--- - name: Test config hosts: "{{ ipa_test_host | default('ipaserver') }}" become: no gather_facts: no tasks: - name: Set FreeIPA facts. ansible.builtin.include_tasks: ../env_freeipa_facts.yml # GET CURRENT CONFIG - name: Return current values of the global configuration options ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" register: previous # TESTS - name: Test config sid block: - name: Check if SID is enabled. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" enable_sid: yes check_mode: yes register: sid_disabled - name: Ensure netbios_name can't be changed without SID enabled. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" netbios_name: IPATESTPLAY register: result failed_when: not result.failed and "SID generation must be enabled" in result.msg when: sid_disabled.changed - name: Ensure SIDs can't be changed without SID enabled. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" add_sids: yes register: result failed_when: not result.failed and "SID generation must be enabled" in result.msg when: sid_disabled.changed - name: Ensure SID is enabled. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" enable_sid: yes register: result failed_when: result.failed or previous.config.enable_sid == result.changed - name: Ensure SID is enabled, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" enable_sid: yes register: result failed_when: result.failed or result.changed - name: Try to Ensure SID is disabled. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" enable_sid: no register: result failed_when: not result.failed or "SID cannot be disabled." not in result.msg - name: Ensure netbios_name is "IPATESTPLAY" ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" enable_sid: yes netbios_name: IPATESTPLAY register: result failed_when: result.failed or not result.changed - name: Ensure netbios_name is "IPATESTPLAY", again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" netbios_name: IPATESTPLAY register: result failed_when: result.failed or result.changed - name: Ensure netbios_name cannot be set with lowercase characters ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" netbios_name: IPATESTplay register: result failed_when: (not result.failed and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message) - name: Ensure netbios_name cannot be set different lowercase characters ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" netbios_name: otherPLAY register: result failed_when: (not result.failed and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message) # add_sids is not idempotent as it always tries to generate the missing # SIDs for users and groups. - name: Add SIDs to users and groups. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" add_sids: yes # only run tests if version supports enable-sid when: ipa_version is version("4.9.8", ">=") # REVERT TO PREVIOUS CONFIG always: # Once SID is enabled, it cannot be reverted. - name: Revert netbios_name to original configuration ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" netbios_name: "{{ previous.config.netbios_name | default(omit) }}" enable_sid: yes