Merge pull request #867 from jpclipffel/master

ipaclient: Removed invalid call `logger.info()`

.ansible-lint

@@ -14,6 +14,8 @@ exclude_paths:
 kinds:
   - playbook: '**/tests/**/test_*.yml'
   - playbook: '**/playbooks/**/*.yml'
+  - tasks: '**/tasks_*.yml'
+  - tasks: '**/env_*.yml'
 
 parseable: true
 

.github/workflows/ansible-test.yml

@@ -0,0 +1,17 @@
+---
+name: ansible-test sanity
+on:
+  - push
+  - pull_request
+jobs:
+  ansible_test:
+    name: Verify ansible-test sanity
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+      - name: Install virtualenv using pip
+        run: pip install virtualenv
+      - name: Run ansible-test
+        run: bash tests/sanity/sanity.sh

.github/workflows/docs.yml

@@ -12,9 +12,11 @@ jobs:
       - uses: actions/setup-python@v2
         with:
           python-version: '3.x'
-      - name: Run ansible-doc-test
+      - name: Install Ansible 2.9
         run: |
           python -m pip install "ansible < 2.10"
+      - name: Run ansible-doc-test
+        run: |
           ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
 
   check_docs_2_11:
@@ -25,9 +27,27 @@ jobs:
       - uses: actions/setup-python@v2
         with:
           python-version: '3.x'
-      - name: Run ansible-doc-test
+      - name: Install Ansible 2.11
         run: |
           python -m pip install "ansible-core >=2.11,<2.12"
+      - name: Run ansible-doc-test
+        run: |
+          ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
+
+  check_docs_2_12:
+    name: Check Ansible Documentation with ansible-core 2.12.
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: '3.x'
+      - name: Install Ansible 2.12
+        run: |
+          python -m pip install "ansible-core >=2.12,<2.13"
+      - name: Run ansible-doc-test
+        run: |
+          python -m pip install "ansible-core >=2.12,<2.13"
           ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
 
   check_docs_latest:
@@ -38,7 +58,9 @@ jobs:
       - uses: actions/setup-python@v2
         with:
           python-version: '3.x'
-      - name: Run ansible-doc-test
+      - name: Install Ansible-latest
         run: |
           python -m pip install ansible
+      - name: Run ansible-doc-test
+        run: |
           ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins

.github/workflows/lint.yml

@@ -13,15 +13,9 @@ jobs:
         with:
           python-version: "3.x"
       - name: Run ansible-lint
-        uses: ansible/ansible-lint-action@master
-        with:
-          targets: |
-            tests/*.yml
-            tests/*/*.yml
-            tests/*/*/*.yml
-            playbooks/*.yml
-            playbooks/*/*.yml
-            roles/*/*/*.yml
+        run: |
+          pip install ansible-core==2.11.6 ansible-lint
+          find playbooks roles tests -name '*.yml' ! -name "env_*" ! -name "tasks_*" -exec ansible-lint --force-color {} \+
         env:
           ANSIBLE_MODULE_UTILS: plugins/module_utils
           ANSIBLE_LIBRARY: plugins/modules
@@ -74,8 +68,8 @@ jobs:
           python-version: "3.x"
       - name: Run pylint
         run: |
-            pip install pylint==2.10.2
-            pylint plugins --disable=import-error
+            pip install pylint==2.12.2
+            pylint plugins roles --disable=import-error
 
   shellcheck:
     name: Shellcheck

.github/workflows/readme.yml

@@ -0,0 +1,16 @@
+---
+name: readme test
+on:
+  - push
+  - pull_request
+jobs:
+  ansible_test:
+    name: Verify readme
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run readme test
+        run: |
+          error=0
+          for i in roles/ipa*/README.md README-*.md; do grep -q $i README.md && echo "OK: $i" || { echo -e "\033[31;1mERROR: ${i} missing\033[0m"; error=1; } done
+          exit $error

.pre-commit-config.yaml

@@ -1,7 +1,7 @@
 ---
 repos:
 - repo: https://github.com/ansible/ansible-lint.git
-  rev: v5.1.2
+  rev: v5.3.2
   hooks:
   - id: ansible-lint
     always_run: false
@@ -24,7 +24,7 @@ repos:
   hooks:
   - id: pydocstyle
 - repo: https://github.com/pycqa/pylint
-  rev: v2.10.2
+  rev: v2.12.2
   hooks:
   - id: pylint
     args:
@@ -38,8 +38,10 @@ repos:
     entry: utils/ansible-doc-test
     # args: ['-v', 'roles', 'plugins']
     files: ^.*.py$
-- repo: https://github.com/koalaman/shellcheck-precommit
-  rev: v0.8.0
+- repo: local
   hooks:
   - id: shellcheck
-    args: ["--severity=warning"]  # Only show errors and warnings
+    name: ShellCheck
+    language: system
+    entry: shellcheck
+    files: \.sh$

README-automountkey.md

@@ -0,0 +1,112 @@
+Automountkey module
+=====================
+
+Description
+-----------
+
+The automountkey module allows management of keys within an automount map.
+
+It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
+
+
+Features
+--------
+* Automount key management
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaautomountkey module.
+
+Requirements
+------------
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to ensure presence of an automount key:
+
+```yaml
+---
+- name: Playbook to manage automount key
+  hosts: ipaserver
+
+  tasks:
+  - name: ensure automount key TestKey is present
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      location: TestLocation
+      mapname: TestMap
+      key: TestKey
+      info: 192.168.122.1:/exports
+      state: present
+```
+
+Example playbook to rename an automount map:
+
+```yaml
+---
+- name: Playbook to add an automount map
+  hosts: ipaserver
+
+  tasks:
+  - name: ensure aumount key TestKey is renamed to NewKeyName
+    ipaautomountkey:
+      ipaadmin_password: password01
+      automountlocationcn: TestLocation
+      automountmapname: TestMap
+      automountkey: TestKey
+      newname: NewKeyName
+      state: renamed
+```
+
+Example playbook to ensure an automount key is absent:
+
+```yaml
+---
+- name: Playbook to manage an automount key
+  hosts: ipaserver
+
+  tasks:
+  - name: ensure automount key TestKey is absent
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      location: TestLocation
+      mapname: TestMap
+      key: TestKey
+      state: absent
+```
+
+
+Variables
+=========
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`location` \| `automountlocationcn` \| `automountlocation` | Location name. | yes
+`mapname` \|  `map` \| `automountmapname` \| `automountmap` | Map the key belongs to | yes
+`key` \| `name` \| `automountkey` | Automount key to manage | yes
+`rename` \| `new_name` \| `newautomountkey` | the name to change the key to if state is `renamed` | yes when state is `renamed`
+`info` \| `information` \| `automountinformation` | Mount information for the key | yes when state is `present`
+`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
+
+Authors
+=======
+
+Chris Procter

README-automountmap.md

@@ -0,0 +1,96 @@
+Automountmap module
+=====================
+
+Description
+-----------
+
+The automountmap module allows the addition and removal of maps within automount locations.
+
+It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
+
+
+Features
+--------
+* Automount map management
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaautomountmap module.
+
+Requirements
+------------
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to ensure presence of an automount map:
+
+```yaml
+---
+- name: Playbook to add an automount map
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: ensure map named auto.DMZ in location DMZ is created
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: auto.DMZ
+      location: DMZ
+      desc: "this is a map for servers in the DMZ"
+```
+
+Example playbook to ensure auto.DMZi is absent:
+
+```yaml
+---
+- name: Playbook to remove an automount map
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: ensure map auto.DMZ has been removed
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: auto.DMZ
+      location: DMZ
+      state: absent
+```
+
+
+Variables
+=========
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `mapname` \| `map` \| `automountmapname` | Name of the map to manage | yes
+`location` \| `automountlocation` \| `automountlocationcn` | Location name. | yes
+`desc` \| `description` | Description of the map | yes
+`state` | The state to ensure. It can be one of `present`, or `absent`, default: `present`. | no
+
+
+Notes
+=====
+
+Creation of indirect mount points are not supported.
+
+Authors
+=======
+
+Chris Procter

README-dnsconfig.md

@@ -71,6 +71,7 @@ Example playbook to ensure a global forwarder, with a custom port, is absent:
       forwarders:
           - ip_address: 2001:4860:4860::8888
             port: 53
+      action: member
       state: absent
 ```
 
@@ -128,9 +129,10 @@ Variable | Description | Required
 `forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
   | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
   | `port` - The custom port that should be used on this server. | no
-`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`.  | no
+`forward_policy` \| `forwardpolicy` | The global forwarding policy. It can be one of `only`, `first`, or `none`.  | no
 `allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | yes
-`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
+`action` | Work on dnsconfig or member level. It can be one of `member` or `dnsconfig` and defaults to `dnsconfig`. Only `forwarders` can be managed with `action: member`. | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. `absent` can only be used with `action: member` and `forwarders`. | yes
 
 
 Authors

README-dnsforwardzone.md

@@ -110,7 +110,7 @@ Variable | Description | Required
 `forwarders` \| `idnsforwarders` |  Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
   | `ip_address`: The forwarder IP address. | yes
   | `port`: The forwarder IP port. | no
-`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
+`forwardpolicy` \| `idnsforwardpolicy` \| `forward_policy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
 `skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
 `permission` | Allow DNS Forward Zone to be managed. (bool) | no
 `action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no

README-group.md

@@ -100,7 +100,7 @@ Example playbook to add group members to a group:
   become: true
 
   tasks:
-  # Add group members sysops and appops to group sysops
+  # Add group members sysops and appops to group ops
   - ipagroup:
       ipaadmin_password: SomeADMINpassword
       name: ops
@@ -166,6 +166,7 @@ Variable | Description | Required
 `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
+`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
 

README-idrange.md

@@ -0,0 +1,196 @@
+Idrange module
+============
+
+Description
+-----------
+
+The idrange module allows the management of ID ranges.
+
+In general it is not necessary to modify or delete ID ranges. If there is no other way to achieve a certain configuration than to modify or delete an ID range it should be done with great care. Because UIDs are stored in the file system and are used for access control it might be possible that users are allowed to access files of other users if an ID range got deleted and reused for a different domain.
+
+
+Use cases
+---------
+
+* Add an ID range from a transitively trusted domain
+
+If the trusted domain (A) trusts another domain (B) as well and this trust is transitive 'ipa trust-add domain-A' will only create a range for domain A. The ID range for domain B must be added manually.
+
+* Add an additional ID range for the local domain
+
+If the ID range of the local domain is exhausted, i.e. no new IDs can be assigned to Posix users or groups by the DNA plugin, a new range has to be created to allow new users and groups to be added. (Currently there is no connection between this range CLI and the DNA plugin, but a future version might be able to modify the configuration of the DNS plugin as well).
+
+
+Features
+--------
+
+* ID Range management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaidrange module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to ensure a local domain idrange is present:
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure an ID Range for the local domain is present.
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: local_domain_id_range
+      base_id: 150000
+      range_size: 200000
+```
+
+Example playbook to ensure a local domain idrange is present, with RID and secondary RID base values:
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure local idrange is present
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: local_domain_id_range
+      base_id: 150000000
+      range_size: 200000
+      rid_base: 1000000
+      secondary_rid_base: 200000000
+```
+
+Example playbook to ensure an AD-trust idrange is present, with range type 'trust-ad' and using domain SID:
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure AD-trust idrange is present
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: ad_id_range
+      base_id: 150000000
+      range_size: 200000
+      idrange_type: ipa-ad-trust
+      dom_sid: S-1-5-21-2870384104-3340008087-3140804251
+```
+
+Example playbook to ensure an AD-trust idrange is present, with range type 'trust-ad-posix' and using domain SID:
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure AD-trust idrange is present
+    ipaidrange:
+      name: ad_posix_id_range
+      base_id: 150000000
+      range_size: 200000
+      idrange_type: ipa-ad-trust-posix
+      dom_name: ad.ipa.test
+```
+
+Example playbook to ensure an AD-trust idrange has auto creation of groups set to 'hybrid':
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Modify AD-trust idrange 'auto_private_groups'
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+      name: ad_id_range
+      auto_private_groups: "hybrid"
+```
+
+Example playbook to make sure an idrange is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA idrange.
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure ID range 'ad_id_range' is absent.
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: ad_id_range
+      state: absent
+```
+
+
+Variables
+---------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
+`name` \| `cn` | The list of idrange name strings. | yes
+`base_id` \| `ipabaseid` | First Posix ID of the range. (int) | yes, if `state: present`
+`range_size` \| `ipaidrangesize` | Number of IDs in the range. (int) | yes, if `state: present`
+`rid_base` \| `ipabaserid` | First RID of the corresponding RID range. (int) | no
+`secondary_rid_base` \| `ipasecondarybaserid` | First RID of the secondary RID range. (int) | no
+`dom_sid` \| `ipanttrusteddomainsid` | Domain SID of the trusted domain. | no
+`idrange_type` \| `iparangetype` | ID range type, one of `ipa-ad-trust`, `ipa-ad-trust-posix`, `ipa-local`. Only valid if idrange does not exist. | no
+`dom_name` \| `ipanttrusteddomainname` | Name of the trusted domain. Can only be used when `ipaapi_context: server`. | no
+`auto_private_groups` \| `ipaautoprivategroups` | Auto creation of private groups, one of `true`, `false`, `hybrid`. | no
+`delete_continue` \| `continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Notes
+=====
+
+DNA plugin in 389-ds will allocate IDs based on the ranges configured for the local domain. Currently the DNA plugin *cannot* be reconfigured itself based on the local ranges set via this family of commands.
+
+Manual configuration change has to be done in the DNA plugin configuration for the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be modified to match the new range.
+
+
+Authors
+=======
+
+Rafael Guterres Jeffman

README-service.md

@@ -293,8 +293,8 @@ Variable | Description | Required
 `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
 `name` \| `service` | The list of service name strings. | yes
 `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
-`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
-`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
+`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit` or `hardened`.  Use empty string to reset auth_ind to the initial value. | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
 `ok_as_delegate` \|  `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
 `ok_to_auth_as_delegate` \|  `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no

README-servicedelegationrule.md

@@ -0,0 +1,172 @@
+Servicedelegationrule module
+============
+
+Description
+-----------
+
+The servicedelegationrule module allows to ensure presence and absence of servicedelegationrules and servicedelegationrule members.
+
+Features
+--------
+
+* Servicedelegationrule management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaservicedelegationrule module.
+
+Host princpals are only usable with IPA versions 4.9.0 and up.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule is present:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule is present
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule member principal test/example.com is present:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule member principal test/example.com is present
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+      principal: test/example.com
+      action: member
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule member principal test/example.com is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule member principal test/example.com is absent
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+      principal: test/example.com
+      action: member
+      state: absent
+    state: absent
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule member target delegation-target is present:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule member target delegation-target is present
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+      target: delegation-target
+      action: member
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule member target delegation-target is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule member target delegation-target is absent
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+      target: delegation-target
+      action: member
+      state: absent
+    state: absent
+```
+
+
+Example playbook to make sure servicedelegationrule delegation-rule is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationrule
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule delegation-rule is absent
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-rule
+      state: absent
+```
+
+
+Variables
+---------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
+`name` \| `cn` | The list of servicedelegationrule name strings. | yes
+`principal` |  The list of principals. A principal can be of the format: fqdn, fqdn@REALM, service/fqdn, service/fqdn@REALM, host/fqdn, host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM are host principals and the same as host/fqdn and host/fqdn@REALM. Host princpals are only usable with IPA versions 4.9.0 and up. | no
+`target` \| `servicedelegationtarget` | The list of service delegation targets. | no
+`action` | Work on servicedelegationrule or member level. It can be on of `member` or `servicedelegationrule` and defaults to `servicedelegationrule`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner

README-servicedelegationtarget.md

@@ -0,0 +1,133 @@
+Servicedelegationtarget module
+============
+
+Description
+-----------
+
+The servicedelegationtarget module allows to ensure presence and absence of servicedelegationtargets and servicedelegationtarget members.
+
+Features
+--------
+
+* Servicedelegationtarget management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaservicedelegationtarget module.
+
+Host princpals are only usable with IPA versions 4.9.0 and up.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure servicedelegationtarget delegation-target is present:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationtarget
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget delegation-target is present
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-target
+```
+
+
+Example playbook to make sure servicedelegationtarget delegation-target member principal test/example.com is present:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationtarget
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget delegation-target member principal test/example.com is present
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-target
+      principal: test/example.com
+      action: member
+```
+
+
+Example playbook to make sure servicedelegationtarget delegation-target member principal test/example.com is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationtarget
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget delegation-target member principal test/example.com is absent
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-target
+      principal: test/example.com
+      action: member
+      state: absent
+    state: absent
+```
+
+
+Example playbook to make sure servicedelegationtarget delegation-target is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA servicedelegationtarget
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget delegation-target is absent
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: delegation-target
+      state: absent
+```
+
+
+Variables
+---------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
+`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
+`name` \| `cn` | The list of servicedelegationtarget name strings. | yes
+`principal` |  The list of principals. A principal can be of the format: fqdn, fqdn@REALM, service/fqdn, service/fqdn@REALM, host/fqdn, host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM are host principals and the same as host/fqdn and host/fqdn@REALM. Host princpals are only usable with IPA versions 4.9.0 and up. | no
+`action` | Work on servicedelegationtarget or member level. It can be on of `member` or `servicedelegationtarget` and defaults to `servicedelegationtarget`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner

README-trust.md

@@ -105,6 +105,7 @@ Variable | Description | Required
 `password` | Active Directory domain administrator's password string. | no
 `server` | Domain controller for the Active Directory domain string. | no
 `trust_secret` | Shared secret for the trust string. | no
+`trust_type` | Trust type. Currently, only 'ad' for Active Directory is supported. | no
 `base_id` | First posix id for the trusted domain integer. | no
 `range_size` | Size of the ID range reserved for the trusted domain integer. | no
 `range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no

README.md

@@ -12,8 +12,11 @@ Features
 * One-time-password (OTP) support for client installation
 * Repair mode for clients
 * Backup and restore, also to and from controller
+* Smartcard setup for servers and clients
 * Modules for automembership rule management
+* Modules for automount key management
 * Modules for automount location management
+* Modules for automount map management
 * Modules for config management
 * Modules for delegation management
 * Modules for dns config management
@@ -26,6 +29,7 @@ Features
 * Modules for hbacsvcgroup management
 * Modules for host management
 * Modules for hostgroup management
+* Modules for idrange management
 * Modules for location management
 * Modules for permission management
 * Modules for privilege management
@@ -34,6 +38,8 @@ Features
 * Modules for self service management
 * Modules for server management
 * Modules for service management
+* Modules for service delegation rule management
+* Modules for service delegation target management
 * Modules for sudocmd management
 * Modules for sudocmdgroup management
 * Modules for sudorule management
@@ -63,7 +69,6 @@ Requirements
 **Controller**
 * Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
 * /usr/bin/kinit is required on the controller if a one time password (OTP) is used
-* python3-gssapi is required on the controller if a one time password (OTP) is used with keytab to install the client.
 
 **Node**
 * Supported FreeIPA version (see above)
@@ -283,7 +288,8 @@ ipaserver_domain=test.local
 ipaserver_realm=TEST.LOCAL
 ```
 
