The new container_save and container_load functions can be used to
save and load container images.
container_save
Save a container image to a local file.
Example: container_save "${name}"
container_load
Load a container image from an tar archive.
Example: local_image=$(container_load "${archive}")
The script utils/build-galaxy-release.sh has been renamed to
utils/build-collection.sh, the script provides the same options, but
requires an extra argument now:
build-collection.sh [options] rpm|aah|galaxy
The namespace and name are defined according to the argument:
rpm freeipa.ansible_freeipa - General use and RPMs
galaxy freeipa.ansible_freeipa - Ansible Galaxy
aah redhat.rhel_idm - Ansible AutomationHub
The generated file README-COLLECTION.md is set in galaxy.yml as the
documentation entry point for the collections generated with aah and galaxy
as Ansible AutomationHub and also Ansible Galaxy are not able to render the
documentation README files in the collection properly.
The commit also changes the calls of utils/build-galaxy-release.sh to
utils/build-collection.sh.
The firewalld zone verification tasks in ipaserver, ipareplica, and
ipabackup roles were triggering Ansible warnings due to variable
ipareplica_firewalld_zone not being defined when evaluating the task
name.
This fix remove the Jinja template from the task names and wrap the
tasks in a single block so the variable verification is done only once.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Adding an A/AAAA record to a host fails if there's not a reverse zone
set that the resulting PTR record can be added to, even if
create_reverse is false.
Changing the rule to create the reverse record fixes the issue.
Fixes: #1381
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
There is a new paskeyconfig management module placed in the plugins
folder:
plugins/modules/ipapasskeyconfig.py
The paskeyconfig module allows to retrieve and modify global passkey
configuration attributes.
Here is the documentation of the module:
README-passkeyconfig.md
New example playbooks have been added:
playbooks/passkeyconfig/passkeyconfig-retrieve.yml
playbooks/passkeyconfig/passkeyconfig-present.yml
New tests for the module can be found at:
tests/passkeyconfig/test_passkeyconfig.yml
tests/passkeyconfig/test_passkeyconfig_client_context.yml
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
When testing passkey attributes some version of IPA do not support it,
se we need a fact that states that the support is available for proper
testing.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
sysaccounts can now be used as a member for roles.
Example:
- name: Ensure role my-app role has sysaccount member my-app
iparole:
name: my-app role
sysaccount: my-app
action: member
New tests for the module:
tests/role/test_role_sysaccount_member.yml
The error message for an invalid profile has changes in dogtag. The new
message is "Certificate operation cannot be completed: Unable to get
enrollment template for <profile name>: Profile not found"
Therefore the test is additionally checking for "Profile not found" now.
There is a new sysaccount management module placed in the plugins folder:
plugins/modules/ipasysaccount.py
The sysaccount module allows to ensure presence or absence of system
accounts.
Here is the documentation for the module:
README-sysaccount.md
New sysaccount example playbooks:
playbooks/sysaccount/sysaccount-absent.yml
playbooks/sysaccount/sysaccount-disabled.yml
playbooks/sysaccount/sysaccount-enabled.yml
playbooks/sysaccount/sysaccount-present.yml
playbooks/sysaccount/sysaccount-privileged.yml
playbooks/sysaccount/sysaccount-unprivileged.yml
New tests for the module:
tests/sysaccount/test_sysaccount.yml
tests/sysaccount/test_sysaccount_client_context.yml
As the ansible_version variable may contain a version specification, we
need a version_name to correctly report the job label in Azure.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
By using the 'ansible-version' variable as '<2.17' allows 'pip' to
install the latest version of the 2.16 series, instead of version 2.16.0
in the case '==2.16'. This ensures we run the tests with the latest
supported version for the specific distro.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Modify nigtly pipelines to use the same distro-to-Ansible version map
so that the Ansible version matches the required version for the
specific distro. Nightly pipelines are the same used for Weekly tests.
This was required due to recent updates for Python 3.14 and Ansible
upstream versions.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
ansible-lint version series 24.y is not working with ansible-core 2.19 and
requires versions in series 25.y. Also, other tools were update to more
recent versions.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Although the available ansible-core package version for c9s is 2.14, the
upstream "pip" version of this package has a broken certificate and is
unusable against Galaxy.
This patch fixes the version to 2.16, as it is the same version for c8s
and c10s, and the oldest one available as packages for the CentOS
Streams.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
With Python 3.14, the required pytest version stopped working due to
breaking changes in AST.
This patch changes the test tool versions to the most recent one, by
requiring only the minimal version, but not setting a specific one.
Recent pytest version also requires that the search path for Python
modules is defined.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Pylint 4.0.1 seems to not understand that some of the constants used by
ansible-freeipa roles and modules are constants and not variables, and
complain about the naming style.
By adding these constant names to the "good-names" list avoid pylint
errors and don't require future unnecessary changes.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
A task in 'roles/ipaclient/tasks/install.yml' uses logic that
ansible-lint and jinja are unable to evaluate due to missing type. By
refactoring the task the tools are able to evaluate the task.
With the latest pylint version, an issue is raised by inheriting from
BaseInventoryPlugin, as the class has too many ancestors
(too-many-ancestors). This is caused by a class hierarchy that is too
deep, and is not under ansible-freeipa's control.
In recent Python setups, 'setuptools' may not be readily available, and,
as we depend on it, it should be a requirement.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Older versions of ansible-doc-test are failing due to code errors in the
parsing module. This is fixed by using newer versions.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
ansible-lint is complaining that Python 3.14 requries ansible-core 2.20,
even if other versions work on that Python version.
Woraround implemented is to pin the ansible-lint Python version to 3.13.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
After a PKI update the message returned for 'cert_show' in the case of
an inexistent certificate has changed, causing tests to fail.
