Merge pull request #906 from rjeffman/ipaconfig_sid

ipaconfig: Add support for SID related attributes.

README-config.md

@@ -65,6 +65,9 @@ Example playbook to read config options:
         maxusername: 64
 ```
 
+
+Example playbook to set global configuration options:
+
 ```yaml
 ---
 - name: Playbook to ensure some config options are set
@@ -79,6 +82,40 @@ Example playbook to read config options:
 ```
 
 
+Example playbook to enable SID and generate users and groups SIDs:
+
+```yaml
+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes
+```
+
+Example playbook to change IPA domain NetBIOS name:
+
+```yaml
+---
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Set IPA domain netbios name
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM
+```
+
 Variables
 =========
 
@@ -111,6 +148,9 @@ Variable | Description | Required
 `user_auth_type` \| `ipauserauthtype` |  set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
 `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
 `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
+`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
 
 
 Return Values
@@ -140,6 +180,8 @@ Variable | Description | Returned When
   | `user_auth_type` |  
   | `domain_resolution_order` |  
   | `ca_renewal_master_server` |  
+  | `enable_sid` |  
+  | `netbios_name` |  
 
 All returned fields take the same form as their namesake input parameters
 

playbooks/config/change-ipa-domain-netbios-name.yml

+---
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Set IPA domain netbios name
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM

playbooks/config/generate-users-groups-sids.yml

+---
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes

plugins/modules/ipaconfig.py

@@ -148,6 +148,24 @@ options:
         required: false
         type: list
         aliases: ["ipadomainresolutionorder"]
+    enable_sid:
+        description: >
+          New users and groups automatically get a SID assigned.
+          Requires IPA 4.9.8+.
+        required: false
+        type: bool
+    netbios_name:
+        description: >
+          NetBIOS name of the IPA domain.
+          Requires IPA 4.9.8+ and 'enable_sid: yes'.
+        required: false
+        type: string
+    add_sids:
+        description: >
+          Add SIDs for existing users and groups.
+          Requires IPA 4.9.8+ and 'enable_sid: yes'.
+        required: false
+        type: bool
 '''
 
 EXAMPLES = '''
@@ -169,6 +187,24 @@ EXAMPLES = '''
         ipaadmin_password: SomeADMINpassword
         defaultshell: /bin/bash
         maxusername: 64
+
+- name: Playbook to enable SID and generate users and groups SIDs
+  hosts: ipaserver
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        add_sids: yes
+
+- name: Playbook to change IPA domain netbios name
+  hosts: ipaserver
+  tasks:
+    - name: Enable SID and generate users and groups SIDS
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        enable_sid: yes
+        netbios_name: IPADOM
 '''
 
 RETURN = '''
@@ -247,6 +283,14 @@ config:
     domain_resolution_order:
         description: list of domains used for short name qualification
         returned: always
+    enable_sid:
+        description: >
+          new users and groups automatically get a SID assigned.
+          Requires IPA 4.9.8+.
+        returned: always
+    netbios_name:
+        description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
+        returned: if enable_sid is True
 '''
 
 
@@ -260,6 +304,28 @@ def config_show(module):
     return _result["result"]
 
 
+def get_netbios_name(module):
+    try:
+        _result = module.ipa_command_no_name("trustconfig_show", {"all": True})
+    except Exception:  # pylint: disable=broad-except
+        return None
+    else:
+        return _result["result"]["ipantflatname"][0]
+
+
+def is_enable_sid(module):
+    """When 'enable-sid' is true admin user and admins group have SID set."""
+    _result = module.ipa_command("user_show", "admin", {"all": True})
+    sid = _result["result"].get("ipantsecurityidentifier", [""])
+    if not sid[0].endswith("-500"):
+        return False
+    _result = module.ipa_command("group_show", "admins", {"all": True})
+    sid = _result["result"].get("ipantsecurityidentifier", [""])
+    if not sid[0].endswith("-512"):
+        return False
+    return True
+
+
 def main():
     ansible_module = IPAAnsibleModule(
         argument_spec=dict(
@@ -313,7 +379,10 @@ def main():
                                 aliases=["ipauserauthtype"]),
             ca_renewal_master_server=dict(type="str", required=False),
             domain_resolution_order=dict(type="list", required=False,
-                                         aliases=["ipadomainresolutionorder"])
+                                         aliases=["ipadomainresolutionorder"]),
+            enable_sid=dict(type="bool", required=False),
+            add_sids=dict(type="bool", required=False),
+            netbios_name=dict(type="str", required=False),
         ),
         supports_check_mode=True,
