When using AD objects, a user expects to use the more human-readable form, like "user@ad.domain", but this imposes some difficulties on evaluating which object is being referenced, as AD has several forms to refer to the same object. Each object in AD is identified uniquely by its SID, and this is the identifier that IPA stores in its database. When managing AD objects, IPA finds its SID and works with that value. ansible-freeipa tried to process these objects using the human-readable values, and it caused idempotence errors when ensuring the values were present or modified, and, at least in some cases, prevented the objects from being made absent, as the object list created didn't match the SID to the value used as module parameter. By using the SID to process the AD objects in ipagroup, the addition or removal of members works and idempotence of these members is ensured. The only issue with this approach is that it only works on server nodes. In client nodes, the conversion to SID is not available and the same issues that existed before will still be present. Tests were updated to reflect these changes, and a new test, specific to idempotence issues of AD objects, was added: tests/group/test_group_ad_users.yml Resolves: https://issues.redhat.com/browse/RHEL-70023
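---
# Integration tests for the ipagroup module: group lifecycle, rename,
# nested group membership, service membership and user membership.
#
# Assertion convention used by every test task below:
#   failed_when: not result.changed or result.failed  -> the task MUST report a change
#   failed_when: result.changed or result.failed      -> the task MUST be a no-op (idempotence)
- name: Test group
  hosts: "{{ ipa_test_host | default('ipaserver') }}"
  become: false
  gather_facts: false
  # Test-fixture admin credential and API context, shared by every ipa* task below.
  module_defaults:
    ipauser:
      ipaadmin_password: SomeADMINpassword
      ipaapi_context: "{{ ipa_context | default(omit) }}"
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      ipaapi_context: "{{ ipa_context | default(omit) }}"
    ipaservice:
      ipaadmin_password: SomeADMINpassword
      ipaapi_context: "{{ ipa_context | default(omit) }}"

  tasks:
    # setup
    - name: Include tasks ../env_freeipa_facts.yml
      ansible.builtin.include_tasks: ../env_freeipa_facts.yml

    # GET FQDN_AT_DOMAIN
    - name: Get fqdn_at_domain
      ansible.builtin.set_fact:
        fqdn_at_domain: "{{ ansible_facts['fqdn'] + '@' + ipaserver_realm }}"

    # CLEANUP TEST ITEMS
    # No result check here: leftovers from a previous run may or may not exist.
    - name: Ensure users user1, user2 and user3 are absent
      ipauser:
        name: user1,user2,user3
        state: absent

    - name: Ensure groups groupren, group3, group2 and group1 are absent
      ipagroup:
        name: groupren,group3,group2,group1
        state: absent

    # CREATE TEST ITEMS
    - name: Ensure users user1..user3 are present
      ipauser:
        users:
          - name: user1
            first: user1
            last: Last
          - name: user2
            first: user2
            last: Last
          - name: user3
            first: user3
            last: Last
      register: result
      failed_when: not result.changed or result.failed

    # The services are removed by handlers at the end of the play (see below).
    - name: Ensure test service HTTP is present
      ipaservice:
        name: "{{ 'HTTP/' + fqdn_at_domain }}"
      notify: Cleanup http service

    - name: Ensure test service LDAP is present
      ipaservice:
        name: "{{ 'ldap/' + fqdn_at_domain }}"
      notify: Cleanup ldap service

    # TESTS
    - name: Ensure group1 is present
      ipagroup:
        name: group1
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure group1 is present again
      ipagroup:
        name: group1
      register: result
      failed_when: result.changed or result.failed

    - name: Rename group1 to groupren
      ipagroup:
        name: group1
        rename: groupren
        state: renamed
      register: result
      failed_when: not result.changed or result.failed

    # group1 no longer exists after the rename, so repeating it must fail
    # with the "No group" error rather than silently succeed.
    - name: Rename group1 to groupren, again
      ipagroup:
        name: group1
        rename: groupren
        state: renamed
      register: result
      failed_when: not result.failed or "No group 'group1'" not in result.msg

    # Renaming to the current name is a no-op, not an error.
    - name: Rename group groupren to groupren
      ipagroup:
        name: groupren
        rename: groupren
        state: renamed
      register: result
      failed_when: result.changed or result.failed

    - name: Rename group groupren back to group1
      ipagroup:
        name: groupren
        rename: group1
        state: renamed
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure group2 is present
      ipagroup:
        name: group2
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure group2 is present again
      ipagroup:
        name: group2
      register: result
      failed_when: result.changed or result.failed

    - name: Ensure group3 is present
      ipagroup:
        name: group3
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure group3 is present again
      ipagroup:
        name: group3
      register: result
      failed_when: result.changed or result.failed

    # nested groups
    - name: Ensure groups group2 and group3 are present in group group1
      ipagroup:
        name: group1
        group:
          - group2
          - group3
        action: member
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure groups group2 and group3 are present in group group1 again
      ipagroup:
        name: group1
        group:
          - group2
          - group3
        action: member
      register: result
      failed_when: result.changed or result.failed

    # A subset of the existing members must not be reported as a change.
    - name: Ensure group3 is present in group group1
      ipagroup:
        name: group1
        group:
          - group3
        action: member
      register: result
      failed_when: result.changed or result.failed

    # service
    - name: Execute tests if ipa_version >= 4.7.0
      when: ipa_version is version('4.7.0', '>=')
      block:
        - name: Ensure service "{{ 'HTTP/' + fqdn_at_domain }}" is present in group group1
          ipagroup:
            name: group1
            service:
              - "{{ 'HTTP/' + fqdn_at_domain }}"
            action: member
          register: result
          failed_when: not result.changed or result.failed

        - name: Ensure service "{{ 'HTTP/' + fqdn_at_domain }}" is present in group group1, again
          ipagroup:
            name: group1
            service:
              - "{{ 'HTTP/' + fqdn_at_domain }}"
            action: member
          register: result
          failed_when: result.changed or result.failed

        - name: Ensure service "{{ 'ldap/' + fqdn_at_domain }}" is present in group group1
          ipagroup:
            name: group1
            service:
              - "{{ 'ldap/' + fqdn_at_domain }}"
            action: member
          register: result
          failed_when: not result.changed or result.failed

        - name: Ensure service "{{ 'ldap/' + fqdn_at_domain }}" is present in group group1, again
          ipagroup:
            name: group1
            service:
              - "{{ 'ldap/' + fqdn_at_domain }}"
            action: member
          register: result
          failed_when: result.changed or result.failed

        - name: Ensure service "{{ 'HTTP/' + fqdn_at_domain }}" is absent in group group1
          ipagroup:
            name: group1
            service:
              - "{{ 'HTTP/' + fqdn_at_domain }}"
            action: member
            state: absent
          register: result
          failed_when: not result.changed or result.failed

        - name: Ensure service "{{ 'HTTP/' + fqdn_at_domain }}" is absent in group group1, again
          ipagroup:
            name: group1
            service:
              - "{{ 'HTTP/' + fqdn_at_domain }}"
            action: member
            state: absent
          register: result
          failed_when: result.changed or result.failed

        - name: Ensure service "{{ 'ldap/' + fqdn_at_domain }}" is absent in group group1
          ipagroup:
            name: group1
            service:
              - "{{ 'ldap/' + fqdn_at_domain }}"
            action: member
            state: absent
          register: result
          failed_when: not result.changed or result.failed

        - name: Ensure service "{{ 'ldap/' + fqdn_at_domain }}" is absent in group group1, again
          ipagroup:
            name: group1
            service:
              - "{{ 'ldap/' + fqdn_at_domain }}"
            action: member
            state: absent
          register: result
          failed_when: result.changed or result.failed

        - name: Ensure services are present in group group1
          ipagroup:
            name: group1
            service:
              - "{{ 'HTTP/' + fqdn_at_domain }}"
              - "{{ 'ldap/' + fqdn_at_domain }}"
            action: member
          register: result
          failed_when: not result.changed or result.failed

        # NOTE(review): the service name is spelled with a different case than
        # the one used to add it; presumably this checks that matching of
        # existing members is case-insensitive — kept as in the original.
        - name: Ensure services are present in group group1, again
          ipagroup:
            name: group1
            service:
              - "{{ 'http/' + fqdn_at_domain }}"
              - "{{ 'ldap/' + fqdn_at_domain }}"
            action: member
          register: result
          failed_when: result.changed or result.failed

        # Same remark: 'LDAP/' deliberately differs in case from 'ldap/'.
        - name: Ensure services are absent in group group1
          ipagroup:
            name: group1
            service:
              - "{{ 'HTTP/' + fqdn_at_domain }}"
              - "{{ 'LDAP/' + fqdn_at_domain }}"
            action: member
            state: absent
          register: result
          failed_when: not result.changed or result.failed

        - name: Ensure services are absent in group group1, again
          ipagroup:
            name: group1
            service:
              - "{{ 'HTTP/' + fqdn_at_domain }}"
              - "{{ 'ldap/' + fqdn_at_domain }}"
            action: member
            state: absent
          register: result
          failed_when: result.changed or result.failed

    # user
    - name: Ensure users user1, user2 and user3 are present in group group1
      ipagroup:
        name: group1
        user:
          - user1
          - user2
          - user3
        action: member
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure users user1, user2 and user3 are present in group group1 again
      ipagroup:
        name: group1
        user:
          - user1
          - user2
          - user3
        action: member
      register: result
      failed_when: result.changed or result.failed

    # - ipagroup:
    #     name: group1
    #     user:
    #       - user7
    #     action: member

    # user7 was never a member (and does not exist), so removing it is a no-op.
    - name: Ensure user user7 is absent in group group1
      ipagroup:
        name: group1
        user:
          - user7
        action: member
        state: absent
      register: result
      failed_when: result.changed or result.failed

    # group4 was never created, so this must not report a change.
    - name: Ensure group group4 is absent
      ipagroup:
        name: group4
        state: absent
      register: result
      failed_when: result.changed or result.failed

    - name: Ensure groups group3, group2, and group1 are absent
      ipagroup:
        name: group3,group2,group1
        state: absent
      register: result
      failed_when: not result.changed or result.failed

    # Membership with action: member only adds; the full set is not enforced.
    - name: Ensure group group1 is present
      ipagroup:
        name: group1
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure users user1, user2 are present in group group1
      ipagroup:
        name: group1
        user:
          - user1
          - user2
        action: member
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure users user1, user2 and user3 are present in group group1
      ipagroup:
        name: group1
        user:
          - user1
          - user2
          - user3
        action: member
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure users user1, user2 are present in group group1, again
      ipagroup:
        name: group1
        user:
          - user1
          - user2
        action: member
      register: result
      failed_when: result.changed or result.failed

    - name: Ensure users user1, user2 and user3 are present in group group1, again
      ipagroup:
        name: group1
        user:
          - user1
          - user2
          - user3
        action: member
      register: result
      failed_when: result.changed or result.failed

    - name: Ensure group group1 is absent
      ipagroup:
        name: group1
        state: absent
      register: result
      failed_when: not result.changed or result.failed

    # Without action: member the user list is the complete membership, so
    # listing fewer users than are present must remove the others.
    - name: Ensure group group1 with users user1, user2 is present
      ipagroup:
        name: group1
        user:
          - user1
          - user2
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure group group1 with users user1, user2 and user3 is present
      ipagroup:
        name: group1
        user:
          - user1
          - user2
          - user3
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure group group1 with users user1, user2 and user3 is present, again
      ipagroup:
        name: group1
        user:
          - user1
          - user2
          - user3
        action: member
      register: result
      failed_when: result.changed or result.failed

    - name: Ensure only users user1, user2 are present in group group1
      ipagroup:
        name: group1
        user:
          - user1
          - user2
      register: result
      failed_when: not result.changed or result.failed

    # CLEANUP TEST ITEMS
    - name: Ensure groups group3, group2 and group1 are absent
      ipagroup:
        name: group3,group2,group1
        state: absent
      register: result
      failed_when: not result.changed or result.failed

    - name: Ensure users user1, user2 and user3 are absent
      ipauser:
        name: user1,user2,user3
        state: absent
      register: result
      failed_when: not result.changed or result.failed

  # ansible-lint complains about using 'when' for conditional cleanup and
  # requires handlers instead; these are notified by the service setup tasks.
  handlers:
    - name: Cleanup http service
      ipaservice:
        name: "{{ 'HTTP/' + fqdn_at_domain }}"
        state: absent

    - name: Cleanup ldap service
      ipaservice:
        name: "{{ 'ldap/' + fqdn_at_domain }}"
        state: absent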