Merge pull request #844 from rjeffman/ci_enable_ansible_core_2_12

upstream CI: Update nightly Ansible versions.

.ansible-lint

@@ -14,6 +14,8 @@ exclude_paths:
 kinds:
   - playbook: '**/tests/**/test_*.yml'
   - playbook: '**/playbooks/**/*.yml'
+  - tasks: '**/tasks_*.yml'
+  - tasks: '**/env_*.yml'
 
 parseable: true
 

.github/workflows/ansible-test.yml

@@ -0,0 +1,17 @@
+---
+name: ansible-test sanity
+on:
+  - push
+  - pull_request
+jobs:
+  ansible_test:
+    name: Verify ansible-test sanity
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Install virtualenv using pip
+        run: pip install virtualenv
+      - name: Run ansible-test
+        run: bash tests/sanity/sanity.sh

.github/workflows/docs.yml

@@ -12,9 +12,11 @@ jobs:
       - uses: actions/setup-python@v2
         with:
           python-version: '3.x'
-      - name: Run ansible-doc-test
+      - name: Install Ansible 2.9
         run: |
           python -m pip install "ansible < 2.10"
+      - name: Run ansible-doc-test
+        run: |
           ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
 
   check_docs_2_11:
@@ -25,9 +27,27 @@ jobs:
       - uses: actions/setup-python@v2
         with:
           python-version: '3.x'
-      - name: Run ansible-doc-test
+      - name: Install Ansible 2.11
         run: |
           python -m pip install "ansible-core >=2.11,<2.12"
+      - name: Run ansible-doc-test
+        run: |
+          ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
+
+  check_docs_2_12:
+    name: Check Ansible Documentation with ansible-core 2.12.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+      - name: Install Ansible 2.12
+        run: |
+          python -m pip install "ansible-core >=2.12,<2.13"
+      - name: Run ansible-doc-test
+        run: |
+          python -m pip install "ansible-core >=2.12,<2.13"
           ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
 
   check_docs_latest:
@@ -38,7 +58,9 @@ jobs:
       - uses: actions/setup-python@v2
         with:
           python-version: '3.x'
-      - name: Run ansible-doc-test
+      - name: Install Ansible-latest
         run: |
           python -m pip install ansible
+      - name: Run ansible-doc-test
+        run: |
           ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins

.github/workflows/lint.yml

@@ -13,15 +13,9 @@ jobs:
         with:
           python-version: "3.x"
       - name: Run ansible-lint
-        uses: ansible/ansible-lint-action@master
-        with:
-          targets: |
-            tests/*.yml
-            tests/*/*.yml
-            tests/*/*/*.yml
-            playbooks/*.yml
-            playbooks/*/*.yml
-            roles/*/*/*.yml
+        run: |
+          pip install ansible-core==2.11.6 ansible-lint
+          find playbooks roles tests -name '*.yml' ! -name "env_*" ! -name "tasks_*" -exec ansible-lint --force-color {} \+
         env:
           ANSIBLE_MODULE_UTILS: plugins/module_utils
           ANSIBLE_LIBRARY: plugins/modules
@@ -74,8 +68,8 @@ jobs:
           python-version: "3.x"
       - name: Run pylint
         run: |
-            pip install pylint==2.10.2
-            pylint plugins --disable=import-error
+            pip install pylint==2.12.2
+            pylint plugins roles --disable=import-error
 
   shellcheck:
     name: Shellcheck

.github/workflows/readme.yml

@@ -0,0 +1,16 @@
+---
+name: readme test
+on:
+  - push
+  - pull_request
+jobs:
+  ansible_test:
+    name: Verify readme
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run readme test
+        run: |
+          error=0
+          for i in roles/ipa*/README.md README-*.md; do grep -q $i README.md && echo "OK: $i" || { echo -e "\033[31;1mERROR: ${i} missing\033[0m"; error=1; } done
+          exit $error

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
 - repo: https://github.com/ansible/ansible-lint.git
-  rev: v5.1.2
+  rev: v5.3.2
   hooks:
   - id: ansible-lint
     always_run: false
@@ -24,7 +24,7 @@ repos:
   hooks:
   - id: pydocstyle
 - repo: https://github.com/pycqa/pylint
-  rev: v2.10.2
+  rev: v2.12.2
   hooks:
   - id: pylint
     args:
@@ -38,8 +38,10 @@ repos:
     entry: utils/ansible-doc-test
     # args: ['-v', 'roles', 'plugins']
     files: ^.*.py$
-- repo: https://github.com/koalaman/shellcheck-precommit
-  rev: v0.8.0
+- repo: local
   hooks:
   - id: shellcheck
-    args: ["--severity=warning"]  # Only show errors and warnings
+    name: ShellCheck
+    language: system
+    entry: shellcheck
+    files: \.sh$

README-automember.md

@@ -262,9 +262,6 @@ Example playbook to ensure all orphan automember hostgroup rules are removed:
 Variables
 ---------
 
-ipaautomember
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-automountkey.md

@@ -0,0 +1,112 @@
+Automountkey module
+=====================
+
+Description
+-----------
+
+The automountkey module allows management of keys within an automount map.
+
+It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
+
+
+Features
+--------
+* Automount key management
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaautomountkey module.
+
+Requirements
+------------
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to ensure presence of an automount key:
+
+```yaml
+---
+- name: Playbook to manage automount key
+  hosts: ipaserver
+
+  tasks:
+  - name: ensure automount key TestKey is present
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      location: TestLocation
+      mapname: TestMap
+      key: TestKey
+      info: 192.168.122.1:/exports
+      state: present
+```
+
+Example playbook to rename an automount map:
+
+```yaml
+---
+- name: Playbook to add an automount map
+  hosts: ipaserver
+
+  tasks:
+  - name: ensure aumount key TestKey is renamed to NewKeyName
+    ipaautomountkey:
+      ipaadmin_password: password01
+      automountlocationcn: TestLocation
+      automountmapname: TestMap
+      automountkey: TestKey
+      newname: NewKeyName
+      state: renamed
+```
+
+Example playbook to ensure an automount key is absent:
+
+```yaml
+---
+- name: Playbook to manage an automount key
+  hosts: ipaserver
+
+  tasks:
+  - name: ensure automount key TestKey is absent
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      location: TestLocation
+      mapname: TestMap
+      key: TestKey
+      state: absent
+```
+
+
+Variables
+=========
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`location` \| `automountlocationcn` \| `automountlocation` | Location name. | yes
+`mapname` \|  `map` \| `automountmapname` \| `automountmap` | Map the key belongs to | yes
+`key` \| `name` \| `automountkey` | Automount key to manage | yes
+`rename` \| `new_name` \| `newautomountkey` | the name to change the key to if state is `renamed` | yes when state is `renamed`
+`info` \| `information` \| `automountinformation` | Mount information for the key | yes when state is `present`
+`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
+
+Authors
+=======
+
+Chris Procter

README-automountlocation.md

@@ -97,9 +97,6 @@ Example playbook to ensure absence of an automount location:
 Variables
 =========
 
-ipaautomountlocation
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-automountmap.md

@@ -0,0 +1,96 @@
+Automountmap module
+=====================
+
+Description
+-----------
+
+The automountmap module allows the addition and removal of maps within automount locations.
+
+It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
+
+
+Features
+--------
+* Automount map management
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaautomountmap module.
+
+Requirements
+------------
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to ensure presence of an automount map:
+
+```yaml
+---
+- name: Playbook to add an automount map
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: ensure map named auto.DMZ in location DMZ is created
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: auto.DMZ
+      location: DMZ
+      desc: "this is a map for servers in the DMZ"
+```
+
+Example playbook to ensure auto.DMZi is absent:
+
+```yaml
+---
+- name: Playbook to remove an automount map
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: ensure map auto.DMZ has been removed
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: auto.DMZ
+      location: DMZ
+      state: absent
+```
+
+
+Variables
+=========
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `mapname` \| `map` \| `automountmapname` | Name of the map to manage | yes
+`location` \| `automountlocation` \| `automountlocationcn` | Location name. | yes
+`desc` \| `description` | Description of the map | yes
+`state` | The state to ensure. It can be one of `present`, or `absent`, default: `present`. | no
+
+
+Notes
+=====
+
+Creation of indirect mount points are not supported.
+
+Authors
+=======
+
+Chris Procter

README-config.md

@@ -82,9 +82,6 @@ Example playbook to read config options:
 Variables
 =========
 
-ipauser
--------
-
 **General Variables:**
 
 Variable | Description | Required

README-delegation.md

@@ -135,9 +135,6 @@ Example playbook to make sure delegation "basic manager attributes" is absent:
 Variables
 ---------
 
-ipadelegation
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-dnsconfig.md