-For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server. It is needed to have the python-gssapi bindings installed on the controller for this.
+For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server.
+
 To enable the generation of the one-time-password:
 ```yaml
 [ipaclients:vars]
@@ -420,12 +426,16 @@ Roles
 * [Replica](roles/ipareplica/README.md)
 * [Client](roles/ipaclient/README.md)
 * [Backup](roles/ipabackup/README.md)
+* [SmartCard server](roles/ipasmartcard_server/README.md)
+* [SmartCard client](roles/ipasmartcard_client/README.md)
 
 Modules in plugin/modules
 =========================
 
 * [ipaautomember](README-automember.md)
+* [ipaautomountkey](README-automountkey.md)
 * [ipaautomountlocation](README-automountlocation.md)
+* [ipaautomountmap](README-automountmap.md)
 * [ipaconfig](README-config.md)
 * [ipadelegation](README-delegation.md)
 * [ipadnsconfig](README-dnsconfig.md)
@@ -435,9 +445,10 @@ Modules in plugin/modules
 * [ipagroup](README-group.md)
 * [ipahbacrule](README-hbacrule.md)
 * [ipahbacsvc](README-hbacsvc.md)
-* [ipahbacsvcgroup](README-hbacsvc.md)
+* [ipahbacsvcgroup](README-hbacsvcgroup.md)
 * [ipahost](README-host.md)
 * [ipahostgroup](README-hostgroup.md)
+* [idrange](README-idrange.md)
 * [ipalocation](README-location.md)
 * [ipapermission](README-permission.md)
 * [ipaprivilege](README-privilege.md)
@@ -446,6 +457,8 @@ Modules in plugin/modules
 * [ipaselfservice](README-selfservice.md)
 * [ipaserver](README-server.md)
 * [ipaservice](README-service.md)
+* [ipaservicedelegationrule](README-servicedelegationrule.md)
+* [ipaservicedelegationtarget](README-servicedelegationtarget.md)
 * [ipasudocmd](README-sudocmd.md)
 * [ipasudocmdgroup](README-sudocmdgroup.md)
 * [ipasudorule](README-sudorule.md)

molecule/c8s-build/Dockerfile

@@ -0,0 +1,30 @@
+FROM quay.io/centos/centos:stream8
+ENV container=docker
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/python3 \
+    /usr/bin/python3-config \
+    /usr/bin/dnf-3 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute && \
+dnf clean all; \
+(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*;\
+rm -f /etc/systemd/system/*.wants/*;\
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*;\
+rm -f /lib/systemd/system/anaconda.target.wants/*; \
+rm -rf /var/cache/dnf/;
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]

molecule/c8s-build/molecule.yml

@@ -0,0 +1,19 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: c8s-build
+    image: "quay.io/centos/centos:stream8"
+    dockerfile: Dockerfile
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 8.8.8.8
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare-build.yml
+prerun: false

molecule/c8s/molecule.yml

@@ -2,8 +2,8 @@
 driver:
   name: docker
 platforms:
-  - name: centos-8
-    image: quay.io/ansible-freeipa/upstream-tests:centos-8
+  - name: c8s
+    image: quay.io/ansible-freeipa/upstream-tests:c8s
     pre_build_image: true
     hostname: ipaserver.test.local
     dns_servers:
@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare.yml
+prerun: false

molecule/c9s-build/Dockerfile

@@ -5,7 +5,6 @@ RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
     /usr/bin/python3 \
-    /usr/bin/python3-config \
     /usr/bin/dnf-3 \
     sudo \
     bash \

molecule/c9s-build/molecule.yml

@@ -2,7 +2,7 @@
 driver:
   name: docker
 platforms:
-  - name: centos-9-build
+  - name: c9s-build
     image: "quay.io/centos/centos:stream9"
     dockerfile: Dockerfile
     hostname: ipaserver.test.local
@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare-build.yml
+prerun: false

molecule/c9s/molecule.yml

@@ -0,0 +1,19 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: c9s
+    image: quay.io/ansible-freeipa/upstream-tests:c9s
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 127.0.0.1
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare.yml
+prerun: false

molecule/centos-7-build/molecule.yml

@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare-build.yml
+prerun: false

molecule/centos-7/molecule.yml

@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare.yml
+prerun: false

molecule/default

@@ -1 +1 @@
-centos-8
+fedora-latest

molecule/fedora-latest-build/molecule.yml

@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare-build.yml
+prerun: false

molecule/fedora-latest/molecule.yml

@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare.yml
+prerun: false

molecule/fedora-rawhide-build/Dockerfile

@@ -0,0 +1,30 @@
+FROM fedora:rawhide
+ENV container=docker
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/python3 \
+    /usr/bin/python3-config \
+    /usr/bin/dnf-3 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute && \
+dnf clean all; \
+(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*;\
+rm -f /etc/systemd/system/*.wants/*;\
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*;\
+rm -f /lib/systemd/system/anaconda.target.wants/*; \
+rm -rf /var/cache/dnf/;
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]

molecule/fedora-rawhide-build/molecule.yml

@@ -2,9 +2,9 @@
 driver:
   name: docker
 platforms:
-  - name: centos-8-build
-    image: "centos:centos8"
-    pre_build_image: true
+  - name: fedora-rawhide-build
+    image: "fedora:rawhide"
+    dockerfile: Dockerfile
     hostname: ipaserver.test.local
     dns_servers:
       - 8.8.8.8
@@ -16,3 +16,4 @@ provisioner:
   name: ansible
   playbooks:
     prepare: ../resources/playbooks/prepare-build.yml
+prerun: false

molecule/fedora-rawhide/molecule.yml

@@ -0,0 +1,19 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: fedora-rawhide
+    image: quay.io/ansible-freeipa/upstream-tests:fedora-rawhide
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 127.0.0.1
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare.yml
+prerun: false

molecule/resources/playbooks/prepare.yml

@@ -25,3 +25,24 @@
     ansible.builtin.service:
       name: ipa
       state: started
+
+  - name: Wait for krb5dkc to be running
+    ansible.builtin.service_facts:
+    no_log: True
+    register: result
+    until: "'krb5kdc.service' in result.ansible_facts.services and \
+            result.ansible_facts.services['krb5kdc.service'].state == 'running'"
+    retries: 30
+    delay: 5
+
+  - name: Check if TGT is available for admin.
+    ansible.builtin.shell:
+      cmd: echo SomeADMINpassword | kinit -c ansible_freeipa_cache admin
+    register: result
+    until: not result.failed
+    retries: 30
+    delay: 5
+
+  - name: Cleanup TGT.
+    ansible.builtin.shell:
+      cmd: kdestroy -c ansible_freeipa_cache -A

playbooks/automount/automount-map-absent.yaml

@@ -0,0 +1,12 @@
+---
+- name: Automount map absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: ensure map TestMap is absent
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: TestMap
+      location: TestLocation
+      state: absent

playbooks/automount/automount-map-present.yaml

@@ -0,0 +1,12 @@
+---
+- name: Automount map present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: ensure map TestMap is present
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: TestMap
+      location: TestLocation
+      desc: "this is a test map"

playbooks/automount/automountkey-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage an automout key
+  hosts: ipaserver
+
+  tasks:
+  - name: Ensure autmount key is present
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      location: TestLocation
+      mapname: TestMap
+      key: TestKey
+      info: 192.168.122.1:/exports
+      state: present

playbooks/automount/automountkey-renamed.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage an automount key
+  hosts: ipaserver
+
+  tasks:
+  - name: Ensure aumount key TestKey is renamed to NewKeyName
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      automountlocationcn: TestLocation
+      automountmapname: TestMap
+      automountkey: TestKey
+      newname: NewKeyName
+      state: renamed

playbooks/automount/automoutkey-absent.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook to manage an automount key
+  hosts: ipaserver
+
+  tasks:
+  - name: Ensure autmount key is present
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      location: TestLocation
+      mapname: TestMap
+      key: TestKey
+      state: absent

playbooks/dnsconfig/disable-global-forwarders.yml

@@ -6,4 +6,5 @@
   tasks:
   - name: Disable global forwarders.
     ipadnsconfig:
+      ipaadmin_password: SomeADMINpassword
       forward_policy: none

playbooks/dnsconfig/disallow-reverse-sync.yml

@@ -6,4 +6,5 @@
   tasks:
   - name: Disallow reverse record synchronization.
     ipadnsconfig:
+      ipaadmin_password: SomeADMINpassword
       allow_sync_ptr: no

playbooks/dnsconfig/forwarders-absent.yml

@@ -4,10 +4,12 @@
   become: true
 
   tasks:
-  - name: Set dnsconfig.
+  - name: Set dnsconfig forwarders.
     ipadnsconfig:
+      ipaadmin_password: SomeADMINpassword
       forwarders:
         - ip_address: 8.8.4.4
         - ip_address: 2001:4860:4860::8888
           port: 53
+      action: member
       state: absent

playbooks/dnsconfig/forwarders-present.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Set dnsconfig forwarders.
+    ipadnsconfig:
+      ipaadmin_password: SomeADMINpassword
+      forwarders:
+        - ip_address: 8.8.4.4
+        - ip_address: 2001:4860:4860::8888
+          port: 53
+      action: member

playbooks/dnsconfig/set-configuration.yml

@@ -6,6 +6,7 @@
   tasks:
   - name: Set dnsconfig.
     ipadnsconfig:
+      ipaadmin_password: SomeADMINpassword
       forwarders:
         - ip_address: 8.8.4.4
         - ip_address: 2001:4860:4860::8888

playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml

@@ -7,6 +7,7 @@
   tasks:
   - name: Ensure that 'host04' has CNAME, with cname_hostname, is absent
     ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
       zone_name: example.com
       name: host04
       cname_hostname: host04.example.com

playbooks/dnsrecord/ensure-CNAME-record-is-present.yml

@@ -7,6 +7,7 @@
   tasks:
   - name: Ensure that 'host04' has CNAME, with cname_hostname, is present
     ipadnsrecord:
+      ipaadmin_password: SomeADMINpassword
       zone_name: example.com
       name: host04
       cname_hostname: host04.example.com

playbooks/idrange/idrange-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Idrange absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure idrange is absent
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: id_range
+      state: absent

playbooks/idrange/idrange-ad-posix-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Playbook to manage idrange
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure AD-trust idrange is present
+    ipaidrange:
+      name: id_range
+      base_id: 150000000
+      range_size: 200000
+      rid_base: 1000000
+      idrange_type: ipa-ad-trust-posix
+      dom_name: ad.ipa.test
+      auto_private_groups: "false"

playbooks/idrange/idrange-ad-present.yml

@@ -0,0 +1,16 @@
+---
+- name: Playbook to manage idrange
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure AD-trust idrange is present
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: ad_id_range
+      base_id: 150000000
+      range_size: 200000
+      rid_base: 1000000
+      idrange_type: ipa-ad-trust
+      dom_sid: S-1-5-21-2870384104-3340008087-3140804251
+      auto_private_groups: "true"

playbooks/idrange/idrange-present.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage idrange
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure local idrange is present
+    ipaidrange:
+      ipaadmin_password: SomeADMINpassword
+      name: id_range
+      base_id: 150000000
+      range_size: 200000
+      rid_base: 1000000
+      secondary_rid_base: 200000000

playbooks/install-smartcard-clients.yml

@@ -0,0 +1,8 @@
+---
+- name: Playbook to setup smartcard for IPA clients
+  hosts: ipaclients
+  become: true
+
+  roles:
+  - role: ipasmartcard_client
+    state: present

playbooks/install-smartcard-replicas.yml

@@ -0,0 +1,8 @@
+---
+- name: Playbook to setup smartcard for IPA replicas
+  hosts: ipareplicas
+  become: true
+
+  roles:
+  - role: ipasmartcard_server
+    state: present

playbooks/install-smartcard-server.yml

@@ -0,0 +1,8 @@
+---
+- name: Playbook to setup smartcard for IPA server
+  hosts: ipaserver
+  become: true
+
+  roles:
+  - role: ipasmartcard_server
+    state: present

playbooks/install-smartcard-servers.yml

@@ -0,0 +1,8 @@
+---
+- name: Playbook to setup smartcard for IPA server and replicas
+  hosts: ipaserver, ipareplicas
+  become: true
+
+  roles:
+  - role: ipasmartcard_server
+    state: present

playbooks/privilege/privilege-absent.yml

@@ -6,5 +6,6 @@
   tasks:
   - name: Ensure privilege "Broad Privilege" is absent
     ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
       name: Broad Privilege
       state: absent

playbooks/servicedelegationrule/servicedelegationrule-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Servicedelegationrule absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule test-delegation-rule is absent
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule
+      state: absent

playbooks/servicedelegationrule/servicedelegationrule-present.yml

@@ -0,0 +1,10 @@
+---
+- name: Servicedelegationrule present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationrule test-delegation-rule is present
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule

playbooks/servicedelegationrule/servicedelegationrule-principal-member-absent.yml

@@ -0,0 +1,13 @@
+---
+- name: Servicedelegationrule principal member absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure principal member test/example.com is absent in servicedelegationrule test-delegation-rule
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule
+      principal: test/example.com
+      action: member
+      state: absent

playbooks/servicedelegationrule/servicedelegationrule-principal-member-present.yml

@@ -0,0 +1,12 @@
+---
+- name: Servicedelegationrule principal member present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure principal member test/example.com is present in servicedelegationrule test-delegation-rule
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule
+      principal: test/example.com
+      action: member

playbooks/servicedelegationrule/servicedelegationrule-target-member-absent.yml

@@ -0,0 +1,13 @@
+---
+- name: Servicedelegationrule absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure member test/example.com is absent in servicedelegationrule test-delegation-rule
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule
+      principal: test/example.com
+      action: member
+      state: absent

playbooks/servicedelegationrule/servicedelegationrule-target-member-present.yml

@@ -0,0 +1,12 @@
+---
+- name: Servicedelegationrule member present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure member test/example.com is present in servicedelegationrule test-delegation-rule
+    ipaservicedelegationrule:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-rule
+      principal: test/example.com
+      action: member

playbooks/servicedelegationtarget/servicedelegationtarget-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Servicedelegationtarget absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget test-delegation-target is absent
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-target
+      state: absent

playbooks/servicedelegationtarget/servicedelegationtarget-member-absent.yml

@@ -0,0 +1,13 @@
+---
+- name: Servicedelegationtarget absent example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure member test/example.com is absent in servicedelegationtarget test-delegation-target
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-target
+      principal: test/example.com
+      action: member
+      state: absent

playbooks/servicedelegationtarget/servicedelegationtarget-member-present.yml

@@ -0,0 +1,12 @@
+---
+- name: Servicedelegationtarget member present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure member test/example.com is present in servicedelegationtarget test-delegation-target
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-target
+      principal: test/example.com
+      action: member

playbooks/servicedelegationtarget/servicedelegationtarget-present.yml

@@ -0,0 +1,10 @@
+---
+- name: Servicedelegationtarget present example
+  hosts: ipaserver
+  become: no
+
+  tasks:
+  - name: Ensure servicedelegationtarget test-delegation-target is present
+    ipaservicedelegationtarget:
+      ipaadmin_password: SomeADMINpassword
+      name: test-delegation-target

playbooks/sudocmdgroup/ensure-sudocmdgroup-is-absent.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Ensure sudocmdgroup is absent
     ipasudocmdgroup:
-      ipaadmin_password: pass1234
+      ipaadmin_password: SomeADMINpassword
       name: network
       state: absent
       action: sudocmdgroup

playbooks/sudocmdgroup/ensure-sudocmdgroup-is-present.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Ensure sudocmdgroup sudocmds are present
     ipasudocmdgroup:
-      ipaadmin_password: pass1234
+      ipaadmin_password: SomeADMINpassword
       name: network
       description: Group of important commands.
       sudocmd:

playbooks/sudorule/ensure-sudorule-is-absent.yml

@@ -6,6 +6,6 @@
   tasks:
   - name: Ensure sudorule command is absent
     ipasudorule:
-      ipaadmin_password: pass1234
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
       state: absent

playbooks/topology/add-topologysegments.yml

@@ -14,7 +14,7 @@
   tasks:
   - name: Add topology segment
     ipatopologysegment:
-      ipaadmin_password: "{{ ipaadmin_password }}"
+      ipaadmin_password: SomeADMINpassword
       suffix: "{{ item.suffix }}"
       name: "{{ item.name | default(omit) }}"
       left: "{{ item.left }}"

playbooks/topology/check-topologysegments.yml

@@ -14,7 +14,7 @@
   tasks:
   - name: Add topology segment
     ipatopologysegment:
-      ipaadmin_password: "{{ ipaadmin_password }}"
+      ipaadmin_password: SomeADMINpassword
       suffix: "{{ item.suffix }}"
       name: "{{ item.name | default(omit) }}"
       left: "{{ item.left }}"

playbooks/topology/delete-topologysegments.yml

@@ -14,7 +14,7 @@
   tasks:
   - name: Add topology segment
     ipatopologysegment:
-      ipaadmin_password: "{{ ipaadmin_password }}"
+      ipaadmin_password: SomeADMINpassword
       suffix: "{{ item.suffix }}"
       name: "{{ item.name | default(omit) }}"
       left: "{{ item.left }}"

playbooks/trust/add-trust.yml

@@ -6,6 +6,7 @@
   tasks:
     - name: ensure the trust is present
       ipatrust:
+        ipaadmin_password: SomeADMINpassword
         realm: windows.local
         admin: Administrator
         password: secret_password

playbooks/trust/del-trust.yml

@@ -6,5 +6,6 @@
   tasks:
     - name: ensure the trust is absent
       ipatrust:
+        ipaadmin_password: SomeADMINpassword
         realm: windows.local
         state: absent

plugins/doc_fragments/ipamodule_base_docs.py

@@ -45,3 +45,13 @@ options:
     type: bool
     default: true
 """
+
+    DELETE_CONTINUE = r"""
+options:
+  delete_continue:
+    description: |
+      Continuous mode. Don't stop on errors. Valid only if `state` is `absent`.
+    aliases: ["continue"]
+    type: bool
+    default: True
+"""

plugins/module_utils/ansible_freeipa_module.py

@@ -28,8 +28,8 @@ __metaclass__ = type
 __all__ = ["gssapi", "netaddr", "api", "ipalib_errors", "Env",
            "DEFAULT_CONFIG", "LDAP_GENERALIZED_TIME_FORMAT",
            "kinit_password", "kinit_keytab", "run", "DN", "VERSION",
-           "paths", "get_credentials_if_valid", "Encoding",
-           "load_pem_x509_certificate", "DNSName"]
+           "paths", "tasks", "get_credentials_if_valid", "Encoding",
+           "load_pem_x509_certificate", "DNSName", "getargspec"]
 
 import sys
 
@@ -48,29 +48,32 @@ else:
     import gssapi
     from datetime import datetime
     from contextlib import contextmanager
-    import inspect
+
+    # Import getargspec from inspect or provide own getargspec for
+    # Python 2 compatibility with Python 3.11+.
+    try:
+        from inspect import getargspec
+    except ImportError:
+        from collections import namedtuple
+        from inspect import getfullargspec
+
+        # The code is copied from Python 3.10 inspect.py
+        # Authors: Ka-Ping Yee <ping@lfw.org>
+        #          Yury Selivanov <yselivanov@sprymix.com>
+        ArgSpec = namedtuple('ArgSpec', 'args varargs keywords defaults')
+
+        def getargspec(func):
+            args, varargs, varkw, defaults, kwonlyargs, _kwonlydefaults, \
+                ann = getfullargspec(func)
+            if kwonlyargs or ann:
+                raise ValueError(
+                    "Function has keyword-only parameters or annotations"
+                    ", use inspect.signature() API which can support them")
+            return ArgSpec(args, varargs, varkw, defaults)
 
     # ansible-freeipa requires locale to be C, IPA requires utf-8.
     os.environ["LANGUAGE"] = "C"
 
-    try:
-        from packaging import version
-    except ImportError:
-        # If `packaging` not found, split version string for creating version
-        # object. Although it is not PEP 440 compliant, it will work for stable
-        # FreeIPA releases.
-        import re
-
-        class version:  # pylint: disable=invalid-name, too-few-public-methods
-            @staticmethod
-            def parse(version_str):
-                """
-                Split a version string A.B.C, into a tuple.
-
-                This will not work for `rc`, `dev` or similar version string.
-                """
-                return tuple(re.split("[-_.]", version_str))  # noqa: W605
-
     from ipalib import api
     from ipalib import errors as ipalib_errors  # noqa
     from ipalib.config import Env
@@ -84,8 +87,10 @@ else:
     from ipapython.dn import DN
     from ipapython.version import VERSION
     from ipaplatform.paths import paths
+    from ipaplatform.tasks import tasks
     from ipalib.krb_utils import get_credentials_if_valid
     from ipapython.dnsutil import DNSName
+    from ipapython import kerberos
     from ansible.module_utils.basic import AnsibleModule
     from ansible.module_utils._text import to_text
     from ansible.module_utils.common.text.converters import jsonify
@@ -138,6 +143,13 @@ else:
 
                 return fstore.has_files()
 
+    # Try to import dcerpc
+    try:
+        import ipaserver.dcerpc  # pylint: disable=no-member
+        _dcerpc_bindings_installed = True  # pylint: disable=invalid-name
+    except ImportError:
+        _dcerpc_bindings_installed = False  # pylint: disable=invalid-name
+
     if six.PY3:
         unicode = str
 
@@ -220,6 +232,8 @@ else:
                 ldap_cache: Control use of LDAP cache layer. (bool)
 
         """
+        global _dcerpc_bindings_installed  # pylint: disable=C0103,W0603
+
         env = Env()
         env._bootstrap()
         env._finalize_core(**dict(DEFAULT_CONFIG))
@@ -251,6 +265,7 @@ else:
             backend = api.Backend.ldap2
         else:
             backend = api.Backend.rpcclient
+            _dcerpc_bindings_installed = False
 
         if not backend.isconnected():
             backend.connect(ccache=os.environ.get('KRB5CCNAME', None))
@@ -288,8 +303,8 @@ else:
         operation = oper_map.get(oper)
         if not operation:
             raise NotImplementedError("Invalid operator: %s" % oper)
-        return operation(version.parse(VERSION),
-                         version.parse(requested_version))
+        return operation(tasks.parse_ipa_version(VERSION),
+                         tasks.parse_ipa_version(requested_version))
 
     def date_format(value):
         accepted_date_formats = [
@@ -309,15 +324,49 @@ else:
         raise ValueError("Invalid date '%s'" % value)
 
     def compare_args_ipa(module, args, ipa, ignore=None):  # noqa
-        """Compare IPA obj attrs with the command args.
+        """Compare IPA object attributes against command arguments.
 
-        This function compares IPA objects attributes with the args the
-        module is intending to use to call a command. ignore can be a list
-        of attributes, that should be ignored in the comparison.
-        This is useful to know if a call to IPA server will be needed or not.
-        In order to compare we have to perform slight changes in data formats.
+        This function compares 'ipa' attributes with the 'args' the module
+        is intending to use as parameters to an IPA API command. A list of
+        attribute names that should be ignored during comparison may be
+        provided.
 
-        Returns True if they are the same and False otherwise.
+        The comparison will be performed on every attribute provided in
+        'args'. If the attribute in 'args' or 'ipa' is not a scalar value
+        (including strings) the comparison will be performed as if the
+        attribute is a set of values, so duplicate values will count as a
+        single one. If both values are scalar values, then a direct
+        comparison is performed.
+
+        If an attribute is not available in 'ipa', its value is considered
+        to be a list with an empty string (['']), possibly forcing the
+        conversion of the 'args' attribute to a list for comparison. This
+        allows, for example, the usage of empty strings which should compare
+        as equals to inexistent attributes (None), as is done in IPA API.
+
+        This function is mostly useful to evaluate the need of a call to
+        IPA server when provided arguments are equivalent to the existing
+        values for a given IPA object.
+
+        Parameters
+        ----------
+        module: AnsibleModule
+            The AnsibleModule used to log debug messages.
+
+        args: dict
+            The set of attributes provided by the playbook task.
+
+        ipa: dict
+            The set of attributes from the IPA object retrieved.
+
+        ignore: list
+            An optional list of attribute names that should be ignored and
+            not evaluated.
+
+        Return
+        ------
+            True is returned if all attribute values in 'args' are
+            equivalent to the corresponding attribute value in 'ipa'.
         """
         base_debug_msg = "Ansible arguments and IPA commands differed. "
 
@@ -337,52 +386,45 @@ else:
         filtered_args = [key for key in args if key not in ignore]
 
         for key in filtered_args:
-            if key not in ipa:  # pylint: disable=no-else-return
-                module.debug(
-                    base_debug_msg + "Command key not present in IPA: %s" % key
-                )
-                return False
+            arg = args[key]
+            ipa_arg = ipa.get(key, [""])
+            # If ipa_arg is a list and arg is not, replace arg
+            # with list containing arg. Most args in a find result
+            # are lists, but not all.
+            if isinstance(ipa_arg, (list, tuple)):
+                if not isinstance(arg, list):
+                    arg = [arg]
+                if len(ipa_arg) != len(arg):
+                    module.debug(
+                        base_debug_msg
+                        + "List length doesn't match for key %s: %d %d"
+                        % (key, len(arg), len(ipa_arg),)
+                    )
+                    return False
+                # ensure list elements types are the same.
+                if not (
+                    isinstance(ipa_arg[0], type(arg[0]))
+                    or isinstance(arg[0], type(ipa_arg[0]))
+                ):
+                    arg = [to_text(_arg) for _arg in arg]
+            try:
+                arg_set = set(arg)
+                ipa_arg_set = set(ipa_arg)
+            except TypeError:
+                if arg != ipa_arg:
+                    module.debug(
+                        base_debug_msg
+                        + "Different values: %s %s" % (arg, ipa_arg)
+                    )
+                    return False
             else:
-                arg = args[key]
-                ipa_arg = ipa[key]
-                # If ipa_arg is a list and arg is not, replace arg
-                # with list containing arg. Most args in a find result
-                # are lists, but not all.
-                if isinstance(ipa_arg, tuple):
-                    ipa_arg = list(ipa_arg)
-                if isinstance(ipa_arg, list):
-                    if not isinstance(arg, list):
-                        arg = [arg]
-                    if len(ipa_arg) != len(arg):
-                        module.debug(
-                            base_debug_msg
-                            + "List length doesn't match for key %s: %d %d"
-                            % (key, len(arg), len(ipa_arg),)
-                        )
-                        return False
-                    if isinstance(ipa_arg[0], str) and isinstance(arg[0], int):
-                        arg = [to_text(_arg) for _arg in arg]
-                    if isinstance(ipa_arg[0], unicode) \
-                       and isinstance(arg[0], int):
-                        arg = [to_text(_arg) for _arg in arg]
-                try:
-                    arg_set = set(arg)
-                    ipa_arg_set = set(ipa_arg)
-                except TypeError:
-                    if arg != ipa_arg:
-                        module.debug(
-                            base_debug_msg
