ansible-freeipa/tests/group/test_group_external_members.yml
Rafael Guterres Jeffman 6925503a10 ipagroup: Fix management of AD objects
When using AD objects, a user expects to use the more human readable
form, like "user@ad.domain", but this imposes some difficulties on
evaluating which object is being referenced, as AD has several forms to
refer to the same object.

Each object in AD is identified uniquely by its SID, and this is the
identifier that IPA stores in its database. When managing AD objects,
IPA finds its SID and works with that value.

ansible-freeipa tried to process these objects using the human readable
values, and it caused idempotence errors when ensuring the values were
present or modified, and, at least in some cases, prevented the objects
from being made absent, as the object list created didn't match the SID
to the value used as module parameter.

By using the SID to process the AD objects in ipagroup, the addition or
removal of members works and idempotence of these members is ensured.

The only issue with this approach is that it only works on server
nodes. On client nodes, the conversion to SID is not available and the
same issues that existed before will still be present.

Tests were updated to reflect these changes, a new test, specific to
idempotence issues of AD objects was added:

   tests/group/test_group_ad_users.yml

Resolves: https://issues.redhat.com/browse/RHEL-70023
2025-01-31 10:29:48 -03:00


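---
# Test playbook: ipagroup handling of external (AD) members.
#
# The play exercises creating, converting and removing non-POSIX and
# external groups, and adding/removing AD users as external members.
# Every task registers its result and asserts whether a change was
# expected, so that idempotence of external membership is verified.
#
# `ad_user` and `alt_user` are two spellings of what this test expects to
# be the same AD object: after the member is added under `ad_user`, the
# tasks that use `alt_user` assert that nothing changes (and vice versa
# for removal).  The trust environment is only checked when
# `trust_test_is_supported` is set (presumably by ../env_freeipa_facts.yml).
- name: Test groups with external members
  hosts: "{{ ipa_test_host | default('ipaserver') }}"
  become: false
  gather_facts: false
  module_defaults:
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      ipaapi_context: server  # external_member requires 'server' context
  vars:
    ad_user: "{{ test_ad_user | default('AD\\aduser') }}"
    alt_user: "{{ test_alt_user | default('aduser@ad.ipa.test') }}"

  tasks:
    - name: Include tasks ../env_freeipa_facts.yml
      ansible.builtin.include_tasks: ../env_freeipa_facts.yml

    # Start from a clean state regardless of what an earlier run left behind.
    - name: Ensure tests groups are absent
      ipagroup:
        name:
          - extgroup
          - extgroup_members
        state: absent

    - name: Execute group tests if trust test environment is supported
      when: trust_test_is_supported | default(false)
      block:
        - name: Ensure nonposix group is present
          ipagroup:
            name: extgroup
            nonposix: true
          register: result
          failed_when: result.failed or not result.changed

        - name: Ensure nonposix group is present, again
          ipagroup:
            name: extgroup
            nonposix: true
          register: result
          failed_when: result.failed or result.changed

        - name: Ensure nonposix group is external
          ipagroup:
            name: extgroup
            external: true
          register: result
          failed_when: result.failed or not result.changed

        - name: Ensure nonposix group has AD users
          ipagroup:
            name: extgroup
            external_member: "{{ ad_user }}"
          register: result
          failed_when: result.failed or not result.changed

        - name: Ensure nonposix group has AD users, again
          ipagroup:
            name: extgroup
            external_member: "{{ ad_user }}"
          register: result
          failed_when: result.failed or result.changed

        - name: Ensure nonposix group is absent.
          ipagroup:
            name: extgroup
            state: absent
          register: result
          failed_when: result.failed or not result.changed

        - name: Ensure nonposix group is absent, again.
          ipagroup:
            name: extgroup
            state: absent
          register: result
          failed_when: result.failed or result.changed

        # Create the external group and its AD member in one step, then
        # verify that the alternate spelling of the member is a no-op.
        - name: Ensure external group is present, with AD users.
          ipagroup:
            name: extgroup
            external: true
            external_member: "{{ ad_user }}"
          register: result
          failed_when: result.failed or not result.changed

        - name: Ensure external group is present, with AD alternate users.
          ipagroup:
            name: extgroup
            external: true
            external_member: "{{ alt_user }}"
          register: result
          failed_when: result.failed or result.changed

        - name: Ensure external group is present, with AD users, again.
          ipagroup:
            name: extgroup
            external: true
            external_member: "{{ ad_user }}"
          register: result
          failed_when: result.failed or result.changed

        - name: Ensure external group is absent
          ipagroup:
            name: extgroup
            state: absent
          register: result
          failed_when: result.failed or not result.changed

        - name: Ensure external group is absent, again
          ipagroup:
            name: extgroup
            state: absent
          register: result
          failed_when: result.failed or result.changed

        # Convert an existing non-POSIX group to external while adding
        # the AD member in the same call.
        - name: Ensure nonposix group is present.
          ipagroup:
            name: extgroup
            nonposix: true
          register: result
          failed_when: result.failed or not result.changed

        - name: Ensure group is external, and has AD users.
          ipagroup:
            name: extgroup
            external: true
            external_member: "{{ ad_user }}"
          register: result
          failed_when: result.failed or not result.changed

        - name: Ensure group is external, and has AD alternate users.
          ipagroup:
            name: extgroup
            external: true
            external_member: "{{ alt_user }}"
          register: result
          failed_when: result.failed or result.changed

        - name: Ensure group is external, and has AD users, again.
          ipagroup:
            name: extgroup
            external: true
            external_member: "{{ ad_user }}"
          register: result
          failed_when: result.failed or result.changed

        # Same checks using `action: member`, i.e. managing membership
        # without redefining the group.
        - name: Ensure external group for external member exist
          ipagroup:
            name: extgroup_members
            external: true
          register: result
          failed_when: result.failed or not result.changed

        - name: Ensure external group members are present
          ipagroup:
            name: extgroup_members
            external_member: "{{ ad_user }}"
            action: member
          register: result
          failed_when: result.failed or not result.changed

        - name: Ensure external group members are present, again
          ipagroup:
            name: extgroup_members
            external_member: "{{ ad_user }}"
            action: member
          register: result
          failed_when: result.failed or result.changed

        - name: Ensure external group members are absent
          ipagroup:
            name: extgroup_members
            external_member: "{{ ad_user }}"
            action: member
            state: absent
          register: result
          failed_when: result.failed or not result.changed

        - name: Ensure external group alternate members are absent
          ipagroup:
            name: extgroup_members
            external_member: "{{ alt_user }}"
            action: member
            state: absent
          register: result
          failed_when: result.failed or result.changed

        - name: Ensure external group members are absent, again
          ipagroup:
            name: extgroup_members
            external_member: "{{ ad_user }}"
            action: member
            state: absent
          register: result
          failed_when: result.failed or result.changed

      # Cleanup lives in `always` so the test groups are removed even when
      # one of the assertions above fails; the block's `when` still
      # applies, so nothing runs when the trust environment is unsupported.
      always:
        - name: Ensure tests groups are absent
          ipagroup:
            name:
              - extgroup
              - extgroup_members
            state: absent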