@@ -71,6 +71,7 @@ Example playbook to ensure a global forwarder, with a custom port, is absent:
       forwarders:
           - ip_address: 2001:4860:4860::8888
             port: 53
+      action: member
       state: absent
 ```
 
@@ -119,9 +120,6 @@ Example playbook to disallow synchronization of forward (A, AAAA) and reverse (P
 Variables
 =========
 
-ipadnsconfig
-------------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
@@ -131,9 +129,10 @@ Variable | Description | Required
 `forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
   | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
   | `port` - The custom port that should be used on this server. | no
-`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`.  | no
+`forward_policy` \| `forwardpolicy` | The global forwarding policy. It can be one of `only`, `first`, or `none`.  | no
 `allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | yes
-`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
+`action` | Work on dnsconfig or member level. It can be one of `member` or `dnsconfig` and defaults to `dnsconfig`. Only `forwarders` can be managed with `action: member`. | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. `absent` can only be used with `action: member` and `forwarders`. | yes
 
 
 Authors

README-dnsforwardzone.md

@@ -100,9 +100,6 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
 Variables
 =========
 
-ipagroup
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
@@ -113,7 +110,7 @@ Variable | Description | Required
 `forwarders` \| `idnsforwarders` |  Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
   | `ip_address`: The forwarder IP address. | yes
   | `port`: The forwarder IP port. | no
-`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
+`forwardpolicy` \| `idnsforwardpolicy` \| `forward_policy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
 `skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
 `permission` | Allow DNS Forward Zone to be managed. (bool) | no
 `action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no

README-dnsrecord.md

@@ -242,9 +242,6 @@ Example playbook to ensure multiple DNS records are absent:
 Variables
 =========
 
-ipadnsrecord
-------------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-dnszone.md

@@ -195,9 +195,6 @@ Example playbook to create a zone for reverse DNS lookup, from an IP address, gi
 Variables
 =========
 
-ipadnszone
-----------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
@@ -233,9 +230,6 @@ Variable | Description | Required
 Return Values
 =============
 
-ipadnszone
-----------
-
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `dnszone` | DNS Zone dict with zone name infered from `name_from_ip`. <br>Options: |  If `state` is `present`, `name_from_ip` is used, and a zone was created.

README-group.md

@@ -100,7 +100,7 @@ Example playbook to add group members to a group:
   become: true
 
   tasks:
-  # Add group members sysops and appops to group sysops
+  # Add group members sysops and appops to group ops
   - ipagroup:
       ipaadmin_password: SomeADMINpassword
       name: ops
@@ -147,9 +147,6 @@ Example playbook to remove groups:
 Variables
 =========
 
-ipagroup
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
@@ -169,6 +166,7 @@ Variable | Description | Required
 `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
+`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
 

README-hbacrule.md

@@ -129,9 +129,6 @@ Example playbook to make sure HBAC Rule login is absent:
 Variables
 =========
 
-ipahbacrule
----------------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-hbacsvc.md

@@ -91,9 +91,6 @@ Example playbook to make sure HBAC Services for http and tftp are absent
 Variables
 =========
 
-ipahbacsvc
-----------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-hbacsvcgroup.md

@@ -129,9 +129,6 @@ Example playbook to make sure HBAC Service Group login is absent:
 Variables
 =========
 
-ipahbacsvcgroup
----------------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-host.md

@@ -313,9 +313,6 @@ Example playbook to ensure a host is absent:
 Variables
 =========
 
-ipahost
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
@@ -370,9 +367,6 @@ Variable | Description | Required
 Return Values
 =============
 
-ipahost
--------
-
 There are only return values if one or more random passwords have been generated.
 
 Variable | Description | Returned When

README-hostgroup.md

@@ -143,9 +143,6 @@ Example playbook to make sure host-group databases is absent:
 Variables
 =========
 
-ipahostgroup
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-idrange.md

@@ -0,0 +1,196 @@
+Idrange module
+============
+
+Description
+-----------
+
+The idrange module allows the management of ID ranges.
+
+In general it is not necessary to modify or delete ID ranges. If there is no other way to achieve a certain configuration than to modify or delete an ID range it should be done with great care. Because UIDs are stored in the file system and are used for access control it might be possible that users are allowed to access files of other users if an ID range got deleted and reused for a different domain.
+
+
+Use cases
+---------
+
+* Add an ID range from a transitively trusted domain
+
+If the trusted domain (A) trusts another domain (B) as well and this trust is transitive 'ipa trust-add domain-A' will only create a range for domain A. The ID range for domain B must be added manually.
+
+* Add an additional ID range for the local domain
+
+If the ID range of the local domain is exhausted, i.e. no new IDs can be assigned to Posix users or groups by the DNA plugin, a new range has to be created to allow new users and groups to be added. (Currently there is no connection between this range CLI and the DNA plugin, but a future version might be able to modify the configuration of the DNS plugin as well).
+
+
+Features
+--------
+
+* ID Range management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaidrange module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to ensure a local domain idrange is present:
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure an ID Range for the local domain is present.
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: local_domain_id_range
+      base_id: 150000
+      range_size: 200000
+```
+
+Example playbook to ensure a local domain idrange is present, with RID and secondary RID base values:
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure local idrange is present
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: local_domain_id_range
+      base_id: 150000000
+      range_size: 200000
+      rid_base: 1000000
+      secondary_rid_base: 200000000
+```
+
+Example playbook to ensure an AD-trust idrange is present, with range type 'trust-ad' and using domain SID:
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure AD-trust idrange is present
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: ad_id_range
+      base_id: 150000000
+      range_size: 200000
+      idrange_type: ipa-ad-trust
+      dom_sid: S-1-5-21-2870384104-3340008087-3140804251
+```
+
+Example playbook to ensure an AD-trust idrange is present, with range type 'trust-ad-posix' and using domain SID:
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure AD-trust idrange is present
+    ipaidrange:
+      name: ad_posix_id_range
+      base_id: 150000000
+      range_size: 200000
+      idrange_type: ipa-ad-trust-posix
+      dom_name: ad.ipa.test
+```
+
+Example playbook to ensure an AD-trust idrange has auto creation of groups set to 'hybrid':
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Modify AD-trust idrange 'auto_private_groups'
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: ad_id_range
+      auto_private_groups: "hybrid"
+```
+
+Example playbook to make sure an idrange is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure ID range 'ad_id_range' is absent.
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: ad_id_range
+      state: absent
+```
+
+
+Variables
+---------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
+`name` \| `cn` | The list of idrange name strings. | yes
+`base_id` \| `ipabaseid` | First Posix ID of the range. (int) | yes, if `state: present`
+`range_size` \| `ipaidrangesize` | Number of IDs in the range. (int) | yes, if `state: present`
+`rid_base` \| `ipabaserid` | First RID of the corresponding RID range. (int) | no
+`secondary_rid_base` \| `ipasecondarybaserid` | First RID of the secondary RID range. (int) | no
+`dom_sid` \| `ipanttrusteddomainsid` | Domain SID of the trusted domain. | no
+`idrange_type` \| `iparangetype` | ID range type, one of `ipa-ad-trust`, `ipa-ad-trust-posix`, `ipa-local`. Only valid if idrange does not exist. | no
+`dom_name` \| `ipanttrusteddomainname` | Name of the trusted domain. Can only be used when `ipaapi_context: server`. | no
+`auto_private_groups` \| `ipaautoprivategroups` | Auto creation of private groups, one of `true`, `false`, `hybrid`. | no
+`delete_continue` \| `continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Notes
+=====
+
+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the local domain. Currently the DNA plugin *cannot* be reconfigured itself based on the local ranges set via this family of commands.
+
+Manual configuration change has to be done in the DNA plugin configuration for the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be modified to match the new range.
+
+
+Authors
+=======
+
+Rafael Guterres Jeffman

README-location.md

@@ -74,9 +74,6 @@ Example playbook to make sure location "my_location1" is absent:
 Variables
 ---------
 
-ipalocation
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-permission.md

@@ -154,9 +154,6 @@ Example playbook to make sure permission "MyPermission" is renamed to "MyNewPerm
 Variables
 ---------
 
-ipapermission
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-privilege.md

@@ -126,9 +126,6 @@ Example playbook to make sure privilege "DNS Special Privilege" is absent:
 Variables
 ---------
 
-ipaprivilege
-------------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin`. | no

README-pwpolicy.md

@@ -91,9 +91,6 @@ Example playbook to ensure maxlife is set to 49 in global policy:
 Variables
 =========
 
-ipapwpolicy
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-role.md

@@ -238,9 +238,6 @@ Example playbook to ensure that different members are not associated with a role
 Variables
 ---------
 
-iparole
