required messages may cause the
plugin to misbehave.
This patch modifies ansible_freeipa_module in plugin/module_utils to
force the use of "C" as the language by setting the environment variable
LANGUAGE.
Tests were added to verify the correct behavior:
tests/environment/test_locale.yml
The first test will fail, if ansible_freeipa_module is not patched, with
the message:
host_show failed: nonexistent: host nicht gefunden
This issue is not present if the language selected does not provide
a translation for the eror message.
This patch does not fix encoding issues that might occur in certain
releases (e.g.: CentOS 8.3).
Fix#516
Tests for service certificates were still using pre-generated
certificate files. This patch uses the same approach as other tests,
it generates a certficate, when needed, and use file lookup.
The Github workflow Ubuntu images do not provide Ansible pre-installed
anymore, and this patch forces its installation through Python's pip.
Different jobs were created to test documentation with different
versions of Ansible, currently 2.9 and the latest available.
In CentOS 8 and also Fedora the configuration and start of chrony
fails with
Fatal error : adjtimex(0x8001) failed : Operation not permitted
For more information: https://bugzilla.redhat.com/show_bug.cgi?id=1772053
NTP will not be needed before a separate namespace is used for clocks.
Without this change the "Import variables specific to distribution"
tasks fail with "Could not find file on the Ansible Controller..."
on environments with inject facts disabled.
This changes the tests to run with ansible with
inject_facts_as_vars = false and fixes other roles and playbooks.
Due to commit f3f9672d527008dc741ac90aa465bac842eea08d (ipa-rmkeytab: Check
return value of krb5_kt_(start|end)_seq_get) in IPA 4.9.2 there is a new
error reported for ipa-rmkeytab in case of a non existing keytab file.
Using ipa-rmkeytab now results in the error #7 in this case.
The client role is using ipa-rmkeytab and needs to ignore error #7 also.
Fixes: #510 (ipa-client installation with OTP is failed with error code 7
(keytab: /usr/sbin/ipa-rmkeytab returned 7))
The example playbooks for ipaselfservice were using the wrong module,
ipadelegation. This patch changes the references from ipadelegation
to ipaselfservice on these example playbooks.
Also, the attributes were changed, so the same attributes are used
throughout the examples.
Building containers for CentOS and Fedora were failing due to image
download failure. The container build process was fixed by changing
the base images.
Without explicit installation, Ansible was failing to run on
Azure pipelines. This change explicitly install the latest
Ansible version available through `pip`.
In the near future, Github will use Ubuntu 20.04, for workflows, and
this change will keep the upstream CI environment consistent between
Github and Azure.
Fixed names of sudorule member objects, as they did not match the names provided by IdM.
From: To:
member_host memberhost_host
member_hostgroup memberhost_hostgroup
member_user memberuser_user
member_group memberuser_group
Fixes: #500
A wrong variable was used inside of the while IFS read loops. This
prevented that the modules, playbooks, tasks, example playbooks and also
tests have been adapted for the galaxy release naming scheme.
In `ipapermission` plugin, Some attributtes were not being managed
when `action: member` was enabled.
This patch enable member management for `right`, `rawfilter`,
`filter, and fixes management of `memberof`.
Fix issue #489
When adding A or AAAA records using the compatibility mode with
Ansible's community general plugin, the reverse (PTR) record was
added, but the A/AAAA record was not. This patch fixes the behavior.
Fix issue #491
The attrs handling was not complete and did not support to ensure presence
or absence of attributes with action:member.
The includedattrs and excludedattrs parameters have not been added with
this change as the use of attrs will automatically set includedattrs and
excludedattrs. The includedattrs and excludedattrs parameters are only
usable for managed permissions and duplicating attrs.
The permission module may not handle privileges. An IPA internal only API
has been used for this. The prvilege variable and all related code paths
have been removed.
Fixes: #424 ([Permission Handling] Not able to add additional attributes
with existing attributes)
Fixes: #425 ([Permission Handling] Not able to add member privilege while
adding permission)
There are some issues using a combination of `lookup('file')` and the
`b64encode` filter in Ansible, making tests unstable. This change
removes the usage of b64encode when loading public and private keys
from files in the Vault test playbooks.
Added code to the ipa* plugins to support Ansible's check_mode, by
means of a clean exit before the execution of the actual list of
commands that would otherwise create/update/delete IPA servers
and/or its resources.
Current implementation does not allow the change of an existingi Vault
type. To allow it, data is retrieved from the current vault, the vault
is modifiend, and then, data is stored again in the new vault.
Due to changing the process of modifying a vault, this change also
fixes the update of asymmetric vault keys. To change the key used,
the task must provide the old private key, used to retrieve data,
and the new public_key, used to store the data again. A new alias
was added to public_key (new_public_key) and public_key_file
(new_public_key_file) so that the playbook better express the
intention of the tak.
Vault tests have been updated to better test against the new update
process, and a new test file has bee added:
tests/vault/test_vault_change_type.
In FreeIPA CLI, The attributes `allow_query` and `allow_transfer` can
hold IPv4 or IPv6 address or network address, and the values `none` and
`any`.
This patch adds support for network addresses, `none` and `any`, which
were not supported.
Fix issue #475.
When adding new members to a role, the existing members were removed.
The correct behavior for the "member" action is to add those members,
and substitute the existing ones. This patch fixes this behavior.
Fix#409, #411, #412, #413
According to the testinfra changelog, since version 6.0.0, testinfra
is know as pytest-testinfra, and the use of testinfra is deprecated.
This change will prevent future isses when updating requirements using
`pip`.
Ref: https://testinfra.readthedocs.io/en/latest/changelog.html
Bugbear is a plugin for Flake8 finding likely bugs and design problems.