The fix is only required for the tests, as the behavior has not changed.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The ansible-core version used in the CI pipelines has been updated
from 2.16 to 2.18 to keep the testing environment current.
Additionally, the pull request pipeline has been enhanced to test
against the specific ansible-core versions that are packaged with the
latest stable distributions. This will help ensure that the roles remain
compatible with the versions users are likely to have installed.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The hostname command is needed to be able to execute fixnet.service. It
has been missing from some docker files and therefore the script failed
in the -base images. The server images have not been affected as
ipa-client has a requirement for hostname.
Fedora 43 and 44 switched to systemd 258 rc4. The dbus-broker service
of systemd 258 does not start any more without enabling the capability
SYS_ADMIN.
The capabilities AUDIT_WRITE, SETUID and SETGID should be enough, but
they are not sufficient to be able to start the service.
With final systemd 258 it should be tested if the capability can be
removed again.
ansible-core 2.19 is not automatically converting empty and non empty lists
to bool values. Conditionals must have a boolean result.
The solution is to evaluate the length of the lists instead.
ansible-core 2.19 is not automatically converting empty and non empty lists
to bool values. Conditionals must have a boolean result.
The solution is to evaluate the length of the lists instead.
In ansible-core 2.19 there's no automatic coercion from None or empty
strings to the boolean value "false", so we need to compare the result
of the filter 'regex_search' to 'None' and the empty string to evaluate
if any match occurred.
In fixing this issue, it was found that the tests were incorrectly
evaluating the results, and the comparisons were fixed.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The new argument was introduced with the IPA change e6445b8 to disable
the previous Unbound configuration before setting up new configuration
for DNS over TLS.
Related: https://pagure.io/freeipa/issue/9814
This change adds support for DNS over TLS to the ipareplica role.
New variables
ipareplica_dot_forwarders
List of DNS over TLS forwarders. Required if ipareplica_dns_over_tls
is enabled. (list of strings)
required: false
ipareplica_dns_over_tls | ipaclient_dns_over_tls
Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later.
(bool, default: false)
required: false
ipareplica_dns_over_tls_cert
Certificate to use for DNS over TLS. If empty, a new certificate will
be requested from IPA CA. (string)
required: false
ipareplica_dns_over_tls_key
Key for certificate specified in ipareplica_dns_over_tls_cert. (string)
required: false
ipareplica_dns_policy
Encrypted DNS policy. Only usable if `ipareplica_dns_over_tls` is
enabled. (choice: relaxed, enforced, default: relaxed)
required: false
New distribution specific variable
ipareplica_packages_dot
List of IPA packages needed for DNS over TLS.
This change adds support for DNS over TLS to the ipaserver role.
New variables
ipaserver_dot_forwarders
List of DNS over TLS forwarders. Required if ipaserver_dns_over_tls
is enabled. (list of strings)
required: false
ipaserver_dns_over_tls | ipaclient_dns_over_tls
Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later.
(bool, default: false)
required: false
ipaserver_dns_over_tls_cert
Certificate to use for DNS over TLS. If empty, a new certificate will
be requested from IPA CA. (string)
required: false
ipaserver_dns_over_tls_key
Key for certificate specified in ipaserver_dns_over_tls_cert. (string)
required: false
ipaserver_dns_policy
Encrypted DNS policy. Only usable if `ipaserver_dns_over_tls` is
enabled. (choice: relaxed, enforced, default: relaxed)
required: false
New distribution specific variable
ipaserver_packages_dot
List of IPA packages needed for DNS over TLS.
This change adds support for DNS over TLS to the ipaclient role.
New variables
ipaclient_dns_over_tls
Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later.
(bool, default: false)
required: false
ipaclient_no_dnssec_validation
Disable DNSSEC validation for DNS over TLS. This turns off DNSSEC
validation for unbound. Only usable if `ipaserver_dns_over_tls` is
enabled. (bool, default: false)
reqiured: false
New distribution specific variable
ipaclient_packages_dot
List of IPA packages needed for DNS over TLS.
The resolver configuratoin for DNS over TLS is not part of this change
and will be added later on. Therefore it is needed to configure the
resolver for DNS over TLS before starting the deployment with ipaclient
role. This is essential for using an IPA DNS server with DoT and enforced
DNS policy so that only DoT is usable.
When running under Mitogen, ipa_server and ipa_replica breaks execution
by overwriting sys.stdout with sys.stdout.
With Mitogen, sys.stdout != sys.stdout at this point in the code, and
changing it in this manner results in access to closed file descriptors
for future invocations. Generally, it is recommended not to use
sys.stdout and instead explicitly cache the current value of sys.stdout.
As ansible-core 2.19 'upper' and 'lower' filters make lists into strings
and these strings are not interpreted as lists when running the plugins,
it is needed to use 'map(<filter>)' to apply the filter to all entries
of a list.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
In ansible-core, templates and expressions must use trusted sources,
such as playbooks or roles, and module results are considered untrusted
sources.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
In ansible-core 2.19, when clauses (when, failed_when, etc) do not
convert values to bool automatically, also, templating with "|bool" does
not work too, so an actual value comparison is required.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
When adding a new idrange of type 'ipa-local', the 'base_id',
'range_size', 'rid_base' and 'secondary_rid_base' are required so that
range entries are correctly set when SID are enabled.
Fixes: https://issues.redhat.com/browse/RHEL-79820
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The services are now active by default and do not need to be activated
after IPA has been deployed.
The fixnet service is always activated and removes all lines containing
the hostname from /etc/hosts and adds a new line with the IP and the
hostname with and without domain. If IPA is deployed with DNS (the
config file /etc/named.conf exists and there is a '^dyndb "ipa"' line
in /etc/named.conf) then /etc/resolv.conf is also changed to use the
local DNS server.