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-selfservice.md

@@ -131,9 +131,6 @@ Example playbook to make sure selfservice "Users can manage their own name detai
 Variables
 ---------
 
-ipaselfservice
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-server.md

@@ -242,9 +242,6 @@ This task will always report a change.
 Variables
 ---------
 
-ipaserver
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-service.md

@@ -285,8 +285,6 @@ Example playbook to allow users, groups, hosts or hostgroups to retrieve a keyta
 Variables
 ---------
 
-ipaservice
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
@@ -295,8 +293,8 @@ Variable | Description | Required
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
 `name` \| `service` | The list of service name strings. | yes
 `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
-`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
-`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
+`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit` or `hardened`.  Use empty string to reset auth_ind to the initial value. | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
 `ok_as_delegate` \|  `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
 `ok_to_auth_as_delegate` \|  `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no

README-servicedelegationrule.md

@@ -0,0 +1,172 @@
+Servicedelegationrule module
+============
+
+Description
+-----------
+
+The servicedelegationrule module allows to ensure presence and absence of servicedelegationrules and servicedelegationrule members.
+
+Features
+--------
+
+* Servicedelegationrule management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaservicedelegationrule module.
+
+Host princpals are only usable with IPA versions 4.9.0 and up.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule is present:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule is present
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule member principal test/example.com is present:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule member principal test/example.com is present
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+      principal: test/example.com
+      action: member
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule member principal test/example.com is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule member principal test/example.com is absent
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+      principal: test/example.com
+      action: member
+      state: absent
+    state: absent
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule member target delegation-target is present:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule member target delegation-target is present
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+      target: delegation-target
+      action: member
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule member target delegation-target is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule member target delegation-target is absent
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+      target: delegation-target
+      action: member
+      state: absent
+    state: absent
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule is absent
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+      state: absent
+```
+
+
+Variables
+---------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
+`name` \| `cn` | The list of servicedelegationrule name strings. | yes
+`principal` |  The list of principals. A principal can be of the format: fqdn, fqdn@REALM, service/fqdn, service/fqdn@REALM, host/fqdn, host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM are host principals and the same as host/fqdn and host/fqdn@REALM. Host princpals are only usable with IPA versions 4.9.0 and up. | no
+`target` \| `servicedelegationtarget` | The list of service delegation targets. | no
+`action` | Work on servicedelegationrule or member level. It can be on of `member` or `servicedelegationrule` and defaults to `servicedelegationrule`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner

README-servicedelegationtarget.md

@@ -0,0 +1,133 @@
+Servicedelegationtarget module
+============
+
+Description
+-----------
+
+The servicedelegationtarget module allows to ensure presence and absence of servicedelegationtargets and servicedelegationtarget members.
+
+Features
+--------
+
+* Servicedelegationtarget management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaservicedelegationtarget module.
+
+Host princpals are only usable with IPA versions 4.9.0 and up.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure servicedelegationtarget delegation-target is present:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationtarget
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget delegation-target is present
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-target
+```
+
+
+Example playbook to make sure servicedelegationtarget delegation-target member principal test/example.com is present:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationtarget
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget delegation-target member principal test/example.com is present
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-target
+      principal: test/example.com
+      action: member
+```
+
+
+Example playbook to make sure servicedelegationtarget delegation-target member principal test/example.com is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationtarget
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget delegation-target member principal test/example.com is absent
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-target
+      principal: test/example.com
+      action: member
+      state: absent
+    state: absent
+```
+
+
+Example playbook to make sure servicedelegationtarget delegation-target is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationtarget
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget delegation-target is absent
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-target
+      state: absent
+```
+
+
+Variables
+---------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
+`name` \| `cn` | The list of servicedelegationtarget name strings. | yes
+`principal` |  The list of principals. A principal can be of the format: fqdn, fqdn@REALM, service/fqdn, service/fqdn@REALM, host/fqdn, host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM are host principals and the same as host/fqdn and host/fqdn@REALM. Host princpals are only usable with IPA versions 4.9.0 and up. | no
+`action` | Work on servicedelegationtarget or member level. It can be on of `member` or `servicedelegationtarget` and defaults to `servicedelegationtarget`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner

README-sudocmd.md

@@ -76,9 +76,6 @@ Example playbook to make sure sudocmd is absent:
 Variables
 =========
 
-ipasudocmd
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-sudocmdgroup.md

@@ -116,9 +116,6 @@ Example playbook to make sure sudocmdgroup is absent:
 Variables
 =========
 
-ipasudocmdgroup
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-sudorule.md

@@ -113,9 +113,6 @@ Example playbook to make sure Sudo Rule is absent:
 Variables
 =========
 
-ipasudorule
----------------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no

README-trust.md

@@ -94,9 +94,6 @@ This will only delete the ipa-side of the trust and it does NOT delete the id-ra
 Variables
 =========
 
-ipatrust
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
@@ -108,6 +105,7 @@ Variable | Description | Required
 `password` | Active Directory domain administrator's password string. | no
 `server` | Domain controller for the Active Directory domain string. | no
 `trust_secret` | Shared secret for the trust string. | no
+`trust_type` | Trust type. Currently, only 'ad' for Active Directory is supported. | no
 `base_id` | First posix id for the trusted domain integer. | no
 `range_size` | Size of the ID range reserved for the trusted domain integer. | no
 `range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no

README-user.md

@@ -356,9 +356,6 @@ Example playbook to ensure users are absent:
 Variables
 =========
 
-ipauser
--------
-
 **General Variables:**
 
 Variable | Description | Required
@@ -432,9 +429,6 @@ Variable | Description | Required
 Return Values
 =============
 
-ipauser
--------
-
 There are only return values if one or more random passwords have been generated.
 
 Variable | Description | Returned When

README-vault.md

@@ -210,9 +210,6 @@ Example playbook to make sure vault is absent:
 Variables
 =========
 
-ipavault
--------
-
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
@@ -250,9 +247,6 @@ Variable | Description | Required
 Return Values
 =============
 
-ipavault
---------
-
 There is only a return value if `state` is `retrieved`.
 
 Variable | Description | Returned When

README.md

@@ -12,7 +12,11 @@ Features
 * One-time-password (OTP) support for client installation
 * Repair mode for clients
 * Backup and restore, also to and from controller
+* Smartcard setup for servers and clients
 * Modules for automembership rule management
+* Modules for automount key management
+* Modules for automount location management
+* Modules for automount map management
 * Modules for config management
 * Modules for delegation management
 * Modules for dns config management
@@ -25,6 +29,7 @@ Features
 * Modules for hbacsvcgroup management
 * Modules for host management
 * Modules for hostgroup management
+* Modules for idrange management
 * Modules for location management
 * Modules for permission management
 * Modules for privilege management
@@ -33,6 +38,8 @@ Features
 * Modules for self service management
 * Modules for server management
 * Modules for service management
+* Modules for service delegation rule management
+* Modules for service delegation target management
 * Modules for sudocmd management
 * Modules for sudocmdgroup management
 * Modules for sudorule management
@@ -62,7 +69,6 @@ Requirements
 **Controller**
 * Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
 * /usr/bin/kinit is required on the controller if a one time password (OTP) is used
-* python3-gssapi is required on the controller if a one time password (OTP) is used with keytab to install the client.
 
 **Node**
 * Supported FreeIPA version (see above)
@@ -282,7 +288,8 @@ ipaserver_domain=test.local
 ipaserver_realm=TEST.LOCAL
 ```
 