It contain warnings that don't belong in pyflakes and pycodestyle, and
do not have a PEP or standard behind them.
Ref: https://github.com/PyCQA/flake8-bugbear
This patch disables ansible-lint `always_run` flag, as this was
making patches that did not change any YAML file take longer in
the pre-commit step, as ansible-lint was executed with no parameter,
thus, searching and evaluating all YAML files in the repository.
With this change, if no YAML file is modified, ansible-lint is skipped.
warning[SC2044]: For loops over find output are fragile. Use find -exec
or a while read loop.
warning[SC2164]: Use 'cd ... || exit' or 'cd ... || return' in case cd
fails.
The function get_commit was using the global merge variable instead of
the local commit variable. Therefore it returned the wrong commit
subject for merges without subject.
The parameter options.no_dnssec_validation was set using a bad
parameter name. This lead to not beeing able to turn off dnssec
validation in the replica deployment.
Fixes: #456 (ipareplica_no_dnssec_validation)
With the parameter `args: ['.']`, yamllint would run over every
file during pre-commit, including those not being commited, and it
would allow for false negatives, not allowing a commit, even if
commited yaml files had no issues, but another file, not par of the
commit, had.
By changing the yamllint parameter to `files: \.(yaml|yml)$` it
will only check files being commited, preventing false negatives,
and allowing for faster commits.
This PR fixes the creation of sudocmdgroups when the sudocmds are
specified, allowing groups to be created with sudocmd members in a
single task.
Fix issue #440.
Currently the script is failing with The given path '...' is not valid
if a path is not handled by the script. This is resulting in issues if
module_utils and action plugins are updated for example.
The solution is to simply ignore paths that are not handled.
The common_check function in the replica installer code has been changed
for the new memory checker code. With this the server and replica command
line installers got the option --skip-mem-check.
The server and replica role now also support the memory cheker and there
are new variables for server and replica:
ipaserver_mem_check - for ipaserver
ipareplica_mem_check - for ipaserver
These bool values default to yes and can be turned off in the inventory
or playbook if needed.
Related to freeipa PR https://pagure.io/freeipa/issue/8404 (Detect and
fail if not enough memory is available for installation)
Fixes: #450 (IPA Replica Installation Fails)
Altough configuring DNS and KRA support on the testing server node
provides broad coverage support, it does not represent all scenarios
where ansible-freeipa can be used, for example without DNS support.
This documentation updates removes the requirement for DNS and KRA
support, and highlights what is expected with different configurations.
When using ipahost module with servers where DNS was not configured
it failed to add hosts due to an exception raised on `dnsrecord_show`
that was not being correctly handled.
As the exception was being handled twice, the This patch simply removes
one of the handlers, allowing the exception to propagate to the caller,
where it is handled.
Fixes issue #434.
This PR adds a document with information on how to contribute to
ansible-freeipa development, showing the environment configuration,
available tools, and some guidelines that should be followed.
There was a failure when NAPTR or DLV records where updated,
if the record name had multiple entries. This patch fixes this
behavior, by using the requested record, not the retrieved one.
Tests have been updated to test for this issue on
tests/dnsrecord/test_dnsrecord.yml
Due to an issue with FreeIPA, when modifying the SOA serial attribute
along with other attributes, the value is ignored. In order to have
the value provided, the attribute is set is a later call to dnszone-mod
allowing it to retain the desired value.
Ref: https://pagure.io/freeipa/issue/8489
Examples of dnsforwarzone were using a single string rather than a
dict of values to set attribute `forwarders`. Both source code and
README examples were fixed.
Fix issue #446
The file lookup is by default setting `rstrip=True` which could lead
into a stripped new line. This is not happening always but resulted in
failed tests sometimes with certificates pasted to the b64encode filter.
For calls of lookup in the certificae tests `rstrip=False` has been
added to make sure that this is not happening any more. Not in
test_dnsrecord as lookup(..., rstrip=False) is adding a new line if
there was not a new line and this is an issue for dnsrecord. The user
and host tests have also been simplified to create the base64 encoded
file in the beginning and use this file then later on in the tests
without the need to use the b64encode filter.
Ref: https://github.com/ansible/ansible/issues/57521#issuecomment-502238000
This patch adds another lever of linter checking for ansible-freeipa
by enabling linters to run on the developer machine, before pushing
changes to be evaluated on the CI, allowing code fixes without
wating for CI to run the linters on the repository.
To enable pre-commit hooks, `pre-commit` is used, and was added to
requirements-dev.txt, and can be installed with pip
(`pip install -r requirements-dev.txt`). Once installed, on every
commit, YAML and python files on the commit will be evaluated.
If one needs to bypass the pre-commit linters, `git commit` can be
issued with `--no-verify`.
The linters will not be removed from the CI, as a commit can be
performed without running the checks.
When modifying a record, depending on how the playbook tasks were
arranged, it was possible to end with more records than expected.
This behavior was fixed by modifying the way records are searched
when a modification is requested. This change also allows less calls
find_dnsrecord.
Tests were modified to reflect the changes, and a new test playbook
was added:
tests/dnsrecord/test_dnsrecord_modify_record.yml
Currently the certifaictes are copied ot the server with the complete
path that is provided within the playbook. This could result in
unexpected file placements. Certificates should be placed in the /root
folder for the deployment.
Fixes#405 (copy_external_cert does not handle pathed items)
Information about the backup role and also the config, delegation, dns
config, location, permission, priviledge and self service modules have been
missing in the main README file.
This change add support for running ansible-doc-test on every
commit or PR, ensuring that roles and modules are able to produce
correct documentation with ansible-doc.