The fixipaip service is now also always activated, but only started IF
IPA has been deployed and the ipa service was started before.
infra/image/build.sh is not actvating the services anymore, the services
are now actiavted in alll dockerfiles.
The management of hosts is deactivated in container_create to not copy
all entries from the host system to the container. The host entry is now
created in container_start to fix IPA deployment using this container.
This change finally drops the misspelled ipassd_ compat vars from the
ipaclient role. The PR #147 from 2019 already renamed the ipassd_
variables to ipasssd_.
Related: #1346 - ipaclient role install sssd options broken
The tests hosts are generated with IP addresses in env_setup, but
removed without update_dns turned on. Therefore the IP addresses are not
removed from DNS.
This results in a failure if the host test test_host_ipaddresses is run
afterwards.
This change addresses https://github.com/freeipa/ansible-freeipa/issues/1356#issuecomment-2891804763 by explicitly setting `options.dns_over_tls = False` to ensure the attribute is always defined when running ipaclient ansible role.
On RHEL 9 systems (or any environment where `ipasssd_enable_dns_updates: true`), the `ipaclient` python module references `dns_over_tls` without first checking its existence, which results in the following `AttributeError: 'installer_obj' object has no attribute 'dns_over_tls'`:
TASK \[freeipa.ansible\_freeipa.ipaclient : Install - Configure SSSD] \*\*\*\*\*\*\*\*\*\*\*\*
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: AttributeError:
'installer\_obj' object has no attribute 'dns\_over\_tls'
fatal: \[vm-test-rhel9]: FAILED! => {"changed": false, "module\_stderr": "Traceback (most recent call last):\n File "
<stdin>", line 107, in <module>\n File "<stdin>", line 99, in \_ansiballz\_main\n File "<stdin>", line 47, in invoke\_module\n
File "/usr/lib64/python3.9/runpy.py", line 225, in run\_module\n return \_run\_module\_code(code, init\_globals,
run\_name, mod\_spec)\n File "/usr/lib64/python3.9/runpy.py", line 97, in \_run\_module\_code\n \_run\_code(code,
mod\_globals, init\_globals,\n File "/usr/lib64/python3.9/runpy.py", line 87, in \_run\_code\n exec(code, run\_globals)\n
File "/tmp/ansible\_freeipa.ansible\_freeipa.ipaclient\_setup\_sssd\_payload\_zkyct7sn/ansible\_freeipa.ansible\_freeipa.ipacli. ent\_setup\_sssd\_payload.zip/ansible\_collections/freeipa/ansible\_freeipa/plugins/modules/ipaclient\_setup\_sssd.py",
line 190, in <module>\n File "/tmp/ansible\_freeipa.ansible\_freeipa.ipaclient\_setup\_sssd\_payload\_zkyct7sn/ansible\_freeipa.ansible\_freeipa.ipacli. ent\_setup\_sssd\_payload.zip/ansible\_collections/freeipa/ansible\_freeipa/plugins/modules/ipaclient\_setup\_sssd.py",
line 181, in main\n File "/usr/lib/python3.9/site-packages/ipaclient/install/client.py", line 1005, in configure\_sssd\_conf\n
if options.dns\_over\_tls:\nAttributeError: 'installer\_obj' object has no attribute 'dns\_over\_tls'\n", "module\_stdout": "",
"msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}
To prevent this, the attribute `options.dns_over_tls` is now initialised to false in `roles/ipaclient/library/ipaclient_setup_sssd.py`.This fix is inspired by a similar pattern in [[PR #1340](https://github.com/freeipa/ansible-freeipa/pull/1340/files)](https://github.com/freeipa/ansible-freeipa/pull/1340/files).
This failure has been observed in versions `1.14.6` and `1.14.5` of the [ansible_freeipa collection](https://galaxy.ansible.com/ui/repo/published/freeipa/ansible_freeipa/) from Ansible Galaxy.
Signed-off-by: Jose Angel Morena <jmorenas@redhat.com>
readarray expects to get an item per line to be added to the array.
Printing one item per line with printf fixes this to get the proper
formatting for "${CAP_DEFAULTS[@]}" as a valid input for readarray.
Debugging is now enabled by default in the containers that are
generated with container_create. "+SYS_PTRACE" has been added to
CAP_DEFAULTS in shdefaults for this.
SSSD 2.10+ runs under non-privileged user 'sssd' and relies on system
capabilities to get access to certain resources like /etc/krb5.keytab.
Not having these capabilities result in SSSD not starting.
Podman has reduced the capabilities granted to containers, and to be
able to start SSSD it is needed to add DAC_READ_SEARCH back.
This patch adds file infra/images/shdefaults to store the defaults used
by ansible-freeipa shell utilities in a contral location.
See: https://github.com/containers/podman/discussions/24904#discussioncomment-11718823
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This change adds support for volumes to container_create. Now it can be
used like in this example:
container_create "${name}" "${local_image}" "hostname=${hostname}" \
"${capabilities:+capabilities=$capabilities}" \
volume=$PWD:/root/src
The new function container_tee has been added to enable creation of
fiiles with content from stdin like in this example:
cat <<EOF | container_tee "${name}" "/root/.gdbinit"
set debuginfod enabled on
set follow-fork-mode child
EOF
Python's module "pkg_resources" API has been deprecated in Python 3.12
and will be removed in a future release, and recent FreeIPA versions
provide a replacement for pkg_resources.parse_version.
To remove ansible-freeipa dependency on pkg_resources and not add a
dependency on the 'packaging' module, which is not available in the
standard Python distribution, we'll try to import the funcion used in
FreeIPA to parse versions, and fallback to pkg_resources when it fails.
