Merge pull request #1371 from t-woerner/dns_over_tls

ipaserver, ipareplica and ipaclient roles: Add DNS over TLS support

.pre-commit-config.yaml

@@ -26,7 +26,7 @@ repos:
   - id: yamllint
     files: \.(yaml|yml)$
 - repo: https://github.com/pycqa/flake8
-  rev: 7.0.0
+  rev: 7.2.0
   hooks:
   - id: flake8
 - repo: https://github.com/pycqa/pylint

.yamllint

@@ -20,4 +20,9 @@ rules:
     max: 160
   # Disabled rules
   indentation: disable
-  comments: disable
+  comments:
+    min-spaces-from-content: 1
+  comments-indentation: disable
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true

README-group.md

@@ -8,8 +8,12 @@ The group module allows to ensure presence and absence of groups and members of
 
 The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
 
-## Note
-Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
+
+Notes
+-----
+
+* Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
+* Using `externalmember` or `idoverrideuser` is only supported with `ipaapi_context: server`. With 'client' context, module execution will fail.
 
 
 Features
@@ -213,7 +217,7 @@ Example playbook to add members from a trusted realm to an external group:
 ---
 - name: Playbook to handle groups.
   hosts: ipaserver
-  
+
   tasks:
   - name: Create an external group and add members from a trust to it.
     ipagroup:
@@ -276,6 +280,7 @@ Example playbook to ensure groups are absent:
       state: absent
 ```
 
+
 Variables
 =========
 
@@ -299,8 +304,8 @@ Variable | Description | Required
 `service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
 `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
-`externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
-`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no
+`externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. Requires "server" context. | no
+`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up. Requires "server" context. | no
 `rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
 `state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | yes

README-idrange.md

@@ -68,23 +68,6 @@ Example playbook to ensure a local domain idrange is present:
       name: local_domain_id_range
       base_id: 150000
       range_size: 200000
-```
-
-Example playbook to ensure a local domain idrange is present, with RID and secondary RID base values:
-
-```yaml
----
-- name: Playbook to manage IPA idrange.
-  hosts: ipaserver
-  become: no
-
-  tasks:
-  - name: Ensure local idrange is present
-    ipaidrange:
-      ipaadmin_password: SomeADMINpassword
-      name: local_domain_id_range
-      base_id: 150000000
-      range_size: 200000
       rid_base: 1000000
       secondary_rid_base: 200000000
 ```
@@ -172,8 +155,8 @@ Variable | Description | Required
 `name` \| `cn` | The list of idrange name strings. | yes
 `base_id` \| `ipabaseid` | First Posix ID of the range. (int) | yes, if `state: present`
 `range_size` \| `ipaidrangesize` | Number of IDs in the range. (int) | yes, if `state: present`
-`rid_base` \| `ipabaserid` | First RID of the corresponding RID range. (int) | no
-`secondary_rid_base` \| `ipasecondarybaserid` | First RID of the secondary RID range. (int) | no
+`rid_base` \| `ipabaserid` | First RID of the corresponding RID range. (int) | yes, if `idrange_type: ipa-local` and `state: present` |
+`secondary_rid_base` \| `ipasecondarybaserid` | First RID of the secondary RID range. (int) | yes, if `idrange_type: ipa-local` and `state: present` |
 `dom_sid` \| `ipanttrusteddomainsid` | Domain SID of the trusted domain. | no
 `idrange_type` \| `iparangetype` | ID range type, one of `ipa-ad-trust`, `ipa-ad-trust-posix`, `ipa-local`. Only valid if idrange does not exist. | no
 `dom_name` \| `ipanttrusteddomainname` | Name of the trusted domain. Can only be used when `ipaapi_context: server`. | no

README.md

@@ -66,7 +66,7 @@ Supported Distributions
 -----------------------
 
 * RHEL/CentOS 7.4+
-* Fedora 26+
+* Fedora 40+
 * Ubuntu
 * Debian 10+ (ipaclient only, no server or replica!)
 
@@ -125,7 +125,7 @@ ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
 
 **RPM package**
 
-There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
+There are RPM packages available for Fedora. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
 
 **Ansible Galaxy**
 

infra/azure/azure-pipelines.yml

@@ -3,7 +3,7 @@ trigger:
 - master
 
 pool:
-  vmImage: 'ubuntu-20.04'
+  vmImage: 'ubuntu-24.04'
 
 variables:
   ansible_version: "-core >=2.16,<2.17"

infra/azure/nightly.yml

@@ -10,7 +10,7 @@ schedules:
 trigger: none
 
 pool:
-  vmImage: 'ubuntu-20.04'
+  vmImage: 'ubuntu-24.04'
 
 variables:
   # We need to have two sets, as c8s is not supported by all ansible versions

infra/azure/pr-pipeline.yml

@@ -3,7 +3,7 @@ trigger:
 - master
 
 pool:
-  vmImage: 'ubuntu-20.04'
+  vmImage: 'ubuntu-24.04'
 
 variables:
   distros: "fedora-latest,c10s,c9s,c8s,fedora-rawhide"

infra/image/build.sh

@@ -119,13 +119,6 @@ then
         deployed=true
     fi
     echo
-
-    if $deployed; then
-        log info "= Enabling services ="
-        container_exec "${name}" systemctl enable fixnet
-        container_exec "${name}" systemctl enable fixipaip
-        echo
-    fi
     
     container_stop "${name}"
 

infra/image/dockerfile/c10s

@@ -1,4 +1,4 @@
-FROM quay.io/centos/centos:stream10-development
+FROM quay.io/centos/centos:stream10
 ENV container=podman
 
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
@@ -31,6 +31,8 @@ COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
+RUN systemctl enable fixnet.service
+RUN systemctl enable fixipaip.service
 
 STOPSIGNAL RTMIN+3
 

infra/image/dockerfile/c8s

@@ -34,6 +34,8 @@ COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
+RUN systemctl enable fixnet.service
+RUN systemctl enable fixipaip.service
 
 STOPSIGNAL RTMIN+3
 

infra/image/dockerfile/c9s

@@ -30,6 +30,8 @@ COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
+RUN systemctl enable fixnet.service
+RUN systemctl enable fixipaip.service
 
 STOPSIGNAL RTMIN+3
 

infra/image/dockerfile/fedora-latest

@@ -33,6 +33,8 @@ COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
+RUN systemctl enable fixnet.service
+RUN systemctl enable fixipaip.service
 
 STOPSIGNAL RTMIN+3
 

infra/image/dockerfile/fedora-rawhide

@@ -33,6 +33,8 @@ COPY system-service/fixipaip.sh /root/
 COPY system-service/fixnet.service /etc/systemd/system/
 COPY system-service/fixipaip.service /etc/systemd/system/
 RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
+RUN systemctl enable fixnet.service
+RUN systemctl enable fixipaip.service
 
 STOPSIGNAL RTMIN+3
 

infra/image/shcontainer

@@ -4,13 +4,20 @@
 SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
 TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
 
+# shellcheck disable=SC1091
+. "${SCRIPTDIR}/shdefaults"
+
+# shellcheck disable=SC1091
 . "${TOPDIR}/utils/shfun"
 
 container_create() {
     local name=${1}
     local image=${2}
     shift 2
-    declare -a extra_opts=()
+    declare -a extra_opts
+    readarray -t extra_opts < \
+        <(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" \
+        <<< "$(printf '%s\n' "${CAP_DEFAULTS[@]}")")
     for opt in "$@"
     do
         [ -z "${opt}" ] && continue
@@ -19,6 +26,7 @@ container_create() {
             cpus=*) extra_opts+=("--${opt}") ;;
             memory=*) extra_opts+=("--${opt}") ;;
             capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
+            volume=*) extra_opts+=("--volume=${opt##*=}") ;;
             *) log error "container_create: Invalid option: ${opt}" ;;
         esac
     done
@@ -47,6 +55,19 @@ container_start() {
 
     log info "= Starting ${name} ="
     podman start "${name}"
+    # Add host entry to /etc/hosts
+    ip=$(podman inspect "${name}" --format "{{.NetworkSettings.IPAddress}}")
+    hostname=$(podman inspect "${name}" --format "{{.Config.Hostname}}")
+    if [ -n "${ip}" ] && [ -n "${hostname}" ]; then
+        cmd=$(cat <<EOF
+sed -i -E "/\s+${hostname}(\s|$)/d" /etc/hosts
+echo -e "$ip\t${hostname} ${hostname%%.*}" >> /etc/hosts
+EOF
+           )
+        podman exec "${name}" bash -c "$cmd"
+    fi
+    # Ensure /etc/shadow is readable
+    podman exec "${name}" bash -c "chmod u+r /etc/shadow"
     echo
 }
 
@@ -195,3 +216,15 @@ container_fetch() {
     podman cp "${name}:${source}" "${destination}"
     echo
 }
+
+container_tee() {
+    local name=${1}
+    local destination=${2}
+    tmpfile=$(mktemp /tmp/container-temp.XXXXXX)
+
+    log info "= Creating ${name}:${destination} from stdin ="
+    cat - > "${tmpfile}"
+    podman cp "${tmpfile}" "${name}:${destination}"
+    rm "${tmpfile}"
+    echo
+}

infra/image/shdefaults

@@ -0,0 +1,9 @@
+#!/bin/bash -eu
+# This file is meant to be source'd by other scripts
+
+# Set default capabilities options for freeipa containers.
+# Use +CAP to add the capability and -CAP to drop the capability.
+CAP_DEFAULTS=(
+    "+DAC_READ_SEARCH"  # Required for SSSD
+    "+SYS_PTRACE"       # Required for debugging
+)

infra/image/system-service/fixipaip.service

@@ -1,6 +1,7 @@
 [Unit]
 Description=Fix IPA server IP in IPA Server
 After=ipa.service
+PartOf=ipa.service
 
 [Service]
 Type=oneshot
@@ -9,4 +10,4 @@ StandardOutput=journal
 StandardError=journal
 
 [Install]
-WantedBy=default.target
+WantedBy=ipa.service

infra/image/system-service/fixipaip.sh

@@ -50,9 +50,9 @@ if [ -z "${FORWARDER}" ] || [ "${FORWARDER}" == "127.0.0.1" ]; then
 fi
 
 echo "Fix IPA:"
-echo "  HOSTNAME: '${HOSTNAME}'"
-echo "  IP: '${IP}'"
-echo "  PTR: '${PTR}'"
+echo "  HOSTNAME:  '${HOSTNAME}'"
+echo "  IP:        '${IP}'"
+echo "  PTR:       '${PTR}'"
 echo "  FORWARDER: '${FORWARDER}'"
 
 ZONES=$(ipa -e in_server=true dnszone-find --name-from-ip="${HOSTNAME}." \

infra/image/system-service/fixnet.service

@@ -1,8 +1,5 @@
 [Unit]
-Description=Fix server IP in IPA Server
-Wants=network.target
-After=network.target
-Before=ipa.service
+Description=Fix /etc/hosts and with local DNS also /etc/resolv.conf
 
 [Service]
 Type=oneshot
@@ -11,4 +8,4 @@ StandardOutput=journal
 StandardError=journal
 
 [Install]
-WantedBy=ipa.service
+WantedBy=container-ipa.target

infra/image/system-service/fixnet.sh

@@ -39,26 +39,35 @@ if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
     exit 1
 fi
 
+DOMAIN=${HOSTNAME#*.}
+
 echo "Fix NET:"
 echo "  HOSTNAME: '${HOSTNAME}'"
-echo "  IP: '${IP}'"
+echo "  DOMAIN:   '${DOMAIN}'"
+echo "  IP:       '${IP}'"
 echo
 
-if grep -qE "^[^(#\s*)][0-9\.]+\s$HOSTNAME(\s|$)" /etc/hosts
-then
-    sed -i.bak -e "s/.*${HOSTNAME}/${IP}\t${HOSTNAME}/" /etc/hosts
-else
-    echo -e "$IP\t${HOSTNAME} ${HOSTNAME%%.*}" >> /etc/hosts
-fi
+# /etc/hosts
 
-cp -a /etc/resolv.conf /etc/resolv.conf.fixnet
-cat > /etc/resolv.conf <<EOF
-search ${HOSTNAME#*.}
-nameserver 127.0.0.1
-EOF
+sed -i -E "/\s+${HOSTNAME}(\s|$)/d" /etc/hosts
+echo -e "$IP\t${HOSTNAME} ${HOSTNAME%%.*}" >> /etc/hosts
 
 echo "/etc/hosts:"
 cat "/etc/hosts"
+
+# /etc/resolv.conf
+
+# If bind is not installed, exit
+[ -f "/etc/named.conf" ] || exit 0
+# If dyndb is not enabled for bind, exit
+grep -q '^dyndb "ipa"' "/etc/named.conf" || exit 0
+
+cp -a /etc/resolv.conf /etc/resolv.conf.fixnet
+cat > /etc/resolv.conf <<EOF
+search ${DOMAIN}
+nameserver 127.0.0.1
+EOF
+
 echo
 echo "/etc/resolv.conf:"
 cat "/etc/resolv.conf"

playbooks/dnszone/dnszone-all-params.yml

@@ -21,7 +21,7 @@
         - ip_address: 8.8.8.8
         - ip_address: 8.8.4.4
           port: 52
-      #serial: 1234
+      # serial: 1234
       refresh: 3600
       retry: 900
       expire: 1209600

playbooks/vault/vault-is-present-with-password-file.yml

@@ -11,7 +11,7 @@
       dest: "{{ ansible_facts['env'].HOME }}/password.txt"
       owner: "{{ ansible_user }}"
       group: "{{ ansible_user }}"
-      mode: 0600
+      mode: "0600"
   - name: Ensure symmetric vault exists with password from file.
     ipavault:
       ipaadmin_password: SomeADMINpassword

playbooks/vault/vault-is-present-with-public-key-file.yml

@@ -16,7 +16,7 @@
       dest: "{{ ansible_facts['env'].HOME }}/public.pem"
       owner: "{{ ansible_user }}"
       group: "{{ ansible_user }}"
-      mode: 0600
+      mode: "0600"
   - name: Ensure asymmetric vault exists with public key from file.
     ipavault:
       ipaadmin_password: SomeADMINpassword

plugins/module_utils/ansible_freeipa_module.py

@@ -589,6 +589,20 @@ def ensure_fqdn(name, domain):
     return name
 
 
+def convert_to_sid(items):
+    """Convert all items to SID, if possible."""
+    def get_sid(data):
+        try:
+            return get_trusted_domain_object_sid(data)
+        except ipalib_errors.NotFound:
+            return data
+    if items is None:
+        return None
+    if not isinstance(items, (list, tuple)):
+        items = [items]
+    return [get_sid(item) for item in items]
+
+
 def api_get_realm():
     return api.env.realm
 
