When setting the default email domain, there was no validation on the
provide value. Using ipapython.validate.Email applies the same
validation method as implemented in IPA.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The test has been changed with the management fix for AD objects. The
conditional was lacking brackets and therefore did not properly work.
The brackets have been added.
Related: https://issues.redhat.com/browse/RHEL-70023
This patch removes 'vars' files from roles for unsupported distributions
and change minimum supported Fedora to version 40+.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Current version of ansible-list pre-commit hook required changes in the
ansible-freeipa yamllint configuration and these changes triggered
issues in the current playbooks on roles and tests.
This patch adds the required changes to yaml lint configuration and
fixes the affected playbooks.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
When using AD objects, a user expects to use the more human readable
form, like "user@ad.domain", but this impose some dificulties on
evaluating which object is being referenced as AD has several forms to
refer to the same object.
Each object is AD is identified uniquely by its SID, and this is the
identifier that IPA stores in its database. When managing AD objects,
IPA finds its SID and works with that value.
ansible-freeipa tried to process these objects using the human readable
values, and it cause idempontence error when ensuring the values were
present or modified, and, at least in some cases, prevented the objects
to be made absent, as the object list created didn't match the SID to
the value used as module parameter.
By using SID to process the AD objects in ipagroup, the addition or
removal of members works and idempotence of these members is ensured.
The only issue with thils approach is that it only works no server
nodes. In client nodes, the conversion to SID is not available and the
same issues that existed before will still be present.
Tests were updated to reflect these changes, a new test, specific to
idempotence issues of AD objects was added:
tests/group/test_group_ad_users.yml
Resolves: https://issues.redhat.com/browse/RHEL-70023
When running test_idoverrideuser_client_context.yml on a client host, it
tried to run a task that does not have the required fields and fails
the test.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This patch improves tests/env_freeipa_facts.yml by ensuring
ipaserver_realm is set, making AD server availability discoverable, and
allowing playbooks to run with 'gather_facts: false' by gathering
minimal facts.
When managing AD objects the SID of the objects are stored in FreeIPA
database, but a user would still use the human readable values, like
"AD\\user" or "user@ad.domain". This can cause idempotence issues in
many cases, and prevent some actions to be performed, like ensure
absence of the object.
The methods added allow the conversion of one or multiple objects, and
will be used by any module that manages AD objects.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The IP addresses set with ipareplica_ip_addresses have not been passed
to ipaclient role for client deployment part. This resulted in not
setting the IP addresses.
The description for ipareplica_ip_addresses in the ipareplica README and
also the role modules was wrong and have been fixed to "List of IPA
replica IP addresses".
Related: https://pagure.io/freeipa/issue/7405
Resolves: https://github.com/freeipa/ansible-freeipa/issues/1244
When handling users and hosts is ipasudorule we were missing nome entry
attributes returned from FreeIPA, which would cause the add/del lists to
be incorrectly generated.
By adding the proper lists, both attributes are handled correctly.
A new test to verify the fix is added:
tests/sudorule/test_sudorule_user_host_external.yml
Fixes https://issues.redhat.com/browse/RHEL-68439
ansible-test sanity test "metaclass-boilerplate" fails now to recognize
the line "__metaclass__ = type" if there is a pylint disable comment
appended to the same line to not fail on using bad class naming.
The pylint disable comment has been moved to an extra preceding line and
an additional enable commend has been added after the metaclass line.
This change reduces the size of the Ansible collection and removes unused
files.
While creating the collection, the role plugins have been linked into the
global plugin folders, but a subsequent sed call replaced the links with
changed files. The original files have also been changed with another sed
call in the same way. This resulted in the duplication of the changed
files.
The plugins of the roles are now moved into the global plugin folders and
only changed there. The now empty plugin folders in the roles are
removed.
When creating the lists of external members, the attribute
'ipaexternalmember' also needs to be added to the list of external
members that are part of the group object for external groups.
A test to verify the correct behavior was added and the test suite for
group external members have been cleaned up with 'yes' values changed to
'true' and the use of module_defaults.
When a revoked certificate with reason 6 (certificateHold) is revoked
with reason 8 (removeFromCRL), the effect is that the certificate is
valid again, as it is the same procedure as 'state: release'.
This is, at least, the behavior with IPA CLI comands, which is
implemented by this patch.
A new test is added to verify this behavior:
tests/cert/test_cert_remove_hold_with_removeFromCRL.yml
Modify the plugin templates so that the code generated does not hide
errors when querying IPA wih *_show command by handlig only the exeption
where an object is not found.
When searching for objects with *_show IPA API command, most plugins
were hiding errors other than "ipalib_errors.NotFound" by handling the
broad exception Exception instead.
This patch uses "ipalib_errors.NotFound" whenever "*_show" is used so
that the only exception handled is when an object is not found. Other
errors will not be handled making the module break as expected.
This adds the capabilities SYS_ADMIN and SYSLOG to the container_create
call in build.sh as long as server deployment has been enabled.
The privileged option has been removed as it is no longer needed.
The hostnamectl-wrapper for the container has been removed as it is no
longer needed.
The client part deployment fails in the configuration of NIS. The command
/usr/bin/nisdomainname is failing in a container in this task as the
container is not privileged.
The hostnamectl-wrapper is copied from the freeipa-container container
project to replace /usr/bin/nisdomainname in the container.
container_copy can be used to copy a file to the container,
container_fetch can be used to copy a file from the container.
For more information, please have a look at the podman-cp man page.
Unless there's a real need to use privileged access or to gather Ansible
facts upfront, we should always set "become: false" and
"gather_facts: false". In the case that only a few Ansible facts are
required, 'ansible.builtin.setup' with 'gather_subset' should be used.
As the YAML 1.2 standard dictates, boolean values should only use 'true'
or 'false' values.
This patch fixes these issues in the 'sudorule' test suite.
Currently, ipasudorule must add or modify a single sudorule at a time,
incurring in more load in the server if there are many rules to be
processed.
This patch adds suport for adding multiple sudorules in one playbook
task by using the parameter 'sudorules' and defining a list of sudorules
configurations to be ensured.
As multiple sudorules will be processed, the patch also enables batch
mode processing of sudorules, trying to reduce the load on the server.
Test 'tests/sudorule/test_sudorule_client_context.yml' was modified to
include tasks with 'sudorules' to be executed both on the server or on
the client context.
New tests were added to the sudorule test suite:
tests/sudorule/test_sudorules.yml
tests/sudorule/test_sudorules_member_case_insensitive.yml
This patch adds the class EntryFactory to the ansible-freeipa module
utils. This class allows the handling of modules with multiple object
entries as list of objects. When the multi-object parameter is not used,
it creates a list of a single object, allowing for the same code idiom
to be used.
The entries created can be used both as objects, by acessing the values
as properties, or as dictionaires, by accessing the elements as
key-value pairs.
This patch modify the pipelines to create stages using the 'each'
expression on Azure pipelines, so that the configuration and the list of
distributions can be set using variables.
Testing CentOS 8 Stream and Galaxy collections still need to be handled
in a separate group, although, the pipeline configuration becomes easily
changed, specially when updating Ansible versions.
Pydocstyle has been deprecated is no longer in development. It is also
not a requirement for Ansible tests.
This patch removes pydocstyle from current checks performed.
All scripts related to the Azure CI now reside on inrfa/azure, but the
scripts that evaluate the changes made against ansible-freeipa's main
development branch.