-For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server. It is needed to have the python-gssapi bindings installed on the controller for this.
+For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server.
+
 To enable the generation of the one-time-password:
 ```yaml
 [ipaclients:vars]
@@ -419,11 +426,16 @@ Roles
 * [Replica](roles/ipareplica/README.md)
 * [Client](roles/ipaclient/README.md)
 * [Backup](roles/ipabackup/README.md)
+* [SmartCard server](roles/ipasmartcard_server/README.md)
+* [SmartCard client](roles/ipasmartcard_client/README.md)
 
 Modules in plugin/modules
 =========================
 
 * [ipaautomember](README-automember.md)
+* [ipaautomountkey](README-automountkey.md)
+* [ipaautomountlocation](README-automountlocation.md)
+* [ipaautomountmap](README-automountmap.md)
 * [ipaconfig](README-config.md)
 * [ipadelegation](README-delegation.md)
 * [ipadnsconfig](README-dnsconfig.md)
@@ -433,17 +445,20 @@ Modules in plugin/modules
 * [ipagroup](README-group.md)
 * [ipahbacrule](README-hbacrule.md)
 * [ipahbacsvc](README-hbacsvc.md)
-* [ipahbacsvcgroup](README-hbacsvc.md)
+* [ipahbacsvcgroup](README-hbacsvcgroup.md)
 * [ipahost](README-host.md)
 * [ipahostgroup](README-hostgroup.md)
-* [ipalocation](README-ipalocation.md)
-* [ipapermission](README-ipapermission.md)
-* [ipaprivilege](README-ipaprivilege.md)
+* [idrange](README-idrange.md)
+* [ipalocation](README-location.md)
+* [ipapermission](README-permission.md)
+* [ipaprivilege](README-privilege.md)
 * [ipapwpolicy](README-pwpolicy.md)
 * [iparole](README-role.md)
-* [ipaselfservice](README-ipaselfservice.md)
+* [ipaselfservice](README-selfservice.md)
 * [ipaserver](README-server.md)
 * [ipaservice](README-service.md)
+* [ipaservicedelegationrule](README-servicedelegationrule.md)
+* [ipaservicedelegationtarget](README-servicedelegationtarget.md)
 * [ipasudocmd](README-sudocmd.md)
 * [ipasudocmdgroup](README-sudocmdgroup.md)
 * [ipasudorule](README-sudorule.md)

galaxy.yml

@@ -16,6 +16,7 @@ readme: "README.md"
 license: "GPL-3.0-or-later"
 
 tags:
+  - "linux"
   - "system"
   - "identity"
   - "ipa"

molecule/c8s-build/Dockerfile

@@ -0,0 +1,30 @@
+FROM quay.io/centos/centos:stream8
+ENV container=docker
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/python3 \
+    /usr/bin/python3-config \
+    /usr/bin/dnf-3 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute && \
+dnf clean all; \
+(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*;\
+rm -f /etc/systemd/system/*.wants/*;\
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*;\
+rm -f /lib/systemd/system/anaconda.target.wants/*; \
+rm -rf /var/cache/dnf/;
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]

molecule/c8s-build/molecule.yml

@@ -2,9 +2,9 @@
 driver:
   name: docker
 platforms:
-  - name: centos-8-build
-    image: "centos:centos8"
-    pre_build_image: true
+  - name: c8s-build
+    image: "quay.io/centos/centos:stream8"
+    dockerfile: Dockerfile
     hostname: ipaserver.test.local
     dns_servers:
       - 8.8.8.8
@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare-build.yml
+prerun: false

molecule/c8s/molecule.yml

@@ -2,8 +2,8 @@
 driver:
   name: docker
 platforms:
-  - name: centos-8
-    image: quay.io/ansible-freeipa/upstream-tests:centos-8
+  - name: c8s
+    image: quay.io/ansible-freeipa/upstream-tests:c8s
     pre_build_image: true
     hostname: ipaserver.test.local
     dns_servers:
@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare.yml
+prerun: false

molecule/c9s-build/Dockerfile

@@ -5,7 +5,6 @@ RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
     /usr/bin/python3 \
-    /usr/bin/python3-config \
     /usr/bin/dnf-3 \
     sudo \
     bash \

molecule/c9s-build/molecule.yml

@@ -2,7 +2,7 @@
 driver:
   name: docker
 platforms:
-  - name: centos-9-build
+  - name: c9s-build
     image: "quay.io/centos/centos:stream9"
     dockerfile: Dockerfile
     hostname: ipaserver.test.local
@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare-build.yml
+prerun: false

molecule/c9s/molecule.yml

@@ -0,0 +1,19 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: c9s
+    image: quay.io/ansible-freeipa/upstream-tests:c9s
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 127.0.0.1
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare.yml
+prerun: false

molecule/centos-7-build/molecule.yml

@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare-build.yml
+prerun: false

molecule/centos-7/molecule.yml

@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare.yml
+prerun: false

molecule/default

@@ -1 +1 @@
-centos-8
+fedora-latest

molecule/fedora-latest-build/molecule.yml

@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare-build.yml
+prerun: false

molecule/fedora-latest/molecule.yml

@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare.yml
+prerun: false

molecule/resources/playbooks/prepare.yml

@@ -25,3 +25,24 @@
     ansible.builtin.service:
       name: ipa
       state: started
+
+  - name: Wait for krb5dkc to be running
+    ansible.builtin.service_facts:
+    no_log: True
+    register: result
+    until: "'krb5kdc.service' in result.ansible_facts.services and \
+            result.ansible_facts.services['krb5kdc.service'].state == 'running'"
+    retries: 30
+    delay: 5
+
+  - name: Check if TGT is available for admin.
+    ansible.builtin.shell:
+      cmd: echo SomeADMINpassword | kinit -c ansible_freeipa_cache admin
+    register: result
+    until: not result.failed
+    retries: 30
+    delay: 5
+
+  - name: Cleanup TGT.
+    ansible.builtin.shell:
+      cmd: kdestroy -c ansible_freeipa_cache -A

playbooks/automount/automount-map-absent.yaml

@@ -0,0 +1,12 @@
+---
+- name: Automount map absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: ensure map TestMap is absent
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: TestMap
+      location: TestLocation
+      state: absent

playbooks/automount/automount-map-present.yaml

@@ -0,0 +1,12 @@
+---
+- name: Automount map present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: ensure map TestMap is present
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: TestMap
+      location: TestLocation
+      desc: "this is a test map"

playbooks/automount/automountkey-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage an automout key
+  hosts: ipaserver
+
+  tasks:
+  - name: Ensure autmount key is present
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      location: TestLocation
+      mapname: TestMap
+      key: TestKey
+      info: 192.168.122.1:/exports
+      state: present

playbooks/automount/automountkey-renamed.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage an automount key
+  hosts: ipaserver
+
+  tasks:
+  - name: Ensure aumount key TestKey is renamed to NewKeyName
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      automountlocationcn: TestLocation
+      automountmapname: TestMap
+      automountkey: TestKey
+      newname: NewKeyName
+      state: renamed

playbooks/automount/automoutkey-absent.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook to manage an automount key
+  hosts: ipaserver
+
+  tasks:
+  - name: Ensure autmount key is present
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      location: TestLocation
+      mapname: TestMap
+      key: TestKey
+      state: absent

playbooks/dnsconfig/disable-global-forwarders.yml

@@ -6,4 +6,5 @@
   tasks:
   - name: Disable global forwarders.
     ipadnsconfig:
+      ipaadmin_password: SomeADMINpassword
       forward_policy: none

playbooks/dnsconfig/disallow-reverse-sync.yml

@@ -6,4 +6,5 @@
   tasks:
   - name: Disallow reverse record synchronization.
     ipadnsconfig:
+      ipaadmin_password: SomeADMINpassword
       allow_sync_ptr: no

playbooks/dnsconfig/forwarders-absent.yml

@@ -4,10 +4,12 @@
   become: true
 
   tasks:
-  - name: Set dnsconfig.
+  - name: Set dnsconfig forwarders.
     ipadnsconfig:
+      ipaadmin_password: SomeADMINpassword
       forwarders:
         - ip_address: 8.8.4.4
         - ip_address: 2001:4860:4860::8888
           port: 53
+      action: member
       state: absent

playbooks/dnsconfig/forwarders-present.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Set dnsconfig forwarders.
+    ipadnsconfig:
+      ipaadmin_password: SomeADMINpassword
+      forwarders:
+        - ip_address: 8.8.4.4
+        - ip_address: 2001:4860:4860::8888
+          port: 53
+      action: member

playbooks/dnsconfig/set-configuration.yml

@@ -6,6 +6,7 @@
   tasks:
   - name: Set dnsconfig.
     ipadnsconfig:
+      ipaadmin_password: SomeADMINpassword
       forwarders:
         - ip_address: 8.8.4.4
         - ip_address: 2001:4860:4860::8888

playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml

@@ -7,6 +7,7 @@
   tasks:
   - name: Ensure that 'host04' has CNAME, with cname_hostname, is absent
     ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
       zone_name: example.com
       name: host04
       cname_hostname: host04.example.com

playbooks/dnsrecord/ensure-CNAME-record-is-present.yml

@@ -7,6 +7,7 @@
   tasks:
   - name: Ensure that 'host04' has CNAME, with cname_hostname, is present
     ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
       zone_name: example.com
       name: host04
       cname_hostname: host04.example.com

playbooks/idrange/idrange-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Idrange absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure idrange is absent
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: id_range
+      state: absent

playbooks/idrange/idrange-ad-posix-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Playbook to manage idrange
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure AD-trust idrange is present
+    ipaidrange:
+      name: id_range
+      base_id: 150000000
+      range_size: 200000
+      rid_base: 1000000
+      idrange_type: ipa-ad-trust-posix
+      dom_name: ad.ipa.test
+      auto_private_groups: "false"

playbooks/idrange/idrange-ad-present.yml

@@ -0,0 +1,16 @@
+---
+- name: Playbook to manage idrange
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure AD-trust idrange is present
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: ad_id_range
+      base_id: 150000000
+      range_size: 200000
+      rid_base: 1000000
+      idrange_type: ipa-ad-trust
+      dom_sid: S-1-5-21-2870384104-3340008087-3140804251
+      auto_private_groups: "true"

playbooks/idrange/idrange-present.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage idrange
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure local idrange is present
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: id_range
+      base_id: 150000000
+      range_size: 200000
+      rid_base: 1000000
+      secondary_rid_base: 200000000

playbooks/install-smartcard-clients.yml

@@ -0,0 +1,8 @@
+---
+- name: Playbook to setup smartcard for IPA clients
+  hosts: ipaclients
+  become: true
+
+  roles:
+  - role: ipasmartcard_client
+    state: present

playbooks/install-smartcard-replicas.yml

@@ -0,0 +1,8 @@
+---
+- name: Playbook to setup smartcard for IPA replicas
+  hosts: ipareplicas