@@ -903,6 +917,13 @@ def get_trusted_domain_sid_from_name(dom_name):
     return unicode(sid) if sid is not None else None
 
 
+def get_trusted_domain_object_sid(object_name):
+    """Given an object name, returns de object SID."""
+    domain_validator = __get_domain_validator()
+    sid = domain_validator.get_trusted_domain_object_sid(object_name)
+    return unicode(sid) if sid is not None else None
+
+
 class IPAParamMapping(Mapping):
     """
     Provides IPA API mapping to playbook parameters or computed values.

plugins/modules/ipagroup.py

@@ -113,13 +113,14 @@ options:
       externalmember:
         description:
         - List of members of a trusted domain in DOM\\name or name@domain form.
+          Requires "server" context.
         required: false
         type: list
         elements: str
         aliases: ["ipaexternalmember", "external_member"]
       idoverrideuser:
         description:
-        - User ID overrides to add
+        - User ID overrides to add. Requires "server" context.
         required: false
         type: list
         elements: str
@@ -188,13 +189,14 @@ options:
   externalmember:
     description:
     - List of members of a trusted domain in DOM\\name or name@domain form.
+      Requires "server" context.
     required: false
     type: list
     elements: str
     aliases: ["ipaexternalmember", "external_member"]
   idoverrideuser:
     description:
-    - User ID overrides to add
+    - User ID overrides to add. Requires "server" context.
     required: false
     type: list
     elements: str
@@ -297,6 +299,7 @@ EXAMPLES = """
     posix: yes
 
 # Create an external group and add members from a trust to it.
+# Module will fail if running under 'client' context.
 - ipagroup:
     ipaadmin_password: SomeADMINpassword
     name: extgroup
@@ -327,7 +330,8 @@ RETURN = """
 from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, \
-    gen_add_list, gen_intersection_list, api_check_param
+    gen_add_list, gen_intersection_list, api_check_param, \
+    convert_to_sid
 from ansible.module_utils import six
 if six.PY3:
     unicode = str
@@ -562,21 +566,29 @@ def main():
     # The simple solution is to switch to client context for ensuring
     # several groups simply if the user was not explicitly asking for
     # the server context no matter if mixed types are used.
-    context = None
+    context = ansible_module.params_get("ipaapi_context")
     if state == "present" and groups is not None and len(groups) > 1 \
        and not FIX_6741_DEEPCOPY_OBJECTCLASSES:
-        _context = ansible_module.params_get("ipaapi_context")
-        if _context is None:
+        if context is None:
             context = "client"
             ansible_module.debug(
                 "Switching to client context due to an unfixed issue in "
                 "your IPA version: https://pagure.io/freeipa/issue/9349")
-        elif _context == "server":
+        elif context == "server":
             ansible_module.fail_json(
                 msg="Ensuring several groups with server context is not "
                 "supported by your IPA version: "
                 "https://pagure.io/freeipa/issue/9349")
 
+    if (
+        (externalmember is not None
+         or idoverrideuser is not None)
+        and context == "client"
+    ):
+        ansible_module.fail_json(
+            msg="Cannot use externalmember in client context."
+        )
+
     # Use groups if names is None
     if groups is not None:
         names = groups
@@ -676,6 +688,23 @@ def main():
             # Make sure group exists
             res_find = find_group(ansible_module, name)
 
+            # external members must de handled as SID
+            externalmember = convert_to_sid(externalmember)
+
+            # idoverrides need to be compared through SID
+            idoverrideuser_sid = convert_to_sid(idoverrideuser)
+            res_idoverrideuser_sid = convert_to_sid(
+                (res_find or {}).get("member_idoverrideuser", []))
+            idoverride_set = dict(
+                list(zip(idoverrideuser_sid or [], idoverrideuser or [])) +
+                list(
+                    zip(
+                        res_idoverrideuser_sid or [],
+                        (res_find or {}).get("member_idoverrideuser", [])
+                    )
+                )
+            )
+
             user_add, user_del = [], []
             group_add, group_del = [], []
             service_add, service_del = [], []
@@ -723,11 +752,12 @@ def main():
                         res_find = {}
 
                     # if we just created/modified the group, update res_find
-                    res_find.setdefault("objectclass", [])
+                    classes = list(res_find.setdefault("objectclass", []))
                     if external and not is_external_group(res_find):
-                        res_find["objectclass"].append("ipaexternalgroup")
+                        classes.append("ipaexternalgroup")
                     if posix and not is_posix_group(res_find):
-                        res_find["objectclass"].append("posixgroup")
+                        classes.append("posixgroup")
+                    res_find["objectclass"] = classes
 
                     member_args = gen_member_args(
                         user, group, service, externalmember, idoverrideuser
@@ -752,11 +782,19 @@ def main():
                             )
                         )
 
+                        # There are multiple ways to name an AD User, and any
+                        # can be used in idoverrides, so we create the add/del
+                        # lists based on SID, and then use the given user name
+                        # to the idoverride.
                         (idoverrides_add,
                          idoverrides_del) = gen_add_del_lists(
-                            idoverrideuser,
-                            res_find.get("member_idoverrideuser")
-                        )
+                            idoverrideuser_sid, res_idoverrideuser_sid)
+                        idoverrides_add = [
+                            idoverride_set[sid] for sid in set(idoverrides_add)
+                        ]
+                        idoverrides_del = [
+                            idoverride_set[sid] for sid in set(idoverrides_del)
+                        ]
 
                     membermanager_user_add, membermanager_user_del = \
                         gen_add_del_lists(
@@ -790,7 +828,10 @@ def main():
                         )
                     )
                     idoverrides_add = gen_add_list(
-                        idoverrideuser, res_find.get("member_idoverrideuser"))
+                        idoverrideuser_sid, res_idoverrideuser_sid)
+                    idoverrides_add = [
+                        idoverride_set[sid] for sid in set(idoverrides_add)
+                    ]
 
                     membermanager_user_add = gen_add_list(
                         membermanager_user,
@@ -829,7 +870,10 @@ def main():
                         )
                     )
                     idoverrides_del = gen_intersection_list(
-                        idoverrideuser, res_find.get("member_idoverrideuser"))
+                        idoverrideuser_sid, res_idoverrideuser_sid)
+                    idoverrides_del = [
+                        idoverride_set[sid] for sid in set(idoverrides_del)
+                    ]
 
                     membermanager_user_del = gen_intersection_list(
                         membermanager_user, res_find.get("membermanager_user"))
@@ -872,7 +916,7 @@ def main():
                 if len(externalmember_del) > 0:
                     del_member_args["ipaexternalmember"] = \
                         externalmember_del
-            elif externalmember or external:
+            elif externalmember:
                 ansible_module.fail_json(
                     msg="Cannot add external members to a "
                         "non-external group."

plugins/modules/ipaidrange.py

@@ -281,6 +281,14 @@ def main():
 
     # Connect to IPA API
     with ansible_module.ipa_connect():
+        # set required fields
+        required = ["base_id", "range_size"]
+        requires_baserid = (
+            ansible_module.ipa_command_param_exists("config_mod", "enable_sid")
+            and idrange_type in [None, "ipa-local"]
+        )
+        if requires_baserid:
+            required.extend(["rid_base", "secondary_rid_base"])
 
         commands = []
         for name in names:
@@ -321,6 +329,18 @@ def main():
                             del args["iparangetype"]
                         commands.append([name, "idrange_mod", args])
                 else:
+                    # Check if required parameters were given
+                    missing_params = [
+                        pname for pname in required
+                        if ansible_module.params_get(pname) is None
+                    ]
+                    if missing_params:
+                        ansible_module.fail_json(
+                            msg=(
+                                "Missing required parameters: %s"
+                                % (", ".join(missing_params))
+                            )
+                        )
                     commands.append([name, "idrange_add", args])
 
             elif state == "absent":

requirements-dev.txt

@@ -1,7 +1,7 @@
 -r requirements-tests.txt
 ipdb==0.13.4
 pre-commit==2.20.0
-flake8==7.0.0
+flake8
 flake8-bugbear
 pylint>=3.2
 wrapt==1.14.1

roles/ipabackup/README.md

@@ -34,7 +34,7 @@ Supported Distributions
 
 * RHEL/CentOS 7.6+
 * CentOS Stream 8+
-* Fedora 26+
+* Fedora 40+
 * Ubuntu 16.04 and 18.04
 
 

roles/ipaclient/README.md

@@ -25,7 +25,7 @@ Supported Distributions
 
 * RHEL/CentOS 7.4+
 * CentOS Stream 8+
-* Fedora 26+
+* Fedora 40+
 * Ubuntu
 * Debian
 
@@ -202,6 +202,8 @@ Variable | Description | Required
 `ipaclient_request_cert` | The bool value defines if the certificate for the machine wil be requested. The certificate will be stored in /etc/ipa/nssdb under the nickname "Local IPA host". . `ipaclient_request_cert` defaults to `no`. The option is deprecated and will be removed in a future release. | no
 `ipaclient_keytab` | The string value contains the path on the node of a backup host keytab from a previous enrollment. | no
 `ipaclient_automount_location` | Automount location | no
+`ipaclient_dns_over_tls` | Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later. (bool, default: false) | no
+`ipaclient_no_dnssec_validation` | Disable DNSSEC validation for DNS over TLS. This turns off DNSSEC validation for unbound. Ignored if `ipaserver_dns_over_tls` is not enabled. (bool, default: false) | no
 
 
 Server Variables

roles/ipaclient/defaults/main.yml

@@ -26,6 +26,8 @@ ipasssd_enable_dns_updates: no
 ipasssd_no_krb5_offline_passwords: no
 ipasssd_preserve_sssd: no
 ipaclient_request_cert: no
+ipaclient_dns_over_tls: no
+ipaclient_no_dnssec_validation: no
 
 ### packages ###
 ipaclient_install_packages: yes

roles/ipaclient/library/ipaclient_setup_nss.py

@@ -86,6 +86,16 @@ options:
     type: bool
     required: no
     default: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
+  no_dnssec_validation:
+    description: Disable DNSSEC validation for DNS over TLS
+    type: bool
+    default: no
+    required: no
   enable_dns_updates:
     description: |
       Configures the machine to attempt dns updates when the ip address
@@ -212,7 +222,9 @@ def main():
             mkhomedir=dict(required=False, type='bool'),
             on_master=dict(required=False, type='bool'),
             dnsok=dict(required=False, type='bool', default=False),
-
+            dns_over_tls=dict(required=False, type='bool', default=False),
+            no_dnssec_validation=dict(required=False, type='bool',
+                                      default=False),
             enable_dns_updates=dict(required=False, type='bool'),
             all_ip_addresses=dict(required=False, type='bool', default=False),
             ip_addresses=dict(required=False, type='list', elements='str',
@@ -249,6 +261,8 @@ def main():
     options.mkhomedir = module.params.get('mkhomedir')
     options.on_master = module.params.get('on_master')
     dnsok = module.params.get('dnsok')
+    options.dns_over_tls = module.params.get('dns_over_tls')
+    options.no_dnssec_validation = module.params.get('no_dnssec_validation')
 
     fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
     statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE)
@@ -256,6 +270,7 @@ def main():
     os.environ['KRB5CCNAME'] = paths.IPA_DNS_CCACHE
 
     options.dns_updates = module.params.get('enable_dns_updates')
+    options.dns_over_tls = module.params.get('dns_over_tls')
     options.all_ip_addresses = module.params.get('all_ip_addresses')
     options.ip_addresses = ansible_module_get_parsed_ip_addresses(module)
     options.request_cert = module.params.get('request_cert')
@@ -279,6 +294,7 @@ def main():
     options.no_sssd = False
     options.sssd = not options.no_sssd
     options.no_ac = False
+    options.dns_over_tls = module.params.get('dns_over_tls')
     nosssd_files = module.params.get('nosssd_files')
     selinux_works = module.params.get('selinux_works')
     krb_name = module.params.get('krb_name')
@@ -339,17 +355,19 @@ def main():
                                                       ca_subject)
         ca_certs_trust = [(c, n,
                            certstore.key_policy_to_trust_flags(t, True, u))
-                          for (c, n, t, u) in ca_certs]
+                          for (c, n, t, u) in [x[0:4] for x in ca_certs]]
 
         if hasattr(paths, "KDC_CA_BUNDLE_PEM"):
             x509.write_certificate_list(
-                [c for c, n, t, u in ca_certs if t is not False],
+                [c for c, n, t, u in [x[0:4] for x in ca_certs]
+                    if t is not False],
                 paths.KDC_CA_BUNDLE_PEM,
                 # mode=0o644
             )
         if hasattr(paths, "CA_BUNDLE_PEM"):
             x509.write_certificate_list(
-                [c for c, n, t, u in ca_certs if t is not False],
+                [c for c, n, t, u in [x[0:4] for x in ca_certs]
+                    if t is not False],
                 paths.CA_BUNDLE_PEM,
                 # mode=0o644
             )
@@ -376,7 +394,12 @@ def main():
             ssh_config_dir = paths.SSH_CONFIG_DIR
         else:
             ssh_config_dir = services.knownservices.sshd.get_config_dir()
-        update_ssh_keys(hostname, ssh_config_dir, options.create_sshfp)
+        argspec_update_ssh_keys = getargspec(update_ssh_keys)
+        # Hotfix for https://github.com/freeipa/freeipa/pull/7343
+        if "options" in argspec_update_ssh_keys.args:
+            update_ssh_keys(hostname, ssh_config_dir, options, cli_server[0])
+        else:
+            update_ssh_keys(hostname, ssh_config_dir, options.create_sshfp)
 
         try:
             os.remove(CCACHE_FILE)

roles/ipaclient/library/ipaclient_setup_sssd.py

@@ -91,6 +91,11 @@ options:
       changes
     type: bool
     required: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
   preserve_sssd:
     description: Preserve old SSSD configuration if possible
     type: bool
@@ -140,6 +145,7 @@ def main():
             fixed_primary=dict(required=False, type='bool'),
             permit=dict(required=False, type='bool'),
             enable_dns_updates=dict(required=False, type='bool'),
+            dns_over_tls=dict(required=False, type='bool', default=False),
             preserve_sssd=dict(required=False, type='bool'),
             no_krb5_offline_passwords=dict(required=False, type='bool'),
         ),
@@ -169,11 +175,13 @@ def main():
     options.primary = module.params.get('fixed_primary')
     options.permit = module.params.get('permit')
     options.dns_updates = module.params.get('enable_dns_updates')
+    options.dns_over_tls = module.params.get('dns_over_tls')
     options.preserve_sssd = module.params.get('preserve_sssd')
 
     options.no_krb5_offline_passwords = module.params.get(
         'no_krb5_offline_passwords')
     options.krb5_offline_passwords = not options.no_krb5_offline_passwords
+    options.dns_over_tls = False
 
     fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
     client_domain = hostname[hostname.find(".") + 1:]

roles/ipaclient/library/ipaclient_test.py

@@ -124,6 +124,16 @@ options:
     type: bool
     required: no
     default: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
+  no_dnssec_validation:
+    description: Disable DNSSEC validation for DNS over TLS
+    type: bool
+    default: no
+    required: no
   enable_dns_updates:
     description:
       Configures the machine to attempt dns updates when the ip address
@@ -248,7 +258,8 @@ from ansible.module_utils.ansible_ipa_client import (
     CLIENT_INSTALL_ERROR, tasks, check_ldap_conf, timeconf, constants,
     validate_hostname, nssldap_exists, gssapi, remove_file,
     check_ip_addresses, ipadiscovery, print_port_conf_info,
-    IPA_PYTHON_VERSION, getargspec
+    IPA_PYTHON_VERSION, getargspec, services,
+    CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION
 )
 
