--- - name: Playbook to handle server configuration hosts: "{{ ipa_test_host | default('ipaserver') }}" become: true gather_facts: false tasks: - include_tasks: ../env_freeipa_facts.yml - block: # Retrieve current configuration. - name: return current values of the global configuration options ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" register: previousconfig - name: Display current configuration. debug: var: previousconfig # setup environment. - name: create test group ipagroup: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: somedefaultgroup - name: Ensure the default e-mail domain is ipa.test. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" emaildomain: ipa.test - name: set default shell to '/bin/sh' ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultshell: /bin/sh - name: set default group ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultgroup: ipausers - name: set default home directory ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" homedirectory: /home - name: clear pac-type ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pac_type: "" - name: set maxhostname to 255 block: - ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxhostname: 255 when: ipa_version is version('4.8.0', '>=') - name: set maxusername to 45 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: 45 - name: set pwdexpnotify to 0 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pwdexpnotify: 0 - name: set searchrecordslimit to 10 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchrecordslimit: 10 - name: set searchtimelimit to 1 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchtimelimit: 1 - name: clear configstring ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" configstring: "" - name: set configstring to AllowNThash ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" configstring: 'KDC:Disable Lockout' - name: set selinuxusermapdefault ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermapdefault: "staff_u:s0-s0:c0.c1023" - name: set selinuxusermaporder ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023' - name: set usersearch to `uid` ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" usersearch: uid - name: set groupsearch to `cn` ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" groupsearch: cn # tests - name: Ensure the default e-mail domain is somedomain.test. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" emaildomain: somedomain.test register: result failed_when: not result.changed or result.failed - name: Ensure the default e-mail domain is somedomain.test, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" emaildomain: somedomain.test register: result failed_when: result.changed or result.failed - name: set default shell to '/bin/someshell' ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultshell: /bin/someshell register: result failed_when: not result.changed or result.failed - name: set default shell to '/bin/someshell', again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultshell: /bin/someshell register: result failed_when: result.changed or result.failed - name: set default group ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultgroup: somedefaultgroup register: result failed_when: not result.changed or result.failed - name: set default group, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" defaultgroup: somedefaultgroup register: result failed_when: result.changed or result.failed - name: set default home directory ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" homedirectory: /Users register: result failed_when: not result.changed or result.failed - name: set default home directory, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" homedirectory: /Users register: result failed_when: result.changed or result.failed - name: set pac-type ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pac_type: "nfs:NONE" register: result failed_when: not result.changed or result.failed - name: set pac-type, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pac_type: "nfs:NONE" register: result failed_when: result.changed or result.failed - name: set maxusername to 33 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: 33 register: result failed_when: not result.changed or result.failed - name: set maxusername to 33, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: 33 register: result failed_when: result.changed or result.failed - name: set maxhostname to 77 block: - ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxhostname: 77 register: result failed_when: not result.changed or result.failed - ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxhostname: 77 register: result failed_when: result.changed or result.failed when: ipa_version is version('4.8.0', '>=') - name: set pwdexpnotify to 17 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pwdexpnotify: 17 register: result failed_when: not result.changed or result.failed - name: set pwdexpnotify to 17, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" pwdexpnotify: 17 register: result failed_when: result.changed or result.failed - name: set searchrecordslimit to -1 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchrecordslimit: -1 register: result failed_when: not result.changed or result.failed - name: set searchrecordslimit to -1, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchrecordslimit: -1 register: result failed_when: result.changed or result.failed - name: set searchtimelimit to 12345 ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchtimelimit: 12345 register: result failed_when: not result.changed or result.failed - name: set searchtimelimit to 12345, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" searchtimelimit: 12345 register: result failed_when: result.changed or result.failed - name: change enable_migration ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" enable_migration: '{{ not (previousconfig.config.enable_migration | bool) }}' register: result failed_when: not result.changed or result.failed - name: change enable_migration, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" enable_migration: '{{ not (previousconfig.config.enable_migration | bool) }}' register: result failed_when: result.changed or result.failed - name: set configstring to AllowNThash ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" configstring: AllowNThash register: result failed_when: not result.changed or result.failed - name: set configstring to AllowNThash, again. ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" configstring: AllowNThash register: result failed_when: result.changed or result.failed - name: set selinuxusermaporder ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' register: result failed_when: not result.changed or result.failed - name: set selinuxusermaporder, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' register: result failed_when: result.changed or result.failed - name: set selinuxusermapdefault ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermapdefault: 'user_u:s0' register: result failed_when: not result.changed or result.failed - name: set selinuxusermapdefault, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" selinuxusermapdefault: 'user_u:s0' register: result failed_when: result.changed or result.failed - name: set groupsearch to `description` ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" groupsearch: description register: result failed_when: not result.changed or result.failed - name: set groupsearch to `gidNumber`, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" groupsearch: description register: result failed_when: result.changed or result.failed - name: set usersearch to `uidNumber` ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" usersearch: uidNumber register: result failed_when: not result.changed or result.failed - name: set usersearch to `uidNumber`, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" usersearch: uidNumber register: result failed_when: result.changed or result.failed - name: reset changed fields ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: '{{ previousconfig.config.maxusername | default(32) | int }}' homedirectory: '{{ previousconfig.config.homedirectory | default(omit) }}' defaultshell: '{{ previousconfig.config.defaultshell | default(omit) }}' defaultgroup: '{{ previousconfig.config.defaultgroup | default(omit) }}' emaildomain: '{{ previousconfig.config.emaildomain | default(omit) }}' searchtimelimit: '{{ previousconfig.config.searchtimelimit | default(2) | int }}' searchrecordslimit: '{{ previousconfig.config.searchrecordslimit | default(100) | int }}' usersearch: '{{ previousconfig.config.usersearch | default(omit) }}' groupsearch: '{{ previousconfig.config.groupsearch | default(omit) }}' enable_migration: '{{ previousconfig.config.enable_migration | default(False) | bool }}' groupobjectclasses: '{{ previousconfig.config.groupobjectclasses | default(omit) }}' userobjectclasses: '{{ previousconfig.config.userobjectclasses | default(omit) }}' pwdexpnotify: '{{ previousconfig.config.pwdexpnotify | default(4) | int }}' configstring: '{{ previousconfig.config.configstring | default(omit) }}' selinuxusermapdefault: '{{ previousconfig.config.selinuxusermapdefault | default(omit) }}' selinuxusermaporder: '{{ previousconfig.config.selinuxusermaporder | default(omit) }}' pac_type: '{{ previousconfig.config.pac_type | default(omit) }}' user_auth_type: '{{ previousconfig.config.user_auth_type | default(omit) }}' domain_resolution_order: '{{ previousconfig.config.domain_resolution_order | default(omit) }}' ca_renewal_master_server: '{{ previousconfig.config.ca_renewal_master_server | default(omit) }}' register: result failed_when: not result.changed or result.failed - name: reset maxhostname block: - ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxhostname: '{{ previousconfig.config.maxhostname | default(omit) }}' when: ipa_version is version('4.8.0', '>=') - name: reset changed fields, again ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: '{{ previousconfig.config.maxusername | default(omit) | int }}' homedirectory: '{{ previousconfig.config.homedirectory | default(omit) }}' defaultshell: '{{ previousconfig.config.defaultshell | default(omit) }}' defaultgroup: '{{ previousconfig.config.defaultgroup | default(omit) }}' emaildomain: '{{ previousconfig.config.emaildomain | default(omit) }}' searchtimelimit: '{{ previousconfig.config.searchtimelimit | default(omit) | int }}' searchrecordslimit: '{{ previousconfig.config.searchrecordslimit | default(omit) | int }}' usersearch: '{{ previousconfig.config.usersearch | default(omit) }}' groupsearch: '{{ previousconfig.config.groupsearch | default(omit) }}' enable_migration: '{{ previousconfig.config.enable_migration | default(omit) | bool }}' groupobjectclasses: '{{ previousconfig.config.groupobjectclasses | default(omit) }}' userobjectclasses: '{{ previousconfig.config.userobjectclasses | default(omit) }}' pwdexpnotify: '{{ previousconfig.config.pwdexpnotify | default(omit) | int }}' configstring: '{{ previousconfig.config.configstring | default(omit) }}' selinuxusermapdefault: '{{ previousconfig.config.selinuxusermapdefault | default(omit) }}' selinuxusermaporder: '{{ previousconfig.config.selinuxusermaporder | default(omit) }}' pac_type: '{{ previousconfig.config.pac_type | default(omit) }}' user_auth_type: '{{ previousconfig.config.user_auth_type | default(omit) }}' domain_resolution_order: '{{ previousconfig.config.domain_resolution_order | default(omit) }}' ca_renewal_master_server: '{{ previousconfig.config.ca_renewal_master_server | default(omit) }}' register: result failed_when: result.changed or result.failed - name: reset maxhostname block: - ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxhostname: '{{ previousconfig.config.maxhostname | default(omit) }}' when: ipa_version is version('4.8.0', '>=') rescue: - name: Set fields to IPA default, due to error ipaconfig: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" maxusername: '{{ previousconfig.config.maxusername | default(omit) | int }}' homedirectory: '{{ previousconfig.config.homedirectory | default(omit) }}' defaultshell: '{{ previousconfig.config.defaultshell | default(omit) }}' defaultgroup: '{{ previousconfig.config.defaultgroup | default(omit) }}' emaildomain: '{{ previousconfig.config.emaildomain | default(omit) }}' searchtimelimit: '{{ previousconfig.config.searchtimelimit | default(omit) | int }}' searchrecordslimit: '{{ previousconfig.config.searchrecordslimit | default(omit) | int }}' usersearch: '{{ previousconfig.config.usersearch | default(omit) }}' groupsearch: '{{ previousconfig.config.groupsearch | default(omit) }}' enable_migration: '{{ previousconfig.config.enable_migration | default(omit) | bool }}' groupobjectclasses: '{{ previousconfig.config.groupobjectclasses | default(omit) }}' userobjectclasses: '{{ previousconfig.config.userobjectclasses | default(omit) }}' pwdexpnotify: '{{ previousconfig.config.pwdexpnotify | default(omit) | int }}' configstring: '{{ previousconfig.config.configstring | default(omit) }}' selinuxusermapdefault: '{{ previousconfig.config.selinuxusermapdefault | default(omit) }}' selinuxusermaporder: '{{ previousconfig.config.selinuxusermaporder | default(omit) }}' pac_type: '{{ previousconfig.config.pac_type | default(omit) }}' user_auth_type: '{{ previousconfig.config.user_auth_type | default(omit) }}' domain_resolution_order: '{{ previousconfig.config.domain_resolution_order | default(omit) }}' ca_renewal_master_server: '{{ previousconfig.config.ca_renewal_master_server | default(omit) }}' register: result - name: "CA-Renewal server warning." debug: msg: "Due to a test failure, IPA CA-Renewal Server might not be correctly be set. Check your configuration." always: # cleanup - name: cleanup test group ipagroup: ipaadmin_password: SomeADMINpassword ipaapi_context: "{{ ipa_context | default(omit) }}" name: somedefaultgroup state: absent