As an equivalent class is needed, a fallback function is not provided
and execution will fail if neither the FreeIPA nor the pkg_resources
parse_version function are available.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The shadow file in a Fedora or CentOS Stream container is not readable
any more using Ubuntu 24.04.
An extra call to ensure that the shadow file is readable again has been
added to container_start.
This patch fixes an issue reported by flake8 7.2.0 and enables a pylint
test that was disable, both related to the use of 'global'.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Upstream flake8 lint test is executed with the latest available version
in pip, but the requirements-dev.txt had a pinned version, making flake8
error to be found too late.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
FreeIPA fix for https://pagure.io/freeipa/issue/9652 now produces five
elements tuple when iterating over CA certificate list, the last element
being the serial number. We do not need it, so extract only the first
four elements (certificate, nickname, trusted, EKU).
The regression was introduced by FreeIPA commit
f91b677ada376034b25d50e78475237c5976770e.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
This is a hotfix to allow deployments of clients, replicas and servers
with the dns_over_tls PR for freeipa: https://github.com/freeipa/freeipa/pull/7343/
ipaclient: client.update_ssh_keys has changed parameters,
options.dns_over_tls needs to be set for ipaclient_setup_nss.
ipareplica, ipaserver: Set new parameters globally in module_utils so
far: options.dns_over_tls, options.dns_over_tls_key, options.dns_over_tls_cert,
options.dot_forwarders and options.dns_policy.
The enablement for DNS over TLS for the deployment roles will be done later on.
The test has been changed with the management fix for AD objects. The
conditional was lacking brackets and therefore did not properly work.
The brackets have been added.
Related: https://issues.redhat.com/browse/RHEL-70023
This patch removes 'vars' files from roles for unsupported distributions
and change minimum supported Fedora to version 40+.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
Current version of ansible-list pre-commit hook required changes in the
ansible-freeipa yamllint configuration and these changes triggered
issues in the current playbooks on roles and tests.
This patch adds the required changes to yaml lint configuration and
fixes the affected playbooks.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
When using AD objects, a user expects to use the more human readable
form, like "user@ad.domain", but this impose some dificulties on
evaluating which object is being referenced as AD has several forms to
refer to the same object.
Each object is AD is identified uniquely by its SID, and this is the
identifier that IPA stores in its database. When managing AD objects,
IPA finds its SID and works with that value.
ansible-freeipa tried to process these objects using the human readable
values, and it cause idempontence error when ensuring the values were
present or modified, and, at least in some cases, prevented the objects
to be made absent, as the object list created didn't match the SID to
the value used as module parameter.
By using SID to process the AD objects in ipagroup, the addition or
removal of members works and idempotence of these members is ensured.
The only issue with thils approach is that it only works no server
nodes. In client nodes, the conversion to SID is not available and the
same issues that existed before will still be present.
Tests were updated to reflect these changes, a new test, specific to
idempotence issues of AD objects was added:
tests/group/test_group_ad_users.yml
Resolves: https://issues.redhat.com/browse/RHEL-70023
When running test_idoverrideuser_client_context.yml on a client host, it
tried to run a task that does not have the required fields and fails
the test.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This patch improves tests/env_freeipa_facts.yml by ensuring
ipaserver_realm is set, making AD server availability discoverable, and
allowing playbooks to run with 'gather_facts: false' by gathering
minimal facts.
When managing AD objects the SID of the objects are stored in FreeIPA
database, but a user would still use the human readable values, like
"AD\\user" or "user@ad.domain". This can cause idempotence issues in
many cases, and prevent some actions to be performed, like ensure
absence of the object.
The methods added allow the conversion of one or multiple objects, and
will be used by any module that manages AD objects.
Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
The IP addresses set with ipareplica_ip_addresses have not been passed
to ipaclient role for client deployment part. This resulted in not
setting the IP addresses.
The description for ipareplica_ip_addresses in the ipareplica README and
also the role modules was wrong and have been fixed to "List of IPA
replica IP addresses".
Related: https://pagure.io/freeipa/issue/7405
Resolves: https://github.com/freeipa/ansible-freeipa/issues/1244
When handling users and hosts is ipasudorule we were missing nome entry
attributes returned from FreeIPA, which would cause the add/del lists to
be incorrectly generated.
By adding the proper lists, both attributes are handled correctly.
A new test to verify the fix is added:
tests/sudorule/test_sudorule_user_host_external.yml
Fixes https://issues.redhat.com/browse/RHEL-68439
ansible-test sanity test "metaclass-boilerplate" fails now to recognize
the line "__metaclass__ = type" if there is a pylint disable comment
appended to the same line to not fail on using bad class naming.
The pylint disable comment has been moved to an extra preceding line and
an additional enable commend has been added after the metaclass line.
This change reduces the size of the Ansible collection and removes unused
files.
While creating the collection, the role plugins have been linked into the
global plugin folders, but a subsequent sed call replaced the links with
changed files. The original files have also been changed with another sed
call in the same way. This resulted in the duplication of the changed
files.
The plugins of the roles are now moved into the global plugin folders and
only changed there. The now empty plugin folders in the roles are
removed.
When creating the lists of external members, the attribute
'ipaexternalmember' also needs to be added to the list of external
members that are part of the group object for external groups.
A test to verify the correct behavior was added and the test suite for
group external members have been cleaned up with 'yes' values changed to
'true' and the use of module_defaults.
When a revoked certificate with reason 6 (certificateHold) is revoked
with reason 8 (removeFromCRL), the effect is that the certificate is
valid again, as it is the same procedure as 'state: release'.
This is, at least, the behavior with IPA CLI comands, which is
implemented by this patch.