 
@@ -328,6 +339,9 @@ def main():
                               default=None),
             all_ip_addresses=dict(required=False, type='bool', default=False),
             on_master=dict(required=False, type='bool', default=False),
+            dns_over_tls=dict(required=False, type='bool', default=False),
+            no_dnssec_validation=dict(required=False, type='bool',
+                                      default=False),
             # sssd
             enable_dns_updates=dict(required=False, type='bool',
                                     default=False),
@@ -356,6 +370,8 @@ def main():
     options.ip_addresses = module.params.get('ip_addresses')
     options.all_ip_addresses = module.params.get('all_ip_addresses')
     options.on_master = module.params.get('on_master')
+    options.dns_over_tls = module.params.get('dns_over_tls')
+    options.no_dnssec_validation = module.params.get('no_dnssec_validation')
     options.enable_dns_updates = module.params.get('enable_dns_updates')
 
     # Get domain from first server if domain is not set, but if there are
@@ -365,6 +381,16 @@ def main():
             options.domain_name = options.servers[0][
                 options.servers[0].find(".") + 1:]
 
+    if options.dns_over_tls \
+       and not services.knownservices["unbound"].is_installed():
+        module.fail_json(
+            msg="To enable DNS over TLS, package ipa-client-encrypted-dns "
+            "must be installed.")
+    if options.dns_over_tls and not CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION:
+        module.fail_json(
+            msg="Important patches for DNS over TLS are missing in your IPA "
+            "version.")
+
     try:
         self = options
 

roles/ipaclient/module_utils/ansible_ipa_client.py

@@ -231,8 +231,6 @@ try:
                         cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
                         filename, client_domain, client_hostname, force=False,
                         configure_sssd=True):
-                    # pylint: disable=global-variable-not-assigned
-                    global options
                     options.force = force
                     options.sssd = configure_sssd
                     return ipa_client_install.configure_krb5_conf(
@@ -312,6 +310,15 @@ try:
         except ImportError:
             configure_selinux_for_client = None
 
+        try:
+            CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = False
+            from ipaclient.install.client import ClientInstallInterface
+        except ImportError:
+            pass
+        else:
+            if hasattr(ClientInstallInterface, "no_dnssec_validation"):
+                CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = True
+
         logger = logging.getLogger("ipa-client-install")
         root_logger = logger
 

roles/ipaclient/tasks/install.yml

@@ -1,11 +1,23 @@
 ---
 # tasks file for ipaclient
 
-- name: Install - Ensure that IPA client packages are installed
-  ansible.builtin.package:
-    name: "{{ ipaclient_packages }}"
-    state: present
+- name: Install - Package installation
   when: ipaclient_install_packages | bool
+  block:
+
+  - name: Install - Set packages for installation
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ ipaclient_packages }}"
+
+  - name: Install - Set packages for installlation, add DOT
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ _ipapackages + ipaclient_packages_dot }}"
+    when: ipaclient_dns_over_tls | bool
+
+  - name: Install - Ensure that packages are installed
+    ansible.builtin.package:
+      name: "{{ _ipapackages }}"
+      state: present
 
 - name: Install - Set ipaclient_servers
   ansible.builtin.set_fact:
@@ -38,7 +50,7 @@
       msg: "ipaclient_domain or ipaserver_domain is required for ipaclient_configure_dns_resolver"
     when: ipaserver_domain is not defined and ipaclient_domain is not defined
 
-  - name: Install - Fail on missing ipaclient_servers
+  - name: Install - Fail on missing ipaclient_dns_servers
     ansible.builtin.fail:
       msg: "ipaclient_dns_servers is required for ipaclient_configure_dns_resolver"
     when: ipaclient_dns_servers is not defined
@@ -69,9 +81,10 @@
     ip_addresses: "{{ ipaclient_ip_addresses | default(omit) }}"
     all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
     on_master: "{{ ipaclient_on_master }}"
+    dns_over_tls: "{{ ipaclient_dns_over_tls }}"
+    no_dnssec_validation: "{{ ipaclient_no_dnssec_validation }}"
     ### sssd ###
-    enable_dns_updates: "{{ ipassd_enable_dns_updates
-                            | default(ipasssd_enable_dns_updates) }}"
+    enable_dns_updates: "{{ ipasssd_enable_dns_updates }}"
   register: result_ipaclient_test
 
 - name: Install - Client deployment
@@ -152,7 +165,7 @@
       ansible.builtin.copy:
         src: "{{ ipaadmin_keytab }}"
         dest: "{{ keytab_temp.path }}"
-        mode: 0600
+        mode: "0600"
       delegate_to: "{{ result_ipaclient_test.servers[0] }}"
       when: ipaadmin_keytab is defined
 
@@ -321,16 +334,12 @@
         no_sshd: "{{ ipaclient_no_sshd }}"
         no_sudo: "{{ ipaclient_no_sudo }}"
         all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
-        fixed_primary: "{{ ipassd_fixed_primary
-                           | default(ipasssd_fixed_primary) }}"
-        permit: "{{ ipassd_permit | default(ipasssd_permit) }}"
-        enable_dns_updates: "{{ ipassd_enable_dns_updates
-                                | default(ipasssd_enable_dns_updates) }}"
-        preserve_sssd: "{{ ipassd_preserve_sssd
-                           | default(ipasssd_preserve_sssd) }}"
-        no_krb5_offline_passwords:
-          "{{ ipassd_no_krb5_offline_passwords
-              | default(ipasssd_no_krb5_offline_passwords) }}"
+        fixed_primary: "{{ ipasssd_fixed_primary }}"
+        permit: "{{ ipasssd_permit }}"
+        enable_dns_updates: "{{ ipasssd_enable_dns_updates }}"
+        dns_over_tls: "{{ ipaclient_dns_over_tls }}"
+        preserve_sssd: "{{ ipasssd_preserve_sssd }}"
+        no_krb5_offline_passwords: "{{ ipasssd_no_krb5_offline_passwords }}"
 
     - name: Install - IPA API calls for remaining enrollment parts
       ipaclient_api:
@@ -365,23 +374,20 @@
         ca_enabled: "{{ result_ipaclient_api.ca_enabled }}"
         on_master: "{{ ipaclient_on_master }}"
         dnsok: "{{ result_ipaclient_test.dnsok }}"
-        enable_dns_updates: "{{ ipassd_enable_dns_updates
-                                | default(ipasssd_enable_dns_updates) }}"
+        enable_dns_updates: "{{ ipasssd_enable_dns_updates }}"
+        dns_over_tls: "{{ ipaclient_dns_over_tls }}"
+        no_dnssec_validation: "{{ ipaclient_no_dnssec_validation }}"
         all_ip_addresses: "{{ ipaclient_all_ip_addresses }}"
         ip_addresses: "{{ ipaclient_ip_addresses | default(omit) }}"
         request_cert: "{{ ipaclient_request_cert }}"
-        preserve_sssd: "{{ ipassd_preserve_sssd
-                           | default(ipasssd_preserve_sssd) }}"
+        preserve_sssd: "{{ ipasssd_preserve_sssd }}"
         no_ssh: "{{ ipaclient_no_ssh }}"
         no_sshd: "{{ ipaclient_no_sshd }}"
         no_sudo: "{{ ipaclient_no_sudo }}"
         subid: "{{ ipaclient_subid }}"
-        fixed_primary: "{{ ipassd_fixed_primary
-                           | default(ipasssd_fixed_primary) }}"
-        permit: "{{ ipassd_permit | default(ipasssd_permit) }}"
-        no_krb5_offline_passwords:
-          "{{ ipassd_no_krb5_offline_passwords
-              | default(ipasssd_no_krb5_offline_passwords) }}"
+        fixed_primary: "{{ ipasssd_fixed_primary }}"
+        permit: "{{ ipasssd_permit }}"
+        no_krb5_offline_passwords: "{{ ipasssd_no_krb5_offline_passwords }}"
         no_dns_sshfp: "{{ ipaclient_no_dns_sshfp }}"
         nosssd_files: "{{ result_ipaclient_test.nosssd_files }}"
         selinux_works: "{{ result_ipaclient_test.selinux_works }}"

roles/ipaclient/tasks/uninstall.yml

@@ -15,8 +15,3 @@
   ipaclient_configure_dns_resolver:
     state: absent
   when: ipaclient_cleanup_dns_resolver | bool
-
-#- name: Remove IPA client package
-#  ansible.builtin.package:
-#    name: "{{ ipaclient_packages }}"
-#    state: absent

roles/ipaclient/vars/Debian-10.yml

@@ -1,6 +1,7 @@
 ---
 # vars/Debian.yml
 ipaclient_packages: [ "freeipa-client" ]
+ipaclient_packages_dot: [ ]
 # Debian Buster must use python2 as Python interpreter due
 # to the way freeipa-client package is defined.
 # You must install package python2.7 before executing this role.

roles/ipaclient/vars/Debian.yml

@@ -2,3 +2,4 @@
 # vars/Debian.yml
 ---
 ipaclient_packages: [ "freeipa-client" ]
+ipaclient_packages_dot: [ ]

roles/ipaclient/vars/Fedora-25.yml

@@ -1,5 +0,0 @@
-# defaults file for ipaclient
-# vars/Fedora-25.yml
----
-ipaclient_packages: [ "ipa-client", "libselinux-python" ]
-#ansible_python_interpreter: '/usr/bin/python2'

roles/ipaclient/vars/Fedora-26.yml

@@ -1,5 +0,0 @@
-# defaults file for ipaclient
-# vars/Fedora-26.yml
----
-ipaclient_packages: [ "ipa-client", "libselinux-python" ]
-#ansible_python_interpreter: '/usr/bin/python2'

roles/ipaclient/vars/RedHat-7.3.yml

@@ -1,5 +0,0 @@
-# defaults file for ipaclient
-# vars/RedHat-7.3.yml
----
-ipaclient_packages: [ "ipa-client", "ipa-admintools", "libselinux-python" ]
-#ansible_python_interpreter: '/usr/bin/python2'

roles/ipaclient/vars/RedHat-7.yml

@@ -2,4 +2,4 @@
 # vars/RedHat-7
 ---
 ipaclient_packages: [ "ipa-client", "libselinux-python" ]
-#ansible_python_interpreter: '/usr/bin/python2'
+ipaclient_packages_dot: [ ]

roles/ipaclient/vars/RedHat-8.yml

@@ -2,3 +2,4 @@
 # vars/RedHat-8.yml
 ---
 ipaclient_packages: [ "@idm:DL1/client" ]
+ipaclient_packages_dot: [ ]

roles/ipaclient/vars/Ubuntu-18.04.yml

@@ -1,6 +1,7 @@
 # vars/Ubuntu-18.04.yml
 ---
 ipaclient_packages: [ "freeipa-client" ]
+ipaclient_packages_dot: [ ]
 # Ubuntu Bionic Beaver must use python2 as Python interpreter due
 # to the way python-ipalib package is defined.
 # Package python2.7 must be installed before executing this role.

roles/ipaclient/vars/default.yml

@@ -2,4 +2,4 @@
 # vars/default.yml
 ---
 ipaclient_packages: [ "ipa-client", "python3-libselinux" ]
-#ansible_python_interpreter: '/usr/bin/python3'
+ipaclient_packages_dot: [ "ipa-client-encrypted-dns" ]

roles/ipareplica/README.md

@@ -28,7 +28,7 @@ Supported Distributions
 
 * RHEL/CentOS 7.6+
 * CentOS Stream 8+
-* Fedora 26+
+* Fedora 40+
 * Ubuntu 16.04 and 18.04
 
 
@@ -270,6 +270,11 @@ Variable | Description | Required
 `ipareplica_auto_forwarders` | Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false) | no
 `ipareplica_forward_policy` | DNS forwarding policy for global forwarders specified using other options. (choice: first,only) | no
 `ipareplica_no_dnssec_validation` | Disable DNSSEC validation on this server. (bool, default: false) | no
+`ipareplica_dot_forwarders` | List of DNS over TLS forwarders. Required if `ipareplica_dns_over_tls` is enabled. (list of strings) | no
+`ipareplica_dns_over_tls` \| `ipaclient_dns_over_tls` | Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later. (bool, default: false) | no
+`ipareplica_dns_over_tls_cert` | Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA. (string) | no
+`ipareplica_dns_over_tls_key` | Key for certificate specified in `ipareplica_dns_over_tls_cert`. (string) | no
+`ipareplica_dns_policy` | Encrypted DNS policy. Only usable if `ipareplica_dns_over_tls` is enabled. (choice: relaxed, enforced, default: relaxed) | no
 