This patch move these scripts to the proper locations.
ansible-core versions 2.15 and 2.16 and used for all pipelines, but
version 2.17 is not used for CentOS 8 Stream, as platform python on
this version is 3.6 which is not supported in this ansible-core version.
Several optimizations have been done to the pipelines, to make them
closer to what can be reproduced, with the existing scripts, in a
development environment:
- Use start.sh and build.sh scripts to build and start containers
- Use variables to configure different stages instead of using separate
files
- Use a commom 'prepare_environment' to create the environment for every
pipeline
- Use a single file defining testing steps (run_tests.yml)
- Remove Centos 7 pipelines
- Reduce the number of pipelines in the test matrix due to the amount of
time that tests were using
- Use Azure "loop" (each) to create test groups
The above changes make the pipelines easier to understand and modify.
For some time now, we had some issues with molecule when building test
images for ansible-freeipa, and replaced the image creation with custom
build scripts that use commom container tools (like Dockerfiles and the
build command).
As there's no more tasks that require the use of molecule, this patch
removes the last bits used by it, and fixes documentation and lint
scripts and configuration.
When using containers to test ansible-freeipa there's a need to deal
with 'podman' the development environment and the Azure environment. In
the Azure environment, with Ubuntu hosts, using 'cap-add' does not allow
FreeIPA to be installed on the containers, and they need to be executed
with privileged mode. On the other hand, on development environments,
such as recent Fedora hosts, there's no need to run the container with
extra privileges.
This patch modifies the utility function 'container_create' to allow the
usage of key-value argumes such as "cpus=4" and "privileged", that will
be used in the container creation.
The currently available options are "privileged", "cpus", "memory" and
"hostname". By default "cpus=2" and "hostname=ipaserver.test.local".
Also, too make the image build script more self-contained, if the
required Ansible collections are not installed, they will be temporarily
installed so that the image can be built.
To force setting the IPA_ENABLE_* variables to run all tests, source the
script using '-I' or set the environment variable SKIP_GIT_TESTS to
'True'.
This will allow the correct selection of Azure pipelines tests to be
based on a single environment variable, what will reduce the number of
test running templates to a singe file.
It seems that in recent versions, a minimum of 2048 bits for RSA keys
are required to request a certificate. This seems to be enforced by
crypto policies.
By adjusting the key size all ipacert tests pass.
So far a datetime object was created for the expiration dates
krbpasswordexpiration and krbprincipalexpiration. This resulted in also
sending these objects to the API. With this change, the dates are
converted into strings using the LDAP_GENERALIZED_TIME_FORMAT defined in
ipalib.constants. This way only strings are used with the IPA API.
A new function has been added to ansible_freeipa_module:
- date_string: Convert datetime to gernalized time format string
This fuction is used on the result of user_show to convert the
expiration dates to the gernalized time format string.
The existing function date_format in ansible_freeipa_module has been
renamed to convert_date and fixed in the way that it also uses
date_string to return a gernalized time format string and not a
datetime object. This function was only used in the ipauser module so
far.
The new generate_test_data.yml is creating the test data with
ansible.builtin.shell and is not calling shell scripts any more. The
generation in the yml file and also the set_fact calls make sure that
the test data is used.
The help has been fixed for the -s option and the comments about how to
start the container later on has been removed as there will be a script
that is handling this..
This reduces the number of started services in the container. The
fixipaip.service needed to be adapted to ensure that the service is
started properly.
The dockerfiles have been adapted for this change also.
This change also removed ansible_python_interpreter setting in the
inventory as the interpreter should be discovered by ansible for the
distributions.
The dockerfiles have been adapted to not force the installation of
python3 for CentOS-Stream 8, 9 and 10.
The script will try to get the latest image from quay to start it. With
the -l option it will try to use a local image first. This is for example
useful to test changes in the images build script locally.
This also adds infra/image/shcontainer. Some of the content is copied
from utils/shcontainer.
The DNS forwarder is set while deploying the IPA server. This forwarder
might not be correct later on.
The old /etc/resolv.conf is copied to /etc/resolv.conf.fixnet by the
fixnet service and later on the fixipaip service is trying to get the
nameserver from the copied file. If the retrieval failed of if the
namesever is 127.0.0.1, then the nameserver will be set to 8.8.8.8.
After fixing the IP addresses for the forward and reverse zone, also the
forwarder is set for the dnsserver "${HOSTNAME}".
Checks for IPv4 addresses have been added and reverse zone handling
for fixipaip.sh
The services are logging StandardOutput and StandardError to journal
now.
This patch removes 'molecule' as a dependency for tests, by using the
scripts under `utils` to setup the environment.
By not using molecule, we have more flexibility on using either docker
or podman as the container engine, and makes it easy to reproduce the
environment on different distros, allowing for a more consistent error
reproduction off Azure.
On some systems it is required or desired to run Ansible with a specific
Python interpreter. This patch allows the selection of the Python binary
to use for the pytest playbook tests by setting the environment variable
IPA_PYTHON_PATH. Set it the the full path of the Python interpreter.
To modify Azure tests and depend on shell scripts and pytest instead
of molecule, the run-tests.sh script has been rewritten to depend on
bash functions and on a bash script that prepare and start a testing
container.
This patch adds a new script, 'utils/setup_test_container.sh' that
can be used to start a new container, using either podman or docker,
based on the available ansible-freeipa images. The new container can
then be used to run ansible-freeipa tests against it.
Also the following files with bash functions were added, and are
used by both scripts:
utils/shansible: Functions to run playbooks in the container
utils/shcontainer: Functions to setup/run a container
utils/shfun: Generic shell helper functions (e.g.: log)
If the deployment was enabled and failed, the script still continued
without failing. If podman was missing it failed without a proper error.
The script now fails and does not enable the services and also does not
commit after the failed deployment. Also is fails if podman is missing.
As the scripts 'utils/run-tests.sh' and 'utils/setup_test_container.sh'
use some scripts as function libraries, this change forces shellcheck to
also verify those scripts.
As we do not use molecule features, using a Dockerfile and the
ansible-freeipa deployment roles is enough to create the container
testing images.
This patch removes the usage of molecule in favor of the custom
ansible-freeipa image building script, which allow us to have a similar
process for creating images both on the ustream CI, or on a developer's
environment.
Also, CentOS 7 is removed from the build script, as it in not possible
to run CentOS 7 containers with current versions of systemd.
This patch modifies the image building script by adding:
- An usage message.
- An option "-I" to NOT install IPA to the generated container.
- An opiton "-c NAME" to both set the name and use an existing container
to ONLY install IPA.
- Rename "scenario" to "DISTRO" as "scenario" should be used for the
container scenario usage, rather than the distro (I'll change the name
also in the Azure scripts)
- Use 'log' (from shlog) to print messages.
Add two shell libaries with utilities to write shell scripts.
The 'utils/shlog' file provides macro names for ANSI escape sequences to
control color output on terminals, a 'log' functions with pre-defined
behavior for ERROR, WARN, DEBUG, INFO and SUCCESS level messages, and
the 'quiet' function which executes a command and hides its output.
The 'utils/shfun' file provides an interruptinon handler for SIGINT, and
the following functions:
- run_if_exists: run a command if it is available
- cleanup: cleanup environment, possibly stopping a container and a
Python virtual environment.
