import ansible-freeipa-1.9.2-1.el9

c9 imports/c9/ansible-freeipa-1.9.2-1.el9
CentOS Sources 2 years ago committed by MSVSphere Packaging Team
parent 010a23cbf9
commit bd75f5ff7a

@ -1 +1 @@
c4d984a5760e18c642703728f847fd9a8e4d2d7a SOURCES/ansible-freeipa-1.8.3.tar.gz
03f590ebf93439a08c56f8b98e61f38619309556 SOURCES/ansible-freeipa-1.9.2.tar.gz

.gitignore

@ -1 +1 @@
SOURCES/ansible-freeipa-1.8.3.tar.gz
SOURCES/ansible-freeipa-1.9.2.tar.gz

@ -1,435 +0,0 @@
From 3c8d6c7c7aec408b3b68440982929e30e7d69130 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Mon, 5 Sep 2022 17:18:00 -0300
Subject: [PATCH] ipaconfig: Add support for SID related attributes.
Since FreeIPA 4.9.8 the 'config_mod' command has parameters to enable
and configure SIDs, and set the Netbios name.
This patch adds the following parameters to ipaconfig plugin:
enable_sids: New users and groups automatically get a SID assigned
add_sids: Add SIDs for existing users and groups
netbios_name: NetBIOS name of the IPA domain
Both add_sids and netbios_name require 'enable_sid: yes'.
'enable_sid' and 'netbios_name' are returned when querying IPA
configuration.
'add_sids' always generates SIDs for users and groups, so multiple
executions of the playbook with 'add_sids: yes' will return 'changed',
even if users and groups SIDs are not modified.
A new test playbook is available:
tests/config/test_config_sid.yml
New examples playbooks are available:
playbooks/config/change-ipa-domain-netbios-name.yml
playbooks/config/generate-users-groups-sids.yml
Fixes: #781
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069174
Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069184
---
README-config.md | 42 ++++++
.../config/change-ipa-domain-netbios-name.yml | 12 ++
.../config/generate-users-groups-sids.yml | 12 ++
plugins/modules/ipaconfig.py | 120 +++++++++++++++++-
tests/azure/templates/variables_centos-7.yaml | 9 +-
tests/config/test_config_sid.yml | 70 ++++++++++
6 files changed, 256 insertions(+), 9 deletions(-)
create mode 100644 playbooks/config/change-ipa-domain-netbios-name.yml
create mode 100644 playbooks/config/generate-users-groups-sids.yml
create mode 100644 tests/config/test_config_sid.yml
diff --git a/README-config.md b/README-config.md
index 17c85f1..13023ea 100644
--- a/README-config.md
+++ b/README-config.md
@@ -65,6 +65,9 @@ Example playbook to read config options:
maxusername: 64
```
+
+Example playbook to set global configuration options:
+
```yaml
---
- name: Playbook to ensure some config options are set
@@ -79,6 +82,40 @@ Example playbook to read config options:
```
+Example playbook to enable SID and generate users and groups SIDs:
+
+```yaml
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ add_sids: yes
+```
+
+Example playbook to change IPA domain NetBIOS name:
+
+```yaml
+---
+- name: Playbook to change IPA domain netbios name
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Set IPA domain netbios name
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ netbios_name: IPADOM
+```
+
Variables
=========
@@ -111,6 +148,9 @@ Variable | Description | Required
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
+`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
Return Values
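Review bot: the `enable_sid` row should say that the setting is irreversible; the test added in this same patch carries the comment `Once SID is enabled, it cannot be reverted.`, and a user reading only this table would expect `enable_sid: no` to undo it. Suggest wording along the lines of `New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool)`.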
@@ -140,6 +180,8 @@ Variable | Description | Returned When
&nbsp; | `user_auth_type` | &nbsp;
&nbsp; | `domain_resolution_order` | &nbsp;
&nbsp; | `ca_renewal_master_server` | &nbsp;
+&nbsp; | `enable_sid` | &nbsp;
+&nbsp; | `netbios_name` | &nbsp;
All returned fields take the same form as their namesake input parameters
diff --git a/playbooks/config/change-ipa-domain-netbios-name.yml b/playbooks/config/change-ipa-domain-netbios-name.yml
new file mode 100644
index 0000000..04e56b3
--- /dev/null
+++ b/playbooks/config/change-ipa-domain-netbios-name.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to change IPA domain netbios name
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Set IPA domain netbios name
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ netbios_name: IPADOM
diff --git a/playbooks/config/generate-users-groups-sids.yml b/playbooks/config/generate-users-groups-sids.yml
new file mode 100644
index 0000000..9df85ba
--- /dev/null
+++ b/playbooks/config/generate-users-groups-sids.yml
@@ -0,0 +1,12 @@
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ add_sids: yes
diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
index 6731e37..d1f1398 100644
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -148,6 +148,24 @@ options:
required: false
type: list
aliases: ["ipadomainresolutionorder"]
+ enable_sid:
+ description: >
+ New users and groups automatically get a SID assigned.
+ Requires IPA 4.9.8+.
+ required: false
+ type: bool
+ netbios_name:
+ description: >
+ NetBIOS name of the IPA domain.
+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
+ required: false
+ type: string
+ add_sids:
+ description: >
+ Add SIDs for existing users and groups.
+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
+ required: false
+ type: bool
'''
EXAMPLES = '''
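Review bot: `type: string` for `netbios_name` is not an Ansible option type; the other two options in this hunk use `bool` and the `argument_spec` further down declares `netbios_name=dict(type="str", ...)`, so use `type: str` here for consistency and so that ansible-doc validation does not flag the module.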
@@ -169,6 +187,24 @@ EXAMPLES = '''
ipaadmin_password: SomeADMINpassword
defaultshell: /bin/bash
maxusername: 64
+
+- name: Playbook to enable SID and generate users and groups SIDs
+ hosts: ipaserver
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ add_sids: yes
+
+- name: Playbook to change IPA domain netbios name
+ hosts: ipaserver
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ netbios_name: IPADOM
'''
RETURN = '''
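Review bot: the task name in the second example is a copy/paste of the first; under `Playbook to change IPA domain netbios name` the task should be named `Set IPA domain netbios name`, as in the new playbooks/config/change-ipa-domain-netbios-name.yml, not `Enable SID and generate users and groups SIDS`.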
@@ -247,6 +283,14 @@ config:
domain_resolution_order:
description: list of domains used for short name qualification
returned: always
+ enable_sid:
+ description: >
+ new users and groups automatically get a SID assigned.
+ Requires IPA 4.9.8+.
+ returned: always
+ netbios_name:
+ description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
+ returned: if enable_sid is True
'''
@@ -260,6 +304,28 @@ def config_show(module):
return _result["result"]
+def get_netbios_name(module):
+ try:
+ _result = module.ipa_command_no_name("trustconfig_show", {"all": True})
+ except Exception: # pylint: disable=broad-except
+ return None
+ else:
+ return _result["result"]["ipantflatname"][0]
+
+
+def is_enable_sid(module):
+ """When 'enable-sid' is true admin user and admins group have SID set."""
+ _result = module.ipa_command("user_show", "admin", {"all": True})
+ sid = _result["result"].get("ipantsecurityidentifier", [""])
+ if not sid[0].endswith("-500"):
+ return False
+ _result = module.ipa_command("group_show", "admins", {"all": True})
+ sid = _result["result"].get("ipantsecurityidentifier", [""])
+ if not sid[0].endswith("-512"):
+ return False
+ return True
+
+
def main():
ansible_module = IPAAnsibleModule(
argument_spec=dict(
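Review bot: `get_netbios_name` only guards the `trustconfig_show` call; the `_result["result"]["ipantflatname"][0]` lookup in the `else:` branch raises KeyError or IndexError if the attribute is missing or empty, which the `except Exception` was presumably meant to cover. Use `_result["result"].get("ipantflatname", [None])[0]` or move the lookup inside the `try`. The broad except also turns authentication and connection failures into "no NetBIOS name"; narrowing it to the error the API raises when no trust configuration exists would keep real failures visible.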
@@ -313,7 +379,10 @@ def main():
aliases=["ipauserauthtype"]),
ca_renewal_master_server=dict(type="str", required=False),
domain_resolution_order=dict(type="list", required=False,
- aliases=["ipadomainresolutionorder"])
+ aliases=["ipadomainresolutionorder"]),
+ enable_sid=dict(type="bool", required=False),
+ add_sids=dict(type="bool", required=False),
+ netbios_name=dict(type="str", required=False),
),
supports_check_mode=True,
)
@@ -344,7 +413,10 @@ def main():
"pac_type": "ipakrbauthzdata",
"user_auth_type": "ipauserauthtype",
"ca_renewal_master_server": "ca_renewal_master_server",
- "domain_resolution_order": "ipadomainresolutionorder"
+ "domain_resolution_order": "ipadomainresolutionorder",
+ "enable_sid": "enable_sid",
+ "netbios_name": "netbios_name",
+ "add_sids": "add_sids",
}
allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
reverse_field_map = {v: k for k, v in field_map.items()}
@@ -394,11 +466,47 @@ def main():
changed = False
exit_args = {}
- # Connect to IPA API
- with ansible_module.ipa_connect():
+ # Connect to IPA API (enable-sid requires context == 'client')
+ with ansible_module.ipa_connect(context="client"):
+ has_enable_sid = ansible_module.ipa_command_param_exists(
+ "config_mod", "enable_sid")
result = config_show(ansible_module)
+
if params:
+ netbios_name = params.get("netbios_name")
+ if netbios_name:
+ netbios_name = netbios_name.upper()
+ add_sids = params.get("add_sids")
+ enable_sid = params.get("enable_sid")
+ required_sid = any([netbios_name, add_sids])
+ if required_sid and not enable_sid:
+ ansible_module.fail_json(
+ "'enable-sid: yes' required for 'netbios_name' "
+ "and 'add-sids'."
+ )
+ if enable_sid:
+ if not has_enable_sid:
+ ansible_module.fail_json(
+ "This version of IPA does not support 'enable-sid'.")
+ if (
+ netbios_name
+ and netbios_name == get_netbios_name(ansible_module)
+ ):
+ del params["netbios_name"]
+ netbios_name = None
+ if not add_sids and "add_sids" in params:
+ del params["add_sids"]
+ if (
+ not any([netbios_name, add_sids])
+ and is_enable_sid(ansible_module)
+ ):
+ del params["enable_sid"]
+ else:
+ for param in ["enable_sid", "netbios_name", "add_sids"]:
+ if param in params:
+ del params[params]
+
params = {
k: v for k, v in params.items()
if k not in result or result[k] != v
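Review bot: `del params[params]` in the `for param in ["enable_sid", "netbios_name", "add_sids"]` loop indexes the dict with itself and raises `TypeError: unhashable type: 'dict'` as soon as the `else:` branch finds one of those keys (for example a playbook with `enable_sid: no` or `add_sids: no`); it must be `del params[param]`. Two smaller points in the same hunk: `fail_json()` is called with the message as a positional argument, and Ansible expects `msg=`; and `netbios_name = netbios_name.upper()` only updates the local variable, so the value compared against `get_netbios_name()` is upper-cased while the value left in `params` and sent to `config_mod` keeps the playbook's case. Either write the normalised value back to `params["netbios_name"]` or drop the normalisation.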
@@ -458,6 +566,10 @@ def main():
# Add empty domain_resolution_order if it is not set
if "domain_resolution_order" not in exit_args:
exit_args["domain_resolution_order"] = []
+ # Set enable_sid
+ if has_enable_sid:
+ exit_args["enable_sid"] = is_enable_sid(ansible_module)
+ exit_args["netbios_name"] = get_netbios_name(ansible_module)
# Done
ansible_module.exit_json(changed=changed, config=exit_args)
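Review bot: this sets `exit_args["netbios_name"]` whenever `has_enable_sid` is true, regardless of whether SID generation is enabled, so the value can be `None` when `get_netbios_name()` finds no trust configuration. That contradicts the RETURN documentation added above (`returned: if enable_sid is True`). Either only set the key when `is_enable_sid()` returned true (reuse the value just stored in `exit_args["enable_sid"]` rather than calling it twice), or document the key as always returned on supported versions and possibly null.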
#diff --git a/tests/azure/templates/variables_centos-7.yaml b/tests/azure/templates/variables_centos-7.yaml
#index 586d5ec..8628af2 100644
#--- a/tests/azure/templates/variables_centos-7.yaml
#+++ b/tests/azure/templates/variables_centos-7.yaml
#@@ -12,8 +12,7 @@
# #
# ---
# variables:
#- empty: true
#-# ipa_enabled_modules: >-
#-# ipa_enabled_tests: >-
#-# ipa_disabled_modules: >-
#-# ipa_disabled_tests: >-
#+ # ipa_enabled_modules: >-
#+ # ipa_enabled_tests: >-
#+ # ipa_disabled_modules: >-
#+ ipa_disabled_tests: test_config_sid
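Review bot: the tests/azure/templates/variables_centos-7.yaml hunk is commented out with `#`, so `patch` and `git apply` skip it, yet the diffstat at the top still lists `6 files changed` including that file. If this is the intended adaptation for the 1.8.3 tarball, drop the hunk and its diffstat line, or state the adaptation at the top of the patch file the way the later patch does with `Adapted version of`, so the patch is self-consistent and a reviewer does not have to guess why the file count does not match.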
diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml
new file mode 100644
index 0000000..1761795
--- /dev/null
+++ b/tests/config/test_config_sid.yml
@@ -0,0 +1,70 @@
+---
+- name: Test config
+ hosts: "{{ ipa_test_host | default('ipaserver') }}"
+ become: no
+ gather_facts: no
+
+ tasks:
+
+ # GET CURRENT CONFIG
+
+ - name: Return current values of the global configuration options
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ register: previous
+
+ # TESTS
+ - block:
+ - name: Ensure SID is enabled.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ register: result
+ failed_when: result.failed or previous.config.enable_sid == result.changed
+
+ - name: Ensure SID is enabled, again.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Ensure netbios_name is "IPATESTPLAY"
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ netbios_name: IPATESTPLAY
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: Ensure netbios_name is "IPATESTPLAY", again
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ netbios_name: IPATESTPLAY
+ register: result
+ failed_when: result.failed or result.changed
+
+ # add_sids is not idempotent as it always tries to generate the missing
+ # SIDs for users and groups.
+ - name: Add SIDs to users and groups.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ add_sids: yes
+
+ # REVERT TO PREVIOUS CONFIG
+ always:
+ # Once SID is enabled, it cannot be reverted.
+ - name: Revert netbios_name to original configuration
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
+ enable_sid: yes
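Review bot: every task in this playbook, including the `always:` revert, passes `enable_sid: yes`, and the module fails with `This version of IPA does not support 'enable-sid'.` on servers older than 4.9.8, so the test needs a version guard (a `when:` based on the FreeIPA facts) rather than being switched off per platform through the Azure variables. Also, the revert task cannot restore a previously disabled SID state (the comment says so), so its name `Revert netbios_name to original configuration` is accurate but a reader should be told that running this test permanently enables SID generation on the target server.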
--
2.37.3

@ -1,113 +0,0 @@
From 320168071ff56c00ff65870e781a261075fccc66 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 21 Sep 2022 18:28:55 -0300
Subject: [PATCH] ipaconfig: Do not allow enable_sid set to False.
Once enabled, SID cannot be disabled. This patch ensures that an error
is raised if one tries to disable SID.
---
README-config.md | 2 +-
plugins/modules/ipaconfig.py | 15 ++++++++-------
tests/config/test_config_sid.yml | 13 +++++++++++++
3 files changed, 22 insertions(+), 8 deletions(-)
diff --git a/README-config.md b/README-config.md
index 13023ea..d6fe40a 100644
--- a/README-config.md
+++ b/README-config.md
@@ -148,7 +148,7 @@ Variable | Description | Required
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
-`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
+`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
index 87810b2..9c19afb 100644
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -175,7 +175,7 @@ options:
enable_sid:
description: >
New users and groups automatically get a SID assigned.
- Requires IPA 4.9.8+.
+ Cannot be deactivated once activated. Requires IPA 4.9.8+.
required: false
type: bool
netbios_name:
@@ -525,11 +525,16 @@ def main():
result = config_show(ansible_module)
if params:
+ enable_sid = params.get("enable_sid")
+ sid_is_enabled = has_enable_sid and is_enable_sid(ansible_module)
+
+ if sid_is_enabled and enable_sid is False:
+ ansible_module.fail_json(msg="SID cannot be disabled.")
+
netbios_name = params.get("netbios_name")
if netbios_name:
netbios_name = netbios_name.upper()
add_sids = params.get("add_sids")
- enable_sid = params.get("enable_sid")
required_sid = any([netbios_name, add_sids])
if required_sid and not enable_sid:
ansible_module.fail_json(
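Review bot: the new `SID cannot be disabled.` check only fires when SID generation is already enabled. On a server where it is not, `enable_sid: no` falls through, and because `config_show` does not report `enable_sid` (which is why `is_enable_sid()` inspects the admin SIDs), `{"enable_sid": False}` survives the `k not in result` filter below and is sent to `config_mod`. Consider dropping a `False` value from `params` in that case so an explicit `no` is a no-op rather than a server round-trip.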
@@ -551,13 +556,9 @@ def main():
del params["add_sids"]
if (
not any([netbios_name, add_sids])
- and is_enable_sid(ansible_module)
+ and sid_is_enabled
):
del params["enable_sid"]
- else:
- for param in ["enable_sid", "netbios_name", "add_sids"]:
- if param in params:
- del params[params]
params = {
k: v for k, v in params.items()
diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml
index 1761795..bd550a5 100644
--- a/tests/config/test_config_sid.yml
+++ b/tests/config/test_config_sid.yml
@@ -6,6 +6,9 @@
tasks:
+ - name: Set FreeIPA facts.
+ include_tasks: ../env_freeipa_facts.yml
+
# GET CURRENT CONFIG
- name: Return current values of the global configuration options
@@ -32,6 +35,14 @@
register: result
failed_when: result.failed or result.changed
+ - name: Try to Ensure SID is disabled.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: no
+ register: result
+ failed_when: not result.failed or "SID cannot be disabled." not in result.msg
+
- name: Ensure netbios_name is "IPATESTPLAY"
ipaconfig:
ipaadmin_password: SomeADMINpassword
@@ -59,6 +70,8 @@
enable_sid: yes
add_sids: yes
+ # only run tests if version supports enable-sid
+ when: ipa_version is version("4.9.8", ">=")
# REVERT TO PREVIOUS CONFIG
always:
# Once SID is enabled, it cannot be reverted.
--
2.37.3

@ -1,218 +0,0 @@
Adapted version of
From c808ad6e3408c2145ba660025c75531920f05d73 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Tue, 18 Oct 2022 10:26:01 -0300
Subject: [PATCH] ipaconfig: Do not require enable_sid for add_sids or
netbios_name
Current behavior of ipaconfig mimics FreeIPA CLI and requires that
'enable_sid' is set to True every time add_sids or netbios_name are
used. It is sufficient that SID generation is enabled to use add_sids
and netbios_name, but the IPA API requires 'enable_sid' so that the
operations are executed.
This patch allows ansible-freeipa plugin ipaconfig to run 'add_sids' or
set 'netbios_name' without requiring 'enable_sid' to be set on the
playbook.
If SID generation is enabled, 'add_sids' and 'netbios_name' can be used
without 'enable_sid: yes'. If SID generation is not enabled, an error
message will be raised if 'enable_sid: yes' is not used.
---
README-config.md | 4 +--
plugins/modules/ipaconfig.py | 53 +++++++++++++++++---------------
tests/config/test_config_sid.yml | 48 +++++++++++++++++++++++++++--
3 files changed, 76 insertions(+), 29 deletions(-)
diff --git a/README-config.md b/README-config.md
index d6fe40a..a1d6117 100644
--- a/README-config.md
+++ b/README-config.md
@@ -149,8 +149,8 @@ Variable | Description | Required
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
-`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
-`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and SID generation to be activated. | no
+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and SID generation to be activated. (bool) | no
Return Values
diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
index 9c19afb..7e78492 100644
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -180,14 +180,14 @@ options:
type: bool
netbios_name:
description: >
- NetBIOS name of the IPA domain.
- Requires IPA 4.9.8+ and 'enable_sid: yes'.
+ NetBIOS name of the IPA domain. Requires IPA 4.9.8+
+ and SID generation to be activated.
required: false
type: string
add_sids:
description: >
- Add SIDs for existing users and groups.
- Requires IPA 4.9.8+ and 'enable_sid: yes'.
+ Add SIDs for existing users and groups. Requires IPA 4.9.8+
+ and SID generation to be activated.
required: false
type: bool
'''
@@ -362,7 +362,7 @@ def get_netbios_name(module):
def is_enable_sid(module):
- """When 'enable-sid' is true admin user and admins group have SID set."""
+ """When 'enable_sid' is true admin user and admins group have SID set."""
_result = module.ipa_command("user_show", "admin", {"all": True})
sid = _result["result"].get("ipantsecurityidentifier", [""])
if not sid[0].endswith("-500"):
@@ -517,7 +517,7 @@ def main():
changed = False
exit_args = {}
- # Connect to IPA API (enable-sid requires context == 'client')
+ # Connect to IPA API (enable_sid requires context == 'client')
with ansible_module.ipa_connect(context="client"):
has_enable_sid = ansible_module.ipa_command_param_exists(
"config_mod", "enable_sid")
@@ -532,20 +532,8 @@ def main():
ansible_module.fail_json(msg="SID cannot be disabled.")
netbios_name = params.get("netbios_name")
- if netbios_name:
- netbios_name = netbios_name.upper()
add_sids = params.get("add_sids")
- required_sid = any([netbios_name, add_sids])
- if required_sid and not enable_sid:
- ansible_module.fail_json(
- msg="'enable-sid: yes' required for 'netbios_name' "
- "and 'add-sids'."
- )
- if enable_sid:
- if not has_enable_sid:
- ansible_module.fail_json(
- msg="This version of IPA does not support enable-sid."
- )
+ if has_enable_sid:
if (
netbios_name
and netbios_name == get_netbios_name(ansible_module)
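Review bot: removing the `netbios_name.upper()` normalisation is a behaviour change the commit message does not mention. Before, a lowercase `netbios_name` equal to the current name was reported as unchanged; now it is passed to the server and rejected, which is what the new tests in this patch expect (`Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed`). Either document the change, or keep the normalisation and write it back to `params["netbios_name"]` so the value sent to `config_mod` matches the one compared here.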
@@ -554,12 +542,27 @@ def main():
netbios_name = None
if not add_sids and "add_sids" in params:
del params["add_sids"]
- if (
- not any([netbios_name, add_sids])
- and sid_is_enabled
- ):
- del params["enable_sid"]
-
+ if any([netbios_name, add_sids]):
+ if sid_is_enabled:
+ params["enable_sid"] = True
+ else:
+ if not enable_sid:
+ ansible_module.fail_json(
+ msg="SID generation must be enabled for "
+ "'netbios_name' and 'add_sids'. Use "
+ "'enable_sid: yes'."
+ )
+ else:
+ if sid_is_enabled and "enable_sid" in params:
+ del params["enable_sid"]
+
+ else:
+ if any([enable_sid, netbios_name, add_sids is not None]):
+ ansible_module.fail_json(
+ msg="This version of IPA does not support enable_sid, "
+ "add_sids or netbios_name setting through the "
+ "config module"
+ )
params = {
k: v for k, v in params.items()
if k not in result or result[k] != v
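Review bot: the unsupported-version guard is inconsistent: `any([enable_sid, netbios_name, add_sids is not None])` rejects `add_sids: no` but lets `enable_sid: no` through silently, since `False` is falsy; use `is not None` for all three. Separately, when `sid_is_enabled` and `netbios_name` or `add_sids` are given, `params["enable_sid"] = True` is injected and, because `config_show` does not return `enable_sid`, it always survives the filter below; that is intentional per the commit message ("the IPA API requires 'enable_sid'"), so add a one-line comment at the injection saying so.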
diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml
index bd550a5..d8d78f1 100644
--- a/tests/config/test_config_sid.yml
+++ b/tests/config/test_config_sid.yml
@@ -19,6 +19,32 @@
# TESTS
- block:
+ - name: Check if SID is enabled.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ check_mode: yes
+ register: sid_disabled
+
+ - name: Ensure netbios_name can't be changed without SID enabled.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ netbios_name: IPATESTPLAY
+ register: result
+ failed_when: not result.failed and "SID generation must be enabled" in result.msg
+ when: sid_disabled.changed
+
+ - name: Ensure SIDs can't be changed without SID enabled.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ add_sids: yes
+ register: result
+ failed_when: not result.failed and "SID generation must be enabled" in result.msg
+ when: sid_disabled.changed
+
- name: Ensure SID is enabled.
ipaconfig:
ipaadmin_password: SomeADMINpassword
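Review bot: the two negative tests added here can never flag a regression. `failed_when: not result.failed and "SID generation must be enabled" in result.msg` is false whenever the module fails (the expected outcome, whatever the message), and is also false when the module unexpectedly succeeds, since `result.msg` then does not contain that text. The shape used earlier in this file for the `SID cannot be disabled.` case is the right one: `failed_when: not result.failed or "SID generation must be enabled" not in result.msg`.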
@@ -56,18 +82,36 @@
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
- enable_sid: yes
netbios_name: IPATESTPLAY
register: result
failed_when: result.failed or result.changed
+ - name: Ensure netbios_name cannot be set with lowercase characters
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ netbios_name: IPATESTplay
+ register: result
+ failed_when:
+ (not result.failed
+ and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message)
+
+ - name: Ensure netbios_name cannot be set different lowercase characters
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ netbios_name: otherPLAY
+ register: result
+ failed_when:
+ (not result.failed
+ and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message)
+
# add_sids is not idempotent as it always tries to generate the missing
# SIDs for users and groups.
- name: Add SIDs to users and groups.
ipaconfig:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
- enable_sid: yes
add_sids: yes
# only run tests if version supports enable-sid
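Review bot: the two lowercase `netbios_name` tasks check `result.message`, but the module reports errors in `msg` (every `fail_json(msg=...)` call, and every other `failed_when` in this file, uses `result.msg`). The wrong attribute has not surfaced because, with `not result.failed and ...`, the right-hand operand is never evaluated when the module fails, and that same shape means the condition is also false when the module succeeds, so neither task can fail. Use `failed_when: not result.failed or "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.msg`.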
--
2.37.3

@ -1,40 +0,0 @@
From 4da89de1d41a752e561d17f628dd6c2cbda3f326 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 21 Sep 2022 10:10:52 -0300
Subject: [PATCH] ipaconfig: Fix fail_json calls.
Ansible's fail_json() method required that the message parameter was
passed with a keyword parameter, rather than a positional one. Although
this seems to work with ansible-core 2.13+, it might not work with
previous versions of Ansible.
This patch fixes the behaviour for all supported Ansible versions.
---
plugins/modules/ipaconfig.py | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
index b0b4062..87810b2 100644
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -533,13 +533,14 @@ def main():
required_sid = any([netbios_name, add_sids])
if required_sid and not enable_sid:
ansible_module.fail_json(
- "'enable-sid: yes' required for 'netbios_name' "
- "and 'add-sids'."
+ msg="'enable-sid: yes' required for 'netbios_name' "
+ "and 'add-sids'."
)
if enable_sid:
if not has_enable_sid:
ansible_module.fail_json(
- "This version of IPA does not support 'enable-sid'.")
+ msg="This version of IPA does not support enable-sid."
+ )
if (
netbios_name
and netbios_name == get_netbios_name(ansible_module)
--
2.37.3

@ -1,73 +0,0 @@
From de8911af504c6b6f51c906e8cec7da12ff4eed09 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Tue, 30 Aug 2022 16:38:42 +0200
Subject: [PATCH] ipaserver: Add missing idstart check
The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs.
This is "Require idstart to be larger than UID_MAX" for freeipa.
Fixes: #896 (Invalid RID/SID SSSD backtrace after deployment)
---
roles/ipaserver/library/ipaserver_test.py | 13 ++++++++++++-
roles/ipaserver/module_utils/ansible_ipa_server.py | 7 ++++++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
index 2158150..f830f37 100644
--- a/roles/ipaserver/library/ipaserver_test.py
+++ b/roles/ipaserver/library/ipaserver_test.py
@@ -225,7 +225,8 @@ from ansible.module_utils.ansible_ipa_server import (
read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
- encode_certificate, check_available_memory, getargspec, adtrustinstance
+ encode_certificate, check_available_memory, getargspec, adtrustinstance,
+ get_min_idstart
)
from ansible.module_utils import six
@@ -579,6 +580,16 @@ def main():
"'--ignore-topology-disconnect/--ignore-last-of-role' "
"options can be used only during uninstallation")
+ if get_min_idstart is not None:
+ min_idstart = get_min_idstart()
+ if self.idstart < min_idstart:
+ raise RuntimeError(
+ "idstart (%i) must be larger than UID_MAX/GID_MAX "
+ "(%i) setting in /etc/login.defs." % (
+ self.idstart, min_idstart
+ )
+ )
+
if self.idmax < self.idstart:
raise RuntimeError(
"idmax (%s) cannot be smaller than idstart (%s)" %
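Review bot: the error text says idstart `must be larger than UID_MAX/GID_MAX (%i)`, but `self.idstart < min_idstart` accepts equality. If `get_min_idstart()` returns the UID_MAX/GID_MAX value itself the comparison should be `<=`; if it already returns the first valid id, the message should read `must be at least`. Worth aligning with the upstream freeipa check this mirrors so both installers reject the same values.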
diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
index aba6b68..5b1c4e5 100644
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger", "sysrestore", "root_logger",
"adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader",
"default_subject_base", "default_ca_subject_dn",
"check_ldap_conf", "encode_certificate", "decode_certificate",
- "check_available_memory", "getargspec"]
+ "check_available_memory", "getargspec", "get_min_idstart"]
import sys
@@ -200,6 +200,11 @@ else:
from ipalib.x509 import load_certificate
load_pem_x509_certificate = None
+ try:
+ from ipaserver.install.server.install import get_min_idstart
+ except ImportError:
+ get_min_idstart = None
+
else:
# IPA version < 4.5
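Review bot: `get_min_idstart` is bound (to the function or to `None`) only in this branch; the following `else:  # IPA version < 4.5` branch does not define it, yet the name is now listed in `__all__` and imported unconditionally by roles/ipaserver/library/ipaserver_test.py, which becomes an ImportError on that path. Either bind `get_min_idstart = None` at module level before the version branches, or confirm the < 4.5 branch already fails earlier for the other names it lacks.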
--
2.37.3

@ -1,55 +0,0 @@
From 7077776de3432a321298df13076ea0cc59bc35b1 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 5 Sep 2022 13:16:26 +0200
Subject: [PATCH] ipaserver/ipareplica: Add isatty method to AnsibleModuleLog
In some cases ipa code is using sys.stdout.isatty. As stdout is mapped
to AnsibleModuleLog this call will lead to a traceback as it was not
defined.
The staticmethod isatty has been added to AnsibleModuleLog in ipaserver
role module_utils/ansible_ipa_server.py and in ipareplica role
module_utils/ansible_ipa_replica.py.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2120415
ansible-freeipa Replica Install Setup DNS fails
Fixes: #251 - 'AnsibleModuleLog' object has no attribute 'isatty'
Fixes: #117 - 'AnsibleModuleLog' object has no attribute 'isatty'
---
roles/ipareplica/module_utils/ansible_ipa_replica.py | 4 ++++
roles/ipaserver/module_utils/ansible_ipa_server.py | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
index 0e4e738..27ee13d 100644
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -222,6 +222,10 @@ else:
def info(self, msg):
self.module.debug(msg)
+ @staticmethod
+ def isatty():
+ return False
+
def write(self, msg):
self.module.debug(msg)
# self.module.warn(msg)
diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
index 5b1c4e5..8e7be0b 100644
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
@@ -255,6 +255,10 @@ else:
def info(self, msg):
self.module.debug(msg)
+ @staticmethod
+ def isatty():
+ return False
+
def write(self, msg):
self.module.debug(msg)
# self.module.warn(msg)
--
2.37.3

@ -7,25 +7,20 @@
Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients
Name: ansible-freeipa
Version: 1.8.3
Release: 2%{?dist}
Version: 1.9.2
Release: 1%{?dist}
URL: https://github.com/freeipa/ansible-freeipa
License: GPLv3+
Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch1: ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch
Patch2: ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch
Patch3: ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch
Patch4: ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch
Patch5: ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch
Patch6: ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch
BuildArch: noarch
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
Requires: ansible-core
%endif
%description
Ansible roles and playbooks to install and uninstall FreeIPA servers, replicas
and clients. Also modules management.
Ansible roles to install and uninstall FreeIPA servers, replicas and clients,
roles for backups and SmartCard configuration, modules for management and also
playbooks for all roles and modules.
Note: The Ansible playbooks and roles require a configured Ansible environment
where the Ansible nodes are reachable and are properly set up to have an IP
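Review bot: dropping `Patch1` through `Patch6` together with the bump from 1.8.3-2 to 1.9.2-1 is only correct if every one of those downstream fixes is in the upstream tarball; the new `%changelog` entries for 1.8.4-1 and 1.9.0-1 below list the idstart check, the replica DNS/isatty fix, the SID attributes, the `fail_json` fixes and both `enable_sid` changes as released upstream, so the removal is justified, and the matching `%patch1` to `%patch6` lines are removed from `%prep` in a later hunk so the spec stays consistent. The rewritten `%description` now mentions the backup and SmartCard roles, which matches the roles the 1.9.x changelog refers to.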
@ -57,6 +52,7 @@ Features
- Modules for hostgroup management
- Modules for idrange management
- Modules for location management
- Modules for netgroup management
- Modules for permission management
- Modules for privilege management
- Modules for pwpolicy management
@ -93,8 +89,6 @@ Requirements
Controller
- Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
- /usr/bin/kinit is required on the controller if a one time password (OTP)
is used
Node
- Supported FreeIPA version (see above)
@ -122,23 +116,17 @@ to get the needed requrements to run the tests.
%prep
%setup -q
# Do not create backup files with patches
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
# Fix python modules and module utils:
# - Remove shebang
# - Remove execute flag
for i in roles/ipa*/library/*.py roles/ipa*/module_utils/*.py plugins/*/*.py; do
for i in roles/ipa*/library/*.py roles/ipa*/module_utils/*.py plugins/*/*.py;
do
sed -i '1{/\/usr\/bin\/python*/d;}' $i
chmod a-x $i
done
for i in utils/*.py utils/ansible-ipa-*-install utils/new_module \
utils/changelog utils/ansible-doc-test;
for i in utils/*.py utils/new_module utils/changelog utils/ansible-doc-test;
do
sed -i '{s@/usr/bin/python*@%{python}@}' $i
done
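Review bot: the second loop no longer lists `utils/ansible-ipa-*-install`, so if 1.9.2 still ships those wrapper scripts their `/usr/bin/python` shebang would no longer be rewritten to `%{python}` and the installed files would carry an unversioned interpreter path; confirm the files were removed or renamed upstream (the `utils/*.py` glob would not match them) before dropping them from the list. Splitting `for i in ...;` and `do` onto two lines is purely cosmetic and harmless.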
@ -191,19 +179,55 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/
%{_datadir}/ansible-freeipa/requirements-tests.txt
%changelog
-* Tue Oct 18 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.3-2
- ipaserver: Add missing idstart check
Resolves: RHBZ#2132976
- Replica Install Setup DNS fails
Resolves: RHBZ#2132990
- ipaconfig: Add support for SID related attributes
Resolves: RHBZ#2132996
- paconfig: Fix fail_json calls
Resolves: RHBZ#2135756
* Tue Jan 31 2023 Thomas Woerner <twoerner@redhat.com> - 1.9.2-1
- Update to version 1.9.2
https://github.com/freeipa/ansible-freeipa/releases/tag/v1.9.2
Resolves: RHBZ#2125592
- ipabackup: Use ipabackup_item again in copy_backup_to_server
Resolves: RHBZ#2165953
* Mon Jan 30 2023 Thomas Woerner <twoerner@redhat.com> - 1.9.1-1
- Update to version 1.9.1
https://github.com/freeipa/ansible-freeipa/releases/tag/v1.9.1
Resolves: RHBZ#2125592
- pwpolicy: Allow clearing policy values
Resolves: RHBZ#2150334
- Use netgroup_find instead of netgroup_show to workaround IPA bug
Resolves: RHBZ#2144725
* Wed Dec 7 2022 Thomas Woerner <twoerner@redhat.com> - 1.9.0-1
- Update to version 1.9.0
https://github.com/freeipa/ansible-freeipa/releases/tag/v1.9.0
Related: RHBZ#2125592
- pwpolicy: Add support for password check and grace limit
Resolves: RHBZ#2127911
- ipaconfig: Do not allow enable_sid set to False
Resolves: RHBZ#2135757
Resolves: RHBZ#2127446
- ipaclient: No kinit on controller for deployment using OTP
Resolves: RHBZ#2127887
- ipaclient: Configure DNS resolver
Resolves: RHBZ#2127895
- New netgroup management module
Resolves: RHBZ#2127910
- sudorule: Add support for 'hostmask' parameter
Resolves: RHBZ#2127913
- ipaconfig: Fix fail_json calls
Resolves: RHBZ#2134375
- ipaconfig: Do not require enable_sid for add_sids or netbios_name
Resolves: RHBZ#2135776
Resolves: RHBZ#2134505
- ipaserver: Add missing idstart check
Resolves: RHBZ#2132731
* Mon Sep 12 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.4-1
- Update to version 1.8.4
https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.4
Resolves: RHBZ#2125592
- 'ansible-doc' -l lists most idm modules as 'UNDOCUMENTED'
Resolves: RHBZ#2125603
- ansible-freeipa Replica Install Setup DNS fails
Resolves: RHBZ#2125616
- ipaconfig does not support SID and netbios attributes
Resolves: RHBZ#2069184
* Tue Aug 16 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.3-1
- Update to version 1.8.3
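Review bot: `RHBZ#2125592` appears as `Resolves:` in the 1.8.4-1, 1.9.1-1 and 1.9.2-1 entries and as `Related:` in 1.9.0-1; a bug can only be resolved once, so the earlier entries should use `Related:` and only the entry that ships the final rebase (1.9.2-1) should `Resolve` it. Removing the 1.8.3-2 entry also drops its `paconfig` typo, and the replacement 1.9.0-1 entry spells `ipaconfig: Fix fail_json calls` correctly.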