 AD trust Variables
 ------------------

roles/ipareplica/defaults/main.yml

@@ -17,10 +17,10 @@ ipareplica_no_ui_redirect: no
 ipaclient_mkhomedir: no
 ipaclient_force_join: no
 ipaclient_no_ntp: no
-#ipaclient_ssh_trust_dns: no
-#ipaclient_no_ssh: no
-#ipaclient_no_sshd: no
-#ipaclient_no_dns_sshfp: no
+# ipaclient_ssh_trust_dns: no
+# ipaclient_no_ssh: no
+# ipaclient_no_sshd: no
+# ipaclient_no_dns_sshfp: no
 ipaclient_ssh_trust_dns: no
 ### certificate system ###
 ipareplica_skip_schema_check: no

roles/ipareplica/library/ipareplica_prepare.py

@@ -224,6 +224,32 @@ options:
     type: bool
     default: no
     required: no
+  dot_forwarders:
+    description: List of DNS over TLS forwarders
+    type: list
+    elements: str
+    default: []
+    required: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
+  dns_over_tls_cert:
+    description:
+      Certificate to use for DNS over TLS. If empty, a new
+      certificate will be requested from IPA CA
+    type: str
+    required: no
+  dns_over_tls_key:
+    description: Key for certificate specified in dns_over_tls_cert
+    type: str
+    required: no
+  dns_policy:
+    description: Encrypted DNS policy
+    type: str
+    choices: ['relaxed', 'enforced']
+    default: 'relaxed'
   enable_compat:
     description: Enable support for trusted domains for old clients
     type: bool
@@ -354,6 +380,15 @@ def main():
                                 choices=['first', 'only'], default=None),
             no_dnssec_validation=dict(required=False, type='bool',
                                       default=False),
+            dot_forwarders=dict(required=False, type='list', elements='str',
+                                default=[]),
+            dns_over_tls=dict(required=False, type='bool',
+                              default=False),
+            dns_over_tls_cert=dict(required=False, type='str'),
+            dns_over_tls_key=dict(required=False, type='str'),
+            dns_policy=dict(required=False, type='str',
+                            choices=['relaxed', 'enforced'],
+                            default='relaxed'),
             # ad trust
             enable_compat=dict(required=False, type='bool', default=False),
             netbios_name=dict(required=False, type='str'),
@@ -430,6 +465,11 @@ def main():
     options.forward_policy = ansible_module.params.get('forward_policy')
     options.no_dnssec_validation = ansible_module.params.get(
         'no_dnssec_validation')
+    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
+    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
+    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
+    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
+    options.dns_policy = ansible_module.params.get('dns_policy')
     # ad trust
     options.enable_compat = ansible_module.params.get('enable_compat')
     options.netbios_name = ansible_module.params.get('netbios_name')

roles/ipareplica/library/ipareplica_setup_dns.py

@@ -72,6 +72,32 @@ options:
     type: bool
     default: no
     required: no
+  dot_forwarders:
+    description: List of DNS over TLS forwarders
+    type: list
+    elements: str
+    default: []
+    required: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
+  dns_over_tls_cert:
+    description:
+      Certificate to use for DNS over TLS. If empty, a new
+      certificate will be requested from IPA CA
+    type: str
+    required: no
+  dns_over_tls_key:
+    description: Key for certificate specified in dns_over_tls_cert
+    type: str
+    required: no
+  dns_policy:
+    description: Encrypted DNS policy
+    type: str
+    choices: ['relaxed', 'enforced']
+    default: 'relaxed'
   dns_ip_addresses:
     description: The dns ip_addresses setting
     type: list
@@ -117,6 +143,9 @@ from ansible.module_utils.ansible_ipa_replica import (
     gen_ReplicaConfig, gen_remote_api, api, redirect_stdout, dns,
     ansible_module_get_parsed_ip_addresses
 )
+# pylint: disable=unused-import
+from ansible.module_utils.ansible_ipa_replica import bindinstance  # noqa: F401
+# pylint: enable=unused-import
 
 
 def main():
@@ -135,6 +164,14 @@ def main():
                                 choices=['first', 'only'], default=None),
             no_dnssec_validation=dict(required=False, type='bool',
                                       default=False),
+            dot_forwarders=dict(required=False, type='list', elements='str',
+                                default=[]),
+            dns_over_tls=dict(required=False, type='bool', default=False),
+            dns_over_tls_cert=dict(required=False, type='str'),
+            dns_over_tls_key=dict(required=False, type='str'),
+            dns_policy=dict(required=False, type='str',
+                            choices=['relaxed', 'enforced'],
+                            default='relaxed'),
             # additional
             dns_ip_addresses=dict(required=True, type='list', elements='str'),
             dns_reverse_zones=dict(required=True, type='list', elements='str'),
@@ -167,6 +204,11 @@ def main():
     options.forward_policy = ansible_module.params.get('forward_policy')
     options.no_dnssec_validation = ansible_module.params.get(
         'no_dnssec_validation')
+    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
+    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
+    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
+    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
+    options.dns_policy = ansible_module.params.get('dns_policy')
     # additional
     dns.ip_addresses = ansible_module_get_parsed_ip_addresses(
         ansible_module, 'dns_ip_addresses')

roles/ipareplica/library/ipareplica_test.py

@@ -181,6 +181,32 @@ options:
     type: bool
     default: no
     required: no
+  dot_forwarders:
+    description: List of DNS over TLS forwarders
+    type: list
+    elements: str
+    default: []
+    required: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
+  dns_over_tls_cert:
+    description:
+      Certificate to use for DNS over TLS. If empty, a new
+      certificate will be requested from IPA CA
+    type: str
+    required: no
+  dns_over_tls_key:
+    description: Key for certificate specified in dns_over_tls_cert
+    type: str
+    required: no
+  dns_policy:
+    description: Encrypted DNS policy
+    type: str
+    choices: ['relaxed', 'enforced']
+    default: 'relaxed'
 author:
     - Thomas Woerner (@t-woerner)
 '''
@@ -199,7 +225,8 @@ from ansible.module_utils.ansible_ipa_replica import (
     paths, sysrestore, ansible_module_get_parsed_ip_addresses, service,
     redirect_stdout, create_ipa_conf, ipautil,
     x509, validate_domain_name, common_check,
-    IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert
+    IPA_PYTHON_VERSION, getargspec, adtrustinstance, install_ca_cert,
+    services, CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION
 )
 
 
@@ -250,6 +277,14 @@ def main():
                                 choices=['first', 'only'], default=None),
             no_dnssec_validation=dict(required=False, type='bool',
                                       default=False),
+            dot_forwarders=dict(required=False, type='list', elements='str',
+                                default=[]),
+            dns_over_tls=dict(required=False, type='bool', default=False),
+            dns_over_tls_cert=dict(required=False, type='str'),
+            dns_over_tls_key=dict(required=False, type='str'),
+            dns_policy=dict(required=False, type='str',
+                            choices=['relaxed', 'enforced'],
+                            default='relaxed'),
         ),
     )
 
@@ -298,6 +333,11 @@ def main():
     options.forward_policy = ansible_module.params.get('forward_policy')
     options.no_dnssec_validation = ansible_module.params.get(
         'no_dnssec_validation')
+    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
+    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
+    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
+    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
+    options.dns_policy = ansible_module.params.get('dns_policy')
 
     ##########################################################################
     # replica init ###########################################################
@@ -419,6 +459,14 @@ def main():
             ansible_module.fail_json(
                 msg="You cannot specify a --no-dnssec-validation option "
                 "without the --setup-dns option")
+        if installer.dns_over_tls_cert:
+            ansible_module.fail_json(
+                msg="You cannot specify a --dns-over-tls-cert option "
+                "without the --setup-dns option")
+        if installer.dns_over_tls_key:
+            ansible_module.fail_json(
+                msg="You cannot specify a --dns-over-tls-key option "
+                "without the --setup-dns option")
     elif installer.forwarders and installer.no_forwarders:
         ansible_module.fail_json(
             msg="You cannot specify a --forwarder option together with "
@@ -435,6 +483,31 @@ def main():
         ansible_module.fail_json(
             msg="You cannot specify a --auto-reverse option together with "
             "--no-reverse")
+    elif installer.dot_forwarders and not installer.dns_over_tls:
+        ansible_module.fail_json(
+            msg="You cannot specify a --dot-forwarder option "
+            "without the --dns-over-tls option")
+    elif (installer.dns_over_tls
+          and not services.knownservices["unbound"].is_installed()):
+        ansible_module.fail_json(
+            msg="To enable DNS over TLS, package ipa-server-encrypted-dns "
+            "must be installed.")
+    elif installer.dns_policy == "enforced" and not installer.dns_over_tls:
+        ansible_module.fail_json(
+            msg="You cannot specify a --dns-policy option "
+            "without the --dns-over-tls option")
+    elif installer.dns_over_tls_cert and not installer.dns_over_tls:
+        ansible_module.fail_json(
+            msg="You cannot specify a --dns-over-tls-cert option "
+            "without the --dns-over-tls option")
+    elif installer.dns_over_tls_key and not installer.dns_over_tls:
+        ansible_module.fail_json(
+            msg="You cannot specify a --dns-over-tls-key option "
+            "without the --dns-over-tls option")
+    elif bool(installer.dns_over_tls_key) != bool(installer.dns_over_tls_cert):
+        ansible_module.fail_json(
+            msg="You cannot specify a --dns-over-tls-key option "
+            "without the --dns-over-tls-cert option and vice versa")
 
     # replica installers
     if installer.servers and not installer.domain_name:
@@ -449,6 +522,10 @@ def main():
             ansible_module.fail_json(
                 msg="You must specify at least one of --forwarder, "
                 "--auto-forwarders, or --no-forwarders options")
+            if installer.dns_over_tls and not installer.dot_forwarders:
+                ansible_module.fail_json(
+                    msg="You must specify --dot-forwarder "
+                    "when enabling DNS over TLS")
 
     if installer.dirsrv_config_file is not None and \
        not os.path.exists(installer.dirsrv_config_file):
@@ -486,6 +563,11 @@ def main():
     if installer.domain_name is not None:
         validate_domain_name(installer.domain_name)
 
+    if installer.dns_over_tls and not CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION:
+        ansible_module.fail_json(
+            msg="Important patches for DNS over TLS are missing in your "
+            "IPA version.")
+
     ##########################################################################
     # replica promote_check excerpts #########################################
     ##########################################################################

roles/ipareplica/module_utils/ansible_ipa_replica.py

@@ -80,6 +80,13 @@ except ImportError:
 try:
     from contextlib import contextmanager as contextlib_contextmanager
     from ipapython.version import NUM_VERSION, VERSION
+    try:
+        from ipapython.version import parse_version
+    except ImportError:
+        # In IPA we either need pkg_resources or packaging Version
+        # class to compare versions with check_remote_version, so
+        # we let an exception to be raised if neither is available.
+        from pkg_resources import parse_version
 
     if NUM_VERSION < 30201:
         # See ipapython/version.py
@@ -99,8 +106,6 @@ try:
         import dns.resolver as dnsresolver
         import dns.reversename as dnsreversename
 
-        from pkg_resources import parse_version
-
         from ipaclient.install.ipachangeconf import IPAChangeConf
         from ipalib.install import certstore, sysrestore
         from ipapython.ipautil import ipa_generate_password
@@ -182,6 +187,14 @@ try:
             from ipaserver.install import ntpinstance
             time_service = "ntpd"  # pylint: disable=invalid-name
 
+        try:
+            CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = False
+            from ipaclient.install.client import ClientInstallInterface
+        except ImportError:
+            pass
+        else:
+            if hasattr(ClientInstallInterface, "no_dnssec_validation"):
+                CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = True
     else:
         # IPA version < 4.6
         raise RuntimeError("freeipa version '%s' is too old" % VERSION)
@@ -208,11 +221,13 @@ def setup_logging():
 
 @contextlib_contextmanager
 def redirect_stdout(stream):
+    old_stdout = sys.stdout
+
     sys.stdout = stream
     try:
         yield stream
     finally:
-        sys.stdout = sys.__stdout__
+        sys.stdout = old_stdout
 
 
 class AnsibleModuleLog():
@@ -331,6 +346,7 @@ options.add_agents = False
 # ServerReplicaInstall
 options.subject_base = None
 options.ca_subject = None
+
 # pylint: enable=attribute-defined-outside-init
 
 

roles/ipareplica/tasks/install.yml

@@ -1,33 +1,43 @@
 ---
 # tasks file for ipareplica
 
-- name: Package installation
+- name: Install - Set ipareplica__dns_over_lts
+  ansible.builtin.set_fact:
+    ipareplica__dns_over_tls: "{{ ipareplica_dns_over_tls | default(ipaclient_dns_over_tls) | default(False) }}"
+
+- name: Install - Package installation
   when: ipareplica_install_packages | bool
   block:
 
-  - name: Install - Ensure IPA replica packages are installed
-    ansible.builtin.package:
-      name: "{{ ipareplica_packages }}"
-      state: present
+  - name: Install - Set packages for installation
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ ipareplica_packages }}"
 
-  - name: Install - Ensure IPA replica packages for dns are installed
-    ansible.builtin.package:
-      name: "{{ ipareplica_packages_dns }}"
-      state: present
+  - name: Install - Set packages for installlation, add DNS
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ _ipapackages + ipareplica_packages_dns }}"
     when: ipareplica_setup_dns | bool
 
-  - name: Install - Ensure IPA replica packages for adtrust are installed
-    ansible.builtin.package:
-      name: "{{ ipareplica_packages_adtrust }}"
-      state: present
+  - name: Install - Set packages for installlation, add DOT
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ _ipapackages + ipareplica_packages_dot }}"
+    when: ipareplica__dns_over_tls | bool
+
+  - name: Install - Set packages for installlation, add adtrust
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ _ipapackages + ipareplica_packages_adtrust }}"
     when: ipareplica_setup_adtrust | bool
 
-  - name: Install - Ensure that firewall packages installed
-    ansible.builtin.package:
-      name: "{{ ipareplica_packages_firewalld }}"
-      state: present
+  - name: Install - Set packages for installlation, add firewalld
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ _ipapackages + ipareplica_packages_firewalld }}"
     when: ipareplica_setup_firewalld | bool
 
+  - name: Install - Ensure that packages are installed
+    ansible.builtin.package:
+      name: "{{ _ipapackages }}"
+      state: present
+
 - name: Firewall configuration
   when: ipareplica_setup_firewalld | bool
   block:
@@ -104,6 +114,11 @@
     auto_forwarders: "{{ ipareplica_auto_forwarders }}"
     forward_policy: "{{ ipareplica_forward_policy | default(omit) }}"
     no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
+    dot_forwarders: "{{ ipareplica_dot_forwarders | default([]) }}"
+    dns_over_tls: "{{ ipareplica__dns_over_tls }}"
+    dns_over_tls_cert: "{{ ipareplica_dns_over_tls_cert | default(omit) }}"
+    dns_over_tls_key: "{{ ipareplica_dns_over_tls_key | default(omit) }}"
+    dns_policy: "{{ ipareplica_dns_policy | default(omit) }}"
   register: result_ipareplica_test
 
 - name: Install - Deploy replica
@@ -127,6 +142,8 @@
       ipaclient_hostname: "{{ result_ipareplica_test.hostname }}"
       ipaclient_ip_addresses: "{{ ipareplica_ip_addresses | default(omit) }}"
       ipaclient_install_packages: "{{ ipareplica_install_packages }}"
+      ipaclient_dns_over_tls: "{{ ipareplica__dns_over_tls }}"
+      ipaclient_no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
     when: not result_ipareplica_test.client_enrolled
 
   - name: Install - Configure firewalld
@@ -140,6 +157,8 @@
       {{ "--add-service=freeipa-trust" if result_ipareplica_test.setup_adtrust
          else "" }}
       {{ "--add-service=dns" if ipareplica_setup_dns | bool else "" }}
+      {{ "--add-service=dns-over-tls" if ipareplica__dns_over_tls | bool
+         else "" }}
       {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
     when: ipareplica_setup_firewalld | bool
 