The currently used namespace and collection name are hard coded in
utils/build-galaxy-release.sh. They can now be defined as args 1 and 2
and default to freeipa and ansible_freeipa..
FreeIPA 4.8.7 has introduced bind type 'self' as a valid value, and
this PR adds checks so the module fails early if the value is used
with an unsupported version.
Tests and documentation have been updated to reflect the changes.
Some attribute values are only accepted for specific FreeIPA versions,
for example `self` for permission's `bindtype`. Although there are
options to check for command and parameter availability, there is no
check for verifying if a value should be accepted.
This patch add a function to evaluate the target FreeIPA host version,
by comparing a giver version to the current installed one.
The version evaluation uses Python packaging's version comparision,
which is compatible with PEP 440, if available. If not available, it
falls back to a string split, that will work for the most common cases,
but might fail for versions including strings with `rc` or `dev`, for
example.
Due to Ansible filtering out values in the output that might be match
values in sensible attributes that have `no_log` set, if a module need
to return data to the controller, it cannot rely on
`ansible_module.exit_json` if there is a chance that a partial match
may occur.
See: https://github.com/ansible/ansible/issues/71789
The change provided here uses the same implementation that is used on
Ansible's `AnsibleModule.exit_json`, without the data filtering layer,
so every attribute with be printed and, therefore, logged by Ansible.
This is needed for the Vault module, as we need to return values that
are explicit requested by the user and that might, at least partially,
match the values in attributes with `no_log` set.
Tests that reproduced the issue, and show it was fixed were provided
for all Vault types.
Up to now the snippets in the README files, the EXAMPLES in the modules
and also the tests playbooks have not been adapted while building the
collection.
These are the invoved python files:
utils/galaxyfy-README.py
utils/galaxyfy-module-EXAMPLES.py
utils/galaxyfy-playbook.py
utils/galaxyfy.py
utils/galaxyfy.py provides the function galaxyfy_playbook, which has been
extended and is used in galaxyfy-playbook.py, galaxyfy-README.py and
galaxyfy-module-EXAMPLES.py.
There is curently a merge commit without a subject, which leads into a
traceback in the changelog script.
The merge information provides the commit hash, which is now used to get
the subject later on using the generated commits hash.
There is a new backup role in the roles folder:
roles/ipabackup
This role allows to backup an IPA server, to copy a backup from the
server to the controller, to copy all backups from the server to the
controller, to remove a backup from the server, to remove all backups
from the server, to restore an IPA server locally and from the controller
and also to copy a backup from the controller to the server.
Here is the documentation for the role:
roles/ipabackup/README.md
New example playbooks have been added:
playbooks/backup-server.yml
playbooks/backup-server-to-controller.yml
playbooks/copy-backup-from-server.yml
playbooks/copy-all-backups-from-server.yml
playbooks/remove-backup-from-server.yml
playbooks/remove-all-backups-from-server.yml
playbooks/copy-backup-to-server.yml
playbooks/restore-server-from-controller.yml
playbooks/restore-server.yml
When using the ipavault module to retrieve stored data, this data is
often sensitive, and if `no_log` is not enabled on the playbook, the
sensitive data will be logged by Ansible.
This change in de documentation, and playbook examples, suggests the
use of `no_log: true` when using `state: retrieved` with ipavault.
There is a new permission management module placed in the plugins folder:
plugins/modules/ipapermission.py
The permission module allows to ensure presence of absence of permissions
and manage permission members.
Here is the documentation for the module:
README-permission.md
New example plabooks have been added:
playbooks/permission/permission-absent.yml
playbooks/permission/permission-allow-read-employeenum.yml
playbooks/permission/permission-member-absent.yml
playbooks/permission/permission-member-present.yml
playbooks/permission/permission-present.yml
playbooks/permission/permission-renamed.yml
New tests for the module:
tests/permission/test_permission.yml
This patch add support for adding external members to ipagroup which
have the `external` attribute set. It adds another attribute to the
module, `external_members`, which is a list of users or groups from
an external trust, to be added to the group.
This patch requires server-trust-ad to be tested, as such, the tests
have been guarded by a test block, for when such tests are available
in ansible-freeipa CI.
Fixes issue #418
This scrip can be used to generate the changelog text for a new
ansible-freeipa release on github.
usage: Usage: changelog [options] [<new version>]
optional arguments:
-h, --help show this help message and exit
--tag TAG git tag
If the script is used without a givn tag, it will show all the changes since
the last tag. If a tag (this can be a also a commit) is given, then all
changes since this commit are shown.
This script can check modules in roles and also plugins folder to have
a valid documentation section. It is using anisble-doc internally.
usage: Usage: ansible-doc-test [options] [path]
optional arguments:
-h, --help show this help message and exit
-v increase output verbosity
There are different verbose levels:
-v Shows the modules that are tested at the moment.
-vv Shows the modules and also the doc output.
You can use the script to check specific modules, roles or modules in roles.
Here are some examples:
Test specific module with verbose level 1:
$ utils/ansible-doc-test -vv plugins/modules/ipauser.py
Test all modules in plugins folder:
$ utils/ansible-doc-test -v plugins
Test ipaserver_prepare.py in ipaserver role:
$ utils/ansible-doc-test -v roles/ipaserver/library/ipaserver_prepare.py
Test all modules in ipaserver role:
$ utils/ansible-doc-test -v roles/ipaserver
Test all roles:
$ utils/ansible-doc-test -v roles
Test all roles and modules in plugins:
$ utils/ansible-doc-test -v
Public and private key files were created but not removed when testing
the Vault module. This was fixed by adding a task to remove them to
Vault's env_cleanup playbook.
This patch adds Ansible tasks to create and remove self-signed
certificates, instead of using previously created certificates.