A new test is added to verify this behavior:
tests/cert/test_cert_remove_hold_with_removeFromCRL.yml
Modify the plugin templates so that the code generated does not hide
errors when querying IPA wih *_show command by handlig only the exeption
where an object is not found.
When searching for objects with *_show IPA API command, most plugins
were hiding errors other than "ipalib_errors.NotFound" by handling the
broad exception Exception instead.
This patch uses "ipalib_errors.NotFound" whenever "*_show" is used so
that the only exception handled is when an object is not found. Other
errors will not be handled making the module break as expected.
This adds the capabilities SYS_ADMIN and SYSLOG to the container_create
call in build.sh as long as server deployment has been enabled.
The privileged option has been removed as it is no longer needed.
The hostnamectl-wrapper for the container has been removed as it is no
longer needed.
The client part deployment fails in the configuration of NIS. The command
/usr/bin/nisdomainname is failing in a container in this task as the
container is not privileged.
The hostnamectl-wrapper is copied from the freeipa-container container
project to replace /usr/bin/nisdomainname in the container.
container_copy can be used to copy a file to the container,
container_fetch can be used to copy a file from the container.
For more information, please have a look at the podman-cp man page.
Unless there's a real need to use privileged access or to gather Ansible
facts upfront, we should always set "become: false" and
"gather_facts: false". In the case that only a few Ansible facts are
required, 'ansible.builtin.setup' with 'gather_subset' should be used.
As the YAML 1.2 standard dictates, boolean values should only use 'true'
or 'false' values.
This patch fixes these issues in the 'sudorule' test suite.
Currently, ipasudorule must add or modify a single sudorule at a time,
incurring in more load in the server if there are many rules to be
processed.
This patch adds suport for adding multiple sudorules in one playbook
task by using the parameter 'sudorules' and defining a list of sudorules
configurations to be ensured.
As multiple sudorules will be processed, the patch also enables batch
mode processing of sudorules, trying to reduce the load on the server.
Test 'tests/sudorule/test_sudorule_client_context.yml' was modified to
include tasks with 'sudorules' to be executed both on the server or on
the client context.
New tests were added to the sudorule test suite:
tests/sudorule/test_sudorules.yml
tests/sudorule/test_sudorules_member_case_insensitive.yml
This patch adds the class EntryFactory to the ansible-freeipa module
utils. This class allows the handling of modules with multiple object
entries as list of objects. When the multi-object parameter is not used,
it creates a list of a single object, allowing for the same code idiom
to be used.
The entries created can be used both as objects, by acessing the values
as properties, or as dictionaires, by accessing the elements as
key-value pairs.
This patch modify the pipelines to create stages using the 'each'
expression on Azure pipelines, so that the configuration and the list of
distributions can be set using variables.
Testing CentOS 8 Stream and Galaxy collections still need to be handled
in a separate group, although, the pipeline configuration becomes easily
changed, specially when updating Ansible versions.
Pydocstyle has been deprecated is no longer in development. It is also
not a requirement for Ansible tests.
This patch removes pydocstyle from current checks performed.
All scripts related to the Azure CI now reside on inrfa/azure, but the
scripts that evaluate the changes made against ansible-freeipa's main
development branch.
This patch move these scripts to the proper locations.
ansible-core versions 2.15 and 2.16 and used for all pipelines, but
version 2.17 is not used for CentOS 8 Stream, as platform python on
this version is 3.6 which is not supported in this ansible-core version.
Several optimizations have been done to the pipelines, to make them
closer to what can be reproduced, with the existing scripts, in a
development environment:
- Use start.sh and build.sh scripts to build and start containers
- Use variables to configure different stages instead of using separate
files
- Use a commom 'prepare_environment' to create the environment for every
pipeline
- Use a single file defining testing steps (run_tests.yml)
- Remove Centos 7 pipelines
- Reduce the number of pipelines in the test matrix due to the amount of
time that tests were using
- Use Azure "loop" (each) to create test groups
The above changes make the pipelines easier to understand and modify.
For some time now, we had some issues with molecule when building test
images for ansible-freeipa, and replaced the image creation with custom
build scripts that use commom container tools (like Dockerfiles and the
build command).
As there's no more tasks that require the use of molecule, this patch
removes the last bits used by it, and fixes documentation and lint
scripts and configuration.
When using containers to test ansible-freeipa there's a need to deal
with 'podman' the development environment and the Azure environment. In
the Azure environment, with Ubuntu hosts, using 'cap-add' does not allow
FreeIPA to be installed on the containers, and they need to be executed
with privileged mode. On the other hand, on development environments,
such as recent Fedora hosts, there's no need to run the container with
extra privileges.
This patch modifies the utility function 'container_create' to allow the
usage of key-value argumes such as "cpus=4" and "privileged", that will
be used in the container creation.
The currently available options are "privileged", "cpus", "memory" and
"hostname". By default "cpus=2" and "hostname=ipaserver.test.local".
Also, too make the image build script more self-contained, if the
required Ansible collections are not installed, they will be temporarily
installed so that the image can be built.
To force setting the IPA_ENABLE_* variables to run all tests, source the
script using '-I' or set the environment variable SKIP_GIT_TESTS to
'True'.
This will allow the correct selection of Azure pipelines tests to be
based on a single environment variable, what will reduce the number of
test running templates to a singe file.
It seems that in recent versions, a minimum of 2048 bits for RSA keys
are required to request a certificate. This seems to be enforced by
crypto policies.
By adjusting the key size all ipacert tests pass.
So far a datetime object was created for the expiration dates
krbpasswordexpiration and krbprincipalexpiration. This resulted in also
sending these objects to the API. With this change, the dates are
converted into strings using the LDAP_GENERALIZED_TIME_FORMAT defined in
ipalib.constants. This way only strings are used with the IPA API.