+  become: true
+
+  roles:
+  - role: ipasmartcard_server
+    state: present

playbooks/install-smartcard-server.yml

@@ -0,0 +1,8 @@
+---
+- name: Playbook to setup smartcard for IPA server
+  hosts: ipaserver
+  become: true
+
+  roles:
+  - role: ipasmartcard_server
+    state: present

playbooks/install-smartcard-servers.yml

@@ -0,0 +1,8 @@
+---
+- name: Playbook to setup smartcard for IPA server and replicas
+  hosts: ipaserver, ipareplicas
+  become: true
+
+  roles:
+  - role: ipasmartcard_server
+    state: present

playbooks/privilege/privilege-absent.yml

@@ -6,5 +6,6 @@
   tasks:
   - name: Ensure privilege "Broad Privilege" is absent
     ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
       name: Broad Privilege
       state: absent

playbooks/servicedelegationrule/servicedelegationrule-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Servicedelegationrule absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule test-delegation-rule is absent
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule
+      state: absent

playbooks/servicedelegationrule/servicedelegationrule-present.yml

@@ -0,0 +1,10 @@
+---
+- name: Servicedelegationrule present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule test-delegation-rule is present
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule

playbooks/servicedelegationrule/servicedelegationrule-principal-member-absent.yml

@@ -0,0 +1,13 @@
+---
+- name: Servicedelegationrule principal member absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure principal member test/example.com is absent in servicedelegationrule test-delegation-rule
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule
+      principal: test/example.com
+      action: member
+      state: absent

playbooks/servicedelegationrule/servicedelegationrule-principal-member-present.yml

@@ -0,0 +1,12 @@
+---
+- name: Servicedelegationrule principal member present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure principal member test/example.com is present in servicedelegationrule test-delegation-rule
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule
+      principal: test/example.com
+      action: member

playbooks/servicedelegationrule/servicedelegationrule-target-member-absent.yml

@@ -0,0 +1,13 @@
+---
+- name: Servicedelegationrule absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure member test/example.com is absent in servicedelegationrule test-delegation-rule
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule
+      principal: test/example.com
+      action: member
+      state: absent

playbooks/servicedelegationrule/servicedelegationrule-target-member-present.yml

@@ -0,0 +1,12 @@
+---
+- name: Servicedelegationrule member present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure member test/example.com is present in servicedelegationrule test-delegation-rule
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule
+      principal: test/example.com
+      action: member

playbooks/servicedelegationtarget/servicedelegationtarget-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Servicedelegationtarget absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget test-delegation-target is absent
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-target
+      state: absent

playbooks/servicedelegationtarget/servicedelegationtarget-member-absent.yml

@@ -0,0 +1,13 @@
+---
+- name: Servicedelegationtarget absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure member test/example.com is absent in servicedelegationtarget test-delegation-target
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-target
+      principal: test/example.com
+      action: member
+      state: absent

playbooks/servicedelegationtarget/servicedelegationtarget-member-present.yml

@@ -0,0 +1,12 @@
+---
+- name: Servicedelegationtarget member present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure member test/example.com is present in servicedelegationtarget test-delegation-target
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-target
+      principal: test/example.com
+      action: member

playbooks/servicedelegationtarget/servicedelegationtarget-present.yml

@@ -0,0 +1,10 @@
+---
+- name: Servicedelegationtarget present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget test-delegation-target is present
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-target

playbooks/sudocmdgroup/ensure-sudocmdgroup-is-absent.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Ensure sudocmdgroup is absent
     ipasudocmdgroup:
-      ipaadmin_password: pass1234
+      ipaadmin_password: SomeADMINpassword
       name: network
       state: absent
       action: sudocmdgroup

playbooks/sudocmdgroup/ensure-sudocmdgroup-is-present.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Ensure sudocmdgroup sudocmds are present
     ipasudocmdgroup:
-      ipaadmin_password: pass1234
+      ipaadmin_password: SomeADMINpassword
       name: network
       description: Group of important commands.
       sudocmd:

playbooks/sudorule/ensure-sudorule-is-absent.yml

@@ -6,6 +6,6 @@
   tasks:
   - name: Ensure sudorule command is absent
     ipasudorule:
-      ipaadmin_password: pass1234
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
       state: absent

playbooks/topology/add-topologysegments.yml

@@ -14,7 +14,7 @@
   tasks:
   - name: Add topology segment
     ipatopologysegment:
-      ipaadmin_password: "{{ ipaadmin_password }}"
+      ipaadmin_password: SomeADMINpassword
       suffix: "{{ item.suffix }}"
       name: "{{ item.name | default(omit) }}"
       left: "{{ item.left }}"

playbooks/topology/check-topologysegments.yml

@@ -14,7 +14,7 @@
   tasks:
   - name: Add topology segment
     ipatopologysegment:
-      ipaadmin_password: "{{ ipaadmin_password }}"
+      ipaadmin_password: SomeADMINpassword
       suffix: "{{ item.suffix }}"
       name: "{{ item.name | default(omit) }}"
       left: "{{ item.left }}"

playbooks/topology/delete-topologysegments.yml

@@ -14,7 +14,7 @@
   tasks:
   - name: Add topology segment
     ipatopologysegment:
-      ipaadmin_password: "{{ ipaadmin_password }}"
+      ipaadmin_password: SomeADMINpassword
       suffix: "{{ item.suffix }}"
       name: "{{ item.name | default(omit) }}"
       left: "{{ item.left }}"

playbooks/trust/add-trust.yml

@@ -6,6 +6,7 @@
   tasks:
     - name: ensure the trust is present
       ipatrust:
+        ipaadmin_password: SomeADMINpassword
         realm: windows.local
         admin: Administrator
         password: secret_password

playbooks/trust/del-trust.yml

@@ -6,5 +6,6 @@
   tasks:
     - name: ensure the trust is absent
       ipatrust:
+        ipaadmin_password: SomeADMINpassword
         realm: windows.local
         state: absent

plugins/doc_fragments/ipamodule_base_docs.py

@@ -45,3 +45,13 @@ options:
     type: bool
     default: true
 """
+
+    DELETE_CONTINUE = r"""
+options:
+  delete_continue:
+    description: |
+      Continuous mode. Don't stop on errors. Valid only if `state` is `absent`.
+    aliases: ["continue"]
+    type: bool
+    default: True
+"""

plugins/module_utils/ansible_freeipa_module.py

@@ -86,6 +86,7 @@ else:
     from ipaplatform.paths import paths
     from ipalib.krb_utils import get_credentials_if_valid
     from ipapython.dnsutil import DNSName
+    from ipapython import kerberos
     from ansible.module_utils.basic import AnsibleModule
     from ansible.module_utils._text import to_text
     from ansible.module_utils.common.text.converters import jsonify
@@ -138,6 +139,13 @@ else:
 
                 return fstore.has_files()
 
+    # Try to import dcerpc
+    try:
+        import ipaserver.dcerpc  # pylint: disable=no-member
+        _dcerpc_bindings_installed = True  # pylint: disable=invalid-name
+    except ImportError:
+        _dcerpc_bindings_installed = False  # pylint: disable=invalid-name
+
     if six.PY3:
         unicode = str
 
@@ -220,6 +228,8 @@ else:
                 ldap_cache: Control use of LDAP cache layer. (bool)
 
         """
+        global _dcerpc_bindings_installed  # pylint: disable=C0103,W0603
+
         env = Env()
         env._bootstrap()
         env._finalize_core(**dict(DEFAULT_CONFIG))
@@ -251,6 +261,7 @@ else:
             backend = api.Backend.ldap2
         else:
             backend = api.Backend.rpcclient
+            _dcerpc_bindings_installed = False
 
         if not backend.isconnected():
             backend.connect(ccache=os.environ.get('KRB5CCNAME', None))
@@ -309,15 +320,49 @@ else:
         raise ValueError("Invalid date '%s'" % value)
 
     def compare_args_ipa(module, args, ipa, ignore=None):  # noqa
-        """Compare IPA obj attrs with the command args.
+        """Compare IPA object attributes against command arguments.
 
-        This function compares IPA objects attributes with the args the
-        module is intending to use to call a command. ignore can be a list
-        of attributes, that should be ignored in the comparison.
-        This is useful to know if a call to IPA server will be needed or not.
-        In order to compare we have to perform slight changes in data formats.
+        This function compares 'ipa' attributes with the 'args' the module
+        is intending to use as parameters to an IPA API command. A list of
+        attribute names that should be ignored during comparison may be
+        provided.
 
-        Returns True if they are the same and False otherwise.
+        The comparison will be performed on every attribute provided in
+        'args'. If the attribute in 'args' or 'ipa' is not a scalar value
+        (including strings) the comparison will be performed as if the
+        attribute is a set of values, so duplicate values will count as a
+        single one. If both values are scalar values, then a direct
+        comparison is performed.
+
+        If an attribute is not available in 'ipa', its value is considered
+        to be a list with an empty string (['']), possibly forcing the
+        conversion of the 'args' attribute to a list for comparison. This
+        allows, for example, the usage of empty strings which should compare
+        as equals to inexistent attributes (None), as is done in IPA API.
+
+        This function is mostly useful to evaluate the need of a call to
+        IPA server when provided arguments are equivalent to the existing
+        values for a given IPA object.
+
+        Parameters
+        ----------
+        module: AnsibleModule
+            The AnsibleModule used to log debug messages.
+
+        args: dict
+            The set of attributes provided by the playbook task.
+
+        ipa: dict
+            The set of attributes from the IPA object retrieved.
+
+        ignore: list
+            An optional list of attribute names that should be ignored and
+            not evaluated.
+
+        Return
+        ------
+            True is returned if all attribute values in 'args' are
+            equivalent to the corresponding attribute value in 'ipa'.
         """
         base_debug_msg = "Ansible arguments and IPA commands differed. "
 
