import ansible-freeipa-1.8.3-1.el8

This commit is contained in:
CentOS Sources 2022-11-08 01:43:18 -05:00 committed by Stepan Oksanichenko
parent 9e16d0ade9
commit 79d0a61dd9
10 changed files with 62 additions and 1173 deletions

View File

@ -1 +1 @@
7f143f7b2263b6de41c41bba9aea905d17242efb SOURCES/ansible-freeipa-1.6.3.tar.gz c4d984a5760e18c642703728f847fd9a8e4d2d7a SOURCES/ansible-freeipa-1.8.3.tar.gz

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/ansible-freeipa-1.6.3.tar.gz SOURCES/ansible-freeipa-1.8.3.tar.gz

View File

@ -1,361 +0,0 @@
diff -up ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml
--- ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
+++ ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml 2022-10-07 17:12:51.172335899 +0200
@@ -0,0 +1,12 @@
+---
+- name: Playbook to change IPA domain netbios name
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Set IPA domain netbios name
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ netbios_name: IPADOM
diff -up ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml
--- ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
+++ ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml 2022-10-07 17:12:51.172335899 +0200
@@ -0,0 +1,12 @@
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ add_sids: yes
diff -up ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py
--- ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py 2022-10-07 17:18:43.193785596 +0200
@@ -148,6 +148,24 @@ options:
required: false
type: list
aliases: ["ipadomainresolutionorder"]
+ enable_sid:
+ description: >
+ New users and groups automatically get a SID assigned.
+ Requires IPA 4.9.8+.
+ required: false
+ type: bool
+ netbios_name:
+ description: >
+ NetBIOS name of the IPA domain.
+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
+ required: false
+ type: string
+ add_sids:
+ description: >
+ Add SIDs for existing users and groups.
+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
+ required: false
+ type: bool
'''
EXAMPLES = '''
@@ -169,6 +187,24 @@ EXAMPLES = '''
ipaadmin_password: SomeADMINpassword
defaultshell: /bin/bash
maxusername: 64
+
+- name: Playbook to enable SID and generate users and groups SIDs
+ hosts: ipaserver
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ add_sids: yes
+
+- name: Playbook to change IPA domain netbios name
+ hosts: ipaserver
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ netbios_name: IPADOM
'''
RETURN = '''
@@ -247,6 +283,14 @@ config:
domain_resolution_order:
description: list of domains used for short name qualification
returned: always
+ enable_sid:
+ description: >
+ new users and groups automatically get a SID assigned.
+ Requires IPA 4.9.8+.
+ returned: always
+ netbios_name:
+ description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
+ returned: if enable_sid is True
'''
@@ -260,6 +304,28 @@ def config_show(module):
return _result["result"]
+def get_netbios_name(module):
+ try:
+ _result = module.ipa_command_no_name("trustconfig_show", {"all": True})
+ except Exception: # pylint: disable=broad-except
+ return None
+ else:
+ return _result["result"]["ipantflatname"][0]
+
+
+def is_enable_sid(module):
+ """When 'enable-sid' is true admin user and admins group have SID set."""
+ _result = module.ipa_command("user_show", "admin", {"all": True})
+ sid = _result["result"].get("ipantsecurityidentifier", [""])
+ if not sid[0].endswith("-500"):
+ return False
+ _result = module.ipa_command("group_show", "admins", {"all": True})
+ sid = _result["result"].get("ipantsecurityidentifier", [""])
+ if not sid[0].endswith("-512"):
+ return False
+ return True
+
+
def main():
ansible_module = IPAAnsibleModule(
argument_spec=dict(
@@ -313,7 +379,10 @@ def main():
aliases=["ipauserauthtype"]),
ca_renewal_master_server=dict(type="str", required=False),
domain_resolution_order=dict(type="list", required=False,
- aliases=["ipadomainresolutionorder"])
+ aliases=["ipadomainresolutionorder"]),
+ enable_sid=dict(type="bool", required=False),
+ add_sids=dict(type="bool", required=False),
+ netbios_name=dict(type="str", required=False),
),
supports_check_mode=True,
)
@@ -344,7 +413,10 @@ def main():
"pac_type": "ipakrbauthzdata",
"user_auth_type": "ipauserauthtype",
"ca_renewal_master_server": "ca_renewal_master_server",
- "domain_resolution_order": "ipadomainresolutionorder"
+ "domain_resolution_order": "ipadomainresolutionorder",
+ "enable_sid": "enable_sid",
+ "netbios_name": "netbios_name",
+ "add_sids": "add_sids",
}
reverse_field_map = {v: k for k, v in field_map.items()}
@@ -392,11 +464,47 @@ def main():
changed = False
exit_args = {}
- # Connect to IPA API
- with ansible_module.ipa_connect():
+ # Connect to IPA API (enable-sid requires context == 'client')
+ with ansible_module.ipa_connect(context="client"):
+ has_enable_sid = ansible_module.ipa_command_param_exists(
+ "config_mod", "enable_sid")
result = config_show(ansible_module)
+
if params:
+ netbios_name = params.get("netbios_name")
+ if netbios_name:
+ netbios_name = netbios_name.upper()
+ add_sids = params.get("add_sids")
+ enable_sid = params.get("enable_sid")
+ required_sid = any([netbios_name, add_sids])
+ if required_sid and not enable_sid:
+ ansible_module.fail_json(
+ "'enable-sid: yes' required for 'netbios_name' "
+ "and 'add-sids'."