The certificates are then `lookup`, instead of being used inline
in the playbooks.
Playbooks are easier to read and maintain with this changes, and
there is no need to change the playbooks, if a certificate expires.
ansible-doc is reporting several issues in modules. Most of them have benn
due to misspelled description key word or due to use of multi line text
without the | in the description line.
When using changing passwords, using password files, the file name was
being used as the password, and not its content. This patch fixes the
behavior to use the contents of the password file.
Tests have been added to ensure the correct behavior.
2020-09-16 20:37:16 -03:00
588 changed files with 19002 additions and 7888 deletions
The automember module allows to ensure presence or absence of automember rules and manage automember rule conditions.
Features
--------
* Automember management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaautomember module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure group automember rule is present with no conditions.
```yaml
---
- name:Playbook to ensure a group automember rule is present with no conditions
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
name:admins
description:"my automember rule"
automember_type:group
```
Example playbook to make sure group automember rule is present with conditions:
```yaml
---
- name:Playbook to add a group automember rule with two conditions
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
name:admins
description:"my automember rule"
automember_type:group
inclusive:
- key:mail
expression:'@example.com$'
exclusive:
- key:uid
expression:"1234"
```
Example playbook to delete a group automember rule:
```yaml
- name:Playbook to delete a group automember rule
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
name:admins
description:"my automember rule"
automember_type:group
state:absent
```
Example playbook to add an inclusive condition to an existing rule
```yaml
- name:Playbook to add an inclusive condition to an existing rule
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
name:"My domain hosts"
description:"my automember condition"
automember_type:hostgroup
action:member
inclusive:
- key:fqdn
expression:".*.mydomain.com"
```
Example playbook to ensure group membership for all users has been rebuilt
```yaml
- name:Playbook to ensure group membership for all users has been rebuilt
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:group
state:rebuilt
```
Example playbook to ensure group membership for given users has been rebuilt
```yaml
- name:Playbook to ensure group membership for given users has been rebuilt
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
users:
- user1
- user2
state:rebuilt
```
Example playbook to ensure hostgroup membership for all hosts has been rebuilt
```yaml
- name:Playbook to ensure hostgroup membership for all hosts has been rebuilt
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:hostgroup
state:rebuilt
```
Example playbook to ensure hostgroup membership for given hosts has been rebuilt
```yaml
- name:Playbook to ensure hostgroup membership for given hosts has been rebuilt
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
hosts:
- host1.mydomain.com
- host2.mydomain.com
state:rebuilt
```
Example playbook to ensure default group fallback_group for all unmatched group entries is set
```yaml
- name:Playbook to ensure default group fallback_group for all unmatched group entries is set
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:group
default_group:fallback_group
```
Example playbook to ensure default group for all unmatched group entries is not set
```yaml
- name:Playbook to ensure default group for all unmatched group entries is not set
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
default_group:""
automember_type:group
state:absent
```
Example playbook to ensure default hostgroup fallback_hostgroup for all unmatched group entries
```yaml
- name:Playbook to ensure default hostgroup fallback_hostgroup for all unmatched group entries
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:hostgroup
default_group:fallback_hostgroup
```
Example playbook to ensure default hostgroup for all unmatched group entries is not set
```yaml
- name:Playbook to ensure default hostgroup for all unmatched group entries is not set
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:hostgroup
default_group:""
state:absent
```
Example playbook to ensure all orphan automember group rules are removed:
```yaml
- name:Playbook to ensure all orphan automember group rules are removed
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:group
state:orphans_removed
```
Example playbook to ensure all orphan automember hostgroup rules are removed:
```yaml
- name:Playbook to ensure all orphan automember hostgroup rules are removed
hosts:ipaserver
become:yes
gather_facts:no
tasks:
- ipaautomember:
ipaadmin_password:SomeADMINpassword
automember_type:hostgroup
state:orphans_removed
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | Automember rule. | yes
`description` | A description of this auto member rule. | no
`automember_type` | Grouping to which the rule applies. It can be one of `group`, `hostgroup`. | yes
`inclusive` | List of dictionaries in the format of `{'key': attribute, 'expression': inclusive_regex}` | no
`exclusive` | List of dictionaries in the format of `{'key': attribute, 'expression': exclusive_regex}` | no
`users` | Users to rebuild membership for. | no
`hosts` | Hosts to rebuild membership for. | no
`no_wait` | Don't wait for rebuilding membership. | no
`default_group` | Default (fallback) group for all unmatched entries. Use the empty string "" for ensuring the default group is not set. | no
`action` | Work on automember or member level. It can be one of `member` or `automember` and defaults to `automember`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, 'rebuilt'. 'orphans_removed' default: `present`. | no
The automountlocation module allows the addition and removal of locations for automount maps
It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
Features