-                            + "Different values: %s %s" % (arg, ipa_arg)
-                        )
-                        return False
-                else:
-                    if arg_set != ipa_arg_set:
-                        module.debug(
-                            base_debug_msg
-                            + "Different set content: %s %s"
-                            % (arg_set, ipa_arg_set,)
-                        )
-                        return False
+                if arg_set != ipa_arg_set:
+                    module.debug(
+                        base_debug_msg
+                        + "Different set content: %s %s"
+                        % (arg_set, ipa_arg_set,)
+                    )
+                    return False
         return True
 
     def _afm_convert(value):
@@ -397,11 +439,32 @@ else:
 
         return value
 
-    def module_params_get(module, name):
-        return _afm_convert(module.params.get(name))
-
-    def module_params_get_lowercase(module, name):
+    def module_params_get(module, name, allow_empty_string=False):
         value = _afm_convert(module.params.get(name))
+
+        # Fail on empty strings in the list or if allow_empty_string is True
+        # if there is another entry in the list together with the empty
+        # string.
+        # Due to an issue in Ansible it is possible to use the empty string
+        # "" for lists with choices, even if the empty list is not part of
+        # the choices.
+        # Ansible issue https://github.com/ansible/ansible/issues/77108
+        if isinstance(value, list):
+            for val in value:
+                if isinstance(val, (str, unicode)) and not val:
+                    if not allow_empty_string:
+                        module.fail_json(
+                            msg="Parameter '%s' contains an empty string" %
+                            name)
+                    elif len(value) > 1:
+                        module.fail_json(
+                            msg="Parameter '%s' may not contain another "
+                            "entry together with an empty string" % name)
+
+        return value
+
+    def module_params_get_lowercase(module, name, allow_empty_string=False):
+        value = module_params_get(module, name, allow_empty_string)
         if isinstance(value, list):
             value = [v.lower() for v in value]
         if isinstance(value, (str, unicode)):
@@ -550,6 +613,89 @@ else:
             return False
         return True
 
+    def servicedelegation_normalize_principals(module, principal,
+                                               check_exists=False):
+        """
+        Normalize servicedelegation principals.
+
+        The principals can be service and with IPA 4.9.0+ also host principals.
+        """
+
+        def _normalize_principal_name(name, realm):
+            # Normalize principal name
+            # Copied from ipaserver/plugins/servicedelegation.py
+            try:
+                princ = kerberos.Principal(name, realm=realm)
+            except ValueError as _err:
+                raise ipalib_errors.ValidationError(
+                    name='principal',
+                    reason="Malformed principal: %s" % str(_err))
+
+            if len(princ.components) == 1 and \
+               not princ.components[0].endswith('$'):
+                nprinc = 'host/' + unicode(princ)
+            else:
+                nprinc = unicode(princ)
+            return nprinc
+
+        def _check_exists(module, _type, name):
+            # Check if item of type _type exists using the show command
+            try:
+                module.ipa_command("%s_show" % _type, name, {})
+            except ipalib_errors.NotFound as e:
+                msg = str(e)
+                if "%s not found" % _type in msg:
+                    return False
+                module.fail_json(msg="%s_show failed: %s" % (_type, msg))
+            return True
+
+        ipa_realm = module.ipa_get_realm()
+        _principal = []
+        for _princ in principal:
+            princ = _princ
+            realm = ipa_realm
+
+            # Get principal and realm from _princ if there is a realm
+            if '@' in _princ:
+                princ, realm = _princ.rsplit('@', 1)
+
+            # Lowercase principal
+            princ = princ.lower()
+
+            # Normalize principal
+            try:
+                nprinc = _normalize_principal_name(princ, realm)
+            except ipalib_errors.ValidationError as err:
+                module.fail_json(msg="%s: %s" % (_princ, str(err)))
+            princ = unicode(nprinc)
+
+            # Check that host principal exists
+            if princ.startswith("host/"):
+                if module.ipa_check_version("<", "4.9.0"):
+                    module.fail_json(
+                        msg="The use of host principals is not supported "
+                        "by your IPA version")
+
+                # Get host FQDN (no leading 'host/' and no trailing realm)
+                # (There is no removeprefix and removesuffix in Python2)
+                _host = princ[5:]
+                if _host.endswith("@%s" % realm):
+                    _host = _host[:-len(realm) - 1]
+
+                # Seach for host
+                if check_exists and not _check_exists(module, "host", _host):
+                    module.fail_json(msg="Host '%s' does not exist" % _host)
+
+            # Check the service principal exists
+            else:
+                if check_exists and \
+                   not _check_exists(module, "service", princ):
+                    module.fail_json(msg="Service %s does not exist" % princ)
+
+            _principal.append(princ)
+
+        return _principal
+
     def exit_raw_json(module, **kwargs):
         """
         Print the raw parameters in JSON format, without masking.
@@ -569,6 +715,42 @@ else:
         print(jsonify(kwargs))
         sys.exit(0)
 
+    def __get_domain_validator():
+        if not _dcerpc_bindings_installed:
+            raise ipalib_errors.NotFound(
+                reason=(
+                    'Cannot perform SID validation without Samba 4 support '
+                    'installed. Make sure you have installed server-trust-ad '
+                    'sub-package of IPA on the server'
+                )
+            )
+
+        # pylint: disable=no-member
+        domain_validator = ipaserver.dcerpc.DomainValidator(api)
+        # pylint: enable=no-member
+
+        if not domain_validator.is_configured():
+            raise ipalib_errors.NotFound(
+                reason=(
+                    'Cross-realm trusts are not configured. Make sure you '
+                    'have run ipa-adtrust-install on the IPA server first'
+                )
+            )
+
+        return domain_validator
+
+    def get_trusted_domain_sid_from_name(dom_name):
+        """
+        Given a trust domain name, returns the domain SID.
+
+        Returns unicode string representation for a given trusted domain name
+        or None if SID for the given trusted domain name could not be found.
+        """
+        domain_validator = __get_domain_validator()
+        sid = domain_validator.get_sid_from_domain_name(dom_name)
+
+        return unicode(sid) if sid is not None else None
+
     class IPAParamMapping(Mapping):
         """
         Provides IPA API mapping to playbook parameters or computed values.
@@ -667,7 +849,10 @@ else:
                 # Check if param_name is actually a param
                 if param_name in self.ansible_module.params:
                     value = self.ansible_module.params_get(param_name)
-                    if isinstance(value, bool):
+                    if (
+                        self.ansible_module.ipa_check_version("<", "4.9.10")
+                        and isinstance(value, bool)
+                    ):
                         value = "TRUE" if value else "FALSE"
 
                 # Since param wasn't a param check if it's a method name
@@ -742,6 +927,12 @@ else:
             ipaapi_ldap_cache=dict(type="bool", default="True"),
         )
 
+        ipa_module_options_spec = dict(
+            delete_continue=dict(
+                type="bool", default=True, aliases=["continue"]
+            )
+        )
+
         def __init__(self, *args, **kwargs):
             # Extend argument_spec with ipa_module_base_spec
             if "argument_spec" in kwargs:
@@ -749,6 +940,16 @@ else:
                 _spec.update(self.ipa_module_base_spec)
                 kwargs["argument_spec"] = _spec
 
+            if "ipa_module_options" in kwargs:
+                _update = {
+                    k: self.ipa_module_options_spec[k]
+                    for k in kwargs["ipa_module_options"]
+                }
+                _spec = kwargs.get("argument_spec", {})
+                _spec.update(_update)
+                kwargs["argument_spec"] = _spec
+                del kwargs["ipa_module_options"]
+
             # pylint: disable=super-with-arguments
             super(IPAAnsibleModule, self).__init__(*args, **kwargs)
 
@@ -797,7 +998,7 @@ else:
                 finally:
                     temp_kdestroy(ccache_dir, ccache_name)
 
-        def params_get(self, name):
+        def params_get(self, name, allow_empty_string=False):
             """
             Retrieve value set for module parameter.
 
@@ -805,11 +1006,13 @@ else:
             ----------
             name: string
                 The name of the parameter to retrieve.
+            allow_empty_string: bool
+                The parameter allowes to have empty strings in a list
 
             """
-            return module_params_get(self, name)
+            return module_params_get(self, name, allow_empty_string)
 
-        def params_get_lowercase(self, name):
+        def params_get_lowercase(self, name, allow_empty_string=False):
             """
             Retrieve value set for module parameter as lowercase, if not None.
 
@@ -817,9 +1020,11 @@ else:
             ----------
             name: string
                 The name of the parameter to retrieve.
+            allow_empty_string: bool
+                The parameter allowes to have empty strings in a list
 
             """
-            return module_params_get_lowercase(self, name)
+            return module_params_get_lowercase(self, name, allow_empty_string)
 
         def params_fail_used_invalid(self, invalid_params, state, action=None):
             """
@@ -875,10 +1080,11 @@ else:
             """
             return api_command_no_name(self, command, args)
 
-        @staticmethod
-        def ipa_get_domain():
+        def ipa_get_domain(self):
             """Retrieve IPA API domain."""
-            return api_get_domain()
+            if not hasattr(self, "__ipa_api_domain"):
+                setattr(self, "__ipa_api_domain", api_get_domain())
+            return getattr(self, "__ipa_api_domain")
 
         @staticmethod
         def ipa_get_realm():
@@ -1029,7 +1235,7 @@ else:
             elif result_handler is not None:
                 if "errors" not in handlers_user_args:
                     # pylint: disable=deprecated-method
-                    argspec = inspect.getargspec(result_handler)
+                    argspec = getargspec(result_handler)
                     if "errors" in argspec.args:
                         handlers_user_args["errors"] = _errors
 

plugins/modules/ipaautomember.py

@@ -587,7 +587,6 @@ def main():
                         commands.append([None,
                                          'automember_default_group_remove',
                                          {'type': automember_type}])
-                        ansible_module.warn("commands: %s" % repr(commands))
 
                 else:
                     dn_default_group = [DN(('cn', default_group),

plugins/modules/ipaautomountkey.py

@@ -0,0 +1,235 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Chris Procter <cprocter@redhat.com>
+#
+# Copyright (C) 2021 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    "metadata_version": "1.0",
+    "supported_by": "community",
+    "status": ["preview"],
+}
+
+
+DOCUMENTATION = '''
+---
+module: ipaautomountkey
+author: chris procter
+short_description: Manage FreeIPA autommount map
+description:
+- Add, delete, and modify an IPA automount map
+options:
+  ipaadmin_principal:
+    description: The admin principal
+    default: admin
+  ipaadmin_password:
+    description: The admin password
+    required: False
+  location:
+    description: automount location map is in
+    required: True
+    choices: ["automountlocationcn", "automountlocation"]
+  mapname:
+    description: automount map to be managed
+    choices: ["map", "automountmapname", "automountmap"]
+    required: True
+  key:
+    description: automount key to be managed
+    required: True
+    choices: ["name", "automountkey"]
+  newkey:
+    description: key to change to if state is 'renamed'
+    required: True
+    choices: ["newname", "newautomountkey"]
+  info:
+    description: Mount information for the key
+    required: True
+    choices: ["information", "automountinformation"]
+  state:
+    description: State to ensure
+    required: False
+    default: present
+    choices: ["present", "absent", "renamed"]
+'''
+
+EXAMPLES = '''
+  - name: create key TestKey
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      locationcn: TestLocation
+      mapname: TestMap
+      key: TestKey
+      info: 192.168.122.1:/exports
+      state: present
+
+  - name: ensure key TestKey is absent
+    ipaautomountkey:
+      ipaadmin_password: SomeADMINpassword
+      location: TestLocation
+      mapname: TestMap
+      key: TestKey
+      state: absent
+'''
+
+RETURN = '''
+'''
+
+from ansible.module_utils.ansible_freeipa_module import (
+    IPAAnsibleModule, ipalib_errors
+)
+
+
+class AutomountKey(IPAAnsibleModule):
+
+    def __init__(self, *args, **kwargs):
+        # pylint: disable=super-with-arguments
+        super(AutomountKey, self).__init__(*args, **kwargs)
+        self.commands = []
+
+    def get_key(self, location, mapname, key):
+        try:
+            args = {
+                "automountmapautomountmapname": mapname,
+                "automountkey": key,
+                "all": True,
+            }
+            resp = self.ipa_command("automountkey_show", location, args)
+        except ipalib_errors.NotFound:
+            return None
+        else:
+            return resp.get("result")
+
+    def check_ipa_params(self):
+        invalid = []
+        state = self.params_get("state")
+        if state == "present":
+            invalid = ["rename"]
+            if not self.params_get("info"):
+                self.fail_json(msg="Value required for argument 'info'")
+
+        if state == "rename":
+            invalid = ["info"]
+            if not self.params_get("rename"):
+                self.fail_json(msg="Value required for argument 'renamed'")
+
+        if state == "absent":
+            invalid = ["info", "rename"]
+
+        self.params_fail_used_invalid(invalid, state)
+
+    @staticmethod
+    def get_args(mapname, key, info, rename):
+        _args = {}
+        if mapname:
+            _args["automountmapautomountmapname"] = mapname
+        if key:
+            _args["automountkey"] = key
+        if info:
+            _args["automountinformation"] = info
+        if rename:
+            _args["rename"] = rename
+        return _args
+
+    def define_ipa_commands(self):
+        state = self.params_get("state")
+        location = self.params_get("location")
+        mapname = self.params_get("mapname")
+        key = self.params_get("key")
+        info = self.params_get("info")
+        rename = self.params_get("rename")
+
+        args = self.get_args(mapname, key, info, rename)
+
+        res_find = self.get_key(location, mapname, key)
+
+        if state == "present":
+            if res_find is None:
+                # does not exist and is wanted
+                self.commands.append([location, "automountkey_add", args])
+            else:
+                # exists and is wanted, check for changes
+                if info not in res_find.get("automountinformation"):
+                    self.commands.append([location, "automountkey_mod", args])
+
+        if state == "renamed":
+            if res_find is None:
+                self.fail_json(
+                    msg=(
+                        "Cannot rename inexistent key: '%s', '%s', '%s'"
+                        % (location, mapname, key)
+                    )
+                )
+            self.commands.append([location, "automountkey_mod", args])
+
+        if state == "absent":
+            # if key exists and self.ipa_params.state == "absent":
+            if res_find is not None:
+                self.commands.append([location, "automountkey_del", args])
+
+
+def main():
+    ipa_module = AutomountKey(
+        argument_spec=dict(
+            state=dict(
+                type='str',
+                choices=['present', 'absent', 'renamed'],
+                required=None,
+                default='present',
+            ),
+            location=dict(
+                type="str",
+                aliases=["automountlocationcn", "automountlocation"],
+                required=True,
+            ),
+            rename=dict(
+                type="str",
+                aliases=["new_name", "newautomountkey"],
+                required=False,
+            ),
+            mapname=dict(
+                type="str",
+                aliases=["map", "automountmapname", "automountmap"],
+                required=True,
+            ),
+            key=dict(
+                type="str",
+                aliases=["name", "automountkey"],
+                required=True,
+            ),
+            info=dict(
+                type="str",
+                aliases=["information", "automountinformation"],
+                required=False,
+            ),
+        ),
+    )
+    ipaapi_context = ipa_module.params_get("ipaapi_context")
+    with ipa_module.ipa_connect(context=ipaapi_context):
+        ipa_module.check_ipa_params()
+        ipa_module.define_ipa_commands()
+        changed = ipa_module.execute_ipa_commands(ipa_module.commands)
+    ipa_module.exit_json(changed=changed)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/ipaautomountmap.py

@@ -0,0 +1,197 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+# Authors:
+#   Chris Procter <cprocter@redhat.com>
+#
+# Copyright (C) 2021 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    "metadata_version": "1.0",
+    "supported_by": "community",
+    "status": ["preview"],
+}
+
+
+DOCUMENTATION = '''
+---
+module: ipaautomountmap
+author: Chris Procter
+short_description: Manage FreeIPA autommount map
+description:
+- Add, delete, and modify an IPA automount map
+options:
+  ipaadmin_principal:
+    description: The admin principal.
+    default: admin
+  ipaadmin_password:
+    description: The admin password.
+    required: false
+  automountlocation:
+    description: automount location map is anchored to
+    choices: ["location", "automountlocationcn"]
+    required: True
+  name:
+    description: automount map to be managed.
+    choices: ["mapname", "map", "automountmapname"]
+    required: True
+  desc:
+    description: description of automount map.
+    choices: ["description"]
+    required: false
+  state:
+    description: State to ensure
+    required: false
+    default: present
+    choices: ["present", "absent"]
+'''
+
+EXAMPLES = '''
+  - name: ensure map named auto.DMZ in location DMZ is present
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: auto.DMZ
+      location: DMZ
+      desc: "this is a map for servers in the DMZ"
+
+  - name: remove a map named auto.DMZ in location DMZ if it exists
+    ipaautomountmap:
+      ipaadmin_password: SomeADMINpassword
+      name: auto.DMZ
+      location: DMZ
+      state: absent
+'''
+
+RETURN = '''
+'''
+
+from ansible.module_utils.ansible_freeipa_module import (
+    IPAAnsibleModule, compare_args_ipa
+)
+
+
+class AutomountMap(IPAAnsibleModule):
+
+    def __init__(self, *args, **kwargs):
+        # pylint: disable=super-with-arguments
+        super(AutomountMap, self).__init__(*args, **kwargs)
+        self.commands = []
+
+    def get_automountmap(self, location, name):
+        try:
+            response = self.ipa_command(
+                "automountmap_show",
+                location,
+                {"automountmapname": name, "all": True}
+            )
+        except Exception:  # pylint: disable=broad-except
+            return None
+        else:
+            return response["result"]
+
+    def check_ipa_params(self):
+        invalid = []
+        name = self.params_get("name")
+        state = self.params_get("state")
+        if state == "present":
+            if len(name) != 1:
+                self.fail_json(msg="Exactly one name must be provided for"
+                                   " 'state: present'.")
+        if state == "absent":
+            if len(name) == 0:
+                self.fail_json(msg="At least one 'name' must be provided for"
+                                   " 'state: absent'")
+            invalid = ["desc"]
+
+        self.params_fail_used_invalid(invalid, state)
+
+    def get_args(self, mapname, desc):  # pylint: disable=no-self-use
+        # automountmapname is required for all automountmap operations.
+        if not mapname:
+            self.fail_json(msg="automountmapname cannot be None or empty.")
+        _args = {"automountmapname": mapname}
+        # An empty string is valid and will clear the attribute.
+        if desc is not None:
+            _args["description"] = desc
+        return _args
+
+    def define_ipa_commands(self):
+        name = self.params_get("name")
+        state = self.params_get("state")
+        location = self.params_get("location")
+        desc = self.params_get("desc")
+
+        for mapname in name:
+            automountmap = self.get_automountmap(location, mapname)
+
+            if state == "present":
+                args = self.get_args(mapname, desc)
+                if automountmap is None:
+                    self.commands.append([location, "automountmap_add", args])
+                else:
+                    if not compare_args_ipa(self, args, automountmap):
+                        self.commands.append(
+                            [location, "automountmap_mod", args]
+                        )
+
+            if state == "absent":
+                if automountmap is not None:
+                    self.commands.append([
+                        location,
+                        "automountmap_del",
+                        {"automountmapname": [mapname]}
+                    ])
+
+
+def main():
+    ipa_module = AutomountMap(
+        argument_spec=dict(
+            state=dict(type='str',
+                       default='present',
+                       choices=['present', 'absent']
+                       ),
+            location=dict(type="str",
+                          aliases=["automountlocation", "automountlocationcn"],
+                          default=None,
+                          required=True
+                          ),
+            name=dict(type="list",
+                      aliases=["mapname", "map", "automountmapname"],
+                      default=None,
+                      required=True
+                      ),
+            desc=dict(type="str",
+                      aliases=["description"],
+                      required=False,
+                      default=None
+                      ),
+        ),
+    )
+    changed = False
+    ipaapi_context = ipa_module.params_get("ipaapi_context")
+    with ipa_module.ipa_connect(context=ipaapi_context):
+        ipa_module.check_ipa_params()
+        ipa_module.define_ipa_commands()
+        changed = ipa_module.execute_ipa_commands(ipa_module.commands)
+    ipa_module.exit_json(changed=changed)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/ipaconfig.py

@@ -346,11 +346,13 @@ def main():
         "ca_renewal_master_server": "ca_renewal_master_server",
         "domain_resolution_order": "ipadomainresolutionorder"
     }
+    allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
     reverse_field_map = {v: k for k, v in field_map.items()}
 
     params = {}
     for x in field_map:
-        val = ansible_module.params_get(x)
+        val = ansible_module.params_get(
+            x, allow_empty_string=(x in allow_empty_string))
 
         if val is not None:
             params[field_map.get(x, x)] = val
@@ -401,6 +403,10 @@ def main():
                 k: v for k, v in params.items()
                 if k not in result or result[k] != v
             }
+            # Remove empty string args from params if result arg is not set
+            for k in ["ipakrbauthzdata", "ipauserauthtype", "ipaconfigstring"]:
+                if k not in result and k in params and params[k] == [""]:
+                    del params[k]
             if params \
                and not compare_args_ipa(ansible_module, params, result):
                 changed = True
@@ -435,12 +441,23 @@ def main():
                     elif (
                         isinstance(value, (tuple, list)) and arg_type == "bool"
                     ):
-                        exit_args[k] = (value[0] == "TRUE")
+                        # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                        # boolean values, so we need to convert it to str
+                        # for comparison.
+                        # See: https://github.com/freeipa/freeipa/pull/6294
+                        exit_args[k] = (str(value[0]).upper() == "TRUE")
                     else:
                         if arg_type not in type_map:
                             raise ValueError(
                                 "Unexpected attribute type: %s" % arg_type)
                         exit_args[k] = type_map[arg_type](value)
+            # Add empty pac_type and user_auth_type if they are not set
+            for key in ["pac_type", "user_auth_type"]:
+                if key not in exit_args:
+                    exit_args[key] = ""
+            # Add empty domain_resolution_order if it is not set
+            if "domain_resolution_order" not in exit_args:
+                exit_args["domain_resolution_order"] = []
 
     # Done
     ansible_module.exit_json(changed=changed, config=exit_args)

plugins/modules/ipadnsconfig.py

@@ -54,13 +54,22 @@ options:
       global forwarders.
     required: false
     choices: ['only', 'first', 'none']
+    alias: ["forwardpolicy"]
   allow_sync_ptr:
     description:
       Allow synchronization of forward (A, AAAA) and reverse (PTR) records.
     required: false
     type: bool
+  action:
+    description: |
+      Work on dnsconfig or member level. It can be one of `member` or
+      `dnsconfig`. Only `forwarders` can be managed with `action: member`.
+    default: "dnsconfig"
+    choices: ["member", "dnsconfig"]
   state:
-    description: State to ensure
+    description: |
+      The state to ensure. It can be one of `present` or `absent`.
+      `absent` can only be used with `action: member` and `forwarders`.
     default: present
     choices: ["present", "absent"]
 """
@@ -83,6 +92,7 @@ EXAMPLES = """
       - ip_address: 2001:4860:4860::8888
         port: 53
     state: absent
+    action: member
 
 # Disable PTR record synchronization.
 - ipadnsconfig:
@@ -118,7 +128,7 @@ def find_dnsconfig(module):
     return None
 
 
-def gen_args(module, state, dnsconfig, forwarders, forward_policy,
+def gen_args(module, state, action, dnsconfig, forwarders, forward_policy,
              allow_sync_ptr):
     _args = {}
 
@@ -137,15 +147,20 @@ def gen_args(module, state, dnsconfig, forwarders, forward_policy,
 
         global_forwarders = dnsconfig.get('idnsforwarders', [])
         if state == 'absent':
-            _args['idnsforwarders'] = [
-                fwd for fwd in global_forwarders if fwd not in _forwarders]
-            # When all forwarders should be excluded, use an empty string ('').
-            if not _args['idnsforwarders']:
-                _args['idnsforwarders'] = ['']
+            if action == "member":
+                _args['idnsforwarders'] = [
+                    fwd for fwd in global_forwarders if fwd not in _forwarders]
+                # When all forwarders should be excluded,
+                # use an empty string ('').
+                if not _args['idnsforwarders']:
+                    _args['idnsforwarders'] = ['']
 
         elif state == 'present':
-            _args['idnsforwarders'] = [
-                fwd for fwd in _forwarders if fwd not in global_forwarders]
+            if action == "member":
+                _args['idnsforwarders'] = \
+                    list(set(list(_forwarders) + list(global_forwarders)))
+            else:
+                _args['idnsforwarders'] = _forwarders
             # If no forwarders should be added, remove argument.
             if not _args['idnsforwarders']:
                 del _args['idnsforwarders']
@@ -158,7 +173,10 @@ def gen_args(module, state, dnsconfig, forwarders, forward_policy,
         _args['idnsforwardpolicy'] = forward_policy
 
     if allow_sync_ptr is not None:
-        _args['idnsallowsyncptr'] = 'TRUE' if allow_sync_ptr else 'FALSE'
+        if module.ipa_check_version("<", "4.9.10"):
+            _args['idnsallowsyncptr'] = "TRUE" if allow_sync_ptr else "FALSE"
+        else:
+            _args['idnsallowsyncptr'] = allow_sync_ptr
 
     return _args
 
@@ -175,13 +193,17 @@ def main():
             forwarders=dict(type='list', default=None, required=False,
                             options=dict(**forwarder_spec)),
             forward_policy=dict(type='str', required=False, default=None,
-                                choices=['only', 'first', 'none']),
+                                choices=['only', 'first', 'none'],
+                                aliases=["forwardpolicy"]),
             allow_sync_ptr=dict(type='bool', required=False, default=None),
 
             # general
+            action=dict(type="str", default="dnsconfig",
+                        choices=["member", "dnsconfig"]),
             state=dict(type="str", default="present",
                        choices=["present", "absent"]),
-        )
+        ),
+        supports_check_mode=True,
     )
 
     ansible_module._ansible_debug = True
@@ -191,11 +213,17 @@ def main():
     forward_policy = ansible_module.params_get('forward_policy')
     allow_sync_ptr = ansible_module.params_get('allow_sync_ptr')
 
+    action = ansible_module.params_get('action')
     state = ansible_module.params_get('state')
 
     # Check parameters.
     invalid = []
+    if state == "present" and action == "member":
+        invalid = ['forward_policy', 'allow_sync_ptr']
     if state == 'absent':
+        if action != "member":
+            ansible_module.fail_json(
+                msg="State 'absent' is only valid with action 'member'.")
         invalid = ['forward_policy', 'allow_sync_ptr']
 
     ansible_module.params_fail_used_invalid(invalid, state)
@@ -208,7 +236,7 @@ def main():
     with ansible_module.ipa_connect():
 
         res_find = find_dnsconfig(ansible_module)
-        args = gen_args(ansible_module, state, res_find, forwarders,
+        args = gen_args(ansible_module, state, action, res_find, forwarders,
                         forward_policy, allow_sync_ptr)
 
         # Execute command only if configuration changes.

plugins/modules/ipadnsforwardzone.py

@@ -68,7 +68,7 @@ options:
     required: false
     default: only
     choices: ["only", "first", "none"]
-    aliases: ["idnsforwarders"]
+    aliases: ["idnsforwarders", "forward_policy"]
   skip_overlap_check:
     description:
     - Force DNS zone creation even if it will overlap with an existing zone.
@@ -189,7 +189,8 @@ def main():
                                  port=dict(type='int', required=False,
                                            default=None),
                             )),
-            forwardpolicy=dict(type='str', aliases=["idnsforwardpolicy"],
+            forwardpolicy=dict(type='str',
+                               aliases=["idnsforwardpolicy", "forward_policy"],
                                required=False,
                                choices=['only', 'first', 'none']),
             skip_overlap_check=dict(type='bool', required=False),
@@ -343,7 +344,13 @@ def main():
 
             if state in ['enabled', 'disabled']:
                 if existing_resource is not None:
-                    is_enabled = existing_resource["idnszoneactive"][0]
+                    # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                    # boolean values, so we need to convert it to str
+                    # for comparison.
+                    # See: https://github.com/freeipa/freeipa/pull/6294
+                    is_enabled = (
+                        str(existing_resource["idnszoneactive"][0]).upper()
+                    )
                 else:
                     ansible_module.fail_json(
                         msg="dnsforwardzone '%s' not found." % (name))

plugins/modules/ipadnszone.py

@@ -418,7 +418,11 @@ class DNSZoneModule(IPAAnsibleModule):
             is_zone_active = False
         else:
             zone = response["result"]
-            is_zone_active = "TRUE" in zone.get("idnszoneactive")
+            # FreeIPA 4.9.10+ and 4.10 use proper mapping for boolean vaalues.
+            # See: https://github.com/freeipa/freeipa/pull/6294
+            is_zone_active = (
+                str(zone.get("idnszoneactive")[0]).upper() == "TRUE"
+            )
 
         return zone, is_zone_active
 

plugins/modules/ipagroup.py

@@ -97,6 +97,11 @@ options:
     required: false
     type: list
     ailases: ["ipaexternalmember", "external_member"]
+  idoverrideuser:
+    description:
+    - User ID overrides to add
+    required: false
+    type: list
   action:
     description: Work on group or member level
     default: group
@@ -181,9 +186,10 @@ EXAMPLES = """
 RETURN = """
 """
 
+from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, \
-    gen_add_list, gen_intersection_list
+    gen_add_list, gen_intersection_list, api_check_param
 
 
 def find_group(module, name):
@@ -198,7 +204,14 @@ def find_group(module, name):
         module.fail_json(
             msg="There is more than one group '%s'" % (name))
     elif len(_result["result"]) == 1:
-        return _result["result"][0]
+        _res = _result["result"][0]
+        # The returned services are of type ipapython.kerberos.Principal,
+        # also services are not case sensitive. Therefore services are
+        # converted to lowercase strings to be able to do the comparison.
+        if "member_service" in _res:
+            _res["member_service"] = \
+                [to_text(svc).lower() for svc in _res["member_service"]]
+        return _res
 
     return None
 
@@ -215,7 +228,7 @@ def gen_args(description, gid, nomembers):
     return _args
 
 
-def gen_member_args(user, group, service, externalmember):
+def gen_member_args(user, group, service, externalmember, idoverrideuser):
     _args = {}
     if user is not None:
         _args["member_user"] = user
@@ -225,6 +238,8 @@ def gen_member_args(user, group, service, externalmember):
         _args["member_service"] = service
     if externalmember is not None:
         _args["member_external"] = externalmember
+    if idoverrideuser is not None:
+        _args["member_idoverrideuser"] = idoverrideuser
 
     return _args
 
@@ -272,6 +287,7 @@ def main():
             user=dict(required=False, type='list', default=None),
             group=dict(required=False, type='list', default=None),
             service=dict(required=False, type='list', default=None),
+            idoverrideuser=dict(required=False, type='list', default=None),
             membermanager_user=dict(required=False, type='list', default=None),
             membermanager_group=dict(required=False, type='list',
                                      default=None),
@@ -304,11 +320,13 @@ def main():
     gid = ansible_module.params_get("gid")
     nonposix = ansible_module.params_get("nonposix")
     external = ansible_module.params_get("external")
+    idoverrideuser = ansible_module.params_get("idoverrideuser")
     posix = ansible_module.params_get("posix")
     nomembers = ansible_module.params_get("nomembers")
     user = ansible_module.params_get("user")
     group = ansible_module.params_get("group")
-    service = ansible_module.params_get("service")
+    # Services are not case sensitive
+    service = ansible_module.params_get_lowercase("service")
     membermanager_user = ansible_module.params_get("membermanager_user")
     membermanager_group = ansible_module.params_get("membermanager_group")
     externalmember = ansible_module.params_get("externalmember")
@@ -370,12 +388,27 @@ def main():
                 "by your IPA version"
             )
 
+        has_idoverrideuser = api_check_param(
+            "group_add_member", "idoverrideuser")
+        if idoverrideuser is not None and not has_idoverrideuser:
+            ansible_module.fail_json(
+                msg="Managing a idoverrideuser as part of a group is not "
+                "supported by your IPA version")
+
         commands = []
 
         for name in names:
             # Make sure group exists
             res_find = find_group(ansible_module, name)
 
+            user_add, user_del = [], []
+            group_add, group_del = [], []
+            service_add, service_del = [], []
+            externalmember_add, externalmember_del = [], []
+            idoverrides_add, idoverrides_del = [], []
+            membermanager_user_add, membermanager_user_del = [], []
+            membermanager_group_add, membermanager_group_del = [], []
+
             # Create command
             if state == "present":
                 # Can't change an existing posix group
@@ -422,7 +455,7 @@ def main():
                         res_find["objectclass"].append("posixgroup")
 
                     member_args = gen_member_args(
-                        user, group, service, externalmember
+                        user, group, service, externalmember, idoverrideuser
                     )
                     if not compare_args_ipa(ansible_module, member_args,
                                             res_find):
@@ -440,44 +473,11 @@ def main():
                          externalmember_del) = gen_add_del_lists(
                             externalmember, res_find.get("member_external"))
 
-                        # setup member args for add/remove members.
-                        add_member_args = {
-                            "user": user_add,
-                            "group": group_add,
-                        }
-                        del_member_args = {
-                            "user": user_del,
-                            "group": group_del,
-                        }
-                        if has_add_member_service:
-                            add_member_args["service"] = service_add
-                            del_member_args["service"] = service_del
-
-                        if is_external_group(res_find):
-                            add_member_args["ipaexternalmember"] = \
-                                externalmember_add
-                            del_member_args["ipaexternalmember"] = \
-                                externalmember_del
-                        elif externalmember or external:
-                            ansible_module.fail_json(
-                                msg="Cannot add external members to a "
-                                    "non-external group."
-                            )
-
-                        # Add members
-                        add_members = any([user_add, group_add,
-                                           service_add, externalmember_add])
-                        if add_members:
-                            commands.append(
-                                [name, "group_add_member", add_member_args]
-                            )
-                        # Remove members
-                        remove_members = any([user_del, group_del,
-                                              service_del, externalmember_del])
-                        if remove_members:
-                            commands.append(
-                                [name, "group_remove_member", del_member_args]
-                            )
+                        (idoverrides_add,
+                         idoverrides_del) = gen_add_del_lists(
+                            idoverrideuser,
+                            res_find.get("member_idoverrideuser")
+                        )
 
                     membermanager_user_add, membermanager_user_del = \
                         gen_add_del_lists(
@@ -491,93 +491,32 @@ def main():
                             res_find.get("membermanager_group")
                         )
 
-                    if has_add_membermanager:
-                        # Add membermanager users and groups
-                        if len(membermanager_user_add) > 0 or \
-                           len(membermanager_group_add) > 0:
-                            commands.append(
-                                [name, "group_add_member_manager",
-                                 {
-                                     "user": membermanager_user_add,
-                                     "group": membermanager_group_add,
-                                 }]
-                            )
-                        # Remove member manager
-                        if len(membermanager_user_del) > 0 or \
-                           len(membermanager_group_del) > 0:
-                            commands.append(
-                                [name, "group_remove_member_manager",
-                                 {
-                                     "user": membermanager_user_del,
-                                     "group": membermanager_group_del,
-                                 }]
-                            )
-
                 elif action == "member":
                     if res_find is None:
                         ansible_module.fail_json(msg="No group '%s'" % name)
 
-                    add_member_args = {
-                        "user": user,
-                        "group": group,
-                    }
-                    if has_add_member_service:
-                        add_member_args["service"] = service
-                    if is_external_group(res_find):
-                        add_member_args["ipaexternalmember"] = externalmember
-                    elif externalmember:
-                        ansible_module.fail_json(
-                            msg="Cannot add external members to a "
-                                "non-external group."
-                        )
-
                     # Reduce add lists for member_user, member_group,
                     # member_service and member_external to new entries
                     # only that are not in res_find.
-                    if user is not None and "member_user" in res_find:
-                        user = gen_add_list(
-                            user, res_find["member_user"])
-                    if group is not None and "member_group" in res_find:
-                        group = gen_add_list(
-                            group, res_find["member_group"])
-                    if service is not None and "member_service" in res_find:
-                        service = gen_add_list(
-                            service, res_find["member_service"])
-                    if externalmember is not None \
-                       and "member_external" in res_find:
-                        externalmember = gen_add_list(
-                            externalmember, res_find["member_external"])
+                    user_add = gen_add_list(
+                        user, res_find.get("member_user"))
+                    group_add = gen_add_list(
+                        group, res_find.get("member_group"))
+                    service_add = gen_add_list(
+                        service, res_find.get("member_service"))
+                    externalmember_add = gen_add_list(
+                        externalmember, res_find.get("member_external"))
+                    idoverrides_add = gen_add_list(
+                        idoverrideuser, res_find.get("member_idoverrideuser"))
 
-                    if any([user, group, service, externalmember]):
-                        commands.append(
-                            [name, "group_add_member", add_member_args]
-                        )
-
-                    if has_add_membermanager:
-                        # Reduce add list for membermanager_user and
-                        # membermanager_group to new entries only that are
-                        # not in res_find.
-                        if membermanager_user is not None \
-                           and "membermanager_user" in res_find:
-                            membermanager_user = gen_add_list(
-                                membermanager_user,
-                                res_find["membermanager_user"])
-                        if membermanager_group is not None \
-                           and "membermanager_group" in res_find:
-                            membermanager_group = gen_add_list(
-                                membermanager_group,
-                                res_find["membermanager_group"])
-
-                        # Add membermanager users and groups
-                        if membermanager_user is not None or \
-                           membermanager_group is not None:
-                            commands.append(
-                                [name, "group_add_member_manager",
-                                 {
-                                     "user": membermanager_user,
-                                     "group": membermanager_group,
-                                 }]
-                            )
+                    membermanager_user_add = gen_add_list(
+                        membermanager_user,
+                        res_find.get("membermanager_user")
+                    )
+                    membermanager_group_add = gen_add_list(
+                        membermanager_group,
+                        res_find.get("membermanager_group")
+                    )
 
             elif state == "absent":
                 if action == "group":
@@ -588,70 +527,100 @@ def main():
                     if res_find is None:
                         ansible_module.fail_json(msg="No group '%s'" % name)
 
-                    del_member_args = {
-                        "user": user,
-                        "group": group,
-                    }
-                    if has_add_member_service:
-                        del_member_args["service"] = service
-                    if is_external_group(res_find):
-                        del_member_args["ipaexternalmember"] = externalmember
-                    elif externalmember:
+                    if not is_external_group(res_find) and externalmember:
                         ansible_module.fail_json(
                             msg="Cannot add external members to a "
                                 "non-external group."
                         )
 
-                    # Reduce del lists of member_user, member_group,
-                    # member_service and member_external to the entries only
-                    # that are in res_find.
-                    if user is not None:
-                        user = gen_intersection_list(
-                            user, res_find.get("member_user"))
-                    if group is not None:
-                        group = gen_intersection_list(
-                            group, res_find.get("member_group"))
-                    if service is not None:
-                        service = gen_intersection_list(
-                            service, res_find.get("member_service"))
-                    if externalmember is not None:
-                        externalmember = gen_intersection_list(
-                            externalmember, res_find.get("member_external"))
-
-                    if any([user, group, service, externalmember]):
-                        commands.append(
-                            [name, "group_remove_member", del_member_args]
-                        )
-
-                    if has_add_membermanager:
-                        # Reduce del lists of membermanager_user and
-                        # membermanager_group to the entries only that are
-                        # in res_find.
-                        if membermanager_user is not None:
-                            membermanager_user = gen_intersection_list(
-                                membermanager_user,
-                                res_find.get("membermanager_user"))
-                        if membermanager_group is not None:
-                            membermanager_group = gen_intersection_list(
-                                membermanager_group,
-                                res_find.get("membermanager_group"))
-
-                        # Remove membermanager users and groups
-                        if membermanager_user is not None or \
-                           membermanager_group is not None:
-                            commands.append(
-                                [name, "group_remove_member_manager",
-                                 {
-                                     "user": membermanager_user,
-                                     "group": membermanager_group,
-                                 }]
-                            )
+                    user_del = gen_intersection_list(
+                        user, res_find.get("member_user"))
+                    group_del = gen_intersection_list(
+                        group, res_find.get("member_group"))
+                    service_del = gen_intersection_list(
+                        service, res_find.get("member_service"))
+                    externalmember_del = gen_intersection_list(
+                        externalmember, res_find.get("member_external"))
+                    idoverrides_del = gen_intersection_list(
+                        idoverrideuser, res_find.get("member_idoverrideuser"))
 
+                    membermanager_user_del = gen_intersection_list(
+                        membermanager_user, res_find.get("membermanager_user"))
+                    membermanager_group_del = gen_intersection_list(
+                        membermanager_group,
+                        res_find.get("membermanager_group")
+                    )
             else:
                 ansible_module.fail_json(msg="Unkown state '%s'" % state)
 
-        # Execute commands
+            # manage members
+            # setup member args for add/remove members.
+            add_member_args = {
+                "user": user_add,
+                "group": group_add,
+            }
 
+            del_member_args = {
+                "user": user_del,
+                "group": group_del,
+            }
+
+            if has_idoverrideuser:
+                add_member_args["idoverrideuser"] = idoverrides_add
+                del_member_args["idoverrideuser"] = idoverrides_del
+
+            if has_add_member_service:
+                add_member_args["service"] = service_add
+                del_member_args["service"] = service_del
+
+            if is_external_group(res_find):
+                add_member_args["ipaexternalmember"] = \
+                    externalmember_add
+                del_member_args["ipaexternalmember"] = \
+                    externalmember_del
+            elif externalmember or external:
+                ansible_module.fail_json(
+                    msg="Cannot add external members to a "
+                        "non-external group."
+                )
+
+            # Add members
+            add_members = any([user_add, group_add, idoverrides_add,
+                               service_add, externalmember_add])
+            if add_members:
+                commands.append(
+                    [name, "group_add_member", add_member_args]
+                )
+            # Remove members
+            remove_members = any([user_del, group_del, idoverrides_del,
+                                  service_del, externalmember_del])
+            if remove_members:
+                commands.append(
+                    [name, "group_remove_member", del_member_args]
+                )
+
+            # manage membermanager members
+            if has_add_membermanager:
+                # Add membermanager users and groups
+                if any([membermanager_user_add, membermanager_group_add]):
+                    commands.append(
+                        [name, "group_add_member_manager",
+                         {
+                             "user": membermanager_user_add,
+                             "group": membermanager_group_add,
+                         }]
+                    )
+                # Remove member manager
+                if any([membermanager_user_del, membermanager_group_del]):
+                    commands.append(
+                        [name, "group_remove_member_manager",
+                         {
+                             "user": membermanager_user_del,
+                             "group": membermanager_group_del,
+                         }]
+                    )
+
+        # Execute commands
         changed = ansible_module.execute_ipa_commands(
             commands, fail_on_member_errors=True)
 

plugins/modules/ipahbacrule.py

@@ -238,12 +238,12 @@ def main():
     hostcategory = ansible_module.params_get("hostcategory")
     servicecategory = ansible_module.params_get("servicecategory")
     nomembers = ansible_module.params_get("nomembers")
-    host = ansible_module.params_get("host")
-    hostgroup = ansible_module.params_get("hostgroup")
-    hbacsvc = ansible_module.params_get("hbacsvc")
-    hbacsvcgroup = ansible_module.params_get("hbacsvcgroup")
-    user = ansible_module.params_get("user")
-    group = ansible_module.params_get("group")
+    host = ansible_module.params_get_lowercase("host")
+    hostgroup = ansible_module.params_get_lowercase("hostgroup")
+    hbacsvc = ansible_module.params_get_lowercase("hbacsvc")
+    hbacsvcgroup = ansible_module.params_get_lowercase("hbacsvcgroup")
+    user = ansible_module.params_get_lowercase("user")
+    group = ansible_module.params_get_lowercase("group")
     action = ansible_module.params_get("action")
     # state
     state = ansible_module.params_get("state")
@@ -307,7 +307,7 @@ def main():
 
         # Ensure fqdn host names, use default domain for simple names
         if host is not None:
-            _host = [ensure_fqdn(x, default_domain) for x in host]
+            _host = [ensure_fqdn(x, default_domain).lower() for x in host]
             host = _host
 
         commands = []
@@ -316,6 +316,13 @@ def main():
             # Make sure hbacrule exists
             res_find = find_hbacrule(ansible_module, name)
 
+            host_add, host_del = [], []
+            hostgroup_add, hostgroup_del = [], []
+            hbacsvc_add, hbacsvc_del = [], []
+            hbacsvcgroup_add, hbacsvcgroup_del = [], []
+            user_add, user_del = [], []
+            group_add, group_del = [], []
+
             # Create command
             if state == "present":
                 # Generate args
@@ -353,69 +360,30 @@ def main():
                         res_find = {}
 
                     # Generate addition and removal lists
-                    host_add, host_del = gen_add_del_lists(
-                        host, res_find.get("memberhost_host"))
+                    if host is not None:
+                        host_add, host_del = gen_add_del_lists(
+                            host, res_find.get("memberhost_host"))
 
-                    hostgroup_add, hostgroup_del = gen_add_del_lists(
-                        hostgroup, res_find.get("memberhost_hostgroup"))
+                    if hostgroup is not None:
+                        hostgroup_add, hostgroup_del = gen_add_del_lists(
+                            hostgroup, res_find.get("memberhost_hostgroup"))
 
-                    hbacsvc_add, hbacsvc_del = gen_add_del_lists(
-                        hbacsvc, res_find.get("memberservice_hbacsvc"))
+                    if hbacsvc is not None:
+                        hbacsvc_add, hbacsvc_del = gen_add_del_lists(
+                            hbacsvc, res_find.get("memberservice_hbacsvc"))
 
-                    hbacsvcgroup_add, hbacsvcgroup_del = gen_add_del_lists(
-                        hbacsvcgroup,
-                        res_find.get("memberservice_hbacsvcgroup"))
+                    if hbacsvcgroup is not None:
+                        hbacsvcgroup_add, hbacsvcgroup_del = gen_add_del_lists(
+                            hbacsvcgroup,
+                            res_find.get("memberservice_hbacsvcgroup"))
 
-                    user_add, user_del = gen_add_del_lists(
-                        user, res_find.get("memberuser_user"))
+                    if user is not None:
+                        user_add, user_del = gen_add_del_lists(
+                            user, res_find.get("memberuser_user"))
 
-                    group_add, group_del = gen_add_del_lists(
-                        group, res_find.get("memberuser_group"))
-
-                    # Add hosts and hostgroups
-                    if len(host_add) > 0 or len(hostgroup_add) > 0:
-                        commands.append([name, "hbacrule_add_host",
-                                         {
-                                             "host": host_add,
-                                             "hostgroup": hostgroup_add,
-                                         }])
-                    # Remove hosts and hostgroups
-                    if len(host_del) > 0 or len(hostgroup_del) > 0:
-                        commands.append([name, "hbacrule_remove_host",
-                                         {
-                                             "host": host_del,
-                                             "hostgroup": hostgroup_del,
-                                         }])
-
-                    # Add hbacsvcs and hbacsvcgroups
-                    if len(hbacsvc_add) > 0 or len(hbacsvcgroup_add) > 0:
-                        commands.append([name, "hbacrule_add_service",
-                                         {
-                                             "hbacsvc": hbacsvc_add,
-                                             "hbacsvcgroup": hbacsvcgroup_add,
-                                         }])
-                    # Remove hbacsvcs and hbacsvcgroups
-                    if len(hbacsvc_del) > 0 or len(hbacsvcgroup_del) > 0:
-                        commands.append([name, "hbacrule_remove_service",
-                                         {
-                                             "hbacsvc": hbacsvc_del,
-                                             "hbacsvcgroup": hbacsvcgroup_del,
-                                         }])
-
-                    # Add users and groups
-                    if len(user_add) > 0 or len(group_add) > 0:
-                        commands.append([name, "hbacrule_add_user",
-                                         {
-                                             "user": user_add,
-                                             "group": group_add,
-                                         }])
-                    # Remove users and groups
-                    if len(user_del) > 0 or len(group_del) > 0:
-                        commands.append([name, "hbacrule_remove_user",
-                                         {
-                                             "user": user_del,
-                                             "group": group_del,
-                                         }])
+                    if group is not None:
+                        group_add, group_del = gen_add_del_lists(
+                            group, res_find.get("memberuser_group"))
 
                 elif action == "member":
                     if res_find is None:
@@ -424,63 +392,33 @@ def main():
                     # Generate add lists for host, hostgroup and
                     # res_find to only try to add hosts and hostgroups
                     # that not in hbacrule already
-                    if host is not None and \
-                       "memberhost_host" in res_find:
-                        host = gen_add_list(
-                            host, res_find["memberhost_host"])
-                    if hostgroup is not None and \
-                       "memberhost_hostgroup" in res_find:
-                        hostgroup = gen_add_list(
-                            hostgroup, res_find["memberhost_hostgroup"])
-
-                    # Add hosts and hostgroups
-                    if host is not None or hostgroup is not None:
-                        commands.append([name, "hbacrule_add_host",
-                                         {
-                                             "host": host,
-                                             "hostgroup": hostgroup,
-                                         }])
+                    if host:
+                        host_add = gen_add_list(
+                            host, res_find.get("memberhost_host"))
+                    if hostgroup:
+                        hostgroup_add = gen_add_list(
+                            hostgroup, res_find.get("memberhost_hostgroup"))
 
                     # Generate add lists for hbacsvc, hbacsvcgroup and
                     # res_find to only try to add hbacsvcs and hbacsvcgroups
                     # that not in hbacrule already
-                    if hbacsvc is not None and \
-                       "memberservice_hbacsvc" in res_find:
-                        hbacsvc = gen_add_list(
-                            hbacsvc, res_find["memberservice_hbacsvc"])
-                    if hbacsvcgroup is not None and \
-                       "memberservice_hbacsvcgroup" in res_find:
-                        hbacsvcgroup = gen_add_list(
+                    if hbacsvc:
+                        hbacsvc_add = gen_add_list(
+                            hbacsvc, res_find.get("memberservice_hbacsvc"))
+                    if hbacsvcgroup:
+                        hbacsvcgroup_add = gen_add_list(
                             hbacsvcgroup,
-                            res_find["memberservice_hbacsvcgroup"])
-
-                    # Add hbacsvcs and hbacsvcgroups
-                    if hbacsvc is not None or hbacsvcgroup is not None:
-                        commands.append([name, "hbacrule_add_service",
-                                         {
-                                             "hbacsvc": hbacsvc,
-                                             "hbacsvcgroup": hbacsvcgroup,
-                                         }])
+                            res_find.get("memberservice_hbacsvcgroup"))
 
                     # Generate add lists for user, group and
                     # res_find to only try to add users and groups
                     # that not in hbacrule already
-                    if user is not None and \
-                       "memberuser_user" in res_find:
-                        user = gen_add_list(
-                            user, res_find["memberuser_user"])
-                    if group is not None and \
-                       "memberuser_group" in res_find:
-                        group = gen_add_list(
-                            group, res_find["memberuser_group"])
-
-                    # Add users and groups
-                    if user is not None or group is not None:
-                        commands.append([name, "hbacrule_add_user",
-                                         {
-                                             "user": user,
-                                             "group": group,
-                                         }])
+                    if user:
+                        user_add = gen_add_list(
+                            user, res_find.get("memberuser_user"))
+                    if group:
+                        group_add = gen_add_list(
+                            group, res_find.get("memberuser_group"))
 
             elif state == "absent":
                 if action == "hbacrule":
@@ -494,75 +432,39 @@ def main():
                     # Generate intersection lists for host, hostgroup and
                     # res_find to only try to remove hosts and hostgroups
                     # that are in hbacrule
-                    if host is not None:
+                    if host:
                         if "memberhost_host" in res_find:
-                            host = gen_intersection_list(
+                            host_del = gen_intersection_list(
                                 host, res_find["memberhost_host"])
-                        else:
-                            host = None
-                    if hostgroup is not None:
+                    if hostgroup:
                         if "memberhost_hostgroup" in res_find:
-                            hostgroup = gen_intersection_list(
+                            hostgroup_del = gen_intersection_list(
                                 hostgroup, res_find["memberhost_hostgroup"])
-                        else:
-                            hostgroup = None
-
-                    # Remove hosts and hostgroups
-                    if host is not None or hostgroup is not None:
-                        commands.append([name, "hbacrule_remove_host",
-                                         {
-                                             "host": host,
-                                             "hostgroup": hostgroup,
-                                         }])
 
                     # Generate intersection lists for hbacsvc, hbacsvcgroup
                     # and res_find to only try to remove hbacsvcs and
                     # hbacsvcgroups that are in hbacrule
-                    if hbacsvc is not None:
+                    if hbacsvc:
                         if "memberservice_hbacsvc" in res_find:
-                            hbacsvc = gen_intersection_list(
+                            hbacsvc_del = gen_intersection_list(
                                 hbacsvc, res_find["memberservice_hbacsvc"])
-                        else:
-                            hbacsvc = None
-                    if hbacsvcgroup is not None:
+                    if hbacsvcgroup:
                         if "memberservice_hbacsvcgroup" in res_find:
-                            hbacsvcgroup = gen_intersection_list(
+                            hbacsvcgroup_del = gen_intersection_list(
                                 hbacsvcgroup,
                                 res_find["memberservice_hbacsvcgroup"])
-                        else:
-                            hbacsvcgroup = None
-
-                    # Remove hbacsvcs and hbacsvcgroups
-                    if hbacsvc is not None or hbacsvcgroup is not None:
-                        commands.append([name, "hbacrule_remove_service",
-                                         {
-                                             "hbacsvc": hbacsvc,
-                                             "hbacsvcgroup": hbacsvcgroup,
-                                         }])
 
                     # Generate intersection lists for user, group and
                     # res_find to only try to remove users and groups
                     # that are in hbacrule
-                    if user is not None:
+                    if user:
                         if "memberuser_user" in res_find:
-                            user = gen_intersection_list(
+                            user_del = gen_intersection_list(
                                 user, res_find["memberuser_user"])
-                        else:
-                            user = None
-                    if group is not None:
+                    if group:
                         if "memberuser_group" in res_find:
-                            group = gen_intersection_list(
+                            group_del = gen_intersection_list(
                                 group, res_find["memberuser_group"])
-                        else:
-                            group = None
-
-                    # Remove users and groups
-                    if user is not None or group is not None:
-                        commands.append([name, "hbacrule_remove_user",
-                                         {
-                                             "user": user,
-                                             "group": group,
-                                         }])
 
             elif state == "enabled":
                 if res_find is None:
@@ -570,23 +472,78 @@ def main():
                 # hbacrule_enable is not failing on an enabled hbacrule
                 # Therefore it is needed to have a look at the ipaenabledflag
                 # in res_find.
-                if "ipaenabledflag" not in res_find or \
-                   res_find["ipaenabledflag"][0] != "TRUE":
+                # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                # boolean values, so we need to convert it to str
+                # for comparison.
+                # See: https://github.com/freeipa/freeipa/pull/6294
+                enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
+                if enabled_flag.upper() != "TRUE":
                     commands.append([name, "hbacrule_enable", {}])
 
             elif state == "disabled":
                 if res_find is None:
                     ansible_module.fail_json(msg="No hbacrule '%s'" % name)
-                # hbacrule_disable is not failing on an disabled hbacrule
+                # hbacrule_disable is not failing on an enabled hbacrule
                 # Therefore it is needed to have a look at the ipaenabledflag
                 # in res_find.
-                if "ipaenabledflag" not in res_find or \
-                   res_find["ipaenabledflag"][0] != "FALSE":
+                # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                # boolean values, so we need to convert it to str
+                # for comparison.
+                # See: https://github.com/freeipa/freeipa/pull/6294
+                enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
+                if enabled_flag.upper() != "FALSE":
                     commands.append([name, "hbacrule_disable", {}])
 
             else:
                 ansible_module.fail_json(msg="Unkown state '%s'" % state)
 
+            # Manage HBAC rule members.
+
+            # Add hosts and hostgroups
+            if len(host_add) > 0 or len(hostgroup_add) > 0:
+                commands.append([name, "hbacrule_add_host",
+                                 {
+                                     "host": host_add,
+                                     "hostgroup": hostgroup_add,
+                                 }])
+            # Remove hosts and hostgroups
+            if len(host_del) > 0 or len(hostgroup_del) > 0:
+                commands.append([name, "hbacrule_remove_host",
+                                 {
+                                     "host": host_del,
+                                     "hostgroup": hostgroup_del,
+                                 }])
+
+            # Add hbacsvcs and hbacsvcgroups
+            if len(hbacsvc_add) > 0 or len(hbacsvcgroup_add) > 0:
+                commands.append([name, "hbacrule_add_service",
+                                 {
+                                     "hbacsvc": hbacsvc_add,
+                                     "hbacsvcgroup": hbacsvcgroup_add,
+                                 }])
+            # Remove hbacsvcs and hbacsvcgroups
+            if len(hbacsvc_del) > 0 or len(hbacsvcgroup_del) > 0:
+                commands.append([name, "hbacrule_remove_service",
+                                 {
+                                     "hbacsvc": hbacsvc_del,
+                                     "hbacsvcgroup": hbacsvcgroup_del,
+                                 }])
+
+            # Add users and groups
+            if len(user_add) > 0 or len(group_add) > 0:
+                commands.append([name, "hbacrule_add_user",
+                                 {
+                                     "user": user_add,
+                                     "group": group_add,
+                                 }])
+            # Remove users and groups
+            if len(user_del) > 0 or len(group_del) > 0:
+                commands.append([name, "hbacrule_remove_user",
+                                 {
+                                     "user": user_del,
+                                     "group": group_del,
+                                 }])
+
         # Execute commands
 
         changed = ansible_module.execute_ipa_commands(

plugins/modules/ipahbacsvcgroup.py

@@ -101,7 +101,8 @@ RETURN = """
 """
 
 from ansible.module_utils.ansible_freeipa_module import \
-    IPAAnsibleModule, compare_args_ipa, gen_add_del_lists
+    IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, gen_add_list, \
+    gen_intersection_list
 
 
 def find_hbacsvcgroup(module, name):
@@ -183,7 +184,7 @@ def main():
     # present
     description = ansible_module.params_get("description")
     nomembers = ansible_module.params_get("nomembers")
-    hbacsvc = ansible_module.params_get("hbacsvc")
+    hbacsvc = ansible_module.params_get_lowercase("hbacsvc")
     action = ansible_module.params_get("action")
     # state
     state = ansible_module.params_get("state")
@@ -223,6 +224,8 @@ def main():
             # Make sure hbacsvcgroup exists
             res_find = find_hbacsvcgroup(ansible_module, name)
 
+            hbacsvc_add, hbacsvc_del = [], []
+
             # Create command
             if state == "present":
                 # Generate args
@@ -246,32 +249,20 @@ def main():
                     if not compare_args_ipa(ansible_module, member_args,
                                             res_find):
                         # Generate addition and removal lists
-                        hbacsvc_add, hbacsvc_del = gen_add_del_lists(
-                            hbacsvc, res_find.get("member_hbacsvc"))
+                        if hbacsvc is not None:
+                            hbacsvc_add, hbacsvc_del = gen_add_del_lists(
+                                hbacsvc, res_find.get("member_hbacsvc"))
 
-                        # Add members
-                        if len(hbacsvc_add) > 0:
-                            commands.append([name, "hbacsvcgroup_add_member",
-                                             {
-                                                 "hbacsvc": hbacsvc_add
-                                             }])
-                        # Remove members
-                        if len(hbacsvc_del) > 0:
-                            commands.append([name,
-                                             "hbacsvcgroup_remove_member",
-                                             {
-                                                 "hbacsvc": hbacsvc_del
-                                             }])
                 elif action == "member":
                     if res_find is None:
                         ansible_module.fail_json(
                             msg="No hbacsvcgroup '%s'" % name)
 
                     # Ensure members are present
-                    commands.append([name, "hbacsvcgroup_add_member",
-                                     {
-                                         "hbacsvc": hbacsvc
-                                     }])
+                    if hbacsvc:
+                        hbacsvc_add = gen_add_list(
+                            hbacsvc, res_find.get("member_hbacsvc"))
+
             elif state == "absent":
                 if action == "hbacsvcgroup":
                     if res_find is not None:
@@ -283,15 +274,28 @@ def main():
                             msg="No hbacsvcgroup '%s'" % name)
 
                     # Ensure members are absent
-                    commands.append([name, "hbacsvcgroup_remove_member",
-                                     {
-                                         "hbacsvc": hbacsvc
-                                     }])
+                    if hbacsvc:
+                        hbacsvc_del = gen_intersection_list(
+                            hbacsvc, res_find.get("member_hbacsvc"))
+
             else:
                 ansible_module.fail_json(msg="Unkown state '%s'" % state)
 
-        # Execute commands
+            # Manage members
+            if len(hbacsvc_add) > 0:
+                commands.append([name, "hbacsvcgroup_add_member",
+                                 {
+                                     "hbacsvc": hbacsvc_add
+                                 }])
+            # Remove members
+            if len(hbacsvc_del) > 0:
+                commands.append([name,
+                                 "hbacsvcgroup_remove_member",
+                                 {
+                                     "hbacsvc": hbacsvc_del
+                                 }])
 
+        # Execute commands
         changed = ansible_module.execute_ipa_commands(commands, result_handler)
 
     # Done

plugins/modules/ipahost.py

@@ -709,7 +709,7 @@ def main():
                        elements='dict', required=False),
 
             # mod
-            update_password=dict(type='str', default=None,
+            update_password=dict(type='str', default=None, no_log=False,
                                  choices=['always', 'on_create']),
 
             # general
@@ -764,7 +764,7 @@ def main():
     mac_address = ansible_module.params_get("mac_address")
     sshpubkey = ansible_module.params_get("sshpubkey")
     userclass = ansible_module.params_get("userclass")
-    auth_ind = ansible_module.params_get("auth_ind")
+    auth_ind = ansible_module.params_get("auth_ind", allow_empty_string=True)
     requires_pre_auth = ansible_module.params_get("requires_pre_auth")
     ok_as_delegate = ansible_module.params_get("ok_as_delegate")
     ok_to_auth_as_delegate = ansible_module.params_get(

plugins/modules/ipahostgroup.py

@@ -139,7 +139,7 @@ RETURN = """
 
 from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, gen_add_list, \
-    gen_intersection_list
+    gen_intersection_list, ensure_fqdn
 
 
 def find_hostgroup(module, name):
@@ -281,6 +281,15 @@ def main():
             ansible_module.fail_json(
                 msg="Renaming hostgroups is not supported by your IPA version")
 
+        # If hosts are given, ensure that the hosts are FQDN and also
+        # lowercase to be able to do a proper comparison to exising hosts
+        # in the hostgroup.
+        # Fixes #666 (ipahostgroup not idempotent and with error)
+        if host is not None:
+            default_domain = ansible_module.ipa_get_domain()
+            host = [ensure_fqdn(_host, default_domain).lower()
+                    for _host in host]
+
         commands = []
 
         for name in names:

plugins/modules/ipaidrange.py

@@ -0,0 +1,340 @@
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Rafael Guterres Jeffman <rjeffman@redhat.com>
+#
+# Copyright (C) 2022 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    "metadata_version": "1.0",
+    "supported_by": "community",
+    "status": ["preview"],
+}
+
+DOCUMENTATION = """
+---
+module: ipaidrange
+short description: Manage FreeIPA idrange
+description: Manage FreeIPA idrange
+extends_documentation_fragment:
+  - ipamodule_base_docs
+  - ipamodule_base_docs.delete_continue
+options:
+  name:
+    description: The list of idrange name strings.
+    required: true
+    aliases: ["cn"]
+  base_id:
+    description: First Posix ID of the range.
+    type: int
+    required: false
+    aliases: ["ipabaseid"]
+  range_size:
+    description: Number of IDs in the range.
+    type: int
+    required: false
+    aliases: ["ipaidrangesize"]
+  rid_base:
+    description: First RID of the corresponding RID range.
+    type: int
+    required: false
+    aliases: ["ipabaserid"]
+  secondary_rid_base:
+    description: First RID of the secondary RID range.
+    type: int
+    required: false
+    aliases: ["ipasecondarybaserid"]
+  idrange_type:
+    description: ID range type.
+    type: string
+    required: false
+    choices: ["ipa-ad-trust", "ipa-ad-trust-posix", "ipa-local"]
+    aliases: ["iparangetype"]
+  dom_sid:
+    description: Domain SID of the trusted domain.
+    type: string
+    required: false
+    aliases: ["ipanttrusteddomainsid"]
+  dom_name:
+    description: |
+      Domain name of the trusted domain. Can only be used when
+      `ipaapi_context: server`.
+    type: string
+    required: false
+    aliases: ["ipanttrusteddomainname"]
+  auto_private_groups:
+    description: Auto creation of private groups.
+    type: string
+    required: false
+    choices: ["true", "false", "hybrid"]
+    aliases: ["ipaautoprivategroups"]
+  state:
+    description: The state to ensure.
+    choices: ["present", "absent"]
+    default: present
+    required: true
+"""
+
+EXAMPLES = """
+# Ensure local domain idrange is present
+- ipaidrange:
+    ipaadmin_password: SomeADMINpassword
+    name: id_range
+    base_id: 150000000
+    range_size: 200000
+    rid_base: 1000000
+    secondary_rid_base: 200000000
+
+# Ensure local domain idrange is absent
+- ipaidrange:
+    ipaadmin_password: SomeADMINpassword
+    name: id_range
+    state: absent
+
+# Ensure AD-trust idrange is present
+- ipaidrange:
+    name: id_range
+    base_id: 150000000
+    range_size: 200000
+    rid_base: 1000000
+    idrange_type: ipa-ad-trust
+    dom_sid: S-1-5-21-2870384104-3340008087-3140804251
+    auto_private_groups: "false"
+
+# Ensure AD-trust idrange is present, with range type ad-trust-posix,
+# and using domain name
+- ipaidrange:
+    name: id_range
+    base_id: 150000000
+    range_size: 200000
+    rid_base: 1000000
+    idrange_type: ipa-ad-trust-posix
+    dom_name: ad.ipa.test
+    auto_private_groups: "hybrid"
+"""
+
+RETURN = """
+"""
+
+
+from ansible.module_utils.ansible_freeipa_module import \
+    IPAAnsibleModule, compare_args_ipa, get_trusted_domain_sid_from_name
+from ansible.module_utils import six
+
+if six.PY3:
+    unicode = str
+
+
+def find_idrange(module, name):
+    """Find if a idrange with the given name already exist."""
+    try:
+        _result = module.ipa_command("idrange_show", name, {"all": True})
+    except Exception:  # pylint: disable=broad-except
+        # An exception is raised if idrange name is not found.
+        return None
+    else:
+        return _result["result"]
+
+
+def gen_args(
+    base_id, range_size, rid_base, secondary_rid_base, idrange_type, dom_sid,
+    dom_name, auto_private_groups
+):
+    _args = {}
+    # Integer parameters are stored as strings.
+    # Converting them here allows the proper use of compare_args_ipa.
+    if base_id is not None:
+        _args["ipabaseid"] = base_id
+    if range_size is not None:
+        _args["ipaidrangesize"] = range_size
+    if rid_base is not None:
+        _args["ipabaserid"] = rid_base
+    if secondary_rid_base is not None:
+        _args["ipasecondarybaserid"] = secondary_rid_base
+    if idrange_type is not None:
+        _args["iparangetype"] = idrange_type
+    if dom_name is not None:
+        dom_sid = get_trusted_domain_sid_from_name(dom_name)
+    if dom_sid is not None:
+        _args["ipanttrusteddomainsid"] = dom_sid
+    if auto_private_groups is not None:
+        _args["ipaautoprivategroups"] = auto_private_groups
+    return _args
+
+
+def main():
+    ansible_module = IPAAnsibleModule(
+        argument_spec=dict(
+            # general
+            name=dict(type="list", aliases=["cn"],
+                      default=None, required=True),
+            # present
+            base_id=dict(required=False, type='int',
+                         aliases=["ipabaseid"], default=None),
+            range_size=dict(required=False, type='int',
+                            aliases=["ipaidrangesize"], default=None),
+            rid_base=dict(required=False, type='int',
+                          aliases=["ipabaserid"], default=None),
+            secondary_rid_base=dict(required=False, type='int', default=None,
+                                    aliases=["ipasecondarybaserid"]),
+            idrange_type=dict(required=False, aliases=["iparangetype"],
+                              type="str", default=None,
+                              choices=["ipa-ad-trust", "ipa-ad-trust-posix",
+                                       "ipa-local"]),
+            dom_sid=dict(required=False, type='str', default=None,
+                         aliases=["ipanttrusteddomainsid"]),
+            dom_name=dict(required=False, type='str', default=None,
+                          aliases=["ipanttrusteddomainname"]),
+            auto_private_groups=dict(required=False, type='str', default=None,
+                                     aliases=["ipaautoprivategroups"],
+                                     choices=['true', 'false', 'hybrid']),
+            # state
+            state=dict(type="str", default="present",
+                       choices=["present", "absent"]),
+        ),
+        mutually_exclusive=[
+            ["dom_sid", "secondary_rid_base"],
+            ["dom_name", "secondary_rid_base"],
+            ["dom_sid", "dom_name"],
+        ],
+        supports_check_mode=True,
+        ipa_module_options=["delete_continue"],
+    )
+
+    ansible_module._ansible_debug = True
+
+    # Get parameters
+
+    # general
+    names = ansible_module.params_get("name")
+    delete_continue = ansible_module.params_get("delete_continue")
+
+    # present
+    base_id = ansible_module.params_get("base_id")
+    range_size = ansible_module.params_get("range_size")
+    rid_base = ansible_module.params_get("rid_base")
+    secondary_rid_base = ansible_module.params_get("secondary_rid_base")
+    idrange_type = ansible_module.params_get("idrange_type")
+    dom_sid = ansible_module.params_get("dom_sid")
+    dom_name = ansible_module.params_get("dom_name")
+    auto_private_groups = \
+        ansible_module.params_get_lowercase("auto_private_groups")
+
+    # state
+    state = ansible_module.params_get("state")
+
+    # Check parameters
+
+    invalid = []
+
+    if state == "present":
+        if len(names) != 1:
+            ansible_module.fail_json(
+                msg="Only one idrange can be added at a time.")
+
+    if state == "absent":
+        if len(names) < 1:
+            ansible_module.fail_json(msg="No name given.")
+        invalid = [
+            "base_id", "range_size", "idrange_type", "dom_sid", "dom_name",
+            "rid_base", "secondary_rid_base", "auto_private_groups"
+        ]
+
+    ansible_module.params_fail_used_invalid(invalid, state)
+
+    # Init
+
+    changed = False
+    exit_args = {}
+
+    range_types = {
+        "Active Directory domain range": "ipa-ad-trust",
+        "Active Directory trust range with POSIX attributes":
+            "ipa-ad-trust-posix",
+        "local domain range": "ipa-local",
+    }
+
+    # Connect to IPA API
+    with ansible_module.ipa_connect():
+
+        commands = []
+        for name in names:
+            # Make sure idrange exists
+            res_find = find_idrange(ansible_module, name)
+
+            # Create command
+            if state == "present":
+
+                # Generate args
+                args = gen_args(
+                    base_id, range_size, rid_base, secondary_rid_base,
+                    idrange_type, dom_sid, dom_name, auto_private_groups
+                )
+
+                # Found the idrange
+                if res_find is not None:
+                    # For all settings is args, check if there are
+                    # different settings in the find result.
+                    # If yes: modify
+                    if not compare_args_ipa(
+                        ansible_module, args, res_find, ignore=["iparangetype"]
+                    ):
+                        res_type = range_types.get(
+                            res_find.get("iparangetype")[0]
+                        )