+ )
+ if enable_sid:
+ if not has_enable_sid:
+ ansible_module.fail_json(
+ "This version of IPA does not support 'enable-sid'.")
+ if (
+ netbios_name
+ and netbios_name == get_netbios_name(ansible_module)
+ ):
+ del params["netbios_name"]
+ netbios_name = None
+ if not add_sids and "add_sids" in params:
+ del params["add_sids"]
+ if (
+ not any([netbios_name, add_sids])
+ and is_enable_sid(ansible_module)
+ ):
+ del params["enable_sid"]
+ else:
+ for param in ["enable_sid", "netbios_name", "add_sids"]:
+ if param in params:
+ del params[params]
+
params = {
k: v for k, v in params.items()
if k not in result or result[k] != v
@@ -441,6 +549,10 @@ def main():
raise ValueError(
"Unexpected attribute type: %s" % arg_type)
exit_args[k] = type_map[arg_type](value)
+ # Set enable_sid
+ if has_enable_sid:
+ exit_args["enable_sid"] = is_enable_sid(ansible_module)
+ exit_args["netbios_name"] = get_netbios_name(ansible_module)
# Done
ansible_module.exit_json(changed=changed, config=exit_args)
diff -up ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid ansible-freeipa-1.6.3/README-config.md
--- ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/README-config.md 2022-10-07 17:12:51.172335899 +0200
@@ -65,6 +65,9 @@ Example playbook to read config options:
maxusername: 64
```
+
+Example playbook to set global configuration options:
+
```yaml
---
- name: Playbook to ensure some config options are set
@@ -79,6 +82,40 @@ Example playbook to read config options:
```
+Example playbook to enable SID and generate users and groups SIDs:
+
+```yaml
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Enable SID and generate users and groups SIDS
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ add_sids: yes
+```
+
+Example playbook to change IPA domain NetBIOS name:
+
+```yaml
+---
+- name: Playbook to change IPA domain netbios name
+ hosts: ipaserver
+ become: no
+ gather_facts: no
+
+ tasks:
+ - name: Set IPA domain netbios name
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ enable_sid: yes
+ netbios_name: IPADOM
+```
+
Variables
=========
@@ -111,6 +148,9 @@ Variable | Description | Required
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
+`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
Return Values
@@ -140,6 +180,8 @@ Variable | Description | Returned When
  | `user_auth_type` |  
  | `domain_resolution_order` |  
  | `ca_renewal_master_server` |  
+  | `enable_sid` |  
+  | `netbios_name` |  
All returned fields take the same form as their namesake input parameters
diff -up ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid ansible-freeipa-1.6.3/tests/config/test_config_sid.yml
--- ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
+++ ansible-freeipa-1.6.3/tests/config/test_config_sid.yml 2022-10-07 17:12:51.172335899 +0200
@@ -0,0 +1,70 @@
+---
+- name: Test config
+ hosts: "{{ ipa_test_host | default('ipaserver') }}"
+ become: no
+ gather_facts: no
+
+ tasks:
+
+ # GET CURRENT CONFIG
+
+ - name: Return current values of the global configuration options
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ register: previous
+
+ # TESTS
+ - block:
+ - name: Ensure SID is enabled.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ register: result
+ failed_when: result.failed or previous.config.enable_sid == result.changed
+
+ - name: Ensure SID is enabled, again.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Ensure netbios_name is "IPATESTPLAY"
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ netbios_name: IPATESTPLAY
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: Ensure netbios_name is "IPATESTPLAY", again
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ netbios_name: IPATESTPLAY
+ register: result
+ failed_when: result.failed or result.changed
+
+ # add_sids is not idempotent as it always tries to generate the missing
+ # SIDs for users and groups.
+ - name: Add SIDs to users and groups.
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ enable_sid: yes
+ add_sids: yes
+
+ # REVERT TO PREVIOUS CONFIG
+ always:
+ # Once SID is enabled, it cannot be reverted.
+ - name: Revert netbios_name to original configuration
+ ipaconfig:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
+ enable_sid: yes

View File

@ -1,38 +0,0 @@
From 641c550cc3650c6d0aa95f52b422089f64e7fb6a Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 15 Aug 2022 16:00:06 +0200
Subject: [PATCH] ipareplica: ipareplica_setup_adtrust fails while updating
ipaNTFlatName
The internal parameter sid_generation_always is generated in
ipareplica_test to enable SID generation if ipareplica_setup_adtrust is
not enabled.
This parameter was not used for ipareplica_prepare though, therefore
adtrust.install_check was not executed and did not set the attribute
adtrust.netbios_name. As a result adtrust.netbios_name was None and the
try to use this as the new NetBIOS domain name failed with an
INVALID_SYNTAX error in adtrustinstance while executing
ipareplica_setup_adtrust.
This issue only occurs if SIDs are not enabled in the domain yet for
example with an old deployment.