--------
* Automount location management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaautomountlocation module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure presence of an automount location:
```yaml
---
- name:Playbook to add an automount location
hosts:ipaserver
become:true
tasks:
- name:ensure a automount location named DMZ exists
ipaautomountlocation:
ipaadmin_password:SomeADMINpassword
name:DMZ
state:present
```
Example playbook to ensure presence of multiple automount locations:
```yaml
---
- name:Playbook to add an automount location
hosts:ipaserver
become:true
tasks:
- name:ensure a automount location named DMZ exists
ipaautomountlocation:
ipaadmin_password:SomeADMINpassword
name:
- DMZ
- PROD
- development
- test
state:present
```
Example playbook to ensure absence of an automount location:
```yaml
---
- name:Playbook to ensure an automount location is absent
hosts:ipaserver
become:true
tasks:
- name:ensure automount locations LOCATION1 and LOCATION2 do not exist
ipaautomountlocation:
ipaadmin_password:SomeADMINpassword
name:
- LOCATION1
- LOCATION2
state:absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` \| `location` | List of one or more automountlocation names. | yes
`state` | The state to ensure. It can be one of `present`, or `absent`, default: `present`. | no
@@ -56,12 +56,12 @@ Example playbook to read config options:
register:result
- name:display default login shell
debug:
msg:'{{result.config.defaultlogin }}'
msg:'{{result.config.defaultshell }}'
- name:ensure defaultloginshell and maxusernamelength are set as required
ipaconfig:
ipaadmin_password:password
defaultlogin:/bin/bash
defaultshell:/bin/bash
maxusername:64
```
@@ -82,15 +82,14 @@ Example playbook to read config options:
Variables
=========
ipauser
-------
**General Variables:**
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`maxusername` \| `ipamaxusernamelength` | Set the maximum username length (1 to 255) | no
`maxhostname` \| `ipamaxhostnamelength` | Set the maximum hostname length between 64-255. Only usable with IPA versions 4.8.0 and up. | no
`homedirectory` \| `ipahomesrootdir` | Set the default location of home directories | no
@@ -135,13 +135,12 @@ Example playbook to make sure delegation "basic manager attributes" is absent:
Variables
---------
ipadelegation
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `aciname` | The list of delegation name strings. | yes
`permission` \| `permissions` | The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
`attribute` \| `attrs` | The attribute list to which the delegation applies. | no
@@ -119,13 +119,12 @@ Example playbook to disallow synchronization of forward (A, AAAA) and reverse (P
Variables
=========
ipadnsconfig
------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
| `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
| `port` - The custom port that should be used on this server. | no
@@ -47,13 +47,13 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
become:true
tasks:
- name:ensure presence of forwardzone for DNS requests for example.com to 8.8.8.8
- name:ensure presence of forwardzone with a single forwarder DNS server
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
state:present
name:example.com
forwarders:
- 8.8.8.8
- ip_address:8.8.8.8
forwardpolicy:first
skip_overlap_check:true
@@ -63,14 +63,14 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
name:example.com
state:disabled
- name:ensure presence of multiple upstream DNS servers for example.com
- name:ensure presence of forwardzone with multiple forwarder DNS server
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
state:present
name:example.com
forwarders:
- 8.8.8.8
- 4.4.4.4
- ip_address:8.8.8.8
- ip_address:4.4.4.4
- name:ensure presence of another forwarder to any existing ones for example.com
ipadnsforwardzone:
@@ -78,10 +78,19 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
state:present
name:example.com
forwarders:
- 1.1.1.1
- ip_address:1.1.1.1
action:member
- name:ensure the forwarder for example.com does not exists (delete it if needed)
- name:ensure presence of forwardzone with single forwarder DNS server on non-stardard port
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
state:present
name:example.com
forwarders:
- ip_address:4.4.4.4
port:8053
- name:ensure the forward zone is absent
ipadnsforwardzone:
ipaadmin_password:SomeADMINpassword
name:example.com
@@ -91,13 +100,12 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
Variables
=========
ipagroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | Zone name (FQDN). | yes if `state` == `present`
`forwarders` \| `idnsforwarders` | Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
| `ip_address`: The forwarder IP address. | yes
@@ -242,13 +242,12 @@ Example playbook to ensure multiple DNS records are absent:
Variables
=========
ipadnsrecord
------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. | no
required: true
`records` | The list of dns records dicts. Each `records` dict entry can contain **record variables**. | no
@@ -84,7 +84,6 @@ Example playbook to create a DNS zone with all currently supported variables:
- ip_address:8.8.8.8
- ip_address:8.8.4.4
port:52
serial:1234
refresh:3600
retry:900
expire:1209600
@@ -196,13 +195,12 @@ Example playbook to create a zone for reverse DNS lookup, from an IP address, gi
Variables
=========
ipadnszone
----------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `zone_name` | The zone name string or list of strings. | no
`name_from_ip` | Derive zone name from reverse of IP (PTR). Can only be used with `state: present`. | no
`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
`dnszone` | DNS Zone dict with zone name infered from `name_from_ip`. <br>Options: | If `state` is `present`, `name_from_ip` is used, and a zone was created.
@@ -109,6 +109,24 @@ Example playbook to add group members to a group:
- appops
```
Example playbook to add members from a trusted realm to an external group:
```yaml
--
- name:Playbook to handle groups.
hosts:ipaserver
became:true
- name:Create an external group and add members from a trust to it.
