diff --git a/README-group.md b/README-group.md
index ac282b22bbb651ba0d4d9f3172f3104ee9ed1324..021fc1050544a75cf193dd1ddb68fe10ed828bfc 100644
--- a/README-group.md
+++ b/README-group.md
@@ -166,6 +166,7 @@ Variable | Description | Required
 `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
+`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up.| no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
diff --git a/plugins/modules/ipagroup.py b/plugins/modules/ipagroup.py
index e16f978c862fcd5414b494e08f0728741761224c..09d8e1c93641b918db6079e2d9390137572db251 100644
--- a/plugins/modules/ipagroup.py
+++ b/plugins/modules/ipagroup.py
@@ -97,6 +97,11 @@ options:
 required: false
 type: list
 ailases: ["ipaexternalmember", "external_member"]
+ idoverrideuser:
+ description:
+ - User ID overrides to add
+ required: false
+ type: list
 action:
 description: Work on group or member level
 default: group
@@ -184,7 +189,7 @@ RETURN = """
 from ansible.module_utils._text import to_text
 from ansible.module_utils.ansible_freeipa_module import \
 IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, \
- gen_add_list, gen_intersection_list
+ gen_add_list, gen_intersection_list, api_check_param
 def find_group(module, name):
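Review bot: The `idoverrideuser` option description in the `@@ -97,6 +97,11 @@` hunk says only `User ID overrides to add`, but the option is also used to remove members (`state: absent` with `action: member` in the new test) and the README row added in the same commit states a 4.8.7 minimum that the module documentation omits. Suggest `- User ID overrides to manage as group members. Only usable with IPA versions 4.8.7 and up.` so the `ansible-doc` output and README agree. The README row itself is also missing a space before its final `|` (`and up.| no`), which breaks the column alignment of the rendered table.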
@@ -223,7 +228,7 @@ def gen_args(description, gid, nomembers):
 return _args
-def gen_member_args(user, group, service, externalmember):
+def gen_member_args(user, group, service, externalmember, idoverrideuser):
 _args = {}
 if user is not None:
 _args["member_user"] = user
@@ -233,6 +238,8 @@ def gen_member_args(user, group, service, externalmember):
 _args["member_service"] = service
 if externalmember is not None:
 _args["member_external"] = externalmember
+ if idoverrideuser is not None:
+ _args["member_idoverrideuser"] = idoverrideuser
 return _args
@@ -280,6 +287,7 @@ def main():
 user=dict(required=False, type='list', default=None),
 group=dict(required=False, type='list', default=None),
 service=dict(required=False, type='list', default=None),
+ idoverrideuser=dict(required=False, type='list', default=None),
 membermanager_user=dict(required=False, type='list', default=None),
 membermanager_group=dict(required=False, type='list', default=None),
@@ -312,6 +320,7 @@ def main():
 gid = ansible_module.params_get("gid")
 nonposix = ansible_module.params_get("nonposix")
 external = ansible_module.params_get("external")
+ idoverrideuser = ansible_module.params_get("idoverrideuser")
 posix = ansible_module.params_get("posix")
 nomembers = ansible_module.params_get("nomembers")
 user = ansible_module.params_get("user")
@@ -379,6 +388,13 @@ def main():
 "by your IPA version"
 )
+ has_idoverrideuser = api_check_param(
+ "group_add_member", "idoverrideuser")
+ if idoverrideuser is not None and not has_idoverrideuser:
+ ansible_module.fail_json(
+ msg="Managing a idoverrideuser as part of a group is not "
+ "supported by your IPA version")
+
 commands = []
 for name in names:
@@ -389,6 +405,7 @@ def main():
 group_add, group_del = [], []
 service_add, service_del = [], []
 externalmember_add, externalmember_del = [], []
+ idoverrides_add, idoverrides_del = [], []
 membermanager_user_add, membermanager_user_del = [], []
 membermanager_group_add, membermanager_group_del = [], []
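Review bot: The failure message added in the `@@ -379,6 +388,13 @@` hunk reads `Managing a idoverrideuser`; it should be `msg="Managing an idoverrideuser as part of a group is not "`. The same `has_idoverrideuser` flag is derived only from `api_check_param("group_add_member", "idoverrideuser")` but later (the `@@ -532,10 +559,16 @@` hunk) also gates `del_member_args["idoverrideuser"]`, which is sent to `group_remove_member`; presumably both commands gained the parameter in the same IPA release, but a second `api_check_param("group_remove_member", "idoverrideuser")` folded into the flag would make that assumption explicit rather than relying on it. `main()` starts and ends outside this hunk.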
@@ -438,7 +455,7 @@ def main():
 res_find["objectclass"].append("posixgroup")
 member_args = gen_member_args(
- user, group, service, externalmember
+ user, group, service, externalmember, idoverrideuser
 )
 if not compare_args_ipa(ansible_module, member_args, res_find):
@@ -456,6 +473,12 @@ def main():
 externalmember_del) = gen_add_del_lists(
 externalmember, res_find.get("member_external"))
+ (idoverrides_add,
+ idoverrides_del) = gen_add_del_lists(
+ idoverrideuser,
+ res_find.get("member_idoverrideuser")
+ )
+
 membermanager_user_add, membermanager_user_del = \
 gen_add_del_lists(
 membermanager_user,
@@ -483,6 +506,8 @@ def main():
 service, res_find.get("member_service"))
 externalmember_add = gen_add_list(
 externalmember, res_find.get("member_external"))
+ idoverrides_add = gen_add_list(
+ idoverrideuser, res_find.get("member_idoverrideuser"))
 membermanager_user_add = gen_add_list(
 membermanager_user,
@@ -516,6 +541,8 @@ def main():
 service, res_find.get("member_service"))
 externalmember_del = gen_intersection_list(
 externalmember, res_find.get("member_external"))
+ idoverrides_del = gen_intersection_list(
+ idoverrideuser, res_find.get("member_idoverrideuser"))
 membermanager_user_del = gen_intersection_list(
 membermanager_user, res_find.get("membermanager_user"))
@@ -532,10 +559,16 @@ def main():
 "user": user_add,
 "group": group_add,
 }
+
 del_member_args = {
 "user": user_del,
 "group": group_del,
 }
+
+ if has_idoverrideuser:
+ add_member_args["idoverrideuser"] = idoverrides_add
+ del_member_args["idoverrideuser"] = idoverrides_del
+
 if has_add_member_service:
 add_member_args["service"] = service_add
 del_member_args["service"] = service_del
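Review bot: The idempotency check in the `@@ -438,7 +455,7 @@` hunk now compares the caller-supplied `idoverrideuser` names verbatim with `res_find.get("member_idoverrideuser")` (and the add/del/intersection lists in the later hunks do the same), so the module only reports "unchanged" when IPA returns the overrides in exactly the form the user passed. The new test exercises only the `DOM\\name` form via `ad_user`; if the server reports overrides in another form (for example `name@domain`), every run would queue a `group_add_member` command and report `changed`, which is worth confirming once against `group_show` output. Since README-group.md documents both accepted forms for `externalmember`, the `idoverrideuser` description should likewise say which form is expected. The enclosing `main()` starts and ends outside this hunk.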
@@ -550,15 +583,16 @@ def main():
 msg="Cannot add external members to a "
 "non-external group."
 )
+
 # Add members
- add_members = any([user_add, group_add,
+ add_members = any([user_add, group_add, idoverrides_add,
 service_add, externalmember_add])
 if add_members:
 commands.append(
 [name, "group_add_member", add_member_args]
 )
 # Remove members
- remove_members = any([user_del, group_del,
+ remove_members = any([user_del, group_del, idoverrides_del,
 service_del, externalmember_del])
 if remove_members:
 commands.append(
diff --git a/tests/group/test_group_idoverrideuser.yml b/tests/group/test_group_idoverrideuser.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3a5be5069ce27a318b0425984aa2360b3adf87d5
--- /dev/null
+++ b/tests/group/test_group_idoverrideuser.yml
@@ -0,0 +1,104 @@
+---
+- name: Test group
+ hosts: ipaserver
+ become: yes
+ gather_facts: yes
+
+ vars:
+ ad_user: "{{ test_ad_user | default('AD\\aduser') }}"
+ ad_domain: "{{ test_ad_domain | default('ad.ipa.test') }}"
+
+ tasks:
+ - include_tasks: ../env_freeipa_facts.yml
+
+ - block:
+ - name: Create idoverrideuser.
+ shell: |
+ kinit -c idoverride_cache admin <<< SomeADMINpassword
+ ipa idoverrideuser-add "Default Trust View" {{ ad_user }}
+ kdestroy -A -q -c idoverride_cache
+
+ - name: Remove testing groups.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - idovergroup
+ state: absent
+
+ - name: Add group with idoverrideuser.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: idovergroup
+ idoverrideuser: "{{ ad_user }}"
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: Add group with idoverrideuser, again.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: idovergroup
+ idoverrideuser: "{{ ad_user }}"
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Remove idoverrideuser member.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: idovergroup
+ idoverrideuser: "{{ ad_user }}"
+ action: member
+ state: absent
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: Remove idoverrideuser member, again.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: idovergroup
+ idoverrideuser: "{{ ad_user }}"
+ action: member
+ state: absent
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Add idoverrideuser member.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: idovergroup
+ idoverrideuser: "{{ ad_user }}"
+ action: member
+ register: result
+ failed_when: result.failed or not result.changed
+
+ - name: Add idoverrideuser member, again.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: idovergroup
+ idoverrideuser: "{{ ad_user }}"
+ action: member
+ register: result
+ failed_when: result.failed or result.changed
+
+ - name: Cleanup idoverrideuser member.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: idovergroup
+ idoverrideuser: "{{ ad_user }}"
+ state: absent
+
+ - name: Remove testing groups.
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name:
+ - idovergroup
+ state: absent
+
+ always:
+ - name: Remove idoverrideuser.
+ shell: |
+ kinit -c idoverride_cache admin <<< SomeADMINpassword
+ ipa idoverrideuser-del "Default Trust View" {{ ad_user }}
+ kdestroy -A -q -c idoverride_cache
+ when:
+
+ when: ipa_version is version("4.8.7", ">=") and trust_test_is_supported | default(false)
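Review bot: The `Remove idoverrideuser.` task under `always:` ends with a bare `when:` carrying no expression, immediately before the block-level `when: ipa_version is version("4.8.7", ">=") ...`; it looks like a leftover and should be deleted, since the task is already gated by the enclosing block's condition. In both `shell:` tasks `{{ ad_user }}` is interpolated unquoted into the command line, so a backslash or space in `test_ad_user` is consumed by the shell before `ipa` sees it; use `ipa idoverrideuser-add "Default Trust View" {{ ad_user | quote }}` (and the same for `idoverrideuser-del`). The default `'AD\\aduser'` also passes through YAML double-quote unescaping and then Jinja string-literal unescaping, so the rendered value may not be the literal `AD\aduser` the `ipagroup` tasks expect — worth confirming once with a `debug` task before relying on the default. `ad_domain` is defined in `vars:` but never used in this playbook.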