---
roles/ipareplica/tasks/install.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
index 0e5f840..7413884 100644
--- a/roles/ipareplica/tasks/install.yml
+++ b/roles/ipareplica/tasks/install.yml
@@ -201,6 +201,7 @@
### additional ###
server: "{{ result_ipareplica_test.server }}"
skip_conncheck: "{{ ipareplica_skip_conncheck }}"
+ sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
register: result_ipareplica_prepare
- name: Install - Add to ipaservers
--
2.37.3

View File

@ -1,54 +0,0 @@
diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.idstart_heck ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py
--- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.idstart_heck 2022-10-07 17:06:41.915918624 +0200
+++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py 2022-10-07 17:09:55.228613556 +0200
@@ -226,7 +226,8 @@ from ansible.module_utils.ansible_ipa_se
read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
- encode_certificate, check_available_memory, adtrustinstance
+ encode_certificate, check_available_memory, adtrustinstance,
+ get_min_idstart
)
from ansible.module_utils import six
@@ -580,6 +581,16 @@ def main():
"'--ignore-topology-disconnect/--ignore-last-of-role' "
"options can be used only during uninstallation")
+ if get_min_idstart is not None:
+ min_idstart = get_min_idstart()
+ if self.idstart < min_idstart:
+ raise RuntimeError(
+ "idstart (%i) must be larger than UID_MAX/GID_MAX "
+ "(%i) setting in /etc/login.defs." % (
+ self.idstart, min_idstart
+ )
+ )
+
if self.idmax < self.idstart:
raise RuntimeError(
"idmax (%s) cannot be smaller than idstart (%s)" %
diff -up ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py.idstart_heck ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py
--- ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py.idstart_heck 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py 2022-10-07 17:07:35.907833419 +0200
@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger"
"adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader",
"default_subject_base", "default_ca_subject_dn",
"check_ldap_conf", "encode_certificate", "decode_certificate",
- "check_available_memory"]
+ "check_available_memory", "get_min_idstart"]
import sys
@@ -178,6 +178,11 @@ else:
from ipalib.x509 import load_certificate
load_pem_x509_certificate = None
+ try:
+ from ipaserver.install.server.install import get_min_idstart
+ except ImportError:
+ get_min_idstart = None
+
else:
# IPA version < 4.5

View File

@ -1,55 +0,0 @@
From 7077776de3432a321298df13076ea0cc59bc35b1 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Mon, 5 Sep 2022 13:16:26 +0200
Subject: [PATCH] ipaserver/ipareplica: Add isatty method to AnsibleModuleLog
In some cases ipa code is using sys.stdout.isatty. As stdout is mapped
to AnsibleModuleLog this call will lead in a traceback as it was not
defined.
The staticmethod isatty has been added to AnsibleModuleLog in ipaserver
role module_utils/ansible_ipa_server.py and in ipareplica role
module_utils/ansible_ipa_repica.py.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2120415
ansible-freeipa Replica Install Setup DNS fails
Fixes: #251 - 'AnsibleModuleLog' object has no attribute 'isatty'
Fixes: #117 - 'AnsibleModuleLog' object has no attribute 'isatty'
---
roles/ipareplica/module_utils/ansible_ipa_replica.py | 4 ++++
roles/ipaserver/module_utils/ansible_ipa_server.py | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
index 0e4e738..27ee13d 100644
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
@@ -222,6 +222,10 @@ else:
def info(self, msg):
self.module.debug(msg)
+ @staticmethod
+ def isatty():
+ return False
+
def write(self, msg):
self.module.debug(msg)
# self.module.warn(msg)
diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
index 5b1c4e5..8e7be0b 100644
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
@@ -255,6 +255,10 @@ else:
def info(self, msg):
self.module.debug(msg)
+ @staticmethod
+ def isatty():
+ return False
+
def write(self, msg):
self.module.debug(msg)
# self.module.warn(msg)
--
2.37.3

View File

@ -1,259 +0,0 @@
diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py
--- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py.always_sids 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py 2022-10-07 16:51:35.750411448 +0200
@@ -182,6 +182,9 @@ options:
skip_conncheck:
description: Skip connection check to remote master
required: yes
+ sid_generation_always:
+ description: Enable SID generation always
+ required: yes
author:
- Thomas Woerner
'''
@@ -275,6 +278,8 @@ def main():
# additional
server=dict(required=True),
skip_conncheck=dict(required=False, type='bool'),
+ sid_generation_always=dict(required=False, type='bool',
+ default=False),
),
supports_check_mode=True,
)
@@ -350,6 +355,7 @@ def main():
# '_hostname_overridden')
options.server = ansible_module.params.get('server')
options.skip_conncheck = ansible_module.params.get('skip_conncheck')
+ sid_generation_always = ansible_module.params.get('sid_generation_always')
# init #
@@ -755,7 +761,7 @@ def main():
ansible_log.debug("-- CHECK ADTRUST --")
- if options.setup_adtrust:
+ if options.setup_adtrust or sid_generation_always:
adtrust.install_check(False, options, remote_api)
except errors.ACIError:
diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py
--- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py.always_sids 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py 2022-10-07 16:44:59.008094369 +0200
@@ -71,6 +71,9 @@ options:
setup_ca:
description: Configure a dogtag CA
required: no
+ setup_adtrust:
+ description: Configure AD trust capability
+ required: yes
config_master_host_name:
description: The config master_host_name setting
required: no
@@ -112,6 +115,7 @@ def main():
ccache=dict(required=True),
_top_dir=dict(required=True),
setup_ca=dict(required=True, type='bool'),
+ setup_adtrust=dict(required=True, type='bool'),
config_master_host_name=dict(required=True),
),
supports_check_mode=True,
@@ -140,6 +144,7 @@ def main():
os.environ['KRB5CCNAME'] = ccache
options._top_dir = ansible_module.params.get('_top_dir')
options.setup_ca = ansible_module.params.get('setup_ca')
+ options.setup_adtrust = ansible_module.params.get('setup_adtrust')
config_master_host_name = ansible_module.params.get(
'config_master_host_name')
adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name')
diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py
--- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py.always_sids 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py 2022-10-07 16:50:45.621497736 +0200
@@ -144,7 +144,7 @@ from ansible.module_utils.ansible_ipa_re
ansible_module_get_parsed_ip_addresses, service,
redirect_stdout, create_ipa_conf, ipautil,
x509, validate_domain_name, common_check,
- IPA_PYTHON_VERSION
+ IPA_PYTHON_VERSION, adtrustinstance
)
@@ -271,6 +271,14 @@ def main():
# # options.setup_adtrust = False
# # ansible_module.warn(msg="adtrust is not supported, disabling")
+ sid_generation_always = False
+ if not options.setup_adtrust:
+ # pylint: disable=deprecated-method
+ argspec = inspect.getargspec(adtrustinstance.ADTRUSTInstance.__init__)
+ # pylint: enable=deprecated-method
+ if "fulltrust" in argspec.args:
+ sid_generation_always = True
+
# if options.setup_kra and not kra_imported:
# # if "kra" not in options._allow_missing:
# ansible_module.fail_json(msg="kra can not be imported")
@@ -472,6 +480,7 @@ def main():
# additional
client_enrolled=client_enrolled,
change_master_for_certmonger=change_master_for_certmonger,
+ sid_generation_always=sid_generation_always
)
diff -up ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py
--- ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py.always_sids 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py 2022-10-07 16:54:27.707115487 +0200
@@ -46,7 +46,8 @@ __all__ = ["contextlib", "dnsexception",
"common_check", "current_domain_level",
"check_domain_level_is_supported", "promotion_check_ipa_domain",
"SSSDConfig", "CalledProcessError", "timeconf", "ntpinstance",
- "dnsname", "kernel_keyring", "krbinstance"]
+ "dnsname", "kernel_keyring", "krbinstance",
+ "adtrustinstance"]
import sys
@@ -105,6 +106,7 @@ else:
adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance,
installutils, kra, krbinstance,
otpdinstance, custodiainstance, service, upgradeinstance)
+ from ipaserver.install import adtrustinstance
try:
from ipaserver.masters import (
find_providing_servers, find_providing_server)
diff -up ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml.always_sids ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml
--- ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml.always_sids 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml 2022-10-07 16:44:59.008094369 +0200
@@ -748,13 +748,15 @@
ccache: "{{ result_ipareplica_prepare.ccache }}"
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
+ setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
config_master_host_name:
"{{ result_ipareplica_prepare.config_master_host_name }}"
adtrust_netbios_name:
"{{ result_ipareplica_prepare.adtrust_netbios_name }}"
adtrust_reset_netbios_name:
"{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}"
- when: result_ipareplica_test.setup_adtrust
+ when: result_ipareplica_test.setup_adtrust or
+ result_ipareplica_test.sid_generation_always
- name: Install - Enable IPA
ipareplica_enable_ipa:
diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py.always_sids ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py
--- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py.always_sids 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py 2022-10-07 16:47:45.005808635 +0200
@@ -141,6 +141,9 @@ options:
setup_ca:
description: Configure a dogtag CA
required: yes
+ sid_generation_always:
+ description: Enable SID generation always
+ required: yes
_hostname_overridden:
description: The installer _hostname_overridden setting
required: yes
@@ -213,6 +216,8 @@ def main():
# additional
setup_ca=dict(required=False, type='bool', default=False),
+ sid_generation_always=dict(required=False, type='bool',
+ default=False),
_hostname_overridden=dict(required=False, type='bool',
default=False),
),
@@ -279,6 +284,7 @@ def main():
options.setup_ca = ansible_module.params.get('setup_ca')
options._host_name_overridden = ansible_module.params.get(
'_hostname_overridden')
+ sid_generation_always = ansible_module.params.get('sid_generation_always')
options.kasp_db_file = None
# init ##################################################################
@@ -371,7 +377,7 @@ def main():
logger.debug('Starting Directory Server')
services.knownservices.dirsrv.start(instance_name)
- if options.setup_adtrust:
+ if options.setup_adtrust or sid_generation_always:
with redirect_stdout(ansible_log):
adtrust.install_check(False, options, api)
diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.always_sids ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py
--- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.always_sids 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py 2022-10-07 16:46:12.413968014 +0200
@@ -226,7 +226,7 @@ from ansible.module_utils.ansible_ipa_se