- start_virtual_environmnt: initiates a Python virtual environment
- in_python_virtualenv: test if the script is running inside a Python
virtual environment
- die: abort the script with an error message end exit code 1
New files:
- utils/shlog
- utils/shfun
The new image builder is not using molecule and uses podman directly for
the generation of the ansible-test images.
Two additional services are installed to simplify the use of the
container in the test:
- fixnet.service uses /root/fixnet.sh to fix IP address of the server in
/etc/hosts and to set localhost as the nameserver.
This service is executed before IPA is started. This eliminates the
need to restart the IPA server after the container has been started
and the IPs have been fixed.
- fixipaip.service uses /root/fixipaip.sh to fix the IP address of the
IPA dnsrecords of server and ipa-ca.
With these services it is now only needed to wait till all services in
the container are started. There is no need to restart the IPA server
anymore. Simply use something like this before starting the tests:
while [ -n "$(podman exec ansible-test systemctl list-jobs | grep -vi 'no jobs running')" ]; do echo "waiting.."; sleep 5; done
New files
- infra/image/build.sh
- infra/image/dockerfile/c8s
- infra/image/dockerfile/c9s
- infra/image/dockerfile/c10s
- infra/image/dockerfile/fedora-latest
- infra/image/dockerfile/fedora-rawhide
- infra/image/inventory
- infra/image/system-service/fixipaip.service
- infra/image/system-service/fixipaip.sh
- infra/image/system-service/fixnet.service
- infra/image/system-service/fixnet.sh
The tests test_users_present.yml and test_users_absent.yml has been
merged into test_users_present_absent.yml to fix the independent test
order execution.
The test test_users_present_slice.yml has been renamed to
test_users_present_absent_slice.yml.
Both tests are cleaning up possible exiting entries before running the tests
and are verifying the present and absent task result.
Truncate stdout and stderr in the way that it hopefully shows all
important information. At least 15 lines of stdout (Ansible tasks) and
remaining from stderr to fill up to maxlen size.
The test log mostly only showed lines from stderr as the log was a
concatenation of stdout and stderr and only the last 2500 chars of this
have been used. This was hiding the test result from stdout and failures
have not beeen visible.
The no_log tag is only allowed in the argument_spec, but not in the
DOCUMENTATION section. Set no_log=False for token_uri and
keys_uri=keys_uri in the argument_spec to enforce logging.
Several fixes for the DOCUMENTATION section: The short_description tag
was 'short description', the chain option was missing and the unknown
authers tag has been removed.
setuptools might not be installed before importing and using
galaxy_importer. This could result in a backtrace by disabling
ANSIBLE_TEST_LOCAL_IMAGE in galaxy-importer.cfg to run latest tests.
The service READNE so far lacks the documentation of multi service
handling within a single task.
The alias for the continue parameter was also added.
Fixes: #1113
The bindings for requests and urllib3 might not be available, especially
in the ansible-test fake execution test (next version). These imports are
now in a try exception clause to make sure that the fake execution test
will be passing and also that there is a better error message if the
bindings are missing.
urllib3.exceptions.InsecureRequestWarning is now also only disabled if
no certificate has been given for the verification of the connection.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
This patch updates the minimum supported Ansible version and the list
of available modules.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
This patch includes the change to the version number in the collection
and all plugin README files. The collection README was also update to
remove text that related only to previous Ansible versions.
The parameters
- subtree (ipapermlocation)
- target (ipapermtarget)
- targetto (ipapermtargetto)
- targetfrom (ipapermtargetfrom)
have not been idempotent as the result returned from permission_show was
a DN and not a string.
The find_permission function has been exetended to convert the values
for these parameters to strings.
Fixes: #1257
The error string returned by execute_ipa_commands in batch mode
additionally contains the whole parameter list for the command. This is
different to non batch mode execution and breaks tests that are checking
the returned error message.
A left over debug message also have been removed from the error
processing.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
New function:
- convert_input_certificates(module, certs, state)
FreeIPA commit ea0bf4020ce0b1e32572e128e9323c5af60ec93d
After an HSM replica install ensure all certs are visible
If a certificate on a token does not have NSS trust set then
it won't be visible in the softoken. This can be disconcerting
for those used to seeing all the certificates.
Loop through the possibilities and set no trust (or Peer) for
all the certificates on the token.
Also ensure that the CA certificate has the correct nickname.
Related: https://pagure.io/freeipa/issue/9273
replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is
called instead if the client was configured before deploying with
iparepica role.
FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d
Refactor CA file handling in replica installer
Clean up and remove obsolete code from ipa-replica-install. For several
versions replica installer first ensures that a host is an IPA client,
then promotes the client to a replica. The client installer code sets up
CA stores like IPA_CA_CRT already.
The config attributes config_master_host_name and also config_ca_host_name
are not changed within ipareplica_install_ca_certs, therefore it is not
needed to return them and also to use the returned values for following
tasks.
The HSM parameters
token_name
token_library_path
token_password
token_password_file
are set to None to enable deployment with IPA 4.12 as a workaround till
HSM can be fully supported by the ipaserver role.
pylint doesn't know that some functions may terminate execution, like,
AnsibleModule's fail_json, and assume that, depending on the code path,
some variables may not be initialized when used.
This change ensure that variables are always initialized independent of
the code path.
New versions of pylint ignore Python 2 functions and types, evaluating
'unicode' as "undefined". ansible-freeipa will always define 'unicode'
when running under Python 3, and it is always defined under Python 2.
This patch fixes these false positives.
Github actions checkout v3.1.0 and setup-python v4.3.0 use deprecated
Node.js 16.
Bumping version to checkout v4.1.1 and setup-python v5.1.0 fixes the
workflows, as both use the recommended Node.js 20.
The checkout depth has been set to 1 (shallow copy) for all tasks that
do not require git history to be available.
The use of the batch command is enabled for execute_ipa_commands.
Additionally keeponly is set to ["randompassword"] as this is the only
parameter that is used from the data returned from the commands.
The use of the batch command is enabled for execute_ipa_commands.
Additionally keeponly is set to [] as nothing is used from the data returned
from the commands.
The use of the batch command is enabled for execute_ipa_commands.
Additionally keeponly is set to [] as nothing is used from the data returned
from the commands.
The use of the batch command is enabled for execute_ipa_commands.
Additionally keeponly is set to ["randompassword"] as this is the only
parameter that is used from the data returned from the commands.
The method execute_ipa_commands has been extended to handle multi
commands with the batch command.
New constants for execute_ipa_commands debugging:
DEBUG_COMMAND_ALL = 0b1111
DEBUG_COMMAND_LIST = 0b0001
Print the while command list
DEBUG_COMMAND_COUNT = 0b0010
Print the command number
DEBUG_COMMAND_BATCH = 0b0100
Print information about the batch slice size and currently executed
batch slice
New parameters have been added to execute_ipa_commands:
batch: bool
Enable batch command use to speed up processing
batch_slice_size: integer
Maximum mumber of commands processed in a slice with the batch
command
keeponly: list of string
The attributes to keep in the results returned.
Default: None (Keep all)
debug: integer
Enable debug output for the exection using DEBUG_COMMAND_*
Batch mode can be enabled within the module with setting batch to True
for execute_ipa_commands.
Fixes: #1128 (batch command support)
delete_continue defaults to None. The use of continue: None is resulting
in an error with the batch command. Therefore only set continue if it is
not None.