@@ -153,6 +172,8 @@
       {{ "--add-service=freeipa-trust" if result_ipareplica_test.setup_adtrust
          else "" }}
       {{ "--add-service=dns" if ipareplica_setup_dns | bool else "" }}
+      {{ "--add-service=dns-over-tls" if ipareplica__dns_over_tls | bool
+         else "" }}
       {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
     when: ipareplica_setup_firewalld | bool
 
@@ -201,6 +222,11 @@
       auto_forwarders: "{{ ipareplica_auto_forwarders }}"
       forward_policy: "{{ ipareplica_forward_policy | default(omit) }}"
       no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
+      dot_forwarders: "{{ ipareplica_dot_forwarders | default([]) }}"
+      dns_over_tls: "{{ ipareplica__dns_over_tls }}"
+      dns_over_tls_cert: "{{ ipareplica_dns_over_tls_cert | default(omit) }}"
+      dns_over_tls_key: "{{ ipareplica_dns_over_tls_key | default(omit) }}"
+      dns_policy: "{{ ipareplica_dns_policy | default(omit) }}"
       ### ad trust ###
       enable_compat: "{{ ipareplica_enable_compat }}"
       netbios_name: "{{ ipareplica_netbios_name | default(omit) }}"
@@ -717,6 +743,11 @@
                           result_ipareplica_prepare.forward_policy is
                           not none else omit }}"
       no_dnssec_validation: "{{ ipareplica_no_dnssec_validation }}"
+      dot_forwarders: "{{ ipareplica_dot_forwarders | default([]) }}"
+      dns_over_tls: "{{ ipareplica__dns_over_tls }}"
+      dns_over_tls_cert: "{{ ipareplica_dns_over_tls_cert | default(omit) }}"
+      dns_over_tls_key: "{{ ipareplica_dns_over_tls_key | default(omit) }}"
+      dns_policy: "{{ ipareplica_dns_policy | default(omit) }}"
       ### additional ###
       dns_ip_addresses: "{{ result_ipareplica_prepare.dns_ip_addresses }}"
       dns_reverse_zones: "{{ result_ipareplica_prepare.dns_reverse_zones }}"

roles/ipareplica/vars/Fedora-25.yml

@@ -1,7 +0,0 @@
-# defaults file for ipareplica
-# vars/Fedora-25.yml
----
-ipareplica_packages: [ "ipa-server", "libselinux-python" ]
-ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
-ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/Fedora-26.yml

@@ -1,7 +0,0 @@
-# defaults file for ipareplica
-# vars/Fedora-26.yml
----
-ipareplica_packages: [ "ipa-server", "libselinux-python" ]
-ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
-ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/Fedora-27.yml

@@ -1,7 +0,0 @@
-# defaults file for ipareplica
-# vars/Fedora-27.yml
----
-ipareplica_packages: [ "ipa-server", "libselinux-python" ]
-ipareplica_packages_dns: [ "ipa-server-dns" ]
-ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
-ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/Fedora.yml

@@ -3,5 +3,6 @@
 ---
 ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
+ipareplica_packages_dot: [ "freeipa-server-encrypted-dns" ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/RedHat-7.yml

@@ -3,5 +3,6 @@
 ---
 ipareplica_packages: [ "ipa-server", "libselinux-python" ]
 ipareplica_packages_dns: [ "ipa-server-dns" ]
+ipareplica_packages_dot: [ ]
 ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
 ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/RedHat-8.yml

@@ -3,5 +3,6 @@
 ---
 ipareplica_packages: [ "@idm:DL1/server" ]
 ipareplica_packages_dns: [ "@idm:DL1/dns" ]
+ipareplica_packages_dot: [ ]
 ipareplica_packages_adtrust: [ "@idm:DL1/adtrust" ]
 ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/Ubuntu-18.04.yml

@@ -2,6 +2,7 @@
 ---
 ipareplica_packages: [ "freeipa-server" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
+ipareplica_packages_dot: [ ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipareplica_packages_firewalld: [ "firewalld" ]
 # Ubuntu Bionic Beaver must use python2 as Python interpreter due

roles/ipareplica/vars/Ubuntu.yml

@@ -3,5 +3,6 @@
 ---
 ipareplica_packages: [ "freeipa-server" ]
 ipareplica_packages_dns: [ "freeipa-server-dns" ]
+ipareplica_packages_dot: [ ]
 ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipareplica/vars/default.yml

@@ -1,7 +1,8 @@
 # defaults file for ipareplica
 # vars/default.yml
 ---
-ipareplica_packages: [ "freeipa-server", "python3-libselinux" ]
-ipareplica_packages_dns: [ "freeipa-server-dns" ]
-ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ]
+ipareplica_packages: [ "ipa-server", "python3-libselinux" ]
+ipareplica_packages_dns: [ "ipa-server-dns" ]
+ipareplica_packages_dot: [ "ipa-server-encrypted-dns" ]
+ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ]
 ipareplica_packages_firewalld: [ "firewalld" ]

roles/ipaserver/README.md

@@ -25,7 +25,7 @@ Supported Distributions
 
 * RHEL/CentOS 7.6+
 * CentOS Stream 8+
-* Fedora 26+
+* Fedora 40+
 * Ubuntu 16.04 and 18.04
 
 
@@ -343,6 +343,12 @@ Variable | Description | Required
 `ipaserver_auto_forwarders` | Add DNS forwarders configured in /etc/resolv.conf to the list of forwarders used by IPA DNS. (bool, default: false) | no
 `ipaserver_forward_policy` | DNS forwarding policy for global forwarders specified using other options. (choice: first, only) | no
 `ipaserver_no_dnssec_validation` | Disable DNSSEC validation on this server. (bool, default: false) | no
+`ipaserver_dot_forwarders` | List of DNS over TLS forwarders. Required if `ipaserver_dns_over_tls` is enabled. (list of strings) | no
+`ipaserver_dns_over_tls` \| `ipaclient_dns_over_tls` | Configure DNS over TLS. Requires FreeIPA version 4.12.5 or later. (bool, default: false) | no
+`ipaserver_dns_over_tls_cert` | Certificate to use for DNS over TLS. If empty, a new certificate will be requested from IPA CA. (string) | no
+`ipaserver_dns_over_tls_key` | Key for certificate specified in `ipaserver_dns_over_tls_cert`. (string) | no
+`ipaserver_dns_policy` | Encrypted DNS policy. Only usable if `ipaserver_dns_over_tls` is enabled. (choice: relaxed, enforced, default: relaxed) | no
+
 
 AD trust Variables
 ------------------

roles/ipaserver/defaults/main.yml

@@ -16,10 +16,10 @@ ipaserver_random_serial_numbers: false
 ### client ###
 ipaclient_mkhomedir: no
 ipaclient_no_ntp: no
-#ipaclient_ssh_trust_dns: no
-#ipaclient_no_ssh: no
-#ipaclient_no_sshd: no
-#ipaclient_no_dns_sshfp: no
+# ipaclient_ssh_trust_dns: no
+# ipaclient_no_ssh: no
+# ipaclient_no_sshd: no
+# ipaclient_no_dns_sshfp: no
 ### certificate system ###
 ipaserver_external_ca: no
 ### dns ###

roles/ipaserver/library/ipaserver_prepare.py

@@ -174,6 +174,32 @@ options:
     type: bool
     default: no
     required: no
+  dot_forwarders:
+    description: List of DNS over TLS forwarders
+    type: list
+    elements: str
+    default: []
+    required: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
+  dns_over_tls_cert:
+    description:
+      Certificate to use for DNS over TLS. If empty, a new
+      certificate will be requested from IPA CA
+    type: str
+    required: no
+  dns_over_tls_key:
+    description: Key for certificate specified in dns_over_tls_cert
+    type: str
+    required: no
+  dns_policy:
+    description: Encrypted DNS policy
+    type: str
+    choices: ['relaxed', 'enforced']
+    default: 'relaxed'
   enable_compat:
     description: Enable support for trusted domains for old clients
     type: bool
@@ -280,6 +306,15 @@ def main():
                                 choices=['first', 'only'], default=None),
             no_dnssec_validation=dict(required=False, type='bool',
                                       default=False),
+            dot_forwarders=dict(required=False, type='list', elements='str',
+                                default=[]),
+            dns_over_tls=dict(required=False, type='bool',
+                              default=False),
+            dns_over_tls_cert=dict(required=False, type='str'),
+            dns_over_tls_key=dict(required=False, type='str'),
+            dns_policy=dict(required=False, type='str',
+                            choices=['relaxed', 'enforced'],
+                            default='relaxed'),
             # ad trust
             enable_compat=dict(required=False, type='bool', default=False),
             netbios_name=dict(required=False, type='str'),
@@ -360,6 +395,11 @@ def main():
     options.forward_policy = ansible_module.params.get('forward_policy')
     options.no_dnssec_validation = ansible_module.params.get(
         'no_dnssec_validation')
+    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
+    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
+    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
+    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
+    options.dns_policy = ansible_module.params.get('dns_policy')
     # ad trust
     options.enable_compat = ansible_module.params.get('enable_compat')
     options.netbios_name = ansible_module.params.get('netbios_name')

roles/ipaserver/library/ipaserver_setup_dns.py

@@ -83,6 +83,32 @@ options:
     type: bool
     default: no
     required: no
+  dot_forwarders:
+    description: List of DNS over TLS forwarders
+    type: list
+    elements: str
+    default: []
+    required: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
+  dns_over_tls_cert:
+    description:
+      Certificate to use for DNS over TLS. If empty, a new
+      certificate will be requested from IPA CA
+    type: str
+    required: no
+  dns_over_tls_key:
+    description: Key for certificate specified in dns_over_tls_cert
+    type: str
+    required: no
+  dns_policy:
+    description: Encrypted DNS policy
+    type: str
+    choices: ['relaxed', 'enforced']
+    default: 'relaxed'
   dns_ip_addresses:
     description: The dns ip_addresses setting
     type: list
@@ -107,9 +133,13 @@ from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_server import (
     check_imports, AnsibleModuleLog, setup_logging, options, paths, dns,
     ansible_module_get_parsed_ip_addresses, sysrestore, api_Backend_ldap2,
-    redirect_stdout, bindinstance
+    redirect_stdout
 )
 
+# pylint: disable=unused-import
+from ansible.module_utils.ansible_ipa_server import bindinstance  # noqa: F401
+# pylint: enable=unused-import
+
 
 def main():
     ansible_module = AnsibleModule(
@@ -130,6 +160,14 @@ def main():
                                 default='first'),
             no_dnssec_validation=dict(required=False, type='bool',
                                       default=False),
+            dot_forwarders=dict(required=False, type='list', elements='str',
+                                default=[]),
+            dns_over_tls=dict(required=False, type='bool', default=False),
+            dns_over_tls_cert=dict(required=False, type='str'),
+            dns_over_tls_key=dict(required=False, type='str'),
+            dns_policy=dict(required=False, type='str',
+                            choices=['relaxed', 'enforced'],
+                            default='relaxed'),
             # additional
             dns_ip_addresses=dict(required=True, type='list', elements='str'),
             dns_reverse_zones=dict(required=True, type='list', elements='str'),
@@ -158,6 +196,11 @@ def main():
     options.forward_policy = ansible_module.params.get('forward_policy')
     options.no_dnssec_validation = ansible_module.params.get(
         'no_dnssec_validation')
+    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
+    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
+    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
+    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
+    options.dns_policy = ansible_module.params.get('dns_policy')
     # additional
     dns.ip_addresses = ansible_module_get_parsed_ip_addresses(
         ansible_module, 'dns_ip_addresses')
@@ -165,25 +208,16 @@ def main():
 
     # init ##################################################################
 
-    fstore = sysrestore.FileStore(paths.SYSRESTORE)
+    # pylint: disable=unused-variable
+    fstore = sysrestore.FileStore(paths.SYSRESTORE)  # noqa: F841
+    # pylint: enable=unused-variable
 
     api_Backend_ldap2(options.host_name, options.setup_ca, connect=True)
 
     # setup dns #############################################################
 
     with redirect_stdout(ansible_log):
-        if options.setup_dns:
-            dns.install(False, False, options)
-        else:
-            # Create a BIND instance
-            bind = bindinstance.BindInstance(fstore)
-            bind.set_output(ansible_log)
-            bind.setup(options.host_name, options.ip_addresses,
-                       options.realm_name,
-                       options.domain_name, (), 'first', (),
-                       zonemgr=options.zonemgr,
-                       no_dnssec_validation=options.no_dnssec_validation)
-            bind.create_file_with_system_records()
+        dns.install(False, False, options)
 
     # done ##################################################################
 

roles/ipaserver/library/ipaserver_test.py

@@ -265,6 +265,32 @@ options:
     type: bool
     default: no
     required: no
+  dot_forwarders:
+    description: List of DNS over TLS forwarders
+    type: list
+    elements: str
+    default: []
+    required: no
+  dns_over_tls:
+    description: Configure DNS over TLS
+    type: bool
+    default: no
+    required: no
+  dns_over_tls_cert:
+    description:
+      Certificate to use for DNS over TLS. If empty, a new
+      certificate will be requested from IPA CA
+    type: str
+    required: no
+  dns_over_tls_key:
+    description: Key for certificate specified in dns_over_tls_cert
+    type: str
+    required: no
+  dns_policy:
+    description: Encrypted DNS policy
+    type: str
+    choices: ['relaxed', 'enforced']
+    default: 'relaxed'
   enable_compat:
     description: Enable support for trusted domains for old clients
     type: bool
@@ -312,7 +338,8 @@ from ansible.module_utils.ansible_ipa_server import (
     check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
     validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
     encode_certificate, check_available_memory, getargspec, adtrustinstance,
-    get_min_idstart, SerialNumber
+    get_min_idstart, SerialNumber, services, service,
+    CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION
 )
 from ansible.module_utils import six
 