read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
- encode_certificate, check_available_memory
+ encode_certificate, check_available_memory, adtrustinstance
)
from ansible.module_utils import six
@@ -395,12 +395,16 @@ def main():
# version specific ######################################################
- if options.setup_adtrust and not adtrust_imported:
- # if "adtrust" not in options._allow_missing:
- ansible_module.fail_json(msg="adtrust can not be imported")
- # else:
- # options.setup_adtrust = False
- # ansible_module.warn(msg="adtrust is not supported, disabling")
+ sid_generation_always = False
+ if not options.setup_adtrust:
+ # pylint: disable=deprecated-method
+ argspec = inspect.getargspec(adtrustinstance.ADTRUSTInstance.__init__)
+ # pylint: enable=deprecated-method
+ if "fulltrust" in argspec.args:
+ sid_generation_always = True
+ else:
+ if not adtrust_imported:
+ ansible_module.fail_json(msg="adtrust can not be imported")
if options.setup_kra and not kra_imported:
# if "kra" not in options._allow_missing:
@@ -522,7 +526,8 @@ def main():
"You cannot specify an --enable-compat option without the "
"--setup-adtrust option")
- if self.netbios_name:
+ # Deactivate test for new IPA SID generation
+ if self.netbios_name and not sid_generation_always:
raise RuntimeError(
"You cannot specify a --netbios-name option without the "
"--setup-adtrust option")
@@ -1079,7 +1084,8 @@ def main():
ntp_pool=options.ntp_pool,
# additional
_installation_cleanup=_installation_cleanup,
- domainlevel=options.domainlevel)
+ domainlevel=options.domainlevel,
+ sid_generation_always=sid_generation_always)
if __name__ == '__main__':
diff -up ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml.always_sids ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml
--- ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml.always_sids 2022-01-27 14:05:04.000000000 +0100
+++ ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml 2022-10-07 16:48:36.946719227 +0200
@@ -191,6 +191,7 @@
secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
### additional ###
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
+ sid_generation_always: "{{ result_ipaserver_test.sid_generation_always }}"
_hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
register: result_ipaserver_prepare
@@ -392,7 +393,8 @@
adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}"
adtrust_reset_netbios_name:
"{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}"
- when: result_ipaserver_test.setup_adtrust
+ when: result_ipaserver_test.setup_adtrust or
+ result_ipaserver_test.sid_generation_always
- name: Install - Set DS password
ipaserver_set_ds_password:

View File

@ -1,79 +0,0 @@
From 6124dc0cf1a7653f11e88d80290aeb231e486cab Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Tue, 26 Apr 2022 11:11:12 -0300
Subject: [PATCH] ipatrust: Updated ipatrust documentation.
This patch updates the ipatrust documentation about the 'trust_type'
parameter, and changes one password to be similar to the standard
passwords used in other modules.
---
README-trust.md | 1 +
plugins/modules/ipatrust.py | 5 +++--
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/README-trust.md b/README-trust.md
index ef04f6c..efa69c7 100644
--- a/README-trust.md
+++ b/README-trust.md
@@ -105,6 +105,7 @@ Variable | Description | Required
`password` | Active Directory domain administrator's password string. | no
`server` | Domain controller for the Active Directory domain string. | no
`trust_secret` | Shared secret for the trust string. | no
+`trust_type` | Trust type. Currently, only 'ad' for Active Directory is supported. | no
`base_id` | First posix id for the trusted domain integer. | no
`range_size` | Size of the ID range reserved for the trusted domain integer. | no
`range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no
diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py
index 0c7aac5..d94ec94 100644
--- a/plugins/modules/ipatrust.py
+++ b/plugins/modules/ipatrust.py
@@ -44,7 +44,8 @@ options:
description:
- Trust type (ad for Active Directory, default)
default: ad
- required: true
+ required: false
+ choices: ["ad"]
admin:
description:
- Active Directory domain administrator
@@ -103,7 +104,7 @@ EXAMPLES = """
realm: ad.example.test
trust_type: ad
admin: Administrator
- password: Welcome2020!
+ password: SomeW1Npassword
state: present
# delete ad-trust
--
2.37.3
From 423a6b0e12e87adb86cd76095a7b260d19ab4959 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Tue, 12 Apr 2022 18:47:20 -0300
Subject: [PATCH] ipatrust: Set valid choices for trust_type.
Ensure only valid choices for trust_type ('ad') are available for the
module parameter.
---
plugins/modules/ipatrust.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py
index 6251ecc..0c7aac5 100644
--- a/plugins/modules/ipatrust.py
+++ b/plugins/modules/ipatrust.py
@@ -190,7 +190,8 @@ def main():
state=dict(type="str", default="present",
choices=["present", "absent"]),
# present
- trust_type=dict(type="str", default="ad", required=False),
+ trust_type=dict(type="str", default="ad", required=False,
+ choices=["ad"]),
admin=dict(type="str", default=None, required=False),
password=dict(type="str", default=None,
required=False, no_log=True),
--
2.37.3

View File

@ -1,298 +0,0 @@
From 766cf5a285aa24d1ca8058a90605ca03d04f14f5 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 13 Apr 2022 08:12:26 -0300
Subject: [PATCH] ipatrust: Fix support for `range_type`.
The ipatrust module was ignoring the value of `range_type`, which is
required to allow for different types of idranges.
