--- - name: Playbook to handle server configuration hosts: "{{ ipa_test_host | default('ipaserver') }}" become: true gather_facts: false tasks: - name: Include tasks ../env_freeipa_facts.yml ansible.builtin.include_tasks: ../env_freeipa_facts.yml - name: Execute config tests block: # Retrieve current configuration. - name: Return current values of the global configuration options ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" register: previousconfig - name: Display current configuration. ansible.builtin.debug: var: previousconfig # setup environment. - name: Create test group ipagroup: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: somedefaultgroup - name: Ensure the default e-mail domain is ipa.test. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" emaildomain: ipa.test - name: Set default shell to '/bin/sh' ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultshell: /bin/sh - name: Set default group ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultgroup: ipausers - name: Set default home directory ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" homedirectory: /home - name: Clear pac-type ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pac_type: "" - name: Execute tests if ipa_version >= 4.8.0 when: ipa_version is version('4.8.0', '>=') block: - name: Set maxhostname to 255 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxhostname: 255 - name: Set maxusername to 45 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: 45 - name: Set pwdexpnotify to 0 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pwdexpnotify: 0 - name: Set searchrecordslimit to 10 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchrecordslimit: 10 - name: Set searchtimelimit to 1 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchtimelimit: 1 - name: Clear configstring ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" configstring: "" - name: Set configstring to AllowNThash ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" configstring: 'KDC:Disable Lockout' - name: Set selinuxusermapdefault ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermapdefault: "staff_u:s0-s0:c0.c1023" - name: Set selinuxusermaporder ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023' - name: Set usersearch to `uid` ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" usersearch: uid - name: Set groupsearch to `cn` ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" groupsearch: cn # tests - name: Ensure the default e-mail domain is somedomain.test. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" emaildomain: somedomain.test register: result failed_when: not result.changed or result.failed - name: Ensure the default e-mail domain is somedomain.test, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" emaildomain: somedomain.test register: result failed_when: result.changed or result.failed - name: Set default shell to '/bin/someshell' ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultshell: /bin/someshell register: result failed_when: not result.changed or result.failed - name: Set default shell to '/bin/someshell', again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultshell: /bin/someshell register: result failed_when: result.changed or result.failed - name: Set default group ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultgroup: somedefaultgroup register: result failed_when: not result.changed or result.failed - name: Set default group, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultgroup: somedefaultgroup register: result failed_when: result.changed or result.failed - name: Set default home directory ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" homedirectory: /Users register: result failed_when: not result.changed or result.failed - name: Set default home directory, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" homedirectory: /Users register: result failed_when: result.changed or result.failed - name: Set pac-type ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pac_type: "nfs:NONE" register: result failed_when: not result.changed or result.failed - name: Set pac-type, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pac_type: "nfs:NONE" register: result failed_when: result.changed or result.failed - name: Set maxusername to 33 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: 33 register: result failed_when: not result.changed or result.failed - name: Set maxusername to 33, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: 33 register: result failed_when: result.changed or result.failed - name: Execute tests if ipa_version >= 4.8.0 when: ipa_version is version('4.8.0', '>=') block: - name: Set maxhostname to 77 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxhostname: 77 register: result