ipagroup:
ipaadmin_password:SomeADMINpassword
name:extgroup
external:yes
externalmember:
- WINIPA\\Web Users
- WINIPA\\Developers
```
Example playbook to remove groups:
```yaml
@@ -129,25 +147,25 @@ Example playbook to remove groups:
Variables
=========
ipagroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of group name strings. | no
`description` | The group description string. | no
`gid` \| `gidnumber` | The GID integer. | no
`posix` | Create a non-POSIX group or change a non-POSIX to a posix group. (bool) | no
`nonposix` | Create as a non-POSIX group. (bool) | no
`external` | Allow adding external non-IPA members from trusted domains. (bool) | no
`posix` | Create a non-POSIX group or change a non-POSIX to a posix group.`nonposix`, `posix` and `external` are mutually exclusive. (bool) | no
`nonposix` | Create as a non-POSIX group.`nonposix`, `posix` and `external` are mutually exclusive. (bool) | no
`external` | Allow adding external non-IPA members from trusted domains.`nonposix`, `posix` and `external` are mutually exclusive. (bool) | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`user` | List of user name strings assigned to this group. | no
`group` | List of group name strings assigned to this group. | no
`service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
`membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
`action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
@@ -129,13 +129,12 @@ Example playbook to make sure HBAC Rule login is absent:
Variables
=========
ipahbacrule
---------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of hbacrule name strings. | yes
`description` | The hbacrule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
@@ -91,13 +91,12 @@ Example playbook to make sure HBAC Services for http and tftp are absent
Variables
=========
ipahbacsvc
----------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` \| `service` | The list of hbacsvc name strings. | no
`description` | The hbacsvc description string. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
@@ -129,13 +129,12 @@ Example playbook to make sure HBAC Service Group login is absent:
Variables
=========
ipahbacsvcgroup
---------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of hbacsvcgroup name strings. | no
`description` | The hbacsvcgroup description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
@@ -266,10 +266,10 @@ Example playbook to ensure presence of member managedby_host for serveral hosts:
ipahost:
ipaadmin_password:SomeADMINpassword
hosts:
- name:host01.exmaple.com
managedby_host:server.exmaple.com
- name:host02.exmaple.com
managedby_host:server.exmaple.com
- name:host01.example.com
managedby_host:server.example.com
- name:host02.example.com
managedby_host:server.example.com
action:member
```
@@ -313,13 +313,12 @@ Example playbook to ensure a host is absent:
Variables
=========
ipahost
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `fqdn` | The list of host name strings. `name` with *host variables* or `hosts` containing *host variables* need to be used. | no
**Host variables** | Only used with `name` variable in the first level. | no
`hosts` | The list of host dicts. Each `hosts` dict entry can contain **host variables**.<br>There is one required option in the `hosts` dict:| no
@@ -143,13 +143,12 @@ Example playbook to make sure host-group databases is absent:
Variables
=========
ipahostgroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of hostgroup name strings. | no
`description` | The hostgroup description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
@@ -74,13 +74,12 @@ Example playbook to make sure location "my_location1" is absent:
Variables
---------
ipalocation
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `idnsname` | The list of location name strings. | yes
`description` | The IPA location string | false
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
The permission module allows to ensure presence and absence of permissions and permission members.
Features
--------
* Permission management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipapermission module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure permission "MyPermission" is present:
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission MyPermission is present
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
object_type:host
right:all
```
Example playbook to ensure permission "MyPermission" is present with attr carlicense:
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission "MyPermission" is present with attr carlicense
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
object_type:host
right:all
attrs:
- carlicense
```
Example playbook to ensure attr gecos is present in permission "MyPermission":
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure attr gecos is present in permission "MyPermission"
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
attrs:
- gecos
action:member
```
Example playbook to ensure attr gecos is absent in permission "MyPermission":
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure attr gecos is present in permission "MyPermission"
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
attrs:
- gecos
action:member
state:absent
```
Example playbook to make sure permission "MyPermission" is absent:
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission "MyPermission" is absent
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
state:absent
```
Example playbook to make sure permission "MyPermission" is renamed to "MyNewPermission":
```yaml
---
- name:Playbook to handle IPA permissions
hosts:ipaserver
become:yes
tasks:
- name:Ensure permission "MyPermission" is renamed to "MyNewPermission
ipapermission:
ipaadmin_password:SomeADMINpassword
name:MyPermission
rename:MyNewPermission
state:renamed
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The permission name string. | yes
`right` \| `ipapermright` | Rights to grant. It can be a list of one or more of `read`, `search`, `compare`, `write`, `add`, `delete`, and `all` default: `all` | no
`attrs` | All attributes to which the permission applies. | no
`bindtype` \| `ipapermbindruletype` | Bind rule type. It can be one of `permission`, `all`, `self`, or `anonymous` defaults to `permission` for new permissions. Bind rule type `self` can only be used on IPA versions 4.8.7 or up.| no
`subtree` \| `ipapermlocation` | Subtree to apply permissions to | no
`filter` \| `extratargetfilter` | Extra target filter | no
`rawfilter` \| `ipapermtargetfilter` | All target filters | no
`target` \| `ipapermtarget` | Optional DN to apply the permission to | no
`targetto` \| `ipapermtargetto` | Optional DN subtree where an entry can be moved to | no
`targetfrom` \| `ipapermtargetfrom` | Optional DN subtree from where an entry can be moved | no
`memberof` | Target members of a group (sets memberOf targetfilter) | no
`targetgroup` | User group to apply permissions to (sets target) | no
`object_type` | Type of IPA object (sets subtree and objectClass targetfilter) | no
`no_members` | Suppress processing of membership | no
`rename` \| `new_name` | Rename the permission object | no
`action` | Work on permission or member level. It can be on of `member` or `permission` and defaults to `permission`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `renamed` default: `present`. | no
The `includedattrs` and `excludedattrs` variables are only usable for managed permisions and are not exposed by the module. Using `attrs` for managed permissions will result in the automatic generation of `includedattrs` and `excludedattrs` in the IPA server.