---
plugins/modules/ipatrust.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py
index 6251ecc..40b61b5 100644
--- a/plugins/modules/ipatrust.py
+++ b/plugins/modules/ipatrust.py
@@ -157,7 +157,7 @@ def add_trust(module, realm, args):
def gen_args(trust_type, admin, password, server, trust_secret, base_id,
- range_size, _range_type, two_way, external):
+ range_size, range_type, two_way, external):
_args = {}
if trust_type is not None:
_args["trust_type"] = trust_type
@@ -173,6 +173,8 @@ def gen_args(trust_type, admin, password, server, trust_secret, base_id,
_args["base_id"] = base_id
if range_size is not None:
_args["range_size"] = range_size
+ if range_type is not None:
+ _args["range_type"] = range_type
if two_way is not None:
_args["bidirectional"] = two_way
if external is not None:
--
2.37.3
From 3ea452ef6fa25798211623806a862aa4b9e70815 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 30 Mar 2022 14:22:15 -0300
Subject: [PATCH] tests/trust: Improved test coverage and execution.
This patch applies several changes to the ipatrust test playbook:
* Add externally defined parameters so execution in local trust
environments can be configured. The available parameters are:
* winserver_admin_password: the Administrator password for the AD
server (default: 'SomeW1Npassword')
* winserver_domain: the AD server domain (default: 'windows.local')
* winserver realm: the AD server realm (by default, the uppercase
version of winserver_domain)
* ipaserver_domain: the FreeIPA server domain (default: 'ipa.test')
* ipaserver_realm: the FreeIPA server realm (by default, the
uppercase version of ipaserver_domain
* Modify trust verification to check for the existence of the trust as
it the output of `ipa trust-find`, instead of cheking for the number
of items returned, as the number might vary.
* Add idempotency tests by re-executing tasks and verifying that no
change was performed.
* Added tests to verify creation of trusts with different 'range_type'.
* Use a Kerberos cache for shell scripts, and destroy it on exit.
* Properly remove all `idrange` that might be created upon setting up a
trust.
---
tests/trust/test_trust.yml | 161 +++++++++++++++++++++++++++++++------
1 file changed, 137 insertions(+), 24 deletions(-)
diff --git a/tests/trust/test_trust.yml b/tests/trust/test_trust.yml
index e4ecdf5..5d1280d 100644
--- a/tests/trust/test_trust.yml
+++ b/tests/trust/test_trust.yml
@@ -1,55 +1,168 @@
---
-- name: find trust
+- name: Test ipatrust
hosts: "{{ ipa_test_host | default('ipaserver') }}"
become: true
gather_facts: false
+ vars:
+ adserver:
+ domain: "{{ winserver_domain | default('windows.local')}}"
+ realm: "{{ winserver_realm | default(winserver_domain) | default('windows.local') | upper }}"
+ password: "{{ winserver_admin_password | default('SomeW1Npassword') }}"
+ ipaserver:
+ domain: "{{ ipaserver_domain | default('ipa.test')}}"
+ realm: "{{ ipaserver_realm | default(ipaserver_domain) | default('ipa.test') | upper }}"
+ trust_exists: 'Realm name: {{ adserver.domain }}'
+ ad_range_exists: 'Range name: {{ adserver.realm }}_id_range'
+ ipa_range_exists: 'Range name: {{ ipaserver.realm }}_subid_range'
+
tasks:
- block:
- - name: delete trust
+ - name: Delete test trust
ipatrust:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
- realm: windows.local
+ realm: "{{ adserver.domain }}"
state: absent
- register: del_trust
- - name: check for trust
+ - name: Clear test idranges
shell: |
- echo 'SomeADMINpassword' | kinit admin
- ipa trust-find windows.local
- register: check_find_trust
- failed_when: "'0 trusts matched' not in check_find_trust.stdout"
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa idrange-del {{ adserver.realm }}_id_range || true
+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
+ kdestroy -c test_krb5_cache -q -A
- - name: delete id range
+ - name: Add trust with range_type 'ipa-ad-trust'
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ admin: Administrator
+ trust_type: ad
+ range_type: ipa-ad-trust
+ password: "{{ adserver.password }}"
+ state: present
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: check if 'ipa-ad-trust' trust exists
shell: |
echo 'SomeADMINpassword' | kinit admin
- ipa idrange-del WINDOWS.LOCAL_id_range
- when: del_trust['changed'] | bool
+ ipa trust-find
+ kdestroy -c test_krb5_cache -q -A
+ register: check_add_trust
+ failed_when: "trust_exists not in check_add_trust.stdout"
- - name: check for range
+ - name: Add trust with range_type 'ipa-ad-trust', again
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ admin: Administrator
+ range_type: ipa-ad-trust
+ password: "{{ adserver.password }}"
+ state: present
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Delete 'ipa-ad-trust' trust
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ state: absent
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: Check if 'ipa-ad-trust' trust was removed
shell: |
- echo 'SomeADMINpassword' | kinit admin
- ipa idrange-find WINDOWS.LOCAL_id_range
- register: check_del_idrange
- failed_when: "'0 ranges matched' not in check_del_idrange.stdout"
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa trust-find
+ kdestroy -c test_krb5_cache -q -A
+ register: check_add_trust
+ failed_when: "trust_exists in check_add_trust.stdout"
+
+ - name: Delete 'ipa-ad-trust' trust, again
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ state: absent
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Clear test idranges
+ shell: |
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa idrange-del {{ adserver.realm }}_id_range || true
+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
+ kdestroy -c test_krb5_cache -q -A
- - name: add trust
+ - name: Add trust with range_type 'ipa-ad-trust-posix'
ipatrust:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