failed_when: not result.changed or result.failed - name: Set maxhostname to 77, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxhostname: 77 register: result failed_when: result.changed or result.failed - name: Set pwdexpnotify to 17 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pwdexpnotify: 17 register: result failed_when: not result.changed or result.failed - name: Set pwdexpnotify to 17, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pwdexpnotify: 17 register: result failed_when: result.changed or result.failed - name: Set searchrecordslimit to -1 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchrecordslimit: -1 register: result failed_when: not result.changed or result.failed - name: Set searchrecordslimit to -1, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchrecordslimit: -1 register: result failed_when: result.changed or result.failed - name: Set searchtimelimit to 12345 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchtimelimit: 12345 register: result failed_when: not result.changed or result.failed - name: Set searchtimelimit to 12345, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchtimelimit: 12345 register: result failed_when: result.changed or result.failed - name: Change enable_migration ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" enable_migration: '{{ not (previousconfig.config.enable_migration | bool) }}' register: result failed_when: not result.changed or result.failed - name: Change enable_migration, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" enable_migration: '{{ not (previousconfig.config.enable_migration | bool) }}' register: result failed_when: result.changed or result.failed - name: Set configstring to AllowNThash ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" configstring: AllowNThash register: result failed_when: not result.changed or result.failed - name: Set configstring to AllowNThash, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" configstring: AllowNThash register: result failed_when: result.changed or result.failed - name: Set selinuxusermaporder ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' register: result failed_when: not result.changed or result.failed - name: Set selinuxusermaporder, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' register: result failed_when: result.changed or result.failed - name: Set selinuxusermapdefault ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermapdefault: 'user_u:s0' register: result failed_when: not result.changed or result.failed - name: Set selinuxusermapdefault, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermapdefault: 'user_u:s0' register: result failed_when: result.changed or result.failed - name: Set groupsearch to `description` ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" groupsearch: description register: result failed_when: not result.changed or result.failed - name: Set groupsearch to `gidNumber`, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" groupsearch: description register: result failed_when: result.changed or result.failed - name: Set usersearch to `uidNumber` ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" usersearch: uidNumber register: result failed_when: not result.changed or result.failed - name: Set usersearch to `uidNumber`, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" usersearch: uidNumber register: result failed_when: result.changed or result.failed - name: Reset changed fields ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: '{{ previousconfig.config.maxusername | default(32) | int }}' homedirectory: '{{ previousconfig.config.homedirectory | default(omit) }}' defaultshell: '{{ previousconfig.config.defaultshell | default(omit) }}' defaultgroup: '{{ previousconfig.config.defaultgroup | default(omit) }}' emaildomain: '{{ previousconfig.config.emaildomain | default(omit) }}' searchtimelimit: '{{ previousconfig.config.searchtimelimit | default(2) | int }}' searchrecordslimit: '{{ previousconfig.config.searchrecordslimit | default(100) | int }}' usersearch: '{{ previousconfig.config.usersearch | default(omit) }}' groupsearch: '{{ previousconfig.config.groupsearch | default(omit) }}' enable_migration: '{{ omit if previousconfig.config.enable_migration is not defined else (previousconfig.config.enable_migration | bool) }}' groupobjectclasses: '{{ previousconfig.config.groupobjectclasses | default(omit) }}' userobjectclasses: '{{ previousconfig.config.userobjectclasses | default(omit) }}' pwdexpnotify: '{{ previousconfig.config.pwdexpnotify | default(4) | int }}' configstring: '{{ previousconfig.config.configstring | default(omit) }}' selinuxusermapdefault: '{{ previousconfig.config.selinuxusermapdefault | default(omit) }}' selinuxusermaporder: '{{ previousconfig.config.selinuxusermaporder | default(omit) }}' pac_type: '{{ previousconfig.config.pac_type | default(omit) }}' user_auth_type: '{{ previousconfig.config.user_auth_type | default(omit) }}' domain_resolution_order: '{{ previousconfig.config.domain_resolution_order | default(omit) }}' ca_renewal_master_server: '{{ previousconfig.config.ca_renewal_master_server | default(omit) }}' register: result failed_when: not result.changed or result.failed - name: Execute tests if ipa_version >= 4.8.0 when: ipa_version is version('4.8.0', '>=') block: - name: Reset maxhostname ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxhostname: '{{ previousconfig.config.maxhostname | default(omit) }}' - name: Reset changed fields, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: '{{ previousconfig.config.maxusername | default(omit) | int }}' homedirectory: '{{ previousconfig.config.homedirectory | default(omit) }}' defaultshell: '{{ previousconfig.config.defaultshell | default(omit) }}' defaultgroup: '{{ previousconfig.config.defaultgroup | default(omit) }}' emaildomain: '{{ previousconfig.config.emaildomain | default(omit) }}' searchtimelimit: '{{ previousconfig.config.searchtimelimit | default(omit) | int }}' searchrecordslimit: '{{ previousconfig.config.searchrecordslimit | default(omit) | int }}' usersearch: '{{ previousconfig.config.usersearch | default(omit) }}' groupsearch: '{{ previousconfig.config.groupsearch | default(omit) }}' enable_migration: '{{ omit if previousconfig.config.enable_migration is not defined else (previousconfig.config.enable_migration | bool) }}' groupobjectclasses: '{{ previousconfig.config.groupobjectclasses | default(omit) }}' userobjectclasses: '{{ previousconfig.config.userobjectclasses | default(omit) }}' pwdexpnotify: '{{ previousconfig.config.pwdexpnotify | default(omit) | int }}' configstring: '{{ previousconfig.config.configstring | default(omit) }}' selinuxusermapdefault: '{{ previousconfig.config.selinuxusermapdefault | default(omit) }}' selinuxusermaporder: '{{ previousconfig.config.selinuxusermaporder | default(omit) }}' pac_type: '{{ previousconfig.config.pac_type | default(omit) }}' user_auth_type: '{{ previousconfig.config.user_auth_type | default(omit) }}' domain_resolution_order: '{{ previousconfig.config.domain_resolution_order | default(omit) }}' ca_renewal_master_server: '{{ previousconfig.config.ca_renewal_master_server | default(omit) }}' register: result failed_when: result.changed or result.failed - name: Execute tests if ipa_version >= 4.8.0 when: ipa_version is version('4.8.0', '>=') block: - name: Reset maxhostname ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxhostname: '{{ previousconfig.config.maxhostname | default(omit) }}' rescue: - name: Set fields to IPA default, due to error ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: '{{ previousconfig.config.maxusername | default(omit) | int }}' homedirectory: '{{ previousconfig.config.homedirectory | default(omit) }}' defaultshell: '{{ previousconfig.config.defaultshell | default(omit) }}' defaultgroup: '{{ previousconfig.config.defaultgroup | default(omit) }}' emaildomain: '{{ previousconfig.config.emaildomain | default(omit) }}' searchtimelimit: '{{ previousconfig.config.searchtimelimit | default(omit) | int }}' searchrecordslimit: '{{ previousconfig.config.searchrecordslimit | default(omit) | int }}' usersearch: '{{ previousconfig.config.usersearch | default(omit) }}' groupsearch: '{{ previousconfig.config.groupsearch | default(omit) }}' enable_migration: '{{ omit if previousconfig.config.enable_migration is not defined else (previousconfig.config.enable_migration | bool) }}' groupobjectclasses: '{{ previousconfig.config.groupobjectclasses | default(omit) }}' userobjectclasses: '{{ previousconfig.config.userobjectclasses | default(omit) }}' pwdexpnotify: '{{ previousconfig.config.pwdexpnotify | default(omit) | int }}' configstring: '{{ previousconfig.config.configstring | default(omit) }}' selinuxusermapdefault: '{{ previousconfig.config.selinuxusermapdefault | default(omit) }}' selinuxusermaporder: '{{ previousconfig.config.selinuxusermaporder | default(omit) }}' pac_type: '{{ previousconfig.config.pac_type | default(omit) }}' user_auth_type: '{{ previousconfig.config.user_auth_type | default(omit) }}' domain_resolution_order: '{{ previousconfig.config.domain_resolution_order | default(omit) }}' ca_renewal_master_server: '{{ previousconfig.config.ca_renewal_master_server | default(omit) }}' register: result - name: "CA-Renewal server warning." ansible.builtin.debug: msg: "Due to a test failure, IPA CA-Renewal Server might not be correctly be set. Check your configuration." always: # cleanup - name: Cleanup test group ipagroup: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: somedefaultgroup state: absent