     )
@@ -344,7 +413,10 @@ def main():
         "pac_type": "ipakrbauthzdata",
         "user_auth_type": "ipauserauthtype",
         "ca_renewal_master_server": "ca_renewal_master_server",
-        "domain_resolution_order": "ipadomainresolutionorder"
+        "domain_resolution_order": "ipadomainresolutionorder",
+        "enable_sid": "enable_sid",
+        "netbios_name": "netbios_name",
+        "add_sids": "add_sids",
     }
     allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
     reverse_field_map = {v: k for k, v in field_map.items()}
@@ -394,11 +466,47 @@ def main():
     changed = False
     exit_args = {}
 
-    # Connect to IPA API
-    with ansible_module.ipa_connect():
+    # Connect to IPA API (enable-sid requires context == 'client')
+    with ansible_module.ipa_connect(context="client"):
+        has_enable_sid = ansible_module.ipa_command_param_exists(
+            "config_mod", "enable_sid")
 
         result = config_show(ansible_module)
+
         if params:
+            netbios_name = params.get("netbios_name")
+            if netbios_name:
+                netbios_name = netbios_name.upper()
+            add_sids = params.get("add_sids")
+            enable_sid = params.get("enable_sid")
+            required_sid = any([netbios_name, add_sids])
+            if required_sid and not enable_sid:
+                ansible_module.fail_json(
+                    "'enable-sid: yes' required for 'netbios_name' "
+                    "and 'add-sids'."
+                )
+            if enable_sid:
+                if not has_enable_sid:
+                    ansible_module.fail_json(
+                        "This version of IPA does not support 'enable-sid'.")
+                if (
+                    netbios_name
+                    and netbios_name == get_netbios_name(ansible_module)
+                ):
+                    del params["netbios_name"]
+                    netbios_name = None
+                if not add_sids and "add_sids" in params:
+                    del params["add_sids"]
+                if (
+                    not any([netbios_name, add_sids])
+                    and is_enable_sid(ansible_module)
+                ):
+                    del params["enable_sid"]
+            else:
+                for param in ["enable_sid", "netbios_name", "add_sids"]:
+                    if param in params:
+                        del params[params]
+
             params = {
                 k: v for k, v in params.items()
                 if k not in result or result[k] != v
@@ -458,6 +566,10 @@ def main():
             # Add empty domain_resolution_order if it is not set
             if "domain_resolution_order" not in exit_args:
                 exit_args["domain_resolution_order"] = []
+            # Set enable_sid
+            if has_enable_sid:
+                exit_args["enable_sid"] = is_enable_sid(ansible_module)
+                exit_args["netbios_name"] = get_netbios_name(ansible_module)
 
     # Done
     ansible_module.exit_json(changed=changed, config=exit_args)

tests/azure/templates/variables_centos-7.yaml

@@ -12,8 +12,7 @@
 #
 ---
 variables:
-  empty: true
   # ipa_enabled_modules: >-
   # ipa_enabled_tests: >-
   # ipa_disabled_modules: >-
-#   ipa_disabled_tests: >-
+  ipa_disabled_tests: test_config_sid

tests/config/test_config_sid.yml

+---
+- name: Test config
+  hosts: "{{ ipa_test_host | default('ipaserver') }}"
+  become: no
+  gather_facts: no
+
+  tasks:
+
+  # GET CURRENT CONFIG
+
+  - name: Return current values of the global configuration options
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ipaapi_context: "{{ ipa_context | default(omit) }}"
+    register: previous
+
+  # TESTS
+  - block:
+    - name: Ensure SID is enabled.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+      register: result
+      failed_when: result.failed or previous.config.enable_sid == result.changed
+
+    - name: Ensure SID is enabled, again.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+      register: result
+      failed_when: result.failed or result.changed
+
+    - name: Ensure netbios_name is "IPATESTPLAY"
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+        netbios_name: IPATESTPLAY
+      register: result
+      failed_when: result.failed or not result.changed
+
+    - name: Ensure netbios_name is "IPATESTPLAY", again
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+        netbios_name: IPATESTPLAY
+      register: result
+      failed_when: result.failed or result.changed
+
+    # add_sids is not idempotent as it always tries to generate the missing
+    # SIDs for users and groups.
+    - name: Add SIDs to users and groups.
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        enable_sid: yes
+        add_sids: yes
+
+    # REVERT TO PREVIOUS CONFIG
+    always:
+    # Once SID is enabled, it cannot be reverted.
+    - name: Revert netbios_name to original configuration
+      ipaconfig:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
+        enable_sid: yes