+                        if res_type == "local_id_range":
+                            ansible_module.fail_json(
+                                "Cannot modify local IPA domain idrange."
+                            )
+
+                        arg_type = args.get("iparangetype")
+                        if arg_type:
+                            if arg_type != res_type:
+                                ansible_module.fail_json(
+                                    "Cannot modify idrange type."
+                                )
+                            del args["iparangetype"]
+                        commands.append([name, "idrange_mod", args])
+                else:
+                    commands.append([name, "idrange_add", args])
+
+            elif state == "absent":
+                if res_find is not None:
+                    commands.append([
+                        name,
+                        "idrange_del",
+                        {"continue": delete_continue or False}
+                    ])
+
+            else:
+                ansible_module.fail_json(msg="Unkown state '%s'" % state)
+
+        # Execute commands
+
+        changed = ansible_module.execute_ipa_commands(commands)
+
+    # Done
+
+    ansible_module.exit_json(changed=changed, **exit_args)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/iparole.py

@@ -72,7 +72,7 @@ options:
     required: false
   state:
     description: The state to ensure.
-    choices: ["present", "absent"]
+    choices: ["present", "absent", "renamed"]
     default: present
     required: true
 """
@@ -103,10 +103,10 @@ EXAMPLES = """
 # pylint: disable=no-name-in-module
 from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import \
-    IPAAnsibleModule, gen_add_del_lists, compare_args_ipa
+    IPAAnsibleModule, gen_add_del_lists, compare_args_ipa, \
+    gen_intersection_list, ensure_fqdn
 from ansible.module_utils import six
 
-
 if six.PY3:
     unicode = str
 
@@ -145,9 +145,22 @@ def check_parameters(module):
 
     invalid = []
 
-    if state == "present":
+    if state == "renamed":
         if action == "member":
-            invalid.extend(['description', 'rename'])
+            module.fail_json(
+                msg="Invalid action 'member' with state 'renamed'.")
+        invalid = [
+            "description",
+            "user", "group",
+            "host", "hostgroup",
+            "service",
+            "privilege",
+        ]
+
+    if state == "present":
+        invalid = ["rename"]
+        if action == "member":
+            invalid.extend(['description'])
 
     if state == "absent":
         invalid.extend(['description', 'rename'])
@@ -157,28 +170,15 @@ def check_parameters(module):
     module.params_fail_used_invalid(invalid, state, action)
 
 
-def member_intersect(module, attr, memberof, res_find):
-    """Filter member arguments from role found by intersection."""
-    params = module.params_get(attr)
-    if not res_find:
-        return params
-    filtered = []
-    if params:
-        existing = res_find.get(memberof, [])
-        filtered = list(set(params) & set(existing))
-    return filtered
-
-
-def member_difference(module, attr, memberof, res_find):
-    """Filter member arguments from role found by difference."""
-    params = module.params_get(attr)
-    if not res_find:
-        return params
-    filtered = []
-    if params:
-        existing = res_find.get(memberof, [])
-        filtered = list(set(params) - set(existing))
-    return filtered
+def get_member_host_with_fqdn_lowercase(module, mod_member):
+    """Retrieve host members from module, as FQDN, lowercase."""
+    default_domain = module.ipa_get_domain()
+    hosts = module.params_get(mod_member)
+    return (
+        [ensure_fqdn(host, default_domain).lower() for host in hosts]
+        if hosts
+        else hosts
+    )
 
 
 def ensure_absent_state(module, name, action, res_find):
@@ -190,23 +190,41 @@ def ensure_absent_state(module, name, action, res_find):
 
     if action == "member":
 
-        members = member_intersect(
-            module, 'privilege', 'memberof_privilege', res_find)
-        if members:
-            commands.append([name, "role_remove_privilege",
-                             {"privilege": members}])
+        _members = module.params_get_lowercase("privilege")
+        if _members is not None:
+            del_list = gen_intersection_list(
+                _members,
+                result_get_value_lowercase(res_find, "memberof_privilege")
+            )
+            if del_list:
+                commands.append([name, "role_remove_privilege",
+                                 {"privilege": del_list}])
 
         member_args = {}
-        for key in ['user', 'group', 'host', 'hostgroup']:
-            items = member_intersect(
-                module, key, 'member_%s' % key, res_find)
-            if items:
-                member_args[key] = items
+        for key in ['user', 'group', 'hostgroup']:
+            _members = module.params_get_lowercase(key)
+            if _members:
+                del_list = gen_intersection_list(
+                    _members,
+                    result_get_value_lowercase(res_find, "member_%s" % key)
+                )
+                if del_list:
+                    member_args[key] = del_list
 
-        _services = filter_service(module, res_find,
-                                   lambda res, svc: res.startswith(svc))
+        # ensure hosts are FQDN.
+        _members = get_member_host_with_fqdn_lowercase(module, "host")
+        if _members:
+            del_list = gen_intersection_list(
+                _members, res_find.get('member_host'))
+            if del_list:
+                member_args["host"] = del_list
+
+        _services = get_service_param(module, "service")
         if _services:
-            member_args['service'] = _services
+            _existing = result_get_value_lowercase(res_find, "member_service")
+            items = gen_intersection_list(_services.keys(), _existing)
+            if items:
+                member_args["service"] = [_services[key] for key in items]
 
         # Only add remove command if there's at least one member no manage.
         if member_args:
@@ -215,66 +233,112 @@ def ensure_absent_state(module, name, action, res_find):
     return commands
 
 
-def filter_service(module, res_find, predicate):
+def get_service_param(module, key):
     """
-    Filter service based on predicate.
+    Retrieve dict of services, with realm, from the module parameters.
 
-    Compare service name with existing ones matching
-    at least until `@` from principal name.
-
-    Predicate is a callable that accepts the existing service, and the
-    modified service to be compared to.
+    As the services are compared in a case insensitive manner, but
+    are recorded in a case preserving way, a dict mapping the services
+    in lowercase to the provided module parameter is generated, so
+    that dict keys can be used for comparison and the values are used
+    with IPA API.
     """
-    _services = []
-    service = module.params_get('service')
-    if service:
-        existing = [to_text(x) for x in res_find.get('member_service', [])]
-        for svc in service:
-            svc = svc if '@' in svc else ('%s@' % svc)
-            found = [x for x in existing if predicate(x, svc)]
-            _services.extend(found)
+    _services = module.params_get(key)
+    if _services is not None:
+        ipa_realm = module.ipa_get_realm()
+        _services = [
+            to_text(svc) if '@' in svc else ('%s@%s' % (svc, ipa_realm))
+            for svc in _services
+        ]
+        if _services:
+            _services = {svc.lower(): svc for svc in _services}
     return _services
 
 
+def result_get_value_lowercase(res_find, key, default=None):
+    """
+    Retrieve a member of a dictionary converted to lowercase.
+
+    If field data is a string it is returned in lowercase. If
+    field data is a list or tuple, it is assumed that all values
+    are strings and the result is a list of strings in lowercase.
+
+    If 'key' is not found in the dictionary, returns 'default'.
+    """
+    existing = res_find.get(key)
+    if existing is not None:
+        if isinstance(existing, (list, tuple)):
+            existing = [to_text(item).lower() for item in existing]
+        if isinstance(existing, (str, unicode)):
+            existing = existing.lower()
+    else:
+        existing = default
+    return existing
+
+
+def gen_services_add_del_lists(module, mod_member, res_find, res_member):
+    """Generate add/del lists for service principals."""
+    add_list, del_list = None, None
+    _services = get_service_param(module, mod_member)
+    if _services is not None:
+        _existing = result_get_value_lowercase(res_find, res_member)
+        add_list, del_list = gen_add_del_lists(_services.keys(), _existing)
+        if add_list:
+            add_list = [_services[key] for key in add_list]
+        if del_list:
+            del_list = [to_text(item) for item in del_list]
+    return add_list, del_list
+
+
 def ensure_role_with_members_is_present(module, name, res_find, action):
     """Define commands to ensure member are present for action `role`."""
     commands = []
-    privilege_add, privilege_del = gen_add_del_lists(
-        module.params_get("privilege"),
-        res_find.get('memberof_privilege', []))
 
-    if privilege_add:
-        commands.append([name, "role_add_privilege",
-                         {"privilege": privilege_add}])
-    if action == "role" and privilege_del:
-        commands.append([name, "role_remove_privilege",
-                         {"privilege": privilege_del}])
+    _members = module.params_get_lowercase("privilege")
+    if _members:
+        add_list, del_list = gen_add_del_lists(
+            _members,
+            result_get_value_lowercase(res_find, "memberof_privilege")
+        )
+
+        if add_list:
+            commands.append([name, "role_add_privilege",
+                             {"privilege": add_list}])
+        if action == "role" and del_list:
+            commands.append([name, "role_remove_privilege",
+                             {"privilege": del_list}])
 
     add_members = {}
     del_members = {}
 
-    for key in ["user", "group", "host", "hostgroup"]:
-        add_list, del_list = gen_add_del_lists(
-            module.params_get(key),
-            res_find.get('member_%s' % key, [])
-        )
-        if add_list:
-            add_members[key] = add_list
-        if del_list:
-            del_members[key] = [to_text(item) for item in del_list]
+    for key in ["user", "group", "hostgroup"]:
+        _members = module.params_get_lowercase(key)
+        if _members is not None:
+            add_list, del_list = gen_add_del_lists(
+                _members,
+                result_get_value_lowercase(res_find, "member_%s" % key)
+            )
+            if add_list:
+                add_members[key] = add_list
+            if del_list:
+                del_members[key] = del_list
 
-    service = [
-        to_text(svc)
-        if '@' in svc
-        else ('%s@%s' % (svc, module.ipa_get_realm()))
-        for svc in (module.params_get('service') or [])
-    ]
-    existing = [str(svc) for svc in res_find.get('member_service', [])]
-    add_list, del_list = gen_add_del_lists(service, existing)
-    if add_list:
-        add_members['service'] = add_list
-    if del_list:
-        del_members['service'] = [to_text(item) for item in del_list]
+    # ensure hosts are FQDN.
+    _members = get_member_host_with_fqdn_lowercase(module, "host")
+    if _members:
+        add_list, del_list = gen_add_del_lists(
+            _members, res_find.get('member_host'))
+        if add_list:
+            add_members["host"] = add_list
+        if del_list:
+            del_members["host"] = del_list
+
+    (add_services, del_services) = gen_services_add_del_lists(
+        module, "service", res_find, "member_service")
+    if add_services:
+        add_members["service"] = add_services
+    if del_services:
+        del_members["service"] = del_services
 
     if add_members:
         commands.append([name, "role_add_member", add_members])
@@ -285,67 +349,24 @@ def ensure_role_with_members_is_present(module, name, res_find, action):
     return commands
 
 
-def ensure_members_are_present(module, name, res_find):
-    """Define commands to ensure members are present for action `member`."""
-    commands = []
-
-    members = member_difference(
-        module, 'privilege', 'memberof_privilege', res_find)
-    if members:
-        commands.append([name, "role_add_privilege",
-                         {"privilege": members}])
-
-    member_args = {}
-    for key in ['user', 'group', 'host', 'hostgroup']:
-        items = member_difference(
-            module, key, 'member_%s' % key, res_find)
-        if items:
-            member_args[key] = items
-
-    _services = filter_service(module, res_find,
-                               lambda res, svc: not res.startswith(svc))
-    if _services:
-        member_args['service'] = _services
-
-    if member_args:
-        commands.append([name, "role_add_member", member_args])
-
-    return commands
-
-
-# pylint: disable=unused-argument
-def result_handler(module, result, command, name, args, errors):
-    """Process the result of a command, looking for errors."""
-    # Get all errors
-    # All "already a member" and "not a member" failures in the
-    # result are ignored. All others are reported.
-    if "failed" in result and len(result["failed"]) > 0:
-        for item in result["failed"]:
-            failed_item = result["failed"][item]
-            for member_type in failed_item:
-                for member, failure in failed_item[member_type]:
-                    if "already a member" in failure \
-                       or "not a member" in failure:
-                        continue
-                    errors.append("%s: %s %s: %s" % (
-                        command, member_type, member, failure))
-
-
 def role_commands_for_name(module, state, action, name):
     """Define commands for the Role module."""
     commands = []
 
-    rename = module.params_get("rename")
-
     res_find = find_role(module, name)
 
+    if state == "renamed":
+        args = gen_args(module)
+        if res_find is None:
+            module.fail_json(msg="No role '%s'" % name)
+        else:
+            commands.append([name, 'role_mod', args])
+
     if state == "present":
         args = gen_args(module)
 
         if action == "role":
             if res_find is None:
-                if rename is not None:
-                    module.fail_json(msg="Cannot `rename` inexistent role.")
                 commands.append([name, 'role_add', args])
                 res_find = {}
             else:
@@ -391,7 +412,7 @@ def create_module():
             action=dict(type="str", default="role",
                         choices=["role", "member"]),
             state=dict(type="str", default="present",
-                       choices=["present", "absent"]),
+                       choices=["present", "absent", "renamed"]),
         ),
         supports_check_mode=True,
         mutually_exclusive=[],
@@ -426,7 +447,8 @@ def main():
 
         # Execute commands
 
-        changed = ansible_module.execute_ipa_commands(commands, result_handler)
+        changed = ansible_module.execute_ipa_commands(
+            commands, fail_on_member_errors=True)
 
     # Done
     ansible_module.exit_json(changed=changed, **exit_args)

plugins/modules/ipaservice.py

@@ -50,13 +50,13 @@ options:
   pac_type:
     description: Supported PAC type.
     required: false
-    choices: ["MS-PAC", "PAD", "NONE"]
+    choices: ["MS-PAC", "PAD", "NONE", ""]
     type: list
     aliases: ["pac_type", "ipakrbauthzdata"]
   auth_ind:
     description: Defines a whitelist for Authentication Indicators.
     required: false
-    choices: ["otp", "radius", "pkinit", "hardened"]
+    choices: ["otp", "radius", "pkinit", "hardened", ""]
     aliases: ["krbprincipalauthind"]
   skip_host_check:
     description: Skip checking if host object exists.
@@ -356,7 +356,7 @@ def init_ansible_module():
             smb=dict(type="bool", required=False),
             netbiosname=dict(type="str", required=False),
             pac_type=dict(type="list", aliases=["ipakrbauthzdata"],
-                          choices=["MS-PAC", "PAD", "NONE"]),
+                          choices=["MS-PAC", "PAD", "NONE", ""]),
             auth_ind=dict(type="list",
                           aliases=["krbprincipalauthind"],
                           choices=["otp", "radius", "pkinit", "hardened", ""]),
@@ -420,8 +420,8 @@ def main():
     # service attributes
     principal = ansible_module.params_get("principal")
     certificate = ansible_module.params_get("certificate")
-    pac_type = ansible_module.params_get("pac_type")
-    auth_ind = ansible_module.params_get("auth_ind")
+    pac_type = ansible_module.params_get("pac_type", allow_empty_string=True)
+    auth_ind = ansible_module.params_get("auth_ind", allow_empty_string=True)
     skip_host_check = ansible_module.params_get("skip_host_check")
     force = ansible_module.params_get("force")
     requires_pre_auth = ansible_module.params_get("requires_pre_auth")
@@ -537,6 +537,15 @@ def main():
                             if remove in args:
                                 del args[remove]
 
+                        if (
+                            "ipakrbauthzdata" in args
+                            and (
+                                args.get("ipakrbauthzdata", [""]) ==
+                                res_find.get("ipakrbauthzdata", [""])
+                            )
+                        ):
+                            del args["ipakrbauthzdata"]
+
                         if (
                             "krbprincipalauthind" in args
                             and (

plugins/modules/ipaservicedelegationrule.py

@@ -0,0 +1,352 @@
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Thomas Woerner <twoerner@redhat.com>
+#
+# Copyright (C) 2022 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    "metadata_version": "1.0",
+    "supported_by": "community",
+    "status": ["preview"],
+}
+
+DOCUMENTATION = """
+---
+module: ipaservicedelegationrule
+short description: Manage FreeIPA servicedelegationrule
+description: |
+  Manage FreeIPA servicedelegationrule and servicedelegationrule members
+extends_documentation_fragment:
+  - ipamodule_base_docs
+options:
+  name:
+    description: The list of servicedelegationrule name strings.
+    required: true
+    aliases: ["cn"]
+  principal:
+    description: |
+      The list of principals. A principal can be of the format:
+      fqdn, fqdn@REALM, service/fqdn, service/fqdn@REALM, host/fqdn,
+      host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM
+      are host principals and the same as host/fqdn and host/fqd
+      Host princpals are only usable with IPA versions 4.9.0 and up.
+    required: false
+  target:
+    description: |
+      The list of service delegation targets.
+    required: false
+    aliases: ["servicedelegationtarget"]
+  action:
+    description: Work on servicedelegationrule or member level.
+    choices: ["servicedelegationrule", "member"]
+    default: servicedelegationrule
+    required: false
+  state:
+    description: The state to ensure.
+    choices: ["present", "absent"]
+    default: present
+    required: true
+"""
+
+EXAMPLES = """
+# Ensure servicedelegationrule delegation-rule is present
+- ipaservicedelegationrule:
+    ipaadmin_password: SomeADMINpassword
+    name: delegation-rule
+
+# Ensure servicedelegationrule delegation-rule member principal
+# test/example.com is present
+- ipaservicedelegationrule:
+    ipaadmin_password: SomeADMINpassword
+    name: delegation-rule
+    principal: test/example.com
+    action: member
+
+# Ensure servicedelegationrule delegation-rule member principal
+# test/example.com is absent
+- ipaservicedelegationrule:
+    ipaadmin_password: SomeADMINpassword
+    name: delegation-rule
+    principal: test/example.com
+    action: member
+    state: absent
+
+# Ensure servicedelegationrule delegation-rule member target
+# test/example.com is present
+- ipaservicedelegationrule:
+    ipaadmin_password: SomeADMINpassword
+    name: delegation-rule
+    target: delegation-target
+    action: member
+
+# Ensure servicedelegationrule delegation-rule member target
+# test/example.com is absent
+- ipaservicedelegationrule:
+    ipaadmin_password: SomeADMINpassword
+    name: delegation-rule
+    target: delegation-target
+    action: member
+    state: absent
+
+# Ensure servicedelegationrule delegation-rule is absent
+- ipaservicedelegationrule:
+    ipaadmin_password: SomeADMINpassword
+    name: delegation-rule
+    state: absent
+"""
+
+RETURN = """
+"""
+
+
+from ansible.module_utils.ansible_freeipa_module import \
+    IPAAnsibleModule, gen_add_del_lists, gen_add_list, gen_intersection_list, \
+    servicedelegation_normalize_principals, ipalib_errors
+from ansible.module_utils import six
+
+if six.PY3:
+    unicode = str
+
+
+def find_servicedelegationrule(module, name):
+    """Find if a servicedelegationrule with the given name already exist."""
+    try:
+        _result = module.ipa_command("servicedelegationrule_show", name,
+                                     {"all": True})
+    except Exception:  # pylint: disable=broad-except
+        # An exception is raised if servicedelegationrule name is not found.
+        return None
+    else:
+        return _result["result"]
+
+
+def check_targets(module, targets):
+    def _check_exists(module, _type, name):
+        # Check if item of type _type exists using the show command
+        try:
+            module.ipa_command("%s_show" % _type, name, {})
+        except ipalib_errors.NotFound as e:
+            msg = str(e)
+            if "%s not found" % _type in msg:
+                return False
+            module.fail_json(msg="%s_show failed: %s" % (_type, msg))
+        return True
+
+    for _target in targets:
+        if not _check_exists(module, "servicedelegationtarget", _target):
+            module.fail_json(
+                msg="Service delegation target '%s' does not exist" % _target)
+
+
+def main():
+    ansible_module = IPAAnsibleModule(
+        argument_spec=dict(
+            # general
+            name=dict(type="list", aliases=["cn"], default=None,
+                      required=True),
+            # present
+            principal=dict(required=False, type='list', default=None),
+            target=dict(required=False, type='list',
+                        aliases=["servicedelegationtarget"], default=None),
+
+            action=dict(type="str", default="servicedelegationrule",
+                        choices=["member", "servicedelegationrule"]),
+            # state
+            state=dict(type="str", default="present",
+                       choices=["present", "absent"]),
+        ),
+        supports_check_mode=True,
+    )
+
+    ansible_module._ansible_debug = True
+
+    # Get parameters
+
+    # general
+    names = ansible_module.params_get("name")
+
+    # present
+    principal = ansible_module.params_get("principal")
+    target = ansible_module.params_get("target")
+
+    action = ansible_module.params_get("action")
+
+    # state
+    state = ansible_module.params_get("state")
+
+    # Check parameters
+
+    invalid = []
+
+    if state == "present":
+        if len(names) != 1:
+            ansible_module.fail_json(
+                msg="Only one servicedelegationrule can be added at a time.")
+
+    if state == "absent":
+        if len(names) < 1:
+            ansible_module.fail_json(msg="No name given.")
+        if action == "servicedelegationrule":
+            invalid = ["principal", "target"]
+
+    ansible_module.params_fail_used_invalid(invalid, state, action)
+
+    # Init
+
+    membertarget = "ipaallowedtarget_servicedelegationtarget"
+    changed = False
+    exit_args = {}
+
+    # Connect to IPA API
+    with ansible_module.ipa_connect():
+
+        # Normalize principals
+        if principal:
+            principal = servicedelegation_normalize_principals(
+                ansible_module, principal, state == "present")
+        if target and state == "present":
+            check_targets(ansible_module, target)
+
+        commands = []
+        principal_add = principal_del = []
+        target_add = target_del = []
+        for name in names:
+            # Make sure servicedelegationrule exists
+            res_find = find_servicedelegationrule(ansible_module, name)
+
+            # Create command
+            if state == "present":
+
+                if action == "servicedelegationrule":
+                    # A servicedelegationrule does not have normal options.
+                    # There is no servicedelegationtarget-mod command.
+                    # Principal members are handled with the _add_member and
+                    # _remove_member commands further down.
+                    if res_find is None:
+                        commands.append([name, "servicedelegationrule_add",
+                                         {}])
+                        res_find = {}
+
+                    # Generate addition and removal lists for principal
+                    principal_add, principal_del = gen_add_del_lists(
+                        principal, res_find.get("memberprincipal"))
+
+                    # Generate addition and removal lists for target
+                    target_add, target_del = gen_add_del_lists(
+                        target, res_find.get(membertarget))
+
+                elif action == "member":
+                    if res_find is None:
+                        ansible_module.fail_json(
+                            msg="No servicedelegationrule '%s'" % name)
+
+                    # Reduce add lists for principal
+                    # to new entries only that are not in res_find.
+                    if principal is not None and \
+                       "memberprincipal" in res_find:
+                        principal_add = gen_add_list(
+                            principal, res_find["memberprincipal"])
+                    else:
+                        principal_add = principal
+
+                    # Reduce add lists for target
+                    # to new entries only that are not in res_find.
+                    if target is not None and membertarget in res_find:
+                        target_add = gen_add_list(
+                            target, res_find[membertarget])
+                    else:
+                        target_add = target
+
+            elif state == "absent":
+                if action == "servicedelegationrule":
+                    if res_find is not None:
+                        commands.append([name, "servicedelegationrule_del",
+                                         {}])
+
+                elif action == "member":
+                    if res_find is None:
+                        ansible_module.fail_json(
+                            msg="No servicedelegationrule '%s'" % name)
+
+                    # Reduce del lists of principals to the entries only
+                    # that are in res_find.
+                    if principal is not None:
+                        principal_del = gen_intersection_list(
+                            principal, res_find.get("memberprincipal"))
+                    else:
+                        principal_del = principal
+
+                    # Reduce del lists of targets to the entries only
+                    # that are in res_find.
+                    if target is not None:
+                        target_del = gen_intersection_list(
+                            target, res_find.get(membertarget))
+                    else:
+                        target_del = target
+
+            else:
+                ansible_module.fail_json(msg="Unkown state '%s'" % state)
+
+            # Handle members
+
+            # Add principal members
+            if principal_add is not None and len(principal_add) > 0:
+                commands.append(
+                    [name, "servicedelegationtarget_add_member",
+                     {
+                         "principal": principal_add,
+                     }])
+            # Remove principal members
+            if principal_del is not None and len(principal_del) > 0:
+                commands.append(
+                    [name, "servicedelegationtarget_remove_member",
+                     {
+                         "principal": principal_del,
+                     }])
+
+            # Add target members
+            if target_add is not None and len(target_add) > 0:
+                commands.append(
+                    [name, "servicedelegationrule_add_target",
+                     {
+                         "servicedelegationtarget": target_add,
+                     }])
+            # Remove target members
+            if target_del is not None and len(target_del) > 0:
+                commands.append(
+                    [name, "servicedelegationrule_remove_target",
+                     {
+                         "servicedelegationtarget": target_del,
+                     }])
+
+        # Execute commands
+
+        changed = ansible_module.execute_ipa_commands(
+            commands, fail_on_member_errors=True)
+
+    # Done
+
+    ansible_module.exit_json(changed=changed, **exit_args)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/ipaservicedelegationtarget.py