- realm: windows.local
+ realm: "{{ adserver.domain }}"
admin: Administrator
- password: secret_ad_pw
+ range_type: ipa-ad-trust-posix
+ password: "{{ adserver.password }}"
state: present
+ register: result
+ failed_when: result.failed or not result.changed
- - name: check for trust
+ - name: Check if 'ipa-ad-trust-posix' trust exists
shell: |
- echo 'SomeADMINpassword' | kinit admin
- ipa trust-find windows.local
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa trust-find
+ kdestroy -c test_krb5_cache -q -A
register: check_add_trust
- failed_when: "'1 trust matched' not in check_add_trust.stdout"
+ failed_when: "trust_exists not in check_add_trust.stdout"
+
+ - name: Add trust with range_type 'ipa-ad-trust-posix', again
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ admin: Administrator
+ range_type: ipa-ad-trust-posix
+ password: "{{ adserver.password }}"
+ state: present
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Delete 'ipa-ad-trust-posix' trust
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ state: absent
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: Check if trust 'ipa-ad-trust-posix' was removed
+ shell: |
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa trust-find
+ kdestroy -c test_krb5_cache -q -A
+ register: check_del_trust
+ failed_when: "trust_exists in check_del_trust.stdout"
+
+ - name: Delete 'ipa-ad-trust-posix' trust, again
+ ipatrust:
+ ipaadmin_password: SomeADMINpassword
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
+ realm: "{{ adserver.domain }}"
+ state: absent
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Clear test idranges
+ shell: |
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
+ ipa idrange-del {{ adserver.realm }}_id_range || true
+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
+ kdestroy -c test_krb5_cache -q -A
when: trust_test_is_supported | default(false)
--
2.37.3
From 50b16cb33ff80f479825228b54349ba93b7c2ad5 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Wed, 30 Mar 2022 14:42:12 -0300
Subject: [PATCH] tests/ipatrust: Modify AD realm name to an invalid name.
As the task is expected to fail, the AD realm name was modified to show
the expected behavior more clearly.
---
tests/trust/test_trust_client_context.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/trust/test_trust_client_context.yml b/tests/trust/test_trust_client_context.yml
index 2ea3853..6f4ff06 100644
--- a/tests/trust/test_trust_client_context.yml
+++ b/tests/trust/test_trust_client_context.yml
@@ -13,7 +13,7 @@
ipatrust:
ipaadmin_password: SomeADMINpassword
ipaapi_context: server
- realm: windows.local
+ realm: this.test.should.fail
register: result
failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
when: ipa_host_is_client
--
2.37.3

View File

@ -7,18 +7,11 @@
Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients
Name: ansible-freeipa Name: ansible-freeipa
Version: 1.6.3 Version: 1.8.3
Release: 2%{?dist} Release: 1%{?dist}
URL: https://github.com/freeipa/ansible-freeipa URL: https://github.com/freeipa/ansible-freeipa
License: GPLv3+ License: GPLv3+
Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
Patch1: ansible-freeipa-1.6.3-ipatrust-Set-valid-choices-for-trust_type_PR808_RHBZ#2132967.patch
Patch2: ansible-freeipa-1.6.3-ipatrust-fix-range_type-and-test-enhancement_PR810_RHBZ#2132967.patch
Patch3: ansible-freeipa-1.6.3-ipaserver-ipareplica-Always-generate-SIDs_PR866_RHBZ#2132970.patch
Patch4: ansible-freeipa-1.6.3-ipareplica-ipareplica_setup_adtrust-fails-while-upda_PR877_RHBZ#2132970.patch
Patch5: ansible-freeipa-1.6.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132975.patch
Patch6: ansible-freeipa-1.6.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132989.patch
Patch7: ansible-freeipa-1.6.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132995.patch
BuildArch: noarch BuildArch: noarch
%description %description
@ -36,6 +29,7 @@ Features
- One-time-password (OTP) support for client installation - One-time-password (OTP) support for client installation
- Repair mode for clients - Repair mode for clients
- Backup and restore, also to and from controller - Backup and restore, also to and from controller
- Smartcard setup for servers and clients
- Modules for automembership rule management - Modules for automembership rule management
- Modules for automount key management - Modules for automount key management
- Modules for automount location management - Modules for automount location management
@ -52,6 +46,7 @@ Features
- Modules for hbacsvcgroup management - Modules for hbacsvcgroup management
- Modules for host management - Modules for host management
- Modules for hostgroup management - Modules for hostgroup management
- Modules for idrange management
- Modules for location management - Modules for location management
- Modules for permission management - Modules for permission management
- Modules for privilege management - Modules for privilege management
@ -60,6 +55,8 @@ Features
- Modules for self service management - Modules for self service management
- Modules for server management - Modules for server management
- Modules for service management - Modules for service management
- Modules for service delegation rule management
- Modules for service delegation target management
- Modules for sudocmd management - Modules for sudocmd management
- Modules for sudocmdgroup management - Modules for sudocmdgroup management
- Modules for sudorule management - Modules for sudorule management
@ -68,6 +65,7 @@ Features
- Modules for user management - Modules for user management
- Modules for vault management - Modules for vault management
Supported FreeIPA Versions Supported FreeIPA Versions
FreeIPA versions 4.6 and up are supported by all roles. FreeIPA versions 4.6 and up are supported by all roles.