A new function has been added to ansible_freeipa_module:
- date_string: Convert datetime to gernalized time format string
This fuction is used on the result of user_show to convert the
expiration dates to the gernalized time format string.
The existing function date_format in ansible_freeipa_module has been
renamed to convert_date and fixed in the way that it also uses
date_string to return a gernalized time format string and not a
datetime object. This function was only used in the ipauser module so
far.
The new generate_test_data.yml is creating the test data with
ansible.builtin.shell and is not calling shell scripts any more. The
generation in the yml file and also the set_fact calls make sure that
the test data is used.
The help has been fixed for the -s option and the comments about how to
start the container later on has been removed as there will be a script
that is handling this..
This reduces the number of started services in the container. The
fixipaip.service needed to be adapted to ensure that the service is
started properly.
The dockerfiles have been adapted for this change also.
This change also removed ansible_python_interpreter setting in the
inventory as the interpreter should be discovered by ansible for the
distributions.
The dockerfiles have been adapted to not force the installation of
python3 for CentOS-Stream 8, 9 and 10.
The script will try to get the latest image from quay to start it. With
the -l option it will try to use a local image first. This is for example
useful to test changes in the images build script locally.
This also adds infra/image/shcontainer. Some of the content is copied
from utils/shcontainer.
The DNS forwarder is set while deploying the IPA server. This forwarder
might not be correct later on.
The old /etc/resolv.conf is copied to /etc/resolv.conf.fixnet by the
fixnet service and later on the fixipaip service is trying to get the
nameserver from the copied file. If the retrieval failed of if the
namesever is 127.0.0.1, then the nameserver will be set to 8.8.8.8.
After fixing the IP addresses for the forward and reverse zone, also the
forwarder is set for the dnsserver "${HOSTNAME}".
Checks for IPv4 addresses have been added and reverse zone handling
for fixipaip.sh
The services are logging StandardOutput and StandardError to journal
now.
This patch removes 'molecule' as a dependency for tests, by using the
scripts under `utils` to setup the environment.
By not using molecule, we have more flexibility on using either docker
or podman as the container engine, and makes it easy to reproduce the
environment on different distros, allowing for a more consistent error
reproduction off Azure.
On some systems it is required or desired to run Ansible with a specific
Python interpreter. This patch allows the selection of the Python binary
to use for the pytest playbook tests by setting the environment variable
IPA_PYTHON_PATH. Set it the the full path of the Python interpreter.
To modify Azure tests and depend on shell scripts and pytest instead
of molecule, the run-tests.sh script has been rewritten to depend on
bash functions and on a bash script that prepare and start a testing
container.
This patch adds a new script, 'utils/setup_test_container.sh' that
can be used to start a new container, using either podman or docker,
based on the available ansible-freeipa images. The new container can
then be used to run ansible-freeipa tests against it.
Also the following files with bash functions were added, and are
used by both scripts:
utils/shansible: Functions to run playbooks in the container
utils/shcontainer: Functions to setup/run a container
utils/shfun: Generic shell helper functions (e.g.: log)
If the deployment was enabled and failed, the script still continued
without failing. If podman was missing it failed without a proper error.
The script now fails and does not enable the services and also does not
commit after the failed deployment. Also is fails if podman is missing.
As the scripts 'utils/run-tests.sh' and 'utils/setup_test_container.sh'
use some scripts as function libraries, this change forces shellcheck to
also verify those scripts.
As we do not use molecule features, using a Dockerfile and the
ansible-freeipa deployment roles is enough to create the container
testing images.
This patch removes the usage of molecule in favor of the custom
ansible-freeipa image building script, which allow us to have a similar
process for creating images both on the ustream CI, or on a developer's
environment.
Also, CentOS 7 is removed from the build script, as it in not possible
to run CentOS 7 containers with current versions of systemd.
This patch modifies the image building script by adding:
- An usage message.
- An option "-I" to NOT install IPA to the generated container.
- An opiton "-c NAME" to both set the name and use an existing container
to ONLY install IPA.
- Rename "scenario" to "DISTRO" as "scenario" should be used for the
container scenario usage, rather than the distro (I'll change the name
also in the Azure scripts)
- Use 'log' (from shlog) to print messages.
Add two shell libaries with utilities to write shell scripts.
The 'utils/shlog' file provides macro names for ANSI escape sequences to
control color output on terminals, a 'log' functions with pre-defined
behavior for ERROR, WARN, DEBUG, INFO and SUCCESS level messages, and
the 'quiet' function which executes a command and hides its output.
The 'utils/shfun' file provides an interruptinon handler for SIGINT, and
the following functions:
- run_if_exists: run a command if it is available
- cleanup: cleanup environment, possibly stopping a container and a
Python virtual environment.
- start_virtual_environmnt: initiates a Python virtual environment
- in_python_virtualenv: test if the script is running inside a Python
virtual environment
- die: abort the script with an error message end exit code 1
New files:
- utils/shlog
- utils/shfun
The new image builder is not using molecule and uses podman directly for
the generation of the ansible-test images.
Two additional services are installed to simplify the use of the
container in the test:
- fixnet.service uses /root/fixnet.sh to fix IP address of the server in
/etc/hosts and to set localhost as the nameserver.
This service is executed before IPA is started. This eliminates the
need to restart the IPA server after the container has been started
and the IPs have been fixed.
- fixipaip.service uses /root/fixipaip.sh to fix the IP address of the
IPA dnsrecords of server and ipa-ca.