@@ -396,6 +423,14 @@ def main():
                                 choices=['first', 'only'], default=None),
             no_dnssec_validation=dict(required=False, type='bool',
                                       default=False),
+            dot_forwarders=dict(required=False, type='list', elements='str',
+                                default=[]),
+            dns_over_tls=dict(required=False, type='bool', default=False),
+            dns_over_tls_cert=dict(required=False, type='str'),
+            dns_over_tls_key=dict(required=False, type='str'),
+            dns_policy=dict(required=False, type='str',
+                            choices=['relaxed', 'enforced'],
+                            default='relaxed'),
             # ad trust
             enable_compat=dict(required=False, type='bool', default=False),
             netbios_name=dict(required=False, type='str'),
@@ -482,6 +517,11 @@ def main():
     options.forward_policy = ansible_module.params.get('forward_policy')
     options.no_dnssec_validation = ansible_module.params.get(
         'no_dnssec_validation')
+    options.dot_forwarders = ansible_module.params.get('dot_forwarders')
+    options.dns_over_tls = ansible_module.params.get('dns_over_tls')
+    options.dns_over_tls_cert = ansible_module.params.get('dns_over_tls_cert')
+    options.dns_over_tls_key = ansible_module.params.get('dns_over_tls_key')
+    options.dns_policy = ansible_module.params.get('dns_policy')
     # ad trust
     options.enable_compat = ansible_module.params.get('enable_compat')
     options.netbios_name = ansible_module.params.get('netbios_name')
@@ -603,6 +643,14 @@ def main():
                 raise RuntimeError(
                     "You cannot specify a --no-dnssec-validation option "
                     "without the --setup-dns option")
+            if self.dns_over_tls_cert:
+                raise RuntimeError(
+                    "You cannot specify a --dns-over-tls-cert option "
+                    "without the --setup-dns option")
+            if self.dns_over_tls_key:
+                raise RuntimeError(
+                    "You cannot specify a --dns-over-tls-key option "
+                    "without the --setup-dns option")
         elif self.forwarders and self.no_forwarders:
             raise RuntimeError(
                 "You cannot specify a --forwarder option together with "
@@ -619,7 +667,31 @@ def main():
             raise RuntimeError(
                 "You cannot specify a --auto-reverse option together with "
                 "--no-reverse")
-
+        elif self.dot_forwarders and not self.dns_over_tls:
+            raise RuntimeError(
+                "You cannot specify a --dot-forwarder option "
+                "without the --dns-over-tls option")
+        elif (self.dns_over_tls
+              and not services.knownservices["unbound"].is_installed()):
+            raise RuntimeError(
+                "To enable DNS over TLS, package ipa-server-encrypted-dns "
+                "must be installed.")
+        elif self.dns_policy == "enforced" and not self.dns_over_tls:
+            raise RuntimeError(
+                "You cannot specify a --dns-policy option "
+                "without the --dns-over-tls option")
+        elif self.dns_over_tls_cert and not self.dns_over_tls:
+            raise RuntimeError(
+                "You cannot specify a --dns-over-tls-cert option "
+                "without the --dns-over-tls option")
+        elif self.dns_over_tls_key and not self.dns_over_tls:
+            raise RuntimeError(
+                "You cannot specify a --dns-over-tls-key option "
+                "without the --dns-over-tls option")
+        elif bool(self.dns_over_tls_key) != bool(self.dns_over_tls_cert):
+            raise RuntimeError(
+                "You cannot specify a --dns-over-tls-key option "
+                "without the --dns-over-tls-cert option and vice versa")
         if not self.setup_adtrust:
             if self.add_agents:
                 raise RuntimeError(
@@ -677,6 +749,10 @@ def main():
                         raise RuntimeError(
                             "You must specify at least one of --forwarder, "
                             "--auto-forwarders, or --no-forwarders options")
+                    if self.dns_over_tls and not self.dot_forwarders:
+                        raise RuntimeError(
+                            "You must specify --dot-forwarder "
+                            "when enabling DNS over TLS")
 
             any_ignore_option_true = any(
                 [self.ignore_topology_disconnect, self.ignore_last_of_role])
@@ -719,6 +795,19 @@ def main():
 
     # #######################################################################
 
+    if options.dns_over_tls and not CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION:
+        ansible_module.fail_json(
+            msg="Important patches for DNS over TLS are missing in your "
+            "IPA version.")
+
+    client_dns_over_tls = self.dns_over_tls
+    if self.dns_over_tls and not self.setup_dns:
+        service.print_msg("Warning: --dns-over-tls option "
+                          "specified without --setup-dns, ignoring")
+        client_dns_over_tls = False
+
+    # #######################################################################
+
     # If any of the key file options are selected, all are required.
     cert_file_req = (options.dirsrv_cert_files, options.http_cert_files)
     cert_file_opt = (options.pkinit_cert_files,)
@@ -1208,6 +1297,7 @@ def main():
         domainlevel=options.domainlevel,
         sid_generation_always=sid_generation_always,
         random_serial_numbers=options._random_serial_numbers,
+        client_dns_over_tls=client_dns_over_tls
     )
 
 

roles/ipaserver/module_utils/ansible_ipa_server.py

@@ -216,6 +216,14 @@ try:
         except ImportError:
             SerialNumber = None
 
+        try:
+            CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = False
+            from ipaclient.install.client import ClientInstallInterface
+        except ImportError:
+            pass
+        else:
+            if hasattr(ClientInstallInterface, "no_dnssec_validation"):
+                CLIENT_SUPPORTS_NO_DNSSEC_VALIDATION = True
     else:
         # IPA version < 4.5
         raise RuntimeError("freeipa version '%s' is too old" % VERSION)
@@ -241,11 +249,13 @@ def setup_logging():
 
 @contextlib_contextmanager
 def redirect_stdout(stream):
+    old_stdout = sys.stdout
+
     sys.stdout = stream
     try:
         yield stream
     finally:
-        sys.stdout = sys.__stdout__
+        sys.stdout = old_stdout
 
 
 class AnsibleModuleLog():

roles/ipaserver/tasks/install.yml

@@ -1,32 +1,42 @@
 ---
 # tasks file for ipaserver
 
+- name: Install - Set ipaserver__dns_over_lts
+  ansible.builtin.set_fact:
+    ipaserver__dns_over_tls: "{{ ipaserver_dns_over_tls | default(ipaclient_dns_over_tls) | default(False) }}"
+
 - name: Install - Package installation
   when: ipaserver_install_packages | bool
   block:
-  - name: Install - Ensure that IPA server packages are installed
-    ansible.builtin.package:
-      name: "{{ ipaserver_packages }}"
-      state: present
 
-  - name: Install - Ensure that IPA server packages for dns are installed
-    ansible.builtin.package:
-      name: "{{ ipaserver_packages_dns }}"
-      state: present
+  - name: Install - Set packages for installation
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ ipaserver_packages }}"
+
+  - name: Install - Set packages for installlation, add DNS
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ _ipapackages + ipaserver_packages_dns }}"
     when: ipaserver_setup_dns | bool
 
-  - name: Install - Ensure that IPA server packages for adtrust are installed
-    ansible.builtin.package:
-      name: "{{ ipaserver_packages_adtrust }}"
-      state: present
+  - name: Install - Set packages for installlation, add DOT
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ _ipapackages + ipaserver_packages_dot }}"
+    when: ipaserver__dns_over_tls | bool
+
+  - name: Install - Set packages for installlation, add adtrust
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ _ipapackages + ipaserver_packages_adtrust }}"
     when: ipaserver_setup_adtrust | bool
 
-  - name: Install - Ensure that firewall packages installed
-    ansible.builtin.package:
-      name: "{{ ipaserver_packages_firewalld }}"
-      state: present
+  - name: Install - Set packages for installlation, add firewalld
+    ansible.builtin.set_fact:
+      _ipapackages: "{{ _ipapackages + ipaserver_packages_firewalld }}"
     when: ipaserver_setup_firewalld | bool
 
+  - name: Install - Ensure that packages are installed
+    ansible.builtin.package:
+      name: "{{ _ipapackages }}"
+      state: present
 
 - name: Install - Firewall configuration
   when: ipaserver_setup_firewalld | bool
@@ -121,6 +131,11 @@
     auto_forwarders: "{{ ipaserver_auto_forwarders }}"
     forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
     no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
+    dot_forwarders: "{{ ipaserver_dot_forwarders | default([]) }}"
+    dns_over_tls: "{{ ipaserver__dns_over_tls }}"
+    dns_over_tls_cert: "{{ ipaserver_dns_over_tls_cert | default(omit) }}"
+    dns_over_tls_key: "{{ ipaserver_dns_over_tls_key | default(omit) }}"
+    dns_policy: "{{ ipaserver_dns_policy | default(omit) }}"
     ### ad trust ###
     enable_compat: "{{ ipaserver_enable_compat }}"
     netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
@@ -192,6 +207,11 @@
       auto_forwarders: "{{ ipaserver_auto_forwarders }}"
       forward_policy: "{{ ipaserver_forward_policy | default(omit) }}"
       no_dnssec_validation: "{{ ipaserver_no_dnssec_validation }}"
+      dot_forwarders: "{{ ipaserver_dot_forwarders | default([]) }}"
+      dns_over_tls: "{{ ipaserver__dns_over_tls }}"
+      dns_over_tls_cert: "{{ ipaserver_dns_over_tls_cert | default(omit) }}"
+      dns_over_tls_key: "{{ ipaserver_dns_over_tls_key | default(omit) }}"
+      dns_policy: "{{ ipaserver_dns_policy | default(omit) }}"
       ### ad trust ###
       enable_compat: "{{ ipaserver_enable_compat }}"
       netbios_name: "{{ ipaserver_netbios_name | default(omit) }}"
@@ -381,6 +401,11 @@
         forward_policy: "{{ result_ipaserver_prepare.forward_policy }}"
         zonemgr: "{{ ipaserver_zonemgr | default(omit) }}"
         no_dnssec_validation: "{{ result_ipaserver_prepare.no_dnssec_validation }}"
+        dot_forwarders: "{{ ipaserver_dot_forwarders | default([]) }}"
+        dns_over_tls: "{{ ipaserver__dns_over_tls }}"
+        dns_over_tls_cert: "{{ ipaserver_dns_over_tls_cert | default(omit) }}"
+        dns_over_tls_key: "{{ ipaserver_dns_over_tls_key | default(omit) }}"
+        dns_policy: "{{ ipaserver_dns_policy | default(omit) }}"
         ### additional ###
         dns_ip_addresses: "{{ result_ipaserver_prepare.dns_ip_addresses }}"
         dns_reverse_zones: "{{ result_ipaserver_prepare.dns_reverse_zones }}"
@@ -432,6 +457,7 @@
         ipaclient_no_ntp:
           "{{ 'true' if result_ipaserver_test.ipa_python_version >= 40690
                else 'false' }}"
+        ipaclient_dns_over_tls: "{{ result_ipaserver_test.client_dns_over_tls }}"
         ipaclient_install_packages: no
 
     - name: Install - Enable IPA
@@ -452,6 +478,8 @@
         {{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
            else "" }}
         {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
+        {{ "--add-service=dns-over-tls" if ipaserver__dns_over_tls | bool
+           else "" }}
         {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
       when: ipaserver_setup_firewalld | bool
 
@@ -465,6 +493,8 @@
         {{ "--add-service=freeipa-trust" if ipaserver_setup_adtrust | bool
            else "" }}
         {{ "--add-service=dns" if ipaserver_setup_dns | bool else "" }}
+        {{ "--add-service=dns-over-tls" if ipaserver__dns_over_tls | bool
+           else "" }}
         {{ "--add-service=ntp" if not ipaclient_no_ntp | bool else "" }}
       when: ipaserver_setup_firewalld | bool
 

roles/ipaserver/tasks/uninstall.yml

@@ -54,8 +54,3 @@
   # 1 means that uninstall failed because IPA server was not configured
   failed_when: uninstall.rc != 0 and uninstall.rc != 1
   changed_when: uninstall.rc == 0
-
-#- name: Remove IPA server packages
-#  ansible.builtin.package:
-#    name: "{{ ipaserver_packages }}"
-#    state: absent

roles/ipaserver/vars/Fedora-25.yml

@@ -1,7 +0,0 @@
-# defaults file for ipaserver
-# vars/Fedora-25.yml
----
-ipaserver_packages: [ "ipa-server", "libselinux-python" ]
-ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
-ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/Fedora-26.yml

@@ -1,7 +0,0 @@
-# defaults file for ipaserver
-# vars/Fedora-26.yml
----
-ipaserver_packages: [ "ipa-server", "libselinux-python" ]
-ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
-ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/Fedora-27.yml

@@ -1,7 +0,0 @@
-# defaults file for ipaserver
-# vars/Fedora-27.yml
----
-ipaserver_packages: [ "ipa-server", "libselinux-python" ]
-ipaserver_packages_dns: [ "ipa-server-dns" ]
-ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
-ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/Fedora.yml

@@ -3,5 +3,6 @@
 ---
 ipaserver_packages: [ "freeipa-server", "python3-libselinux" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
+ipaserver_packages_dot: [ "freeipa-server-encrypted-dns" ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/RedHat-7.yml

@@ -3,5 +3,6 @@
 ---
 ipaserver_packages: [ "ipa-server", "libselinux-python" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
+ipaserver_packages_dot: [ ]
 ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ]
 ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/RedHat-8.yml

@@ -3,5 +3,6 @@
 ---
 ipaserver_packages: [ "@idm:DL1/server" ]
 ipaserver_packages_dns: [ "@idm:DL1/dns" ]
+ipaserver_packages_dot: [ ]
 ipaserver_packages_adtrust: [ "@idm:DL1/adtrust" ]
 ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/Ubuntu-18.04.yml

@@ -2,6 +2,7 @@
 ---
 ipaserver_packages: [ "freeipa-server" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
+ipaserver_packages_dot: [ ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipaserver_packages_firewalld: [ "firewalld" ]
 # Ubuntu Bionic Beaver must use python2 as Python interpreter due

roles/ipaserver/vars/Ubuntu.yml

@@ -3,5 +3,6 @@
 ---
 ipaserver_packages: [ "freeipa-server" ]
 ipaserver_packages_dns: [ "freeipa-server-dns" ]
+ipaserver_packages_dot: [ ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipaserver/vars/default.yml

@@ -3,5 +3,6 @@
 ---
 ipaserver_packages: [ "ipa-server", "python3-libselinux" ]
 ipaserver_packages_dns: [ "ipa-server-dns" ]
+ipaserver_packages_dot: [ "ipa-server-encrypted-dns" ]
 ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ]
 ipaserver_packages_firewalld: [ "firewalld" ]

roles/ipasmartcard_client/README.md

@@ -25,7 +25,7 @@ Supported Distributions
 
 * RHEL/CentOS 7.6+
 * CentOS Stream 8+
-* Fedora 26+
+* Fedora 40+
 
 
 Requirements

roles/ipasmartcard_client/tasks/main.yml

@@ -109,7 +109,7 @@
       ansible.builtin.file:
         path: /etc/sssd/pki
         state: directory
-        mode: 0711
+        mode: "0711"
 
     - name: Ensure /etc/sssd/pki/sssd_auth_ca_db.pem is absent
       ansible.builtin.file:

roles/ipasmartcard_server/README.md

@@ -27,7 +27,7 @@ Supported Distributions
 
 * RHEL/CentOS 7.6+
 * CentOS Stream 8+
-* Fedora 26+
+* Fedora 40+
 
 
 Requirements

roles/ipasmartcard_server/tasks/main.yml

@@ -201,7 +201,7 @@
       ansible.builtin.file:
         path: /etc/sssd/pki
         state: directory
-        mode: 0711
+        mode: "0711"
 