These are manager, principal, certificate and certmapdata.
The result_handler function has been adapted and the exception_handler
function has been removed.
A new function has been added:
convert_certificate
The changed state returned from ipaclient_configure_dns_resolver was
always True. The internal functions (copies from FreeIPA code) have been
fixed to return a changed state.
Fixes: #1217 (ipaclient: Configure DNS resolver always reports as changed)
Two new options have been added to enable the offline build within rpm:
-o <A.B.C> Build offline without using git, using version A.B.C
Also enables -a
-p <path> Installation the generated collection in the path, the
ansible_collections sub directory will be created and will
contain the collection: ansible_collections/<namespace>/<name>
Also enables -i
The usage text has been fixed also for specifying namespace and name.
The collection variable has been renamed to name.
Example usage:
utils/build-galaxy-release.sh -o 1.12.1 \
-p %{buildroot}%{_datadir}/ansible/collections \
freeipa ansible_freeipa
Use IPAChangeConf and realm_to_ldapi_uri to create IPA_DEFAULT_CONF.
With realm_to_ldapi_uri the ldap_uri is correctly using /run instead of
/var/run.
Before IPA_DEFAULT_CONF was created using file operations.
The custodia setup is executed twice. At first in
ipaserver_setup_custodia and then additionally in ipaserver_setup_ca.
The custodia setup code in ipaserver_setup_ca.py has been adapted to fit
the code in ipaserver_setup_custodia.py.
The extra Setup custodia step in the server roles has been removed
together with ipaserver_setup_custodia.py.
If ipaserver_domain is not given, the domain name is generated from the
host fqdn.
This generated value was so far not returned, but the empty given value
instead.
The generated certificates have been X.509 v1. This is not supported any
more. Only X.509 v3 is supported.
A new certificates/extensions.conf file has been added to make v3
certificates.
The existing certificates/pkinit/extensions.conf has been renamed to
certificates/pkinit-extensions.conf with additional changes. For example
"[kdc_cert]" had to be removed for v3.
The extensions config files are using environment variables, which are
set by the generate-certificates.sh script before calling openssl.
The script generate-certificates.sh has been reworked for a simpler
structure, also new options have been added: "ca" and "cleanup".
This patch force processing of permission, attribute and group
attributes in lower case, to match behavior of IPA CLI, transforming
all of them into lowercase characters.
The new behavior fixes idempotence issues when mixing different
capitalization in different tasks for the same attribute.
A new test playbook is avaiable at:
tests/delegation/test_delegation_member_case_insensitive.yml
Some attributes for ipagroup objects are stored using lower case letters
and should be converted upon retrieving parameter data.
This patch adds the missing conversion and provides a new test playbook:
tests/group/test_group_case_insensitive.yml
ipahostgroup parameters 'host', 'hostgroup', 'membermanager_user' and
'membermanager_group' must be compared in a case insensitive manner
and stored as lower case strings.
This patch fixes the comparison and storage of this parameters, and
change the handling of members to use the same structure as in newer
modules.
Two new tests files were added:
tests/hostgroup/test_hostgroup_case_insensitive.yml
tests/hostgroup/test_hostgroup_membermanager_case_insensitive.yml
The config tests are currently setting the pac type to empty or without
MS-PAC type. This results in failed authorization for IPA API.
An issue has been opened for FreeIPA to address this:
https://pagure.io/freeipa/issue/9527
As FreeIPA now requires MS-PAC to be set in ipaKrbAuthzData to trigger
PAC generation, there's a timing issue that causes API malfunction which
is long enough to cause the client part insallation to fail.
By restarting KDC after DS password is set, we force cached values to be
refreshed, allowing the API to work correctly.
Resolves: https://github.com/freeipa/ansible-freeipa/issues/1200
This is "Fix ipa-client-automount install/uninstall with new install
states" https://github.com/freeipa/freeipa/pull/7100 for ansible-freeipa:
Issue 8384 introduced a new installation state for the statestore
to identify when client/server installation is completely finished
rather than relying on has_files().
The problem is that ipa-client-automount may be called during
ipa-client-install and since installation is not complete at that
point the automount install was failing with "IPA client not
configured".
Add a new state, 'automount', to designate that automount installation
is in process. If check_client_configuration() fails it checks to
see if [installation] automount is True. If so it continues with the
installation.
This also addresses an issue where the filestore and statestore are
shared between the client and automount installers but the client
wasn't refreshing state after automount completed. This resulted in
an incomplete state and index file of backed-up files which caused
files to not be restored on uninstall and the state file to be
orphaned.
Fixes: https://pagure.io/freeipa/issue/9487
FreeIPA provides a default hbacsvcgroup named "Sudo", with capital 'S',
that is different from every other hbacsvcgroup, which are all
represented by lower case letters.
As data from IPA API was not modified, this causes an idempotence error
when using different capitalization with the 'hbacsvcgroup' parameter.
This patch fixes the issue by using the CaseInsensitive comparator to
create the hbacsvcgroup list.
Tests were update to make sure a regression is not included in the
future.
This is "ipa-client-install: enable SELinux for SSSD"
https://github.com/freeipa/freeipa/pull/6978 for ansible-freeipa:
For passkeys (FIDO2) support, SSSD uses libfido2 library which needs
access to USB devices. Add SELinux booleans handling to ipa-client-install
so that correct SELinux booleans can be enabled and disabled during
install and uninstall. Ignore and record a warning when SELinux policy
does not support the boolean.
Fixes: https://pagure.io/freeipa/issue/9434
On IPA CLI sudorule-add/del-runasuser accept 'group' as a parameter,
and this option was missing in ansible-freeipa ipasudorule module.
This patch adds a new parameter 'runasuser_group' to allow setting
Groups of RunAs Users, as allowed by CLI and WebUI.
New example playboks can be found at:
playbooks/sudorule/ensure-sudorule-runasusesr-group-is-absent.yml
playbooks/sudorule/ensure-sudorule-runasusesr-group-is-present.yml
FreeIPA suports renaming groupobjects with the CLI parameter "rename",
and this parameter was missing in ansible-freeipa ipagroup module.
This patch adds support for a new state 'renamed' and the 'rename'
parameter.
Tests were updated to cope with the changes.
- Replace outdated noqa 503 with noqa no-handler
- Drop outdated and not needed noqa 505 for include_vars
- Drop outdated noqa deprecated-command-syntax for
ansible.builtin.shell using cmd tag
These warnings have been reported by utils/lint_check.sh using
ansible-lint 6.22.1.
FreeIPA suports renaming user objects with the CLI parameter "rename",
and this parameter was missing in ansible-freeipa ipauser module.
This patch adds support for a new state 'renamed' and the 'rename'
parameter.
Tests were updated to cope with the changes.
Related to RHBZ#2234379, RHBZ#2234380
Fixes#1103
IPA DNS Zones management can be delegated by adding a "Manage DNS zone"
permission. The CLI commands that manage these permissions are
dnszone-add-permission and dnszone-remove-permission.
The ansible-freeipa module ipadnszone did not have this capability, and
it now support dnszone per-zone management delegation by setting the
module parameter 'permission'. If set to 'true' the permission will be
assigned to the zone, if set to false the permission will be removed.
Some parameters, in modules, have a specific data type, but allow the
use of an empty string to clear the parameter.