@@ -0,0 +1,270 @@
+# -*- coding: utf-8 -*-
+
+# Authors:
+#   Thomas Woerner <twoerner@redhat.com>
+#
+# Copyright (C) 2022 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    "metadata_version": "1.0",
+    "supported_by": "community",
+    "status": ["preview"],
+}
+
+DOCUMENTATION = """
+---
+module: ipaservicedelegationtarget
+short description: Manage FreeIPA servicedelegationtarget
+description: |
+  Manage FreeIPA servicedelegationtarget and servicedelegationtarget members
+extends_documentation_fragment:
+  - ipamodule_base_docs
+options:
+  name:
+    description: The list of servicedelegationtarget name strings.
+    required: true
+    aliases: ["cn"]
+  principal:
+    description: |
+      The list of principals. A principal can be of the format:
+      fqdn, fqdn@REALM, service/fqdn, service/fqdn@REALM, host/fqdn,
+      host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM
+      are host principals and the same as host/fqdn and host/fqdn@REALM.
+      Host princpals are only usable with IPA versions 4.9.0 and up.
+    required: false
+  action:
+    description: Work on servicedelegationtarget or member level.
+    choices: ["servicedelegationtarget", "member"]
+    default: servicedelegationtarget
+    required: false
+  state:
+    description: The state to ensure.
+    choices: ["present", "absent"]
+    default: present
+    required: true
+"""
+
+EXAMPLES = """
+# Ensure servicedelegationtarget delegation-target is present
+- ipaservicedelegationtarget:
+    ipaadmin_password: SomeADMINpassword
+    name: delegation-target
+
+# Ensure servicedelegationtarget delegation-target member principal
+# test/example.com is present
+- ipaservicedelegationtarget:
+    ipaadmin_password: SomeADMINpassword
+    name: delegation-target
+    principal: test/example.com
+    action: member
+
+# Ensure servicedelegationtarget delegation-target member principal
+# test/example.com is absent
+- ipaservicedelegationtarget:
+    ipaadmin_password: SomeADMINpassword
+    name: delegation-target
+    principal: test/example.com
+    action: member
+    state: absent
+
+# Ensure servicedelegationtarget delegation-target is absent
+- ipaservicedelegationtarget:
+    ipaadmin_password: SomeADMINpassword
+    name: delegation-target
+    state: absent
+"""
+
+RETURN = """
+"""
+
+
+from ansible.module_utils.ansible_freeipa_module import \
+    IPAAnsibleModule, gen_add_del_lists, gen_add_list, gen_intersection_list, \
+    servicedelegation_normalize_principals
+from ansible.module_utils import six
+
+if six.PY3:
+    unicode = str
+
+
+def find_servicedelegationtarget(module, name):
+    """Find if a servicedelegationtarget with the given name already exist."""
+    try:
+        _result = module.ipa_command("servicedelegationtarget_show", name,
+                                     {"all": True})
+    except Exception:  # pylint: disable=broad-except
+        # An exception is raised if servicedelegationtarget name is not found.
+        return None
+    else:
+        return _result["result"]
+
+
+def main():
+    ansible_module = IPAAnsibleModule(
+        argument_spec=dict(
+            # general
+            name=dict(type="list", aliases=["cn"], default=None,
+                      required=True),
+            # present
+            principal=dict(required=False, type='list', default=None),
+
+            action=dict(type="str", default="servicedelegationtarget",
+                        choices=["member", "servicedelegationtarget"]),
+            # state
+            state=dict(type="str", default="present",
+                       choices=["present", "absent"]),
+        ),
+        supports_check_mode=True,
+    )
+
+    ansible_module._ansible_debug = True
+
+    # Get parameters
+
+    # general
+    names = ansible_module.params_get("name")
+
+    # present
+    principal = ansible_module.params_get("principal")
+
+    action = ansible_module.params_get("action")
+
+    # state
+    state = ansible_module.params_get("state")
+
+    # Check parameters
+
+    invalid = []
+
+    if state == "present":
+        if len(names) != 1:
+            ansible_module.fail_json(
+                msg="Only one servicedelegationtarget can be added at a time.")
+
+    if state == "absent":
+        if len(names) < 1:
+            ansible_module.fail_json(msg="No name given.")
+        if action == "servicedelegationtarget":
+            invalid.append("principal")
+
+    ansible_module.params_fail_used_invalid(invalid, state, action)
+
+    # Init
+
+    changed = False
+    exit_args = {}
+
+    # Connect to IPA API
+    with ansible_module.ipa_connect():
+
+        # Normalize principals
+        if principal:
+            principal = servicedelegation_normalize_principals(
+                ansible_module, principal, state == "present")
+
+        commands = []
+        principal_add = principal_del = []
+        for name in names:
+            # Make sure servicedelegationtarget exists
+            res_find = find_servicedelegationtarget(ansible_module, name)
+
+            # Create command
+            if state == "present":
+
+                if action == "servicedelegationtarget":
+                    # A servicedelegationtarget does not have normal options.
+                    # There is no servicedelegationtarget-mod command.
+                    # Principal members are handled with the _add_member and
+                    # _remove_member commands further down.
+                    if res_find is None:
+                        commands.append([name, "servicedelegationtarget_add",
+                                         {}])
+                        res_find = {}
+
+                    # Generate addition and removal lists
+                    principal_add, principal_del = gen_add_del_lists(
+                        principal, res_find.get("memberprincipal"))
+
+                elif action == "member":
+                    if res_find is None:
+                        ansible_module.fail_json(
+                            msg="No servicedelegationtarget '%s'" % name)
+
+                    # Reduce add lists for principal
+                    # to new entries only that are not in res_find.
+                    if principal is not None and \
+                       "memberprincipal" in res_find:
+                        principal_add = gen_add_list(
+                            principal, res_find["memberprincipal"])
+                    else:
+                        principal_add = principal
+
+            elif state == "absent":
+                if action == "servicedelegationtarget":
+                    if res_find is not None:
+                        commands.append([name, "servicedelegationtarget_del",
+                                         {}])
+
+                elif action == "member":
+                    if res_find is None:
+                        ansible_module.fail_json(
+                            msg="No servicedelegationtarget '%s'" % name)
+
+                    # Reduce del lists of principal
+                    # to the entries only that are in res_find.
+                    if principal is not None:
+                        principal_del = gen_intersection_list(
+                            principal, res_find.get("memberprincipal"))
+                    else:
+                        principal_del = principal
+
+            else:
+                ansible_module.fail_json(msg="Unkown state '%s'" % state)
+
+            # Handle members
+
+            # Add principal members
+            if principal_add is not None and len(principal_add) > 0:
+                commands.append(
+                    [name, "servicedelegationtarget_add_member",
+                     {
+                         "principal": principal_add,
+                     }])
+            # Remove principal members
+            if principal_del is not None and len(principal_del) > 0:
+                commands.append(
+                    [name, "servicedelegationtarget_remove_member",
+                     {
+                         "principal": principal_del,
+                     }])
+
+        # Execute commands
+
+        changed = ansible_module.execute_ipa_commands(
+            commands, fail_on_member_errors=True)
+
+    # Done
+
+    ansible_module.exit_json(changed=changed, **exit_args)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/ipasudorule.py

@@ -188,7 +188,7 @@ RETURN = """
 
 from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, gen_add_list, \
-    gen_intersection_list
+    gen_intersection_list, api_get_domain, ensure_fqdn
 
 
 def find_sudorule(module, name):
@@ -297,17 +297,19 @@ def main():
     hostcategory = ansible_module.params_get("hostcategory")  # noqa
     nomembers = ansible_module.params_get("nomembers")  # noqa
     host = ansible_module.params_get("host")
-    hostgroup = ansible_module.params_get("hostgroup")
-    user = ansible_module.params_get("user")
-    group = ansible_module.params_get("group")
+    hostgroup = ansible_module.params_get_lowercase("hostgroup")
+    user = ansible_module.params_get_lowercase("user")
+    group = ansible_module.params_get_lowercase("group")
     allow_sudocmd = ansible_module.params_get('allow_sudocmd')
-    allow_sudocmdgroup = ansible_module.params_get('allow_sudocmdgroup')
+    allow_sudocmdgroup = \
+        ansible_module.params_get_lowercase('allow_sudocmdgroup')
     deny_sudocmd = ansible_module.params_get('deny_sudocmd')
-    deny_sudocmdgroup = ansible_module.params_get('deny_sudocmdgroup')
+    deny_sudocmdgroup = \
+        ansible_module.params_get_lowercase('deny_sudocmdgroup')
     sudooption = ansible_module.params_get("sudooption")
     order = ansible_module.params_get("order")
-    runasuser = ansible_module.params_get("runasuser")
-    runasgroup = ansible_module.params_get("runasgroup")
+    runasuser = ansible_module.params_get_lowercase("runasuser")
+    runasgroup = ansible_module.params_get_lowercase("runasgroup")
     action = ansible_module.params_get("action")
 
     # state
@@ -374,8 +376,26 @@ def main():
 
     # Connect to IPA API
     with ansible_module.ipa_connect():
+        default_domain = api_get_domain()
+
+        # Ensure host is not short hostname.
+        if host:
+            host = list(
+                {ensure_fqdn(value.lower(), default_domain) for value in host}
+            )
 
         commands = []
+        host_add, host_del = [], []
+        user_add, user_del = [], []
+        group_add, group_del = [], []
+        hostgroup_add, hostgroup_del = [], []
+        allow_cmd_add, allow_cmd_del = [], []
+        allow_cmdgroup_add, allow_cmdgroup_del = [], []
+        deny_cmd_add, deny_cmd_del = [], []
+        deny_cmdgroup_add, deny_cmdgroup_del = [], []
+        sudooption_add, sudooption_del = [], []
+        runasuser_add, runasuser_del = [], []
+        runasgroup_add, runasgroup_del = [], []
 
         for name in names:
             # Make sure sudorule exists
@@ -480,95 +500,11 @@ def main():
                     runasgroup_add, runasgroup_del = gen_add_del_lists(
                         runasgroup,
                         (
-                            res_find.get('ipasudorunas_group', [])
+                            res_find.get('ipasudorunasgroup_group', [])
                             + res_find.get('ipasudorunasextgroup', [])
                         )
                     )
 
-                    # Add hosts and hostgroups
-                    if len(host_add) > 0 or len(hostgroup_add) > 0:
-                        commands.append([name, "sudorule_add_host",
-                                         {
-                                             "host": host_add,
-                                             "hostgroup": hostgroup_add,
-                                         }])
-                    # Remove hosts and hostgroups
-                    if len(host_del) > 0 or len(hostgroup_del) > 0:
-                        commands.append([name, "sudorule_remove_host",
-                                         {
-                                             "host": host_del,
-                                             "hostgroup": hostgroup_del,
-                                         }])
-
-                    # Add users and groups
-                    if len(user_add) > 0 or len(group_add) > 0:
-                        commands.append([name, "sudorule_add_user",
-                                         {
-                                             "user": user_add,
-                                             "group": group_add,
-                                         }])
-                    # Remove users and groups
-                    if len(user_del) > 0 or len(group_del) > 0:
-                        commands.append([name, "sudorule_remove_user",
-                                         {
-                                             "user": user_del,
-                                             "group": group_del,
-                                         }])
-
-                    # Add commands allowed
-                    if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0:
-                        commands.append([name, "sudorule_add_allow_command",
-                                         {"sudocmd": allow_cmd_add,
-                                          "sudocmdgroup": allow_cmdgroup_add,
-                                          }])
-
-                    if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0:
-                        commands.append([name, "sudorule_remove_allow_command",
-                                         {"sudocmd": allow_cmd_del,
-                                          "sudocmdgroup": allow_cmdgroup_del
-                                          }])
-
-                    # Add commands denied
-                    if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0:
-                        commands.append([name, "sudorule_add_deny_command",
-                                         {"sudocmd": deny_cmd_add,
-                                          "sudocmdgroup": deny_cmdgroup_add,
-                                          }])
-
-                    if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0:
-                        commands.append([name, "sudorule_remove_deny_command",
-                                         {"sudocmd": deny_cmd_del,
-                                          "sudocmdgroup": deny_cmdgroup_del
-                                          }])
-
-                    # Add RunAS Users
-                    if len(runasuser_add) > 0:
-                        commands.append([name, "sudorule_add_runasuser",
-                                         {"user": runasuser_add}])
-                    # Remove RunAS Users
-                    if len(runasuser_del) > 0:
-                        commands.append([name, "sudorule_remove_runasuser",
-                                         {"user": runasuser_del}])
-
-                    # Add RunAS Groups
-                    if len(runasgroup_add) > 0:
-                        commands.append([name, "sudorule_add_runasgroup",
-                                         {"group": runasgroup_add}])
-                    # Remove RunAS Groups
-                    if len(runasgroup_del) > 0:
-                        commands.append([name, "sudorule_remove_runasgroup",
-                                         {"group": runasgroup_del}])
-
-                    # Add sudo options
-                    for sudoopt in sudooption_add:
-                        commands.append([name, "sudorule_add_option",
-                                         {"ipasudoopt": sudoopt}])
-
-                    # Remove sudo options
-                    for sudoopt in sudooption_del:
-                        commands.append([name, "sudorule_remove_option",
-                                         {"ipasudoopt": sudoopt}])
-
                 elif action == "member":
                     if res_find is None:
                         ansible_module.fail_json(msg="No sudorule '%s'" % name)
@@ -578,56 +514,47 @@ def main():
                     # deny_sudocmdgroup, sudooption, runasuser, runasgroup
                     # and res_find to only try to add the items that not in
                     # the sudorule already
-                    if host is not None and \
-                       "memberhost_host" in res_find:
-                        host = gen_add_list(
-                            host, res_find["memberhost_host"])
-                    if hostgroup is not None and \
-                       "memberhost_hostgroup" in res_find:
-                        hostgroup = gen_add_list(
-                            hostgroup, res_find["memberhost_hostgroup"])
-                    if user is not None and \
-                       "memberuser_user" in res_find:
-                        user = gen_add_list(
-                            user, res_find["memberuser_user"])
-                    if group is not None and \
-                       "memberuser_group" in res_find:
-                        group = gen_add_list(
-                            group, res_find["memberuser_group"])
-                    if allow_sudocmd is not None and \
-                       "memberallowcmd_sudocmd" in res_find:
-                        allow_sudocmd = gen_add_list(
-                            allow_sudocmd, res_find["memberallowcmd_sudocmd"])
-                    if allow_sudocmdgroup is not None and \
-                       "memberallowcmd_sudocmdgroup" in res_find:
-                        allow_sudocmdgroup = gen_add_list(
+                    if host is not None:
+                        host_add = gen_add_list(
+                            host, res_find.get("memberhost_host"))
+                    if hostgroup is not None:
+                        hostgroup_add = gen_add_list(
+                            hostgroup, res_find.get("memberhost_hostgroup"))
+                    if user is not None:
+                        user_add = gen_add_list(
+                            user, res_find.get("memberuser_user"))
+                    if group is not None:
+                        group_add = gen_add_list(
+                            group, res_find.get("memberuser_group"))
+                    if allow_sudocmd is not None:
+                        allow_cmd_add = gen_add_list(
+                            allow_sudocmd,
+                            res_find.get("memberallowcmd_sudocmd")
+                        )
+                    if allow_sudocmdgroup is not None:
+                        allow_cmdgroup_add = gen_add_list(
                             allow_sudocmdgroup,
-                            res_find["memberallowcmd_sudocmdgroup"])
-                    if deny_sudocmd is not None and \
-                       "memberdenycmd_sudocmd" in res_find:
-                        deny_sudocmd = gen_add_list(
-                            deny_sudocmd, res_find["memberdenycmd_sudocmd"])
-                    if deny_sudocmdgroup is not None and \
-                       "memberdenycmd_sudocmdgroup" in res_find:
-                        deny_sudocmdgroup = gen_add_list(
+                            res_find.get("memberallowcmd_sudocmdgroup")
+                        )
+                    if deny_sudocmd is not None:
+                        deny_cmd_add = gen_add_list(
+                            deny_sudocmd,
+                            res_find.get("memberdenycmd_sudocmd")
+                        )
+                    if deny_sudocmdgroup is not None:
+                        deny_cmdgroup_add = gen_add_list(
                             deny_sudocmdgroup,
-                            res_find["memberdenycmd_sudocmdgroup"])
-                    if sudooption is not None and \
-                       "ipasudoopt" in res_find:
-                        sudooption = gen_add_list(
-                            sudooption, res_find["ipasudoopt"])
+                            res_find.get("memberdenycmd_sudocmdgroup")
+                        )
+                    if sudooption is not None:
+                        sudooption_add = gen_add_list(
+                            sudooption, res_find.get("ipasudoopt"))
                     # runasuser attribute can be used with both IPA and
                     # non-IPA (external) users, so we need to compare
                     # the provided list against both users and external
                     # users list.
-                    if (
-                        runasuser is not None
-                        and (
-                            "ipasudorunas_user" in res_find
-                            or "ipasudorunasextuser" in res_find
-                        )
-                    ):
-                        runasuser = gen_add_list(
+                    if runasuser is not None:
+                        runasuser_add = gen_add_list(
                             runasuser,
                             (list(res_find.get('ipasudorunas_user', []))
                              + list(res_find.get('ipasudorunasextuser', [])))
@@ -636,69 +563,13 @@ def main():
                     # non-IPA (external) groups, so we need to compare
                     # the provided list against both users and external
                     # groups list.
-                    if (
-                        runasgroup is not None
-                        and (
-                            "ipasudorunasgroup_group" in res_find
-                            or "ipasudorunasextgroup" in res_find
-                        )
-                    ):
-                        runasgroup = gen_add_list(
+                    if runasgroup is not None:
+                        runasgroup_add = gen_add_list(
                             runasgroup,
                             (list(res_find.get("ipasudorunasgroup_group", []))
                              + list(res_find.get("ipasudorunasextgroup", [])))
                         )
 
-                    # Add hosts and hostgroups
-                    if host is not None or hostgroup is not None:
-                        commands.append([name, "sudorule_add_host",
-                                         {
-                                             "host": host,
-                                             "hostgroup": hostgroup,
-                                         }])
-
-                    # Add users and groups
-                    if user is not None or group is not None:
-                        commands.append([name, "sudorule_add_user",
-                                         {
-                                             "user": user,
-                                             "group": group,
-                                         }])
-
-                    # Add commands
-                    if allow_sudocmd is not None \
-                       or allow_sudocmdgroup is not None:
-                        commands.append([name, "sudorule_add_allow_command",
-                                         {"sudocmd": allow_sudocmd,
-                                          "sudocmdgroup": allow_sudocmdgroup,
-                                          }])
-
-                    # Add commands
-                    if deny_sudocmd is not None \
-                       or deny_sudocmdgroup is not None:
-                        commands.append([name, "sudorule_add_deny_command",
-                                         {"sudocmd": deny_sudocmd,
-                                          "sudocmdgroup": deny_sudocmdgroup,
-                                          }])
-
-                    # Add RunAS Users
-                    if runasuser is not None and len(runasuser) > 0:
-                        commands.append([name, "sudorule_add_runasuser",
-                                         {"user": runasuser}])
-
-                    # Add RunAS Groups
-                    if runasgroup is not None and len(runasgroup) > 0:
-                        commands.append([name, "sudorule_add_runasgroup",
-                                         {"group": runasgroup}])
-
-                    # Add options
-                    if sudooption is not None:
-                        existing_opts = res_find.get('ipasudoopt', [])
-                        for sudoopt in sudooption:
-                            if sudoopt not in existing_opts:
-                                commands.append([name, "sudorule_add_option",
-                                                 {"ipasudoopt": sudoopt}])
-
             elif state == "absent":
                 if action == "sudorule":
                     if res_find is not None:
@@ -714,153 +585,70 @@ def main():
                     # and res_find to only try to remove the items that are
                     # in sudorule
                     if host is not None:
-                        if "memberhost_host" in res_find:
-                            host = gen_intersection_list(
-                                host, res_find["memberhost_host"])
-                        else:
-                            host = None
+                        host_del = gen_intersection_list(
+                            host, res_find.get("memberhost_host"))
+
                     if hostgroup is not None:
-                        if "memberhost_hostgroup" in res_find:
-                            hostgroup = gen_intersection_list(
-                                hostgroup, res_find["memberhost_hostgroup"])
-                        else:
-                            hostgroup = None
+                        hostgroup_del = gen_intersection_list(
+                            hostgroup, res_find.get("memberhost_hostgroup"))
+
                     if user is not None:
-                        if "memberuser_user" in res_find:
-                            user = gen_intersection_list(
-                                user, res_find["memberuser_user"])
-                        else:
-                            user = None
+                        user_del = gen_intersection_list(
+                            user, res_find.get("memberuser_user"))
+
                     if group is not None:
-                        if "memberuser_group" in res_find:
-                            group = gen_intersection_list(
-                                group, res_find["memberuser_group"])
-                        else:
-                            group = None
+                        group_del = gen_intersection_list(
+                            group, res_find.get("memberuser_group"))
+
                     if allow_sudocmd is not None:
-                        if "memberallowcmd_sudocmd" in res_find:
-                            allow_sudocmd = gen_intersection_list(
-                                allow_sudocmd,
-                                res_find["memberallowcmd_sudocmd"])
-                        else:
-                            allow_sudocmd = None
+                        allow_cmd_del = gen_intersection_list(
+                            allow_sudocmd,
+                            res_find.get("memberallowcmd_sudocmd")
+                        )
                     if allow_sudocmdgroup is not None:
-                        if "memberallowcmd_sudocmdgroup" in res_find:
-                            allow_sudocmdgroup = gen_intersection_list(
-                                allow_sudocmdgroup,
-                                res_find["memberallowcmd_sudocmdgroup"])
-                        else:
-                            allow_sudocmdgroup = None
+                        allow_cmdgroup_del = gen_intersection_list(
+                            allow_sudocmdgroup,
+                            res_find.get("memberallowcmd_sudocmdgroup")
+                        )
                     if deny_sudocmd is not None:
-                        if "memberdenycmd_sudocmd" in res_find:
-                            deny_sudocmd = gen_intersection_list(
-                                deny_sudocmd,
-                                res_find["memberdenycmd_sudocmd"])
-                        else:
-                            deny_sudocmd = None
+                        deny_cmd_del = gen_intersection_list(
+                            deny_sudocmd,
+                            res_find.get("memberdenycmd_sudocmd")
+                        )
                     if deny_sudocmdgroup is not None:
-                        if "memberdenycmd_sudocmdgroup" in res_find:
-                            deny_sudocmdgroup = gen_intersection_list(
-                                deny_sudocmdgroup,
-                                res_find["memberdenycmd_sudocmdgroup"])
-                        else:
-                            deny_sudocmdgroup = None
+                        deny_cmdgroup_del = gen_intersection_list(
+                            deny_sudocmdgroup,
+                            res_find.get("memberdenycmd_sudocmdgroup")
+                        )
                     if sudooption is not None:
-                        if "ipasudoopt" in res_find:
-                            sudooption = gen_intersection_list(
-                                sudooption, res_find["ipasudoopt"])
-                        else:
-                            sudooption = None
+                        sudooption_del = gen_intersection_list(
+                            sudooption, res_find.get("ipasudoopt"))
                     # runasuser attribute can be used with both IPA and