     - name: Ensure /etc/sssd/pki/sssd_auth_ca_db.pem is absent
       ansible.builtin.file:

tests/ca-less/install_replica_without_ca.yml

@@ -48,7 +48,7 @@
       ansible.builtin.file:
         path: "/root/ca-less-test"
         state: directory
-        mode: 0775
+        mode: "0775"
 
     - name: Copy CA certificate
       ansible.builtin.copy:

tests/ca-less/install_server_without_ca.yml

@@ -48,7 +48,7 @@
       ansible.builtin.file:
         path: "/root/ca-less-test"
         state: directory
-        mode: 0775
+        mode: "0775"
 
     - name: Copy CA certificate
       ansible.builtin.copy:

tests/cert/test_cert_host.yml

@@ -47,7 +47,7 @@
     ansible.builtin.copy:
       dest: "/root/host.csr"
       content: "{{ host_req.stdout }}"
-      mode: 0644
+      mode: "0644"
 
   # TESTS
 

tests/cert/test_cert_user.yml

@@ -45,7 +45,7 @@
     ansible.builtin.copy:
       dest: "/root/user.csr"
       content: "{{ user_req.stdout }}"
-      mode: 0644
+      mode: "0644"
 
   # TESTS
 

tests/env_freeipa_facts.yml

@@ -7,6 +7,10 @@
 # ipa_api_version: The installed FreeIPA API version.
 #
 ---
+- name: Ensure minimal facts are available
+  ansible.builtin.setup:
+    gather_subset: dns
+
 - name: Retrieving FreeIPA version.
   ansible.builtin.shell:
     cmd: 'ipa --version | sed -n "s/VERSION: \([^,]*\).*API_VERSION: \([^,]*\).*/\1\\n\2/p"'
@@ -15,20 +19,31 @@
 - name: Verify if host is an IPA server or client.
   ansible.builtin.shell:
     cmd: |
-      echo SomeADMINpassword | kinit -c {{ krb5ccname }} admin
-      RESULT=$(KRB5CCNAME={{ krb5ccname }} ipa server-show `hostname` && echo SERVER || echo CLIENT)
-      kdestroy -A -c {{ krb5ccname }}
+      echo SomeADMINpassword | kinit -c {{ krb5ccname }} admin >/dev/null
+      RESULT=$(KRB5CCNAME={{ krb5ccname }} ipa server-show `hostname` >/dev/null && echo SERVER || echo CLIENT)
+      kdestroy -A -c {{ krb5ccname }} >/dev/null
       echo $RESULT
   vars:
     krb5ccname: "__check_ipa_host_is_client_or_server__"
-  register: output
+  register: check_client
+
+- name: Verify if AD tests are possible
+  ansible.builtin.shell:
+    cmd: |
+      echo SomeADMINpassword | kinit -c {{ krb5ccname }} admin > /dev/null
+      RESULT=$(KRB5CCNAME={{ krb5ccname }} ipa server-find --all | grep "Enabled server roles")
+      kdestroy -A -c {{ krb5ccname }} > /dev/null
+      echo $RESULT
+  vars:
+    krb5ccname: "__check_ipa_host_is_client_or_server__"
+  register: check_ad_support
 
 - name: Set FreeIPA facts.
   ansible.builtin.set_fact:
     ipa_version: "{{ ipa_cmd_version.stdout_lines[0] }}"
     ipa_api_version: "{{ ipa_cmd_version.stdout_lines[1] }}"
-    ipa_host_is_client: "{{ (output.stdout_lines[-1] == 'CLIENT') | bool }}"
-    trust_test_is_supported: no
+    ipa_host_is_client: "{{ (check_client.stdout_lines[-1] == 'CLIENT') | bool }}"
+    trust_test_is_supported: "{{ 'AD trust agent' in check_ad_support.stdout }}"
 
 - name: Ensure ipaserver_domain is set
   when: ipaserver_domain is not defined
@@ -42,3 +57,8 @@
     ansible.builtin.set_fact:
       ipaserver_domain: "ipa.test"
     when: "'fqdn' not in ansible_facts"
+
+- name: Ensure ipaserver_realm is set
+  ansible.builtin.set_fact:
+    ipaserver_realm: "{{ ipaserver_domain | upper }}"
+  when: ipaserver_realm is not defined

tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml

@@ -28,7 +28,7 @@
   become: true
   vars:
     ipaserver_external_cert_files_from_controller: "{{ groups.ipaserver[0] + '-chain.crt' }}"
-    #ipaserver_external_ca_file: "{{ groups.ipaserver[0] + '-cacert.asc' }}"
+    # ipaserver_external_ca_file: "{{ groups.ipaserver[0] + '-cacert.asc' }}"
 
   roles:
   - role: ipaserver

tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml

@@ -34,7 +34,7 @@
   become: true
   vars:
     ipaserver_external_cert_files: "/root/chain.crt"
-    #ipaserver_external_ca_file: "cacert.asc"
+    # ipaserver_external_ca_file: "cacert.asc"
 
   pre_tasks:
   - name: Copy "{{ groups.ipaserver[0] + '-chain.crt' }}" to /root/chain.crt on node

tests/group/test_group.yml

@@ -1,8 +1,8 @@
 ---
 - name: Test group
   hosts: "{{ ipa_test_host | default('ipaserver') }}"
-  become: true
-  gather_facts: true
+  become: false
+  gather_facts: false
   module_defaults:
     ipauser:
       ipaadmin_password: SomeADMINpassword
@@ -10,6 +10,9 @@
     ipagroup:
       ipaadmin_password: SomeADMINpassword
       ipaapi_context: "{{ ipa_context | default(omit) }}"
+    ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
 
   tasks:
   # setup
@@ -51,6 +54,16 @@
     register: result
     failed_when: not result.changed or result.failed
 
+  - name: Ensure test service HTTP is present
+    ipaservice:
+      name: "{{ 'HTTP/' + fqdn_at_domain }}"
+    notify: Cleanup http service
+
+  - name: Ensure test service LDAP is present
+    ipaservice:
+      name: "{{ 'ldap/' + fqdn_at_domain }}"
+    notify: Cleanup ldap service
+
   # TESTS
 
   - name: Ensure group1 is present
@@ -298,11 +311,11 @@
     register: result
     failed_when: result.changed or result.failed
 
-  #- ipagroup:
-  #    name: group1
-  #    user:
-  #    - user7
-  #    action: member
+  # - ipagroup:
+  #     name: group1
+  #     user:
+  #     - user7
+  #     action: member
 
   - name: Ensure user user7 is absent in group group1
     ipagroup:
@@ -437,3 +450,16 @@
       state: absent
     register: result
     failed_when: not result.changed or result.failed
+
+  # ansible-lint is complaining on the use of 'when' and requiring
+  # the use of handlers.
+  handlers:
+  - name: Cleanup http service
+    ipaservice:
+      name: "{{ 'HTTP/' + fqdn_at_domain }}"
+      state: absent
+
+  - name: Cleanup ldap service
+    ipaservice:
+      name: "{{ 'ldap/' + fqdn_at_domain }}"
+      state: absent

tests/group/test_group_ad_users.yml

@@ -0,0 +1,73 @@
+---
+- name: Test group AD external members idempotence
+  hosts: ipaserver
+  become: false
+  gather_facts: false
+  module_defaults:
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: server  # external_member requires 'server' context
+
+  vars:
+    ad_user: "{{ test_ad_user | default('AD\\aduser') }}"
+    alt_user: "{{ test_alt_user | default('aduser@ad.ipa.test') }}"
+
+  tasks:
+  - name: Include tasks ../env_freeipa_facts.yml
+    ansible.builtin.include_tasks: ../env_freeipa_facts.yml
+
+  - name: Ensure test group is absent.
+    ipagroup:
+      name: extgroup
+      state: absent
+
+  - name: Execute group tests if trust test environment is supported
+    when: trust_test_is_supported | default(false)
+    block:
+      - name: Ensure external group, with AD users, is present.
+        ipagroup:
+          name: extgroup
+          external: true
+          external_member: "{{ ad_user }}"
+        register: result
+        failed_when: result.failed or not result.changed
+
+      - name: Ensure external group, with AD users, is present, again
+        ipagroup:
+          name: extgroup
+          external: true
+          external_member: "{{ ad_user }}"
+        register: result
+        failed_when: result.failed or result.changed
+
+      - name: Ensure external group, with alternate name AD users, is present
+        ipagroup:
+          name: extgroup
+          external: true
+          external_member: "{{ alt_user }}"
+        register: result
+        failed_when: result.failed or result.changed
+
+      - name: Ensure external_member is absent
+        ipagroup:
+          name: extgroup
+          external_member: "{{ ad_user }}"
+          action: member
+          state: absent
+        register: result
+        failed_when: result.failed or not result.changed
+
+      - name: Ensure external_member is absent, again
+        ipagroup:
+          name: extgroup
+          external_member: "{{ alt_user }}"
+          action: member
+          state: absent
+        register: result
+        failed_when: result.failed or result.changed
+
+    always:
+      - name: Cleanup environment.
+        ipagroup:
+          name: extgroup
+          state: absent

tests/group/test_group_client_context.yml

@@ -4,6 +4,9 @@
   become: no
   gather_facts: no
 
+  vars:
+    ad_user: "{{ test_ad_user | default('AD\\aduser') }}"
+
   tasks:
   - name: Include FreeIPA facts.
     ansible.builtin.include_tasks: ../env_freeipa_facts.yml
@@ -18,6 +21,16 @@
     failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
     when: ipa_host_is_client
 
+  - name: Ensuref fail if externalmember is used in client context.
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: client
+      name: ThisShouldNotWork
+      external_member: "{{ ad_user }}"
+      external: true
+    register: result
+    failed_when: not (result.failed and result.msg == "Cannot use externalmember in client context.")
+
 # Import basic module tests, and execute with ipa_context set to 'client'.
 # If ipaclients is set, it will be executed using the client, if not,
 # ipaserver will be used.

tests/group/test_group_external_members.yml

@@ -1,12 +1,16 @@
 ---
-- name: Find trust
-  hosts: ipaserver
+- name: Test groups with external members
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
   become: false
   gather_facts: false
   module_defaults:
     ipagroup:
       ipaadmin_password: SomeADMINpassword
-      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      ipaapi_context: server  # external_member requires 'server' context
+
+  vars:
+    ad_user: "{{ test_ad_user | default('AD\\aduser') }}"
+    alt_user: "{{ test_alt_user | default('aduser@ad.ipa.test') }}"
 
   tasks:
 
@@ -24,86 +28,121 @@
     when: trust_test_is_supported | default(false)
     block:
 
-    - name: Add nonposix group.
+    - name: Ensure nonposix group is present
       ipagroup:
         name: extgroup
         nonposix: true
       register: result
       failed_when: result.failed or not result.changed
 
-    - name: Set group to be external
+    - name: Ensure nonposix group is present, again
+      ipagroup:
+        name: extgroup
+        nonposix: true
+      register: result
+      failed_when: result.failed or result.changed
+
+    - name: Ensure nonposix group is external
       ipagroup:
         name: extgroup
         external: true
       register: result
       failed_when: result.failed or not result.changed
 
-    - name: Add AD users to group
+    - name: Ensure nonposix group has AD users
       ipagroup:
         name: extgroup
-        external_member: "AD\\Domain Users"
+        external_member: "{{ ad_user }}"
       register: result
       failed_when: result.failed or not result.changed
 
-    - name: Add AD users to group, again
+    - name: Ensure nonposix group has AD users, again
       ipagroup:
         name: extgroup
-        external_member: "AD\\Domain Users"
+        external_member: "{{ ad_user }}"
       register: result
       failed_when: result.failed or result.changed
 
-    - name: Remove external group
+    - name: Ensure nonposix group is absent.
       ipagroup:
         name: extgroup
         state: absent
       register: result
       failed_when: result.failed or not result.changed
 
-    - name: Add nonposix, external group, with AD users.
+    - name: Ensure nonposix group is absent, again.
       ipagroup:
         name: extgroup
-        nonposix: true
-        external: true
-        external_member: "AD\\Domain Users"
-      register: result
-      failed_when: result.failed or not result.changed
-
-    - name: Add nonposix, external group, with AD users, again.
-      ipagroup:
-        name: extgroup
-        nonposix: true
-        external: true
-        external_member: "AD\\Domain Users"
+        state: absent
       register: result
       failed_when: result.failed or result.changed
 
-    - name: Remove group
+    - name: Ensure external group is present, with AD users.
+      ipagroup:
+        name: extgroup
+        external: true
+        external_member: "{{ ad_user }}"
+      register: result
+      failed_when: result.failed or not result.changed
+
+    - name: Ensure external group is present, with AD alternate users.
+      ipagroup:
+        name: extgroup
+        external: true
+        external_member: "{{ alt_user }}"
+      register: result
+      failed_when: result.failed or result.changed
+
+    - name: Ensure external group is present, with AD users, again.
+      ipagroup:
+        name: extgroup
+        external: true
+        external_member: "{{ ad_user }}"
+      register: result
+      failed_when: result.failed or result.changed
+
+    - name: Ensure external group is absent
       ipagroup:
         name: extgroup
         state: absent
       register: result
       failed_when: result.failed or not result.changed
 
-    - name: Add nonposix group.
+    - name: Ensure external group is absent, again
+      ipagroup:
+        name: extgroup
+        state: absent
+      register: result
+      failed_when: result.failed or result.changed
+
+    - name: Ensure nonposix group is present.
       ipagroup:
         name: extgroup
         nonposix: true
       register: result
       failed_when: result.failed or not result.changed
 
-    - name: Set group to be external, and add users.
+    - name: Ensure group is external, and has AD users.
       ipagroup:
         name: extgroup
         external: true
-        external_member: "AD\\Domain Users"
+        external_member: "{{ ad_user }}"
       register: result
       failed_when: result.failed or not result.changed
 
-    - name: Set group to be external, and add users, again.
+    - name: Ensure group is external, and has AD alternate users.
       ipagroup:
         name: extgroup
         external: true
-        external_member: "AD\\Domain Users"
+        external_member: "{{ alt_user }}"
+      register: result
+      failed_when: result.failed or result.changed
+
+    - name: Ensure group is external, and has AD users, again.
+      ipagroup:
+        name: extgroup
+        external: true
+        external_member: "{{ ad_user }}"
       register: result
       failed_when: result.failed or result.changed
 