With these services it is now only needed to wait till all services in
the container are started. There is no need to restart the IPA server
anymore. Simply use something like this before starting the tests:
while [ -n "$(podman exec ansible-test systemctl list-jobs | grep -vi 'no jobs running')" ]; do echo "waiting.."; sleep 5; done
New files
- infra/image/build.sh
- infra/image/dockerfile/c8s
- infra/image/dockerfile/c9s
- infra/image/dockerfile/c10s
- infra/image/dockerfile/fedora-latest
- infra/image/dockerfile/fedora-rawhide
- infra/image/inventory
- infra/image/system-service/fixipaip.service
- infra/image/system-service/fixipaip.sh
- infra/image/system-service/fixnet.service
- infra/image/system-service/fixnet.sh
The tests test_users_present.yml and test_users_absent.yml has been
merged into test_users_present_absent.yml to fix the independent test
order execution.
The test test_users_present_slice.yml has been renamed to
test_users_present_absent_slice.yml.
Both tests are cleaning up possible exiting entries before running the tests
and are verifying the present and absent task result.
Truncate stdout and stderr in the way that it hopefully shows all
important information. At least 15 lines of stdout (Ansible tasks) and
remaining from stderr to fill up to maxlen size.
The test log mostly only showed lines from stderr as the log was a
concatenation of stdout and stderr and only the last 2500 chars of this
have been used. This was hiding the test result from stdout and failures
have not beeen visible.
The no_log tag is only allowed in the argument_spec, but not in the
DOCUMENTATION section. Set no_log=False for token_uri and
keys_uri=keys_uri in the argument_spec to enforce logging.
Several fixes for the DOCUMENTATION section: The short_description tag
was 'short description', the chain option was missing and the unknown
authers tag has been removed.
setuptools might not be installed before importing and using
galaxy_importer. This could result in a backtrace by disabling
ANSIBLE_TEST_LOCAL_IMAGE in galaxy-importer.cfg to run latest tests.
The service READNE so far lacks the documentation of multi service
handling within a single task.
The alias for the continue parameter was also added.
Fixes: #1113
The bindings for requests and urllib3 might not be available, especially
in the ansible-test fake execution test (next version). These imports are
now in a try exception clause to make sure that the fake execution test
will be passing and also that there is a better error message if the
bindings are missing.
urllib3.exceptions.InsecureRequestWarning is now also only disabled if
no certificate has been given for the verification of the connection.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
This patch updates the minimum supported Ansible version and the list
of available modules.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
ansible-freeipa roles do not work with Ansible 2.8 anymore, so the
minimum supported version is changed to 2.15, the oldest supported
Ansible version as of today.
This patch includes the change to the version number in the collection
and all plugin README files. The collection README was also update to
remove text that related only to previous Ansible versions.
The parameters
- subtree (ipapermlocation)
- target (ipapermtarget)
- targetto (ipapermtargetto)
- targetfrom (ipapermtargetfrom)
have not been idempotent as the result returned from permission_show was
a DN and not a string.
The find_permission function has been exetended to convert the values
for these parameters to strings.
Fixes: #1257
The error string returned by execute_ipa_commands in batch mode
additionally contains the whole parameter list for the command. This is
different to non batch mode execution and breaks tests that are checking
the returned error message.
A left over debug message also have been removed from the error
processing.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
Certificates given by ansible could have leading and trailing white
space, but also multi line input is possible that also could have
leading and training white space and newlines.
New function:
- convert_input_certificates(module, certs, state)
FreeIPA commit ea0bf4020ce0b1e32572e128e9323c5af60ec93d
After an HSM replica install ensure all certs are visible
If a certificate on a token does not have NSS trust set then
it won't be visible in the softoken. This can be disconcerting
for those used to seeing all the certificates.
Loop through the possibilities and set no trust (or Peer) for
all the certificates on the token.
Also ensure that the CA certificate has the correct nickname.
Related: https://pagure.io/freeipa/issue/9273
replicainstall.install_ca_cert has been removed, paths.IPA_CERTUPDATE is
called instead if the client was configured before deploying with
iparepica role.
FreeIPA commit 8f25b2a74a587548976f3d29f0b69d566d70125d
Refactor CA file handling in replica installer
Clean up and remove obsolete code from ipa-replica-install. For several
versions replica installer first ensures that a host is an IPA client,
then promotes the client to a replica. The client installer code sets up
CA stores like IPA_CA_CRT already.
The config attributes config_master_host_name and also config_ca_host_name
are not changed within ipareplica_install_ca_certs, therefore it is not
needed to return them and also to use the returned values for following
tasks.
The HSM parameters
token_name
token_library_path
token_password
token_password_file
are set to None to enable deployment with IPA 4.12 as a workaround till
HSM can be fully supported by the ipaserver role.
`selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no
`selinuxusermapdefault`\| `ipaselinuxusermapdefault` | Set default SELinux user when no match is found in SELinux map rule | no
`pac_type` \| `ipakrbauthzdata` | set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp`, `disabled`, `""`). An additional check ensures that only types can be used that are supported by the IPA version. Use `""` to clear this variable. | no
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp`,`passkey`,`disabled`, `""`). An additional check ensures that only types can be used that are supported by the IPA version. Use `""` to clear this variable. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
@@ -8,8 +8,12 @@ The group module allows to ensure presence and absence of groups and members of
The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
## Note
Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
Notes
-----
* Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
* Using `externalmember` or `idoverrideuser` is only supported with `ipaapi_context: server`. With 'client' context, module execution will fail.
