Compare commits


47 Commits

Author SHA1 Message Date
Rafael Guterres Jeffman
16a4eb81ce Merge pull request #1264 from t-woerner/module_documentation_fixes
Documentation fixes for issues found by ansible-test part of ansible-core 2.17.1
2024-07-01 09:31:47 -03:00
Thomas Woerner
cd16490531 Role modules: Docs: Fix default value for string list parameters
Fix default values for string list parameters where default is missing
in the DOCUMENTATION section, but is defined in argument_specs.
2024-07-01 11:33:28 +02:00
Thomas Woerner
7b6bc32fa0 tests/utils.py: Fix missing whitespace around arithmetic operator (E226) 2024-07-01 11:31:13 +02:00
Thomas Woerner
6b3fb78db6 ipareplica_prepare: Documentation: Fixed name of ipa_client_installed
The ipa_client_installed option was named as client_configured in the
DOCUMENTATION section.
2024-07-01 11:17:52 +02:00
Thomas Woerner
67df9e83c7 ipaclient_setup_nss: Documentation: Add default for selinux_works
The default value for selinux_works was missing in the DOCUMENTATION
section.
2024-07-01 11:15:49 +02:00
Thomas Woerner
14be339af0 service: Docs: Fix required for name, add delete_continue to services
DOCUMENTATION section: Fix required for name, add missing
delete_continue to services option.
2024-07-01 10:39:04 +02:00
Thomas Woerner
76251ead2c idp: Drop no_log from docs section, allow to log token_uri and keys_uri
The no_log tag is only allowed in the argument_spec, but not in the
DOCUMENTATION section. Set no_log=False for token_uri and
keys_uri=keys_uri in the argument_spec to enforce logging.
2024-07-01 10:33:04 +02:00
Thomas Woerner
74028bd36c idoverrideuser: Docs: Fix sshpubkey element type, nomembers type
The element type for sshpubkey was using 'element' instead of 'elements'
also the type for nomembers was wrong in the DOCUMENTATION section.
2024-07-01 10:30:57 +02:00
Thomas Woerner
43217b9e70 cert: Fix short_description tag, add chain option, remove authors
Several fixes for the DOCUMENTATION section: The short_description tag
was 'short description', the chain option was missing and the unknown
authors tag has been removed.
2024-07-01 10:25:11 +02:00
Thomas Woerner
96209f6945 inventory/freeipa: Documentation: Fix version_added and drop plugin_type
In the freeipa inventory plugin, fix version to 1.13.0 and drop unknown
tag plugin_type.
2024-07-01 10:23:21 +02:00
Thomas Woerner
7eac30127a ipamodule_base_docs: Documentation: Fix default for delete_continue
The default setting for delete_continue was True instead of true for
delete_continue in the DOCUMENTATION section.
2024-07-01 10:20:21 +02:00
Rafael Guterres Jeffman
719d1cd056 Merge pull request #1263 from t-woerner/tests_sanity_setuptools
tests/sanity/sanity.sh: Install setuptools with pip
2024-06-28 12:29:42 -03:00
Rafael Guterres Jeffman
832d44d986 Merge pull request #1262 from t-woerner/user_fix_idp_user_id_aliases
user: Fix idp_user_id aliases
2024-06-28 12:29:13 -03:00
Rafael Guterres Jeffman
82f403c0de Merge pull request #1261 from t-woerner/inventory_plugin_try_imports
plugins/inventory/freeipa: Try imports for requests and urllib3
2024-06-28 12:27:06 -03:00
Rafael Guterres Jeffman
fa4a90e628 Merge pull request #1259 from t-woerner/permission_DN_parameters_idempotency_fixes
permission: Fix idempotency issues for DN parameters
2024-06-28 12:26:45 -03:00
Rafael Guterres Jeffman
c38ff9b78c Merge pull request #1255 from t-woerner/service_readme_multi_services
README-service.md: Add multi service handling
2024-06-28 12:24:40 -03:00
Rafael Guterres Jeffman
85b1c54ce1 Merge pull request #1250 from t-woerner/convert_input_certificates
Convert input certificates
2024-06-28 12:24:07 -03:00
Rafael Guterres Jeffman
6d5f3f3274 Merge pull request #1248 from t-woerner/fix_batch_errors
ansible_freeipa_module: Fix errors in batch mode
2024-06-28 12:23:39 -03:00
Rafael Guterres Jeffman
1dba4ba408 Merge pull request #1246 from t-woerner/ipa_4_12_fixes
Fixes for FreeIPA 4.12
2024-06-28 12:23:20 -03:00
Thomas Woerner
e867373fc0 tests/sanity/sanity.sh: Install setuptools with pip
setuptools might not be installed before importing and using
galaxy_importer. This could result in a backtrace by disabling
ANSIBLE_TEST_LOCAL_IMAGE in galaxy-importer.cfg to run latest tests.
2024-06-28 17:08:16 +02:00
Thomas Woerner
c5c8cb3b04 user: Fix idp_user_id aliases
The alias for idp_user_id was ipaidpconfiglink by mistake. It was
already correct (ipaidpsub) in the DOCUMENTATION section and also
in the README.
2024-06-28 17:02:24 +02:00
Thomas Woerner
8944999657 service: Add multi service examples to EXAMPLES
The EXAMPLES section only contained a very simple example for multi
service handling. The examples from the README have been added.
2024-06-28 16:55:56 +02:00
Thomas Woerner
b7a04bc49b README-service.md: Add multi service handling
The service README so far lacks the documentation of multi service
handling within a single task.

The alias for the continue parameter was also added.

Fixes: #1113
2024-06-28 16:55:40 +02:00
Thomas Woerner
935bef4b9f Merge pull request #1130 from rjeffman/ansible_support_2_14_plus
Bump minimum supported Ansible version
2024-06-28 16:48:27 +02:00
Thomas Woerner
8e139e2fe9 plugins/inventory/freeipa: Try imports for requests and urllib3
The bindings for requests and urllib3 might not be available, especially
in the ansible-test fake execution test (next version). These imports are
now in a try exception clause to make sure that the fake execution test
will be passing and also that there is a better error message if the
bindings are missing.

urllib3.exceptions.InsecureRequestWarning is now also only disabled if
no certificate has been given for the verification of the connection.
2024-06-28 16:35:44 +02:00
Rafael Guterres Jeffman
332d41dc46 ansible-freeipa.spec: Bump minimum supported Ansible version to 2.15
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

This patch updates the minimum supported Ansible version and the list
of available modules.
2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
ab94ff07a0 utils/templates: Bump minimum supported Ansible version to 2.15
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
5a5b3c1655 ipasmartcard_*: Bump minimum supported Ansible version to 2.15
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
74663b877a ipabackup: Bump minimum supported Ansible version to 2.15
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
2f06f194f1 ipaserver: Bump minimum supported Ansible version to 2.15
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
3148c10480 ipareplica: Bump minimum supported Ansible version to 2.15
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
f4187a1453 ipaclient: Bump minimum supported Ansible version to 2.15
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
7126dec0f3 README-*: Bump minimum Ansible supported version to 2.15
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.

This patch includes the change to the version number in the collection
and all plugin README files. The collection README was also updated to
remove text that related only to previous Ansible versions.
2024-06-28 10:51:44 -03:00
Rafael Guterres Jeffman
3d241e55b4 Set collection ansible-core minimum version to 2.15 2024-06-28 10:51:27 -03:00
Thomas Woerner
173acf282b permission: Fix idempotency issues for DN parameters
The parameters

- subtree (ipapermlocation)
- target (ipapermtarget)
- targetto (ipapermtargetto)
- targetfrom (ipapermtargetfrom)

have not been idempotent as the result returned from permission_show was
a DN and not a string.

The find_permission function has been extended to convert the values
for these parameters to strings.

Fixes: #1257
2024-06-26 14:57:28 +02:00
Thomas Woerner
39ba225784 ansible_freeipa_module: Fix errors in batch mode
The error string returned by execute_ipa_commands in batch mode
additionally contains the whole parameter list for the command. This is
different to non batch mode execution and breaks tests that are checking
the returned error message.

A leftover debug message has also been removed from the error
processing.
2024-06-25 17:31:45 +02:00
Thomas Woerner
b7ccd8fed5 ipauser: Use new convert_input_certificates
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and trailing white space and newlines.
2024-06-25 16:07:05 +02:00
Thomas Woerner
ef94b703df ipaidoverrideuser: Use new convert_input_certificates
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and trailing white space and newlines.
2024-06-25 16:07:05 +02:00
Thomas Woerner
0dc58be3f6 ipahost: Use new convert_input_certificates
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and trailing white space and newlines.
2024-06-25 16:07:05 +02:00
Thomas Woerner
b64da1dbb7 ipaservice: Use new convert_input_certificates
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and trailing white space and newlines.
2024-06-25 16:07:05 +02:00
Thomas Woerner
84b5d33c62 ansible_freeipa_module: New function convert_input_certificates
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and trailing white space and newlines.

New function:
- convert_input_certificates(module, certs, state)
2024-06-25 16:06:59 +02:00
Thomas Woerner
5ac7143f42 ipareplica: After an HSM replica install ensure all certs are visible
FreeIPA commit ea0bf4020ce0b1e32572e128e9323c5af60ec93d

    After an HSM replica install ensure all certs are visible

    If a certificate on a token does not have NSS trust set then
    it won't be visible in the softoken. This can be disconcerting
    for those used to seeing all the certificates.

    Loop through the possibilities and set no trust (or Peer) for
    all the certificates on the token.

    Also ensure that the CA certificate has the correct nickname.

    Related: https://pagure.io/freeipa/issue/9273
2024-06-20 15:21:36 +02:00
Thomas Woerner
07d91e02d1 ipareplica: Refactor CA file handling
replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is
called instead if the client was configured before deploying with
ipareplica role.

FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d

    Refactor CA file handling in replica installer

    Clean up and remove obsolete code from ipa-replica-install. For several
    versions replica installer first ensures that a host is an IPA client,
    then promotes the client to a replica. The client installer code sets up
    CA stores like IPA_CA_CRT already.
2024-06-20 15:21:36 +02:00
Thomas Woerner
127d758100 ipareplica_install_ca_certs: Do not return unchanged config attributes
The config attributes config_master_host_name and also config_ca_host_name
are not changed within ipareplica_install_ca_certs, therefore it is not
needed to return them and also to use the returned values for following
tasks.
2024-06-20 15:21:36 +02:00
Thomas Woerner
4ff6e35c28 ipaserver: Set hsm attributes to None for now
The HSM parameters

    token_name
    token_library_path
    token_password
    token_password_file

are set to None to enable deployment with IPA 4.12 as a workaround till
HSM can be fully supported by the ipaserver role.
2024-06-20 15:21:36 +02:00
Rafael Guterres Jeffman
a1230cabc6 Merge pull request #1242 from t-woerner/fix_build_galaxy_release_sh_offline2
utils/build-galaxy-release.sh: Fix unary operator expected (v2)
2024-05-27 11:00:03 -03:00
Thomas Woerner
411f5f3467 utils/build-galaxy-release.sh: Fix unary operator expected (v2)
This fixes a bad test if offline is not set:
utils/build-galaxy-release.sh: line 130: [: -ne: unary operator expected

Fixes f17f83d6bd
2024-05-27 15:39:35 +02:00
95 changed files with 497 additions and 154 deletions

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountkey module.
Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountlocation module.
Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipaautomountmap module.
Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -25,7 +25,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
* Some tool to generate a certificate signing request (CSR) might be needed, like `openssl`.
**Node**

View File

@@ -25,7 +25,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -23,7 +23,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -21,7 +21,7 @@ FreeIPA versions 4.4.0 and up are supported by the ipadnsforwardzone module.
Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -23,7 +23,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**

View File

@@ -29,7 +29,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -26,7 +26,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -29,7 +29,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -29,7 +29,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -37,7 +37,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -29,7 +29,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -25,7 +25,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -25,7 +25,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -23,7 +23,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -25,7 +25,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FReeIPA version (see above)
@@ -282,6 +282,65 @@ Example playbook to allow users, groups, hosts or hostgroups to retrieve a keyta
```
Example playbook to ensure presence of serveral services in a single task:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
tasks:
- name: Ensure services are present
ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: HTTP/www.example.com
principal:
- host/host1.example.com
- name: mysvc/www.example.com
pac_type: NONE
ok_as_delegate: yes
ok_to_auth_as_delegate: yes
- name: HTTP/www.example.com
allow_create_keytab_user:
- user01
- user02
allow_create_keytab_group:
- group01
- group02
allow_create_keytab_host:
- host1.example.com
- host2.example.com
allow_create_keytab_hostgroup:
- hostgroup01
- hostgroup02
- name: mysvc/host2.example.com
auth_ind: otp,radius
```
Example playbook to ensure presence of serveral services in a single task with `member` `action`:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
- name: Ensure service host members are present
ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: HTTP/www1.example.com
host: host1.example.com
- name: HTTP/www2.example.com
host: host2.example.com
action: member
```
Variables
---------
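Review bot: typo in both added lead-in sentences, `serveral` should be `several` (the lines beginning `Example playbook to ensure presence of serveral services`). Two smaller points on the first example: `HTTP/www.example.com` appears twice in the same `services` list (once with `principal`, once with the `allow_create_keytab_*` lists), which presumably relies on entries being processed in order; a one-line comment saying so would stop readers taking it for a copy-paste mistake. And `ok_as_delegate: yes` / `ok_to_auth_as_delegate: yes` use YAML 1.1 truthy spellings while this same changeset normalises `default: True` to `default: true` elsewhere; `true` would be consistent.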
@@ -291,7 +350,15 @@ Variable | Description | Required
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `service` | The list of service name strings. | yes
`name` \| `service` | The list of service name strings. `name` with *service variables* or `services` containing *service variables* need to be used. | no
`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
**Service Variables:**
Variable | Description | Required
-------- | ----------- | --------
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp` or `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
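Review bot: the rewritten `name` \| `service` row makes `name` and `services` alternatives, but marking both `Required: no` leaves it unclear that exactly one of them must be given; saying so in the description (and whether they may be combined) would remove the ambiguity. While this table is being touched, the `action` row in the unchanged context still reads `It can be on of`, which should be `one of`.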
@@ -310,11 +377,9 @@ Variable | Description | Required
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
`continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
`smb` | Service is an SMB service. If set, `cifs/` will be prefixed to the service name if needed. | no
`netbiosname` | NETBIOS name for the SMB service. Only with `smb: yes`. | no
`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
`continue` \| `delete_continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
Authors
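Review bot: the moved `continue` \| `delete_continue` row keeps `Default: \`no\``, but the shared documentation fragment changed in this same set (the ipamodule_base_docs `delete_continue` option) now reads `default: true`, and the `delete_continue` option added to the ipaservice module declares no default at all. One of these is wrong; please align README, fragment and module option on the real default. Moving `action` and `state` out of the Service Variables table is right, since both apply to the whole task rather than to one service entry.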

View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -21,7 +21,7 @@ Requirements
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**

View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -74,7 +74,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -1,2 +1,2 @@
---
requires_ansible: ">=2.13"
requires_ansible: ">=2.15.0"

View File

@@ -56,5 +56,5 @@ options:
Continuous mode. Don't stop on errors. Valid only if `state` is `absent`.
aliases: ["continue"]
type: bool
default: True
default: true
"""

View File

@@ -32,8 +32,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
name: freeipa
plugin_type: inventory
version_added: "1.13"
version_added: "1.13.0"
short_description: Compiles a dynamic inventory from IPA domain
description: |
Compiles a dynamic inventory from IPA domain, filters servers by role(s).
@@ -92,12 +91,14 @@ verify: ca.crt
"""
import os
import requests
try:
from requests.packages import urllib3
import requests
except ImportError:
requests = None
try:
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
except ImportError:
urllib3 = None
from ansible import constants
from ansible.errors import AnsibleParserError
@@ -125,6 +126,11 @@ class InventoryModule(BaseInventoryPlugin):
self._read_config_data(path) # This also loads the cache
self.get_option("plugin")
if requests is None:
raise AnsibleParserError("The required Python library "
"'requests' could not be imported.")
ipaadmin_principal = self.get_option("ipaadmin_principal")
ipaadmin_password = self.get_option("ipaadmin_password")
server = self.get_option("server")
@@ -137,6 +143,11 @@ class InventoryModule(BaseInventoryPlugin):
raise AnsibleParserError("ERROR: Could not load %s" % verify)
else:
verify = False
# Disable certificate verification warning without certificate
# as long as urllib3 could have been loaded.
if urllib3 is not None:
urllib3.disable_warnings(
urllib3.exceptions.InsecureRequestWarning)
self.inventory.add_group(inventory_group)
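Review bot: narrowing the `urllib3.disable_warnings(...)` call to the `verify = False` branch is the right scope, but suppressing the warning also removes the only signal a user gets that the inventory plugin is talking to the IPA server over unverified TLS. Consider replacing the suppression with (or adding) a visible Ansible warning on this path, for example through the plugin's `display.warning`, so that an inventory run without a `verify` CA certificate shows up in the output instead of being silent.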

View File

@@ -54,6 +54,7 @@ import tempfile
import shutil
import socket
import base64
import binascii
import ast
import time
from datetime import datetime
@@ -644,6 +645,7 @@ def encode_certificate(cert):
Encode a certificate using base64.
It also takes FreeIPA and Python versions into account.
This is used to convert the certificates returned by find and show.
"""
if isinstance(cert, (str, unicode, bytes)):
encoded = base64.b64encode(cert)
@@ -654,6 +656,33 @@ def encode_certificate(cert):
return encoded
def convert_input_certificates(module, certs, state):
"""
Convert certificates.
Remove all newlines and white spaces from the certificates.
This is used on input parameter certificates of modules.
"""
if certs is None:
return None
_certs = []
for cert in certs:
try:
_cert = base64.b64encode(base64.b64decode(cert)).decode("ascii")
except (TypeError, binascii.Error) as e:
# Idempotency: Do not fail for an invalid cert for state absent.
# The invalid certificate can not be set in FreeIPA.
if state == "absent":
continue
module.fail_json(
msg="Certificate %s: Base64 decoding failed: %s" %
(repr(cert), str(e)))
_certs.append(_cert)
return _certs
def load_cert_from_str(cert):
cert = cert.strip()
if not cert.startswith("-----BEGIN CERTIFICATE-----"):
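Review bot: `base64.b64decode(cert)` without validation silently discards characters outside the base64 alphabet, so input that is not clean base64 (for instance a PEM block pasted together with its `-----BEGIN CERTIFICATE-----` armor) is decoded to garbage and re-encoded as a "valid" certificate rather than rejected; only padding errors reach the `except (TypeError, binascii.Error)` branch. Since `load_cert_from_str` directly below already recognises the PEM armor, consider stripping or rejecting it explicitly here, or checking the whitespace-stripped string against the base64 alphabet before decoding. The bare `continue` for `state == "absent"` also drops an entry with no feedback; a `module.warn` would make a mistyped certificate in an absent list visible while keeping the idempotent behaviour.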
@@ -1485,7 +1514,6 @@ class IPAAnsibleModule(AnsibleModule):
filter(lambda x: x[0] in keeponly,
_res.items())
)
self.tm_warn("res: %s" % repr(res))
if "error" not in res or res["error"] is None:
if result_handler is not None:
@@ -1498,10 +1526,9 @@ class IPAAnsibleModule(AnsibleModule):
changed = True
else:
_errors.append(
"%s %s %s: %s" %
"%s: %s: %s" %
(batch_args[ri]["method"],
repr(batch_args[ri]["params"][0][0]),
repr(batch_args[ri]["params"][1]),
str(batch_args[ri]["params"][0][0]),
res["error"]))
# clear batch command list (python2 compatible)
del batch_args[:]
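Review bot: `str(batch_args[ri]["params"][0][0])` raises `UnicodeEncodeError` on Python 2 when the object name contains non-ASCII characters, which the previous `repr()` did not, and this block is explicitly kept Python 2 compatible (see the `del batch_args[:]` comment). `to_text(...)` from the module utils, which the permission module in this same changeset imports, would be the safe conversion. Dropping `repr(batch_args[ri]["params"][1])` from the message is otherwise a good change: it brings the batch-mode error text in line with non-batch mode and stops the full option dict, values included, from being echoed into error output.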

View File

@@ -34,7 +34,7 @@ ANSIBLE_METADATA = {
DOCUMENTATION = """
---
module: ipacert
short description: Manage FreeIPA certificates
short_description: Manage FreeIPA certificates
description: Manage FreeIPA certificates
extends_documentation_fragment:
- ipamodule_base_docs
@@ -67,6 +67,10 @@ options:
description: Name of the issuing certificate authority.
type: str
required: false
chain:
description: Include certificate chain in output.
type: bool
required: false
serial_number:
description: |
Certificate serial number. Cannot be used with `state: requested`.
@@ -102,7 +106,6 @@ options:
required: true
type: str
author:
authors:
- Sam Morris (@yrro)
- Rafael Guterres Jeffman (@rjeffman)
"""

View File

@@ -510,7 +510,8 @@ host:
from ansible.module_utils.ansible_freeipa_module import \
IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, \
encode_certificate, is_ipv4_addr, is_ipv6_addr, ipalib_errors, \
gen_add_list, gen_intersection_list, normalize_sshpubkey
gen_add_list, gen_intersection_list, normalize_sshpubkey, \
convert_input_certificates
from ansible.module_utils import six
if six.PY3:
unicode = str
@@ -682,13 +683,6 @@ def check_authind(module, auth_ind):
"by your IPA version" % "','".join(_invalid))
def convert_certificate(certificate):
if certificate is None:
return None
return [cert.strip() for cert in certificate]
# pylint: disable=unused-argument
def result_handler(module, result, command, name, args, exit_args,
single_host):
@@ -894,7 +888,8 @@ def main():
auth_ind, requires_pre_auth, ok_as_delegate, ok_to_auth_as_delegate,
force, reverse, ip_address, update_dns, update_password)
certificate = convert_certificate(certificate)
certificate = convert_input_certificates(ansible_module, certificate,
state)
if sshpubkey is not None:
sshpubkey = [str(normalize_sshpubkey(key)) for key in sshpubkey]
@@ -982,7 +977,8 @@ def main():
ok_to_auth_as_delegate, force, reverse, ip_address,
update_dns, update_password)
certificate = convert_certificate(certificate)
certificate = convert_input_certificates(ansible_module,
certificate, state)
if sshpubkey is not None:
sshpubkey = [str(normalize_sshpubkey(key)) for

View File

@@ -87,7 +87,7 @@ options:
sshpubkey:
description: List of SSH public keys
type: list
element: str
elements: str
required: False
aliases: ["ipasshpubkey"]
certificate:
@@ -113,7 +113,7 @@ options:
description: |
Suppress processing of membership attributes.
Valid only if `state` is `absent`.
type: str
type: bool
required: False
aliases: ["no_members"]
action:
@@ -315,7 +315,7 @@ RETURN = """
from ansible.module_utils.ansible_freeipa_module import \
IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, gen_add_list, \
gen_intersection_list, encode_certificate
gen_intersection_list, encode_certificate, convert_input_certificates
from ansible.module_utils import six
if six.PY3:
@@ -479,8 +479,8 @@ def main():
ansible_module.params_fail_used_invalid(invalid, state, action)
if certificate is not None:
certificate = [cert.strip() for cert in certificate]
certificate = convert_input_certificates(ansible_module, certificate,
state)
# Init

View File

@@ -82,7 +82,6 @@ options:
description: OAuth 2.0 client secret
required: false
type: str
no_log: true
aliases: ["ipaidpclientsecret"]
scope:
description: OAuth 2.0 scope. Multiple scopes separated by space
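Review bot: removing `no_log: true` from the DOCUMENTATION entry for `client_secret` is documentation only, but the argument_spec line for `client_secret` is not part of this diff; please confirm it still carries `no_log=True`, since that is the setting that actually keeps the OAuth client secret out of logs and task output.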
@@ -362,11 +361,11 @@ def main():
dev_auth_uri=dict(required=False, type="str", default=None,
aliases=["ipaidpdevauthendpoint"]),
token_uri=dict(required=False, type="str", default=None,
aliases=["ipaidptokenendpoint"]),
aliases=["ipaidptokenendpoint"], no_log=False),
userinfo_uri=dict(required=False, type="str", default=None,
aliases=["ipaidpuserinfoendpoint"]),
keys_uri=dict(required=False, type="str", default=None,
aliases=["ipaidpkeysendpoint"]),
aliases=["ipaidpkeysendpoint"], no_log=False),
issuer_url=dict(required=False, type="str", default=None,
aliases=["ipaidpissuerurl"]),
client_id=dict(required=False, type="str", default=None,
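Review bot: the explicit `no_log=False` on `token_uri` and `keys_uri` is the correct way to silence the name-based heuristic that treats parameters containing "token" or "key" as probable secrets; both are endpoint URLs, not credentials. A one-line comment next to each (`# URL, not a secret`) would stop the next reader from re-adding `no_log=True` or, worse, assuming the heuristic is covering `client_secret`.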

View File

@@ -154,7 +154,7 @@ RETURN = """
from ansible.module_utils.ansible_freeipa_module import \
IPAAnsibleModule, compare_args_ipa
IPAAnsibleModule, compare_args_ipa, to_text
def find_permission(module, name):
@@ -164,7 +164,12 @@ def find_permission(module, name):
except Exception: # pylint: disable=broad-except
# An exception is raised if permission name is not found.
return None
return _result["result"]
_res = _result["result"]
for param in ["ipapermlocation", "ipapermtarget", "ipapermtargetto",
"ipapermtargetfrom"]:
if param in _res:
_res[param] = [to_text(elem) for elem in _res[param]]
return _res
def gen_args(right, attrs, bindtype, subtree,
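Review bot: the comprehension `[to_text(elem) for elem in _res[param]]` assumes each of `ipapermlocation`, `ipapermtarget`, `ipapermtargetto` and `ipapermtargetfrom` is returned as a list; if permission_show hands back a single DN value for any of them, iterating would convert it character by character and the later comparison would silently never match. Guard it, e.g. `if not isinstance(_res[param], (list, tuple)): _res[param] = [_res[param]]` before the conversion.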

View File

@@ -44,7 +44,7 @@ options:
description: The service to manage
type: list
elements: str
required: true
required: false
aliases: ["service"]
services:
description: The list of service dicts.
@@ -167,6 +167,13 @@ options:
type: list
elements: str
aliases: ["ipaallowedtoperform_read_keys_hostgroup"]
delete_continue:
description:
Continuous mode. Don't stop on errors.
Valid only if `state` is `absent`.
required: false
type: bool
aliases: ["continue"]
certificate:
description: Base-64 encoded service certificate.
required: false
@@ -370,6 +377,43 @@ EXAMPLES = """
host:
- host1.example.com
- name: HTTP/www.service.com
# Ensure multiple services are present
- ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: HTTP/www.example.com
principal:
- host/host1.example.com
- name: mysvc/www.example.com
pac_type: NONE
ok_as_delegate: yes
ok_to_auth_as_delegate: yes
- name: HTTP/www.example.com
allow_create_keytab_user:
- user01
- user02
allow_create_keytab_group:
- group01
- group02
allow_create_keytab_host:
- host1.example.com
- host2.example.com
allow_create_keytab_hostgroup:
- hostgroup01
- hostgroup02
- name: mysvc/host2.example.com
auth_ind: otp,radius
# Ensure service host members are present
- ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: HTTP/www1.example.com
host: host1.example.com
- name: HTTP/www2.example.com
host: host2.example.com
action: member
"""
RETURN = """
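Review bot: in the new `# Ensure multiple services are present` example, `name: HTTP/www.example.com` appears twice in the same `services` list, once with `principal:` and again with the `allow_create_keytab_*` lists. As documentation this is confusing, and depending on how the module merges repeated names in one task it may be rejected or only the last entry may win; merge the two into one entry or give the second a distinct principal.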
@@ -378,7 +422,7 @@ RETURN = """
from ansible.module_utils.ansible_freeipa_module import \
IPAAnsibleModule, compare_args_ipa, encode_certificate, \
gen_add_del_lists, gen_add_list, gen_intersection_list, ipalib_errors, \
api_get_realm, to_text
api_get_realm, to_text, convert_input_certificates
from ansible.module_utils import six
if six.PY3:
unicode = str
@@ -601,12 +645,6 @@ def main():
# service attributes
principal = ansible_module.params_get("principal")
certificate = ansible_module.params_get("certificate")
# Any leading or trailing whitespace is removed while adding the
# certificate with serive_add_cert. To be able to compare the results
# from service_show with the given certificates we have to remove the
# white space also.
if certificate is not None:
certificate = [cert.strip() for cert in certificate]
pac_type = ansible_module.params_get(
"pac_type", allow_empty_list_item=True)
auth_ind = ansible_module.params_get(
@@ -636,6 +674,8 @@ def main():
ansible_module.fail_json(msg="At least one name or services is "
"required")
check_parameters(ansible_module, state, action, names)
certificate = convert_input_certificates(ansible_module, certificate,
state)
# Use services if names is None
if services is not None:
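Review bot: `convert_input_certificates(ansible_module, certificate, state)` is now called unconditionally after `check_parameters`, whereas the removed `[cert.strip() for cert in certificate]` was guarded by `if certificate is not None`. Make sure the shared helper returns None for None input (the deleted `convert_certificate` in the user module did exactly that), otherwise any task that omits `certificate` will raise instead of proceeding.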
@@ -669,12 +709,8 @@ def main():
service_set.add(name)
principal = service.get("principal")
certificate = service.get("certificate")
# Any leading or trailing whitespace is removed while adding
# the certificate with serive_add_cert. To be able to compare
# the results from service_show with the given certificates
# we have to remove the white space also.
if certificate is not None:
certificate = [cert.strip() for cert in certificate]
certificate = convert_input_certificates(ansible_module,
certificate, state)
pac_type = service.get("pac_type")
auth_ind = service.get("auth_ind")
check_authind(ansible_module, auth_ind)

View File

@@ -741,7 +741,8 @@ user:
from ansible.module_utils.ansible_freeipa_module import \
IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, date_format, \
encode_certificate, load_cert_from_str, DN_x500_text, to_text, \
ipalib_errors, gen_add_list, gen_intersection_list
ipalib_errors, gen_add_list, gen_intersection_list, \
convert_input_certificates
from ansible.module_utils import six
if six.PY3:
unicode = str
@@ -961,13 +962,6 @@ def extend_emails(email, default_email_domain):
return email
def convert_certificate(certificate):
if certificate is None:
return None
return [cert.strip() for cert in certificate]
def convert_certmapdata(certmapdata):
if certmapdata is None:
return None
@@ -1110,7 +1104,7 @@ def main():
nomembers=dict(type='bool', default=None),
idp=dict(type="str", default=None, aliases=['ipaidpconfiglink']),
idp_user_id=dict(type="str", default=None,
aliases=['ipaidpconfiglink']),
aliases=['ipaidpsub']),
rename=dict(type="str", required=False, default=None,
aliases=["new_name"]),
)
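Review bot: the alias change is needed, not cosmetic: `idp` and `idp_user_id` both declared `ipaidpconfiglink` as their alias, so the alias was ambiguous in the argument_spec. Check that the DOCUMENTATION entry for `idp_user_id` lists `ipaidpsub` as well so the two stay in sync, which is what ansible-test is validating in the rest of this change.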
@@ -1260,7 +1254,8 @@ def main():
preserve, update_password, smb_logon_script, smb_profile_path,
smb_home_dir, smb_home_drive, idp, idp_user_id, rename,
)
certificate = convert_certificate(certificate)
certificate = convert_input_certificates(ansible_module, certificate,
state)
certmapdata = convert_certmapdata(certmapdata)
# Init
@@ -1371,7 +1366,8 @@ def main():
update_password, smb_logon_script, smb_profile_path,
smb_home_dir, smb_home_drive, idp, idp_user_id, rename,
)
certificate = convert_certificate(certificate)
certificate = convert_input_certificates(ansible_module,
certificate, state)
certmapdata = convert_certmapdata(certmapdata)
# Check API specific parameters

View File

@@ -42,7 +42,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)
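Review bot: the controller requirement is raised from 2.13+ to 2.15+ here and in the other role READMEs and meta/main.yml files in this change, but nothing on the collection level (galaxy.yml `requires_ansible`, the top-level README, the CI matrix) is in the diff; make sure those agree, otherwise one file will advertise 2.13 support while the roles refuse it.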

View File

@@ -6,7 +6,7 @@ galaxy_info:
description: A role to backup and restore an IPA server
company: Red Hat, Inc
license: GPLv3
min_ansible_version: "2.13"
min_ansible_version: "2.15"
platforms:
- name: Fedora
versions:

View File

@@ -34,7 +34,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -156,6 +156,7 @@ options:
description: True if selinux status check passed
required: false
type: bool
default: false
krb_name:
description: The krb5 config file name
type: str

View File

@@ -6,7 +6,7 @@ galaxy_info:
description: A role to join a machine to an IPA domain
company: Red Hat, Inc
license: GPLv3
min_ansible_version: "2.13"
min_ansible_version: "2.15"
platforms:
- name: Fedora
versions:

View File

@@ -36,7 +36,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -51,6 +51,7 @@ options:
type: list
elements: str
required: no
default: []
domain:
description: Primary DNS domain of the IPA deployment
type: str
@@ -70,6 +71,7 @@ options:
type: list
elements: str
required: no
default: []
no_host_dns:
description: Do not use DNS for hostname lookup during installation
type: bool
@@ -97,6 +99,7 @@ options:
type: list
elements: str
required: no
default: []
force_join:
description: Force client enrollment even if already enrolled
type: bool

View File

@@ -90,7 +90,7 @@ from ansible.module_utils.ansible_ipa_replica import (
check_imports, AnsibleModuleLog, setup_logging, installer, DN, paths,
gen_env_boostrap_finalize_core, constants, api_bootstrap_finalize,
gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, service,
find_providing_servers, services
find_providing_servers, services, clean_up_hsm_nicknames
)
@@ -168,6 +168,9 @@ def main():
# Everything installed properly, activate ipa service.
services.knownservices.ipa.enable()
if options.setup_ca and clean_up_hsm_nicknames is not None:
clean_up_hsm_nicknames(api)
# Print a warning if CA role is only installed on one server
if len(ca_servers) == 1:
msg = u'''

View File

@@ -51,6 +51,7 @@ options:
type: list
elements: str
required: no
default: []
domain:
description: Primary DNS domain of the IPA deployment
type: str
@@ -70,6 +71,7 @@ options:
type: list
elements: str
required: no
default: []
no_host_dns:
description: Do not use DNS for hostname lookup during installation
type: bool
@@ -97,6 +99,7 @@ options:
type: list
elements: str
required: no
default: []
force_join:
description: Force client enrollment even if already enrolled
type: bool
@@ -156,6 +159,7 @@ options:
type: list
elements: str
required: no
default: []
author:
- Thomas Woerner (@t-woerner)
'''
@@ -333,9 +337,7 @@ def main():
# done #
ansible_module.exit_json(changed=True,
config_master_host_name=config.master_host_name,
config_ca_host_name=config.ca_host_name)
ansible_module.exit_json(changed=True)
if __name__ == '__main__':
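Review bot: dropping `config_master_host_name` and `config_ca_host_name` from `exit_json` changes this module's return values; the RETURN documentation block is not in this diff and should be updated to match, and any external playbook that read these keys from `result_ipareplica_install_ca_certs` now has to take them from `result_ipareplica_prepare`, as the role's own tasks do later in this change.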

View File

@@ -53,6 +53,7 @@ options:
type: list
elements: str
required: no
default: []
domain:
description: Primary DNS domain of the IPA deployment
type: str
@@ -77,6 +78,7 @@ options:
type: list
elements: str
required: no
default: []
no_host_dns:
description: Do not use DNS for hostname lookup during installation
type: bool
@@ -104,6 +106,7 @@ options:
type: list
elements: str
required: no
default: []
dirsrv_cert_name:
description: Name of the Directory Server SSL certificate to install
type: str
@@ -118,6 +121,7 @@ options:
type: list
elements: str
required: no
default: []
http_cert_name:
description: Name of the Apache Server SSL certificate to install
type: str
@@ -132,6 +136,7 @@ options:
type: list
elements: str
required: no
default: []
pkinit_cert_name:
description: Name of the Kerberos KDC SSL certificate to install
type: str
@@ -182,6 +187,7 @@ options:
type: list
elements: str
required: no
default: []
no_reverse:
description: Do not create new reverse DNS zone
type: bool
@@ -197,6 +203,7 @@ options:
type: list
elements: str
required: no
default: []
no_forwarders:
description: Do not add any DNS forwarders, use root servers instead
type: bool
@@ -250,6 +257,10 @@ options:
type: bool
default: no
required: no
ipa_client_installed:
description: Was client configured already
type: bool
required: yes
author:
- Thomas Woerner (@t-woerner)
'''
@@ -275,7 +286,8 @@ from ansible.module_utils.ansible_ipa_replica import (
check_domain_level_is_supported, errors, ScriptError, setup_logging,
logger, check_dns_resolution, service, find_providing_server, ca, kra,
dns, no_matching_interface_for_ip_address_warning, adtrust,
constants, api, redirect_stdout, replica_conn_check, tasks
constants, api, redirect_stdout, replica_conn_check, tasks,
install_ca_cert
)
from ansible.module_utils import six
@@ -353,6 +365,7 @@ def main():
skip_conncheck=dict(required=False, type='bool'),
sid_generation_always=dict(required=False, type='bool',
default=False),
ipa_client_installed=dict(required=True, type='bool'),
),
supports_check_mode=False,
)
@@ -436,6 +449,7 @@ def main():
# options._random_serial_numbers is generated by ca.install_check and
# later used by ca.install in the _setup_ca module.
options._random_serial_numbers = False
ipa_client_installed = ansible_module.params.get('ipa_client_installed')
# init #
@@ -601,10 +615,20 @@ def main():
ansible_log.debug("-- CA_CRT --")
cafile = paths.IPA_CA_CRT
if not os.path.isfile(cafile):
ansible_module.fail_json(
msg="CA cert file is not available! Please reinstall"
"the client and try again.")
if install_ca_cert is not None:
if not os.path.isfile(cafile):
ansible_module.fail_json(
msg="CA cert file is not available! Please reinstall"
"the client and try again.")
else:
if ipa_client_installed:
# host was already an IPA client, refresh client cert stores to
# ensure we have up to date CA certs.
try:
ipautil.run([paths.IPA_CERTUPDATE])
except ipautil.CalledProcessError:
ansible_module.fail_json(
msg="ipa-certupdate failed to refresh certs.")
ansible_log.debug("-- REMOTE_API --")
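Review bot: in the `else` branch, when `install_ca_cert` is None and `ipa_client_installed` is False, neither the `os.path.isfile(cafile)` check nor `ipa-certupdate` runs, so a missing `paths.IPA_CA_CRT` is no longer caught here at all on newer FreeIPA; if that is intentional because client enrollment is expected to have installed the CA certificate, say so in a comment, otherwise keep the file check outside the `if install_ca_cert is not None` guard. Two smaller points in the same hunk: the message `"CA cert file is not available! Please reinstall" "the client and try again."` still concatenates to "reinstallthe client" (pre-existing, but the line is being moved anyway), and `ipautil` must be imported in this module since the import hunk above only adds `install_ca_cert`.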

View File

@@ -127,6 +127,7 @@ options:
type: list
elements: str
required: no
default: []
author:
- Thomas Woerner (@t-woerner)
'''

View File

@@ -61,6 +61,7 @@ options:
type: list
elements: str
required: no
default: []
forward_policy:
description: DNS forwarding policy for global forwarders
type: str

View File

@@ -51,6 +51,7 @@ options:
type: list
elements: str
required: no
default: []
domain:
description: Primary DNS domain of the IPA deployment
type: str
@@ -70,6 +71,7 @@ options:
type: list
elements: str
required: no
default: []
no_host_dns:
description: Do not use DNS for hostname lookup during installation
type: bool
@@ -108,6 +110,7 @@ options:
type: list
elements: str
required: no
default: []
force_join:
description: Force client enrollment even if already enrolled
type: bool
@@ -176,6 +179,7 @@ options:
type: list
elements: str
required: no
default: []
author:
- Thomas Woerner (@t-woerner)
'''

View File

@@ -51,6 +51,7 @@ options:
type: list
elements: str
required: no
default: []
domain:
description: Primary DNS domain of the IPA deployment
type: str
@@ -70,6 +71,7 @@ options:
type: list
elements: str
required: no
default: []
no_host_dns:
description: Do not use DNS for hostname lookup during installation
type: bool
@@ -101,6 +103,7 @@ options:
type: list
elements: str
required: no
default: []
force_join:
description: Force client enrollment even if already enrolled
type: bool

View File

@@ -42,6 +42,7 @@ options:
type: list
elements: str
required: no
default: []
domain:
description: Primary DNS domain of the IPA deployment
type: str
@@ -51,6 +52,7 @@ options:
type: list
elements: str
required: no
default: []
realm:
description: Kerberos realm name of the IPA deployment
type: str
@@ -66,6 +68,7 @@ options:
type: list
elements: str
required: no
default: []
hidden_replica:
description: Install a hidden replica
type: bool
@@ -112,18 +115,21 @@ options:
type: list
elements: str
required: no
default: []
http_cert_files:
description:
File containing the Apache Server SSL certificate and private key
type: list
elements: str
required: no
default: []
pkinit_cert_files:
description:
File containing the Kerberos KDC SSL certificate and private key
type: list
elements: str
required: no
default: []
no_ntp:
description: Do not configure ntp
type: bool
@@ -134,6 +140,7 @@ options:
type: list
elements: str
required: no
default: []
ntp_pool:
description: ntp server pool to use
type: str
@@ -153,6 +160,7 @@ options:
type: list
elements: str
required: no
default: []
no_forwarders:
description: Do not add any DNS forwarders, use root servers instead
type: bool
@@ -191,7 +199,7 @@ from ansible.module_utils.ansible_ipa_replica import (
paths, sysrestore, ansible_module_get_parsed_ip_addresses, service,
redirect_stdout, create_ipa_conf, ipautil,
x509, validate_domain_name, common_check,
IPA_PYTHON_VERSION, getargspec, adtrustinstance
IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert
)
@@ -542,7 +550,8 @@ def main():
# additional
client_enrolled=client_enrolled,
change_master_for_certmonger=change_master_for_certmonger,
sid_generation_always=sid_generation_always
sid_generation_always=sid_generation_always,
install_ca_certs=install_ca_cert is not None
)

View File

@@ -6,7 +6,7 @@ galaxy_info:
description: A role to setup an IPA domain replica
company: Red Hat, Inc
license: GPLv3
min_ansible_version: "2.13"
min_ansible_version: "2.15"
platforms:
- name: Fedora
versions:

View File

@@ -49,7 +49,7 @@ __all__ = ["contextlib", "dnsexception", "dnsresolver", "dnsreversename",
"dnsname", "kernel_keyring", "krbinstance", "getargspec",
"adtrustinstance", "paths", "api", "dsinstance", "ipaldap", "Env",
"ipautil", "installutils", "IPA_PYTHON_VERSION", "NUM_VERSION",
"ReplicaConfig", "create_api"]
"ReplicaConfig", "create_api", "clean_up_hsm_nicknames"]
import sys
import logging
@@ -144,7 +144,7 @@ try:
from ipaserver.install.replication import (
ReplicationManager, replica_conn_check)
from ipaserver.install.server.replicainstall import (
make_pkcs12_info, install_replica_ds, install_krb, install_ca_cert,
make_pkcs12_info, install_replica_ds, install_krb,
install_http, install_dns_records, create_ipa_conf, check_dirsrv,
check_dns_resolution, configure_certmonger,
remove_replica_info_dir,
@@ -157,6 +157,16 @@ try:
# ensure_enrolled,
promotion_check_ipa_domain
)
try:
from ipaserver.install.server.replicainstall import \
install_ca_cert
except ImportError:
install_ca_cert = None
try:
from ipaserver.install.server.replicainstall import \
clean_up_hsm_nicknames
except ImportError:
clean_up_hsm_nicknames = None
import SSSDConfig
from subprocess import CalledProcessError

View File

@@ -209,6 +209,7 @@
server: "{{ result_ipareplica_test.server }}"
skip_conncheck: "{{ ipareplica_skip_conncheck }}"
sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
ipa_client_installed: "{{ result_ipareplica_test.client_enrolled }}"
register: result_ipareplica_prepare
- name: Install - Add to ipaservers
@@ -276,6 +277,7 @@
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
config_ips: "{{ result_ipareplica_prepare.config_ips }}"
register: result_ipareplica_install_ca_certs
when: result_ipareplica_test.install_ca_certs
- name: Install - Setup DS
ipareplica_setup_ds:
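Review bot: with `when: result_ipareplica_test.install_ca_certs`, `result_ipareplica_install_ca_certs` is a skipped-task result on FreeIPA versions without `install_ca_cert`, so every consumer has to read `config_master_host_name` and `config_ca_host_name` from `result_ipareplica_prepare` instead. The later hunks do that, but a single remaining reference would fail with an undefined attribute only on the newer code path, which is easy to miss if CI runs against the older one; grep for `result_ipareplica_install_ca_certs.` before merging.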
@@ -312,7 +314,7 @@
dirman_password: "{{ __derived_dirman_password }}"
config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
config_ips: "{{ result_ipareplica_prepare.config_ips }}"
register: result_ipareplica_setup_ds
@@ -339,7 +341,7 @@
### additional ###
server: "{{ result_ipareplica_test.server }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -362,7 +364,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_pkinit_pkcs12_info: "{{ result_ipareplica_prepare._pkinit_pkcs12_info if result_ipareplica_prepare._pkinit_pkcs12_info != None else omit }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -393,7 +395,7 @@
### additional ###
server: "{{ result_ipareplica_test.server }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -406,7 +408,7 @@
dirman_password: "{{ __derived_dirman_password }}"
setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
master:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
when: result_ipareplica_test.change_master_for_certmonger
- name: Install - DS enable SSL
@@ -420,7 +422,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -441,7 +443,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
@@ -473,7 +475,7 @@
### additional ###
server: "{{ result_ipareplica_test.server }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name: "{{ result_ipareplica_prepare.config_ca_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
installer_ccache: "{{ result_ipareplica_prepare.installer_ccache }}"
@@ -498,7 +500,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
@@ -549,9 +551,9 @@
dirman_password: "{{ __derived_dirman_password }}"
config_setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
config_ca_host_name:
"{{ result_ipareplica_install_ca_certs.config_ca_host_name }}"
"{{ result_ipareplica_prepare.config_ca_host_name }}"
config_ips: "{{ result_ipareplica_prepare.config_ips }}"
when: result_ipareplica_prepare._ca_enabled
@@ -565,7 +567,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -585,7 +587,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_enabled: "{{ result_ipareplica_prepare._ca_enabled }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
@@ -645,7 +647,7 @@
subject_base: "{{ result_ipareplica_prepare.subject_base }}"
### additional ###
config_master_host_name:
"{{ result_ipareplica_install_ca_certs.config_master_host_name }}"
"{{ result_ipareplica_prepare.config_master_host_name }}"
ccache: "{{ result_ipareplica_prepare.ccache }}"
_ca_file: "{{ result_ipareplica_prepare._ca_file }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"

View File

@@ -33,7 +33,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -55,6 +55,7 @@ options:
type: list
elements: str
required: no
default: []
domain:
description: Primary DNS domain of the IPA deployment
type: str
@@ -74,6 +75,7 @@ options:
type: list
elements: str
required: no
default: []
no_host_dns:
description: Do not use DNS for hostname lookup during installation
type: bool
@@ -114,6 +116,7 @@ options:
type: list
elements: str
required: no
default: []
subject_base:
description:
The certificate subject base (default O=<realm-name>).
@@ -134,6 +137,7 @@ options:
type: list
elements: str
required: no
default: []
no_reverse:
description: Do not create new reverse DNS zone
type: bool
@@ -149,6 +153,7 @@ options:
type: list
elements: str
required: no
default: []
no_forwarders:
description: Do not add any DNS forwarders, use root servers instead
type: bool
@@ -326,6 +331,12 @@ def main():
# ssl certificate
# options.dirsrv_cert_files = ansible_module.params.get(
# 'dirsrv_cert_files')
# hsm
if hasattr(ca, "hsm_version"):
options.token_name = None
options.token_library_path = None
options.token_password = None
options.token_password_file = None
# client
# options.no_ntp = ansible_module.params.get('no_ntp')
# certificate system
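Review bot: this `# hsm` block, guarded by `hasattr(ca, "hsm_version")`, is pasted verbatim into three modules in this change (here, the setup_ca module and the setup_kra module below). Move it into a helper in the shared module_utils so the list of `token_*` options stays in one place, and add a comment stating that setting them to None keeps installation on the non-HSM path on FreeIPA versions that expose `hsm_version`; without that the next reader cannot tell whether None is a deliberate choice or a placeholder.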

View File

@@ -96,6 +96,7 @@ options:
type: list
elements: str
required: no
default: []
subject_base:
description:
The certificate subject base (default O=<realm-name>).
@@ -113,6 +114,7 @@ options:
type: list
elements: str
required: no
default: []
domainlevel:
description: The domain level
type: int

View File

@@ -54,6 +54,7 @@ options:
type: list
elements: str
required: no
default: []
domain:
description: Primary DNS domain of the IPA deployment
type: str
@@ -182,6 +183,7 @@ options:
type: list
elements: str
required: no
default: []
no_reverse:
description: Do not create new reverse DNS zone
type: bool
@@ -305,6 +307,12 @@ def main():
options.dirsrv_cert_files = ansible_module.params.get('dirsrv_cert_files')
options._dirsrv_pkcs12_info = ansible_module.params.get(
'_dirsrv_pkcs12_info')
# hsm
if hasattr(ca, "hsm_version"):
options.token_name = None
options.token_library_path = None
options.token_password = None
options.token_password_file = None
# certificate system
options.external_ca = ansible_module.params.get('external_ca')
options.external_ca_type = ansible_module.params.get('external_ca_type')

View File

@@ -42,6 +42,7 @@ options:
type: list
elements: str
required: no
default: []
domain:
description: Primary DNS domain of the IPA deployment
type: str

View File

@@ -87,6 +87,7 @@ options:
type: list
elements: str
required: no
default: []
_dirsrv_pkcs12_info:
description: The installer _dirsrv_pkcs12_info setting
type: list
@@ -99,6 +100,7 @@ options:
type: list
elements: str
required: no
default: []
subject_base:
description:
The certificate subject base (default O=<realm-name>).

View File

@@ -66,17 +66,20 @@ options:
type: list
elements: str
required: no
default: []
reverse_zones:
description: The reverse DNS zones to use
type: list
elements: str
required: no
default: []
http_cert_files:
description:
File containing the Apache Server SSL certificate and private key
type: list
elements: str
required: no
default: []
setup_adtrust:
description: Configure AD trust capability
type: bool
@@ -124,6 +127,7 @@ options:
type: list
elements: str
required: no
default: []
subject_base:
description:
The certificate subject base (default O=<realm-name>).
@@ -166,6 +170,7 @@ options:
type: list
elements: str
required: no
default: []
no_reverse:
description: Do not create new reverse DNS zone
type: bool

View File

@@ -74,7 +74,7 @@ RETURN = '''
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ansible_ipa_server import (
check_imports, AnsibleModuleLog, setup_logging, options,
api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra
api_Backend_ldap2, redirect_stdout, api, custodiainstance, kra, ca
)
@@ -106,6 +106,12 @@ def main():
options.pki_config_override = ansible_module.params.get(
'pki_config_override')
options.promote = False # first master, no promotion
# hsm
if hasattr(ca, "hsm_version"):
options.token_name = None
options.token_library_path = None
options.token_password = None
options.token_password_file = None
# init ##########################################################

View File

@@ -66,11 +66,13 @@ options:
type: list
elements: str
required: no
default: []
reverse_zones:
description: The reverse DNS zones to use
type: list
elements: str
required: no
default: []
setup_adtrust:
description: Configure AD trust capability
type: bool
@@ -113,6 +115,7 @@ options:
type: list
elements: str
required: no
default: []
subject_base:
description:
The certificate subject base (default O=<realm-name>).

View File

@@ -73,6 +73,7 @@ options:
type: list
elements: str
required: no
default: []
no_host_dns:
description: Do not use DNS for hostname lookup during installation
type: bool
@@ -223,6 +224,7 @@ options:
type: list
elements: str
required: no
default: []
no_reverse:
description: Do not create new reverse DNS zone
type: bool
@@ -242,6 +244,7 @@ options:
type: list
elements: str
required: no
default: []
no_forwarders:
description: Do not add any DNS forwarders, use root servers instead
type: bool

View File

@@ -6,7 +6,7 @@ galaxy_info:
description: A role to setup an iPA domain server
company: Red Hat, Inc
license: GPLv3
min_ansible_version: "2.13"
min_ansible_version: "2.15"
platforms:
- name: Fedora
versions:

View File

@@ -32,7 +32,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -44,6 +44,7 @@ options:
type: list
elements: str
required: no
default: []
author:
- Thomas Woerner (@t-woerner)
'''

View File

@@ -6,7 +6,7 @@ galaxy_info:
description: A role to setup IPA server(s) for Smart Card authentication
company: Red Hat, Inc
license: GPLv3
min_ansible_version: "2.13"
min_ansible_version: "2.15"
platforms:
- name: Fedora
versions:

View File

@@ -34,7 +34,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)

View File

@@ -44,6 +44,7 @@ options:
type: list
elements: str
required: no
default: []
author:
- Thomas Woerner (@t-woerner)
'''

View File

@@ -6,7 +6,7 @@ galaxy_info:
description: A role to setup IPA server(s) for Smart Card authentication
company: Red Hat, Inc
license: GPLv3
min_ansible_version: "2.13"
min_ansible_version: "2.15"
platforms:
- name: Fedora
versions:

View File

@@ -247,6 +247,104 @@
register: result
failed_when: result.changed or result.failed
- name: Ensure permission perm-test-1 is present with subtree
ipapermission:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: perm-test-1
right: write
subtree: "cn=computers,cn=accounts,dc={{ ipaserver_domain | replace('.', ',dc=') }}"
attrs: locality
register: result
failed_when: not result.changed or result.failed
- name: Ensure permission perm-test-1 is present with subtree again
ipapermission:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: perm-test-1
right: write
subtree: "cn=computers,cn=accounts,dc={{ ipaserver_domain | replace('.', ',dc=') }}"
attrs: locality
register: result
failed_when: result.changed or result.failed
- name: Ensure permission perm-test-1 with target is present
ipapermission:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: perm-test-1
right: write
target: "cn=computers,cn=accounts,dc={{ ipaserver_domain | replace('.', ',dc=') }}"
attrs: locality
register: result
failed_when: not result.changed or result.failed
- name: Ensure permission perm-test-1 with target is present, again
ipapermission:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: perm-test-1
right: write
target: "cn=computers,cn=accounts,dc={{ ipaserver_domain | replace('.', ',dc=') }}"
attrs: locality
register: result
failed_when: result.changed or result.failed
- name: Ensure permission perm-test-1 with targetto is present
ipapermission:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: perm-test-1
right: write
targetto: "cn=computers,cn=accounts,dc={{ ipaserver_domain | replace('.', ',dc=') }}"
attrs: locality
register: result
failed_when: not result.changed or result.failed
- name: Ensure permission perm-test-1 with targetto is present, again
ipapermission:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: perm-test-1
right: write
targetto: "cn=computers,cn=accounts,dc={{ ipaserver_domain | replace('.', ',dc=') }}"
attrs: locality
register: result
failed_when: result.changed or result.failed
- name: Ensure permission perm-test-1 with targetfrom is present
ipapermission:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: perm-test-1
right: write
targetfrom: "cn=computers,cn=accounts,dc={{ ipaserver_domain | replace('.', ',dc=') }}"
attrs: locality
register: result
failed_when: not result.changed or result.failed
- name: Ensure permission perm-test-1 with targetfrom is present, again
ipapermission:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: perm-test-1
right: write
targetfrom: "cn=computers,cn=accounts,dc={{ ipaserver_domain | replace('.', ',dc=') }}"
attrs: locality
register: result
failed_when: result.changed or result.failed
- name: Ensure permission perm-test-1 with object_type and right is present
ipapermission:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: perm-test-1
object_type: host
right: all
register: result
failed_when: not result.changed or result.failed
- name: Ensure attributes carlicense and displayname are present in permission "System{{ ':' }} Update DNS Entries"
ipapermission:
ipaadmin_password: SomeADMINpassword
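Review bot: The task "Ensure permission perm-test-1 with object_type and right is present" near the end of this hunk has no idempotence follow-up, while every other task here is paired with an ", again" run asserting `failed_when: result.changed or result.failed`; add the matching second run so non-idempotent handling of `object_type`/`right` would be caught. The hunk also switches the same permission from `subtree` to `target`, `targetto` and `targetfrom` in turn without checking that the previously set attribute was removed; an explicit assertion that only the intended target attribute remains would make these steps meaningful.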

View File

@@ -13,6 +13,7 @@ python -m venv "$VENV"
source "$VENV"/bin/activate
python -m pip install --upgrade pip
pip install setuptools
pip install galaxy_importer
rm -f "$ANSIBLE_COLLECTION"-*.tar.gz
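Review bot: The added `pip install setuptools` (like the existing `pip install galaxy_importer`) installs an unpinned latest release from PyPI into the fresh venv, so the build environment is not reproducible and any newly published release is picked up automatically. Pin the versions, or install from a requirements file with `--require-hashes`, so the tooling used to build the collection tarball is fixed.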

View File

@@ -306,14 +306,14 @@ class AnsibleFreeIPATestCase(TestCase):
if res.rc != 0:
for output in expected_output:
assert self.__is_text_on_data(output, res.stderr), (
f"\n{'='*40}\nExpected: {output}\n{'='*40}\n"
+ f"Output:\n{res.stderr}{'='*40}\n"
f"\n{'=' * 40}\nExpected: {output}\n{'=' * 40}\n"
+ f"Output:\n{res.stderr}{'=' * 40}\n"
)
else:
for output in expected_output:
assert self.__is_text_on_data(output, res.stdout), (
f"\n{'='*40}\nExpected: {output}\n{'='*40}\n"
+ f"Output:\n{res.stdout}{'='*40}\n"
f"\n{'=' * 40}\nExpected: {output}\n{'=' * 40}\n"
+ f"Output:\n{res.stdout}{'=' * 40}\n"
)
kdestroy(self.master)
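Review bot: The failure-message template (`f"\n{'=' * 40}\nExpected: ...` joined with `+ f"Output:..."`) is now duplicated verbatim for the stderr and stdout branches and once more in the next hunk; a small helper that formats the expected/actual pair would keep the three copies in sync so the next style fix does not have to touch each of them.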
@@ -325,8 +325,8 @@ class AnsibleFreeIPATestCase(TestCase):
res = self.master.run(cmd)
for member in members:
assert not self.__is_text_on_data(member, res.stdout), (
f"\n{'='*40}\nExpected: {member}\n{'='*40}\n"
+ f"Output:\n{res.stdout}{'='*40}\n"
f"\n{'=' * 40}\nExpected: {member}\n{'=' * 40}\n"
+ f"Output:\n{res.stdout}{'=' * 40}\n"
)
kdestroy(self.master)
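Review bot: `kdestroy(self.master)` runs only after the assertion loop, so when an assertion fails the Kerberos credential cache in use is left behind on the master and the next test starts with stale tickets. Wrapping the assertions in `try: ... finally: kdestroy(self.master)`, here and in the previous hunk, cleans up regardless of the outcome.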

View File

@@ -90,7 +90,7 @@ Supported Distributions
Requirements
Controller
- Ansible version: 2.13+
- Ansible version: 2.15+
- /usr/bin/kinit is required on the controller if a one time password (OTP)
is used
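Review bot: Raising the documented controller requirement from 2.13+ to 2.15+ is a user-visible compatibility change and should be recorded in the changelog and reflected in the collection metadata (`requires_ansible` in meta/runtime.yml), not only in this README; otherwise users still on 2.13 or 2.14 get no clear signal until something fails.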

View File

@@ -128,7 +128,7 @@ find . -name "*~" -exec rm {} \;
find . -name "__py*__" -exec rm -rf {} \;
if [ "$offline" != "" ]; then
if [ "$offline" != "1" ]; then
echo "Creating CHANGELOG.rst..."
"$(dirname "$0")/changelog" --galaxy > CHANGELOG.rst
echo -e "\033[ACreating CHANGELOG.rst... \033[32;1mDONE\033[0m"
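Review bot: The new condition `[ "$offline" != "1" ]` recognises only the literal string `1` as the offline switch, whereas the old `!= ""` check accepted any non-empty value (and then ran the changelog step when offline was set, which is presumably what this fixes). Either document that `offline=1` is the accepted value or normalise the variable (for example accept `1|yes|true`) before the test, so an `offline=yes` does not silently run the online changelog step.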

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)
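Review bot: Because the minimum Ansible version is hand-edited in several role READMEs (this hunk, the one below and the top-level README above), a `grep -rn '2\.13+'` across the repository before merge would confirm that no file still advertises the old minimum; sourcing this line from one place would avoid future drift.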

View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)