@@ -126,13 +126,12 @@ Example playbook to make sure privilege "DNS Special Privilege" is absent:
Variables
---------
ipaprivilege
------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin`. | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node. | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of privilege name strings. | yes
`description` | Privilege description. | no
`rename` \| `new_name` | Rename the privilege object. | no
@@ -81,7 +81,7 @@ Example playbook to ensure maxlife is set to 49 in global policy:
become:true
tasks:
# Ensure absence of pwpolicies for group ops
# Ensure maxlife is set to 49 in global policy
- ipapwpolicy:
ipaadmin_password:SomeADMINpassword
maxlife:49
@@ -91,13 +91,12 @@ Example playbook to ensure maxlife is set to 49 in global policy:
Variables
=========
ipapwpolicy
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
`maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
`minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
@@ -238,17 +238,16 @@ Example playbook to ensure that different members are not associated with a role
Variables
---------
iparole
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of role name strings. | yes
`description` | A description for the role. | no
`rename` | Rename the role object. | no
`privileges` | Privileges associated to this role. | no
`rename` \| `new_name` | Rename the role object. | no
`privilege` | Privileges associated to this role. | no
`user` | List of users to be assigned or not assigned to the role. | no
`group` | List of groups to be assigned or not assigned to the role. | no
`host` | List of hosts to be assigned or not assigned to the role. | no
@@ -131,13 +131,12 @@ Example playbook to make sure selfservice "Users can manage their own name detai
Variables
---------
ipaselfservice
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `aciname` | The list of selfservice name strings. | yes
`permission` \| `permissions` | The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
`attribute` \| `attrs` | The attribute list to which the selfservice applies. | no
The server module allows to ensure presence and absence of servers. The module requires an existing server, the deployment of a new server can not be done with the module.
Features
--------
* Server management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaserver module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure server "server.example.com" is already present in the topology:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
```
This task is not deploying a new server, it is only checking if the server eists. It will therefore fail if the server does not exist.
Example playbook to make sure server "server.example.com" has location mylocation:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
location:mylocation
```
Example playbook to make sure server "server.example.com" does not have a location:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
location:""
```
Example playbook to make sure server "server.example.com" has service weight 1:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
service_weight:1
```
Example playbook to make sure server "server.example.com" does not have a service weight:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
service_weight:-1
```
Example playbook to make sure server "server.example.com" is hidden:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
hidden:yes
```
Example playbook to make sure server "server.example.com" is not hidden:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
hidden:no
```
Example playbook to make sure server "server.example.com" is absent from the topology:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
state:absent
```
Example playbook to make sure server "server.example.com" is absent from the topology in continuous mode to ignore errors:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
continue:yes
state:absent
```
Example playbook to make sure server "server.example.com" is absent from the topology with skipping the last of role check:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
ignore_last_of_role:yes
state:absent
```
Example playbook to make sure server "server.example.com" is absent from the topology with skipping the topology disconnect check:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
ignore_topology_disconnect:yes
state:absent
```
Example playbook to make sure server "server.example.com" is absent from the domain in force mode even if it does not exist:
```yaml
---
- name:Playbook to manage IPA server.
hosts:ipaserver
become:yes
tasks:
- ipaserver:
ipaadmin_password:SomeADMINpassword
name:server.example.com
force:yes
state:absent
```
This task will always report a change.
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of server name strings. | yes
`location` \| `ipalocation_location` | The server location string. Only in state: present. "" for location reset. | no
`service_weight` \| `ipaserviceweight` | Weight for server services. Type Values 0 to 65535, -1 for weight reset. Only in state: present. (int) | no
`hidden` | Set hidden state of a server. Only in state: present. (bool) | no
`no_members` | Suppress processing of membership attributes. Only in state: present. (bool) | no
`delete_continue` \| `continue` | Continuous mode: Don't stop on errors. Only in state: absent. (bool) | no
`ignore_last_of_role` | Skip a check whether the last CA master or DNS server is removed. Only in state: absent. (bool) | no
`ignore_topology_disconnect` | Ignore topology connectivity problems after removal. Only in state: absent. (bool) | no
`force` | Force server removal even if it does not exist. Will always result in changed. Only in state: absent. (bool) | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. `present` is only working with existing servers. | no
@@ -285,12 +285,12 @@ Example playbook to allow users, groups, hosts or hostgroups to retrieve a keyta
Variables
---------
ipaservice
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `service` | The list of service name strings. | yes
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
@@ -67,7 +67,7 @@ Example playbook to make sure sudocmd is absent:
tasks:
# Ensure sudocmd are absent
- ipahostgroup:
- ipasudocmd:
ipaadmin_password:SomeADMINpassword
name:/usr/bin/su
state:absent
@@ -76,13 +76,12 @@ Example playbook to make sure sudocmd is absent:
Variables
=========
ipasudocmd
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `sudocmd` | The sudo command strings. | yes
`description` | The command description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
@@ -116,13 +116,12 @@ Example playbook to make sure sudocmdgroup is absent:
Variables
=========
ipasudocmdgroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of sudocmdgroup name strings. | no
`description` | The sudocmdgroup description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
@@ -113,19 +113,18 @@ Example playbook to make sure Sudo Rule is absent:
Variables
=========
ipasudorule
---------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of sudorule name strings. | yes
`description` | The sudorule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
`cmdcategory` \| `cmdcat` | Command category the rule applies to. Choices: ["all", ""] | no
`runasusercategory` \| `rusasusercat` | RunAs User category the rule applies to. Choices: ["all", ""] | no
`runasusercategory` \| `runasusercat` | RunAs User category the rule applies to. Choices: ["all", ""] | no
`runasgroupcategory` \| `runasgroupcat` | RunAs Group category the rule applies to. Choices: ["all", ""] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this sudorule. | no
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`suffix` | The topology suffix to be used, this can either be `domain`, `ca` or `domain+ca` | yes
`name` \| `cn` | The topology segment name (cn) is the unique identifier for a segment. | no
`left` \| `leftnode` | The left replication node string - an IPA server | no
`right` \| `rightnode` | The right replication node string - an IPA server | no