                     # non-IPA (external) users, so we need to compare
                     # the provided list against both users and external
                     # users list.
                     if runasuser is not None:
-                        if (
-                            "ipasudorunas_user" in res_find
-                            or "ipasudorunasextuser" in res_find
-                        ):
-                            runasuser = gen_intersection_list(
-                                runasuser,
-                                (
-                                    list(res_find.get('ipasudorunas_user', []))
-                                    + list(res_find.get(
-                                        'ipasudorunasextuser', []))
-                                )
+                        runasuser_del = gen_intersection_list(
+                            runasuser,
+                            (
+                                list(res_find.get('ipasudorunas_user', []))
+                                + list(res_find.get('ipasudorunasextuser', []))
                             )
-                        else:
-                            runasuser = None
+                        )
                     # runasgroup attribute can be used with both IPA and
                     # non-IPA (external) groups, so we need to compare
                     # the provided list against both groups and external
                     # groups list.
                     if runasgroup is not None:
-                        if (
-                            "ipasudorunasgroup_group" in res_find
-                            or "ipasudorunasextgroup" in res_find
-                        ):
-                            runasgroup = gen_intersection_list(
-                                runasgroup,
-                                (
-                                    list(res_find.get(
-                                        "ipasudorunasgroup_group", []))
-                                    + list(res_find.get(
-                                        "ipasudorunasextgroup", []))
-                                )
+                        runasgroup_del = gen_intersection_list(
+                            runasgroup,
+                            (
+                                list(res_find.get(
+                                    "ipasudorunasgroup_group", []))
+                                + list(res_find.get(
+                                    "ipasudorunasextgroup", []))
                             )
-                        else:
-                            runasgroup = None
-
-                    # Remove hosts and hostgroups
-                    if host is not None or hostgroup is not None:
-                        commands.append([name, "sudorule_remove_host",
-                                         {
-                                             "host": host,
-                                             "hostgroup": hostgroup,
-                                         }])
-
-                    # Remove users and groups
-                    if user is not None or group is not None:
-                        commands.append([name, "sudorule_remove_user",
-                                         {
-                                             "user": user,
-                                             "group": group,
-                                         }])
-
-                    # Remove allow commands
-                    if allow_sudocmd is not None \
-                       or allow_sudocmdgroup is not None:
-                        commands.append([name, "sudorule_remove_allow_command",
-                                         {"sudocmd": allow_sudocmd,
-                                          "sudocmdgroup": allow_sudocmdgroup
-                                          }])
-
-                    # Remove deny commands
-                    if deny_sudocmd is not None \
-                       or deny_sudocmdgroup is not None:
-                        commands.append([name, "sudorule_remove_deny_command",
-                                         {"sudocmd": deny_sudocmd,
-                                          "sudocmdgroup": deny_sudocmdgroup
-                                          }])
-
-                    # Remove RunAS Users
-                    if runasuser is not None:
-                        commands.append([name, "sudorule_remove_runasuser",
-                                         {"user": runasuser}])
-
-                    # Remove RunAS Groups
-                    if runasgroup is not None:
-                        commands.append([name, "sudorule_remove_runasgroup",
-                                         {"group": runasgroup}])
-
-                    # Remove options
-                    if sudooption is not None:
-                        existing_opts = res_find.get('ipasudoopt', [])
-                        for sudoopt in sudooption:
-                            if sudoopt in existing_opts:
-                                commands.append([name,
-                                                 "sudorule_remove_option",
-                                                 {"ipasudoopt": sudoopt}])
+                        )
 
             elif state == "enabled":
                 if res_find is None:
@@ -868,8 +656,12 @@ def main():
                 # sudorule_enable is not failing on an enabled sudorule
                 # Therefore it is needed to have a look at the ipaenabledflag
                 # in res_find.
-                if "ipaenabledflag" not in res_find or \
-                   res_find["ipaenabledflag"][0] != "TRUE":
+                # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                # boolean values, so we need to convert it to str
+                # for comparison.
+                # See: https://github.com/freeipa/freeipa/pull/6294
+                enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
+                if enabled_flag.upper() != "TRUE":
                     commands.append([name, "sudorule_enable", {}])
 
             elif state == "disabled":
@@ -878,13 +670,110 @@ def main():
                 # sudorule_disable is not failing on an disabled sudorule
                 # Therefore it is needed to have a look at the ipaenabledflag
                 # in res_find.
-                if "ipaenabledflag" not in res_find or \
-                   res_find["ipaenabledflag"][0] != "FALSE":
+                # FreeIPA 4.9.10+ and 4.10 use proper mapping for
+                # boolean values, so we need to convert it to str
+                # for comparison.
+                # See: https://github.com/freeipa/freeipa/pull/6294
+                enabled_flag = str(res_find.get("ipaenabledflag", [False])[0])
+                if enabled_flag.upper() != "FALSE":
                     commands.append([name, "sudorule_disable", {}])
 
             else:
                 ansible_module.fail_json(msg="Unkown state '%s'" % state)
 
+            # Manage members.
+            # Manage hosts and hostgroups
+            if host_add or hostgroup_add:
+                commands.append([name, "sudorule_add_host",
+                                 {
+                                     "host": host_add,
+                                     "hostgroup": hostgroup_add,
+                                 }])
+            if host_del or hostgroup_del:
+                commands.append([name, "sudorule_remove_host",
+                                 {
+                                     "host": host_del,
+                                     "hostgroup": hostgroup_del,
+                                 }])
+
+            # Manage users and groups
+            if user_add or group_add:
+                commands.append([
+                    name, "sudorule_add_user",
+                    {"user": user_add, "group": group_add}
+                ])
+            if user_del or group_del:
+                commands.append([
+                    name, "sudorule_remove_user",
+                    {"user": user_del, "group": group_del}
+                ])
+
+            # Manage commands allowed
+            if allow_cmd_add or allow_cmdgroup_add:
+                commands.append([
+                    name, "sudorule_add_allow_command",
+                    {
+                        "sudocmd": allow_cmd_add,
+                        "sudocmdgroup": allow_cmdgroup_add,
+                    }
+                ])
+            if allow_cmd_del or allow_cmdgroup_del:
+                commands.append([
+                    name, "sudorule_remove_allow_command",
+                    {
+                        "sudocmd": allow_cmd_del,
+                        "sudocmdgroup": allow_cmdgroup_del
+                    }
+                ])
+            # Manage commands denied
+            if deny_cmd_add or deny_cmdgroup_add:
+                commands.append([
+                    name, "sudorule_add_deny_command",
+                    {
+                        "sudocmd": deny_cmd_add,
+                        "sudocmdgroup": deny_cmdgroup_add,
+                    }
+                ])
+            if deny_cmd_del or deny_cmdgroup_del:
+                commands.append([
+                    name, "sudorule_remove_deny_command",
+                    {
+                        "sudocmd": deny_cmd_del,
+                        "sudocmdgroup": deny_cmdgroup_del
+                    }
+                ])
+            # Manage RunAS users
+            if runasuser_add:
+                commands.append([
+                    name, "sudorule_add_runasuser", {"user": runasuser_add}
+                ])
+            if runasuser_del:
+                commands.append([
+                    name, "sudorule_remove_runasuser", {"user": runasuser_del}
+                ])
+
+            # Manage RunAS Groups
+            if runasgroup_add:
+                commands.append([
+                    name, "sudorule_add_runasgroup", {"group": runasgroup_add}
+                ])
+            if runasgroup_del:
+                commands.append([
+                    name, "sudorule_remove_runasgroup",
+                    {"group": runasgroup_del}
+                ])
+            # Manage sudo options
+            if sudooption_add:
+                for option in sudooption_add:
+                    commands.append([
+                        name, "sudorule_add_option", {"ipasudoopt": option}
+                    ])
+            if sudooption_del:
+                for option in sudooption_del:
+                    commands.append([
+                        name, "sudorule_remove_option", {"ipasudoopt": option}
+                    ])
+
         # Execute commands
 
         changed = ansible_module.execute_ipa_commands(

plugins/modules/ipatrust.py

@@ -44,7 +44,8 @@ options:
     description:
     - Trust type (ad for Active Directory, default)
     default: ad
-    required: true
+    required: false
+    choices: ["ad"]
   admin:
     description:
     - Active Directory domain administrator
@@ -103,7 +104,7 @@ EXAMPLES = """
     realm: ad.example.test
     trust_type: ad
     admin: Administrator
-    password: Welcome2020!
+    password: SomeW1Npassword
     state: present
 
 # delete ad-trust
@@ -157,7 +158,7 @@ def add_trust(module, realm, args):
 
 
 def gen_args(trust_type, admin, password, server, trust_secret, base_id,
-             range_size, _range_type, two_way, external):
+             range_size, range_type, two_way, external):
     _args = {}
     if trust_type is not None:
         _args["trust_type"] = trust_type
@@ -173,6 +174,8 @@ def gen_args(trust_type, admin, password, server, trust_secret, base_id,
         _args["base_id"] = base_id
     if range_size is not None:
         _args["range_size"] = range_size
+    if range_type is not None:
+        _args["range_type"] = range_type
     if two_way is not None:
         _args["bidirectional"] = two_way
     if external is not None:
@@ -190,7 +193,8 @@ def main():
             state=dict(type="str", default="present",
                        choices=["present", "absent"]),
             # present
-            trust_type=dict(type="str", default="ad", required=False),
+            trust_type=dict(type="str", default="ad", required=False,
+                            choices=["ad"]),
             admin=dict(type="str", default=None, required=False),
             password=dict(type="str", default=None,
                           required=False, no_log=True),

plugins/modules/ipauser.py

@@ -474,41 +474,31 @@ user:
 
 from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, date_format, \
-    encode_certificate, load_cert_from_str, DN_x500_text, to_text
+    encode_certificate, load_cert_from_str, DN_x500_text, to_text, \
+    ipalib_errors
 from ansible.module_utils import six
 if six.PY3:
     unicode = str
 
 
-def find_user(module, name, preserved=False):
+def find_user(module, name):
     _args = {
         "all": True,
-        "uid": name,
     }
-    if preserved:
-        _args["preserved"] = preserved
 
-    _result = module.ipa_command("user_find", name, _args)
+    try:
+        _result = module.ipa_command("user_show", name, _args).get("result")
+    except ipalib_errors.NotFound:
+        return None
 
-    if len(_result["result"]) > 1:
-        module.fail_json(
-            msg="There is more than one user '%s'" % (name))
-    elif len(_result["result"]) == 1:
-        # Transform each principal to a string
-        _result = _result["result"][0]
-        if "krbprincipalname" in _result \
-           and _result["krbprincipalname"] is not None:
-            _list = []
-            for x in _result["krbprincipalname"]:
-                _list.append(str(x))
-            _result["krbprincipalname"] = _list
-        certs = _result.get("usercertificate")
-        if certs is not None:
-            _result["usercertificate"] = [encode_certificate(x)
-                                          for x in certs]
-        return _result
-
-    return None
+    # Transform each principal to a string
+    _result["krbprincipalname"] = [
+        to_text(x) for x in (_result.get("krbprincipalname") or [])
+    ]
+    _result["usercertificate"] = [
+        encode_certificate(x) for x in (_result.get("usercertificate") or [])
+    ]
+    return _result
 
 
 def gen_args(first, last, fullname, displayname, initials, homedir, shell,
@@ -902,8 +892,10 @@ def main():
     title = ansible_module.params_get("title")
     manager = ansible_module.params_get("manager")
     carlicense = ansible_module.params_get("carlicense")
-    sshpubkey = ansible_module.params_get("sshpubkey")
-    userauthtype = ansible_module.params_get("userauthtype")
+    sshpubkey = ansible_module.params_get("sshpubkey",
+                                          allow_empty_string=True)
+    userauthtype = ansible_module.params_get("userauthtype",
+                                             allow_empty_string=True)
     userclass = ansible_module.params_get("userclass")
     radius = ansible_module.params_get("radius")
     radiususer = ansible_module.params_get("radiususer")
@@ -1085,12 +1077,6 @@ def main():
 
             # Make sure user exists
             res_find = find_user(ansible_module, name)
-            # Also search for preserved user if the user could not be found
-            if res_find is None:
-                res_find_preserved = find_user(ansible_module, name,
-                                               preserved=True)
-            else:
-                res_find_preserved = None
 
             # Create command
             if state == "present":
@@ -1104,10 +1090,6 @@ def main():
                     departmentnumber, employeenumber, employeetype,
                     preferredlanguage, noprivate, nomembers)
 
-                # Also check preserved users
-                if res_find is None and res_find_preserved is not None:
-                    res_find = res_find_preserved
-
                 if action == "user":
                     # Found the user
                     if res_find is not None:
@@ -1121,13 +1103,6 @@ def main():
                         if "noprivate" in args:
                             del args["noprivate"]
 
-                        # Ignore userauthtype if it is empty (for resetting)
-                        # and not set in for the user
-                        if "ipauserauthtype" not in res_find and \
-                           "ipauserauthtype" in args and \
-                           args["ipauserauthtype"] == ['']:
-                            del args["ipauserauthtype"]
-
                         # For all settings is args, check if there are
                         # different settings in the find result.
                         # If yes: modify
@@ -1310,16 +1285,16 @@ def main():
                                              gen_certmapdata_args(_data)])
 
             elif state == "absent":
-                # Also check preserved users
-                if res_find is None and res_find_preserved is not None:
-                    res_find = res_find_preserved
-
                 if action == "user":
                     if res_find is not None:
                         args = {}
                         if preserve is not None:
                             args["preserve"] = preserve
-                        commands.append([name, "user_del", args])
+                        if (
+                            not res_find.get("preserved", False)
+                            or not args.get("preserve", False)
+                        ):
+                            commands.append([name, "user_del", args])
                 elif action == "member":
                     if res_find is None:
                         ansible_module.fail_json(
@@ -1370,17 +1345,18 @@ def main():
                             commands.append([name, "user_remove_certmapdata",
                                              gen_certmapdata_args(_data)])
             elif state == "undeleted":
-                if res_find_preserved is not None:
-                    commands.append([name, "user_undel", {}])
+                if res_find is not None:
+                    if res_find.get("preserved", False):
+                        commands.append([name, "user_undel", {}])
                 else:
-                    raise ValueError("No preserved user '%s'" % name)
+                    raise ValueError("No user '%s'" % name)
 
             elif state == "enabled":
                 if res_find is not None:
                     if res_find["nsaccountlock"]:
                         commands.append([name, "user_enable", {}])
                 else:
-                    raise ValueError("No disabled user '%s'" % name)
+                    raise ValueError("No user '%s'" % name)
 
             elif state == "disabled":
                 if res_find is not None:
@@ -1392,6 +1368,8 @@ def main():
             elif state == "unlocked":
                 if res_find is not None:
                     commands.append([name, "user_unlock", {}])
+                else:
+                    raise ValueError("No user '%s'" % name)
 
             else:
                 ansible_module.fail_json(msg="Unkown state '%s'" % state)

requirements-dev.txt

@@ -1,5 +1,12 @@
 -r requirements-tests.txt
-ipdb
+ipdb==0.13.4
 pre-commit
+flake8==4.0.1
 flake8-bugbear
-pylint==2.10.2
+pylint==2.13.7
+pydocstyle==6.0.0
+yamllint==1.26.3
+ansible-lint==5.3.2
+dnspython==2.2.0
+netaddr==0.8.0
+gssapi==1.7.2

roles/ipabackup/library/ipabackup_get_backup_dir.py

@@ -61,7 +61,7 @@ from ipaplatform.paths import paths
 
 def main():
     module = AnsibleModule(
-        argument_spec=dict(),
+        argument_spec={},
         supports_check_mode=True,
     )
 

roles/ipaclient/README.md

@@ -33,7 +33,6 @@ Requirements
 **Controller**
 * Ansible version: 2.8+
 * /usr/bin/kinit is required on the controller if a one time password (OTP) is used
-* python3-gssapi is required on the controller if a one time password (OTP) is used with keytab
 
 **Node**
 * Supported FreeIPA version (see above)

roles/ipaclient/action_plugins/ipaclient_get_otp.py

@@ -21,10 +21,6 @@ from __future__ import (absolute_import, division, print_function)
 
 __metaclass__ = type
 
-try:
-    import gssapi
-except ImportError:
-    gssapi = None
 import os
 import shutil
 import subprocess
@@ -45,12 +41,14 @@ def run_cmd(args, stdin=None):
     if stdin:
         p_in = subprocess.PIPE
 
-    p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
-                         close_fds=True)
-    __temp, stderr = p.communicate(stdin)
+    # pylint: disable=invalid-name
+    with subprocess.Popen(
+        args, stdin=p_in, stdout=p_out, stderr=p_err, close_fds=True
+    ) as p:
+        __temp, stderr = p.communicate(stdin)
 
-    if p.returncode != 0:
-        raise RuntimeError(stderr)
+        if p.returncode != 0:
+            raise RuntimeError(stderr)
 
 
 def kinit_password(principal, password, ccache_name, config):
@@ -80,22 +78,17 @@ def kinit_keytab(principal, keytab, ccache_name, config):
     It uses the specified config file to kinit and stores the TGT
     in ccache_name.
     """
-    if gssapi is None:
-        raise ImportError("gssapi is not available")
-
+    args = ["/usr/bin/kinit", "-kt", keytab, "-c", ccache_name, principal]
     old_config = os.environ.get('KRB5_CONFIG')
-    os.environ['KRB5_CONFIG'] = config
+    os.environ["KRB5_CONFIG"] = config
+
     try:
-        name = gssapi.Name(principal, gssapi.NameType.kerberos_principal)
-        store = {'ccache': ccache_name,
-                 'client_keytab': keytab}
-        cred = gssapi.Credentials(name=name, store=store, usage='initiate')
-        return cred
+        return run_cmd(args)
     finally:
         if old_config is not None:
-            os.environ['KRB5_CONFIG'] = old_config
+            os.environ["KRB5_CONFIG"] = old_config
         else:
-            os.environ.pop('KRB5_CONFIG', None)
+            os.environ.pop("KRB5_CONFIG", None)
 
 
 KRB5CONF_TEMPLATE = """
@@ -128,8 +121,9 @@ KRB5CONF_TEMPLATE = """
 """
 
 
-class ActionModule(ActionBase):
+class ActionModule(ActionBase):  # pylint: disable=too-few-public-methods
 
+    # pylint: disable=too-many-return-statements
     def run(self, tmp=None, task_vars=None):
         """
         Handle credential cache transfer.
@@ -149,8 +143,9 @@ class ActionModule(ActionBase):
         Then the IPA commands can use this credential cache file.
         """
         if task_vars is None:
-            task_vars = dict()
+            task_vars = {}
 
+        # pylint: disable=super-with-arguments
         result = super(ActionModule, self).run(tmp, task_vars)
         principal = self._task.args.get('principal', None)
         keytab = self._task.args.get('keytab', None)
@@ -168,7 +163,7 @@ class ActionModule(ActionBase):
             return result
 
         data = self._execute_module(module_name='ipaclient_get_facts',
-                                    module_args=dict(), task_vars=task_vars)
+                                    module_args={}, task_vars=task_vars)
 
         try:
             domain = data['ansible_facts']['ipa']['domain']
@@ -195,7 +190,7 @@ class ActionModule(ActionBase):
             ipa_realm=realm,
             ipa_lifetime=lifetime))
 
-        with open(krb5conf_name, 'w') as f:
+        with open(krb5conf_name, 'w') as f:  # pylint: disable=invalid-name
             f.write(content)
 
         if password:

roles/ipaclient/library/ipaclient_api.py

@@ -75,7 +75,6 @@ subject_base:
 '''
 
 import os
-import inspect
 
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_ipa_client import (
@@ -83,7 +82,7 @@ from ansible.module_utils.ansible_ipa_client import (
     paths, x509, NUM_VERSION, serialization, certdb, api,
     delete_persistent_client_session_data, write_tmp_file,
     ipa_generate_password, CalledProcessError, errors, disable_ra, DN,
-    CLIENT_INSTALL_ERROR, logger
+    CLIENT_INSTALL_ERROR, logger, getargspec
 )
 
 
@@ -133,7 +132,9 @@ def main():
 
         # Add CA certs to a temporary NSS database
         try:
-            argspec = inspect.getargspec(tmp_db.create_db)
+            # pylint: disable=deprecated-method
+            argspec = getargspec(tmp_db.create_db)
+            # pylint: enable=deprecated-method
             if "password_filename" not in argspec.args:
                 tmp_db.create_db()
             else:
@@ -181,7 +182,7 @@ def main():
                 module.warn(
                     "Some capabilities including the ipa command capability "
                     "may not be available")
-            except errors.PublicError as e2:
+            except errors.PublicError as e2:  # pylint: disable=invalid-name
                 module.fail_json(
                     msg="Cannot connect to the IPA server RPC interface: "
                     "%s" % e2)

roles/ipaclient/library/ipaclient_get_facts.py

@@ -56,10 +56,12 @@ def is_ntpd_configured():
     ntpd_conf_section = re.compile(r'^\s*\[ntpd\]\s*$')
 
     try:
+        # pylint: disable=invalid-name
         with open(SERVER_SYSRESTORE_STATE) as f:
             for line in f.readlines():
                 if ntpd_conf_section.match(line):
                     return True
+        # pylint: enable=invalid-name
         return False
     except IOError:
         return False
@@ -71,7 +73,7 @@ def is_dns_configured():
     bind_conf_section = re.compile(r'^\s*dyndb\s+"ipa"\s+"[^"]+"\s+{$')
 
     try:
-        with open(NAMED_CONF) as f:
+        with open(NAMED_CONF) as f:  # pylint: disable=invalid-name
             for line in f.readlines():
                 if bind_conf_section.match(line):
                     return True
@@ -103,7 +105,7 @@ def is_client_configured():
     # and /var/lib/ipa-client/sysrestore/sysrestore.state exists
 
     fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE)
-    return (os.path.isfile(paths.IPA_DEFAULT_CONF) and fstore.has_files())
+    return os.path.isfile(paths.IPA_DEFAULT_CONF) and fstore.has_files()
 
 
 def is_server_configured():
@@ -129,7 +131,9 @@ def get_ipa_conf():
 
 def get_ipa_version():
     try:
+        # pylint: disable=import-outside-toplevel
         from ipapython import version
+        # pylint: enable=import-outside-toplevel
     except ImportError:
         return None
     else:
@@ -156,7 +160,7 @@ def get_ipa_version():
 
 def main():
     module = AnsibleModule(
-        argument_spec=dict(),
+        argument_spec={},
         supports_check_mode=True
     )
 

roles/ipaclient/library/ipaclient_get_otp.py

@@ -146,7 +146,7 @@ def get_host_diff(ipa_host, module_host):
     :return: a dict representing the host attributes to apply
     """
     non_updateable_keys = ['ip_address']
-    data = dict()
+    data = {}
     for key in non_updateable_keys:
         if key in module_host:
             del module_host[key]
@@ -173,7 +173,7 @@ def get_module_host(module):
     :param module: the ansible module
     :returns: a dict representing the host attributes
     """
-    data = dict()
+    data = {}
     certificates = module.params.get('certificates')
     if certificates:
         data['usercertificate'] = certificates
@@ -189,7 +189,7 @@ def get_module_host(module):
     return data
 
 
-def ensure_host_present(module, api, ipahost):
+def ensure_host_present(module, _api, ipahost):
     """
     Ensure host exists in IPA and has the same attributes.
 
@@ -216,13 +216,13 @@ def ensure_host_present(module, api, ipahost):
         # already has Keytab: true, then we need first to run
         # ipa host-disable in order to remove OTP and keytab
         if module.params.get('random') and ipahost['has_keytab'] is True:
-            api.Command.host_disable(fqdn)
+            _api.Command.host_disable(fqdn)
 
-        result = api.Command.host_mod(fqdn, **diffs)
+        result = _api.Command.host_mod(fqdn, **diffs)
         # Save random password as it is not displayed by host-show
         if module.params.get('random'):
             randompassword = result['result']['randompassword']
-        result = api.Command.host_show(fqdn)
+        result = _api.Command.host_show(fqdn)
         if module.params.get('random'):
             result['result']['randompassword'] = randompassword
         module.exit_json(changed=True, host=result['result'])
@@ -236,17 +236,17 @@ def ensure_host_present(module, api, ipahost):
         module_host = get_module_host(module)
         # force creation of host even if there is no DNS record
         module_host["force"] = True
-        result = api.Command.host_add(fqdn, **module_host)
+        result = _api.Command.host_add(fqdn, **module_host)
         # Save random password as it is not displayed by host-show
         if module.params.get('random'):
             randompassword = result['result']['randompassword']
-        result = api.Command.host_show(fqdn)
+        result = _api.Command.host_show(fqdn)
         if module.params.get('random'):
             result['result']['randompassword'] = randompassword
         module.exit_json(changed=True, host=result['result'])
 
 
-def ensure_host_absent(module, api, host):
+def ensure_host_absent(module, _api, host):
     """
     Ensure host does not exist in IPA.
 
@@ -265,7 +265,7 @@ def ensure_host_absent(module, api, host):
 
     fqdn = unicode(module.params.get('fqdn'))
     try:
-        api.Command.host_del(fqdn)
+        _api.Command.host_del(fqdn)
     except Exception as e:
         module.fail_json(msg="Failed to remove host: %s" % e)