@ -116,13 +114,6 @@ to get the needed requrements to run the tests.
%prep %prep
%setup -q %setup -q
# Do not create backup files with patches # Do not create backup files with patches
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
# Fix python modules and module utils: # Fix python modules and module utils:
# - Remove shebang # - Remove shebang
@ -151,6 +142,10 @@ cp -rp roles/ipaclient %{buildroot}%{_datadir}/ansible/roles/
cp -rp roles/ipaclient/README.md README-client.md cp -rp roles/ipaclient/README.md README-client.md
cp -rp roles/ipabackup %{buildroot}%{_datadir}/ansible/roles/ cp -rp roles/ipabackup %{buildroot}%{_datadir}/ansible/roles/
cp -rp roles/ipabackup/README.md README-backup.md cp -rp roles/ipabackup/README.md README-backup.md
cp -rp roles/ipasmartcard_server %{buildroot}%{_datadir}/ansible/roles/
cp -rp roles/ipasmartcard_server/README.md README-smartcard_server.md
cp -rp roles/ipasmartcard_client %{buildroot}%{_datadir}/ansible/roles/
cp -rp roles/ipasmartcard_client/README.md README-smartcard_client.md
install -m 755 -d %{buildroot}%{_datadir}/ansible/plugins/ install -m 755 -d %{buildroot}%{_datadir}/ansible/plugins/
cp -rp plugins/* %{buildroot}%{_datadir}/ansible/plugins/ cp -rp plugins/* %{buildroot}%{_datadir}/ansible/plugins/
@ -166,6 +161,8 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/
%{_datadir}/ansible/roles/ipareplica %{_datadir}/ansible/roles/ipareplica
%{_datadir}/ansible/roles/ipaclient %{_datadir}/ansible/roles/ipaclient
%{_datadir}/ansible/roles/ipabackup %{_datadir}/ansible/roles/ipabackup
%{_datadir}/ansible/roles/ipasmartcard_server
%{_datadir}/ansible/roles/ipasmartcard_client
%{_datadir}/ansible/plugins/doc_fragments %{_datadir}/ansible/plugins/doc_fragments
%{_datadir}/ansible/plugins/module_utils %{_datadir}/ansible/plugins/module_utils
%{_datadir}/ansible/plugins/modules %{_datadir}/ansible/plugins/modules
@ -180,17 +177,53 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/
%{_datadir}/ansible-freeipa/requirements-tests.txt %{_datadir}/ansible-freeipa/requirements-tests.txt
%changelog %changelog
* Mon Oct 10 2022 Thomas Woerner <twoerner@redhat.com> - 1.6.3-2 * Tue Aug 16 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.3-1
- ipatrust: fix range_type and set valid choices for trust_type - Update to version 1.8.3
Resolves: RHBZ#2132967 https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.3
- ipaserver/ipareplica: Always generate SIDs Related: RHBZ#2080321
Resolves: RHBZ#2132970 - Fixes replica deployment issue for domains without SID support.
- ipaserver: Add missing idstart check Related: RHBZ#2110491
Resolves: RHBZ#2132975
- ansible-freeipa Replica Install Setup DNS fails * Thu Jul 28 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.2-1
Resolves: RHBZ#2132989 - Update to version 1.8.2
- ipaconfig does not support SID and netbios attributes https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.2
Resolves: RHBZ#2132995 Related: RHBZ#2080321
- SIDs are always generated for server and replica deployments
Resolves: RHBZ#2110491
- Random Serial Numbers are not enabled by default any more
Resolves: RHBZ#2110526
- Fixes comparison of bool values in IPA 4.9.10+ for ipadnsconfig
Resolves: RHBZ#2110539
* Thu Jul 7 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.1-1
- Update to version 1.8.1
https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.1
Related: RHBZ#2080321
- ipa server deploys failing with latest IPA compose
Resolves: RHBZ#2103928
- ipaserver_external_cert_files failes to copy with ansible 2.13
Resolves: RHBZ#2104842
* Fri Jun 24 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.0-1
- idrange: Fix usage of dom_name when idrange doesn't exist.
Resolves: RHBZ#2086993
- smartcard roles for ansible-freeipa
Resolves: RHBZ#2076554
* Fri Apr 29 2022 Thomas Woerner <twoerner@redhat.com> - 1.7.0-1
- Update to version 1.7.0
https://github.com/freeipa/ansible-freeipa/releases/tag/v1.7.0
Resolves: RHBZ#2080321
- New idrange management module.
Resolves: RHBZ#1921545
- Not able to update empty descriptions in automount maps.a
Resolves: RHBZ#2048552
- New servicedelegationrule management module.
Resolves: RHBZ#2069170
- New servicedelegationtarget management module.
Resolves: RHBZ#2069172
- Add support for managing idoverrideusers in ipagroup.
Resolves: RHBZ#2069173
* Thu Jan 27 2022 Thomas Woerner <twoerner@redhat.com> - 1.6.3-1 * Thu Jan 27 2022 Thomas Woerner <twoerner@redhat.com> - 1.6.3-1
- Update to version 1.6.3 - Update to version 1.6.3