By providing a method to retrieve the parameter with the correct data
type, or optionally an empty string, allows for consistency of parameter
handling between different modules.
The parameter 'allow_empty_string' in 'module_params_get' is used to
allow an item in a list to be an empty string. The problem is that the
naming is misleading, as it is checking a list item rather than a
string.
This patch rename the parameter to 'allow_empty_list_item' so that it
more clearly refers to list itens instead of standalone strings, and do
not collide with future parameters that may test for empty strings which
are not part of lists.
After the change for a single job to run PR tests, and if there is any
change to ansible_module_utils, all the playbook tests are executed,
and the result is a failure due to timeout.
This PR increases the timeout so that a PR with changes to
ansible_module_utils can have the tests executed.
By the first quarter of 2024, all collections must pass ansible-lint
tests run with version 6.22.x. This PR ensure that all ansible-freeipa
tests depending on ansible-lint use a valid version of it.
When deploying an IPA client with ipaclient, if an error occured while
getting an OTP, no error message is logged, as the task that logs the
error is not excuted due to the previous taks failure.
By adding a 'rescue' section to the code block and moving the error
reporting to this new section, we ensure that the proper error messages
will be reported.
With ansible-core 2.14.12 using jinja2 templating in conditional
statements with ansible_facts['fqdn'] is marked as unsafe and results in
a failure.
The issues with using jinja2 templating in conditional statements for
asserts have been solved and a new server_fqdn fact has been added for
ansible_facts['fqdn'].
The uri parameters auth_uri, dev_auth_uri, token_uri, userinfo_uri and
keys_uri have not been validated before. Also the base_url was not
normalized. The auth_uri, dev_auth_uri, token_uri and userinfo_uri need
to be set for new entries, but might be empty or empty string for reset
or updates.
The ipaidpclientsecret needs to be decoded from binary string in
find_idp result to not trigger no change ipd_mod calls.
The code for validate_uri and base_url normalization has been copied
from the ipaserver idp plugin.
ansible_freeipa_module:
urlparse from urllib.parse with a fallback to six.moves.urllib.parse is
imported and also exported. urlparse is needed for validate_uri in ipaidp
module.
Resolves: RHEL-17954, RHEL-17955, RHEL-17957 and RHEL-17958
If a playbook to ensure the existence of a user contains 'random:false'
and 'update_password: always' is executed twice, the second execution
will raise an exception due to "No modifications to perform", as there
is actually nothing to modify.
The fix for the issue is to remove 'random' if it is not set to true, as
setting it to 'false' would have no effect on the user object.
Related: https://issues.redhat.com/browse/RHEL-4934
The reset of the minlength parameter failed with an internal error so
far. This has been fixed in IPA and therefore requires to fix the test
in ansible-freeipa also.
Related: https://pagure.io/freeipa/issue/9297
All tasks for idoverrideuser and idoverridegroup with state absent
failed with "'continue' is required" when delete_continue was not set.
This happended as delete_continue was internally None and continue: None
was provided to the API.
The fix is simply to use '"continue": delete_continue or False' so that
continue is set to False in this case.
When testing ipahost through the test playbooks, if there are previous
DNS A/AAAA records, the test fails due to a false positive idempotence
issue.
This patch ensures that all DNS records for the test hosts are absent
before test execution.
This issue could be seen in the 2023-11-06 Azure Nightly pipeline
execution.
When running ansible-freeipa's Azure pipelines for nightly and weekly
tests, due to the amount of tests to execute, tests are grouped and
executed in parallel jobs.
Due to a still unkonwn issue, depending on the order the tests are
executed, some random failures may occur and debugging them is hard due
to current implementation of the tests.
This patch adds support for replicating the tests of a specific Azure
test group once the seed used to create groups and the group number are
provided, allowing the test failures to be replicated on the developer's
workstation where it can be more easily debugged.
A new option is added to 'utils/run-tests.sh', '-A SEED.G' that is used
to define the seed and group to replicate the tests. The seed is a date,
with the format "YYYYMMDD", so, for example '-A 20230611.2' would
execute the same tests, in the same order as the second group of tests
for date 2023-06-11. To aid in usability 'YYYY-MM-DD' may also be used.
When using '-A' neither '-s' (test suites) or specific tests (positional
arguments) can be used.
Also, to help fixing tests, an option to stop the tests on the first
test failure ('-x') was added to the script.
ansible-lint 6.21+ and pylint 3.0+ will be required for Ansible
collections to be approved on Ansible Galaxy.
This patch updates pre-commit and upstream linters to use the required
versions.
The ipaclient_automount_location variable was badly named as
ipaautomount_location. Additionally it was not documented in the role
README file.
Fixes: #1166 (.. automount-location to the ipa-client role)
The task to apply an unknown (invalid) host to an idview was not failing
as expected and only reported no change.
A new host verification step has been added to fail before trying to
apply invalid hosts. unapplying an invalid host is not failing as the
invalid host is indeed not applied.
The result_handler is not needed anymore as the idempotency issues with
members have been fixed already for this module.
Related: #685 hbacsvcgroup: Fix member management idempotence issues.
hbacsvcgroup names are converted to lower case while creation with
hbacsvcgroup_add.
The hbacsvcgroup for sudo is builtin with the name "Sudo" though. This
breaks the lower case comparison. Therefore all memberservice_hbacsvcgroup
items are converted to lower case if "Sudo" is in the list.
In the current build container pipeline, all steps are serialized in a
single job, and if one of the jobs fail to build, due to broken
dependent image, or some Azure glitch, like slow connection, the only
way to rebuild the failed container is to rebuild all containers.
By building containers in parallel jobs, if a container fails to build
it is possible to restart only the failed job.
Altough most of ansible-freeipa documentation and playbooks use
'ipaserver' as the group for the first server deployed for a realm, the
ipareplica role only supported the use of groups["ipaservers"] as an
alternative to set ipareplica_servers.
Also supporting groups.ipaserver, as already supported by the ipaclient
role, make ansible-freeipa playbooks more consistent and current
documentation and examples easier to follow when deploying a cluster
with a server and a replica.
The usual scenario for PR checks is to execute only a few tests, and
searching for the results in several jobs makes it harder to find
issues.
By using a single job run the tests would take some more time to
complete, although not much, as only a small subset is executed, and
test verification would be easier and less error prone.
Dependind on how long it took for the jobs to start, a different seed
would be used to group tests and tests could either repeat or not be
selected at all.
By using a seed based on the day the test run reduces the chance of
using different random seeds, and still allow for the tests to be
executed in a different order.
The execution in different order is important to identify tests that
work or fail only if executed after other tests.
Due to an error on processing Ansible key 'import_tasks' the script that
creates a list of modules to test is broken making some modules to be
not tested.
By fixing the handling of 'import_tasks' and module import, the list is
correct again and the list of modules to be tested now include the ones
which depend on the modified module.
The release version 6.21.0 of ansible-lint introduced a bug that breaks
the reporting of 'warning' messages. [1]
This patch pins ansible-lint version to the latest one in the 6.20
series, so that it can still be used to check pull requests.
[1]: https://github.com/ansible/ansible-lint/issues/3853
Azure Ubuntu images have Python 3.12 available, and as we did not pin
the requested Python version, the latest available one was used, causing
image preparation and tests to fail.
This patch pins Python version to 3.11 until test can be executed with
Python 3.12 and later.