`direction` | The direction a segment will be reinitialized. It can either be `left-to-right` or `right-to-left` and only used with `state: reinitialized` |
`direction` | The direction a segment will be reinitialized. It can either be `left-to-right` or `right-to-left` and only used with `state: reinitialized` | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `checked` or `reinitialized` | yes
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`suffix` | The topology suffix to be used, this can either be `domain` or `ca` | yes
`state` | The state to ensure. It can only be `verified` | yes
@@ -94,13 +94,12 @@ This will only delete the ipa-side of the trust and it does NOT delete the id-ra
Variables
=========
ipatrust
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`realm` | The realm name string. | yes
`admin` | Active Directory domain administrator string. | no
`password` | Active Directory domain administrator's password string. | no
@@ -356,15 +356,14 @@ Example playbook to ensure users are absent:
Variables
=========
ipauser
-------
**General Variables:**
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` | The list of user name strings. `name` with *user variables* or `users` containing *user variables* need to be used. | no
**User variables** | Only used with `name` variable in the first level. | no
`users` | The list of user dicts. Each `users` dict entry can contain **user variables**.<br>There is one required option in the `users` dict:| no
@@ -130,7 +130,7 @@ Example playbook to make sure vault data is present in a symmetric vault:
action:member
```
Example playbook to retrieve vault data from a symmetric vault:
When retrieving data from a vault, it is recommended that `no_log: yes` is used, so that sensitive data stored in a vault is not logged by Ansible. The data is returned in a dict `vault`, in the field `data` (e.g. `result.vault.data`). An example playbook to retrieve data from a symmetric vault:
```yaml
---
@@ -139,12 +139,19 @@ Example playbook to retrieve vault data from a symmetric vault:
become:true
tasks:
- ipavault:
- name:Retrieve data from vault and register it in 'ipavault'
ipavault:
ipaadmin_password:SomeADMINpassword
name:symvault
username:admin
password:SomeVAULTpassword
state:retrieved
no_log:yes
register:ipavault
- name:Print retrieved data from vault
debug:
var:ipavault.vault.data
```
Example playbook to make sure vault data is absent in a symmetric vault:
@@ -203,32 +210,33 @@ Example playbook to make sure vault is absent:
Variables
=========
ipavault
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Currently only `client` is supported by this module, and use of `server` will raise a failure. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of vault name strings. | yes
`description` | The vault description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`new_password_file` | File containing Base64 encoded new Vault password. | no
`public_key ` \| `vault_public_key` \| `old_password_file` | Base64 encoded vault public key. | no
`public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no
`public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
`private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
`private_key `\| `vault_private_key` \| `ipavaultprivatekey` | Base64 encoded vault private key. Used only to retrieve data. | no
`private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
`salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
`user` \| `username` | Any user can own one or more user vaults. | no
`username` \| `user` | Any user can own one or more user vaults. | no
`service` | Any service can own one or more service vaults. | no
`shared` | Vault is shared. Default to false. (bool) | no
`users` | Users that are members of the vault. | no
`groups` | Groups that are member of the vault. | no
`services` | Services that are member of the vault. | no
`users` | List of users that are members of the vault. | no
`groups` | List of groups that are member of the vault. | no
`services` | List of services that are member of the vault. | no
`owners` \| `ownerusers` | List of users that are owners of the vault. | no
`ownergroups` | List of groups that are owners of the vault. | no
`ownerservices` | List of services that are owners of the vault. | no
`data` \|`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
`in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
`out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`. Also modules for group, host, topology and user management.
**Note**: The ansible playbooks and roles require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
**Note**: The Ansible playbooks and roles require a configured Ansible environment where the Ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
Features
--------
@@ -11,6 +11,12 @@ Features
* Cluster deployments: Server, replicas and clients in one playbook
* One-time-password (OTP) support for client installation
* Repair mode for clients
* Backup and restore, also to and from controller
* Modules for automembership rule management
* Modules for automount location management
* Modules for config management
* Modules for delegation management
* Modules for dns config management
* Modules for dns forwarder management
* Modules for dns record management
* Modules for dns zone management
@@ -20,14 +26,19 @@ Features
* Modules for hbacsvcgroup management
* Modules for host management
* Modules for hostgroup management
* Modules for location management
* Modules for permission management
* Modules for privilege management
* Modules for pwpolicy management
* Modules for role management
* Modules for self service management
* Modules for server management
* Modules for service management
* Modules for sudocmd management
* Modules for sudocmdgroup management
* Modules for sudorule management
* Modules for topology management
* Modules fot trust management
* Modules for trust management
* Modules for user management
* Modules for vault management
@@ -104,7 +115,7 @@ ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
**Ansible galaxy**
**Ansible Galaxy**
This command will get the whole collection from galaxy:
@@ -128,7 +139,7 @@ The needed adaptions of collection prefixes for `modules` and `module_utils` wil
Ansible inventory file
----------------------
The most important parts of the inventory file is the definition of the nodes, settings and the management modules. Please remember to use [Ansible vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.
The most important parts of the inventory file is the definition of the nodes, settings and the management modules. Please remember to use [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.
**Master server**
@@ -146,7 +157,7 @@ ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
```
The admin principle is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
The admin principal is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
You can also add more setting here, like for example to enable the DNS server or to set auto-forwarders:
```yaml
@@ -272,7 +283,7 @@ ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
```
For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server. It is needed to have the Pythongssapi bindings installed on the controller for this.
For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server. It is needed to have the python-gssapi bindings installed on the controller for this.
To enable the generation of the one-time-password:
```yaml
[ipaclients:vars]
@@ -337,7 +348,7 @@ With this playbook it is possible to add a list of topology segments using the `
Playbooks
=========
The playbooks needed to deploy or undeploy server, replicas and clients are part of the repository and placed in the playbooks folder. There are also playbooks to deploy and undeploy clusters. With them it is only needed to add an inventory file:
The playbooks needed to deploy or undeploy servers, replicas and clients are part of the repository and placed in the playbooks folder. There are also playbooks to deploy and undeploy clusters. With them it is only needed to add an inventory file:
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