@@ -337,52 +382,45 @@ else:
         filtered_args = [key for key in args if key not in ignore]
 
         for key in filtered_args:
-            if key not in ipa:  # pylint: disable=no-else-return
-                module.debug(
-                    base_debug_msg + "Command key not present in IPA: %s" % key
-                )
-                return False
+            arg = args[key]
+            ipa_arg = ipa.get(key, [""])
+            # If ipa_arg is a list and arg is not, replace arg
+            # with list containing arg. Most args in a find result
+            # are lists, but not all.
+            if isinstance(ipa_arg, (list, tuple)):
+                if not isinstance(arg, list):
+                    arg = [arg]
+                if len(ipa_arg) != len(arg):
+                    module.debug(
+                        base_debug_msg
+                        + "List length doesn't match for key %s: %d %d"
+                        % (key, len(arg), len(ipa_arg),)
+                    )
+                    return False
+                # ensure list elements types are the same.
+                if not (
+                    isinstance(ipa_arg[0], type(arg[0]))
+                    or isinstance(arg[0], type(ipa_arg[0]))
+                ):
+                    arg = [to_text(_arg) for _arg in arg]
+            try:
+                arg_set = set(arg)
+                ipa_arg_set = set(ipa_arg)
+            except TypeError:
+                if arg != ipa_arg:
+                    module.debug(
+                        base_debug_msg
+                        + "Different values: %s %s" % (arg, ipa_arg)
+                    )
+                    return False
             else:
-                arg = args[key]
-                ipa_arg = ipa[key]
-                # If ipa_arg is a list and arg is not, replace arg
-                # with list containing arg. Most args in a find result
-                # are lists, but not all.
-                if isinstance(ipa_arg, tuple):
-                    ipa_arg = list(ipa_arg)
-                if isinstance(ipa_arg, list):
-                    if not isinstance(arg, list):
-                        arg = [arg]
-                    if len(ipa_arg) != len(arg):
-                        module.debug(
-                            base_debug_msg
-                            + "List length doesn't match for key %s: %d %d"
-                            % (key, len(arg), len(ipa_arg),)
-                        )
-                        return False
-                    if isinstance(ipa_arg[0], str) and isinstance(arg[0], int):
-                        arg = [to_text(_arg) for _arg in arg]
-                    if isinstance(ipa_arg[0], unicode) \
-                       and isinstance(arg[0], int):
-                        arg = [to_text(_arg) for _arg in arg]
-                try:
-                    arg_set = set(arg)
-                    ipa_arg_set = set(ipa_arg)
-                except TypeError:
-                    if arg != ipa_arg:
-                        module.debug(
-                            base_debug_msg
-                            + "Different values: %s %s" % (arg, ipa_arg)
-                        )
-                        return False
-                else:
-                    if arg_set != ipa_arg_set:
-                        module.debug(
-                            base_debug_msg
-                            + "Different set content: %s %s"
-                            % (arg_set, ipa_arg_set,)
-                        )
-                        return False
+                if arg_set != ipa_arg_set:
+                    module.debug(
+                        base_debug_msg
+                        + "Different set content: %s %s"
+                        % (arg_set, ipa_arg_set,)
+                    )
+                    return False
         return True
 
     def _afm_convert(value):
@@ -397,11 +435,32 @@ else:
 
         return value
 
-    def module_params_get(module, name):
-        return _afm_convert(module.params.get(name))
-
-    def module_params_get_lowercase(module, name):
+    def module_params_get(module, name, allow_empty_string=False):
         value = _afm_convert(module.params.get(name))
+
+        # Fail on empty strings in the list or if allow_empty_string is True
+        # if there is another entry in the list together with the empty
+        # string.
+        # Due to an issue in Ansible it is possible to use the empty string
+        # "" for lists with choices, even if the empty list is not part of
+        # the choices.
+        # Ansible issue https://github.com/ansible/ansible/issues/77108
+        if isinstance(value, list):
+            for val in value:
+                if isinstance(val, (str, unicode)) and not val:
+                    if not allow_empty_string:
+                        module.fail_json(
+                            msg="Parameter '%s' contains an empty string" %
+                            name)
+                    elif len(value) > 1:
+                        module.fail_json(
+                            msg="Parameter '%s' may not contain another "
+                            "entry together with an empty string" % name)
+
+        return value
+
+    def module_params_get_lowercase(module, name, allow_empty_string=False):
+        value = module_params_get(module, name, allow_empty_string)
         if isinstance(value, list):
             value = [v.lower() for v in value]
         if isinstance(value, (str, unicode)):
@@ -550,6 +609,89 @@ else:
             return False
         return True
 
+    def servicedelegation_normalize_principals(module, principal,
+                                               check_exists=False):
+        """
+        Normalize servicedelegation principals.
+
+        The principals can be service and with IPA 4.9.0+ also host principals.
+        """
+
+        def _normalize_principal_name(name, realm):
+            # Normalize principal name
+            # Copied from ipaserver/plugins/servicedelegation.py
+            try:
+                princ = kerberos.Principal(name, realm=realm)
+            except ValueError as _err:
+                raise ipalib_errors.ValidationError(
+                    name='principal',
+                    reason="Malformed principal: %s" % str(_err))
+
+            if len(princ.components) == 1 and \
+               not princ.components[0].endswith('$'):
+                nprinc = 'host/' + unicode(princ)
+            else:
+                nprinc = unicode(princ)
+            return nprinc
+
+        def _check_exists(module, _type, name):
+            # Check if item of type _type exists using the show command
+            try:
+                module.ipa_command("%s_show" % _type, name, {})
+            except ipalib_errors.NotFound as e:
+                msg = str(e)
+                if "%s not found" % _type in msg:
+                    return False
+                module.fail_json(msg="%s_show failed: %s" % (_type, msg))
+            return True
+
+        ipa_realm = module.ipa_get_realm()
+        _principal = []
+        for _princ in principal:
+            princ = _princ
+            realm = ipa_realm
+
+            # Get principal and realm from _princ if there is a realm
+            if '@' in _princ:
+                princ, realm = _princ.rsplit('@', 1)
+
+            # Lowercase principal
+            princ = princ.lower()
+
+            # Normalize principal
+            try:
+                nprinc = _normalize_principal_name(princ, realm)
+            except ipalib_errors.ValidationError as err:
+                module.fail_json(msg="%s: %s" % (_princ, str(err)))
+            princ = unicode(nprinc)
+
+            # Check that host principal exists
+            if princ.startswith("host/"):
+                if module.ipa_check_version("<", "4.9.0"):
+                    module.fail_json(
+                        msg="The use of host principals is not supported "
+                        "by your IPA version")
+
+                # Get host FQDN (no leading 'host/' and no trailing realm)
+                # (There is no removeprefix and removesuffix in Python2)
+                _host = princ[5:]
+                if _host.endswith("@%s" % realm):
+                    _host = _host[:-len(realm) - 1]
+
+                # Seach for host
+                if check_exists and not _check_exists(module, "host", _host):
+                    module.fail_json(msg="Host '%s' does not exist" % _host)
+
+            # Check the service principal exists
+            else:
+                if check_exists and \
+                   not _check_exists(module, "service", princ):
+                    module.fail_json(msg="Service %s does not exist" % princ)
+
+            _principal.append(princ)
+
+        return _principal
+
     def exit_raw_json(module, **kwargs):
         """
         Print the raw parameters in JSON format, without masking.
@@ -569,6 +711,42 @@ else:
         print(jsonify(kwargs))
         sys.exit(0)
 
+    def __get_domain_validator():
+        if not _dcerpc_bindings_installed:
+            raise ipalib_errors.NotFound(
+                reason=(
+                    'Cannot perform SID validation without Samba 4 support '
+                    'installed. Make sure you have installed server-trust-ad '
+                    'sub-package of IPA on the server'
+                )
+            )
+
+        # pylint: disable=no-member
+        domain_validator = ipaserver.dcerpc.DomainValidator(api)
+        # pylint: enable=no-member
+
+        if not domain_validator.is_configured():
+            raise ipalib_errors.NotFound(
+                reason=(
+                    'Cross-realm trusts are not configured. Make sure you '
+                    'have run ipa-adtrust-install on the IPA server first'
+                )
+            )
+
+        return domain_validator
+
+    def get_trusted_domain_sid_from_name(dom_name):
+        """
+        Given a trust domain name, returns the domain SID.
+
+        Returns unicode string representation for a given trusted domain name
+        or None if SID for the given trusted domain name could not be found.
+        """
+        domain_validator = __get_domain_validator()
+        sid = domain_validator.get_sid_from_domain_name(dom_name)
+
+        return unicode(sid) if sid is not None else None
+
     class IPAParamMapping(Mapping):
         """
         Provides IPA API mapping to playbook parameters or computed values.
@@ -742,6 +920,12 @@ else:
             ipaapi_ldap_cache=dict(type="bool", default="True"),
         )
 
+        ipa_module_options_spec = dict(
+            delete_continue=dict(
+                type="bool", default=True, aliases=["continue"]
+            )
+        )
+
         def __init__(self, *args, **kwargs):
             # Extend argument_spec with ipa_module_base_spec
             if "argument_spec" in kwargs:
@@ -749,6 +933,16 @@ else:
                 _spec.update(self.ipa_module_base_spec)
                 kwargs["argument_spec"] = _spec
 
+            if "ipa_module_options" in kwargs:
+                _update = {
+                    k: self.ipa_module_options_spec[k]
+                    for k in kwargs["ipa_module_options"]
+                }
+                _spec = kwargs.get("argument_spec", {})
+                _spec.update(_update)
+                kwargs["argument_spec"] = _spec
+                del kwargs["ipa_module_options"]
+
             # pylint: disable=super-with-arguments
             super(IPAAnsibleModule, self).__init__(*args, **kwargs)
 
@@ -797,7 +991,7 @@ else:
                 finally:
                     temp_kdestroy(ccache_dir, ccache_name)
 
-        def params_get(self, name):
+        def params_get(self, name, allow_empty_string=False):
             """
             Retrieve value set for module parameter.
 
@@ -805,11 +999,13 @@ else:
             ----------
             name: string
                 The name of the parameter to retrieve.
+            allow_empty_string: bool
+                The parameter allowes to have empty strings in a list
 
             """
-            return module_params_get(self, name)
+            return module_params_get(self, name, allow_empty_string)
 
-        def params_get_lowercase(self, name):
+        def params_get_lowercase(self, name, allow_empty_string=False):
             """
             Retrieve value set for module parameter as lowercase, if not None.
 
@@ -817,9 +1013,11 @@ else:
             ----------
             name: string
                 The name of the parameter to retrieve.
+            allow_empty_string: bool
+                The parameter allowes to have empty strings in a list
 
             """
-            return module_params_get_lowercase(self, name)
+            return module_params_get_lowercase(self, name, allow_empty_string)
 
         def params_fail_used_invalid(self, invalid_params, state, action=None):
             """
@@ -875,10 +1073,11 @@ else:
             """
             return api_command_no_name(self, command, args)
 
-        @staticmethod
-        def ipa_get_domain():
+        def ipa_get_domain(self):
             """Retrieve IPA API domain."""
-            return api_get_domain()
+            if not hasattr(self, "__ipa_api_domain"):
+                setattr(self, "__ipa_api_domain", api_get_domain())
+            return getattr(self, "__ipa_api_domain")
 
         @staticmethod
         def ipa_get_realm():

plugins/modules/ipaautomember.py

@@ -587,7 +587,6 @@ def main():
                         commands.append([None,
                                          'automember_default_group_remove',
                                          {'type': automember_type}])
-                        ansible_module.warn("commands: %s" % repr(commands))
 
                 else:
                     dn_default_group = [DN(('cn', default_group),

plugins/modules/ipaautomountkey.py

@@ -0,0 +1,235 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Chris Procter <cprocter@redhat.com>
+#
+# Copyright (C) 2021 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    "metadata_version": "1.0",
+    "supported_by": "community",
+    "status": ["preview"],
+}
+
+
+DOCUMENTATION = '''
+---
+module: ipaautomountkey
+author: chris procter
+short_description: Manage FreeIPA autommount map
+description:
+- Add, delete, and modify an IPA automount map
+options:
+  ipaadmin_principal:
+    description: The admin principal
+    default: admin
+  ipaadmin_password:
+    description: The admin password
+    required: False
+  location:
+    description: automount location map is in
+    required: True
+    choices: ["automountlocationcn", "automountlocation"]
+  mapname:
+    description: automount map to be managed
+    choices: ["map", "automountmapname", "automountmap"]
+    required: True
+  key:
+    description: automount key to be managed
+    required: True
+    choices: ["name", "automountkey"]
+  newkey:
+    description: key to change to if state is 'renamed'
+    required: True
+    choices: ["newname", "newautomountkey"]
+  info:
+    description: Mount information for the key
+    required: True
+    choices: ["information", "automountinformation"]
+  state:
+    description: State to ensure
+    required: False
+    default: present
+    choices: ["present", "absent", "renamed"]
+'''
+
+EXAMPLES = '''
+  - name: create key TestKey
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      locationcn: TestLocation
+      mapname: TestMap
+      key: TestKey
+      info: 192.168.122.1:/exports
+      state: present
+
+  - name: ensure key TestKey is absent
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      location: TestLocation
+      mapname: TestMap
+      key: TestKey
+      state: absent
+'''
+
+RETURN = '''
+'''
+
+from ansible.module_utils.ansible_freeipa_module import (
+    IPAAnsibleModule, ipalib_errors
+)
+
+
+class AutomountKey(IPAAnsibleModule):
+
+    def __init__(self, *args, **kwargs):
+        # pylint: disable=super-with-arguments
+        super(AutomountKey, self).__init__(*args, **kwargs)
+        self.commands = []
+
+    def get_key(self, location, mapname, key):
+        try:
+            args = {
+                "automountmapautomountmapname": mapname,
+                "automountkey": key,
+                "all": True,
+            }
+            resp = self.ipa_command("automountkey_show", location, args)
+        except ipalib_errors.NotFound:
+            return None
+        else:
+            return resp.get("result")
+
+    def check_ipa_params(self):
+        invalid = []
+        state = self.params_get("state")
+        if state == "present":
+            invalid = ["rename"]
+            if not self.params_get("info"):
+                self.fail_json(msg="Value required for argument 'info'")
+
+        if state == "rename":
+            invalid = ["info"]
+            if not self.params_get("rename"):
+                self.fail_json(msg="Value required for argument 'renamed'")
+
+        if state == "absent":
+            invalid = ["info", "rename"]
+
+        self.params_fail_used_invalid(invalid, state)
+
+    @staticmethod
+    def get_args(mapname, key, info, rename):
+        _args = {}
+        if mapname:
+            _args["automountmapautomountmapname"] = mapname
+        if key:
+            _args["automountkey"] = key
+        if info:
+            _args["automountinformation"] = info
+        if rename:
+            _args["rename"] = rename
+        return _args
+
+    def define_ipa_commands(self):
+        state = self.params_get("state")
+        location = self.params_get("location")
+        mapname = self.params_get("mapname")
+        key = self.params_get("key")
+        info = self.params_get("info")
+        rename = self.params_get("rename")
+
+        args = self.get_args(mapname, key, info, rename)
+
+        res_find = self.get_key(location, mapname, key)
+
+        if state == "present":
+            if res_find is None:
+                # does not exist and is wanted
+                self.commands.append([location, "automountkey_add", args])
+            else:
+                # exists and is wanted, check for changes
+                if info not in res_find.get("automountinformation"):
+                    self.commands.append([location, "automountkey_mod", args])
+
+        if state == "renamed":
+            if res_find is None:
+                self.fail_json(
+                    msg=(
+                        "Cannot rename inexistent key: '%s', '%s', '%s'"
+                        % (location, mapname, key)
+                    )
+                )
+            self.commands.append([location, "automountkey_mod", args])
+
+        if state == "absent":
+            # if key exists and self.ipa_params.state == "absent":
+            if res_find is not None:
+                self.commands.append([location, "automountkey_del", args])
+
+
+def main():
+    ipa_module = AutomountKey(
+        argument_spec=dict(
+            state=dict(
+                type='str',
+                choices=['present', 'absent', 'renamed'],
+                required=None,
+                default='present',
+            ),
+            location=dict(
+                type="str",
+                aliases=["automountlocationcn", "automountlocation"],
+                required=True,
+            ),
+            rename=dict(
+                type="str",
+                aliases=["new_name", "newautomountkey"],
+                required=False,
+            ),
+            mapname=dict(
+                type="str",
+                aliases=["map", "automountmapname", "automountmap"],
+                required=True,
+            ),
+            key=dict(
+                type="str",
+                aliases=["name", "automountkey"],
+                required=True,
+            ),
+            info=dict(
+                type="str",
+                aliases=["information", "automountinformation"],
+                required=False,
+            ),
+        ),
+    )
+    ipaapi_context = ipa_module.params_get("ipaapi_context")
+    with ipa_module.ipa_connect(context=ipaapi_context):
+        ipa_module.check_ipa_params()
+        ipa_module.define_ipa_commands()
+        changed = ipa_module.execute_ipa_commands(ipa_module.commands)
+    ipa_module.exit_json(changed=changed)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/ipaautomountmap.py

@@ -0,0 +1,197 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# Authors:
+#   Chris Procter <cprocter@redhat.com>
+#
+# Copyright (C) 2021 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    "metadata_version": "1.0",
+    "supported_by": "community",
+    "status": ["preview"],
+}
+
+
+DOCUMENTATION = '''
+---
+module: ipaautomountmap
+author: Chris Procter
+short_description: Manage FreeIPA autommount map
+description:
+- Add, delete, and modify an IPA automount map
+options:
+  ipaadmin_principal:
+    description: The admin principal.
+    default: admin
+  ipaadmin_password:
+    description: The admin password.
+    required: false
+  automountlocation:
+    description: automount location map is anchored to
+    choices: ["location", "automountlocationcn"]
+    required: True
+  name:
+    description: automount map to be managed.
+    choices: ["mapname", "map", "automountmapname"]
+    required: True
+  desc:
+    description: description of automount map.
+    choices: ["description"]
+    required: false
+  state:
+    description: State to ensure
+    required: false
+    default: present
+    choices: ["present", "absent"]
+'''
+
+EXAMPLES = '''
+  - name: ensure map named auto.DMZ in location DMZ is present
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: auto.DMZ
+      location: DMZ
+      desc: "this is a map for servers in the DMZ"
+
+  - name: remove a map named auto.DMZ in location DMZ if it exists
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: auto.DMZ
+      location: DMZ
+      state: absent
+'''
+
+RETURN = '''
+'''
+
+from ansible.module_utils.ansible_freeipa_module import (
+    IPAAnsibleModule, compare_args_ipa
+)
+
+
+class AutomountMap(IPAAnsibleModule):
+
+    def __init__(self, *args, **kwargs):
+        # pylint: disable=super-with-arguments