Features
@@ -29,7 +33,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
@@ -213,7 +217,7 @@ Example playbook to add members from a trusted realm to an external group:
---
- name:Playbook to handle groups.
hosts:ipaserver
tasks:
- name:Create an external group and add members from a trust to it.
ipagroup:
@@ -276,6 +280,7 @@ Example playbook to ensure groups are absent:
`service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
`membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no
`externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. Requires "server" context. | no
`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up. Requires "server" context. | no
`rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
`action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | yes
`mac_address` \| `macaddress` | List of hardware MAC addresses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
`userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. An additional check ensures that only types can be used that are supported by the IPA version. Choices: ["radius", "otp", "pkinit", "hardened", "idp", ""] | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. An additional check ensures that only types can be used that are supported by the IPA version. Choices: ["radius", "otp", "pkinit", "hardened", "idp", "passkey", ""] | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
The passkeyconfig module allows to manage FreeIPA passkey configuration settings.
Features
--------
* Passkeyconfig management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipapasskeyconfig module.
Requirements
------------
**Controller**
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
By default, user verification for passkey authentication is turned on (`true`). Example playbook to ensure that the requirement for user verification for passkey authentication is turned off:
```yaml
---
- name:Playbook to manage IPA passkeyconfig.
hosts:ipaserver
become:false
tasks:
- name:Ensure require_user_verification is false
ipapasskeyconfig:
ipaadmin_password:SomeADMINpassword
require_user_verification:false
```
Example playbook to get current passkeyconfig:
```yaml
---
- name:Playbook to get IPA passkeyconfig.
hosts:ipaserver
become:false
tasks:
- name:Retrieve current passkey configuration
ipapasskeyconfig:
ipaadmin_password:SomeADMINpassword
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`require_user_verification` \| `iparequireuserverification` | Require user verification for passkey authentication. (bool) | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `service` | The list of service name strings. | yes
`name` \| `service` | The list of service name strings. `name` with *service variables* or `services` containing *service variables* need to be used. | no
`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
**Service Variables:**
Variable | Description | Required
-------- | ----------- | --------
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp` or `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp`, `passkey` or `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of sudorule name strings. | yes
`name` \| `cn` | The list of sudorule name strings. | no
`sudorules` | The list of sudorule dicts. Each `sudorule` dict entry can contain sudorule variables.<br>There is one required option in the `sudorule` dict:| no
| `name` - The sudorule name string of the entry. | yes
`description` | The sudorule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
The sysaccount module allows to ensure presence and absence of system accounts.
Features
--------
* Sysaccount management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipasysaccount module.
Requirements
------------
**Controller**
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure sysaccount "my-app" is present with random password:
```yaml
---
- name:Playbook to manage IPA sysaccount.
hosts:ipaserver
become:false
tasks:
- name:Ensure sysaccount "my-app" is present with random password
ipasysaccount:
ipaadmin_password:SomeADMINpassword
name:my-app
random:true
register:result
- name:Print generated random password
debug:
var:result.sysaccount.randompassword
```
Example playbook to make sure sysaccount "my-app" is present with given password:
```yaml
---
- name:Playbook to manage IPA sysaccount.
hosts:ipaserver
become:false
tasks:
- name:Ensure sysaccount "my-app" is present with given password
ipasysaccount:
ipaadmin_password:SomeADMINpassword
name:my-app
password:SomeAPPpassword
```
Example playbook to make sure sysaccount "my-app" is absent:
```yaml
---
- name:Playbook to manage IPA sysaccount.
hosts:ipaserver
become:false
tasks:
- name:Ensure sysaccount "my-app" is absent
ipasysaccount:
ipaadmin_password:SomeADMINpassword
name:my-app
state:absent
```
Example playbook to ensure existing sysaccount my-app is privileged
```yaml
---
- name:Playbook to manage IPA sysaccount.
hosts:ipaserver
become:false
tasks:
- name:Ensure existing sysaccount my-app is privileged
ipasysaccount:
ipaadmin_password:SomeADMINpassword
name:my-app
privileged:true
```
Example playbook to ensure existing sysaccount my-app is not privileged
```yaml
---
- name:Playbook to manage IPA sysaccount.
hosts:ipaserver
become:false
tasks:
- name:Ensure existing sysaccount my-app is not privileged
ipasysaccount:
ipaadmin_password:SomeADMINpassword
name:my-app
privileged:false
```
Example playbook to ensure existing sysaccount my-app is disabled
```yaml
---
- name:Playbook to manage IPA sysaccount.
hosts:ipaserver
become:false
tasks:
- name:Ensure existing sysaccount my-app is disabled
ipasysaccount:
ipaadmin_password:SomeADMINpassword
name:my-app
state:disabled
```
Example playbook to ensure existing sysaccount my-app is enabled
```yaml
---
- name:Playbook to manage IPA sysaccount.
hosts:ipaserver
become:false
tasks:
- name:Ensure existing sysaccount my-app is enabled
ipasysaccount:
ipaadmin_password:SomeADMINpassword
name:my-app
state:enabled
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`name` \| `login` | The list of sysaccount name strings - internally uid. (list of strings) | yes
`description` | A description for the sysaccount. (string) | no
`privileged` | Allow password updates without reset. This flag is not replicated. It is needed to set privileged on all servers, where it is needed. (bool) | no
`random` | Generate a random user password. (bool) | no
`password` \| `userpassword` | Set the password. (string) | no
`update_password` | Set password for a sysaccount in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, 'enabled', 'disabled', default: `present`. | no
Return Values
=============
There are only return values if a random passwords has been generated.
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`userauthtype` \| `ipauserauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp` and `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset userauthtype to the initial value. | no
`userauthtype` \| `ipauserauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp`, `passkey` and `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset userauthtype to the initial value. | no
`userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
* Debian 10+ (ipaclient only, no server or replica!)
@@ -74,7 +76,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.13+
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
@@ -125,7 +127,7 @@ ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
**RPM package**
There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
There are RPM packages available for Fedora. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
