mirror of
https://github.com/freeipa/ansible-freeipa.git
synced 2026-06-09 18:25:53 +00:00
c808ad6e34
Current behavior of ipaconfig mimics FreeIPA CLI and requires that 'enable_sid' is set to True every time add_sids or netbios_name are used. It is sufficient that SID generation is enabled to use add_sids and netbios_name, but the IPA API requires 'enable_sid' so that the operations are executed. This patch allows ansible-freeipa plugin ipaconfig to run 'add_sids' or set 'netbios_name without requiring 'enable_sid' to be set on the playbook. If SID generation is enabled, 'add_sids' and 'netbios_name' can be used without 'enable_sid: yes'. If SID generation is not enabled, an error message will be raised if 'enable_sid: yes' is not used.
128 lines
4.4 KiB
YAML
128 lines
4.4 KiB
YAML
---
|
|
- name: Test config
|
|
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
|
become: no
|
|
gather_facts: no
|
|
|
|
tasks:
|
|
|
|
- name: Set FreeIPA facts.
|
|
include_tasks: ../env_freeipa_facts.yml
|
|
|
|
# GET CURRENT CONFIG
|
|
|
|
- name: Return current values of the global configuration options
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
register: previous
|
|
|
|
# TESTS
|
|
- block:
|
|
- name: Check if SID is enabled.
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
enable_sid: yes
|
|
check_mode: yes
|
|
register: sid_disabled
|
|
|
|
- name: Ensure netbios_name can't be changed without SID enabled.
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
netbios_name: IPATESTPLAY
|
|
register: result
|
|
failed_when: not result.failed and "SID generation must be enabled" in result.msg
|
|
when: sid_disabled.changed
|
|
|
|
- name: Ensure SIDs can't be changed without SID enabled.
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
add_sids: yes
|
|
register: result
|
|
failed_when: not result.failed and "SID generation must be enabled" in result.msg
|
|
when: sid_disabled.changed
|
|
|
|
- name: Ensure SID is enabled.
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
enable_sid: yes
|
|
register: result
|
|
failed_when: result.failed or previous.config.enable_sid == result.changed
|
|
|
|
- name: Ensure SID is enabled, again.
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
enable_sid: yes
|
|
register: result
|
|
failed_when: result.failed or result.changed
|
|
|
|
- name: Try to Ensure SID is disabled.
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
enable_sid: no
|
|
register: result
|
|
failed_when: not result.failed or "SID cannot be disabled." not in result.msg
|
|
|
|
- name: Ensure netbios_name is "IPATESTPLAY"
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
enable_sid: yes
|
|
netbios_name: IPATESTPLAY
|
|
register: result
|
|
failed_when: result.failed or not result.changed
|
|
|
|
- name: Ensure netbios_name is "IPATESTPLAY", again
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
netbios_name: IPATESTPLAY
|
|
register: result
|
|
failed_when: result.failed or result.changed
|
|
|
|
- name: Ensure netbios_name cannot be set with lowercase characters
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
netbios_name: IPATESTplay
|
|
register: result
|
|
failed_when:
|
|
(not result.failed
|
|
and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message)
|
|
|
|
- name: Ensure netbios_name cannot be set different lowercase characters
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
netbios_name: otherPLAY
|
|
register: result
|
|
failed_when:
|
|
(not result.failed
|
|
and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message)
|
|
|
|
# add_sids is not idempotent as it always tries to generate the missing
|
|
# SIDs for users and groups.
|
|
- name: Add SIDs to users and groups.
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
add_sids: yes
|
|
|
|
# only run tests if version supports enable-sid
|
|
when: ipa_version is version("4.9.8", ">=")
|
|
# REVERT TO PREVIOUS CONFIG
|
|
always:
|
|
# Once SID is enabled, it cannot be reverted.
|
|
- name: Revert netbios_name to original configuration
|
|
ipaconfig:
|
|
ipaadmin_password: SomeADMINpassword
|
|
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
|
|
enable_sid: yes
|