There is a new idp management module placed in the plugins folder:
plugins/modules/ipaidp.py
The idp module allows to ensure presence or absence of external Identity
Providers.
Here is the documentation for the module:
README-idp.md
New idp example playbooks:
playbooks/idp/idp-present.yml
playbooks/idp/idp-absent.yml
New tests for the module:
tests/idp/test_idp.yml
tests/idp/test_idp_client_context.yml
Recently it was announced that Ansible 2.9 will be supported for some
time, and this patch ensures that we run the nightly tests against this
version of Ansible.
Recently, a change in the deployment roles forced the change to the
minimum version of ansible-core, and the change was unnoticed until
reported.
With this patch, we ensure all PRs checks are executed against the
minimun supported ansible-core version, so we can ensure that both
documentation and role metadata are correct and still valid.
There is a new idoverridegroup management module placed in the plugins
folder:
plugins/modules/ipaidoverridegroup.py
The idoverridegroup module allows to ensure presence and absence of
idoverrides for groups.
Here is the documentation for the module:
README-idoverridegroup.md
New example playbooks have been added:
playbooks/idoverridegroup/idoverridegroup-absent.yml
playbooks/idoverridegroup/idoverridegroup-present.yml
New tests for the module can be found at:
tests/idoverridegroup/test_idoverridegroup.yml
tests/idoverridegroup/test_idoverridegroup_client_context.yml
There is a new idoverrideuser management module placed in the plugins
folder:
plugins/modules/ipaidoverrideuser.py
The idoverrideuser module allows to ensure presence and absence of
idoverrides for users and certificate members.
Here is the documentation for the module:
README-idoverrideuser.md
New example playbooks have been added:
playbooks/idoverrideuser/idoverrideuser-absent.yml
playbooks/idoverrideuser/idoverrideuser-certificate-absent.yml
playbooks/idoverrideuser/idoverrideuser-certificate-present.yml
playbooks/idoverrideuser/idoverrideuser-present.yml
New tests for the module can be found at:
tests/idoverrideuser/test_idoverrideuser.yml
tests/idoverrideuser/test_idoverrideuser_client_context.yml
The use of del os.environ assumes that the environment variable exists.
If the variable does not exist, this call will result in a traceback.
The solution is to use os.environ.pop(VARIABLE, None) instead.
This is the ansible-freeipa fix for https://pagure.io/freeipa/issue/9446
(Nightly test failure for replica installation with --setup-ca)
Changing the use of 'Exception' to 'RuntimeError' has the benefits of
making the error more specific and meaningful for what is being reported
and to remove warnings from linters (pylint).
The same change is applied to all deployment roles.
In recent pylint versions, use of broad exceptions for both raise and
try/except blocks raise a linter warning. As its use is justifiable in
the case of ipavault, the warnings are disabled where they occur.
Recent pylint versions warn against the use of an 'else' in a
'try-except' block if using a 'return' on the 'except' part is is the
idom used by ansible-freeipa when retrieving IPA data objects.
This change removes the usage of the 'else:' in such cases, and modify
the templates so that new modules do not have the same issue in the
future.
Recent pylint versions warns when a dictionaire is created using
'dict()' instead of '{...}'. Using 'dict()' in ansible-freeipa modules
actually enhances readability, so this change disables the check for
'use-dict-literal' in pylint.
As ansible-freeipa roles do not support version 2.8 anymore, change the
minimum supported version to 2.13, which is the currently minimum
available and supported Ansible version.
This patch fixes documentation on all plugin READMEs, spec file and
module templates.
Currently, the minimum supported Ansible version is 2.13, and
ansible-freeipa roles does not work with any version less than 2.9,
altough ansible-freeipa documentation states that the minimum version to
use is 2.8.
This patch fixes documentation and roles metadata to require that the
minimum Ansible version used is 2.13.
There is a new idview management module placed in the plugins folder:
plugins/modules/ipaidview.py
The idview module allows to ensure presence and absence of idviews and
idview host members.
Here is the documentation for the module:
README-idview.md
New example playbooks have been added:
playbooks/idview/idview-absent.yml
playbooks/idview/idview-host-applied.yml
playbooks/idview/idview-host-unapplied.yml
playbooks/idview/idview-present.yml
New tests for the module can be found at:
tests/idview/test_idview.yml
tests/idview/test_idview_client_context.yml
Currently, there is a hard coded timeout in galaxy-importer that
prevents larger collections to execute the ansible-lint step [1].
This patch modifies the calls to ansible-lint on development tools and
upstream CI to use the same arguments as galaxy-importer and disables
the execution of the ansible-lint step for the Ansible's sanity test.
Requested ansible-lint version for tools is also updated, as a more
recent one is required.
This change will not allow development using an environment using Python
2.7, due to newer ansible-lint requirements. Roles and modules tests
against target nodes using Python 2.7 is still possible.
[1]: https://github.com/ansible/galaxy-importer/pull/231
The revocation example playbook on README was wrong as it didn't have a
'reason' set, and the parameter must be used with 'state: revoked'.
This patch fixes the example and adds a new example using a reason
mnemonic instead of a reason number.
@@ -8,8 +8,12 @@ The group module allows to ensure presence and absence of groups and members of
The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
## Note
Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
Notes
-----
* Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
* Using `externalmember` or `idoverrideuser` is only supported with `ipaapi_context: server`. With 'client' context, module execution will fail.
Features
@@ -29,7 +33,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.8+
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
@@ -130,6 +134,45 @@ And ensure the presence of the groups with this example playbook:
groups:"{{ groups }}"
```
Example playbook to rename a group:
```yaml
---
- name:Playbook to rename a single group
hosts:ipaserver
become:false
gather_facts:false
tasks:
- name:Rename group appops to webops
ipagroup:
ipaadmin_password:SomeADMINpassword
name:appops
rename:webops
state:renamed
```
Several groups can also be renamed with a single task, as in the example playbook:
```yaml
---
- name:Playbook to rename multiple groups
hosts:ipaserver
become:false
gather_facts:false
tasks:
- name:Rename group1 to newgroup1 and group2 to newgroup2
ipagroup:
ipaadmin_password:SomeADMINpassword
groups:
- name:group1
rename:newgroup1
- name:group2
rename:newgroup2
state:renamed
```
Example playbook to add users to a group:
```yaml
@@ -174,7 +217,7 @@ Example playbook to add members from a trusted realm to an external group:
---
- name:Playbook to handle groups.
hosts:ipaserver
tasks:
- name:Create an external group and add members from a trust to it.
ipagroup:
@@ -237,6 +280,7 @@ Example playbook to ensure groups are absent:
`service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
`membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no
`externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. Requires "server" context. | no
`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up. Requires "server" context. | no
`rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
`action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
`state` | The state to ensure. It can be one of `present` or`absent`, default: `present`. | yes
`state` | The state to ensure. It can be one of `present`,`absent` or `renamed`, default: `present`. | yes
The idoverridegroup module allows to ensure presence and absence of idoverridegroups and idoverridegroup members.
Use Cases
---------
With idoverridegroup it is possible to manage group attributes within ID views. These attributes are for example the group name or gid.