+        super(AutomountMap, self).__init__(*args, **kwargs)
+        self.commands = []
+
+    def get_automountmap(self, location, name):
+        try:
+            response = self.ipa_command(
+                "automountmap_show",
+                location,
+                {"automountmapname": name, "all": True}
+            )
+        except Exception:  # pylint: disable=broad-except
+            return None
+        else:
+            return response["result"]
+
+    def check_ipa_params(self):
+        invalid = []
+        name = self.params_get("name")
+        state = self.params_get("state")
+        if state == "present":
+            if len(name) != 1:
+                self.fail_json(msg="Exactly one name must be provided for"
+                                   " 'state: present'.")
+        if state == "absent":
+            if len(name) == 0:
+                self.fail_json(msg="At least one 'name' must be provided for"
+                                   " 'state: absent'")
+            invalid = ["desc"]
+
+        self.params_fail_used_invalid(invalid, state)
+
+    def get_args(self, mapname, desc):  # pylint: disable=no-self-use
+        # automountmapname is required for all automountmap operations.
+        if not mapname:
+            self.fail_json(msg="automountmapname cannot be None or empty.")
+        _args = {"automountmapname": mapname}
+        # An empty string is valid and will clear the attribute.
+        if desc is not None:
+            _args["description"] = desc
+        return _args
+
+    def define_ipa_commands(self):
+        name = self.params_get("name")
+        state = self.params_get("state")
+        location = self.params_get("location")
+        desc = self.params_get("desc")
+
+        for mapname in name:
+            automountmap = self.get_automountmap(location, mapname)
+
+            if state == "present":
+                args = self.get_args(mapname, desc)
+                if automountmap is None:
+                    self.commands.append([location, "automountmap_add", args])
+                else:
+                    if not compare_args_ipa(self, args, automountmap):
+                        self.commands.append(
+                            [location, "automountmap_mod", args]
+                        )
+
+            if state == "absent":
+                if automountmap is not None:
+                    self.commands.append([
+                        location,
+                        "automountmap_del",
+                        {"automountmapname": [mapname]}
+                    ])
+
+
+def main():
+    ipa_module = AutomountMap(
+        argument_spec=dict(
+            state=dict(type='str',
+                       default='present',
+                       choices=['present', 'absent']
+                       ),
+            location=dict(type="str",
+                          aliases=["automountlocation", "automountlocationcn"],
+                          default=None,
+                          required=True
+                          ),
+            name=dict(type="list",
+                      aliases=["mapname", "map", "automountmapname"],
+                      default=None,
+                      required=True
+                      ),
+            desc=dict(type="str",
+                      aliases=["description"],
+                      required=False,
+                      default=None
+                      ),
+        ),
+    )
+    changed = False
+    ipaapi_context = ipa_module.params_get("ipaapi_context")
+    with ipa_module.ipa_connect(context=ipaapi_context):
+        ipa_module.check_ipa_params()
+        ipa_module.define_ipa_commands()
+        changed = ipa_module.execute_ipa_commands(ipa_module.commands)
+    ipa_module.exit_json(changed=changed)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/ipaconfig.py

@@ -346,11 +346,13 @@ def main():
         "ca_renewal_master_server": "ca_renewal_master_server",
         "domain_resolution_order": "ipadomainresolutionorder"
     }
+    allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
     reverse_field_map = {v: k for k, v in field_map.items()}
 
     params = {}
     for x in field_map:
-        val = ansible_module.params_get(x)
+        val = ansible_module.params_get(
+            x, allow_empty_string=(x in allow_empty_string))
 
         if val is not None:
             params[field_map.get(x, x)] = val
@@ -401,6 +403,10 @@ def main():
                 k: v for k, v in params.items()
                 if k not in result or result[k] != v
             }
+            # Remove empty string args from params if result arg is not set
+            for k in ["ipakrbauthzdata", "ipauserauthtype", "ipaconfigstring"]:
+                if k not in result and k in params and params[k] == [""]:
+                    del params[k]
             if params \
                and not compare_args_ipa(ansible_module, params, result):
                 changed = True
@@ -441,6 +447,13 @@ def main():
                             raise ValueError(
                                 "Unexpected attribute type: %s" % arg_type)
                         exit_args[k] = type_map[arg_type](value)
+            # Add empty pac_type and user_auth_type if they are not set
+            for key in ["pac_type", "user_auth_type"]:
+                if key not in exit_args:
+                    exit_args[key] = ""
+            # Add empty domain_resolution_order if it is not set
+            if "domain_resolution_order" not in exit_args:
+                exit_args["domain_resolution_order"] = []
 
     # Done
     ansible_module.exit_json(changed=changed, config=exit_args)

plugins/modules/ipadnsconfig.py

@@ -54,13 +54,22 @@ options:
       global forwarders.
     required: false
     choices: ['only', 'first', 'none']
+    alias: ["forwardpolicy"]
   allow_sync_ptr:
     description:
       Allow synchronization of forward (A, AAAA) and reverse (PTR) records.
     required: false
     type: bool
+  action:
+    description: |
+      Work on dnsconfig or member level. It can be one of `member` or
+      `dnsconfig`. Only `forwarders` can be managed with `action: member`.
+    default: "dnsconfig"
+    choices: ["member", "dnsconfig"]
   state:
-    description: State to ensure
+    description: |
+      The state to ensure. It can be one of `present` or `absent`.
+      `absent` can only be used with `action: member` and `forwarders`.
     default: present
     choices: ["present", "absent"]
 """
@@ -83,6 +92,7 @@ EXAMPLES = """
       - ip_address: 2001:4860:4860::8888
         port: 53
     state: absent
+    action: member
 
 # Disable PTR record synchronization.
 - ipadnsconfig:
@@ -118,7 +128,7 @@ def find_dnsconfig(module):
     return None
 
 
-def gen_args(module, state, dnsconfig, forwarders, forward_policy,
+def gen_args(module, state, action, dnsconfig, forwarders, forward_policy,
              allow_sync_ptr):
     _args = {}
 
@@ -137,15 +147,20 @@ def gen_args(module, state, dnsconfig, forwarders, forward_policy,
 
         global_forwarders = dnsconfig.get('idnsforwarders', [])
         if state == 'absent':
-            _args['idnsforwarders'] = [
-                fwd for fwd in global_forwarders if fwd not in _forwarders]
-            # When all forwarders should be excluded, use an empty string ('').
-            if not _args['idnsforwarders']:
-                _args['idnsforwarders'] = ['']
+            if action == "member":
+                _args['idnsforwarders'] = [
+                    fwd for fwd in global_forwarders if fwd not in _forwarders]
+                # When all forwarders should be excluded,
+                # use an empty string ('').
+                if not _args['idnsforwarders']:
+                    _args['idnsforwarders'] = ['']
 
         elif state == 'present':
-            _args['idnsforwarders'] = [
-                fwd for fwd in _forwarders if fwd not in global_forwarders]
+            if action == "member":
+                _args['idnsforwarders'] = \
+                    list(set(list(_forwarders) + list(global_forwarders)))
+            else:
+                _args['idnsforwarders'] = _forwarders
             # If no forwarders should be added, remove argument.
             if not _args['idnsforwarders']:
                 del _args['idnsforwarders']
@@ -175,10 +190,13 @@ def main():
             forwarders=dict(type='list', default=None, required=False,
                             options=dict(**forwarder_spec)),
             forward_policy=dict(type='str', required=False, default=None,
-                                choices=['only', 'first', 'none']),
+                                choices=['only', 'first', 'none'],
+                                aliases=["forwardpolicy"]),
             allow_sync_ptr=dict(type='bool', required=False, default=None),
 
             # general
+            action=dict(type="str", default="dnsconfig",
+                        choices=["member", "dnsconfig"]),
             state=dict(type="str", default="present",
                        choices=["present", "absent"]),
         )
@@ -191,11 +209,17 @@ def main():
     forward_policy = ansible_module.params_get('forward_policy')
     allow_sync_ptr = ansible_module.params_get('allow_sync_ptr')
 
+    action = ansible_module.params_get('action')
     state = ansible_module.params_get('state')
 
     # Check parameters.
     invalid = []
+    if state == "present" and action == "member":
+        invalid = ['forward_policy', 'allow_sync_ptr']
     if state == 'absent':
+        if action != "member":
+            ansible_module.fail_json(
+                msg="State 'absent' is only valid with action 'member'.")
         invalid = ['forward_policy', 'allow_sync_ptr']
 
     ansible_module.params_fail_used_invalid(invalid, state)
@@ -208,7 +232,7 @@ def main():
     with ansible_module.ipa_connect():
 
         res_find = find_dnsconfig(ansible_module)
-        args = gen_args(ansible_module, state, res_find, forwarders,
+        args = gen_args(ansible_module, state, action, res_find, forwarders,
                         forward_policy, allow_sync_ptr)
 
         # Execute command only if configuration changes.

plugins/modules/ipadnsforwardzone.py

@@ -68,7 +68,7 @@ options:
     required: false
     default: only
     choices: ["only", "first", "none"]
-    aliases: ["idnsforwarders"]
+    aliases: ["idnsforwarders", "forward_policy"]
   skip_overlap_check:
     description:
     - Force DNS zone creation even if it will overlap with an existing zone.
@@ -189,7 +189,8 @@ def main():
                                  port=dict(type='int', required=False,
                                            default=None),
                             )),
-            forwardpolicy=dict(type='str', aliases=["idnsforwardpolicy"],
+            forwardpolicy=dict(type='str',
+                               aliases=["idnsforwardpolicy", "forward_policy"],
                                required=False,
                                choices=['only', 'first', 'none']),
             skip_overlap_check=dict(type='bool', required=False),