import ansible-freeipa-1.8.3-1.el8
parent
9e16d0ade9
commit
79d0a61dd9
@ -1 +1 @@
|
||||
7f143f7b2263b6de41c41bba9aea905d17242efb SOURCES/ansible-freeipa-1.6.3.tar.gz
|
||||
c4d984a5760e18c642703728f847fd9a8e4d2d7a SOURCES/ansible-freeipa-1.8.3.tar.gz
|
||||
|
2
.gitignore
@ -1 +1 @@
|
||||
SOURCES/ansible-freeipa-1.6.3.tar.gz
|
||||
SOURCES/ansible-freeipa-1.8.3.tar.gz
|
||||
|
@ -1,361 +0,0 @@
|
||||
diff -up ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml
|
||||
--- ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
|
||||
+++ ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml 2022-10-07 17:12:51.172335899 +0200
|
||||
@@ -0,0 +1,12 @@
|
||||
+---
|
||||
+- name: Playbook to change IPA domain netbios name
|
||||
+ hosts: ipaserver
|
||||
+ become: no
|
||||
+ gather_facts: no
|
||||
+
|
||||
+ tasks:
|
||||
+ - name: Set IPA domain netbios name
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ enable_sid: yes
|
||||
+ netbios_name: IPADOM
|
||||
diff -up ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml
|
||||
--- ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
|
||||
+++ ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml 2022-10-07 17:12:51.172335899 +0200
|
||||
@@ -0,0 +1,12 @@
|
||||
+---
|
||||
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
|
||||
+ hosts: ipaserver
|
||||
+ become: no
|
||||
+ gather_facts: no
|
||||
+
|
||||
+ tasks:
|
||||
+ - name: Enable SID and generate users and groups SIDS
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ enable_sid: yes
|
||||
+ add_sids: yes
|
||||
diff -up ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py
|
||||
--- ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100
|
||||
+++ ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py 2022-10-07 17:18:43.193785596 +0200
|
||||
@@ -148,6 +148,24 @@ options:
|
||||
required: false
|
||||
type: list
|
||||
aliases: ["ipadomainresolutionorder"]
|
||||
+ enable_sid:
|
||||
+ description: >
|
||||
+ New users and groups automatically get a SID assigned.
|
||||
+ Requires IPA 4.9.8+.
|
||||
+ required: false
|
||||
+ type: bool
|
||||
+ netbios_name:
|
||||
+ description: >
|
||||
+ NetBIOS name of the IPA domain.
|
||||
+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
|
||||
+ required: false
|
||||
+ type: string
|
||||
+ add_sids:
|
||||
+ description: >
|
||||
+ Add SIDs for existing users and groups.
|
||||
+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
|
||||
+ required: false
|
||||
+ type: bool
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
@@ -169,6 +187,24 @@ EXAMPLES = '''
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
defaultshell: /bin/bash
|
||||
maxusername: 64
|
||||
+
|
||||
+- name: Playbook to enable SID and generate users and groups SIDs
|
||||
+ hosts: ipaserver
|
||||
+ tasks:
|
||||
+ - name: Enable SID and generate users and groups SIDS
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ enable_sid: yes
|
||||
+ add_sids: yes
|
||||
+
|
||||
+- name: Playbook to change IPA domain netbios name
|
||||
+ hosts: ipaserver
|
||||
+ tasks:
|
||||
+ - name: Enable SID and generate users and groups SIDS
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ enable_sid: yes
|
||||
+ netbios_name: IPADOM
|
||||
'''
|
||||
|
||||
RETURN = '''
|
||||
@@ -247,6 +283,14 @@ config:
|
||||
domain_resolution_order:
|
||||
description: list of domains used for short name qualification
|
||||
returned: always
|
||||
+ enable_sid:
|
||||
+ description: >
|
||||
+ new users and groups automatically get a SID assigned.
|
||||
+ Requires IPA 4.9.8+.
|
||||
+ returned: always
|
||||
+ netbios_name:
|
||||
+ description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
|
||||
+ returned: if enable_sid is True
|
||||
'''
|
||||
|
||||
|
||||
@@ -260,6 +304,28 @@ def config_show(module):
|
||||
return _result["result"]
|
||||
|
||||
|
||||
+def get_netbios_name(module):
|
||||
+ try:
|
||||
+ _result = module.ipa_command_no_name("trustconfig_show", {"all": True})
|
||||
+ except Exception: # pylint: disable=broad-except
|
||||
+ return None
|
||||
+ else:
|
||||
+ return _result["result"]["ipantflatname"][0]
|
||||
+
|
||||
+
|
||||
+def is_enable_sid(module):
|
||||
+ """When 'enable-sid' is true admin user and admins group have SID set."""
|
||||
+ _result = module.ipa_command("user_show", "admin", {"all": True})
|
||||
+ sid = _result["result"].get("ipantsecurityidentifier", [""])
|
||||
+ if not sid[0].endswith("-500"):
|
||||
+ return False
|
||||
+ _result = module.ipa_command("group_show", "admins", {"all": True})
|
||||
+ sid = _result["result"].get("ipantsecurityidentifier", [""])
|
||||
+ if not sid[0].endswith("-512"):
|
||||
+ return False
|
||||
+ return True
|
||||
+
|
||||
+
|
||||
def main():
|
||||
ansible_module = IPAAnsibleModule(
|
||||
argument_spec=dict(
|
||||
@@ -313,7 +379,10 @@ def main():
|
||||
aliases=["ipauserauthtype"]),
|
||||
ca_renewal_master_server=dict(type="str", required=False),
|
||||
domain_resolution_order=dict(type="list", required=False,
|
||||
- aliases=["ipadomainresolutionorder"])
|
||||
+ aliases=["ipadomainresolutionorder"]),
|
||||
+ enable_sid=dict(type="bool", required=False),
|
||||
+ add_sids=dict(type="bool", required=False),
|
||||
+ netbios_name=dict(type="str", required=False),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
)
|
||||
@@ -344,7 +413,10 @@ def main():
|
||||
"pac_type": "ipakrbauthzdata",
|
||||
"user_auth_type": "ipauserauthtype",
|
||||
"ca_renewal_master_server": "ca_renewal_master_server",
|
||||
- "domain_resolution_order": "ipadomainresolutionorder"
|
||||
+ "domain_resolution_order": "ipadomainresolutionorder",
|
||||
+ "enable_sid": "enable_sid",
|
||||
+ "netbios_name": "netbios_name",
|
||||
+ "add_sids": "add_sids",
|
||||
}
|
||||
reverse_field_map = {v: k for k, v in field_map.items()}
|
||||
|
||||
@@ -392,11 +464,47 @@ def main():
|
||||
changed = False
|
||||
exit_args = {}
|
||||
|
||||
- # Connect to IPA API
|
||||
- with ansible_module.ipa_connect():
|
||||
+ # Connect to IPA API (enable-sid requires context == 'client')
|
||||
+ with ansible_module.ipa_connect(context="client"):
|
||||
+ has_enable_sid = ansible_module.ipa_command_param_exists(
|
||||
+ "config_mod", "enable_sid")
|
||||
|
||||
result = config_show(ansible_module)
|
||||
+
|
||||
if params:
|
||||
+ netbios_name = params.get("netbios_name")
|
||||
+ if netbios_name:
|
||||
+ netbios_name = netbios_name.upper()
|
||||
+ add_sids = params.get("add_sids")
|
||||
+ enable_sid = params.get("enable_sid")
|
||||
+ required_sid = any([netbios_name, add_sids])
|
||||
+ if required_sid and not enable_sid:
|
||||
+ ansible_module.fail_json(
|
||||
+ "'enable-sid: yes' required for 'netbios_name' "
|
||||
+ "and 'add-sids'."
|
||||
+ )
|
||||
+ if enable_sid:
|
||||
+ if not has_enable_sid:
|
||||
+ ansible_module.fail_json(
|
||||
+ "This version of IPA does not support 'enable-sid'.")
|
||||
+ if (
|
||||
+ netbios_name
|
||||
+ and netbios_name == get_netbios_name(ansible_module)
|
||||
+ ):
|
||||
+ del params["netbios_name"]
|
||||
+ netbios_name = None
|
||||
+ if not add_sids and "add_sids" in params:
|
||||
+ del params["add_sids"]
|
||||
+ if (
|
||||
+ not any([netbios_name, add_sids])
|
||||
+ and is_enable_sid(ansible_module)
|
||||
+ ):
|
||||
+ del params["enable_sid"]
|
||||
+ else:
|
||||
+ for param in ["enable_sid", "netbios_name", "add_sids"]:
|
||||
+ if param in params:
|
||||
+ del params[params]
|
||||
+
|
||||
params = {
|
||||
k: v for k, v in params.items()
|
||||
if k not in result or result[k] != v
|
||||
@@ -441,6 +549,10 @@ def main():
|
||||
raise ValueError(
|
||||
"Unexpected attribute type: %s" % arg_type)
|
||||
exit_args[k] = type_map[arg_type](value)
|
||||
+ # Set enable_sid
|
||||
+ if has_enable_sid:
|
||||
+ exit_args["enable_sid"] = is_enable_sid(ansible_module)
|
||||
+ exit_args["netbios_name"] = get_netbios_name(ansible_module)
|
||||
|
||||
# Done
|
||||
ansible_module.exit_json(changed=changed, config=exit_args)
|
||||
diff -up ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid ansible-freeipa-1.6.3/README-config.md
|
||||
--- ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100
|
||||
+++ ansible-freeipa-1.6.3/README-config.md 2022-10-07 17:12:51.172335899 +0200
|
||||
@@ -65,6 +65,9 @@ Example playbook to read config options:
|
||||
maxusername: 64
|
||||
```
|
||||
|
||||
+
|
||||
+Example playbook to set global configuration options:
|
||||
+
|
||||
```yaml
|
||||
---
|
||||
- name: Playbook to ensure some config options are set
|
||||
@@ -79,6 +82,40 @@ Example playbook to read config options:
|
||||
```
|
||||
|
||||
|
||||
+Example playbook to enable SID and generate users and groups SIDs:
|
||||
+
|
||||
+```yaml
|
||||
+---
|
||||
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
|
||||
+ hosts: ipaserver
|
||||
+ become: no
|
||||
+ gather_facts: no
|
||||
+
|
||||
+ tasks:
|
||||
+ - name: Enable SID and generate users and groups SIDS
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ enable_sid: yes
|
||||
+ add_sids: yes
|
||||
+```
|
||||
+
|
||||
+Example playbook to change IPA domain NetBIOS name:
|
||||
+
|
||||
+```yaml
|
||||
+---
|
||||
+- name: Playbook to change IPA domain netbios name
|
||||
+ hosts: ipaserver
|
||||
+ become: no
|
||||
+ gather_facts: no
|
||||
+
|
||||
+ tasks:
|
||||
+ - name: Set IPA domain netbios name
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ enable_sid: yes
|
||||
+ netbios_name: IPADOM
|
||||
+```
|
||||
+
|
||||
Variables
|
||||
=========
|
||||
|
||||
@@ -111,6 +148,9 @@ Variable | Description | Required
|
||||
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
|
||||
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
|
||||
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
|
||||
+`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
|
||||
+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
|
||||
+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
|
||||
|
||||
|
||||
Return Values
|
||||
@@ -140,6 +180,8 @@ Variable | Description | Returned When
|
||||
| `user_auth_type` |
|
||||
| `domain_resolution_order` |
|
||||
| `ca_renewal_master_server` |
|
||||
+ | `enable_sid` |
|
||||
+ | `netbios_name` |
|
||||
|
||||
All returned fields take the same form as their namesake input parameters
|
||||
|
||||
diff -up ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid ansible-freeipa-1.6.3/tests/config/test_config_sid.yml
|
||||
--- ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
|
||||
+++ ansible-freeipa-1.6.3/tests/config/test_config_sid.yml 2022-10-07 17:12:51.172335899 +0200
|
||||
@@ -0,0 +1,70 @@
|
||||
+---
|
||||
+- name: Test config
|
||||
+ hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
||||
+ become: no
|
||||
+ gather_facts: no
|
||||
+
|
||||
+ tasks:
|
||||
+
|
||||
+ # GET CURRENT CONFIG
|
||||
+
|
||||
+ - name: Return current values of the global configuration options
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ register: previous
|
||||
+
|
||||
+ # TESTS
|
||||
+ - block:
|
||||
+ - name: Ensure SID is enabled.
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ enable_sid: yes
|
||||
+ register: result
|
||||
+ failed_when: result.failed or previous.config.enable_sid == result.changed
|
||||
+
|
||||
+ - name: Ensure SID is enabled, again.
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ enable_sid: yes
|
||||
+ register: result
|
||||
+ failed_when: result.failed or result.changed
|
||||
+
|
||||
+ - name: Ensure netbios_name is "IPATESTPLAY"
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ enable_sid: yes
|
||||
+ netbios_name: IPATESTPLAY
|
||||
+ register: result
|
||||
+ failed_when: result.failed or not result.changed
|
||||
+
|
||||
+ - name: Ensure netbios_name is "IPATESTPLAY", again
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ enable_sid: yes
|
||||
+ netbios_name: IPATESTPLAY
|
||||
+ register: result
|
||||
+ failed_when: result.failed or result.changed
|
||||
+
|
||||
+ # add_sids is not idempotent as it always tries to generate the missing
|
||||
+ # SIDs for users and groups.
|
||||
+ - name: Add SIDs to users and groups.
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ enable_sid: yes
|
||||
+ add_sids: yes
|
||||
+
|
||||
+ # REVERT TO PREVIOUS CONFIG
|
||||
+ always:
|
||||
+ # Once SID is enabled, it cannot be reverted.
|
||||
+ - name: Revert netbios_name to original configuration
|
||||
+ ipaconfig:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
|
||||
+ enable_sid: yes
|
@ -1,38 +0,0 @@
|
||||
From 641c550cc3650c6d0aa95f52b422089f64e7fb6a Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Woerner <twoerner@redhat.com>
|
||||
Date: Mon, 15 Aug 2022 16:00:06 +0200
|
||||
Subject: [PATCH] ipareplica: ipareplica_setup_adtrust fails while updating
|
||||
ipaNTFlatName
|
||||
|
||||
The internal parameter sid_generation_always is generated in
|
||||
ipareplica_test to enable SID generation if ipareplica_setup_adtrust is
|
||||
not enabled.
|
||||
|
||||
This parameter was not used for ipareplica_prepare though, therefore
|
||||
adtrust.install_check was not executed and did not set the attribute
|
||||
adtrust.netbios_name. As a result adtrust.netbios_name was None and the
|
||||
try to use this as the new NetBIOS domain name failed with an
|
||||
INVALID_SYNTAX error in adtrustinstance while executing
|
||||
ipareplica_setup_adtrust.
|
||||
|
||||
This issue only occurs if SIDs are not enabled in the domain yet for
|
||||
example with an old deployment.
|
||||
---
|
||||
roles/ipareplica/tasks/install.yml | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
|
||||
index 0e5f840..7413884 100644
|
||||
--- a/roles/ipareplica/tasks/install.yml
|
||||
+++ b/roles/ipareplica/tasks/install.yml
|
||||
@@ -201,6 +201,7 @@
|
||||
### additional ###
|
||||
server: "{{ result_ipareplica_test.server }}"
|
||||
skip_conncheck: "{{ ipareplica_skip_conncheck }}"
|
||||
+ sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
|
||||
register: result_ipareplica_prepare
|
||||
|
||||
- name: Install - Add to ipaservers
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,54 +0,0 @@
|
||||
diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.idstart_heck ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py
|
||||
--- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.idstart_heck 2022-10-07 17:06:41.915918624 +0200
|
||||
+++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py 2022-10-07 17:09:55.228613556 +0200
|
||||
@@ -226,7 +226,8 @@ from ansible.module_utils.ansible_ipa_se
|
||||
read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
|
||||
check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
|
||||
validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
|
||||
- encode_certificate, check_available_memory, adtrustinstance
|
||||
+ encode_certificate, check_available_memory, adtrustinstance,
|
||||
+ get_min_idstart
|
||||
)
|
||||
from ansible.module_utils import six
|
||||
|
||||
@@ -580,6 +581,16 @@ def main():
|
||||
"'--ignore-topology-disconnect/--ignore-last-of-role' "
|
||||
"options can be used only during uninstallation")
|
||||
|
||||
+ if get_min_idstart is not None:
|
||||
+ min_idstart = get_min_idstart()
|
||||
+ if self.idstart < min_idstart:
|
||||
+ raise RuntimeError(
|
||||
+ "idstart (%i) must be larger than UID_MAX/GID_MAX "
|
||||
+ "(%i) setting in /etc/login.defs." % (
|
||||
+ self.idstart, min_idstart
|
||||
+ )
|
||||
+ )
|
||||
+
|
||||
if self.idmax < self.idstart:
|
||||
raise RuntimeError(
|
||||
"idmax (%s) cannot be smaller than idstart (%s)" %
|
||||
diff -up ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py.idstart_heck ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py
|
||||
--- ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py.idstart_heck 2022-01-27 14:05:04.000000000 +0100
|
||||
+++ ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py 2022-10-07 17:07:35.907833419 +0200
|
||||
@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger"
|
||||
"adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader",
|
||||
"default_subject_base", "default_ca_subject_dn",
|
||||
"check_ldap_conf", "encode_certificate", "decode_certificate",
|
||||
- "check_available_memory"]
|
||||
+ "check_available_memory", "get_min_idstart"]
|
||||
|
||||
import sys
|
||||
|
||||
@@ -178,6 +178,11 @@ else:
|
||||
from ipalib.x509 import load_certificate
|
||||
load_pem_x509_certificate = None
|
||||
|
||||
+ try:
|
||||
+ from ipaserver.install.server.install import get_min_idstart
|
||||
+ except ImportError:
|
||||
+ get_min_idstart = None
|
||||
+
|
||||
else:
|
||||
# IPA version < 4.5
|
||||
|
@ -1,55 +0,0 @@
|
||||
From 7077776de3432a321298df13076ea0cc59bc35b1 Mon Sep 17 00:00:00 2001
|
||||
From: Thomas Woerner <twoerner@redhat.com>
|
||||
Date: Mon, 5 Sep 2022 13:16:26 +0200
|
||||
Subject: [PATCH] ipaserver/ipareplica: Add isatty method to AnsibleModuleLog
|
||||
|
||||
In some cases ipa code is using sys.stdout.isatty. As stdout is mapped
|
||||
to AnsibleModuleLog this call will lead in a traceback as it was not
|
||||
defined.
|
||||
|
||||
The staticmethod isatty has been added to AnsibleModuleLog in ipaserver
|
||||
role module_utils/ansible_ipa_server.py and in ipareplica role
|
||||
module_utils/ansible_ipa_repica.py.
|
||||
|
||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2120415
|
||||
ansible-freeipa Replica Install Setup DNS fails
|
||||
Fixes: #251 - 'AnsibleModuleLog' object has no attribute 'isatty'
|
||||
Fixes: #117 - 'AnsibleModuleLog' object has no attribute 'isatty'
|
||||
---
|
||||
roles/ipareplica/module_utils/ansible_ipa_replica.py | 4 ++++
|
||||
roles/ipaserver/module_utils/ansible_ipa_server.py | 4 ++++
|
||||
2 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
|
||||
index 0e4e738..27ee13d 100644
|
||||
--- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
|
||||
+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
|
||||
@@ -222,6 +222,10 @@ else:
|
||||
def info(self, msg):
|
||||
self.module.debug(msg)
|
||||
|
||||
+ @staticmethod
|
||||
+ def isatty():
|
||||
+ return False
|
||||
+
|
||||
def write(self, msg):
|
||||
self.module.debug(msg)
|
||||
# self.module.warn(msg)
|
||||
diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
|
||||
index 5b1c4e5..8e7be0b 100644
|
||||
--- a/roles/ipaserver/module_utils/ansible_ipa_server.py
|
||||
+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
|
||||
@@ -255,6 +255,10 @@ else:
|
||||
def info(self, msg):
|
||||
self.module.debug(msg)
|
||||
|
||||
+ @staticmethod
|
||||
+ def isatty():
|
||||
+ return False
|
||||
+
|
||||
def write(self, msg):
|
||||
self.module.debug(msg)
|
||||
# self.module.warn(msg)
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,259 +0,0 @@
|
||||
diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py
|
||||
--- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py.always_sids 2022-01-27 14:05:04.000000000 +0100
|
||||
+++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py 2022-10-07 16:51:35.750411448 +0200
|
||||
@@ -182,6 +182,9 @@ options:
|
||||
skip_conncheck:
|
||||
description: Skip connection check to remote master
|
||||
required: yes
|
||||
+ sid_generation_always:
|
||||
+ description: Enable SID generation always
|
||||
+ required: yes
|
||||
author:
|
||||
- Thomas Woerner
|
||||
'''
|
||||
@@ -275,6 +278,8 @@ def main():
|
||||
# additional
|
||||
server=dict(required=True),
|
||||
skip_conncheck=dict(required=False, type='bool'),
|
||||
+ sid_generation_always=dict(required=False, type='bool',
|
||||
+ default=False),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
)
|
||||
@@ -350,6 +355,7 @@ def main():
|
||||
# '_hostname_overridden')
|
||||
options.server = ansible_module.params.get('server')
|
||||
options.skip_conncheck = ansible_module.params.get('skip_conncheck')
|
||||
+ sid_generation_always = ansible_module.params.get('sid_generation_always')
|
||||
|
||||
# init #
|
||||
|
||||
@@ -755,7 +761,7 @@ def main():
|
||||
|
||||
ansible_log.debug("-- CHECK ADTRUST --")
|
||||
|
||||
- if options.setup_adtrust:
|
||||
+ if options.setup_adtrust or sid_generation_always:
|
||||
adtrust.install_check(False, options, remote_api)
|
||||
|
||||
except errors.ACIError:
|
||||
diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py
|
||||
--- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py.always_sids 2022-01-27 14:05:04.000000000 +0100
|
||||
+++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py 2022-10-07 16:44:59.008094369 +0200
|
||||
@@ -71,6 +71,9 @@ options:
|
||||
setup_ca:
|
||||
description: Configure a dogtag CA
|
||||
required: no
|
||||
+ setup_adtrust:
|
||||
+ description: Configure AD trust capability
|
||||
+ required: yes
|
||||
config_master_host_name:
|
||||
description: The config master_host_name setting
|
||||
required: no
|
||||
@@ -112,6 +115,7 @@ def main():
|
||||
ccache=dict(required=True),
|
||||
_top_dir=dict(required=True),
|
||||
setup_ca=dict(required=True, type='bool'),
|
||||
+ setup_adtrust=dict(required=True, type='bool'),
|
||||
config_master_host_name=dict(required=True),
|
||||
),
|
||||
supports_check_mode=True,
|
||||
@@ -140,6 +144,7 @@ def main():
|
||||
os.environ['KRB5CCNAME'] = ccache
|
||||
options._top_dir = ansible_module.params.get('_top_dir')
|
||||
options.setup_ca = ansible_module.params.get('setup_ca')
|
||||
+ options.setup_adtrust = ansible_module.params.get('setup_adtrust')
|
||||
config_master_host_name = ansible_module.params.get(
|
||||
'config_master_host_name')
|
||||
adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name')
|
||||
diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py
|
||||
--- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py.always_sids 2022-01-27 14:05:04.000000000 +0100
|
||||
+++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py 2022-10-07 16:50:45.621497736 +0200
|
||||
@@ -144,7 +144,7 @@ from ansible.module_utils.ansible_ipa_re
|
||||
ansible_module_get_parsed_ip_addresses, service,
|
||||
redirect_stdout, create_ipa_conf, ipautil,
|
||||
x509, validate_domain_name, common_check,
|
||||
- IPA_PYTHON_VERSION
|
||||
+ IPA_PYTHON_VERSION, adtrustinstance
|
||||
)
|
||||
|
||||
|
||||
@@ -271,6 +271,14 @@ def main():
|
||||
# # options.setup_adtrust = False
|
||||
# # ansible_module.warn(msg="adtrust is not supported, disabling")
|
||||
|
||||
+ sid_generation_always = False
|
||||
+ if not options.setup_adtrust:
|
||||
+ # pylint: disable=deprecated-method
|
||||
+ argspec = inspect.getargspec(adtrustinstance.ADTRUSTInstance.__init__)
|
||||
+ # pylint: enable=deprecated-method
|
||||
+ if "fulltrust" in argspec.args:
|
||||
+ sid_generation_always = True
|
||||
+
|
||||
# if options.setup_kra and not kra_imported:
|
||||
# # if "kra" not in options._allow_missing:
|
||||
# ansible_module.fail_json(msg="kra can not be imported")
|
||||
@@ -472,6 +480,7 @@ def main():
|
||||
# additional
|
||||
client_enrolled=client_enrolled,
|
||||
change_master_for_certmonger=change_master_for_certmonger,
|
||||
+ sid_generation_always=sid_generation_always
|
||||
)
|
||||
|
||||
|
||||
diff -up ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py
|
||||
--- ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py.always_sids 2022-01-27 14:05:04.000000000 +0100
|
||||
+++ ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py 2022-10-07 16:54:27.707115487 +0200
|
||||
@@ -46,7 +46,8 @@ __all__ = ["contextlib", "dnsexception",
|
||||
"common_check", "current_domain_level",
|
||||
"check_domain_level_is_supported", "promotion_check_ipa_domain",
|
||||
"SSSDConfig", "CalledProcessError", "timeconf", "ntpinstance",
|
||||
- "dnsname", "kernel_keyring", "krbinstance"]
|
||||
+ "dnsname", "kernel_keyring", "krbinstance",
|
||||
+ "adtrustinstance"]
|
||||
|
||||
import sys
|
||||
|
||||
@@ -105,6 +106,7 @@ else:
|
||||
adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance,
|
||||
installutils, kra, krbinstance,
|
||||
otpdinstance, custodiainstance, service, upgradeinstance)
|
||||
+ from ipaserver.install import adtrustinstance
|
||||
try:
|
||||
from ipaserver.masters import (
|
||||
find_providing_servers, find_providing_server)
|
||||
diff -up ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml.always_sids ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml
|
||||
--- ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml.always_sids 2022-01-27 14:05:04.000000000 +0100
|
||||
+++ ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml 2022-10-07 16:44:59.008094369 +0200
|
||||
@@ -748,13 +748,15 @@
|
||||
ccache: "{{ result_ipareplica_prepare.ccache }}"
|
||||
_top_dir: "{{ result_ipareplica_prepare._top_dir }}"
|
||||
setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}"
|
||||
+ setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}"
|
||||
config_master_host_name:
|
||||
"{{ result_ipareplica_prepare.config_master_host_name }}"
|
||||
adtrust_netbios_name:
|
||||
"{{ result_ipareplica_prepare.adtrust_netbios_name }}"
|
||||
adtrust_reset_netbios_name:
|
||||
"{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}"
|
||||
- when: result_ipareplica_test.setup_adtrust
|
||||
+ when: result_ipareplica_test.setup_adtrust or
|
||||
+ result_ipareplica_test.sid_generation_always
|
||||
|
||||
- name: Install - Enable IPA
|
||||
ipareplica_enable_ipa:
|
||||
diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py.always_sids ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py
|
||||
--- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py.always_sids 2022-01-27 14:05:04.000000000 +0100
|
||||
+++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py 2022-10-07 16:47:45.005808635 +0200
|
||||
@@ -141,6 +141,9 @@ options:
|
||||
setup_ca:
|
||||
description: Configure a dogtag CA
|
||||
required: yes
|
||||
+ sid_generation_always:
|
||||
+ description: Enable SID generation always
|
||||
+ required: yes
|
||||
_hostname_overridden:
|
||||
description: The installer _hostname_overridden setting
|
||||
required: yes
|
||||
@@ -213,6 +216,8 @@ def main():
|
||||
|
||||
# additional
|
||||
setup_ca=dict(required=False, type='bool', default=False),
|
||||
+ sid_generation_always=dict(required=False, type='bool',
|
||||
+ default=False),
|
||||
_hostname_overridden=dict(required=False, type='bool',
|
||||
default=False),
|
||||
),
|
||||
@@ -279,6 +284,7 @@ def main():
|
||||
options.setup_ca = ansible_module.params.get('setup_ca')
|
||||
options._host_name_overridden = ansible_module.params.get(
|
||||
'_hostname_overridden')
|
||||
+ sid_generation_always = ansible_module.params.get('sid_generation_always')
|
||||
options.kasp_db_file = None
|
||||
|
||||
# init ##################################################################
|
||||
@@ -371,7 +377,7 @@ def main():
|
||||
logger.debug('Starting Directory Server')
|
||||
services.knownservices.dirsrv.start(instance_name)
|
||||
|
||||
- if options.setup_adtrust:
|
||||
+ if options.setup_adtrust or sid_generation_always:
|
||||
with redirect_stdout(ansible_log):
|
||||
adtrust.install_check(False, options, api)
|
||||
|
||||
diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.always_sids ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py
|
||||
--- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.always_sids 2022-01-27 14:05:04.000000000 +0100
|
||||
+++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py 2022-10-07 16:46:12.413968014 +0200
|
||||
@@ -226,7 +226,7 @@ from ansible.module_utils.ansible_ipa_se
|
||||
read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
|
||||
check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
|
||||
validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
|
||||
- encode_certificate, check_available_memory
|
||||
+ encode_certificate, check_available_memory, adtrustinstance
|
||||
)
|
||||
from ansible.module_utils import six
|
||||
|
||||
@@ -395,12 +395,16 @@ def main():
|
||||
|
||||
# version specific ######################################################
|
||||
|
||||
- if options.setup_adtrust and not adtrust_imported:
|
||||
- # if "adtrust" not in options._allow_missing:
|
||||
- ansible_module.fail_json(msg="adtrust can not be imported")
|
||||
- # else:
|
||||
- # options.setup_adtrust = False
|
||||
- # ansible_module.warn(msg="adtrust is not supported, disabling")
|
||||
+ sid_generation_always = False
|
||||
+ if not options.setup_adtrust:
|
||||
+ # pylint: disable=deprecated-method
|
||||
+ argspec = inspect.getargspec(adtrustinstance.ADTRUSTInstance.__init__)
|
||||
+ # pylint: enable=deprecated-method
|
||||
+ if "fulltrust" in argspec.args:
|
||||
+ sid_generation_always = True
|
||||
+ else:
|
||||
+ if not adtrust_imported:
|
||||
+ ansible_module.fail_json(msg="adtrust can not be imported")
|
||||
|
||||
if options.setup_kra and not kra_imported:
|
||||
# if "kra" not in options._allow_missing:
|
||||
@@ -522,7 +526,8 @@ def main():
|
||||
"You cannot specify an --enable-compat option without the "
|
||||
"--setup-adtrust option")
|
||||
|
||||
- if self.netbios_name:
|
||||
+ # Deactivate test for new IPA SID generation
|
||||
+ if self.netbios_name and not sid_generation_always:
|
||||
raise RuntimeError(
|
||||
"You cannot specify a --netbios-name option without the "
|
||||
"--setup-adtrust option")
|
||||
@@ -1079,7 +1084,8 @@ def main():
|
||||
ntp_pool=options.ntp_pool,
|
||||
# additional
|
||||
_installation_cleanup=_installation_cleanup,
|
||||
- domainlevel=options.domainlevel)
|
||||
+ domainlevel=options.domainlevel,
|
||||
+ sid_generation_always=sid_generation_always)
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
diff -up ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml.always_sids ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml
|
||||
--- ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml.always_sids 2022-01-27 14:05:04.000000000 +0100
|
||||
+++ ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml 2022-10-07 16:48:36.946719227 +0200
|
||||
@@ -191,6 +191,7 @@
|
||||
secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}"
|
||||
### additional ###
|
||||
setup_ca: "{{ result_ipaserver_test.setup_ca }}"
|
||||
+ sid_generation_always: "{{ result_ipaserver_test.sid_generation_always }}"
|
||||
_hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}"
|
||||
register: result_ipaserver_prepare
|
||||
|
||||
@@ -392,7 +393,8 @@
|
||||
adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}"
|
||||
adtrust_reset_netbios_name:
|
||||
"{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}"
|
||||
- when: result_ipaserver_test.setup_adtrust
|
||||
+ when: result_ipaserver_test.setup_adtrust or
|
||||
+ result_ipaserver_test.sid_generation_always
|
||||
|
||||
- name: Install - Set DS password
|
||||
ipaserver_set_ds_password:
|
@ -1,79 +0,0 @@
|
||||
From 6124dc0cf1a7653f11e88d80290aeb231e486cab Mon Sep 17 00:00:00 2001
|
||||
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
||||
Date: Tue, 26 Apr 2022 11:11:12 -0300
|
||||
Subject: [PATCH] ipatrust: Updated ipatrust documentation.
|
||||
|
||||
This patch updates the ipatrust documentation about the 'trust_type'
|
||||
parameter, and changes one password to be similar to the standard
|
||||
passwords used in other modules.
|
||||
---
|
||||
README-trust.md | 1 +
|
||||
plugins/modules/ipatrust.py | 5 +++--
|
||||
2 files changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/README-trust.md b/README-trust.md
|
||||
index ef04f6c..efa69c7 100644
|
||||
--- a/README-trust.md
|
||||
+++ b/README-trust.md
|
||||
@@ -105,6 +105,7 @@ Variable | Description | Required
|
||||
`password` | Active Directory domain administrator's password string. | no
|
||||
`server` | Domain controller for the Active Directory domain string. | no
|
||||
`trust_secret` | Shared secret for the trust string. | no
|
||||
+`trust_type` | Trust type. Currently, only 'ad' for Active Directory is supported. | no
|
||||
`base_id` | First posix id for the trusted domain integer. | no
|
||||
`range_size` | Size of the ID range reserved for the trusted domain integer. | no
|
||||
`range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no
|
||||
diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py
|
||||
index 0c7aac5..d94ec94 100644
|
||||
--- a/plugins/modules/ipatrust.py
|
||||
+++ b/plugins/modules/ipatrust.py
|
||||
@@ -44,7 +44,8 @@ options:
|
||||
description:
|
||||
- Trust type (ad for Active Directory, default)
|
||||
default: ad
|
||||
- required: true
|
||||
+ required: false
|
||||
+ choices: ["ad"]
|
||||
admin:
|
||||
description:
|
||||
- Active Directory domain administrator
|
||||
@@ -103,7 +104,7 @@ EXAMPLES = """
|
||||
realm: ad.example.test
|
||||
trust_type: ad
|
||||
admin: Administrator
|
||||
- password: Welcome2020!
|
||||
+ password: SomeW1Npassword
|
||||
state: present
|
||||
|
||||
# delete ad-trust
|
||||
--
|
||||
2.37.3
|
||||
|
||||
From 423a6b0e12e87adb86cd76095a7b260d19ab4959 Mon Sep 17 00:00:00 2001
|
||||
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
||||
Date: Tue, 12 Apr 2022 18:47:20 -0300
|
||||
Subject: [PATCH] ipatrust: Set valid choices for trust_type.
|
||||
|
||||
Ensure only valid choices for trust_type ('ad') are available for the
|
||||
module parameter.
|
||||
---
|
||||
plugins/modules/ipatrust.py | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py
|
||||
index 6251ecc..0c7aac5 100644
|
||||
--- a/plugins/modules/ipatrust.py
|
||||
+++ b/plugins/modules/ipatrust.py
|
||||
@@ -190,7 +190,8 @@ def main():
|
||||
state=dict(type="str", default="present",
|
||||
choices=["present", "absent"]),
|
||||
# present
|
||||
- trust_type=dict(type="str", default="ad", required=False),
|
||||
+ trust_type=dict(type="str", default="ad", required=False,
|
||||
+ choices=["ad"]),
|
||||
admin=dict(type="str", default=None, required=False),
|
||||
password=dict(type="str", default=None,
|
||||
required=False, no_log=True),
|
||||
--
|
||||
2.37.3
|
||||
|
@ -1,298 +0,0 @@
|
||||
From 766cf5a285aa24d1ca8058a90605ca03d04f14f5 Mon Sep 17 00:00:00 2001
|
||||
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
||||
Date: Wed, 13 Apr 2022 08:12:26 -0300
|
||||
Subject: [PATCH] ipatrust: Fix support for `range_type`.
|
||||
|
||||
The ipatrust module was ignoring the value of `range_type`, which is
|
||||
required to allow for different types of idranges.
|
||||
---
|
||||
plugins/modules/ipatrust.py | 4 +++-
|
||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py
|
||||
index 6251ecc..40b61b5 100644
|
||||
--- a/plugins/modules/ipatrust.py
|
||||
+++ b/plugins/modules/ipatrust.py
|
||||
@@ -157,7 +157,7 @@ def add_trust(module, realm, args):
|
||||
|
||||
|
||||
def gen_args(trust_type, admin, password, server, trust_secret, base_id,
|
||||
- range_size, _range_type, two_way, external):
|
||||
+ range_size, range_type, two_way, external):
|
||||
_args = {}
|
||||
if trust_type is not None:
|
||||
_args["trust_type"] = trust_type
|
||||
@@ -173,6 +173,8 @@ def gen_args(trust_type, admin, password, server, trust_secret, base_id,
|
||||
_args["base_id"] = base_id
|
||||
if range_size is not None:
|
||||
_args["range_size"] = range_size
|
||||
+ if range_type is not None:
|
||||
+ _args["range_type"] = range_type
|
||||
if two_way is not None:
|
||||
_args["bidirectional"] = two_way
|
||||
if external is not None:
|
||||
--
|
||||
2.37.3
|
||||
|
||||
From 3ea452ef6fa25798211623806a862aa4b9e70815 Mon Sep 17 00:00:00 2001
|
||||
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
||||
Date: Wed, 30 Mar 2022 14:22:15 -0300
|
||||
Subject: [PATCH] tests/trust: Improved test coverage and execution.
|
||||
|
||||
This patch applies several changes to the ipatrust test playbook:
|
||||
|
||||
* Add externally defined parameters so execution in local trust
|
||||
environments can be configured. The available parameters are:
|
||||
* winserver_admin_password: the Administrator password for the AD
|
||||
server (default: 'SomeW1Npassword')
|
||||
* winserver_domain: the AD server domain (default: 'windows.local')
|
||||
* winserver realm: the AD server realm (by default, the uppercase
|
||||
version of winserver_domain)
|
||||
* ipaserver_domain: the FreeIPA server domain (default: 'ipa.test')
|
||||
* ipaserver_realm: the FreeIPA server realm (by default, the
|
||||
uppercase version of ipaserver_domain
|
||||
|
||||
* Modify trust verification to check for the existence of the trust as
|
||||
it the output of `ipa trust-find`, instead of cheking for the number
|
||||
of items returned, as the number might vary.
|
||||
|
||||
* Add idempotency tests by re-executing tasks and verifying that no
|
||||
change was performed.
|
||||
|
||||
* Added tests to verify creation of trusts with different 'range_type'.
|
||||
|
||||
* Use a Kerberos cache for shell scripts, and destroy it on exit.
|
||||
|
||||
* Properly remove all `idrange` that might be created upon setting up a
|
||||
trust.
|
||||
---
|
||||
tests/trust/test_trust.yml | 161 +++++++++++++++++++++++++++++++------
|
||||
1 file changed, 137 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/tests/trust/test_trust.yml b/tests/trust/test_trust.yml
|
||||
index e4ecdf5..5d1280d 100644
|
||||
--- a/tests/trust/test_trust.yml
|
||||
+++ b/tests/trust/test_trust.yml
|
||||
@@ -1,55 +1,168 @@
|
||||
---
|
||||
-- name: find trust
|
||||
+- name: Test ipatrust
|
||||
hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
||||
become: true
|
||||
gather_facts: false
|
||||
|
||||
+ vars:
|
||||
+ adserver:
|
||||
+ domain: "{{ winserver_domain | default('windows.local')}}"
|
||||
+ realm: "{{ winserver_realm | default(winserver_domain) | default('windows.local') | upper }}"
|
||||
+ password: "{{ winserver_admin_password | default('SomeW1Npassword') }}"
|
||||
+ ipaserver:
|
||||
+ domain: "{{ ipaserver_domain | default('ipa.test')}}"
|
||||
+ realm: "{{ ipaserver_realm | default(ipaserver_domain) | default('ipa.test') | upper }}"
|
||||
+ trust_exists: 'Realm name: {{ adserver.domain }}'
|
||||
+ ad_range_exists: 'Range name: {{ adserver.realm }}_id_range'
|
||||
+ ipa_range_exists: 'Range name: {{ ipaserver.realm }}_subid_range'
|
||||
+
|
||||
tasks:
|
||||
|
||||
- block:
|
||||
|
||||
- - name: delete trust
|
||||
+ - name: Delete test trust
|
||||
ipatrust:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
- realm: windows.local
|
||||
+ realm: "{{ adserver.domain }}"
|
||||
state: absent
|
||||
- register: del_trust
|
||||
|
||||
- - name: check for trust
|
||||
+ - name: Clear test idranges
|
||||
shell: |
|
||||
- echo 'SomeADMINpassword' | kinit admin
|
||||
- ipa trust-find windows.local
|
||||
- register: check_find_trust
|
||||
- failed_when: "'0 trusts matched' not in check_find_trust.stdout"
|
||||
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
||||
+ ipa idrange-del {{ adserver.realm }}_id_range || true
|
||||
+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
|
||||
+ kdestroy -c test_krb5_cache -q -A
|
||||
|
||||
- - name: delete id range
|
||||
+ - name: Add trust with range_type 'ipa-ad-trust'
|
||||
+ ipatrust:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ realm: "{{ adserver.domain }}"
|
||||
+ admin: Administrator
|
||||
+ trust_type: ad
|
||||
+ range_type: ipa-ad-trust
|
||||
+ password: "{{ adserver.password }}"
|
||||
+ state: present
|
||||
+ register: result
|
||||
+ failed_when: result.failed or not result.changed
|
||||
+
|
||||
+ - name: check if 'ipa-ad-trust' trust exists
|
||||
shell: |
|
||||
echo 'SomeADMINpassword' | kinit admin
|
||||
- ipa idrange-del WINDOWS.LOCAL_id_range
|
||||
- when: del_trust['changed'] | bool
|
||||
+ ipa trust-find
|
||||
+ kdestroy -c test_krb5_cache -q -A
|
||||
+ register: check_add_trust
|
||||
+ failed_when: "trust_exists not in check_add_trust.stdout"
|
||||
|
||||
- - name: check for range
|
||||
+ - name: Add trust with range_type 'ipa-ad-trust', again
|
||||
+ ipatrust:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ realm: "{{ adserver.domain }}"
|
||||
+ admin: Administrator
|
||||
+ range_type: ipa-ad-trust
|
||||
+ password: "{{ adserver.password }}"
|
||||
+ state: present
|
||||
+ register: result
|
||||
+ failed_when: result.failed or result.changed
|
||||
+
|
||||
+ - name: Delete 'ipa-ad-trust' trust
|
||||
+ ipatrust:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ realm: "{{ adserver.domain }}"
|
||||
+ state: absent
|
||||
+ register: result
|
||||
+ failed_when: result.failed or not result.changed
|
||||
+
|
||||
+ - name: Check if 'ipa-ad-trust' trust was removed
|
||||
shell: |
|
||||
- echo 'SomeADMINpassword' | kinit admin
|
||||
- ipa idrange-find WINDOWS.LOCAL_id_range
|
||||
- register: check_del_idrange
|
||||
- failed_when: "'0 ranges matched' not in check_del_idrange.stdout"
|
||||
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
||||
+ ipa trust-find
|
||||
+ kdestroy -c test_krb5_cache -q -A
|
||||
+ register: check_add_trust
|
||||
+ failed_when: "trust_exists in check_add_trust.stdout"
|
||||
+
|
||||
+ - name: Delete 'ipa-ad-trust' trust, again
|
||||
+ ipatrust:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ realm: "{{ adserver.domain }}"
|
||||
+ state: absent
|
||||
+ register: result
|
||||
+ failed_when: result.failed or result.changed
|
||||
+
|
||||
+ - name: Clear test idranges
|
||||
+ shell: |
|
||||
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
||||
+ ipa idrange-del {{ adserver.realm }}_id_range || true
|
||||
+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
|
||||
+ kdestroy -c test_krb5_cache -q -A
|
||||
|
||||
- - name: add trust
|
||||
+ - name: Add trust with range_type 'ipa-ad-trust-posix'
|
||||
ipatrust:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
- realm: windows.local
|
||||
+ realm: "{{ adserver.domain }}"
|
||||
admin: Administrator
|
||||
- password: secret_ad_pw
|
||||
+ range_type: ipa-ad-trust-posix
|
||||
+ password: "{{ adserver.password }}"
|
||||
state: present
|
||||
+ register: result
|
||||
+ failed_when: result.failed or not result.changed
|
||||
|
||||
- - name: check for trust
|
||||
+ - name: Check if 'ipa-ad-trust-posix' trust exists
|
||||
shell: |
|
||||
- echo 'SomeADMINpassword' | kinit admin
|
||||
- ipa trust-find windows.local
|
||||
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
||||
+ ipa trust-find
|
||||
+ kdestroy -c test_krb5_cache -q -A
|
||||
register: check_add_trust
|
||||
- failed_when: "'1 trust matched' not in check_add_trust.stdout"
|
||||
+ failed_when: "trust_exists not in check_add_trust.stdout"
|
||||
+
|
||||
+ - name: Add trust with range_type 'ipa-ad-trust-posix', again
|
||||
+ ipatrust:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ realm: "{{ adserver.domain }}"
|
||||
+ admin: Administrator
|
||||
+ range_type: ipa-ad-trust-posix
|
||||
+ password: "{{ adserver.password }}"
|
||||
+ state: present
|
||||
+ register: result
|
||||
+ failed_when: result.failed or result.changed
|
||||
+
|
||||
+ - name: Delete 'ipa-ad-trust-posix' trust
|
||||
+ ipatrust:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ realm: "{{ adserver.domain }}"
|
||||
+ state: absent
|
||||
+ register: result
|
||||
+ failed_when: result.failed or not result.changed
|
||||
+
|
||||
+ - name: Check if trust 'ipa-ad-trust-posix' was removed
|
||||
+ shell: |
|
||||
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
||||
+ ipa trust-find
|
||||
+ kdestroy -c test_krb5_cache -q -A
|
||||
+ register: check_del_trust
|
||||
+ failed_when: "trust_exists in check_del_trust.stdout"
|
||||
+
|
||||
+ - name: Delete 'ipa-ad-trust-posix' trust, again
|
||||
+ ipatrust:
|
||||
+ ipaadmin_password: SomeADMINpassword
|
||||
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
||||
+ realm: "{{ adserver.domain }}"
|
||||
+ state: absent
|
||||
+ register: result
|
||||
+ failed_when: result.failed or result.changed
|
||||
+
|
||||
+ - name: Clear test idranges
|
||||
+ shell: |
|
||||
+ kinit -c test_krb5_cache admin <<< SomeADMINpassword
|
||||
+ ipa idrange-del {{ adserver.realm }}_id_range || true
|
||||
+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true
|
||||
+ kdestroy -c test_krb5_cache -q -A
|
||||
|
||||
when: trust_test_is_supported | default(false)
|
||||
--
|
||||
2.37.3
|
||||
|
||||
From 50b16cb33ff80f479825228b54349ba93b7c2ad5 Mon Sep 17 00:00:00 2001
|
||||
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
|
||||
Date: Wed, 30 Mar 2022 14:42:12 -0300
|
||||
Subject: [PATCH] tests/ipatrust: Modify AD realm name to an invalid name.
|
||||
|
||||
As the task is expected to fail, the AD realm name was modified to show
|
||||
the expected behavior more clearly.
|
||||
---
|
||||
tests/trust/test_trust_client_context.yml | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/tests/trust/test_trust_client_context.yml b/tests/trust/test_trust_client_context.yml
|
||||
index 2ea3853..6f4ff06 100644
|
||||
--- a/tests/trust/test_trust_client_context.yml
|
||||
+++ b/tests/trust/test_trust_client_context.yml
|
||||
@@ -13,7 +13,7 @@
|
||||
ipatrust:
|
||||
ipaadmin_password: SomeADMINpassword
|
||||
ipaapi_context: server
|
||||
- realm: windows.local
|
||||
+ realm: this.test.should.fail
|
||||
register: result
|
||||
failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*"))
|
||||
when: ipa_host_is_client
|
||||
--
|
||||
2.37.3
|
||||
|
@ -7,18 +7,11 @@
|
||||
|
||||
Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients
|
||||
Name: ansible-freeipa
|
||||
Version: 1.6.3
|
||||
Release: 2%{?dist}
|
||||
Version: 1.8.3
|
||||
Release: 1%{?dist}
|
||||
URL: https://github.com/freeipa/ansible-freeipa
|
||||
License: GPLv3+
|
||||
Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
|
||||
Patch1: ansible-freeipa-1.6.3-ipatrust-Set-valid-choices-for-trust_type_PR808_RHBZ#2132967.patch
|
||||
Patch2: ansible-freeipa-1.6.3-ipatrust-fix-range_type-and-test-enhancement_PR810_RHBZ#2132967.patch
|
||||
Patch3: ansible-freeipa-1.6.3-ipaserver-ipareplica-Always-generate-SIDs_PR866_RHBZ#2132970.patch
|
||||
Patch4: ansible-freeipa-1.6.3-ipareplica-ipareplica_setup_adtrust-fails-while-upda_PR877_RHBZ#2132970.patch
|
||||
Patch5: ansible-freeipa-1.6.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132975.patch
|
||||
Patch6: ansible-freeipa-1.6.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132989.patch
|
||||
Patch7: ansible-freeipa-1.6.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132995.patch
|
||||
BuildArch: noarch
|
||||
|
||||
%description
|
||||
@ -36,6 +29,7 @@ Features
|
||||
- One-time-password (OTP) support for client installation
|
||||
- Repair mode for clients
|
||||
- Backup and restore, also to and from controller
|
||||
- Smartcard setup for servers and clients
|
||||
- Modules for automembership rule management
|
||||
- Modules for automount key management
|
||||
- Modules for automount location management
|
||||
@ -52,6 +46,7 @@ Features
|
||||
- Modules for hbacsvcgroup management
|
||||
- Modules for host management
|
||||
- Modules for hostgroup management
|
||||
- Modules for idrange management
|
||||
- Modules for location management
|
||||
- Modules for permission management
|
||||
- Modules for privilege management
|
||||
@ -60,6 +55,8 @@ Features
|
||||
- Modules for self service management
|
||||
- Modules for server management
|
||||
- Modules for service management
|
||||
- Modules for service delegation rule management
|
||||
- Modules for service delegation target management
|
||||
- Modules for sudocmd management
|
||||
- Modules for sudocmdgroup management
|
||||
- Modules for sudorule management
|
||||
@ -68,6 +65,7 @@ Features
|
||||
- Modules for user management
|
||||
- Modules for vault management
|
||||
|
||||
|
||||
Supported FreeIPA Versions
|
||||
|
||||
FreeIPA versions 4.6 and up are supported by all roles.
|
||||
@ -116,13 +114,6 @@ to get the needed requrements to run the tests.
|
||||
%prep
|
||||
%setup -q
|
||||
# Do not create backup files with patches
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
|
||||
# Fix python modules and module utils:
|
||||
# - Remove shebang
|
||||
@ -151,6 +142,10 @@ cp -rp roles/ipaclient %{buildroot}%{_datadir}/ansible/roles/
|
||||
cp -rp roles/ipaclient/README.md README-client.md
|
||||
cp -rp roles/ipabackup %{buildroot}%{_datadir}/ansible/roles/
|
||||
cp -rp roles/ipabackup/README.md README-backup.md
|
||||
cp -rp roles/ipasmartcard_server %{buildroot}%{_datadir}/ansible/roles/
|
||||
cp -rp roles/ipasmartcard_server/README.md README-smartcard_server.md
|
||||
cp -rp roles/ipasmartcard_client %{buildroot}%{_datadir}/ansible/roles/
|
||||
cp -rp roles/ipasmartcard_client/README.md README-smartcard_client.md
|
||||
install -m 755 -d %{buildroot}%{_datadir}/ansible/plugins/
|
||||
cp -rp plugins/* %{buildroot}%{_datadir}/ansible/plugins/
|
||||
|
||||
@ -166,6 +161,8 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/
|
||||
%{_datadir}/ansible/roles/ipareplica
|
||||
%{_datadir}/ansible/roles/ipaclient
|
||||
%{_datadir}/ansible/roles/ipabackup
|
||||
%{_datadir}/ansible/roles/ipasmartcard_server
|
||||
%{_datadir}/ansible/roles/ipasmartcard_client
|
||||
%{_datadir}/ansible/plugins/doc_fragments
|
||||
%{_datadir}/ansible/plugins/module_utils
|
||||
%{_datadir}/ansible/plugins/modules
|
||||
@ -180,17 +177,53 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/
|
||||
%{_datadir}/ansible-freeipa/requirements-tests.txt
|
||||
|
||||
%changelog
|
||||
* Mon Oct 10 2022 Thomas Woerner <twoerner@redhat.com> - 1.6.3-2
|
||||
- ipatrust: fix range_type and set valid choices for trust_type
|
||||
Resolves: RHBZ#2132967
|
||||
- ipaserver/ipareplica: Always generate SIDs
|
||||
Resolves: RHBZ#2132970
|
||||
- ipaserver: Add missing idstart check
|
||||
Resolves: RHBZ#2132975
|
||||
- ansible-freeipa Replica Install Setup DNS fails
|
||||
Resolves: RHBZ#2132989
|
||||
- ipaconfig does not support SID and netbios attributes
|
||||
Resolves: RHBZ#2132995
|
||||
* Tue Aug 16 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.3-1
|
||||
- Update to version 1.8.3
|
||||
https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.3
|
||||
Related: RHBZ#2080321
|
||||
- Fixes replica deployment issue for domains without SID support.
|
||||
Related: RHBZ#2110491
|
||||
|
||||
* Thu Jul 28 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.2-1
|
||||
- Update to version 1.8.2
|
||||
https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.2
|
||||
Related: RHBZ#2080321
|
||||
- SIDs are always generated for server and replica deployments
|
||||
Resolves: RHBZ#2110491
|
||||
- Random Serial Numbers are not enabled by default any more
|
||||
Resolves: RHBZ#2110526
|
||||
- Fixes comparison of bool values in IPA 4.9.10+ for ipadnsconfig
|
||||
Resolves: RHBZ#2110539
|
||||
|
||||
* Thu Jul 7 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.1-1
|
||||
- Update to version 1.8.1
|
||||
https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.1
|
||||
Related: RHBZ#2080321
|
||||
- ipa server deploys failing with latest IPA compose
|
||||
Resolves: RHBZ#2103928
|
||||
- ipaserver_external_cert_files failes to copy with ansible 2.13
|
||||
Resolves: RHBZ#2104842
|
||||
|
||||
* Fri Jun 24 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.0-1
|
||||
- idrange: Fix usage of dom_name when idrange doesn't exist.
|
||||
Resolves: RHBZ#2086993
|
||||
- smartcard roles for ansible-freeipa
|
||||
Resolves: RHBZ#2076554
|
||||
|
||||
* Fri Apr 29 2022 Thomas Woerner <twoerner@redhat.com> - 1.7.0-1
|
||||
- Update to version 1.7.0
|
||||
https://github.com/freeipa/ansible-freeipa/releases/tag/v1.7.0
|
||||
Resolves: RHBZ#2080321
|
||||
- New idrange management module.
|
||||
Resolves: RHBZ#1921545
|
||||
- Not able to update empty descriptions in automount maps.a
|
||||
Resolves: RHBZ#2048552
|
||||
- New servicedelegationrule management module.
|
||||
Resolves: RHBZ#2069170
|
||||
- New servicedelegationtarget management module.
|
||||
Resolves: RHBZ#2069172
|
||||
- Add support for managing idoverrideusers in ipagroup.
|
||||
Resolves: RHBZ#2069173
|
||||
|
||||
* Thu Jan 27 2022 Thomas Woerner <twoerner@redhat.com> - 1.6.3-1
|
||||
- Update to version 1.6.3
|
||||
|
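Review bot: None of the surviving changelog entries (1.7.0-1 through 1.8.3-1) reference RHBZ#2132967, RHBZ#2132970, RHBZ#2132975, RHBZ#2132989 or RHBZ#2132995, even though the 1.6.3-2 entry and the Patch1–Patch7 lines that resolved them are dropped from this spec, so the package loses its record of whether those backported fixes (trust_type choices, range_type, always-generate-SIDs, idstart check, isatty, ipaconfig SID attributes) are carried by the upstream 1.8.3 tarball. If they are confirmed upstream, the 1.8.3-1 entry should say so, e.g. `- Includes fixes previously shipped as downstream patches in 1.6.3-2` followed by the matching `Resolves: RHBZ#…` lines; if any is not, dropping its patch regresses the fix. The `# Do not create backup files with patches` comment in %prep appears to survive while every `%patchN -p1` line goes away; if it is kept it is now stale and should be removed with them. This section shows no surviving +/- markers, so which lines are removed versus kept is inferred from their content.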