Features
--------
* Idoverridegroup management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidoverridegroup module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure test group test_group is present in idview test_idview
```yaml
---
- name:Playbook to manage idoverridegroup
hosts:ipaserver
become:false
tasks:
- name:Ensure test group test_group is present in idview test_idview.
ipaidoverridegroup:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_group
```
Example playbook to make sure test group test_group is present in idview test_idview with description
```yaml
---
- name:Playbook to manage idoverridegroup
hosts:ipaserver
become:false
tasks:
- name:Ensure test group test_group is present in idview test_idview with description
ipaidoverridegroup:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_group
description:"test_group description"
```
Example playbook to make sure test group test_group is present in idview test_idview without description
```yaml
---
- name:Playbook to manage idoverridegroup
hosts:ipaserver
become:false
tasks:
- name:Ensure test group test_group is present in idview test_idview without description
ipaidoverridegroup:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_group
description:""
```
Example playbook to make sure test group test_group is present in idview test_idview with internal name test_123_group
```yaml
---
- name:Playbook to manage idoverridegroup
hosts:ipaserver
become:false
tasks:
- name:Ensure test group test_group is present in idview test_idview with internal name test_123_group
ipaidoverridegroup:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_group
name:test_123_group
```
Example playbook to make sure test group test_group is present in idview test_idview without internal name
```yaml
---
- name:Playbook to manage idoverridegroup
- name:Ensure test group test_group is present in idview test_idview without internal name
hosts:ipaserver
become:false
tasks:
- ipaidoverridegroup:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_group
name:""
```
Example playbook to make sure test group test_group is present in idview test_idview with gid 20001
```yaml
---
- name:Playbook to manage idoverridegroup
hosts:ipaserver
become:false
tasks:
- name:Ensure test group test_group is present in idview test_idview with gid 20001
ipaidoverridegroup:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_group
gid:20001
```
Example playbook to make sure test group test_group is present in idview test_idview without gid
```yaml
---
- name:Playbook to manage idoverridegroup
hosts:ipaserver
become:false
tasks:
- name:Ensure test group test_group is present in idview test_idview without gid
ipaidoverridegroup:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_group
gid:""
```
Example playbook to make sure test group test_group is present in idview test_idview with enabling falling back to AD DC LDAP when resolving AD trusted objects. (For two-way trusts only.)
```yaml
---
- name:Playbook to manage idoverridegroup
hosts:ipaserver
become:false
tasks:
- name:Ensure test group test_group is present in idview test_idview with fallback_to_ldap enabled
ipaidoverridegroup:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_group
fallback_to_ldap:true
```
Example playbook to make sure test group test_group is absent in idview test_idview
```yaml
---
- name:Playbook to manage idoverridegroup
hosts:ipaserver
become:false
tasks:
- name:Ensure test group test_group is absent in idview test_idview
ipaidoverridegroup:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_group
continue:true
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`idview` \| `idviewcn` | The doverridegroup idview string. | yes
`anchor` \| `ipaanchoruuid` | The list of anchors to override. | yes
`description` \| `desc` | Description | no
`name` \| `group_name` \| `cn` | The group. | no
`gid` \| `gidnumber` | Group ID Number (int or "") | no
`fallback_to_ldap` | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | no
`delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
The idoverrideuser module allows to ensure presence and absence of idoverrideusers and idoverrideuser members.
Use Cases
---------
With idoverrideuser it is possible to manage user attributes within ID views. These attributes are for example the login name, home directory, certificate for authentication or SSH keys.
Features
--------
* Idoverrideuser management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidoverrideuser module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure test user test_user is present in idview test_idview
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview.
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
```
Example playbook to make sure test user test_user is present in idview test_idview with description
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview with description
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
description:"test_user description"
```
Example playbook to make sure test user test_user is present in idview test_idview without description
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview without description
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
description:""
```
Example playbook to make sure test user test_user is present in idview test_idview with internal name test_123_user
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview with internal name test_123_user
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
name:test_123_user
```
Example playbook to make sure test user test_user is present in idview test_idview without internal name
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview without internal name
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
name:""
```
Example playbook to make sure test user test_user is present in idview test_idview with uid 20001
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview with uid 20001
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
uid:20001
```
Example playbook to make sure test user test_user is present in idview test_idview without uid
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview without uid
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
uid:""
```
Example playbook to make sure test user test_user is present in idview test_idview with gecos "Gecos Test"
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview with gecos "Gecos Test"
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
gecos:Gecos Test
```
Example playbook to make sure test user test_user is present in idview test_idview without gecos
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview without gecos
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
gecos:""
```
Example playbook to make sure test user test_user is present in idview test_idview with gidnumber
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview with gidnumber
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
gidnumber:20001
```
Example playbook to make sure test user test_user is present in idview test_idview without gidnumber
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview without gidnumber
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
gidnumber:""
```
Example playbook to make sure test user test_user is present in idview test_idview with homedir /Users
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview with homedir /Users
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
homedir:/Users
```
Example playbook to make sure test user test_user is present in idview test_idview without homedir
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview without homedir
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
homedir:""
```
Example playbook to make sure test user test_user is present in idview test_idview with shell
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview with shell
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
shell:/bin/someshell
```
Example playbook to make sure test user test_user is present in idview test_idview without shell
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview without shell
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
shell:""
```
Example playbook to make sure test user test_user is present in idview test_idview with sshpubkey
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview with sshpubkey
Example playbook to make sure test user test_user is present in idview test_idview without certificates
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview without certificates
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
certificate:[]
```
Example playbook to make sure test user test_user is present in idview test_idview with enabling falling back to AD DC LDAP when resolving AD trusted objects. (For two-way trusts only.)
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is present in idview test_idview with fallback_to_ldap enabled
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
fallback_to_ldap:true
```
Example playbook to make sure test user test_user is absent in idview test_idview
```yaml
---
- name:Playbook to manage idoverrideuser
hosts:ipaserver
become:false
tasks:
- name:Ensure test user test_user is absent in idview test_idview
ipaidoverrideuser:
ipaadmin_password:SomeADMINpassword
idview:test_idview
anchor:test_user
continue:true
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`idview` \| `idviewcn` | The doverrideuser idview string. | yes
`anchor` \| `ipaanchoruuid` | The list of anchors to override. | yes
`description` \| `desc` | Description | no
`name` \| `login` | The user (internally uid) | no
`uid` \| `uidnumber` | User ID Number (int or "") | no
`gecos` | GECOS | no
`gidnumber` | Group ID Number (int or ""). | no
`homedir` \| `homedirectory` | Home directory. | no
`shell` \| `loginshell` | Login shell. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`certificate` \| `usercertificate` | List of Base-64 encoded user certificates. This variable can also be used with `action: member`. | no
`fallback_to_ldap` | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | no
`delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`nomembers` \| `no_members` | Suppress processing of membership attributes. Valid only if `state` is `absent`. | no
`action` | Work on idoverrideuser or member level. It can be on of `member` or `idoverrideuser` and defaults to `idoverrideuser`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Example playbook to make sure google idp my-google-idp is present using provider:
```yaml
---
- name:Playbook to manage IPA idp.
hosts:ipaserver
become:false
tasks:
- name:Ensure google idp my-google-idp is present using provider
ipaidp:
ipaadmin_password:SomeADMINpassword
name:my-google-idp
provider:google
client_id:my-google-client-id
```
Example playbook to make sure idps my-keycloak-idp, my-github-idp and my-google-idp are absent:
```yaml
---
- name:Playbook to manage IPA idp.
hosts:ipaserver
become:false
tasks:
- name:Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent
ipaidp:
ipaadmin_password:SomeADMINpassword
name:
- my-keycloak-idp
- my-github-idp
- my-google-idp
delete_continue:true
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | false
`name` \| `cn` | The list of idp name strings. | yes
scope \| ipaidpscope | OAuth 2.0 scope string. Multiple scopes separated by space. | no
idp_user_id \| ipaidpsub | Attribute string for user identity in OAuth 2.0 userinfo. | no
provider \| ipaidpprovider | Pre-defined template string. This provides the provider defaults, which can be overridden with the other IdP options. Choices: ["google","github","microsoft","okta","keycloak"] | no
organization \| ipaidporg | Organization ID string or Realm name for IdP provider templates. | no
base_url \| ipaidpbaseurl | Base URL string for IdP provider templates. | no
rename \| new_name | New name for the Identity Provider server object. Only with `state: renamed`. | no
delete_continue \| continue | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `renamed`, default: `present`. | no
The idview module allows to ensure presence and absence of idviews and idview host members.