@@ -117,7 +156,7 @@
     - name: Ensure external group members are present
       ipagroup:
         name: extgroup_members
-        external_member: "AD\\Domain Users"
+        external_member: "{{ ad_user }}"
         action: member
       register: result
       failed_when: result.failed or not result.changed
@@ -125,7 +164,7 @@
     - name: Ensure external group members are present, again
       ipagroup:
         name: extgroup_members
-        external_member: "AD\\Domain Users"
+        external_member: "{{ ad_user }}"
         action: member
       register: result
       failed_when: result.failed or result.changed
@@ -133,16 +172,25 @@
     - name: Ensure external group members are absent
       ipagroup:
         name: extgroup_members
-        external_member: "AD\\Domain Users"
+        external_member: "{{ ad_user }}"
         action: member
         state: absent
       register: result
       failed_when: result.failed or not result.changed
 
+    - name: Ensure external group alternate members are absent
+      ipagroup:
+        name: extgroup_members
+        external_member: "{{ alt_user }}"
+        action: member
+        state: absent
+      register: result
+      failed_when: result.failed or result.changed
+
     - name: Ensure external group members are absent, again
       ipagroup:
         name: extgroup_members
-        external_member: "AD\\Domain Users"
+        external_member: "{{ ad_user }}"
         action: member
         state: absent
       register: result

tests/group/test_group_idoverrideuser.yml

@@ -1,12 +1,17 @@
 ---
-- name: Test group
+- name: Test group idoverrideuser
   hosts: ipaserver
-  become: yes
-  gather_facts: yes
+  become: false
+  gather_facts: false
+  module_defaults:
+    ipagroup:
+      ipaadmin_password: SomeADMINpassword
+    ipaidoverrideuser:
+      ipaadmin_password: SomeADMINpassword
 
   vars:
-      ad_user: "{{ test_ad_user | default('AD\\aduser') }}"
-      ad_domain: "{{ test_ad_domain | default('ad.ipa.test') }}"
+    ad_user: "{{ test_ad_user | default('AD\\aduser') }}"
+    alt_user: "{{ test_alt_user | default('aduser@ad.ipa.test') }}"
 
   tasks:
     - name: Include tasks ../env_freeipa_facts.yml
@@ -15,38 +20,42 @@
     - name: Execute tests if ipa_verison >= 4.8.7 and trust test environment is supported
       when: ipa_version is version("4.8.7", ">=") and trust_test_is_supported | default(false)
       block:
-      - name: Create idoverrideuser.
-        ansible.builtin.shell: |
-          kinit -c idoverride_cache admin <<< SomeADMINpassword
-          ipa idoverrideuser-add "Default Trust View" {{ ad_user }}
-          kdestroy -A -q -c idoverride_cache
+      - name: Ensure test idoverrideuser is present
+        ipaidoverrideuser:
+          idview: "Default Trust View"
+          anchor: "{{ ad_user }}"
+        register: result
+        failed_when: result.failed and "no modifications to be performed" not in result.msg
 
-      - name: Remove testing groups.
+      - name: Ensure test groups are absent
         ipagroup:
-          ipaadmin_password: SomeADMINpassword
           name:
-          - idovergroup
+            - idovergroup
           state: absent
 
-      - name: Add group with idoverrideuser.
+      - name: Ensure group with idoverrideuser is present.
         ipagroup:
-          ipaadmin_password: SomeADMINpassword
           name: idovergroup
           idoverrideuser: "{{ ad_user }}"
         register: result
         failed_when: result.failed or not result.changed
 
-      - name: Add group with idoverrideuser, again.
+      - name: Ensure group with idoverrideuser is present, again.
         ipagroup:
-          ipaadmin_password: SomeADMINpassword
           name: idovergroup
           idoverrideuser: "{{ ad_user }}"
         register: result
         failed_when: result.failed or result.changed
 
-      - name: Remove idoverrideuser member.
+      - name: Ensure group with alternative idoverrideuser is present.
+        ipagroup:
+          name: idovergroup
+          idoverrideuser: "{{ alt_user }}"
+        register: result
+        failed_when: result.failed or result.changed
+
+      - name: Ensure idoverrideuser member is absent.
         ipagroup:
-          ipaadmin_password: SomeADMINpassword
           name: idovergroup
           idoverrideuser: "{{ ad_user }}"
           action: member
@@ -54,9 +63,8 @@
         register: result
         failed_when: result.failed or not result.changed
 
-      - name: Remove idoverrideuser member, again.
+      - name: Ensure idoverrideuser member is absent, again.
         ipagroup:
-          ipaadmin_password: SomeADMINpassword
           name: idovergroup
           idoverrideuser: "{{ ad_user }}"
           action: member
@@ -64,7 +72,7 @@
         register: result
         failed_when: result.failed or result.changed
 
-      - name: Add idoverrideuser member.
+      - name: Ensure idoverrideuser member is present.
         ipagroup:
           ipaadmin_password: SomeADMINpassword
           name: idovergroup
@@ -73,7 +81,7 @@
         register: result
         failed_when: result.failed or not result.changed
 
-      - name: Add idoverrideuser member, again.
+      - name: Ensure idoverrideuser member is present, again.
         ipagroup:
           ipaadmin_password: SomeADMINpassword
           name: idovergroup
@@ -82,24 +90,17 @@
         register: result
         failed_when: result.failed or result.changed
 
-      - name: Cleanup idoverrideuser member.
-        ipagroup:
-          ipaadmin_password: SomeADMINpassword
-          name: idovergroup
-          idoverrideuser: "{{ ad_user }}"
-          state: absent
-
-      - name: Remove testing groups.
-        ipagroup:
-          ipaadmin_password: SomeADMINpassword
-          name:
-          - idovergroup
-          state: absent
-
       always:
+      - name: Remove testing groups.
+        ipagroup:
+          ipaadmin_password: SomeADMINpassword
+          name:
+          - idovergroup
+          state: absent
+
       - name: Remove idoverrideuser.
-        ansible.builtin.shell:
-          cmd: |
-            kinit -c idoverride_cache admin <<< SomeADMINpassword
-            ipa idoverrideuser-del "Default Trust View" {{ ad_user }}
-            kdestroy -A -q -c idoverride_cache
+        ipaidoverrideuser:
+          idview: "Default Trust View"
+          anchor: "{{ ad_user }}"
+          continue: true
+          state: absent

tests/host/test_host.yml

@@ -191,35 +191,35 @@
 
   # disabled can only be checked with enabled hosts, all hosts above are
   # not enabled.
-  #- name: Hosts host1..host6 disabled
-  #  ipahost:
-  #    ipaadmin_password: SomeADMINpassword
-  #    ipaapi_context: "{{ ipa_context | default(omit) }}"
-  #    name:
-  #    - "{{ host1_fqdn }}"
-  #    - "{{ host2_fqdn }}"
-  #    - "{{ host3_fqdn }}"
-  #    - "{{ host4_fqdn }}"
-  #    - "{{ host5_fqdn }}"
-  #    - "{{ host6_fqdn }}"
-  #    state: disabled
-  #  register: result
-  #  failed_when: not result.changed or result.failed
+  # - name: Hosts host1..host6 disabled
+  #   ipahost:
+  #     ipaadmin_password: SomeADMINpassword
+  #     ipaapi_context: "{{ ipa_context | default(omit) }}"
+  #     name:
+  #     - "{{ host1_fqdn }}"
+  #     - "{{ host2_fqdn }}"
+  #     - "{{ host3_fqdn }}"
+  #     - "{{ host4_fqdn }}"
+  #     - "{{ host5_fqdn }}"
+  #     - "{{ host6_fqdn }}"
+  #     state: disabled
+  #   register: result
+  #   failed_when: not result.changed or result.failed
   #
-  #- name: Hosts host1..host6 disabled again
-  #  ipahost:
-  #    ipaadmin_password: SomeADMINpassword
-  #    ipaapi_context: "{{ ipa_context | default(omit) }}"
-  #    name:
-  #    - "{{ host1_fqdn }}"
-  #    - "{{ host2_fqdn }}"
-  #    - "{{ host3_fqdn }}"
-  #    - "{{ host4_fqdn }}"
-  #    - "{{ host5_fqdn }}"
-  #    - "{{ host6_fqdn }}"
-  #    state: disabled
-  #  register: result
-  #  failed_when: result.changed or result.failed
+  # - name: Hosts host1..host6 disabled again
+  #   ipahost:
+  #     ipaadmin_password: SomeADMINpassword
+  #     ipaapi_context: "{{ ipa_context | default(omit) }}"
+  #     name:
+  #     - "{{ host1_fqdn }}"
+  #     - "{{ host2_fqdn }}"
+  #     - "{{ host3_fqdn }}"
+  #     - "{{ host4_fqdn }}"
+  #     - "{{ host5_fqdn }}"
+  #     - "{{ host6_fqdn }}"
+  #     state: disabled
+  #   register: result
+  #   failed_when: result.changed or result.failed
 
   - name: Hosts host1..host6 absent
     ipahost:

tests/idoverrideuser/test_idoverrideuser_client_context.yml

@@ -16,7 +16,8 @@
     ipaidoverrideuser:
       ipaadmin_password: SomeADMINpassword
       ipaapi_context: server
-      name: ThisShouldNotWork
+      idview: ThisShouldNotWork
+      anchor: ThisShouldNotWork
     register: result
     failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
     when: ipa_host_is_client

tests/idrange/test_idrange.yml

@@ -36,6 +36,50 @@
   # Test local idrange, only if ipa-adtrust-install was not executed.
   - name: Test local idrange
     block:
+      - name: Can't add idrange without base_id
+        ipaidrange:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          name: local_id_range
+          range_size: 200000
+          rid_base: 1000000
+          secondary_rid_base: 200000000
+        register: result
+        failed_when: "not (result.failed and 'Missing required parameters: base_id' in result.msg)"
+
+      - name: Can't add idrange without range_size
+        ipaidrange:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          name: local_id_range
+          base_id: 150000000
+          rid_base: 1000000
+          secondary_rid_base: 200000000
+        register: result
+        failed_when: "not (result.failed and 'Missing required parameters: range_size' in result.msg)"
+
+      - name: Can't add idrange without rid_base
+        ipaidrange:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          name: local_id_range
+          base_id: 150000000
+          range_size: 200000
+          secondary_rid_base: 200000000
+        register: result
+        failed_when: "not (result.failed and 'Missing required parameters: rid_base' in result.msg)"
+
+      - name: Can't add idrange without secondary_rid_base
+        ipaidrange:
+          ipaadmin_password: SomeADMINpassword
+          ipaapi_context: "{{ ipa_context | default(omit) }}"
+          name: local_id_range
+          base_id: 150000000
+          range_size: 200000
+          rid_base: 1000000
+        register: result
+        failed_when: "not (result.failed and 'Missing required parameters: secondary_rid_base' in result.msg)"
+
       - name: Ensure idrange with minimal attributes is present
         ipaidrange:
           ipaadmin_password: SomeADMINpassword
@@ -43,6 +87,8 @@
           name: local_id_range
           base_id: 150000000
           range_size: 200000
+          rid_base: 1000000
+          secondary_rid_base: 200000000
         register: result
         failed_when:
           not (result.failed or result.changed) or (result.failed and 'ipa-adtrust-install has already been run' not in result.msg)
@@ -54,6 +100,8 @@
           name: local_id_range
           base_id: 150000000
           range_size: 200000
+          rid_base: 1000000
+          secondary_rid_base: 200000000
         register: result
         failed_when:
           result.changed or (result.failed and 'ipa-adtrust-install has already been run' not in result.msg)
@@ -118,6 +166,7 @@
           ipaadmin_password: SomeADMINpassword
           ipaapi_context: "{{ ipa_context | default(omit) }}"
           name: local_id_range
+          state: absent
 
   - name: Execute idrange tests if trust test environment is supported
     when: trust_test_is_supported | default(false)

tests/service/env_cleanup.yml

@@ -31,7 +31,7 @@
       - "{{ host2_fqdn }}"
       - "{{ nohost_fqdn }}"
       - svc.ihavenodns.info
-    update_dns: no
+    update_dns: true
     state: absent
 
 - name: Ensure testing users are absent.

tests/user/test_user.yml

@@ -56,7 +56,7 @@
       first: pinky
       last: Acme
       initials: pa
-      #password: foo2
+      # password: foo2
       principal: pa
       random: yes
       street: PinkyStreet
@@ -73,8 +73,8 @@
       # sshpubkey
       userauthtype: password,radius,otp
       userclass: PinkyUserClass
-      #radius: "http://some.link/"
-      #radiususer: PinkyRadiusUser
+      # radius: "http://some.link/"
+      # radiususer: PinkyRadiusUser
       departmentnumber: "1234"
       employeenumber: "0815"
       employeetype: "PinkyExmployeeType"
@@ -82,8 +82,8 @@
       # certificate
       noprivate: yes
       nomembers: false
-      #issuer: PinkyIssuer
-      #subject: PinkySubject
+      # issuer: PinkyIssuer
+      # subject: PinkySubject
     register: result
     failed_when: not result.changed or result.failed
 

tests/user/test_users.yml

@@ -190,7 +190,7 @@
       first: pinky
       last: Acme
       initials: pa
-      #password: foo2
+      # password: foo2
       principal: pa
       random: yes
       street: PinkyStreet
@@ -207,8 +207,8 @@
       # sshpubkey
       userauthtype: password,radius,otp
       userclass: PinkyUserClass
-      #radius: "http://some.link/"
-      #radiususer: PinkyRadiusUser
+      # radius: "http://some.link/"
+      # radiususer: PinkyRadiusUser
       departmentnumber: "1234"
       employeenumber: "0815"
       employeetype: "PinkyExmployeeType"
@@ -216,8 +216,8 @@
       # certificate
       noprivate: yes
       nomembers: false
-      #issuer: PinkyIssuer
-      #subject: PinkySubject
+      # issuer: PinkyIssuer
+      # subject: PinkySubject
     register: result
     failed_when: not result.changed or result.failed
 
@@ -234,7 +234,7 @@
       first: pinky
       last: Acme
       initials: pa
-      #password: foo2
+      # password: foo2
       principal: pa
       random: yes
       street: PinkyStreet
@@ -251,8 +251,8 @@
       # sshpubkey
       userauthtype: password,radius,otp
       userclass: PinkyUserClass
-      #radius: "http://some.link/"
-      #radiususer: PinkyRadiusUser
+      # radius: "http://some.link/"
+      # radiususer: PinkyRadiusUser
       departmentnumber: "1234"
       employeenumber: "0815"
       employeetype: "PinkyExmployeeType"
@@ -260,8 +260,8 @@
       # certificate
       noprivate: yes
       nomembers: false
-      #issuer: PinkyIssuer
-      #subject: PinkySubject
+      # issuer: PinkyIssuer
+      # subject: PinkySubject
     register: result
     failed_when: result.changed or result.failed