Use Cases
---------
With ID views it is possible to override user or group attributes for users stored in the LDAP server. For example the login name, home directory, certificate for authentication or SSH keys. An ID view is client-side and specifies new values for user or group attributes and also the client host or hosts on which the values apply.
The ID view and the applied hosts are managed with idview, the user attributes are managed with idoverrideuser and the group attributes with idoverridegroup.
Features
--------
* Idview management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidview module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure idview "test_idview" is present:
```yaml
---
- name:Playbook to manage IPA idview.
hosts:ipaserver
become:false
tasks:
- ipaidview:
ipaadmin_password:SomeADMINpassword
name:test_idview
```
Example playbook to make sure idview "test_idview" member host "testhost.example.com" is present:
```yaml
---
- name:Playbook to manage IPA idview host member.
hosts:ipaserver
become:false
tasks:
- ipaidview:
ipaadmin_password:SomeADMINpassword
name:test_idview
host:testhost.example.com
action:member
```
Example playbook to make sure idview "test_idview" member host "testhost.example.com" is absent:
```yaml
---
- name:Playbook to manage IPA idview host member.
hosts:ipaserver
become:false
tasks:
- ipaidview:
ipaadmin_password:SomeADMINpassword
name:test_idview
host:testhost.example.com
action:member
state:absent
```
Example playbook to make sure idview "test_idview" is present with domain_resolution_order for "ad.example.com:ipa.example.com":
Example playbook to make sure idview "test_idview" is absent:
```yaml
---
- name:Playbook to manage IPA idview.
hosts:ipaserver
become:false
tasks:
- ipaidview:
ipaadmin_password:SomeADMINpassword
name:test_idview
state:absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`name` \| `cn` | The list of idview name strings. | yes
`description` \| `desc` | The description string of the idview. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Colon-separated list of domains used for short name qualification. | no
`host` \| `hosts` | List of hosts to apply the ID View to. A host can only be applied to a single idview at any time. Applying a host that is already applied to a different idview will change the idview the host is applied to to the new one. | no
`rename` \| `new_name` | Rename the ID view object to the new name string. Only usable with `state: renamed`. | no
`delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`action` | Work on idview or member level. It can be on of `member` or `idview` and defaults to `idview`. | no
`state` | The state to ensure. It can be one of `present`, `absent` and `renamed`, default: `present`. | no
The inventory plugin compiles a dynamic inventory from IPA domain. The servers can be filtered by their role(s).
This plugin is using the Python requests binding, that is only available for Python 3.7 and up.
Features
--------
* Dynamic inventory
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.6.0 and up are supported by the inventory plugin.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Configuration
=============
The inventory plugin is automatically enabled from the Ansible collection or from the top directory of the git repo if the `plugins` folder is linked to `~/.ansible`.
If `ansible.cfg` was modified to point to the roles and modules with `roles_path`, `library` and `module_utils` tag, then it is needed to set `inventory_plugins` also:
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`server` | The FQDN of server to start the scan. (string) | yes
`verify` | The server TLS certificate file for verification (/etc/ipa/ca.crt). Turned off if not set. (string) | yes
`role` | The role(s) of the server. If several roles are given, only servers that have all the roles are returned. (list of strings) (choices: "IPA master", "CA server", "KRA server", "DNS server", "AD trust controller", "AD trust agent") | no
`inventory_group` | The inventory group to create. The default group name is "ipaservers". | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `service` | The list of service name strings. | yes
`name` \| `service` | The list of service name strings. `name` with *service variables* or `services` containing *service variables* need to be used. | no
`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
**Service Variables:**
Variable | Description | Required
-------- | ----------- | --------
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp` or `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of sudorule name strings. | yes
`name` \| `cn` | The list of sudorule name strings. | no
`sudorules` | The list of sudorule dicts. Each `sudorule` dict entry can contain sudorule variables.<br>There is one required option in the `sudorule` dict:| no
| `name` - The sudorule name string of the entry. | yes
`description` | The sudorule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
`update_password` | Set password for a user in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
`preserve` | Delete a user, keeping the entry available for future use. (bool) | no
`action` | Work on user or member level. It can be on of `member` or `user` and defaults to `user`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `renamed`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes
`smb_profile_path:` \| `ipantprofilepath` | SMB profile path, in UNC format. Requires FreeIPA version 4.8.0+. | no
`smb_home_dir` \| `ipanthomedirectory` | SMB Home Directory, in UNC format. Requires FreeIPA version 4.8.0+. | no
`smb_home_drive` \| `ipanthomedirectorydrive` | SMB Home Directory Drive, a single upercase letter (A-Z) followed by a colon (:), for example "U:". Requires FreeIPA version 4.8.0+. | no
`rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
Return Values
=============
@@ -477,5 +492,5 @@ Variable | Description | Returned When
@@ -119,7 +125,7 @@ ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
**RPM package**
There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
There are RPM packages available for Fedora. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
**Ansible Galaxy**
@@ -129,18 +135,8 @@ This command will get the whole collection from galaxy:
Installing collections using the ansible-galaxy command is only supported with ansible 2.9+.
The mazer tool can be used for to install the collection for ansible 2.8:
```bash
mazer install freeipa.ansible_freeipa
```
Ansible galaxy does not support the use of dash ('-') in a name and is automatically replacing this with an underscore ('\_'). Therefore the name is `ansible_freeipa`. The ansible_freeipa collection will be placed in the directory `~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa` where it will be automatically be found for this user.
The needed adaptions of collection prefixes for `modules` and `module_utils` will be done with ansible-freeipa release `0.1.6` for galaxy.
Ansible inventory file
----------------------
@@ -450,7 +446,11 @@ Modules in plugin/modules
* [ipahbacsvcgroup](README-hbacsvcgroup.md)
* [ipahost](README-host.md)
* [ipahostgroup](README-hostgroup.md)
* [idoverridegroup](README-idoverridegroup.md)
* [idoverrideuser](README-idoverrideuser.md)
* [idp](README-idp.md)
* [idrange](README-idrange.md)
* [idview](README-idview.md)
* [ipalocation](README-location.md)
* [ipanetgroup](README-netgroup.md)
* [ipapermission](README-permission.md)
@@ -472,3 +472,8 @@ Modules in plugin/modules
* [ipavault](README-vault.md)
If you want to write a new module please read [writing a new module](plugins/modules/README.md).
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
