diff --git a/README-dnsconfig.md b/README-dnsconfig.md new file mode 100644 index 0000000000000000000000000000000000000000..029ec515a16514984d9d8b742f7a0b1b7eee0028 --- /dev/null +++ b/README-dnsconfig.md 
@@ -0,0 +1,140 @@ +DNSConfig module +============ + +Description +----------- + +The dnsconfig module allows to modify global DNS configuration. + + +Features +-------- +* Global DNS configuration + + +Supported FreeIPA Versions +-------------------------- + +FreeIPA versions 4.4.0 and up are supported by the ipadnsconfig module. + + +Requirements +------------ + +**Controller** +* Ansible version: 2.8+ + +**Node** +* Supported FreeIPA version (see above) + + +Usage +===== + +Example inventory file + +```ini +[ipaserver] +ipaserver.test.local +``` + +Example playbook to set global DNS configuration: + +```yaml +--- +- name: Playbook to handle global DNS configuration + hosts: ipaserver + become: true + + tasks: + # Set dnsconfig. + - ipadnsconfig: + forwarders: + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + forward_policy: only + allow_sync_ptr: yes +``` + +Example playbook to ensure a global forwarder, with a custom port, is absent: + +```yaml +--- +- name: Playbook to handle global DNS configuration + hosts: ipaserver + become: true + + tasks: + # Ensure global forwarder with a custom port is absent. + - ipadnsconfig: + forwarders: + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent +``` + +Example playbook to disable global forwarders: + +```yaml +--- +- name: Playbook to disable global DNS forwarders + hosts: ipaserver + become: true + + tasks: + # Disable global forwarders. + - ipadnsconfig: + forward_policy: none +``` + +Example playbook to change global forward policy: + +```yaml +--- +- name: Playbook to change global forward policy + hosts: ipaserver + become: true + + tasks: + # Disable global forwarders. + - ipadnsconfig: + forward_policy: first +``` + +Example playbook to disallow synchronization of forward (A, AAAA) and reverse (PTR) records: + +```yaml +--- +- name: Playbook to disallow reverse synchronization. + hosts: ipaserver + become: true + + tasks: + # Disable global forwarders. 
+ - ipadnsconfig: + allow_sync_ptr: no +``` + +Variables +========= + +ipadnsconfig +------------ + +Variable | Description | Required +-------- | ----------- | -------- +`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no +`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no +`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no + | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes + | `port` - The custom port that should be used on this server. | no +`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`. | no +`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | yes +`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes + + +Authors +======= + +Rafael Guterres Jeffman diff --git a/README-group.md b/README-group.md index 8bba32373e28ab3e79f12c0c2c1c5004785bb00f..4a278560057eb2e3dd6aa79d1c5850a777f47065 100644 --- a/README-group.md +++ b/README-group.md @@ -52,20 +52,20 @@ Example playbook to add groups: tasks: # Create group ops with gid 1234 - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops gidnumber: 1234 # Create group sysops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops user: - pinky # Create group appops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: appops ``` @@ -80,7 +80,7 @@ Example playbook to add users to a group: tasks: # Add user member brain to group sysops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops action: member user: 
@@ -100,7 +100,7 @@ Example playbook to add group members to a group: tasks: # Add group members sysops and appops to group sysops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops group: - sysops @@ -118,7 +118,7 @@ Example playbook to remove groups: tasks: # Remove goups sysops, appops and ops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops,appops,ops state: absent ``` @@ -138,7 +138,7 @@ Variable | Description | Required `description` | The group description string. | no `gid` \| `gidnumber` | The GID integer. | no `nonposix` | Create as a non-POSIX group. (bool) | no -`external` | Allow adding external non-IPA members from trusted domains. (flag) | no +`external` | Allow adding external non-IPA members from trusted domains. (bool) | no `nomembers` | Suppress processing of membership attributes. (bool) | no `user` | List of user name strings assigned to this group. | no `group` | List of group name strings assigned to this group. | no diff --git a/README-hbacrule.md b/README-hbacrule.md index 39a242c1d52d9a5e539fdcb38bb994976fa892b1..d14692f9735cd95476122a0683b8b5a40b6338ed 100644 --- a/README-hbacrule.md +++ b/README-hbacrule.md @@ -50,7 +50,7 @@ Example playbook to make sure HBAC Rule login exists: tasks: # Ensure HBAC Rule login is present - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login ``` @@ -66,7 +66,7 @@ Example playbook to make sure HBAC Rule login exists with the only HBAC Service tasks: # Ensure HBAC Rule login is present with the only HBAC Service sshd - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd 
@@ -83,7 +83,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Rule login: tasks: # Ensure HBAC Service sshd is present in HBAC Rule login - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -101,7 +101,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login: tasks: # Ensure HBAC Service sshd is present in HBAC Rule login - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -120,7 +120,7 @@ Example playbook to make sure HBAC Rule login is absent: tasks: # Ensure HBAC Rule login is present - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login state: absent ``` diff --git a/README-hbacsvc.md b/README-hbacsvc.md index 861ed6f9856da27fa6dc0ca0319b93b40329fb96..7203e54971c47ddda82fa0b0258712fc1e2ded5e 100644 --- a/README-hbacsvc.md +++ b/README-hbacsvc.md @@ -50,7 +50,7 @@ Example playbook to make sure HBAC Service for http is present tasks: # Ensure HBAC Service for http is present - ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http description: Web service ``` @@ -66,7 +66,7 @@ Example playbook to make sure HBAC Service for tftp is present tasks: # Ensure HBAC Service for tftp is present - ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: tftp description: TFTPWeb service ``` @@ -82,7 +82,7 @@ Example playbook to make sure HBAC Services for http and tftp are absent tasks: # Ensure HBAC Service for http and tftp are absent - ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http,tftp state: absent ``` diff --git a/README-hbacsvcgroup.md b/README-hbacsvcgroup.md index e2a8260f6c922acd64ac105c68ecfb9881317662..56d5f7a6880a6b55b7ea1659b1ea9a0f495a6560 100644 --- a/README-hbacsvcgroup.md +++ b/README-hbacsvcgroup.md 
@@ -4,7 +4,7 @@ HBACsvcgroup module Description ----------- -The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAP Service Groups and members of the groups. +The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAC Service Groups and members of the groups. Features @@ -50,7 +50,7 @@ Example playbook to make sure HBAC Service Group login exists: tasks: # Ensure HBAC Service Group login is present - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login ``` @@ -66,7 +66,7 @@ Example playbook to make sure HBAC Service Group login exists with the only HBAC tasks: # Ensure HBAC Service Group login is present with the only HBAC Service sshd - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -83,7 +83,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Service Group tasks: # Ensure HBAC Service sshd is present in HBAC Service Group login - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -101,7 +101,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group tasks: # Ensure HBAC Service sshd is present in HBAC Service Group login - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -120,7 +120,7 @@ Example playbook to make sure HBAC Service Group login is absent: tasks: # Ensure HBAC Service Group login is present - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login state: absent ``` diff --git a/README-host.md b/README-host.md index 77ca098d1cd2a0c4315fb7758308e62da4458b39..5f540cac10255ec7af0cce6c2b46496bb7a06b70 100644 --- a/README-host.md +++ b/README-host.md 
@@ -52,7 +52,7 @@ Example playbook to ensure host presence: tasks: # Ensure host is present - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com description: Example host ip_address: 192.168.0.123 @@ -65,6 +65,79 @@ Example playbook to ensure host presence: - "52:54:00:BD:97:1E" state: present ``` +Compared to `ipa host-add` command no IP address conflict check is done as the ipahost module supports to have several IPv4 and IPv6 addresses for a host. + + +Example playbook to ensure host presence with several IP addresses: + +```yaml +--- +- name: Playbook to handle hosts + hosts: ipaserver + become: true + + tasks: + # Ensure host is present + - ipahost: + ipaadmin_password: SomeADMINpassword + name: host01.example.com + description: Example host + ip_address: + - 192.168.0.123 + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b3 + - fe80::20c:29ff:fe02:a1b4 + locality: Lab + ns_host_location: Lab + ns_os_version: CentOS 7 + ns_hardware_platform: Lenovo T61 + mac_address: + - "08:00:27:E3:B1:2D" + - "52:54:00:BD:97:1E" + state: present +``` + + +Example playbook to ensure IP addresses are present for a host: + +```yaml +--- +- name: Playbook to handle hosts + hosts: ipaserver + become: true + + tasks: + # Ensure host is present + - ipahost: + ipaadmin_password: SomeADMINpassword + name: host01.example.com + ip_address: + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b4 + action: member + state: present +``` + + +Example playbook to ensure IP addresses are absent for a host: + +```yaml +--- +- name: Playbook to handle hosts + hosts: ipaserver + become: true + + tasks: + # Ensure host is present + - ipahost: + ipaadmin_password: SomeADMINpassword + name: host01.example.com + ip_address: + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b4 + action: member + state: absent +``` Example playbook to ensure host presence without DNS: 
@@ -78,7 +151,7 @@ Example playbook to ensure host presence without DNS: tasks: # Ensure host is present without DNS - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host02.example.com description: Example host force: yes @@ -96,7 +169,7 @@ Example playbook to ensure host presence with a random password: tasks: - name: Host host01.example.com present with random password ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com random: yes force: yes @@ -120,7 +193,7 @@ Example playbook to ensure presence of several hosts with a random password: tasks: - name: Hosts host01.example.com and host01.example.com present with random passwords ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.example.com random: yes @@ -152,7 +225,7 @@ Example playbook to ensure presence of host member principal: tasks: - name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com principal: - host/testhost01.example.com @@ -171,7 +244,7 @@ Example playbook to ensure presence of host member certificate: tasks: - name: Host host01.example.com present with certificate ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com certificate: - MIIC/zCCAeegAwIBAg... @@ -189,7 +262,7 @@ Example playbook to ensure presence of member managedby_host for serveral hosts: tasks: ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.exmaple.com managedby_host: server.exmaple.com 
@@ -210,12 +283,12 @@ Example playbook to disable a host: tasks: # Ensure host is disabled - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com update_dns: yes state: disabled ``` -`update_dns` controls if the DNS entries will be updated. +`update_dns` controls if the DNS entries will be updated in this case. For `state` present it is controlling the update of the DNS SSHFP records, but not the the other DNS records. Example playbook to ensure a host is absent: 
@@ -269,25 +342,25 @@ Variable | Description | Required `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no `managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no -`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. <br>Options: | no -`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. <br>Options: | no -`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. <br>Options: | no -`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. <br>Options: | no -`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. <br>Options: | no -`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. <br>Options: | no -`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. <br>Options: | no -`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. <br>Options: | no +`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no +`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no +`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. | no +`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. 
| no +`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. | no +`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. | no +`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. | no +`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. | no `mac_address` \| `macaddress` | List of hardware MAC addresses. | no `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no -`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened"] | no +`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no `force` | Force host name even if not in DNS. | no `reverse` | Reverse DNS detection. | no -`ip_address` \| `ipaddress` | The host IP address. | no -`update_dns` | Update DNS entries. 
| no +`ip_address` \| `ipaddress` | The host IP address list. It can contain IPv4 and IPv6 addresses. No conflict check for IP addresses is done. | no +`update_dns` | For existing hosts: DNS SSHFP records are updated with `state` present and all DNS entries for a host removed with `state` absent. | no Return Values diff --git a/README-hostgroup.md b/README-hostgroup.md index 39ea77f054e974d8dde8908a24b6bdcfe66a6043..857012443adb7ff7d9db7aa6e64187f76d4cac89 100644 --- a/README-hostgroup.md +++ b/README-hostgroup.md @@ -52,7 +52,7 @@ Example playbook to make sure hostgroup databases exists: tasks: # Ensure host-group databases is present - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com @@ -72,7 +72,7 @@ Example playbook to make sure that hosts and hostgroups are present in existing tasks: # Ensure hosts and hostgroups are present in existing databases hostgroup - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com @@ -94,7 +94,7 @@ Example playbook to make sure hosts and hostgroups are absent in databases hostg tasks: # Ensure hosts and hostgroups are absent in databases hostgroup - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com @@ -116,7 +116,7 @@ Example playbook to make sure host-group databases is absent: tasks: # Ensure host-group databases is absent - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: absent ``` diff --git a/README-pwpolicy.md b/README-pwpolicy.md index 16306b7496e0a0a6a3b6d85c63698565f8f2f242..f0b5d8853d508301fb1fb343efcef8376e77001b 100644 --- a/README-pwpolicy.md +++ b/README-pwpolicy.md 
@@ -45,7 +45,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops: tasks: - name: Ensure presence of pwpolicies for group ops ipapwpolicy: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops minlife: 7 maxlife: 49 @@ -56,7 +56,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops: maxfail: 3 ``` -Example playbook to ensure absence of pwpolicies for group ops +Example playbook to ensure absence of pwpolicies for group ops: ```yaml --- @@ -67,11 +67,26 @@ Example playbook to ensure absence of pwpolicies for group ops tasks: # Ensure absence of pwpolicies for group ops - ipapwpolicy: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops state: absent ``` +Example playbook to ensure maxlife is set to 49 in global policy: + +```yaml +--- +- name: Playbook to handle pwpolicies + hosts: ipaserver + become: true + + tasks: + # Ensure absence of pwpolicies for group ops + - ipapwpolicy: + ipaadmin_password: SomeADMINpassword + maxlife: 49 +``` + Variables ========= @@ -83,7 +98,7 @@ Variable | Description | Required -------- | ----------- | -------- `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no -`name` \| `cn` | The list of pwpolicy name strings. | no +`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no `maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no `minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no `history` \| `krbpwdhistorylength` | Password history size. (int) | no diff --git a/README-service.md b/README-service.md new file mode 100644 index 0000000000000000000000000000000000000000..da0c692c36563091d65a791b6635054b874d32e9 --- /dev/null +++ b/README-service.md 
@@ -0,0 +1,320 @@ +Service module +============== + +Description +----------- + +The service module allows to ensure presence and absence of services. + + +Features +-------- + +* Service management + + +Supported FreeIPA Versions +-------------------------- + +FreeIPA versions 4.4.0 and up are supported by the ipaservice module. + +Option `skip_host_check` requires FreeIPA version 4.7.0 or later. + + +Requirements +------------ + +**Controller** +* Ansible version: 2.8+ + +**Node** +* Supported FReeIPA version (see above) + + +Usage +===== + +Example inventory file + +```ini +[ipaserver] +ipaserver.test.local +``` + + +Example playbook to make sure service is present: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + certificate: + - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw + DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT + ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH + VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM + LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT + oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s + 4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc + xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1 + UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q + eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs + 5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic + uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH + 2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no + obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC + 
/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq + pac_type: PAD + auth_ind: otp + requires_pre_auth: false + ok_as_delegate: false + ok_to_auth_as_delegate: false + skip-host-check: true + force: true +``` + + +Example playbook to make sure service is absent: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + state: absent +``` + + +Example playbook to make sure service is disabled: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + state: disabled +``` + +Example playbook to add a service even if the host object does not exist, but only if it does have a DNS entry: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + skip_host_check: true + force: false +``` + +Example playbook to add a service if it does have a DNS entry, but host object exits: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + skip_host_check: false + force: true +``` + +Example playbook to ensure service has a certificate: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service member certificate is present. 
+ - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + certificate: + - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw + DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT + ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH + VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM + LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT + oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s + 4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc + xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1 + UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q + eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs + 5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic + uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH + 2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no + obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC + /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq + action: member + state: present +``` + +Example playbook to add a principal to the service: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Principal host/principal.example.com present in service. + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + principal: host/principal.example.com + action: member +``` + +Example playbook to enable a host to manage service: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure host can manage service, again. 
+ - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + host: host1.example.com + action: member +``` + +Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Allow users, groups, hosts or host groups to create a keytab of this service. + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - host1.example.com + - host2.example.com + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member +``` + +Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service: + +```yaml +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Allow users, groups, hosts or host groups to retrieve a keytab of this service. + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member +``` + + +Variables +--------- + +ipaservice + +Variable | Description | Required +-------- | ----------- | -------- +`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no +`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no +`name` \| `service` | The list of service name strings. | yes +`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no +`pac_type` \| `ipakrbauthzdata` | Supported PAC type. 
It can be one of `MS-PAC`, `PAD`, or `NONE`. | no +`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no +`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no +`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no +`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no +`skip_host_check` | Force service to be created even when host object does not exist to manage it. Default to false. (bool)| no +`force` | Force principal name even if host not in DNS. Default to false. (bool) | no +`host` \| `managedby_host`| Hosts that can manage the service. | no +`principal` \| `krbprincipalname` | List of principal aliases for the service. | no +`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no +`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group`| Groups allowed to create a keytab of this host. | no +`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host`| Hosts allowed to create a keytab of this host. | no +`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_group`| Host groups allowed to create a keytab of this host. | no +`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this host. | no +`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no +`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no +`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. 
| no +`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no +`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no + + +Authors +======= + +Rafael Jeffman diff --git a/README-sudocmd.md b/README-sudocmd.md index 2842a2fc3ae38b8cd965e5b3c7bee3a7c8495021..64300e08d5b8484ae08649a333c313c11a6efd9c 100644 --- a/README-sudocmd.md +++ b/README-sudocmd.md @@ -52,7 +52,7 @@ Example playbook to make sure sudocmd exists: tasks: # Ensure sudocmd is present - ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: /usr/bin/su state: present ``` @@ -68,7 +68,7 @@ Example playbook to make sure sudocmd is absent: tasks: # Ensure sudocmd are absent - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: /usr/bin/su state: absent ``` diff --git a/README-sudocmdgroup.md b/README-sudocmdgroup.md index f24b2cc4ee7bfcd7ec7ac8e53a6b632b18d9f25a..cca08c191d92e18b9fdf6ee610a4b734aec44d1a 100644 --- a/README-sudocmdgroup.md +++ b/README-sudocmdgroup.md @@ -52,7 +52,7 @@ Example playbook to make sure sudocmdgroup is present: tasks: # Ensure sudocmdgroup is present - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group01 description: Group of important commands ``` @@ -68,7 +68,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are present tasks: # Ensure sudo commands are present in existing sudocmdgroup - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group01 sudocmd: - /usr/bin/su @@ -88,7 +88,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are absent i tasks: # Ensure sudocmds are absent in existing sudocmdgroup - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group01 sudocmd: - /usr/bin/su 
@@ -108,7 +108,7 @@ Example playbook to make sure sudocmdgroup is absent: tasks: # Ensure sudocmdgroup is absent - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group01 state: absent ``` diff --git a/README-sudorule.md b/README-sudorule.md index aca1b2d0e1c4e6ed9bdce4f48b7a9db2d3870af0..4bec5e65fde0b96ad1c7b7314ba57b187a50bdf8 100644 --- a/README-sudorule.md +++ b/README-sudorule.md @@ -50,7 +50,7 @@ Example playbook to make sure Sudo Rule is present: tasks: # Ensure Sudo Rule is present - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 ``` @@ -66,9 +66,9 @@ Example playbook to make sure sudocmds are present in Sudo Rule: tasks: # Ensure Sudo Rule is present - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig action: member ``` @@ -85,9 +85,9 @@ Example playbook to make sure sudocmds are not present in Sudo Rule: tasks: # Ensure Sudo Rule is present - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig action: member state: absent @@ -104,8 +104,9 @@ Example playbook to make sure Sudo Rule is absent: tasks: # Ensure Sudo Rule is present - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 + state: absent ``` 
@@ -124,13 +125,21 @@ Variable | Description | Required `usercategory` | User category the rule applies to. Choices: ["all"] | no `hostcategory` | Host category the rule applies to. Choices: ["all"] | no `cmdcategory` | Command category the rule applies to. Choices: ["all"] | no +`runasusercategory` | RunAs User category the rule applies to. Choices: ["all"] | no +`runasgroupcategory` | RunAs Group category the rule applies to. Choices: ["all"] | no `nomembers` | Suppress processing of membership attributes. (bool) | no `host` | List of host name strings assigned to this sudorule. | no `hostgroup` | List of host group name strings assigned to this sudorule. | no `user` | List of user name strings assigned to this sudorule. | no `group` | List of user group name strings assigned to this sudorule. | no -`cmd` | List of sudocmd name strings assigned to this sudorule. | no -`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no +`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no +`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no +`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no +`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no +`sudooption` \| `option` | List of options to the sudorule | no +`order` | Integer to order the sudorule | no +`runasuser` | List of users for Sudo to execute as. | no +`runasgroup` | List of groups for Sudo to execute as. | no `action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no diff --git a/README-topology.md b/README-topology.md index dc595ebdb104116830762003898ca968802c4e5e..84ab240d50166f57a05494ffcb1b49ebddfaf477 100644 
--- a/README-topology.md +++ b/README-topology.md @@ -50,7 +50,7 @@ Example playbook to add a topology segment with default name (cn): tasks: - name: Add topology segment ipatopologysegment: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local @@ -70,7 +70,7 @@ Example playbook to delete a topology segment: tasks: - name: Delete topology segment ipatopologysegment: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local @@ -90,7 +90,7 @@ Example playbook to reinitialize a topology segment: tasks: - name: Reinitialize topology segment ipatopologysegment: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local @@ -111,7 +111,7 @@ Example playbook to verify a topology suffix: tasks: - name: Verify topology suffix ipatopologysuffix: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain state: verified ``` diff --git a/README-user.md b/README-user.md index 56772a7704101b24622662c039203ba93f5b663d..6958ebe575066d6ea6d1ea831f04adc8b0587864 100644 --- a/README-user.md +++ b/README-user.md @@ -52,7 +52,7 @@ Example playbook to ensure a user is present: tasks: # Ensure user pinky is present - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky first: pinky last: Acme @@ -66,7 +66,7 @@ Example playbook to ensure a user is present: # Ensure user brain is present - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: brain first: brain last: Acme 
@@ -85,7 +85,7 @@ These two `ipauser` module calls can be combined into one with the `users` varia tasks: # Ensure users pinky and brain are present - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: pinky first: pinky @@ -153,7 +153,7 @@ Ensure user pinky is present with a generated random password and print the rand tasks: # Ensure user pinky is present with a random password - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: brain first: brain last: Acme @@ -176,7 +176,7 @@ Ensure users pinky and brain are present with a generated random password and pr tasks: # Ensure users pinky and brain are present with random password - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: pinky first: pinky @@ -212,7 +212,7 @@ Example playbook to delete a user, but preserve it: tasks: # Remove but preserve user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky preserve: yes state: absent @@ -231,7 +231,7 @@ Example playbook to delete a user, but preserve it using the `users` variable: tasks: # Remove but preserve user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: pinky preserve: yes @@ -252,7 +252,7 @@ Example playbook to undelete a preserved user. tasks: # Undelete preserved user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky state: undeleted ``` @@ -271,7 +271,7 @@ Example playbook to disable a user: tasks: # Disable user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky state: disabled ``` @@ -290,7 +290,7 @@ Example playbook to enable users: tasks: # Enable user pinky and brain - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: enabled ``` 
@@ -309,7 +309,7 @@ Example playbook to unlock users: tasks: # Unlock user pinky and brain - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: unlocked ``` @@ -326,7 +326,7 @@ Example playbook to ensure users are absent: tasks: # Ensure users pinky and brain are absent - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: absent ``` @@ -345,7 +345,7 @@ Example playbook to ensure users are absent: tasks: # Ensure users pinky and brain are absent - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: pinky - name: brain @@ -408,7 +408,7 @@ Variable | Description | Required `manager` | List of manager user names. | no `carlicense` | List of car licenses. | no `sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no -`userauthtype` | List of supported user authentication types. Choices: `password`, `radius` and `otp` | no +`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no `userclass` | User category. (semantics placed on this attribute are for local interpretation). | no `radius` | RADIUS proxy configuration | no `radiususer` | RADIUS proxy username | no diff --git a/README-vault.md b/README-vault.md new file mode 100644 index 0000000000000000000000000000000000000000..9c0c833c4a9e5454cadcc778e2d8c6c5a84a0bd1 --- /dev/null +++ b/README-vault.md 
@@ -0,0 +1,203 @@ +Vault module +=================== + +Description +----------- + +The vault module allows to ensure presence and absence of vault and members of vaults. + +The vault module is as compatible as possible to the Ansible upstream `ipa_vault` module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults. + + +Features +-------- +* Vault management + + +Supported FreeIPA Versions +-------------------------- + +FreeIPA versions 4.4.0 and up are supported by the ipavault module. + + +Requirements +------------ + +**Controller** +* Ansible version: 2.8+ + +**Node** +* Supported FreeIPA version (see above) +* KRA service must be enabled + + +Usage +===== + +Example inventory file + +```ini +[ipaserver] +ipaserver.test.local +``` + +Example playbook to make sure vault is present: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + vault_password: MyVaultPassword123 + description: A standard private vault. +``` + +Example playbook to make sure that a vault and its members are present: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + users: user01 +``` + +`action` controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set `action` to `member`. 
+ +Example playbook to make sure that a vault member is present in vault: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + users: user01 + action: member +``` + +Example playbook to make sure that a vault owner is absent in vault: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + owner: user01 + action: member + state: absent +``` + +Example playbook to make sure vault data is present in a symmetric vault: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + vault_password: MyVaultPassword123 + vault_data: > + Data archived. + More data archived. + action: member +``` + +Example playbook to make sure vault data is absent in a symmetric vault: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + vault_password: MyVaultPassword123 + action: member + state: absent +``` + +Example playbook to make sure vault is absent: + +```yaml +--- +- name: Playbook to handle vaults + hosts: ipaserver + become: true + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + state: absent +``` + +Variables +========= + +ipavault +------- + +Variable | Description | Required +-------- | ----------- | -------- +`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no +`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no +`name` \| `cn` | The list of vault name strings. 
| yes +`description` | The vault description string. | no +`nomembers` | Suppress processing of membership attributes. (bool) | no +`vault_public_key` \| `ipavaultpublickey` | Vault public key. | no +`vault_salt` \| `ipavaultsalt` | Vault salt. | no +`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no +`service` | Any service can own one or more service vaults. | no +`user` | Any user can own one or more user vaults. | no +`shared` | Vault is shared. Default to false. (bool) | no +`users` | Users that are members of the vault. | no +`groups` | Groups that are member of the vault. | no +`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no +`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no +`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no + + +Notes +===== + +ipavault uses a client context to execute, and it might affect execution time. + + +Authors +======= + +Rafael Jeffman diff --git a/README.md b/README.md index f95458a37ca32ea4abccb8319dbf36709524e947..49060399986294570c7437f02711b7249943e7b8 100644 --- a/README.md +++ b/README.md @@ -19,16 +19,18 @@ Features * Modules for host management * Modules for hostgroup management * Modules for pwpolicy management +* Modules for service management * Modules for sudocmd management * Modules for sudocmdgroup management * Modules for sudorule management * Modules for topology management * Modules for user management +* Modules for vault management Supported FreeIPA Versions -------------------------- -FreeIPA versions 4.6 and up are supported by all roles. +FreeIPA versions 4.6 and up are supported by all roles. The client role supports versions 4.4 and up, the server role is working with versions 4.5 and up, the replica role is currently only working with versions 4.6 and up. 
@@ -156,6 +158,7 @@ ipaserver_install_packages=no ipaserver_setup_firewalld=no ``` The installation of packages and also the configuration of the firewall are by default enabled. +Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`. For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md). @@ -231,6 +234,7 @@ ipareplica_setup_firewalld=no ``` The installation of packages and also the configuration of the firewall are by default enabled. +Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`. For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md). @@ -404,6 +408,7 @@ Roles Modules in plugin/modules ========================= +* [ipadnsconfig](README-dnsconfig.md) * [ipadnsforwardzone](README-dnsforwardzone.md) * [ipagroup](README-group.md) * [ipahbacrule](README-hbacrule.md) @@ -412,9 +417,11 @@ Modules in plugin/modules * [ipahost](README-host.md) * [ipahostgroup](README-hostgroup.md) * [ipapwpolicy](README-pwpolicy.md) +* [ipaservice](README-service.md) * [ipasudocmd](README-sudocmd.md) * [ipasudocmdgroup](README-sudocmdgroup.md) * [ipasudorule](README-sudorule.md) * [ipatopologysegment](README-topology.md) * [ipatopologysuffix](README-topology.md) * [ipauser](README-user.md) +* [ipavault](README-vault.md) diff --git a/galaxy.yml b/galaxy.yml index 8c9788b22cff525b55329da613c64221ebcf2450..9740ba3d570c9d691b9709a22c331f7dfbfb7bfa 100644 --- a/galaxy.yml +++ b/galaxy.yml @@ -15,6 +15,8 @@ readme: "README.md" license: "GPL-3.0-or-later" license_file: "COPYING" +dependencies: + tags: - "identity" - "ipa" 
diff --git a/playbooks/dnsconfig/disable-global-forwarders.yml b/playbooks/dnsconfig/disable-global-forwarders.yml new file mode 100644 index 0000000000000000000000000000000000000000..3b4f638c72adb42e4fe094e681238778b2aa591b --- /dev/null +++ b/playbooks/dnsconfig/disable-global-forwarders.yml @@ -0,0 +1,9 @@ +--- +- name: Playbook to disable global DNS forwarders + hosts: ipaserver + become: true + + tasks: + - name: Disable global forwarders. + ipadnsconfig: + forward_policy: none diff --git a/playbooks/dnsconfig/disallow-reverse-sync.yml b/playbooks/dnsconfig/disallow-reverse-sync.yml new file mode 100644 index 0000000000000000000000000000000000000000..e99996efe1cf766b3470b82c8709d8c1d29af628 --- /dev/null +++ b/playbooks/dnsconfig/disallow-reverse-sync.yml @@ -0,0 +1,9 @@ +--- +- name: Playbook to disallow reverse record synchronization. + hosts: ipaserver + become: true + + tasks: + - name: Disallow reverse record synchronization. + ipadnsconfig: + allow_sync_ptr: no diff --git a/playbooks/dnsconfig/forwarders-absent.yml b/playbooks/dnsconfig/forwarders-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..21a393ddeffc4af6e05367ee458c59d827fe5b4f --- /dev/null +++ b/playbooks/dnsconfig/forwarders-absent.yml @@ -0,0 +1,13 @@ +--- +- name: Playbook to handle global DNS configuration + hosts: ipaserver + become: true + + tasks: + - name: Set dnsconfig. + ipadnsconfig: + forwarders: + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent diff --git a/playbooks/dnsconfig/set-configuration.yml b/playbooks/dnsconfig/set-configuration.yml new file mode 100644 index 0000000000000000000000000000000000000000..17880aaf090dc05fd52d525da0b12cf24b755936 --- /dev/null +++ b/playbooks/dnsconfig/set-configuration.yml 
@@ -0,0 +1,14 @@ +--- +- name: Playbook to handle global DNS configuration + hosts: ipaserver + become: true + + tasks: + - name: Set dnsconfig. + ipadnsconfig: + forwarders: + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + forward_policy: only + allow_sync_ptr: yes diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml index 73dfd2ac4b26f3aac5fff76fea61c77d68429f2b..fda5aeac54eba04482c80beafbf8237538d4c4ab 100644 --- a/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml +++ b/playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml @@ -7,6 +7,6 @@ tasks: - name: Ensure HBAC Rule allhosts is absent ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allhosts state: absent diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml index 33196df530c20d51503da1cd876cc5019669d6d8..4a5c7b152e8eef802b313cd646ad99d6b62002ed 100644 --- a/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml +++ b/playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml @@ -7,6 +7,6 @@ tasks: - name: Ensure HBAC Rule allhosts is disabled ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allhosts state: disabled diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml index ad97b97594293435a510bd3e4fe18d7968d3ace1..86b815f17ec33f1211b1f0d3130122229305f889 100644 --- a/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml +++ b/playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml @@ -7,6 +7,6 @@ tasks: - name: Ensure HBAC Rule allhosts is enabled ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allhosts state: enabled 
diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml index 203f914a208a4bc4a2274ca352b38057cb85869f..d43bc4e5b28b342533ddf384b678a1c1b07b12a6 100644 --- a/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml +++ b/playbooks/hbacrule/ensure-hbarule-allhosts-present.yml @@ -7,6 +7,6 @@ tasks: - name: Ensure HBAC Rule allhosts is present ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allhosts usercategory: all diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml index d3a77394574cb05662838dc9cae01008dffaf584..bbe5e8caf6d4f23fc66c453584a14ed6b43f021b 100644 --- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml +++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml @@ -7,7 +7,7 @@ tasks: - name: Ensure host server is absent in HBAC Rule allhosts ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allhosts host: server action: member diff --git a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml index 286402fc85e57645efea4127a3cedaac733179b8..d1703b2794e9e857c247978cc73babc0377faa36 100644 --- a/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml +++ b/playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml @@ -7,7 +7,7 @@ tasks: - name: Ensure host server is present in HBAC Rule allhosts ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allhosts host: server action: member diff --git a/playbooks/hbacsvc/ensure-hbacsvc-absent.yml b/playbooks/hbacsvc/ensure-hbacsvc-absent.yml index cb766e7316059a5ddf9050562d99673ed7672eb2..357fa8afc86ff952f6a9d9eebf3aab95c89038ef 100644 --- a/playbooks/hbacsvc/ensure-hbacsvc-absent.yml 
+++ b/playbooks/hbacsvc/ensure-hbacsvc-absent.yml @@ -7,6 +7,6 @@ tasks: - name: Ensure HBAC Services for http and tftp are absent ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http,tftp state: absent diff --git a/playbooks/hbacsvc/ensure-hbacsvc-present.yml b/playbooks/hbacsvc/ensure-hbacsvc-present.yml index 1ed1d7c9b74a5dedc6d9bfb7647613b39ac69170..6892125da28fdad345fe465643e78ed73bff41ac 100644 --- a/playbooks/hbacsvc/ensure-hbacsvc-present.yml +++ b/playbooks/hbacsvc/ensure-hbacsvc-present.yml @@ -7,12 +7,12 @@ tasks: - name: Ensure HBAC Service for http is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http description: Web service - name: Ensure HBAC Service for tftp is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: tftp description: TFTP service diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml index c4e24d1313241da758333e93bc9b402d5691b8c8..7564b9bf15e1b3080e833fcf71c249bafd1a0075 100644 --- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml +++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml @@ -7,7 +7,7 @@ tasks: - name: Ensure HBAC Service Group login is absent ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml index b72703c361313498bffef93d11f03f90ccd80d98..f37fa27c9d90521d42b924b040861b26eadc620f 100644 --- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml +++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml 
@@ -7,7 +7,7 @@ tasks: - name: Ensure HBAC Services sshd is absent in HBAC Service Group login ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml index 9b213c7bbe77dd266453a3f2b8745370b427fcdd..c03c55710d2b59474216a6ee409ad04cdf6f1fec 100644 --- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml +++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml @@ -7,7 +7,7 @@ tasks: - name: Ensure HBAC Service sshd is present in HBAC Service Group login ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd diff --git a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml index 9b213c7bbe77dd266453a3f2b8745370b427fcdd..c03c55710d2b59474216a6ee409ad04cdf6f1fec 100644 --- a/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml +++ b/playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml @@ -7,7 +7,7 @@ tasks: - name: Ensure HBAC Service sshd is present in HBAC Service Group login ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd diff --git a/playbooks/host/delete-host.yml b/playbooks/host/delete-host.yml index 30eaf3ef838715f913d6ce999550b59d505a0d67..c441c8bb7439430eb97e7e8ea5539bb33b347288 100644 --- a/playbooks/host/delete-host.yml +++ b/playbooks/host/delete-host.yml @@ -6,6 +6,6 @@ tasks: - name: Ensure host host01.example.com is absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com state: absent diff --git a/playbooks/host/disable-host.yml b/playbooks/host/disable-host.yml index 3e265fe238886aef57f79ca671d339c87d11ee65..c6e277c7a3ef5f49b3e83aa9d1a923efd7ae6477 100644 
--- a/playbooks/host/disable-host.yml +++ b/playbooks/host/disable-host.yml @@ -6,6 +6,6 @@ tasks: - name: Disable host host01.example.com ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com state: disabled diff --git a/playbooks/host/ensure_host_with_randompassword.yml b/playbooks/host/ensure_host_with_randompassword.yml index cd1a1331380c0fa169659e06d6097e878eee36b7..d6376033a9fbbc513ab1f806a02f6a646217be0b 100644 --- a/playbooks/host/ensure_host_with_randompassword.yml +++ b/playbooks/host/ensure_host_with_randompassword.yml @@ -6,7 +6,7 @@ tasks: - name: Host "{{ 'host1.' + ipaserver_domain }}" present with random password ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ 'host1.' + ipaserver_domain }}" random: yes force: yes diff --git a/playbooks/host/host-member-allow_create_keytab-absent.yml b/playbooks/host/host-member-allow_create_keytab-absent.yml index 55e3110d852a2f82c287c8f220869abe18f03983..5ec1a171f93322f24f4d1177b9e4ce4d60c53dab 100644 --- a/playbooks/host/host-member-allow_create_keytab-absent.yml +++ b/playbooks/host/host-member-allow_create_keytab-absent.yml @@ -6,7 +6,7 @@ tasks: - name: Host host1.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.exmaple.com allow_create_keytab_user: - user01 diff --git a/playbooks/host/host-member-allow_create_keytab-present.yml b/playbooks/host/host-member-allow_create_keytab-present.yml index f5865497faa1716693b550cf5090931b9ee0da65..36c31dd28ec529ba993c6a0b4c4a7fe5609c5570 100644 --- a/playbooks/host/host-member-allow_create_keytab-present.yml +++ b/playbooks/host/host-member-allow_create_keytab-present.yml 
@@ -6,7 +6,7 @@ tasks: - name: Host host1.example.com members allow_create_keytab present for users, groups, hosts and hostgroups ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.exmaple.com allow_create_keytab_user: - user01 diff --git a/playbooks/host/host-member-allow_retrieve_keytab-absent.yml b/playbooks/host/host-member-allow_retrieve_keytab-absent.yml index b8830f605171830b3bf3fd30953e0fa50d290358..b7752e7c06dca4d9a06bd8b88cde4b9ba10e0ff9 100644 --- a/playbooks/host/host-member-allow_retrieve_keytab-absent.yml +++ b/playbooks/host/host-member-allow_retrieve_keytab-absent.yml @@ -6,7 +6,7 @@ tasks: - name: Host host1.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.exmaple.com allow_retrieve_keytab_user: - user01 diff --git a/playbooks/host/host-member-allow_retrieve_keytab-present.yml b/playbooks/host/host-member-allow_retrieve_keytab-present.yml index fde116cce25c705364749a8dfbc9e2bb3a14cd6e..ee849e062d77645d7cc061fe940166030cd43483 100644 --- a/playbooks/host/host-member-allow_retrieve_keytab-present.yml +++ b/playbooks/host/host-member-allow_retrieve_keytab-present.yml @@ -6,7 +6,7 @@ tasks: - name: Host host1.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.exmaple.com allow_retrieve_keytab_user: - user01 diff --git a/playbooks/host/host-member-certificate-absent.yml b/playbooks/host/host-member-certificate-absent.yml index 918951f82d64a8f405a8f239a16ba93df2c542d3..841b39cddc672be3d0a6f03bde1ecc3582d5ac09 100644 --- a/playbooks/host/host-member-certificate-absent.yml +++ b/playbooks/host/host-member-certificate-absent.yml 
@@ -5,7 +5,7 @@ tasks: - name: Host host01.example.com member certificate absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com certificate: - 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 diff --git a/playbooks/host/host-member-certificate-present.yml b/playbooks/host/host-member-certificate-present.yml index 066ae0a975a38271d4a645135a4dd10aba342746..8071a9425b609751a31144d9dae2ea4e717b38ab 100644 --- a/playbooks/host/host-member-certificate-present.yml +++ b/playbooks/host/host-member-certificate-present.yml @@ -5,7 +5,7 @@ tasks: - name: Host host01.example.com member certificate present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com certificate: - 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 diff --git a/playbooks/host/host-member-ipaddresses-absent.yml b/playbooks/host/host-member-ipaddresses-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..31c2eec7a0044441e40ddcb12639063eca8742e5 --- /dev/null +++ b/playbooks/host/host-member-ipaddresses-absent.yml @@ -0,0 +1,17 @@ +--- +- name: Host member IP addresses absent + hosts: ipaserver + become: true + + tasks: + - name: Ensure host01.example.com IP addresses absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: host01.example.com + ip_address: + - 192.168.0.123 + - fe80::20c:29ff:fe02:a1b3 + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b4 + action: member + state: absent diff --git a/playbooks/host/host-member-ipaddresses-present.yml b/playbooks/host/host-member-ipaddresses-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..2dd88e1380d482343071602b28c4db906b6bfe4c --- /dev/null +++ b/playbooks/host/host-member-ipaddresses-present.yml 
@@ -0,0 +1,16 @@ +--- +- name: Host member IP addresses present + hosts: ipaserver + become: true + + tasks: + - name: Ensure host01.example.com IP addresses present + ipahost: + ipaadmin_password: SomeADMINpassword + name: host01.example.com + ip_address: + - 192.168.0.123 + - fe80::20c:29ff:fe02:a1b3 + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b4 + action: member diff --git a/playbooks/host/host-member-managedby_host-absent.yml b/playbooks/host/host-member-managedby_host-absent.yml index f899a52fa6c6756b419aa256c1da1252476fc7e6..e9fc6b4c5497bbf0f8d68ad164b636f2e4ea531e 100644 --- a/playbooks/host/host-member-managedby_host-absent.yml +++ b/playbooks/host/host-member-managedby_host-absent.yml @@ -5,7 +5,7 @@ tasks: ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.exmaple.com managedby_host: server.exmaple.com action: member diff --git a/playbooks/host/host-member-managedby_host-present.yml b/playbooks/host/host-member-managedby_host-present.yml index 073d81ad6335bd61f7d7e853ce72bd562e4927cb..c00548cf2b480d2d3252278eda634374f57af90e 100644 --- a/playbooks/host/host-member-managedby_host-present.yml +++ b/playbooks/host/host-member-managedby_host-present.yml @@ -5,7 +5,7 @@ tasks: ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.exmaple.com managedby_host: server.exmaple.com action: member diff --git a/playbooks/host/host-member-principal-absent.yml b/playbooks/host/host-member-principal-absent.yml index b2c3a8d88191f8a6c0fa0ff51a36d3315ea42d36..2688737e1a3b03d21cb4fa7b0a97efff58e110bd 100644 --- a/playbooks/host/host-member-principal-absent.yml +++ b/playbooks/host/host-member-principal-absent.yml @@ -6,7 +6,7 @@ tasks: - name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com principal: - host/testhost01.example.com 
diff --git a/playbooks/host/host-member-principal-present.yml b/playbooks/host/host-member-principal-present.yml index b56fd591276493536d9d35987c355fea957c02b7..8b5d0cf5b9c77bfa8eb46ebdb838ed8ac791c028 100644 --- a/playbooks/host/host-member-principal-present.yml +++ b/playbooks/host/host-member-principal-present.yml @@ -6,7 +6,7 @@ tasks: - name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com principal: - host/testhost01.example.com diff --git a/playbooks/host/host-present-with-allow_create_keytab.yml b/playbooks/host/host-present-with-allow_create_keytab.yml index f7b9c6f43e8925c6e4520c0840b89211a64f43de..bcdd5df5a2b94979cc1dfdb29a3d3105c8dc94da 100644 --- a/playbooks/host/host-present-with-allow_create_keytab.yml +++ b/playbooks/host/host-present-with-allow_create_keytab.yml @@ -6,7 +6,7 @@ tasks: - name: Host host1.example.com present with allow_create_keytab for users, groups, hosts and hostgroups ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.exmaple.com allow_create_keytab_user: - user01 diff --git a/playbooks/host/host-present-with-allow_retrieve_keytab.yml b/playbooks/host/host-present-with-allow_retrieve_keytab.yml index 5a9f3af5a9b2e2c88f7562f756ba80ee5558df96..f12b15f6290860dafc1fdb89d37bbd9d20985a45 100644 --- a/playbooks/host/host-present-with-allow_retrieve_keytab.yml +++ b/playbooks/host/host-present-with-allow_retrieve_keytab.yml @@ -6,7 +6,7 @@ tasks: - name: Host host1.example.com present with allow_retrieve_keytab for users, groups, hosts and hostgroups ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.exmaple.com allow_retrieve_keytab_user: - user01 
diff --git a/playbooks/host/host-present-with-certificate.yml b/playbooks/host/host-present-with-certificate.yml index f5da46d72577ec2f19ccf795fcda30b88c6f589e..919d7c0bbe4ed3f6d53b59d0a3b12a9bd424c9a3 100644 --- a/playbooks/host/host-present-with-certificate.yml +++ b/playbooks/host/host-present-with-certificate.yml @@ -5,7 +5,7 @@ tasks: - name: Host host01.example.com present with certificate ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com certificate: - 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 diff --git a/playbooks/host/host-present-with-managedby_host.yml b/playbooks/host/host-present-with-managedby_host.yml index b85f5e60ecadd5acf8c96805be7ecff22edcf69e..51a1c21fcf58f5ea9d86f42d1881b121735ceac0 100644 --- a/playbooks/host/host-present-with-managedby_host.yml +++ b/playbooks/host/host-present-with-managedby_host.yml @@ -5,7 +5,7 @@ tasks: ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.exmaple.com managedby_host: server.exmaple.com force: yes diff --git a/playbooks/host/host-present-with-principal.yml b/playbooks/host/host-present-with-principal.yml index 5b8ad4eefa8fe27baaad0249826f88f06fe64fab..e84f45a59848053dfbf159b35b210505f4bacba4 100644 --- a/playbooks/host/host-present-with-principal.yml +++ b/playbooks/host/host-present-with-principal.yml @@ -6,7 +6,7 @@ tasks: - name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com principal: - host/testhost01.example.com diff --git a/playbooks/host/host-present-with-randompassword.yml b/playbooks/host/host-present-with-randompassword.yml index 9063c48061b6a9f3e26073a0bc2e7afc5f136c53..2e9d793dd2814ea3e3358fd3e7a025b7f5bc931f 100644 --- a/playbooks/host/host-present-with-randompassword.yml 
+++ b/playbooks/host/host-present-with-randompassword.yml @@ -6,7 +6,7 @@ tasks: - name: Host host01.example.com present with random password ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com random: yes force: yes diff --git a/playbooks/host/host-present-with-several-ip-addresses.yml b/playbooks/host/host-present-with-several-ip-addresses.yml new file mode 100644 index 0000000000000000000000000000000000000000..e74f67c68bccc48492dc675464049ca0fa80a36c --- /dev/null +++ b/playbooks/host/host-present-with-several-ip-addresses.yml @@ -0,0 +1,24 @@ +--- +- name: Host present with several IP addresses + hosts: ipaserver + become: true + + tasks: + - name: Ensure host is present + ipahost: + ipaadmin_password: SomeADMINpassword + name: host01.example.com + description: Example host + ip_address: + - 192.168.0.123 + - fe80::20c:29ff:fe02:a1b3 + - 192.168.0.124 + - fe80::20c:29ff:fe02:a1b4 + locality: Lab + ns_host_location: Lab + ns_os_version: CentOS 7 + ns_hardware_platform: Lenovo T61 + mac_address: + - "08:00:27:E3:B1:2D" + - "52:54:00:BD:97:1E" + state: present diff --git a/playbooks/host/host-present.yml b/playbooks/host/host-present.yml index d40c1ecf21e1281e7d6c8844b5499606ed4b3fec..afb9a0ecbda3a320b6e7beb7b595ed85c7705563 100644 --- a/playbooks/host/host-present.yml +++ b/playbooks/host/host-present.yml @@ -6,7 +6,7 @@ tasks: - name: Ensure host is present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com description: Example host ip_address: 192.168.0.123 diff --git a/playbooks/host/hosts-member-certificate-absent.yml b/playbooks/host/hosts-member-certificate-absent.yml index bb2d5b0393d5474a01bdfbd5bbe3bb30ca4fc383..ec9ba94f046a946325566056435f342ad77f3580 100644 --- a/playbooks/host/hosts-member-certificate-absent.yml +++ b/playbooks/host/hosts-member-certificate-absent.yml 
@@ -6,7 +6,7 @@ tasks: - name: Hosts host01.example.com and host01.exmaple.com member certificate absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.example.com certificate: diff --git a/playbooks/host/hosts-member-certificate-present.yml b/playbooks/host/hosts-member-certificate-present.yml index c402ef4a04cdc36452ec9c630c34281af02b9354..2976244a149cd5018cd8d2cfcbbffe591c17579c 100644 --- a/playbooks/host/hosts-member-certificate-present.yml +++ b/playbooks/host/hosts-member-certificate-present.yml @@ -6,7 +6,7 @@ tasks: - name: Hosts host01.example.com and host01.exmaple.com member certificate present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.example.com certificate: diff --git a/playbooks/host/hosts-member-managedby_host-absent.yml b/playbooks/host/hosts-member-managedby_host-absent.yml index 9b584e5165fb219e290d5e1471628d0fce30ed50..40ae3b7d53aec85894c4063116fc98610f27c69a 100644 --- a/playbooks/host/hosts-member-managedby_host-absent.yml +++ b/playbooks/host/hosts-member-managedby_host-absent.yml @@ -5,7 +5,7 @@ tasks: ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.exmaple.com managedby_host: server.exmaple.com diff --git a/playbooks/host/hosts-member-managedby_host-present.yml b/playbooks/host/hosts-member-managedby_host-present.yml index f8d4e2b79790dbb170fda08210a3131bc1c77745..fe70a59fe1836ee41316b29406644a085c41707b 100644 --- a/playbooks/host/hosts-member-managedby_host-present.yml +++ b/playbooks/host/hosts-member-managedby_host-present.yml @@ -5,7 +5,7 @@ tasks: ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.exmaple.com managedby_host: server.exmaple.com 
diff --git a/playbooks/host/hosts-member-principal-absent.yml b/playbooks/host/hosts-member-principal-absent.yml index edd33521ea89e6bba2981493e51ac121e7e2c914..733bb126b86e3c7b69add484c8df48650496d11f 100644 --- a/playbooks/host/hosts-member-principal-absent.yml +++ b/playbooks/host/hosts-member-principal-absent.yml @@ -6,7 +6,7 @@ tasks: - name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.exmaple.com principal: diff --git a/playbooks/host/hosts-member-principal-present.yml b/playbooks/host/hosts-member-principal-present.yml index 54c9a8f6e467d91e3fb44c0ad6bb20792a9c772c..68d26fe5d0081b895cb10d1f6abff02d503d9e80 100644 --- a/playbooks/host/hosts-member-principal-present.yml +++ b/playbooks/host/hosts-member-principal-present.yml @@ -6,7 +6,7 @@ tasks: - name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.exmaple.com principal: diff --git a/playbooks/host/hosts-present-with-certificate.yml b/playbooks/host/hosts-present-with-certificate.yml index 34e402f741a355ade66d54f3865f1d8a871ff44e..78102e258a01a3bb75884bb6467cc73c6ec9ea6b 100644 --- a/playbooks/host/hosts-present-with-certificate.yml +++ b/playbooks/host/hosts-present-with-certificate.yml @@ -6,7 +6,7 @@ tasks: - name: Hosts host01.example.com and host01.exmaple.com present with certificate ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.example.com certificate: diff --git a/playbooks/host/hosts-present-with-managedby_host.yml b/playbooks/host/hosts-present-with-managedby_host.yml index 5f3546b6fff68e37daaa719f9127663410ccccbf..262f6c1d0ad8cc39f4c944b748fc3ae97fdffd19 100644 --- a/playbooks/host/hosts-present-with-managedby_host.yml 
+++ b/playbooks/host/hosts-present-with-managedby_host.yml @@ -5,7 +5,7 @@ tasks: ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.exmaple.com managedby_host: server.exmaple.com diff --git a/playbooks/host/hosts-present-with-randompasswords.yml b/playbooks/host/hosts-present-with-randompasswords.yml index f747ca31a5d1f906110757a1678789c27bd9adb2..5a1ea9c05c611cfe5ff30a2fa73aa6d45d0b23fd 100644 --- a/playbooks/host/hosts-present-with-randompasswords.yml +++ b/playbooks/host/hosts-present-with-randompasswords.yml @@ -6,7 +6,7 @@ tasks: - name: Hosts host01.example.com and host01.example.com present with random passwords ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: host01.example.com random: yes diff --git a/playbooks/hostgroup/ensure-hostgroup-is-absent.yml b/playbooks/hostgroup/ensure-hostgroup-is-absent.yml index 86508fc6407cfa1cbb203adc5729fcd58fc5dc56..c9e37d3f3c91d5a54455fe7f536b6e9e9072f95d 100644 --- a/playbooks/hostgroup/ensure-hostgroup-is-absent.yml +++ b/playbooks/hostgroup/ensure-hostgroup-is-absent.yml @@ -6,6 +6,6 @@ tasks: # Ensure host-group databases is present - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: absent diff --git a/playbooks/hostgroup/ensure-hostgroup-is-present.yml b/playbooks/hostgroup/ensure-hostgroup-is-present.yml index a2c7ae9adb311b707f30623b077a2a9fa47752ea..bc059dbaebbf7193f5d2d891d815a521e8aba360 100644 --- a/playbooks/hostgroup/ensure-hostgroup-is-present.yml +++ b/playbooks/hostgroup/ensure-hostgroup-is-present.yml @@ -6,7 +6,7 @@ tasks: # Ensure host-group databases is present - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com 
diff --git a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml index 149dfcff07a1f225ba48a68235919e59d32e5739..b3fbd558a95b6c732ea947057d2d27ed2becafec 100644 --- a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml +++ b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml @@ -6,7 +6,7 @@ tasks: # Ensure hosts and hostgroups are present in existing databases hostgroup - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com diff --git a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml index 4b22fd66930b8f5392e32c6c1b55cc3bbdaa510c..c103ce927d49793c24a6fddc2b0b416dc204a6aa 100644 --- a/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml +++ b/playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml @@ -6,7 +6,7 @@ tasks: # Ensure hosts and hostgroups are present in existing databases hostgroup - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com diff --git a/playbooks/service/service-host-is-absent.yml b/playbooks/service/service-host-is-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..5963340f3447aa83c8569fb905381cc7d4b84e7c --- /dev/null +++ b/playbooks/service/service-host-is-absent.yml @@ -0,0 +1,14 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure management host is absent. + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + host: "{{ groups.ipaserver[0] }}" + action: member + state: absent 
diff --git a/playbooks/service/service-host-is-present.yml b/playbooks/service/service-host-is-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..2460051ebf793ab6e357cf24cd02499c1aaeb777 --- /dev/null +++ b/playbooks/service/service-host-is-present.yml @@ -0,0 +1,13 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure management host is present. + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + host: "{{ groups.ipaserver[0] }}" + action: member diff --git a/playbooks/service/service-is-absent.yml b/playbooks/service/service-is-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..fe65771ef893048fcc888adb4f0ca226026acaac --- /dev/null +++ b/playbooks/service/service-is-absent.yml @@ -0,0 +1,12 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is absent + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + state: absent diff --git a/playbooks/service/service-is-disabled.yml b/playbooks/service/service-is-disabled.yml new file mode 100644 index 0000000000000000000000000000000000000000..2bf01fb156aa88ba0a3f9d8ded7ea084ccc06f9d --- /dev/null +++ b/playbooks/service/service-is-disabled.yml @@ -0,0 +1,12 @@ +--- +- name: Playbook to disable IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is disabled + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + state: disabled diff --git a/playbooks/service/service-is-present-with-all-attributes.yml b/playbooks/service/service-is-present-with-all-attributes.yml new file mode 100644 index 0000000000000000000000000000000000000000..f7e59ebca7ad8082befb552d5b3e06ba433dab78 --- /dev/null +++ b/playbooks/service/service-is-present-with-all-attributes.yml 
@@ -0,0 +1,23 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + certificate: + - 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 + pac_type: + - MS-PAC + - PAD + auth_ind: otp + force: no + requires_pre_auth: yes + ok_as_delegate: no + ok_to_auth_as_delegate: no + action: service + state: present diff --git a/playbooks/service/service-is-present-with-host-force.yml b/playbooks/service/service-is-present-with-host-force.yml new file mode 100644 index 0000000000000000000000000000000000000000..2268ea8f402afc815df7fe978177ee3d93f6c3eb --- /dev/null +++ b/playbooks/service/service-is-present-with-host-force.yml @@ -0,0 +1,13 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/ihavenodns.info + force: yes + # state: absent diff --git a/playbooks/service/service-is-present-without-host-object.yml b/playbooks/service/service-is-present-without-host-object.yml new file mode 100644 index 0000000000000000000000000000000000000000..ddf72b8e24ad6a57e564fe2c4321487c77c2955c --- /dev/null +++ b/playbooks/service/service-is-present-without-host-object.yml @@ -0,0 +1,12 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.ansible.com + skip_host_check: yes diff --git a/playbooks/service/service-is-present.yml b/playbooks/service/service-is-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..06e883431b13f6b3e275f7117387725eac68f703 --- /dev/null +++ b/playbooks/service/service-is-present.yml 
@@ -0,0 +1,11 @@ +--- +- name: Playbook to manage IPA service. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service is present + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com diff --git a/playbooks/service/service-member-allow_create_keytab-absent.yml b/playbooks/service/service-member-allow_create_keytab-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..d4a15ea4828753242d5527e52e2db4b7ebd5b15a --- /dev/null +++ b/playbooks/service/service-member-allow_create_keytab-absent.yml @@ -0,0 +1,24 @@ +--- +- name: Service member allow_create_keytab absent + hosts: ipaserver + become: true + + tasks: + - name: Service HTTP/www.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups + ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - host01.example.com + - host02.example.com + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent diff --git a/playbooks/service/service-member-allow_create_keytab-present.yml b/playbooks/service/service-member-allow_create_keytab-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..b28b6dc23a89e061eaa267426543746c1938f2d4 --- /dev/null +++ b/playbooks/service/service-member-allow_create_keytab-present.yml 
@@ -0,0 +1,23 @@ +--- +- name: Service member allow_create_keytab present + hosts: ipaserver + become: true + + tasks: + - name: Service HTTP/www.example.com members allow_create_keytab present for users, groups, hosts and hostgroups + ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - host01.example.com + - host02.example.com + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member diff --git a/playbooks/service/service-member-allow_retrieve_keytab-absent.yml b/playbooks/service/service-member-allow_retrieve_keytab-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..ceada70e5ee1b75e80f6fde05298fa28852902e2 --- /dev/null +++ b/playbooks/service/service-member-allow_retrieve_keytab-absent.yml @@ -0,0 +1,24 @@ +--- +- name: Service member allow_retrieve_keytab absent + hosts: ipaserver + become: true + + tasks: + - name: Service HTTP/www.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups + ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - host01.example.com + - host02.example.com + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent diff --git a/playbooks/service/service-member-allow_retrieve_keytab-present.yml b/playbooks/service/service-member-allow_retrieve_keytab-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..ac98904b32b2ec3e58ab2d9366d76e7177cad28e --- /dev/null +++ b/playbooks/service/service-member-allow_retrieve_keytab-present.yml 
@@ -0,0 +1,23 @@ +--- +- name: Service member allow_retrieve_keytab present + hosts: ipaserver + become: true + + tasks: + - name: Service HTTP/www.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups + ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - host01.example.com + - host02.example.com + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member diff --git a/playbooks/service/service-member-certificate-absent.yml b/playbooks/service/service-member-certificate-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..57b71e5eda70c4cc8fffcf3cd93b0c314620ab12 --- /dev/null +++ b/playbooks/service/service-member-certificate-absent.yml @@ -0,0 +1,16 @@ +--- +- name: Service certificate absent. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service certificate is absent + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + + certificate: + - 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 + action: member + state: absent diff --git a/playbooks/service/service-member-certificate-present.yml b/playbooks/service/service-member-certificate-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..bfa01d055d1e5efd8b88422a7b9000469782cc7a --- /dev/null +++ b/playbooks/service/service-member-certificate-present.yml 
@@ -0,0 +1,15 @@ +--- +- name: Service certificate present. + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure service certificate is present + - ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + certificate: + - MIICBjCCAW8CFHnm32VcXaUDGfEGdDL/erPSijUAMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjAwMTIzMDA1NjQ2WhcNMjEwMTIyMDA1NjQ2WjBCMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYrdVmsr7iT3f67DM5bb1osSEe5/c91UUMEIcFq5wrgBhzVfs8iIMDVC1yiUGTsDLJNJc4nb1tUxeR9K5fh25E6n/eWDBP75NStotjAXRU4Ahi3FNRhWFOKesds5xNqgDk5/dY8UekJv2yUblQuZzeF8b2XFrmHuCaYuFctzPfWwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACF+5RS8Ce0HRixGPu4Xd51i+Kzblg++lx8fDJ8GW5G16/Z1AsB72Hc7etJL2PksHlue/xCq6SA9fIfHc4TBNCiWjPSP1NhHJeYyoPiSkcYsqXuxWyoyRLbnAhBVvhoiqZbUt3u3tGB0uMMA0yJvj07mP7Nea2KdBYVH8X1pM0V+ + action: member + state: present diff --git a/playbooks/service/service-member-principal-absent.yml b/playbooks/service/service-member-principal-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..6bfb168c4f8233384a1c8cdaea9f492c53b10c9c --- /dev/null +++ b/playbooks/service/service-member-principal-absent.yml @@ -0,0 +1,14 @@ +--- +- name: Service member principal absent + hosts: ipaserver + become: true + + tasks: + - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com absent + ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + principal: + - host/test.exmaple.com + action: member + state: absent diff --git a/playbooks/service/service-member-principal-present.yml b/playbooks/service/service-member-principal-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..aa94f32e896e568076a2ae017aaac8f224cde09d --- /dev/null +++ b/playbooks/service/service-member-principal-present.yml 
@@ -0,0 +1,13 @@ +--- +- name: Service member principal present + hosts: ipaserver + become: true + + tasks: + - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com present + ipaservice: + ipaadmin_password: MyPassword123 + name: HTTP/www.example.com + principal: + - host/test.exmaple.com + action: member diff --git a/playbooks/sudocmd/ensure-sudocmd-is-absent.yml b/playbooks/sudocmd/ensure-sudocmd-is-absent.yml index 1b3bbf45e4a0fbe4a4b7f08bb2c40d035ccf4742..3539ed00372d5efcb39aa0e4ae128f12970e688b 100644 --- a/playbooks/sudocmd/ensure-sudocmd-is-absent.yml +++ b/playbooks/sudocmd/ensure-sudocmd-is-absent.yml @@ -6,6 +6,6 @@ tasks: # Ensure sudo command is absent - ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: /usr/bin/su state: absent diff --git a/playbooks/sudocmd/ensure-sudocmd-is-present.yml b/playbooks/sudocmd/ensure-sudocmd-is-present.yml index 3aa0f47195f39501e2b339a76213d4d0073752aa..d648de54282f6c7c5e98e554253e661fb4b27049 100644 --- a/playbooks/sudocmd/ensure-sudocmd-is-present.yml +++ b/playbooks/sudocmd/ensure-sudocmd-is-present.yml @@ -6,6 +6,6 @@ tasks: # Ensure sudo command is present - ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: /usr/bin/su state: present diff --git a/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml b/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml index bde823e54ae63e31047bfcda7a92bf28b5267cc9..49ba2d5a5cce63aae1de8d448d470cdf9d38d860 100644 --- a/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml +++ b/playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml @@ -6,7 +6,7 @@ tasks: # Ensure sudocmds are absent in sudocmdgroup - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig 
diff --git a/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml b/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml index c415695b0b27bae02d36311f9a727195a6d0db2f..fe9ab207541ff5e43cdd085df2ed5e35471f9c91 100644 --- a/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml +++ b/playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml @@ -6,7 +6,7 @@ tasks: # Ensure sudo commands are present - ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - /usr/sbin/ifconfig - /usr/sbin/iwlist @@ -14,7 +14,7 @@ # Ensure sudo commands are present in existing sudocmdgroup - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig diff --git a/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml new file mode 100644 index 0000000000000000000000000000000000000000..b48a710d96406e83c3f5f0dce1d2a97e7883f4a6 --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml @@ -0,0 +1,14 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudooption is absent in sudorule + - ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + sudooption: "!root" + action: member + state: absent diff --git a/playbooks/sudorule/ensure-sudorule-has-sudooption.yml b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml new file mode 100644 index 0000000000000000000000000000000000000000..d1a394cfa93e7c51ade1b2e7180f202829362bce --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-has-sudooption.yml @@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudooption is present in sudorule + - ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + sudooption: "!root" + action: member 
diff --git a/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml b/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml index f74765c29592879008fa93b63a9745396053dbc6..2f0655c56ef96cff65a695844e855e7b1856dc71 100644 --- a/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml +++ b/playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml @@ -7,7 +7,7 @@ tasks: # Ensure host server is absent in Sudo Rule - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 host: server action: member diff --git a/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml b/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml index 4ecf3f33931687b778ccd665451765d085b306c3..e0ce73de8f2b4a7bc78d4bf3b2907f66c69d9ed5 100644 --- a/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml +++ b/playbooks/sudorule/ensure-sudorule-host-member-is-present.yml @@ -7,7 +7,7 @@ tasks: # Ensure host server is present in Sudo Rule - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 host: server action: member diff --git a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml index 301030f533465b32d7932fffb64305540eba083f..c30d63a0a99667d6dcacd769509a7db058683fc8 100644 --- a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml +++ b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml @@ -7,7 +7,7 @@ tasks: # Ensure hostgroup cluster is absent in Sudo Rule - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 hostgroup: cluster action: member diff --git a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml index b4473b27878434989e79fc2c300c5d0cba6a6d49..4813213b6caf9512028a0603a45c2ec26ff5a539 100644 
--- a/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml +++ b/playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml @@ -7,7 +7,7 @@ tasks: # Ensure hostgrep cluster is present in Sudo Rule - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 hostgroup: cluster action: member diff --git a/playbooks/sudorule/ensure-sudorule-is-disabled.yml b/playbooks/sudorule/ensure-sudorule-is-disabled.yml index 90afbd24f671a2c6b11ea283bbcec258f7a0cc49..b51da11875470a2a9ec7fa72f3b40b26f57e880e 100644 --- a/playbooks/sudorule/ensure-sudorule-is-disabled.yml +++ b/playbooks/sudorule/ensure-sudorule-is-disabled.yml @@ -6,6 +6,6 @@ tasks: # Ensure sudorule command is disabled - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 state: disabled diff --git a/playbooks/sudorule/ensure-sudorule-is-enabled.yml b/playbooks/sudorule/ensure-sudorule-is-enabled.yml index 6618344cefbeb47347b72f053a2bce4e3072776b..4cba3bec35666366ba805650575dd55045e89dfc 100644 --- a/playbooks/sudorule/ensure-sudorule-is-enabled.yml +++ b/playbooks/sudorule/ensure-sudorule-is-enabled.yml @@ -6,6 +6,6 @@ tasks: # Ensure sudorule command is enabled - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 state: enabled diff --git a/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml new file mode 100644 index 0000000000000000000000000000000000000000..b884886e6e820b74d56135dd57921999b254c436 --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-is-present-with-order.yml @@ -0,0 +1,12 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudorule is present with the given order. + - ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + order: 2 
diff --git a/playbooks/sudorule/ensure-sudorule-is-present.yml b/playbooks/sudorule/ensure-sudorule-is-present.yml index 5b8f32bc2ac6952fc5d081edbeb3d6bcdd0dc196..e88017cf79b917b4da48d2bce20e233cbbe72f54 100644 --- a/playbooks/sudorule/ensure-sudorule-is-present.yml +++ b/playbooks/sudorule/ensure-sudorule-is-present.yml @@ -6,7 +6,9 @@ tasks: # Ensure sudorule command is present - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 description: A test sudo rule. + allow_sudocmd: /bin/ls + deny_sudocmd: /bin/vim state: present diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..465f386c003db861d75a6188a3b08301243fbdbe --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml @@ -0,0 +1,14 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudorule is present with the given order. + - ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + runasuser: admin + action: member + state: absent diff --git a/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..4a5bee941862c2f6a82b7461cda0191f29349f3b --- /dev/null +++ b/playbooks/sudorule/ensure-sudorule-runasuser-is-present.yml @@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + # Ensure sudorule is present with the given order. + - ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + runasuser: admin + action: member 
diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml index 942d0b53cf0a6744823f932bb9ec20242967aaf2..3ded226ec774fb77451bd8a8a3079200ccabd4e6 100644 --- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml +++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml @@ -6,10 +6,15 @@ tasks: - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig + deny_sudocmd: - /usr/bin/vim + allow_sudocmdgroup: + - devops + deny_sudocmdgroup: + - users action: member state: absent diff --git a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml index 61fcbb0d90b1f02acc0567cf82c94e233c63f6d9..23dd56de84797fc85ab94020e5b530a29914288f 100644 --- a/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml +++ b/playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml @@ -6,9 +6,14 @@ tasks: - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig + deny_sudocmd: - /usr/bin/vim + allow_sudocmdgroup: + - devops + deny_sudocmdgroup: + - users action: member diff --git a/playbooks/topology/add-topologysegment.yml b/playbooks/topology/add-topologysegment.yml index ebf55445cd0da288c9281c4f389e545d17445701..cf157e2ccfef47f2b8087330f19828e158656a22 100644 --- a/playbooks/topology/add-topologysegment.yml +++ b/playbooks/topology/add-topologysegment.yml @@ -6,7 +6,7 @@ tasks: - name: Add topology segment ipatopologysegment: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local diff --git a/playbooks/topology/delete-topologysegment.yml b/playbooks/topology/delete-topologysegment.yml index a3f2c680b17466e0b81c1489d465a4168b52a999..984ea1f521c3d7d737949945db2cfb07f035083c 100644 
--- a/playbooks/topology/delete-topologysegment.yml +++ b/playbooks/topology/delete-topologysegment.yml @@ -6,7 +6,7 @@ tasks: - name: Delete topology segment ipatopologysegment: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local diff --git a/playbooks/topology/reinitialize-topologysegment.yml b/playbooks/topology/reinitialize-topologysegment.yml index 1f21cd23080985b0828523d175677b8f491a87d5..efe6bc3e1f92a36c8aaa1df40bd5580a8e9046d4 100644 --- a/playbooks/topology/reinitialize-topologysegment.yml +++ b/playbooks/topology/reinitialize-topologysegment.yml @@ -6,7 +6,7 @@ tasks: - name: Reinitialize topology segment ipatopologysegment: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain left: ipareplica1.test.local right: ipareplica2.test.local diff --git a/playbooks/topology/verify-topologysuffix.yml b/playbooks/topology/verify-topologysuffix.yml index b27ca3d60f171b236f9b58a467258e66af2316e6..70e788c383b43d76b6b71b19bcec446fde8572c3 100644 --- a/playbooks/topology/verify-topologysuffix.yml +++ b/playbooks/topology/verify-topologysuffix.yml @@ -6,6 +6,6 @@ tasks: - name: Verify topology suffix ipatopologysuffix: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword suffix: domain state: verified diff --git a/playbooks/user/add-group.yml b/playbooks/user/add-group.yml index a36ca14f698192f4821e9086403b334dfa22e3be..46e0faabda92fb8e7a31a37f6c28f020c3fe4a76 100644 --- a/playbooks/user/add-group.yml +++ b/playbooks/user/add-group.yml 
@@ -6,19 +6,19 @@ tasks: - name: Create group ops with gid 1234 ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops gidnumber: 1234 - name: Create group sysops ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops user: - pinky - name: Create group appops ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: appops diff --git a/playbooks/user/add-groups-to-group.yml b/playbooks/user/add-groups-to-group.yml index ecc9b455b82163fbc170f4f985df809187837c1a..d91e526416871e21eaa2f637df649e8019421175 100644 --- a/playbooks/user/add-groups-to-group.yml +++ b/playbooks/user/add-groups-to-group.yml @@ -6,7 +6,7 @@ tasks: - name: Add group members sysops and appops to group sysops ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops group: - sysops diff --git a/playbooks/user/add-user-to-group.yml b/playbooks/user/add-user-to-group.yml index 9ed5eb1a7163e67302241491da2520d89442c402..635c0a9130ad597741ff75eba35ed401ae1142cf 100644 --- a/playbooks/user/add-user-to-group.yml +++ b/playbooks/user/add-user-to-group.yml @@ -6,7 +6,7 @@ tasks: - name: Add user member brain to group sysops ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops action: member user: diff --git a/playbooks/user/add-user.yml b/playbooks/user/add-user.yml index 345a028e123f0a8795bf1a3f91288ab7dc5d6c0c..ed72e51d267fab6947afa198dbfe46fbe1db9108 100644 --- a/playbooks/user/add-user.yml +++ b/playbooks/user/add-user.yml @@ -6,7 +6,7 @@ tasks: - name: Create user pinky ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky first: pinky last: Acme diff --git a/playbooks/user/delete-group.yml b/playbooks/user/delete-group.yml index 2d863c37dd861c6d3ee0b8a86f6b2587274be4ff..ae9f78c79b10673f18c7152998c1ace96c27bc05 100644 --- a/playbooks/user/delete-group.yml 
+++ b/playbooks/user/delete-group.yml @@ -6,6 +6,6 @@ tasks: - name: Remove goups sysops, appops and ops ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops,appops,ops state: absent diff --git a/playbooks/user/delete-preserve-user.yml b/playbooks/user/delete-preserve-user.yml index c202b15923db2efa02bfb9b616061d21c92b8868..5d93a3d310e25fee583ed40563bd2bc3d2c832ac 100644 --- a/playbooks/user/delete-preserve-user.yml +++ b/playbooks/user/delete-preserve-user.yml @@ -6,7 +6,7 @@ tasks: - name: Delete and preserve user pinky ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky preserve: yes state: absent diff --git a/playbooks/user/delete-user.yml b/playbooks/user/delete-user.yml index 101a2b4b1e199babc806864cd5f8a1caeb73047a..d9239e04d0923ac827dd0f3d497be422e95d4d38 100644 --- a/playbooks/user/delete-user.yml +++ b/playbooks/user/delete-user.yml @@ -6,6 +6,6 @@ tasks: - name: Remove user pinky and brain ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky state: absent diff --git a/playbooks/user/disable-user.yml b/playbooks/user/disable-user.yml index 192fd53106b560c8d657730bebdc0a0e1ebff4bb..17c55940620e6dfd42bf24f00158acd7cbc3ddf3 100644 --- a/playbooks/user/disable-user.yml +++ b/playbooks/user/disable-user.yml @@ -6,6 +6,6 @@ tasks: - name: Disable user pinky ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky state: disabled diff --git a/playbooks/user/enable-user.yml b/playbooks/user/enable-user.yml index dfbba493ba7832c3be3240f61e48dbcc1486bc89..fd3ebf3b7917f9deb899a8af85b2755d6b015e5e 100644 --- a/playbooks/user/enable-user.yml +++ b/playbooks/user/enable-user.yml @@ -6,6 +6,6 @@ tasks: - name: Enable user pinky ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky state: enabled 
diff --git a/playbooks/user/ensure_user_with_randompassword.yml b/playbooks/user/ensure_user_with_randompassword.yml index 4ca9f214b10bce196438f531490c4a8940094091..ee821f0a01f3a84c53d312bec2632e9a14e28211 100644 --- a/playbooks/user/ensure_user_with_randompassword.yml +++ b/playbooks/user/ensure_user_with_randompassword.yml @@ -6,7 +6,7 @@ tasks: - name: User user1 present with random password ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: user1 first: first1 last: last1 diff --git a/playbooks/user/ensure_users_with_randompasswords.yml b/playbooks/user/ensure_users_with_randompasswords.yml index 06f50c71444d325388fe6afde72bd6cb9d6bafad..c03988778685502b56a9d80eb127d001a717a454 100644 --- a/playbooks/user/ensure_users_with_randompasswords.yml +++ b/playbooks/user/ensure_users_with_randompasswords.yml @@ -6,7 +6,7 @@ tasks: - name: Users user1 and user1 present with random password ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 first: first1 diff --git a/playbooks/user/undelete-user.yml b/playbooks/user/undelete-user.yml index 79feda07f1c72c6473ea5c56f70a676af9983d0f..2b95100facf57d04820343bb58fec319f33d7bbb 100644 --- a/playbooks/user/undelete-user.yml +++ b/playbooks/user/undelete-user.yml @@ -6,6 +6,6 @@ tasks: - name: Undelete preserved user pinky ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky state: undeleted diff --git a/playbooks/user/unlock-users.yml b/playbooks/user/unlock-users.yml index 337e97f4fa8cb26b9a5def230ccf0d7ec4af62a4..36edac259d8badf16f12d27d11f6766cef059b59 100644 --- a/playbooks/user/unlock-users.yml +++ b/playbooks/user/unlock-users.yml @@ -6,6 +6,6 @@ tasks: - name: Unlock users pinky and brain ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: unlocked 
diff --git a/playbooks/vault/data-archive-in-asymmetric-vault.yml b/playbooks/vault/data-archive-in-asymmetric-vault.yml new file mode 100644 index 0000000000000000000000000000000000000000..5fd55dfe3115088e8a4cd89e7fcda561f63b5cf5 --- /dev/null +++ b/playbooks/vault/data-archive-in-asymmetric-vault.yml @@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + username: user01 + vault_data: The world of π is half rounded. + action: member diff --git a/playbooks/vault/data-archive-in-symmetric-vault.yml b/playbooks/vault/data-archive-in-symmetric-vault.yml new file mode 100644 index 0000000000000000000000000000000000000000..f94e9d87abacdc74bea596322c3deee1e8060be0 --- /dev/null +++ b/playbooks/vault/data-archive-in-symmetric-vault.yml @@ -0,0 +1,14 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + vault_password: MyVaultPassword123 + vault_data: The world of π is half rounded. + action: member diff --git a/playbooks/vault/ensure-asymetric-vault-is-absent.yml b/playbooks/vault/ensure-asymetric-vault-is-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..7ee6cf39401de1b9eebf9644c62fbbfdbb7178f1 --- /dev/null +++ b/playbooks/vault/ensure-asymetric-vault-is-absent.yml @@ -0,0 +1,12 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + username: admin + state: absent diff --git a/playbooks/vault/ensure-asymetric-vault-is-present.yml b/playbooks/vault/ensure-asymetric-vault-is-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..247f36fce1cbd4b766a6a69e5a8753639550c573 --- /dev/null +++ b/playbooks/vault/ensure-asymetric-vault-is-present.yml 
@@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + username: admin + vault_public_key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTRHTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlVbFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo= + vault_type: asymmetric diff --git a/playbooks/vault/ensure-service-vault-is-absent.yml b/playbooks/vault/ensure-service-vault-is-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..65c4c8d816d93b5b966ebc94bd03f3b005d7ab95 --- /dev/null +++ b/playbooks/vault/ensure-service-vault-is-absent.yml @@ -0,0 +1,12 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: svcvault + service: "HTTP/{{ groups.ipaserver[0] }}" + state: absent diff --git a/playbooks/vault/ensure-service-vault-is-present.yml b/playbooks/vault/ensure-service-vault-is-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..cf6da2236d075f0ca27c1bedcfa023e54a8cfe99 --- /dev/null +++ b/playbooks/vault/ensure-service-vault-is-present.yml @@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: svcvault + service: "HTTP/{{ groups.ipaserver[0] }}" + ipavaultpassword: MyVaultPassword123 + state: present diff --git a/playbooks/vault/ensure-shared-vault-is-absent.yml b/playbooks/vault/ensure-shared-vault-is-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..0191ab1c3bfa5bd75e335f7873b91b7f1aaa5010 --- /dev/null 
+++ b/playbooks/vault/ensure-shared-vault-is-absent.yml @@ -0,0 +1,12 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: sharedvault + shared: True + state: absent diff --git a/playbooks/vault/ensure-shared-vault-is-present.yml b/playbooks/vault/ensure-shared-vault-is-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..c403afccce3bfde96fedc2e3b102d35a52f1e1c5 --- /dev/null +++ b/playbooks/vault/ensure-shared-vault-is-present.yml @@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: sharedvault + shared: True + ipavaultpassword: MyVaultPassword123 + state: present diff --git a/playbooks/vault/ensure-standard-vault-is-absent.yml b/playbooks/vault/ensure-standard-vault-is-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..3d7cd8abeb9dc398f86017d247aaa9ebc07d15e3 --- /dev/null +++ b/playbooks/vault/ensure-standard-vault-is-absent.yml @@ -0,0 +1,12 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: admin + state: absent diff --git a/playbooks/vault/ensure-standard-vault-is-present.yml b/playbooks/vault/ensure-standard-vault-is-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..64d08fec65225f8d30601b0f62afce253558ce71 --- /dev/null +++ b/playbooks/vault/ensure-standard-vault-is-present.yml @@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_type: standard + username: admin + description: A standard private vault. 
diff --git a/playbooks/vault/ensure-symetric-vault-is-absent.yml b/playbooks/vault/ensure-symetric-vault-is-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..a0d5bbcda3c1571bc14ace2ad7387df68a9ec273 --- /dev/null +++ b/playbooks/vault/ensure-symetric-vault-is-absent.yml @@ -0,0 +1,12 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + state: absent diff --git a/playbooks/vault/ensure-symetric-vault-is-present.yml b/playbooks/vault/ensure-symetric-vault-is-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..949f60e27abb2cea12e7f196e6e3a331b602dd2f --- /dev/null +++ b/playbooks/vault/ensure-symetric-vault-is-present.yml @@ -0,0 +1,13 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + vault_password: MyVaultPassword123 + vault_type: symmetric diff --git a/playbooks/vault/ensure-vault-is-present-with-members.yml b/playbooks/vault/ensure-vault-is-present-with-members.yml new file mode 100644 index 0000000000000000000000000000000000000000..ba96ad14e9a301a0c1aa895edddd77bfe8c84e69 --- /dev/null +++ b/playbooks/vault/ensure-vault-is-present-with-members.yml @@ -0,0 +1,17 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_type: standard + username: admin + users: + - user01 + - user02 + groups: + - ipausers diff --git a/playbooks/vault/ensure-vault-member-group-is-absent.yml b/playbooks/vault/ensure-vault-member-group-is-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..c5e7f7d5780874fe7bbcf1ddd4fa37f4a00df7a9 --- /dev/null +++ b/playbooks/vault/ensure-vault-member-group-is-absent.yml 
@@ -0,0 +1,14 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: keychain + username: admin + state: absent + action: member + groups: ipausers diff --git a/playbooks/vault/ensure-vault-member-group-is-present.yml b/playbooks/vault/ensure-vault-member-group-is-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..12b52613ad0e5b57560b6b0ff971ca6533baf9f6 --- /dev/null +++ b/playbooks/vault/ensure-vault-member-group-is-present.yml @@ -0,0 +1,14 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: keychain + username: admin + state: present + action: member + groups: ipausers diff --git a/playbooks/vault/ensure-vault-member-user-is-absent.yml b/playbooks/vault/ensure-vault-member-user-is-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..7d0578a62307384483e6bb42ee311de3545afdfe --- /dev/null +++ b/playbooks/vault/ensure-vault-member-user-is-absent.yml @@ -0,0 +1,16 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: keychain + username: admin + state: absent + action: member + users: + - user01 + - user02 diff --git a/playbooks/vault/ensure-vault-member-user-is-present.yml b/playbooks/vault/ensure-vault-member-user-is-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..a04e6e209ac13dbc3de1ecfcb1683f260256a545 --- /dev/null +++ b/playbooks/vault/ensure-vault-member-user-is-present.yml @@ -0,0 +1,14 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: keychain + username: admin + state: present + action: member + users: user1 
diff --git a/playbooks/vault/ensure-vault-owner-is-absent.yml b/playbooks/vault/ensure-vault-owner-is-absent.yml new file mode 100644 index 0000000000000000000000000000000000000000..817a324b43795ac58534b4bfa00bc21f4aa49fb2 --- /dev/null +++ b/playbooks/vault/ensure-vault-owner-is-absent.yml @@ -0,0 +1,15 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + owners: user01 + ownergroups: ipausers + action: member + state: absent diff --git a/playbooks/vault/ensure-vault-owner-is-present.yml b/playbooks/vault/ensure-vault-owner-is-present.yml new file mode 100644 index 0000000000000000000000000000000000000000..7c4cfb200746e50f7d38cfed03ad4b43e0cef949 --- /dev/null +++ b/playbooks/vault/ensure-vault-owner-is-present.yml @@ -0,0 +1,15 @@ +--- +- name: Tests + hosts: ipaserver + become: true + gather_facts: false + + tasks: + - ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + owners: user01 + ownergroups: ipausers + action: member + state: present diff --git a/plugins/module_utils/ansible_freeipa_module.py b/plugins/module_utils/ansible_freeipa_module.py index a8312bc5c2c0306129398fb6c91c226d57679167..b8df38d4f6bc6fe21dc4af8bedab93cd728cbdd2 100644 --- a/plugins/module_utils/ansible_freeipa_module.py +++ b/plugins/module_utils/ansible_freeipa_module.py @@ -28,6 +28,7 @@ import shutil import gssapi from datetime import datetime from ipalib import api +from ipalib import errors as ipalib_errors from ipalib.config import Env from ipalib.constants import DEFAULT_CONFIG, LDAP_GENERALIZED_TIME_FORMAT try: @@ -42,6 +43,7 @@ try: from ipalib.x509 import Encoding except ImportError: from cryptography.hazmat.primitives.serialization import Encoding +import socket import base64 import six 
@@ -151,6 +153,13 @@ def api_command(module, command, name, args): return api.Command[command](name, **args) +def api_command_no_name(module, command, args): + """ + Call ipa.Command without a name. + """ + return api.Command[command](**args) + + def api_check_param(command, name): """ Return if param exists in command param list @@ -215,10 +224,20 @@ def compare_args_ipa(module, args, ipa): arg = [to_text(_arg) for _arg in arg] if isinstance(ipa_arg[0], unicode) and isinstance(arg[0], int): arg = [to_text(_arg) for _arg in arg] - # module.warn("%s <=> %s" % (arg, ipa_arg)) - if set(arg) != set(ipa_arg): - # module.warn("DIFFERENT") - return False + # module.warn("%s <=> %s" % (repr(arg), repr(ipa_arg))) + try: + arg_set = set(arg) + ipa_arg_set = set(ipa_arg) + except TypeError: + if arg != ipa_arg: + # module.warn("%s != %s" % (repr(arg), repr(ipa_arg))) + return False + else: + if arg_set != ipa_arg_set: + # module.warn("%s != %s" % (repr(arg), repr(ipa_arg))) + return False + + # module.warn("%s == %s" % (repr(arg), repr(ipa_arg))) return True @@ -261,10 +280,32 @@ def encode_certificate(cert): Encode a certificate using base64 with also taking FreeIPA and Python versions into account """ - if isinstance(cert, str) or isinstance(cert, unicode): + if isinstance(cert, (str, unicode, bytes)): encoded = base64.b64encode(cert) else: encoded = base64.b64encode(cert.public_bytes(Encoding.DER)) if not six.PY2: encoded = encoded.decode('ascii') return encoded + + +def is_ipv4_addr(ipaddr): + """ + Test if figen IP address is a valid IPv4 address + """ + try: + socket.inet_pton(socket.AF_INET, ipaddr) + except socket.error: + return False + return True + + +def is_ipv6_addr(ipaddr): + """ + Test if figen IP address is a valid IPv6 address + """ + try: + socket.inet_pton(socket.AF_INET6, ipaddr) + except socket.error: + return False + return True 
diff --git a/plugins/modules/ipadnsconfig.py b/plugins/modules/ipadnsconfig.py new file mode 100644 index 0000000000000000000000000000000000000000..4c9cf2d71a4652737adcf678bfc486d8b97dc465 --- /dev/null +++ b/plugins/modules/ipadnsconfig.py 
@@ -0,0 +1,257 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Authors: +# Rafael Guterres Jeffman <rjeffman@redhat.com> +# +# Copyright (C) 2019 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + + +ANSIBLE_METADATA = { + "metadata_version": "1.0", + "supported_by": "community", + "status": ["preview"], +} + +DOCUMENTATION = """ +--- +module: ipadnsconfig +short description: Manage FreeIPA dnsconfig +description: Manage FreeIPA dnsconfig +options: + ipaadmin_principal: + description: The admin principal + default: admin + ipaadmin_password: + description: The admin password + required: false + + forwarders: + description: The list of global DNS forwarders. + required: false + options: + ip_address: + description: The forwarder nameserver IP address list (IPv4 and IPv6). + required: true + port: + description: The port to forward requests to. + required: false + forward_policy: + description: + Global forwarding policy. Set to "none" to disable any configured + global forwarders. + required: false + choices: ['only', 'first', 'none'] + allow_sync_ptr: + description: + Allow synchronization of forward (A, AAAA) and reverse (PTR) records. 
+ required: false + type: bool + state: + description: State to ensure + default: present + choices: ["present", "absent"] +""" + +EXAMPLES = """ +# Ensure global DNS forward configuration, allowing PTR record synchronization. +- ipadnsconfig: + forwarders: + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + forward_policy: only + allow_sync_ptr: yes + +# Ensure forwarder is absent. +- ipadnsconfig: + forwarders: + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent + +# Disable PTR record synchronization. +- ipadnsconfig: + allow_sync_ptr: no + +# Disable global forwarders. +- ipadnsconfig: + forward_policy: none +""" + +RETURN = """ +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_text +from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ + temp_kdestroy, valid_creds, api_connect, api_command, \ + api_command_no_name, compare_args_ipa, module_params_get, \ + gen_add_del_lists, is_ipv4_addr, is_ipv6_addr, ipalib_errors + + +def find_dnsconfig(module): + _args = { + "all": True, + } + + _result = api_command_no_name(module, "dnsconfig_show", _args) + + if "result" in _result: + if _result["result"].get('idnsforwarders', None) is None: + _result["result"]['idnsforwarders'] = [''] + return _result["result"] + else: + module.fail("Could not retrieve current DNS configuration.") + return None + + +def gen_args(module, state, dnsconfig, forwarders, forward_policy, + allow_sync_ptr): + _args = {} + + if forwarders: + _forwarders = [] + for forwarder in forwarders: + ip_address = forwarder.get('ip_address') + port = forwarder.get('port') + if not (is_ipv4_addr(ip_address) or is_ipv6_addr(ip_address)): + module.fail( + msg="Invalid IP for DNS forwarder: %s" % ip_address) + if port is None: + _forwarders.append(ip_address) + else: + _forwarders.append('%s port %d' % (ip_address, port)) + + global_forwarders = dnsconfig.get('idnsforwarders', []) + if state == 'absent': + 
_args['idnsforwarders'] = [ + fwd for fwd in global_forwarders if fwd not in _forwarders] + # When all forwarders should be excluded, use an empty string (''). + if not _args['idnsforwarders']: + _args['idnsforwarders'] = [''] + + elif state == 'present': + _args['idnsforwarders'] = [ + fwd for fwd in _forwarders if fwd not in global_forwarders] + # If no forwarders should be added, remove argument. + if not _args['idnsforwarders']: + del _args['idnsforwarders'] + + else: + # shouldn't happen, but let's be paranoid. + module.fail(msg="Invalid state: %s" % state) + + if forward_policy is not None: + _args['idnsforwardpolicy'] = forward_policy + + if allow_sync_ptr is not None: + _args['idnsallowsyncptr'] = 'TRUE' if allow_sync_ptr else 'FALSE' + + return _args + + +def main(): + forwarder_spec = dict( + ip_address=dict(type=str, required=True), + port=dict(type=int, required=False, default=None) + ) + + ansible_module = AnsibleModule( + argument_spec=dict( + # general + ipaadmin_principal=dict(type='str', default='admin'), + ipaadmin_password=dict(type='str', no_log=True), + + # dnsconfig + forwarders=dict(type='list', default=None, required=False, + options=dict(**forwarder_spec)), + forward_policy=dict(type='str', required=False, default=None, + choices=['only', 'first', 'none']), + allow_sync_ptr=dict(type='bool', required=False, default=None), + + # general + state=dict(type="str", default="present", + choices=["present", "absent"]), + + ) + ) + + ansible_module._ansible_debug = True + + # general + ipaadmin_principal = module_params_get(ansible_module, + "ipaadmin_principal") + ipaadmin_password = module_params_get(ansible_module, + "ipaadmin_password") + + forwarders = module_params_get(ansible_module, 'forwarders') or [] + forward_policy = module_params_get(ansible_module, 'forward_policy') + allow_sync_ptr = module_params_get(ansible_module, 'allow_sync_ptr') + + state = module_params_get(ansible_module, 'state') + + # Check parameters. 
+ invalid = [] + if state == 'absent': + invalid = ['forward_policy', 'allow_sync_ptr'] + + for x in invalid: + if vars()[x] is not None: + ansible_module.fail_json( + msg="Argument '%s' can not be used with state '%s'" % + (x, state)) + + # Init + + changed = False + ccache_dir = None + ccache_name = None + try: + if not valid_creds(ansible_module, ipaadmin_principal): + ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, + ipaadmin_password) + api_connect() + + res_find = find_dnsconfig(ansible_module) + args = gen_args(ansible_module, state, res_find, forwarders, + forward_policy, allow_sync_ptr) + + # Execute command only if configuration changes. + if not compare_args_ipa(ansible_module, args, res_find): + try: + api_command_no_name(ansible_module, 'dnsconfig_mod', args) + # If command did not fail, something changed. + changed = True + + except Exception as e: + msg = str(e) + ansible_module.fail_json(msg="dnsconfig_mod: %s" % msg) + + except Exception as e: + ansible_module.fail_json(msg=str(e)) + + finally: + temp_kdestroy(ccache_dir, ccache_name) + + # Done + + ansible_module.exit_json(changed=changed) + + +if __name__ == "__main__": + main() diff --git a/plugins/modules/ipagroup.py b/plugins/modules/ipagroup.py index 50838cbffc3d55a2e993d2bfa241f25243187bf1..477c505185d0cfbe0b307110b2feaf1f04ee1775 100644 --- a/plugins/modules/ipagroup.py +++ b/plugins/modules/ipagroup.py @@ -90,23 +90,23 @@ author: EXAMPLES = """ # Create group ops with gid 1234 - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops gidnumber: 1234 # Create group sysops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops # Create group appops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: appops # Add user member pinky to group sysops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops action: member user: 
@@ -114,7 +114,7 @@ EXAMPLES = """ # Add user member brain to group sysops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops action: member user: @@ -122,7 +122,7 @@ EXAMPLES = """ # Add group members sysops and appops to group sysops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops group: - sysops @@ -130,7 +130,7 @@ EXAMPLES = """ # Remove goups sysops, appops and ops - ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sysops,appops,ops state: absent """ diff --git a/plugins/modules/ipahbacrule.py b/plugins/modules/ipahbacrule.py index 385876b37fe761d3e37c1e3ce4899f50cd3ec04c..fd0ce238c15af5c63291b7a1ee2a7e439c5aa9e6 100644 --- a/plugins/modules/ipahbacrule.py +++ b/plugins/modules/ipahbacrule.py 
@@ -103,52 +103,52 @@ author: EXAMPLES = """ # Ensure HBAC Rule allhosts is present - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allhosts usercategory: all # Ensure host server is present in HBAC Rule allhosts - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allhosts host: server action: member # Ensure HBAC Rule sshd-pinky is present - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sshd-pinky hostcategory: all # Ensure user pinky is present in HBAC Rule sshd-pinky - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sshd-pinky user: pinky action: member # Ensure HBAC service sshd is present in HBAC Rule sshd-pinky - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sshd-pinky hbacsvc: sshd action: member # Ensure HBAC Rule sshd-pinky is disabled - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sshd-pinky state: disabled # Ensure HBAC Rule sshd-pinky is enabled - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sshd-pinky state: enabled # Ensure HBAC Rule sshd-pinky is absent - ipahbacrule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: sshd-pinky state: absent """ 
@@ -344,41 +344,41 @@ def main(): # Generate addition and removal lists host_add = list( set(host or []) - - set(res_find.get("member_host", []))) + set(res_find.get("memberhost_host", []))) host_del = list( - set(res_find.get("member_host", [])) - + set(res_find.get("memberhost_host", [])) - set(host or [])) hostgroup_add = list( set(hostgroup or []) - - set(res_find.get("member_hostgroup", []))) + set(res_find.get("memberhost_hostgroup", []))) hostgroup_del = list( - set(res_find.get("member_hostgroup", [])) - + set(res_find.get("memberhost_hostgroup", [])) - set(hostgroup or [])) hbacsvc_add = list( set(hbacsvc or []) - - set(res_find.get("member_hbacsvc", []))) + set(res_find.get("memberservice_hbacsvc", []))) hbacsvc_del = list( - set(res_find.get("member_hbacsvc", [])) - + set(res_find.get("memberservice_hbacsvc", [])) - set(hbacsvc or [])) hbacsvcgroup_add = list( set(hbacsvcgroup or []) - - set(res_find.get("member_hbacsvcgroup", []))) + set(res_find.get("memberservice_hbacsvcgroup", []))) hbacsvcgroup_del = list( - set(res_find.get("member_hbacsvcgroup", [])) - + set(res_find.get("memberservice_hbacsvcgroup", [])) - set(hbacsvcgroup or [])) user_add = list( set(user or []) - - set(res_find.get("member_user", []))) + set(res_find.get("memberuser_user", []))) user_del = list( - set(res_find.get("member_user", [])) - + set(res_find.get("memberuser_user", [])) - set(user or [])) group_add = list( set(group or []) - - set(res_find.get("member_group", []))) + set(res_find.get("memberuser_group", []))) group_del = list( - set(res_find.get("member_group", [])) - + set(res_find.get("memberuser_group", [])) - set(group or [])) # Add hosts and hostgroups diff --git a/plugins/modules/ipahbacsvc.py b/plugins/modules/ipahbacsvc.py index cf9bc60c3084d0228f1be788c5f45a50b2295b58..969a62efa7f9b06691266f48838e03312468a76c 100644 --- a/plugins/modules/ipahbacsvc.py +++ b/plugins/modules/ipahbacsvc.py 
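Review bot: The key renames in the ipahbacrule add/removal hunk (`member_host` -> `memberhost_host`, `member_user` -> `memberuser_user`, `member_hbacsvc` -> `memberservice_hbacsvc`, and the group/hostgroup/svcgroup equivalents) are a behaviour fix, not a refactor: with the old keys every `res_find.get(...)` returned the default `[]`, so each `*_del` list was always empty and each `*_add` list always contained the full requested membership, meaning the module re-added members on every run. Please mention that in the commit message and add a test that runs the same member task twice and asserts `changed` is false on the second run, so a future key change is caught instead of silently breaking idempotency again.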
@@ -56,13 +56,13 @@ author: EXAMPLES = """ # Ensure HBAC Service for http is present - ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http description: Web service # Ensure HBAC Service for tftp is absent - ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: tftp state: absent """ diff --git a/plugins/modules/ipahbacsvcgroup.py b/plugins/modules/ipahbacsvcgroup.py index 643f2805ab99bbad8a79343c68f9f58bd510adb5..3b9132a0ae660ca35c5bc743929034c0e37e3fa6 100644 --- a/plugins/modules/ipahbacsvcgroup.py +++ b/plugins/modules/ipahbacsvcgroup.py @@ -69,14 +69,14 @@ author: EXAMPLES = """ # Ensure hbacsvcgroup login is present - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd # Ensure hbacsvc sshd is present in existing login hbacsvcgroup - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases hbacsvc: - sshd @@ -84,7 +84,7 @@ EXAMPLES = """ # Ensure hbacsvc sshd is abdsent in existing login hbacsvcgroup - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases hbacsvc: - sshd @@ -93,7 +93,7 @@ EXAMPLES = """ # Ensure hbacsvcgroup login is absent - ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login state: absent """ diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py index ec5e19630debc8989ed3264e3c1b1ef36a831a5d..9b22f5bf69f0423df9084bc069c41d4bbf47f73d 100644 --- a/plugins/modules/ipahost.py +++ b/plugins/modules/ipahost.py 
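Review bot: The ipahbacsvcgroup EXAMPLES context has two wording problems that make the examples misleading: "# Ensure hbacsvc sshd is present in existing login hbacsvcgroup" and "# Ensure hbacsvc sshd is abdsent in existing login hbacsvcgroup" both sit above tasks whose `name:` is `databases`, not `login`, and "abdsent" is a typo. Since both hunks already touch these blocks, align the comments with the `name:` values (or vice versa) and fix the spelling here.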
@@ -147,9 +147,10 @@ options: Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. + Use empty string to reset auth_ind to the initial value. type: list aliases: ["krbprincipalauthind"] - choices: ["radius", "otp", "pkinit", "hardened"] + choices: ["radius", "otp", "pkinit", "hardened", ""] required: false requires_pre_auth: description: Pre-authentication is required for the service @@ -175,11 +176,16 @@ options: default: true required: false ip_address: - description: The host IP address + description: + The host IP address list (IPv4 and IPv6). No IP address conflict + check will be done. aliases: ["ipaddress"] required: false update_dns: - description: Update DNS entries + description: + Controls the update of the DNS SSHFP records for existing hosts and + the removal of all DNS entries if a host gets removed with state + absent. required: false description: description: The host description @@ -277,9 +283,10 @@ options: Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. + Use empty string to reset auth_ind to the initial value. type: list aliases: ["krbprincipalauthind"] - choices: ["radius", "otp", "pkinit", "hardened"] + choices: ["radius", "otp", "pkinit", "hardened", ""] required: false requires_pre_auth: description: Pre-authentication is required for the service 
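Review bot: The new `ip_address` description ("The host IP address list (IPv4 and IPv6). No IP address conflict check will be done.") is added to both option blocks but neither gains `type: list`, even though the argument_spec in this same patch changes `ip_address` from `type="str"` to `type="list"`; add `type: list` to both documentation blocks so the docs match the spec. The "no conflict check" sentence is worth keeping, but say why it is the case (the records are created with `dnsrecord_add` rather than through `host_add`), and note that the `reverse` option controls PTR creation for the addresses given here, otherwise users will not know how the two parameters interact.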
@@ -304,11 +311,16 @@ options: default: true required: false ip_address: - description: The host IP address + description: + The host IP address list (IPv4 and IPv6). No IP address conflict + check will be done. aliases: ["ipaddress"] required: false update_dns: - description: Update DNS entries + description: + Controls the update of the DNS SSHFP records for existing hosts and + the removal of all DNS entries if a host gets removed with state + absent. required: false update_password: description: @@ -331,7 +343,7 @@ author: EXAMPLES = """ # Ensure host is present - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com description: Example host ip_address: 192.168.0.123 @@ -346,14 +358,14 @@ EXAMPLES = """ # Ensure host is present without DNS - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host02.example.com description: Example host force: yes # Initiate generation of a random password for the host - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com description: Example host ip_address: 192.168.0.123 @@ -361,7 +373,7 @@ EXAMPLES = """ # Ensure host is disabled - ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: host01.example.com update_dns: yes state: disabled @@ -396,7 +408,8 @@ from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \ - module_params_get, gen_add_del_lists, encode_certificate, api_get_realm + module_params_get, gen_add_del_lists, encode_certificate, api_get_realm, \ + is_ipv4_addr, is_ipv6_addr, ipalib_errors import six 
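Review bot: The extended import in the ipahost hunk (`is_ipv4_addr, is_ipv6_addr, ipalib_errors` from `ansible.module_utils.ansible_freeipa_module`) depends on those three names being exported by the module_utils, and nothing in this patch adds them there; either include the module_utils change in this series or confirm it already landed, otherwise the module fails at import time on every node. While touching the docs, the `update_dns` description now says it only affects SSHFP updates and removal on `state: absent`, so the "Ensure host is disabled" example that passes `update_dns: yes` no longer illustrates anything; consider dropping the option from that example.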
@@ -426,6 +439,32 @@ def find_host(module, name): return None +def find_dnsrecord(module, name): + domain_name = name[name.find(".")+1:] + host_name = name[:name.find(".")] + + _args = { + "all": True, + "idnsname": to_text(host_name), + } + + _result = api_command(module, "dnsrecord_find", to_text(domain_name), + _args) + + if len(_result["result"]) > 1: + module.fail_json( + msg="There is more than one host '%s'" % (name)) + elif len(_result["result"]) == 1: + _res = _result["result"][0] + certs = _res.get("usercertificate") + if certs is not None: + _res["usercertificate"] = [encode_certificate(cert) for + cert in certs] + return _res + else: + return None + + def show_host(module, name): _result = api_command(module, "host_show", to_text(name), {}) return _result["result"] @@ -468,16 +507,34 @@ def gen_args(description, locality, location, platform, os, password, random, _args["ipakrboktoauthasdelegate"] = ok_to_auth_as_delegate if force is not None: _args["force"] = force - if reverse is not None: - _args["no_reverse"] = not reverse if ip_address is not None: - _args["ip_address"] = ip_address + # IP addresses are handed extra, therefore it is needed to set + # the force option here to make sure that host-add is able to + # add a host without IP address. + _args["force"] = True if update_dns is not None: _args["updatedns"] = update_dns return _args +def gen_dnsrecord_args(module, ip_address, reverse): + _args = {} + if reverse is not None: + _args["a_extra_create_reverse"] = reverse + _args["aaaa_extra_create_reverse"] = reverse + if ip_address is not None: + for ip in ip_address: + if is_ipv4_addr(ip): + _args.setdefault("arecord", []).append(ip) + elif is_ipv6_addr(ip): + _args.setdefault("aaaarecord", []).append(ip) + else: + module.fail_json(msg="'%s' is not a valid IP address." % ip) + + return _args + + def check_parameters( module, state, action, description, locality, location, platform, os, password, random, 
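Review bot: `find_dnsrecord()` derives the zone from `name[name.find(".")+1:]` and the record label from `name[:name.find(".")]`, which silently misbehaves when `name` contains no dot: `find()` returns -1, so `domain_name` becomes the whole name and `host_name` becomes the name minus its last character. Validate that the host name is fully qualified before splitting (fail_json with a clear message) and consider that the first label is not always the record name: a host in a zone above its immediate parent (for example a record `host.sub` in zone `example.com`) will not be found this way. Two smaller points in the same hunk: the `usercertificate` re-encoding block was copied from `find_host()` but a `dnsrecord_find` result never carries that attribute, so it is dead code; and in `gen_args()` the new `_args["force"] = True` overrides a user-supplied `force: false` whenever `ip_address` is given, which should at least be documented (the comment's "handed extra" should also read "handled separately").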
@@ -497,8 +554,7 @@ def check_parameters( "os", "password", "random", "mac_address", "sshpubkey", "userclass", "auth_ind", "requires_pre_auth", "ok_as_delegate", "ok_to_auth_as_delegate", "force", - "reverse", "ip_address", "update_dns", - "update_password"] + "reverse", "update_dns", "update_password"] for x in invalid: if vars()[x] is not None: module.fail_json( @@ -510,20 +566,26 @@ def check_parameters( "password", "random", "mac_address", "sshpubkey", "userclass", "auth_ind", "requires_pre_auth", "ok_as_delegate", "ok_to_auth_as_delegate", "force", - "reverse", "ip_address", "update_password"] + "reverse", "update_password"] + for x in invalid: + if vars()[x] is not None: + module.fail_json( + msg="Argument '%s' can not be used with state '%s'" % + (x, state)) if action == "host": - invalid.extend([ + invalid = [ "certificate", "managedby_host", "principal", "allow_create_keytab_user", "allow_create_keytab_group", "allow_create_keytab_host", "allow_create_keytab_hostgroup", "allow_retrieve_keytab_user", "allow_retrieve_keytab_group", "allow_retrieve_keytab_host", - "allow_retrieve_keytab_hostgroup"]) - for x in invalid: - if vars()[x] is not None: - module.fail_json( - msg="Argument '%s' can not be used with state '%s'" % - (x, state)) + "allow_retrieve_keytab_hostgroup" + ] + for x in invalid: + if vars()[x] is not None: + module.fail_json( + msg="Argument '%s' can only be used with action " + "'member' for state '%s'" % (x, state)) def main(): @@ -541,9 +603,6 @@ def main(): default=None, no_log=True), random=dict(type="bool", aliases=["random_password"], default=None), - - - certificate=dict(type="list", aliases=["usercertificate"], default=None), managedby_host=dict(type="list", 
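Review bot: The `for x in invalid: if vars()[x] is not None: module.fail_json(...)` loop now appears three times in `check_parameters()` with only the message differing; factor it into a small helper taking the list and the message so the state- and action-specific checks stay in sync. The behavioural change itself is right: moving the state-level loop before the `if action == "host":` block means an argument that is invalid for the state is reported first, and the new "can only be used with action 'member'" message is clearer than the old generic one, but please state in the commit message that `ip_address` was deliberately removed from both invalid lists because it is now valid for `state: absent` with `action: member`.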
@@ -590,7 +649,7 @@ def main(): default=None), auth_ind=dict(type='list', aliases=["krbprincipalauthind"], default=None, - choices=['password', 'radius', 'otp']), + choices=['radius', 'otp', 'pkinit', 'hardened', '']), requires_pre_auth=dict(type="bool", aliases=["ipakrbrequirespreauth"], default=None), ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"], @@ -600,7 +659,7 @@ def main(): default=None), force=dict(type='bool', default=None), reverse=dict(type='bool', default=None), - ip_address=dict(type="str", aliases=["ipaddress"], + ip_address=dict(type="list", aliases=["ipaddress"], default=None), update_dns=dict(type="bool", aliases=["updatedns"], default=None), @@ -812,6 +871,20 @@ def main(): # Make sure host exists res_find = find_host(ansible_module, name) + try: + res_find_dnsrecord = find_dnsrecord(ansible_module, name) + except ipalib_errors.NotFound as e: + msg = str(e) + if ip_address is None and \ + ("DNS is not configured" in msg or \ + "DNS zone not found" in msg): + # IP address(es) not given and no DNS support in IPA + # -> Ignore failure + # IP address(es) not given and DNS zone is not found + # -> Ignore failure + res_find_dnsrecord = None + else: + ansible_module.fail_json(msg="%s: %s" % (host, msg)) # Create command if state == "present": @@ -821,6 +894,8 @@ def main(): random, mac_address, sshpubkey, userclass, auth_ind, requires_pre_auth, ok_as_delegate, ok_to_auth_as_delegate, force, reverse, ip_address, update_dns) + dnsrecord_args = gen_dnsrecord_args( + ansible_module, ip_address, reverse) if action == "host": # Found the host 
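Review bot: In the new `except ipalib_errors.NotFound` block the failure path formats the wrong variable: `ansible_module.fail_json(msg="%s: %s" % (host, msg))` uses `host`, which in this module is the `managedby_host` parameter (a list or None), not the host being processed; it should be `name`. The same block decides whether a `NotFound` is benign by substring-matching the English reason text ("DNS is not configured", "DNS zone not found"), which breaks under a non-English server locale; if the server offers no structured way to distinguish the cases, at least document that assumption in a comment. Separately, the `auth_ind` choices change from `['password', 'radius', 'otp']` to `['radius', 'otp', 'pkinit', 'hardened', '']` drops `password`, so any existing playbook using it will now fail validation; call that out as a breaking change in the commit message or the changelog.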
@@ -835,6 +910,13 @@ def main(): if x in args: del args[x] + # Ignore auth_ind if it is empty (for resetting) + # and not set in for the host + if "krbprincipalauthind" not in res_find and \ + "krbprincipalauthind" in args and \ + args["krbprincipalauthind"] == ['']: + del args["krbprincipalauthind"] + # For all settings is args, check if there are # different settings in the find result. # If yes: modify 
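Review bot: The reset handling only recognises the exact value `['']` for `krbprincipalauthind`; a mixed list such as `['', 'otp']` passes through unchanged and will be sent to `host_mod`, where the empty element is most likely rejected with an unhelpful server-side error. Reject the combination of `''` with other indicator values in `check_parameters()` so the user gets a clear message, and keep a comment here explaining that `''` means "clear the whitelist" rather than "allow nothing", since an authentication-indicator whitelist is a security control and a reader should not have to guess which way the reset goes.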
@@ -923,39 +1005,25 @@ def main(): res_find.get( "ipaallowedtoperform_read_keys_hostgroup")) - else: - certificate_add = certificate or [] - certificate_del = [] - managedby_host_add = managedby_host or [] - managedby_host_del = [] - principal_add = principal or [] - principal_del = [] - allow_create_keytab_user_add = \ - allow_create_keytab_user or [] - allow_create_keytab_user_del = [] - allow_create_keytab_group_add = \ - allow_create_keytab_group or [] - allow_create_keytab_group_del = [] - allow_create_keytab_host_add = \ - allow_create_keytab_host or [] - allow_create_keytab_host_del = [] - allow_create_keytab_hostgroup_add = \ - allow_create_keytab_hostgroup or [] - allow_create_keytab_hostgroup_del = [] - allow_retrieve_keytab_user_add = \ - allow_retrieve_keytab_user or [] - allow_retrieve_keytab_user_del = [] - allow_retrieve_keytab_group_add = \ - allow_retrieve_keytab_group or [] - allow_retrieve_keytab_group_del = [] - allow_retrieve_keytab_host_add = \ - allow_retrieve_keytab_host or [] - allow_retrieve_keytab_host_del = [] - allow_retrieve_keytab_hostgroup_add = \ - allow_retrieve_keytab_hostgroup or [] - allow_retrieve_keytab_hostgroup_del = [] + # IP addresses are not really a member of hosts, but + # we will simply treat it as this to enable the + # addition and removal of IPv4 and IPv6 addresses in + # a simple way. + _dnsrec = res_find_dnsrecord or {} + dnsrecord_a_add, dnsrecord_a_del = gen_add_del_lists( + dnsrecord_args.get("arecord"), + _dnsrec.get("arecord")) + dnsrecord_aaaa_add, dnsrecord_aaaa_del = \ + gen_add_del_lists( + dnsrecord_args.get("aaaarecord"), + _dnsrec.get("aaaarecord")) else: + if res_find is None: + ansible_module.fail_json( + msg="No host '%s'" % name) + + if action != "host" or (action == "host" and res_find is None): certificate_add = certificate or [] certificate_del = [] managedby_host_add = managedby_host or [] 
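Review bot: The new guard `if action != "host" or (action == "host" and res_find is None):` simplifies to `if action != "host" or res_find is None:`; the parenthesised conjunction adds nothing and makes the branch harder to read. The restructuring itself looks correct: the host-found branch now computes `dnsrecord_a_add/_del` and `dnsrecord_aaaa_add/_del` from `res_find_dnsrecord or {}`, and the fall-through branch initialises the same four variables, so every path that later reaches the `dnsrecord_add`/`dnsrecord_del` code has them defined. Please also keep the explanatory comment ("IP addresses are not really a member of hosts ...") but say explicitly that for `action: member` addresses are only ever added, never removed, since that asymmetry is intentional and not obvious from the code.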
@@ -986,6 +1054,10 @@ def main(): allow_retrieve_keytab_hostgroup_add = \ allow_retrieve_keytab_hostgroup or [] allow_retrieve_keytab_hostgroup_del = [] + dnsrecord_a_add = dnsrecord_args.get("arecord") or [] + dnsrecord_a_del = [] + dnsrecord_aaaa_add = dnsrecord_args.get("aaaarecord") or [] + dnsrecord_aaaa_del = [] # Remove canonical principal from principal_del canonical_principal = "host/" + name + "@" + server_realm @@ -1120,6 +1192,39 @@ def main(): "hostgroup": allow_retrieve_keytab_hostgroup_del, }]) + if len(dnsrecord_a_add) > 0 or len(dnsrecord_aaaa_add) > 0: + domain_name = name[name.find(".")+1:] + host_name = name[:name.find(".")] + + _args = {"idnsname": host_name} + if len(dnsrecord_a_add) > 0: + _args["arecord"] = dnsrecord_a_add + if reverse is not None: + _args["a_extra_create_reverse"] = reverse + if len(dnsrecord_aaaa_add) > 0: + _args["aaaarecord"] = dnsrecord_aaaa_add + if reverse is not None: + _args["aaaa_extra_create_reverse"] = reverse + + commands.append([domain_name, + "dnsrecord_add", _args]) + + if len(dnsrecord_a_del) > 0 or len(dnsrecord_aaaa_del) > 0: + domain_name = name[name.find(".")+1:] + host_name = name[:name.find(".")] + + # There seems to be an issue with dnsrecord_del (not + # for dnsrecord_add) if aaaarecord is an empty list. + # Therefore this is done differently here: + _args = {"idnsname": host_name} + if len(dnsrecord_a_del) > 0: + _args["arecord"] = dnsrecord_a_del + if len(dnsrecord_aaaa_del) > 0: + _args["aaaarecord"] = dnsrecord_aaaa_del + + commands.append([domain_name, + "dnsrecord_del", _args]) + elif state == "absent": if action == "host": 
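Review bot: Confirm the semantics of `gen_add_del_lists(dnsrecord_args.get("arecord"), _dnsrec.get("arecord"))` when no `ip_address` was given: `dnsrecord_args.get("arecord")` is then `None`, and if the helper treats `None` as "desired set is empty" rather than "leave unchanged", a plain `ipahost` task that does not mention addresses will queue a `dnsrecord_del` for every existing A and AAAA record of the host. A test for that case (host with records, task without `ip_address`, expect no `dnsrecord_del` command) would settle it. Two style points: the `domain_name = name[name.find(".")+1:]` / `host_name = name[:name.find(".")]` split is now duplicated in `find_dnsrecord()`, both hunks here and the `state: absent` path, so it belongs in one helper; and the comment about `dnsrecord_del` misbehaving with an empty `aaaarecord` list should reference the IPA version or ticket it was observed against, otherwise nobody will know when the workaround can be removed.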
@@ -1200,6 +1305,17 @@ def main(): "hostgroup": allow_retrieve_keytab_hostgroup, }]) + dnsrecord_args = gen_dnsrecord_args(ansible_module, + ip_address, reverse) + if "arecord" in dnsrecord_args or \ + "aaaarecord" in dnsrecord_args: + domain_name = name[name.find(".")+1:] + host_name = name[:name.find(".")] + dnsrecord_args["idnsname"] = host_name + + commands.append([domain_name, "dnsrecord_del", + dnsrecord_args]) + elif state == "disabled": if res_find is not None: commands.append([name, "host_disable", {}]) @@ -1244,6 +1360,11 @@ def main(): # Host is already disabled, ignore error if "This entry is already disabled" in msg: continue + + # Ignore no modification error. + if "no modifications to be performed" in msg: + continue + ansible_module.fail_json(msg="%s: %s: %s" % (command, name, msg)) diff --git a/plugins/modules/ipahostgroup.py b/plugins/modules/ipahostgroup.py index 9dbfa62531b0d005fdbbbe1fe7f022913de64c11..5fcca1d678cdb8b16f53c8fdde2f0f4c41f982cd 100644 --- a/plugins/modules/ipahostgroup.py +++ b/plugins/modules/ipahostgroup.py @@ -73,7 +73,7 @@ author: EXAMPLES = """ # Ensure host-group databases is present - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com @@ -83,7 +83,7 @@ EXAMPLES = """ # Ensure hosts and hostgroups are present in existing databases hostgroup - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com @@ -94,7 +94,7 @@ EXAMPLES = """ # Ensure hosts and hostgroups are absent in databases hostgroup - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases host: - db.example.com @@ -106,7 +106,7 @@ EXAMPLES = """ # Ensure host-group databases is absent - ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: absent """ 
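Review bot: In the `state: absent` member path, `gen_dnsrecord_args(ansible_module, ip_address, reverse)` is passed straight to `dnsrecord_del`, but that helper also sets `a_extra_create_reverse` / `aaaa_extra_create_reverse` whenever `reverse` is given; those are creation flags, and the `dnsrecord_add` path in the earlier hunk sets them separately for that reason. Unless `dnsrecord_del` is known to accept them, drop the two keys from `dnsrecord_args` before appending the command (or call the helper with `reverse=None` here). The new `if "no modifications to be performed" in msg: continue` is another English-substring check on an error message; it is pragmatic, but it also hides a real mismatch between `compare_args_ipa()` and the server, so log it at debug level instead of silently continuing.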
diff --git a/plugins/modules/ipapwpolicy.py b/plugins/modules/ipapwpolicy.py index 9437b5953ec2c047fa526f7d08c39ec837ab6954..0d68fb1c7fde44cf841723deeac265b95c3ebd82 100644 --- a/plugins/modules/ipapwpolicy.py +++ b/plugins/modules/ipapwpolicy.py @@ -98,7 +98,7 @@ author: EXAMPLES = """ # Ensure pwpolicy is set for ops - ipapwpolicy: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: ops minlife: 7 maxlife: 49 @@ -167,7 +167,7 @@ def main(): ipaadmin_password=dict(type="str", required=False, no_log=True), name=dict(type="list", aliases=["cn"], default=None, - required=True), + required=False), # present maxlife=dict(type="int", aliases=["krbmaxpwdlife"], default=None), @@ -218,6 +218,9 @@ def main(): # Check parameters + if names is None: + names = ["global_policy"] + if state == "present": if len(names) != 1: ansible_module.fail_json( @@ -225,8 +228,10 @@ def main(): if state == "absent": if len(names) < 1: + ansible_module.fail_json(msg="No name given.") + if "global_policy" in names: ansible_module.fail_json( - msg="No name given.") + msg="'global_policy' can not be made absent.") invalid = ["maxlife", "minlife", "history", "minclasses", "minlength", "priority", "maxfail", "failinterval", "lockouttime"] diff --git a/plugins/modules/ipaservice.py b/plugins/modules/ipaservice.py new file mode 100644 index 0000000000000000000000000000000000000000..e0da817cbb71523b7714ea34b060624daf07a1be --- /dev/null +++ b/plugins/modules/ipaservice.py 
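Review bot: The ipapwpolicy change makes `name` optional and defaults `names = ["global_policy"]`, but the `name` option documentation is not updated to say so; add a sentence that the global policy is managed when no name is given. The new refusal to make `global_policy` absent is the right safeguard, but with the default in place the preceding `if len(names) < 1: fail_json("No name given.")` can no longer trigger for any input and can be removed, which also avoids the slightly confusing reuse of the same `fail_json` call that this hunk reshuffles.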
@@ -0,0 +1,811 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Authors: +# Rafael Guterres Jeffman <rjeffman@redhat.com> +# +# Copyright (C) 2019 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +ANSIBLE_METADATA = { + "metadata_version": "1.0", + "supported_by": "community", + "status": ["preview"], +} + + +DOCUMENTATION = """ +--- +module: ipaservice +short description: Manage FreeIPA service +description: Manage FreeIPA service +options: + ipaadmin_principal: + description: The admin principal + default: admin + ipaadmin_password: + description: The admin password + required: false + name: + description: The service to manage + required: true + aliases: ["service"] + certificate: + description: Base-64 encoded service certificate. + required: false + type: list + aliases=['usercertificate'] + pac_type: + description: Supported PAC type. + required: false + choices: ["MS-PAC", "PAD", "NONE"] + type: list + aliases: ["pac_type", "ipakrbauthzdata"] + auth_ind: + description: Defines a whitelist for Authentication Indicators. + required: false + choices: ["otp", "radius", "pkinit", "hardened"] + aliases: ["krbprincipalauthind"] + skip_host_check: + description: Skip checking if host object exists. + required: False + type: bool + force: + description: Force principal name even if host is not in DNS. 
+ required: False + type: bool + requires_pre_auth: + description: Pre-authentication is required for the service. + required: false + type: bool + default: False + aliases: ["ipakrbrequirespreauth"] + ok_as_delegate: + description: Client credentials may be delegated to the service. + required: false + type: bool + default: False + aliases: ["ipakrbokasdelegate"] + ok_to_auth_as_delegate: Allow service to authenticate on behalf of a client. + description: . + required: false + type: bool + default: False + aliases:["ipakrboktoauthasdelegate"] + principal: + description: List of principal aliases for the service. + required: false + type: list + aliases: ["krbprincipalname"] + host: + description: Host that can manage the service. + required: false + type: list + aliases: ["managedby_host"] + allow_create_keytab_user: + descrption: Users allowed to create a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_write_keys_user"] + allow_create_keytab_group: + descrption: Groups allowed to create a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_write_keys_group"] + allow_create_keytab_host: + descrption: Hosts allowed to create a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_write_keys_host"] + allow_create_keytab_hostgroup: + descrption: Host group allowed to create a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_write_keys_hostgroup"] + allow_retrieve_keytab_user: + descrption: User allowed to retrieve a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_read_keys_user"] + allow_retrieve_keytab_group: + descrption: Groups allowed to retrieve a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_read_keys_group"] + allow_retrieve_keytab_host: + descrption: Hosts allowed to retrieve a keytab of this host. 
+ required: false + type: list + aliases: ["ipaallowedtoperform_read_keys_host"] + allow_retrieve_keytab_hostgroup: + descrption: Host groups allowed to retrieve a keytab of this host. + required: false + type: list + aliases: ["ipaallowedtoperform_read_keys_hostgroup"] + action: + description: Work on service or member level + default: service + choices: ["member", "service"] + state: + description: State to ensure + default: present + choices: ["present", "absent", "enabled", "disabled"] +author: + - Rafael Jeffman +""" + +EXAMPLES = """ + # Ensure service is present + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + pac_type: + - MS-PAC + - PAD + auth_ind: otp + skip_host_check: true + force: false + requires_pre_auth: true + ok_as_delegate: false + ok_to_auth_as_delegate: false + + # Ensure service is absent + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + state: absent + + # Ensure service member certificate is present. 
+ - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + certificate: + - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw + DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT + ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH + VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM + LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT + oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s + 4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc + xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1 + UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q + eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs + 5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic + uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH + 2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no + obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC + /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq + action: member + state: present + + # Ensure principal host/test.example.com present in service. + - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + principal: + - host/test.example.com + action: member + + # Ensure host can manage service. 
+ - ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.example.com + host: + - host1.example.com + - host2.example.com + action: member +""" + +RETURN = """ +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ + temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \ + encode_certificate, gen_add_del_lists, module_params_get, to_text, \ + api_check_param + + +def find_service(module, name): + _args = { + "all": True, + } + + _result = api_command(module, "service_find", to_text(name), _args) + + if len(_result["result"]) > 1: + module.fail_json( + msg="There is more than one service '%s'" % (name)) + elif len(_result["result"]) == 1: + _res = _result["result"][0] + certs = _res.get("usercertificate") + if certs is not None: + _res["usercertificate"] = [encode_certificate(cert) for + cert in certs] + return _res + else: + return None + + +def gen_args(pac_type, auth_ind, skip_host_check, force, requires_pre_auth, + ok_as_delegate, ok_to_auth_as_delegate): + _args = {} + + if pac_type is not None: + _args['ipakrbauthzdata'] = pac_type + if auth_ind is not None: + _args['krbprincipalauthind'] = auth_ind + if skip_host_check is not None: + _args['skip_host_check'] = (skip_host_check) + if force is not None: + _args['force'] = (force) + if requires_pre_auth is not None: + _args['ipakrbrequirespreauth'] = (requires_pre_auth) + if ok_as_delegate is not None: + _args['ipakrbokasdelegate'] = (ok_as_delegate) + if ok_to_auth_as_delegate is not None: + _args['ipakrboktoauthasdelegate'] = (ok_to_auth_as_delegate) + + return _args + + +def check_parameters(module, state, action, names, parameters): + assert isinstance(parameters, dict) + + # invalid parameters for everything but state 'present', action 'service'. 
+ invalid = ['pac_type', 'auth_ind', 'skip_host_check', + 'force', 'requires_pre_auth', 'ok_as_delegate', + 'ok_to_auth_as_delegate'] + + # invalid parameters when not handling service members. + invalid_not_member = \ + ['principal', 'certificate', 'host', 'allow_create_keytab_user', + 'allow_create_keytab_group', 'allow_create_keytab_host', + 'allow_create_keytab_hostgroup', 'allow_retrieve_keytab_user', + 'allow_retrieve_keytab_group', 'allow_retrieve_keytab_host', + 'allow_retrieve_keytab_hostgroup'] + + if state == 'present': + if len(names) != 1: + module.fail_json(msg="Only one service can be added at a time.") + + if action == 'service': + invalid = [] + + elif state == 'absent': + if len(names) < 1: + module.fail_json(msg="No name given.") + + if action == "service": + invalid.extend(invalid_not_member) + + elif state == 'disabled': + invalid.extend(invalid_not_member) + if action != "service": + module.fail_json( + msg="Invalid action '%s' for state '%s'" % (action, state)) + + else: + module.fail_json(msg="Invalid state '%s'" % (state)) + + for _invalid in invalid: + if parameters[_invalid] is not None: + module.fail_json( + msg="Argument '%s' can not be used with state '%s'" % + (_invalid, state)) + + +def init_ansible_module(): + ansible_module = AnsibleModule( + argument_spec=dict( + # general + ipaadmin_principal=dict(type="str", default="admin"), + ipaadmin_password=dict(type="str", required=False, no_log=True), + + name=dict(type="list", aliases=["service"], default=None, + required=True), + # service attributesstr + certificate=dict(type="list", aliases=['usercertificate'], + default=None, required=False), + principal=dict(type="list", aliases=["krbprincipalname"], + default=None), + pac_type=dict(type="list", aliases=["ipakrbauthzdata"], + choices=["MS-PAC", "PAD", "NONE"]), + auth_ind=dict(type="str", + aliases=["krbprincipalauthind"], + choices=["otp", "radius", "pkinit", "hardened"]), + skip_host_check=dict(type="bool"), + 
force=dict(type="bool"), + requires_pre_auth=dict( + type="bool", aliases=["ipakrbrequirespreauth"]), + ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"]), + ok_to_auth_as_delegate=dict(type="bool", + aliases=["ipakrboktoauthasdelegate"]), + host=dict(type="list", aliases=["managedby_host"], required=False), + allow_create_keytab_user=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_write_keys_user']), + allow_retrieve_keytab_user=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_read_keys_user']), + allow_create_keytab_group=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_write_keys_group']), + allow_retrieve_keytab_group=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_read_keys_group']), + allow_create_keytab_host=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_write_keys_host']), + allow_retrieve_keytab_host=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_read_keys_host']), + allow_create_keytab_hostgroup=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_write_keys_hostgroup']), + allow_retrieve_keytab_hostgroup=dict( + type="list", required=False, + aliases=['ipaallowedtoperform_read_keys_hostgroup']), + # action + action=dict(type="str", default="service", + choices=["member", "service"]), + # state + state=dict(type="str", default="present", + choices=["present", "absent", + "enabled", "disabled"]), + ), + supports_check_mode=True, + ) + + ansible_module._ansible_debug = True + + return ansible_module + + +def main(): + ansible_module = init_ansible_module() + + # Get parameters + + # general + ipaadmin_principal = module_params_get(ansible_module, + "ipaadmin_principal") + ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") + names = module_params_get(ansible_module, "name") + + # service attributes + principal = module_params_get(ansible_module, "principal") + certificate = 
module_params_get(ansible_module, "certificate") + pac_type = module_params_get(ansible_module, "pac_type") + auth_ind = module_params_get(ansible_module, "auth_ind") + skip_host_check = module_params_get(ansible_module, "skip_host_check") + force = module_params_get(ansible_module, "force") + requires_pre_auth = module_params_get(ansible_module, "requires_pre_auth") + ok_as_delegate = module_params_get(ansible_module, "ok_as_delegate") + ok_to_auth_as_delegate = module_params_get(ansible_module, + "ok_to_auth_as_delegate") + + host = module_params_get(ansible_module, "host") + + allow_create_keytab_user = module_params_get( + ansible_module, "allow_create_keytab_user") + allow_create_keytab_group = module_params_get( + ansible_module, "allow_create_keytab_group") + allow_create_keytab_host = module_params_get( + ansible_module, "allow_create_keytab_host") + allow_create_keytab_hostgroup = module_params_get( + ansible_module, "allow_create_keytab_hostgroup") + + allow_retrieve_keytab_user = module_params_get( + ansible_module, "allow_retrieve_keytab_user") + allow_retrieve_keytab_group = module_params_get( + ansible_module, "allow_retrieve_keytab_group") + allow_retrieve_keytab_host = module_params_get( + ansible_module, "allow_create_keytab_host") + allow_retrieve_keytab_hostgroup = module_params_get( + ansible_module, "allow_retrieve_keytab_hostgroup") + + # action + action = module_params_get(ansible_module, "action") + # state + state = module_params_get(ansible_module, "state") + + # check parameters + check_parameters(ansible_module, state, action, names, vars()) + + # Init + + changed = False + exit_args = {} + ccache_dir = None + ccache_name = None + try: + if not valid_creds(ansible_module, ipaadmin_principal): + ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, + ipaadmin_password) + api_connect() + + has_skip_host_check = api_check_param( + "service_add", "skip_host_check") + if skip_host_check and not has_skip_host_check: + 
ansible_module.fail_json( + msg="Skipping host check is not supported by your IPA version") + + commands = [] + + for name in names: + res_find = find_service(ansible_module, name) + + if state == "present": + if action == "service": + args = gen_args( + pac_type, auth_ind, skip_host_check, force, + requires_pre_auth, ok_as_delegate, + ok_to_auth_as_delegate) + if not has_skip_host_check and 'skip_host_check' in args: + del args['skip_host_check'] + + if res_find is None: + commands.append([name, 'service_add', args]) + + certificate_add = certificate or [] + certificate_del = [] + host_add = host or [] + host_del = [] + principal_add = principal or [] + principal_del = [] + allow_create_keytab_user_add = \ + allow_create_keytab_user or [] + allow_create_keytab_user_del = [] + allow_create_keytab_group_add = \ + allow_create_keytab_group or [] + allow_create_keytab_group_del = [] + allow_create_keytab_host_add = \ + allow_create_keytab_host or [] + allow_create_keytab_host_del = [] + allow_create_keytab_hostgroup_add = \ + allow_create_keytab_hostgroup or [] + allow_create_keytab_hostgroup_del = [] + allow_retrieve_keytab_user_add = \ + allow_retrieve_keytab_user or [] + allow_retrieve_keytab_user_del = [] + allow_retrieve_keytab_group_add = \ + allow_retrieve_keytab_group or [] + allow_retrieve_keytab_group_del = [] + allow_retrieve_keytab_host_add = \ + allow_retrieve_keytab_host or [] + allow_retrieve_keytab_host_del = [] + allow_retrieve_keytab_hostgroup_add = \ + allow_retrieve_keytab_hostgroup or [] + allow_retrieve_keytab_hostgroup_del = [] + + else: + for remove in ['skip_host_check', 'force']: + if remove in args: + del args[remove] + + if not compare_args_ipa(ansible_module, args, + res_find): + commands.append([name, "service_mod", args]) + + certificate_add, certificate_del = gen_add_del_lists( + certificate, res_find.get("usercertificate")) + + host_add, host_del = gen_add_del_lists( + host, res_find.get('managedby_host', [])) + + principal_add, 
principal_del = gen_add_del_lists( + principal, res_find.get("principal")) + + (allow_create_keytab_user_add, + allow_create_keytab_user_del) = \ + gen_add_del_lists( + allow_create_keytab_user, res_find.get( + 'ipaallowedtoperform_write_keys_user', + [])) + (allow_retrieve_keytab_user_add, + allow_retrieve_keytab_user_del) = \ + gen_add_del_lists( + allow_retrieve_keytab_user, res_find.get( + 'ipaallowedtoperform_read_keys_user', + [])) + (allow_create_keytab_group_add, + allow_create_keytab_group_del) = \ + gen_add_del_lists( + allow_create_keytab_group, res_find.get( + 'ipaallowedtoperform_write_keys_group', + [])) + (allow_retrieve_keytab_group_add, + allow_retrieve_keytab_group_del) = \ + gen_add_del_lists( + allow_retrieve_keytab_group, + res_find.get( + 'ipaallowedtoperform_read_keys_group', + [])) + (allow_create_keytab_host_add, + allow_create_keytab_host_del) = \ + gen_add_del_lists( + allow_create_keytab_host, + res_find.get( + 'ipaallowedtoperform_write_keys_host', + [])) + (allow_retrieve_keytab_host_add, + allow_retrieve_keytab_host_del) = \ + gen_add_del_lists( + allow_retrieve_keytab_host, + res_find.get( + 'ipaallowedtoperform_read_keys_host', + [])) + (allow_create_keytab_hostgroup_add, + allow_create_keytab_hostgroup_del) = \ + gen_add_del_lists( + allow_create_keytab_hostgroup, + res_find.get( + 'ipaallowedtoperform_write_keys_hostgroup', + [])) + (allow_retrieve_keytab_hostgroup_add, + allow_retrieve_keytab_hostgroup_del) = \ + gen_add_del_lists( + allow_retrieve_keytab_hostgroup, + res_find.get( + 'ipaallowedtoperform_read_keys_hostgroup', + [])) + + elif action == "member": + if res_find is None: + ansible_module.fail_json(msg="No service '%s'" % name) + + existing = res_find.get('usercertificate', []) + if certificate is None: + certificate_add = [] + else: + certificate_add = [c for c in certificate + if c not in existing] + certificate_del = [] + host_add = host or [] + host_del = [] + principal_add = principal or [] + principal_del = [] + 
+ allow_create_keytab_user_add = \ + allow_create_keytab_user or [] + allow_create_keytab_user_del = [] + allow_create_keytab_group_add = \ + allow_create_keytab_group or [] + allow_create_keytab_group_del = [] + allow_create_keytab_host_add = \ + allow_create_keytab_host or [] + allow_create_keytab_host_del = [] + allow_create_keytab_hostgroup_add = \ + allow_create_keytab_hostgroup or [] + allow_create_keytab_hostgroup_del = [] + allow_retrieve_keytab_user_add = \ + allow_retrieve_keytab_user or [] + allow_retrieve_keytab_user_del = [] + allow_retrieve_keytab_group_add = \ + allow_retrieve_keytab_group or [] + allow_retrieve_keytab_group_del = [] + allow_retrieve_keytab_host_add = \ + allow_retrieve_keytab_host or [] + allow_retrieve_keytab_host_del = [] + allow_retrieve_keytab_hostgroup_add = \ + allow_retrieve_keytab_hostgroup or [] + allow_retrieve_keytab_hostgroup_del = [] + + # Add principals + for _principal in principal_add: + commands.append([name, "service_add_principal", + { + "krbprincipalname": + _principal, + }]) + + # Remove principals + for _principal in principal_del: + commands.append([name, "service_remove_principal", + { + "krbprincipalname": + _principal, + }]) + + for _certificate in certificate_add: + commands.append([name, "service_add_cert", + { + "usercertificate": + _certificate, + }]) + # Remove certificates + for _certificate in certificate_del: + commands.append([name, "service_remove_cert", + { + "usercertificate": + _certificate, + }]) + + # Add hosts. 
+ if host is not None and len(host) > 0 and len(host_add) > 0: + commands.append([name, "service_add_host", + {"host": host_add}]) + # Remove hosts + if host is not None and len(host) > 0 and len(host_del) > 0: + commands.append([name, "service_remove_host", + {"host": host_del}]) + + # Allow create keytab + if len(allow_create_keytab_user_add) > 0 or \ + len(allow_create_keytab_group_add) > 0 or \ + len(allow_create_keytab_host_add) > 0 or \ + len(allow_create_keytab_hostgroup_add) > 0: + commands.append( + [name, "service_allow_create_keytab", + {'user': allow_create_keytab_user_add, + 'group': allow_create_keytab_group_add, + 'host': allow_create_keytab_host_add, + 'hostgroup': allow_create_keytab_hostgroup_add + }]) + + # Disallow create keytab + if len(allow_create_keytab_user_del) > 0 or \ + len(allow_create_keytab_group_del) > 0 or \ + len(allow_create_keytab_host_del) > 0 or \ + len(allow_create_keytab_hostgroup_del) > 0: + commands.append( + [name, "service_disallow_create_keytab", + {'user': allow_create_keytab_user_del, + 'group': allow_create_keytab_group_del, + 'host': allow_create_keytab_host_del, + 'hostgroup': allow_create_keytab_hostgroup_del + }]) + + # Allow retrieve keytab + if len(allow_retrieve_keytab_user_add) > 0 or \ + len(allow_retrieve_keytab_group_add) > 0 or \ + len(allow_retrieve_keytab_hostgroup_add) > 0 or \ + len(allow_retrieve_keytab_hostgroup_add) > 0: + commands.append( + [name, "service_allow_retrieve_keytab", + {'user': allow_retrieve_keytab_user_add, + 'group': allow_retrieve_keytab_group_add, + 'host': allow_retrieve_keytab_host_add, + 'hostgroup': allow_retrieve_keytab_hostgroup_add + }]) + + # Disllow retrieve keytab + if len(allow_retrieve_keytab_user_del) > 0 or \ + len(allow_retrieve_keytab_group_del) > 0 or \ + len(allow_retrieve_keytab_host_del) > 0 or \ + len(allow_retrieve_keytab_hostgroup_del) > 0: + commands.append( + [name, "service_disallow_retrieve_keytab", + {'user': allow_retrieve_keytab_user_del, + 'group': 
allow_retrieve_keytab_group_del, + 'host': allow_retrieve_keytab_host_del, + 'hostgroup': allow_retrieve_keytab_hostgroup_del + }]) + + elif state == "absent": + if action == "service": + if res_find is not None: + commands.append([name, 'service_del', {}]) + + elif action == "member": + if res_find is None: + ansible_module.fail_json(msg="No service '%s'" % name) + + # Remove principals + if principal is not None: + for _principal in principal: + commands.append([name, "service_remove_principal", + { + "krbprincipalname": + _principal, + }]) + # Remove certificates + if certificate is not None: + existing = res_find.get('usercertificate', []) + for _certificate in certificate: + if _certificate in existing: + commands.append([name, "service_remove_cert", + { + "usercertificate": + _certificate, + }]) + + # Add hosts + if host is not None: + commands.append( + [name, "service_remove_host", {"host": host}]) + + # Allow create keytab + if allow_create_keytab_user is not None or \ + allow_create_keytab_group is not None or \ + allow_create_keytab_host is not None or \ + allow_create_keytab_hostgroup is not None: + commands.append( + [name, "service_disallow_create_keytab", + {'user': allow_create_keytab_user, + 'group': allow_create_keytab_group, + 'host': allow_create_keytab_host, + 'hostgroup': allow_create_keytab_hostgroup + }]) + + # Allow retriev keytab + if allow_retrieve_keytab_user is not None or \ + allow_retrieve_keytab_group is not None or \ + allow_retrieve_keytab_host is not None or \ + allow_retrieve_keytab_hostgroup is not None: + commands.append( + [name, "service_disallow_retrieve_keytab", + {'user': allow_retrieve_keytab_user, + 'group': allow_retrieve_keytab_group, + 'host': allow_retrieve_keytab_host, + 'hostgroup': allow_retrieve_keytab_hostgroup + }]) + + elif state == "disabled": + if action == "service": + if res_find is not None and \ + len(res_find.get('usercertificate', [])) > 0: + commands.append([name, 'service_disable', {}]) + else: + 
ansible_module.fail_json( + msg="Invalid action '%s' for state '%s'" % + (action, state)) + else: + ansible_module.fail_json(msg="Unkown state '%s'" % state) + + # Execute commands + errors = [] + for name, command, args in commands: + try: + result = api_command(ansible_module, command, name, args) + + if "completed" in result: + if result["completed"] > 0: + changed = True + else: + changed = True + except Exception as ex: + ansible_module.fail_json(msg="%s: %s: %s" % (command, name, + str(ex))) + # Get all errors + # All "already a member" and "not a member" failures in the + # result are ignored. All others are reported. + if "failed" in result and len(result["failed"]) > 0: + for item in result["failed"]: + failed_item = result["failed"][item] + for member_type in failed_item: + for member, failure in failed_item[member_type]: + if "already a member" in failure \ + or "not a member" in failure: + continue + errors.append("%s: %s %s: %s" % ( + command, member_type, member, failure)) + if len(errors) > 0: + ansible_module.fail_json(msg=", ".join(errors)) + + except Exception as ex: + ansible_module.fail_json(msg=str(ex)) + + finally: + temp_kdestroy(ccache_dir, ccache_name) + + # Done + ansible_module.exit_json(changed=changed, **exit_args) + + +if __name__ == "__main__": + main() diff --git a/plugins/modules/ipasudocmd.py b/plugins/modules/ipasudocmd.py index 8e25561e815cf20265d57472a0a02a194aa5d7e8..749479335e32869c00371fb9ee0e8a8a4487de24 100644 --- a/plugins/modules/ipasudocmd.py +++ b/plugins/modules/ipasudocmd.py @@ -57,13 +57,13 @@ author: EXAMPLES = """ # Ensure sudocmd is present - ipacommand: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: su state: present # Ensure sudocmd is absent - ipacommand: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: su state: absent """ 
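Review bot: in the ipaservice.py main() hunk, `allow_retrieve_keytab_host` is read from the wrong module parameter: `allow_retrieve_keytab_host = module_params_get(ansible_module, "allow_create_keytab_host")` should pass `"allow_retrieve_keytab_host"`, otherwise the hosts listed for create-keytab are silently granted retrieve-keytab rights as well. In the same hunk the "Allow retrieve keytab" condition tests `len(allow_retrieve_keytab_hostgroup_add) > 0` twice and never `allow_retrieve_keytab_host_add`, so a host-only retrieve grant never emits `service_allow_retrieve_keytab`; `state` lists "enabled" among its choices but no branch handles it, so it falls through to `fail_json(msg="Unkown state '%s'")` (also a typo for "Unknown"); `ansible_module._ansible_debug = True` in init_ansible_module() should not ship in the module; and in the absent/member branch the comments "# Add hosts", "# Allow create keytab" and "# Allow retriev keytab" sit above remove/disallow commands. Finally, the `state == "disabled"` branch only issues `service_disable` when `usercertificate` is non-empty, so a service that has a keytab but no certificate is never disabled; consider also checking the service's `has_keytab` flag.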
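Review bot: in the ipasudocmd.py EXAMPLES hunk both tasks invoke `- ipacommand:` although the module is ipasudocmd; since the hunk already rewrites the password line of each example, change the module name to `- ipasudocmd:` so the examples actually run.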
@@ -97,7 +97,7 @@ def find_sudocmd(module, name): def gen_args(description): _args = {} if description is not None: - _args["description"] = description + _args["description"] = to_text(description) return _args diff --git a/plugins/modules/ipasudocmdgroup.py b/plugins/modules/ipasudocmdgroup.py index bfa01300199d28f9ea48443baefc6e6db80727ce..3cbb280327b168239cf8e821d1217de5b93c6094 100644 --- a/plugins/modules/ipasudocmdgroup.py +++ b/plugins/modules/ipasudocmdgroup.py @@ -73,13 +73,13 @@ author: EXAMPLES = """ # Ensure sudocmd-group 'network' is present - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network state: present # Ensure sudocmdgroup and sudocmd are present in 'network' sudocmdgroup - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig @@ -88,7 +88,7 @@ EXAMPLES = """ # Ensure sudocmdgroup and sudocmd are absent in 'network' sudocmdgroup - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig @@ -98,7 +98,7 @@ EXAMPLES = """ # Ensure sudocmd-group 'network' is absent - ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network action: member state: absent diff --git a/plugins/modules/ipasudorule.py b/plugins/modules/ipasudorule.py index c21f247ae0c9e19316eea4121244149bf741ea3b..24d0d7eef8fddb0bef13ecaf6c08e3811235301f 100644 --- a/plugins/modules/ipasudorule.py +++ b/plugins/modules/ipasudorule.py 
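Review bot: the ipasudocmd.py gen_args() hunk now calls `to_text(description)`, but no hunk in this patch adds `from ansible.module_utils._text import to_text` to that module; if the import is not already present every call with a description will raise NameError. Please confirm the import (the ipauser.py part of this patch shows it explicitly as a context line).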
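Review bot: in the last ipasudocmdgroup.py EXAMPLES hunk, the task titled "Ensure sudocmd-group 'network' is absent" sets `action: member` together with `state: absent`, which removes members from the group rather than the group itself; drop `action: member` (or retitle the example) so the comment matches what the task does.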
@@ -79,18 +79,43 @@ options: description: Host category the sudo rule applies to. required: false choices: ["all"] - cmd: - description: List of sudocmds assigned to this sudorule. + allow_sudocmd: + description: List of allowed sudocmds assigned to this sudorule. required: false type: list - cmdgroup: - description: List of sudocmd groups assigned to this sudorule. + allow_sudocmdgroup: + description: List of allowed sudocmd groups assigned to this sudorule. + required: false + type: list + deny_sudocmd: + description: List of denied sudocmds assigned to this sudorule. + required: false + type: list + deny_sudocmdgroup: + description: List of denied sudocmd groups assigned to this sudorule. required: false type: list cmdcategory: - description: Cammand category the sudo rule applies to + description: Command category the sudo rule applies to required: false choices: ["all"] + order: + description: Order to apply this rule. + required: false + type: int + sudooption: + description: + required: false + type: list + aliases: ["options"] + runasuser: + description: List of users for Sudo to execute as. + required: false + type: list + runasgroup: + description: List of groups for Sudo to execute as. + required: false + type: list action: description: Work on sudorule or member level default: sudorule 
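Review bot: in the ipasudorule.py options hunk, `sudooption:` has an empty `description:` while every other new option (`order`, `runasuser`, `runasgroup`) is documented; add a sentence such as "List of sudo options (ipasudoopt) to set on this sudorule." Also, `order` is given the alias `sudoorder` in the argument_spec hunk of this file, so list `aliases: ["sudoorder"]` here as well.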
@@ -106,50 +131,50 @@ author: EXAMPLES = """ # Ensure Sudo Rule tesrule1 is present - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 # Ensure sudocmd is present in Sudo Rule - ipasudorule: - ipaadmin_password: pass1234 - name: testrule1 - cmd: - - /sbin/ifconfig - - /usr/bin/vim - action: member - state: absent + ipaadmin_password: pass1234 + name: testrule1 + allow_sudocmd: + - /sbin/ifconfig + - /usr/bin/vim + action: member + state: absent # Ensure host server is present in Sudo Rule - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 host: server action: member # Ensure hostgroup cluster is present in Sudo Rule - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 hostgroup: cluster action: member # Ensure sudo rule for usercategory "all" - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allusers usercategory: all action: enabled # Ensure sudo rule for hostcategory "all" - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: allhosts hostcategory: all action: enabled # Ensure Sudo Rule tesrule1 is absent - ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 state: absent """ @@ -160,7 +185,7 @@ RETURN = """ from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command, compare_args_ipa, \ - module_params_get + module_params_get, gen_add_del_lists def find_sudorule(module, name): 
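Review bot: in the ipasudorule.py EXAMPLES hunk, the task commented "Ensure sudocmd is present in Sudo Rule" ends with `state: absent` and still uses `ipaadmin_password: pass1234` while every other example was normalised to `SomeADMINpassword`; since the hunk re-indents these lines anyway, fix the state (or the comment) and the password. The usercategory and hostcategory examples use `action: enabled`, but `action` only accepts "member" or "sudorule" per the argument_spec hunk; these should be `state: enabled`. "tesrule1" in two comments should read "testrule1".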
@@ -180,14 +205,26 @@ def find_sudorule(module, name): return None -def gen_args(ansible_module): - arglist = ['description', 'usercategory', 'hostcategory', 'cmdcategory', - 'runasusercategory', 'runasgroupcategory', 'nomembers'] +def gen_args(description, usercat, hostcat, cmdcat, runasusercat, + runasgroupcat, order, nomembers): _args = {} - for arg in arglist: - value = module_params_get(ansible_module, arg) - if value is not None: - _args[arg] = value + + if description is not None: + _args['description'] = description + if usercat is not None: + _args['usercategory'] = usercat + if hostcat is not None: + _args['hostcategory'] = hostcat + if cmdcat is not None: + _args['cmdcategory'] = cmdcat + if runasusercat is not None: + _args['ipasudorunasusercategory'] = runasusercat + if runasgroupcat is not None: + _args['ipasudorunasgroupcategory'] = runasgroupcat + if order is not None: + _args['sudoorder'] = order + if nomembers is not None: + _args['nomembers'] = nomembers return _args 
@@ -212,13 +249,21 @@ def main(): hostgroup=dict(required=False, type='list', default=None), user=dict(required=False, type='list', default=None), group=dict(required=False, type='list', default=None), - cmd=dict(required=False, type="list", default=None), + allow_sudocmd=dict(required=False, type="list", default=None), + deny_sudocmd=dict(required=False, type="list", default=None), + allow_sudocmdgroup=dict(required=False, type="list", default=None), + deny_sudocmdgroup=dict(required=False, type="list", default=None), cmdcategory=dict(required=False, type="str", default=None, choices=["all"]), runasusercategory=dict(required=False, type="str", default=None, choices=["all"]), runasgroupcategory=dict(required=False, type="str", default=None, choices=["all"]), + runasuser=dict(required=False, type="list", default=None), + runasgroup=dict(required=False, type="list", default=None), + order=dict(type="int", required=False, aliases=['sudoorder']), + sudooption=dict(required=False, type='list', default=None, + aliases=["options"]), action=dict(type="str", default="sudorule", choices=["member", "sudorule"]), # state 
@@ -256,8 +301,16 @@ def main(): hostgroup = module_params_get(ansible_module, "hostgroup") user = module_params_get(ansible_module, "user") group = module_params_get(ansible_module, "group") - cmd = module_params_get(ansible_module, 'cmd') - cmdgroup = module_params_get(ansible_module, 'cmdgroup') + allow_sudocmd = module_params_get(ansible_module, 'allow_sudocmd') + allow_sudocmdgroup = module_params_get(ansible_module, + 'allow_sudocmdgroup') + deny_sudocmd = module_params_get(ansible_module, 'deny_sudocmd') + deny_sudocmdgroup = module_params_get(ansible_module, + 'deny_sudocmdgroup') + sudooption = module_params_get(ansible_module, "sudooption") + order = module_params_get(ansible_module, "order") + runasuser = module_params_get(ansible_module, "runasuser") + runasgroup = module_params_get(ansible_module, "runasgroup") action = module_params_get(ansible_module, "action") # state 
@@ -272,28 +325,30 @@ def main(): if action == "member": invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", - "runasgroupcategory", "nomembers"] + "runasgroupcategory", "order", "nomembers"] - for x in invalid: - if x in vars() and vars()[x] is not None: + for arg in invalid: + if arg in vars() and vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with action " - "'%s'" % (x, action)) + "'%s'" % (arg, action)) elif state == "absent": if len(names) < 1: ansible_module.fail_json(msg="No name given.") invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", - "runasgroupcategory", "nomembers"] + "runasgroupcategory", "nomembers", "order"] if action == "sudorule": invalid.extend(["host", "hostgroup", "user", "group", - "cmd", "cmdgroup"]) - for x in invalid: - if vars()[x] is not None: + "runasuser", "runasgroup", "allow_sudocmd", + "allow_sudocmdgroup", "deny_sudocmd", + "deny_sudocmdgroup", "sudooption"]) + for arg in invalid: + if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % - (x, state)) + (arg, state)) elif state in ["enabled", "disabled"]: if len(names) < 1: @@ -305,12 +360,14 @@ def main(): invalid = ["description", "usercategory", "hostcategory", "cmdcategory", "runasusercategory", "runasgroupcategory", "nomembers", "nomembers", "host", "hostgroup", - "user", "group", "cmd", "cmdgroup"] - for x in invalid: - if vars()[x] is not None: + "user", "group", "allow_sudocmd", "allow_sudocmdgroup", + "deny_sudocmd", "deny_sudocmdgroup", "runasuser", + "runasgroup", "order", "sudooption"] + for arg in invalid: + if vars()[arg] is not None: ansible_module.fail_json( msg="Argument '%s' can not be used with state '%s'" % - (x, state)) + (arg, state)) else: ansible_module.fail_json(msg="Invalid state '%s'" % state) 
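Review bot: in the ipasudorule.py check-parameters hunk for `state in ["enabled", "disabled"]`, the `invalid` list carries "nomembers" twice (context line); harmless, but drop the duplicate while the list is being extended. The new arguments had to be added to three near-identical `invalid` lists, so a single shared tuple of non-member arguments would make the next addition harder to get wrong.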
@@ -335,7 +392,9 @@ def main(): # Create command if state == "present": # Generate args - args = gen_args(ansible_module) + args = gen_args(description, usercategory, hostcategory, + cmdcategory, runasusercategory, + runasgroupcategory, order, nomembers) if action == "sudorule": # Found the sudorule if res_find is not None: 
@@ -351,44 +410,42 @@ def main(): res_find = {} # Generate addition and removal lists - host_add = list( - set(host or []) - - set(res_find.get("member_host", []))) - host_del = list( - set(res_find.get("member_host", [])) - - set(host or [])) - hostgroup_add = list( - set(hostgroup or []) - - set(res_find.get("member_hostgroup", []))) - hostgroup_del = list( - set(res_find.get("member_hostgroup", [])) - - set(hostgroup or [])) - - user_add = list( - set(user or []) - - set(res_find.get("member_user", []))) - user_del = list( - set(res_find.get("member_user", [])) - - set(user or [])) - group_add = list( - set(group or []) - - set(res_find.get("member_group", []))) - group_del = list( - set(res_find.get("member_group", [])) - - set(group or [])) - - cmd_add = list( - set(cmd or []) - - set(res_find.get("member_cmd", []))) - cmd_del = list( - set(res_find.get("member_cmd", [])) - - set(cmd or [])) - cmdgroup_add = list( - set(cmdgroup or []) - - set(res_find.get("member_cmdgroup", []))) - cmdgroup_del = list( - set(res_find.get("member_cmdgroup", [])) - - set(cmdgroup or [])) + host_add, host_del = gen_add_del_lists( + host, res_find.get('member_host', [])) + + hostgroup_add, hostgroup_del = gen_add_del_lists( + hostgroup, res_find.get('member_hostgroup', [])) + + user_add, user_del = gen_add_del_lists( + user, res_find.get('member_user', [])) + + group_add, group_del = gen_add_del_lists( + group, res_find.get('member_group', [])) + + allow_cmd_add, allow_cmd_del = gen_add_del_lists( + allow_sudocmd, + res_find.get('memberallowcmd_sudocmd', [])) + + allow_cmdgroup_add, allow_cmdgroup_del = gen_add_del_lists( + allow_sudocmdgroup, + res_find.get('memberallowcmd_sudocmdgroup', [])) + + deny_cmd_add, deny_cmd_del = gen_add_del_lists( + deny_sudocmd, + res_find.get('memberdenycmd_sudocmd', [])) + + deny_cmdgroup_add, deny_cmdgroup_del = gen_add_del_lists( + deny_sudocmdgroup, + res_find.get('memberdenycmd_sudocmdgroup', [])) + + sudooption_add, sudooption_del = 
gen_add_del_lists( + sudooption, res_find.get('ipasudoopt', [])) + + runasuser_add, runasuser_del = gen_add_del_lists( + runasuser, res_find.get('ipasudorunas_user', [])) + + runasgroup_add, runasgroup_del = gen_add_del_lists( + runasgroup, res_find.get('ipasudorunas_group', [])) # Add hosts and hostgroups if len(host_add) > 0 or len(hostgroup_add) > 0: 
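Review bot: in the ipasudorule.py hunk that replaces the inline set arithmetic with gen_add_del_lists(), the replaced code treated a missing parameter as an empty set (`set(host or [])`), i.e. "remove everything not listed". If gen_add_del_lists keeps that semantics, the new `sudooption_add, sudooption_del`, `runasuser_add, runasuser_del` and `runasgroup_add, runasgroup_del` lines mean that a play which ensures an existing rule present without mentioning options or RunAs users will strip those settings from the rule. Either document this declarative behaviour for the new parameters or skip the removal lists when the parameter is None.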
@@ -420,20 +477,59 @@ def main(): "group": group_del, }]) - # Add commands - if len(cmd_add) > 0 or len(cmdgroup_add) > 0: + # Add commands allowed + if len(allow_cmd_add) > 0 or len(allow_cmdgroup_add) > 0: commands.append([name, "sudorule_add_allow_command", - { - "sudocmd": cmd_add, - "sudocmdgroup": cmdgroup_add, - }]) - - if len(cmd_del) > 0 or len(cmdgroup_del) > 0: + {"sudocmd": allow_cmd_add, + "sudocmdgroup": allow_cmdgroup_add, + }]) + + if len(allow_cmd_del) > 0 or len(allow_cmdgroup_del) > 0: + commands.append([name, "sudorule_remove_allow_command", + {"sudocmd": allow_cmd_del, + "sudocmdgroup": allow_cmdgroup_del + }]) + + # Add commands denied + if len(deny_cmd_add) > 0 or len(deny_cmdgroup_add) > 0: commands.append([name, "sudorule_add_deny_command", - { - "sudocmd": cmd_del, - "sudocmdgroup": cmdgroup_del - }]) + {"sudocmd": deny_cmd_add, + "sudocmdgroup": deny_cmdgroup_add, + }]) + + if len(deny_cmd_del) > 0 or len(deny_cmdgroup_del) > 0: + commands.append([name, "sudorule_remove_deny_command", + {"sudocmd": deny_cmd_del, + "sudocmdgroup": deny_cmdgroup_del + }]) + + # Add RunAS Users + if len(runasuser_add) > 0: + commands.append([name, "sudorule_add_runasuser", + {"user": runasuser_add}]) + # Remove RunAS Users + if len(runasuser_del) > 0: + commands.append([name, "sudorule_remove_runasuser", + {"user": runasuser_del}]) + + # Add RunAS Groups + if len(runasgroup_add) > 0: + commands.append([name, "sudorule_add_runasgroup", + {"group": runasgroup_add}]) + # Remove RunAS Groups + if len(runasgroup_del) > 0: + commands.append([name, "sudorule_remove_runasgroup", + {"group": runasgroup_del}]) + + # Add sudo options + for sudoopt in sudooption_add: + commands.append([name, "sudorule_add_option", + {"ipasudoopt": sudoopt}]) + + # Remove sudo options + for sudoopt in sudooption_del: + commands.append([name, "sudorule_remove_option", + {"ipasudoopt": sudoopt}]) elif action == "member": if res_find is None: 
@@ -456,11 +552,38 @@ def main(): }]) # Add commands - if cmd is not None: + if allow_sudocmd is not None \ + or allow_sudocmdgroup is not None: commands.append([name, "sudorule_add_allow_command", - { - "sudocmd": cmd, - }]) + {"sudocmd": allow_sudocmd, + "sudocmdgroup": allow_sudocmdgroup, + }]) + + # Add commands + if deny_sudocmd is not None \ + or deny_sudocmdgroup is not None: + commands.append([name, "sudorule_add_deny_command", + {"sudocmd": deny_sudocmd, + "sudocmdgroup": deny_sudocmdgroup, + }]) + + # Add RunAS Users + if runasuser is not None: + commands.append([name, "sudorule_add_runasuser", + {"user": runasuser}]) + + # Add RunAS Groups + if runasgroup is not None: + commands.append([name, "sudorule_add_runasgroup", + {"group": runasgroup}]) + + # Add options + if sudooption is not None: + existing_opts = res_find.get('ipasudoopt', []) + for sudoopt in sudooption: + if sudoopt not in existing_opts: + commands.append([name, "sudorule_add_option", + {"ipasudoopt": sudoopt}]) elif state == "absent": if action == "sudorule": 
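Review bot: in the ipasudorule.py `action == "member"` hunk, the second block is commented "# Add commands" but issues `sudorule_add_deny_command`; label it "# Add denied commands". Both blocks pass `{"sudocmd": ..., "sudocmdgroup": ...}` even when only one of the two parameters is set, so the other value is None; unless api_command drops None entries, build the dict only from the values that are not None.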
@@ -487,12 +610,40 @@ def main(): "group": group, }]) - # Remove commands - if cmd is not None: - commands.append([name, "sudorule_add_deny_command", - { - "sudocmd": cmd, - }]) + # Remove allow commands + if allow_sudocmd is not None \ + or allow_sudocmdgroup is not None: + commands.append([name, "sudorule_remove_allow_command", + {"sudocmd": allow_sudocmd, + "sudocmdgroup": allow_sudocmdgroup + }]) + + # Remove deny commands + if deny_sudocmd is not None \ + or deny_sudocmdgroup is not None: + commands.append([name, "sudorule_remove_deny_command", + {"sudocmd": deny_sudocmd, + "sudocmdgroup": deny_sudocmdgroup + }]) + + # Remove RunAS Users + if runasuser is not None: + commands.append([name, "sudorule_remove_runasuser", + {"user": runasuser}]) + + # Remove RunAS Groups + if runasgroup is not None: + commands.append([name, "sudorule_remove_runasgroup", + {"group": runasgroup}]) + + # Remove options + if sudooption is not None: + existing_opts = res_find.get('ipasudoopt', []) + for sudoopt in sudooption: + if sudoopt in existing_opts: + commands.append([name, + "sudorule_remove_option", + {"ipasudoopt": sudoopt}]) elif state == "enabled": if res_find is None: @@ -530,9 +681,9 @@ def main(): changed = True else: changed = True - except Exception as e: + except Exception as ex: ansible_module.fail_json(msg="%s: %s: %s" % (command, name, - str(e))) + str(ex))) # Get all errors # All "already a member" and "not a member" failures in the # result are ignored. All others are reported. @@ -549,8 +700,8 @@ def main(): if len(errors) > 0: ansible_module.fail_json(msg=", ".join(errors)) - except Exception as e: - ansible_module.fail_json(msg=str(e)) + except Exception as ex: + ansible_module.fail_json(msg=str(ex)) finally: temp_kdestroy(ccache_dir, ccache_name) diff --git a/plugins/modules/ipauser.py b/plugins/modules/ipauser.py index ac4529581c99de0ade161d4693d19a02435111a0..73f16eff3edaf0d35770d414c5f2a6c42235a5d5 100644 --- a/plugins/modules/ipauser.py 
+++ b/plugins/modules/ipauser.py @@ -153,9 +153,12 @@ options: required: false aliases: ["ipasshpubkey"] userauthtype: - description: List of supported user authentication types - choices=['password', 'radius', 'otp'] + description: + List of supported user authentication types + Use empty string to reset userauthtype to the initial value. + choices=['password', 'radius', 'otp', ''] required: false + aliases: ["ipauserauthtype"] userclass: description: - User category @@ -310,9 +313,12 @@ options: required: false aliases: ["ipasshpubkey"] userauthtype: - description: List of supported user authentication types - choices=['password', 'radius', 'otp'] + description: + List of supported user authentication types + Use empty string to reset userauthtype to the initial value. + choices=['password', 'radius', 'otp', ''] required: false + aliases: ["ipauserauthtype"] userclass: description: - User category @@ -386,7 +392,7 @@ author: EXAMPLES = """ # Create user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky first: pinky last: Acme 
@@ -400,39 +406,39 @@ EXAMPLES = """ # Create user brain - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: brain first: brain last: Acme # Delete user pinky, but preserved - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky preserve: yes state: absent # Undelete user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky state: undeleted # Disable user pinky - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: disabled # Enable user pinky and brain - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: enabled # Remove user pinky and brain - ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: pinky,brain state: disabled """ @@ -460,7 +466,8 @@ from ansible.module_utils.basic import AnsibleModule from ansible.module_utils._text import to_text from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command, date_format, \ - compare_args_ipa, module_params_get, api_check_param, api_get_realm + compare_args_ipa, module_params_get, api_check_param, api_get_realm, \ + api_command_no_name import six @@ -646,6 +653,14 @@ def check_parameters(module, state, action, module.fail_json(msg="certmapdata: subject is missing") +def extend_emails(email, default_email_domain): + if email is not None: + return [ "%s@%s" % (_email, default_email_domain) + if "@" not in _email else _email + for _email in email] + return email + + def gen_certmapdata_args(certmapdata): certificate = certmapdata.get("certificate") issuer = certmapdata.get("issuer") 
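Review bot: in the ipauser.py hunk adding extend_emails(), `[ "%s@%s" % ...` has a stray space after the opening bracket (pycodestyle E201), and the trailing `return email` only ever returns None, so `return None` states the intent more clearly. In the same file's EXAMPLES hunk the task commented "Remove user pinky and brain" ends in `state: disabled`, and "Disable user pinky" acts on `name: pinky,brain`; both lines are touched by the hunk for the password change, so fix the state and the name while here.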
@@ -701,7 +716,7 @@ def main(): default=None), userauthtype=dict(type='list', aliases=["ipauserauthtype"], default=None, - choices=['password', 'radius', 'otp']), + choices=['password', 'radius', 'otp', '']), userclass=dict(type="list", aliases=["class"], default=None), radius=dict(type="str", aliases=["ipatokenradiusconfiglink"], @@ -845,13 +860,6 @@ def main(): if names is not None and len(names) != 1: ansible_module.fail_json( msg="Only one user can be added at a time using name.") - if action != "member": - # Only check first and last here if names is set - if names is not None: - if first is None: - ansible_module.fail_json(msg="First name is needed") - if last is None: - ansible_module.fail_json(msg="Last name is needed") check_parameters( ansible_module, state, action, @@ -883,6 +891,17 @@ def main(): server_realm = api_get_realm() + # Default email domain + + result = api_command_no_name(ansible_module, "config_show", {}) + default_email_domain = result["result"]["ipadefaultemaildomain"][0] + + # Extend email addresses + + email = extend_emails(email, default_email_domain) + + # commands + commands = [] for user in names: @@ -949,6 +968,10 @@ def main(): certmapdata, noprivate, nomembers, preserve, update_password) + # Extend email addresses + + email = extend_emails(email, default_email_domain) + elif isinstance(user, str) or isinstance(user, unicode): name = user else: @@ -1011,6 +1034,13 @@ def main(): if "noprivate" in args: del args["noprivate"] + # Ignore userauthtype if it is empty (for resetting) + # and not set in for the user + if "ipauserauthtype" not in res_find and \ + "ipauserauthtype" in args and \ + args["ipauserauthtype"] == ['']: + del args["ipauserauthtype"] + # For all settings is args, check if there are # different settings in the find result. # If yes: modify 
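Review bot: in the ipauser.py hunk that reads the default e-mail domain, `result["result"]["ipadefaultemaildomain"][0]` raises KeyError or IndexError and aborts the whole module if the attribute is absent from `config_show`; read it with `.get("ipadefaultemaildomain", [None])[0]` and let extend_emails() leave addresses without "@" untouched when no domain is known. Also, the second `email = extend_emails(email, default_email_domain)` call inside the per-user loop is only reached for dict-style entries; a comment saying so would save the next reader from wondering why the top-level call is not enough.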
@@ -1019,6 +1049,14 @@ def main(): commands.append([name, "user_mod", args]) else: + # Make sure we have a first and last name + if first is None: + ansible_module.fail_json( + msg="First name is needed") + if last is None: + ansible_module.fail_json( + msg="Last name is needed") + commands.append([name, "user_add", args]) # Handle members: principal, manager, certificate and diff --git a/plugins/modules/ipavault.py b/plugins/modules/ipavault.py new file mode 100644 index 0000000000000000000000000000000000000000..d102202e8195e00cb7a081de6b9429ae9c3d72c2 --- /dev/null +++ b/plugins/modules/ipavault.py 
@@ -0,0 +1,646 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Authors: +# Rafael Guterres Jeffman <rjeffman@redhat.com> +# +# Copyright (C) 2019 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. + +ANSIBLE_METADATA = { + "metadata_version": "1.0", + "supported_by": "community", + "status": ["preview"], +} + +DOCUMENTATION = """ +--- +module: ipavault +short description: Manage vaults and secret vaults. +description: Manage vaults and secret vaults. KRA service must be enabled. +options: + ipaadmin_principal: + description: The admin principal + default: admin + ipaadmin_password: + description: The admin password + required: false + name: + description: The vault name + required: true + aliases: ["cn"] + description: + description: The vault description + required: false + vault_public_key: + description: Base64 encoded public key. + required: false + type: list + aliases: ["ipavaultpublickey"] + vault_salt: + description: Vault salt. + required: false + type: list + aliases: ["ipavaultsalt"] + vault_password: + description: password to be used on symmetric vault. + required: false + type: string + aliases: ["ipavaultpassword"] + vault_type: + description: Vault types are based on security level. 
+ required: true + default: symmetric + choices: ["standard", "symmetric", "asymmetric"] + aliases: ["ipavaulttype"] + service: + description: Any service can own one or more service vaults. + required: false + type: list + username: + description: Any user can own one or more user vaults. + required: false + type: string + aliases: ["user"] + shared: + description: Vault is shared. + required: false + type: boolean + vault_data: + description: Data to be stored in the vault. + required: false + type: string + aliases: ["ipavaultdata"] + owners: + description: Users that are owners of the container. + required: false + type: list + users: + description: Users that are member of the container. + required: false + type: list + groups: + description: Groups that are member of the container. + required: false + type: list + action: + description: Work on vault or member level. + default: vault + choices: ["vault", "member"] + state: + description: State to ensure + default: present + choices: ["present", "absent"] +author: + - Rafael Jeffman +""" + +EXAMPLES = """ +# Ensure vault symvault is present +- ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + vault_password: MyVaultPassword123 + vault_salt: MTIzNDU2Nzg5MAo= + vault_type: symmetric + +# Ensure group ipausers is a vault member. +- ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + groups: ipausers + action: member + +# Ensure group ipausers is not a vault member. +- ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + groups: ipausers + action: member + state: absent + +# Ensure vault users are present. +- ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + users: + - user01 + - user02 + action: member + +# Ensure vault users are absent. 
+- ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + users: + - user01 + - user02 + action: member + status: absent + +# Ensure user owns vault. +- ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + action: member + owners: user01 + +# Ensure user does not own vault. +- ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + owners: user01 + action: member + status: absent + +# Ensure data is archived to a symmetric vault +- ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: admin + vault_password: MyVaultPassword123 + vault_data: > + Data archived. + More data archived. + action: member + +# Ensure vault symvault is absent +- ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + user: admin + state: absent + +# Ensure asymmetric vault is present. +- ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + username: user01 + description: An asymmetric vault + vault_type: asymmetric + vault_public_key: + LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR + HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi + 9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM + 295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV + bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk + tLS0tLQo= + +# Ensure data is archived in an asymmetric vault +- ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + username: admin + vault_data: > + Data archived. + More data archived. + action: member + +# Ensure asymmetric vault is absent. 
+- ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + username: user01 + vault_type: asymmetric + state: absent +""" + +RETURN = """ +""" + +import os +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ + temp_kdestroy, valid_creds, api_connect, api_command, \ + gen_add_del_lists, compare_args_ipa, module_params_get +from ipalib.errors import EmptyModlist + + +def find_vault(module, name, username, service, shared): + _args = { + "all": True, + "cn": name, + } + + if username is not None: + _args['username'] = username + elif service is not None: + _args['service'] = service + else: + _args['shared'] = shared + + _result = api_command(module, "vault_find", name, _args) + + if len(_result["result"]) > 1: + module.fail_json( + msg="There is more than one vault '%s'" % (name)) + if len(_result["result"]) == 1: + return _result["result"][0] + + return None + + +def gen_args(description, username, service, shared, vault_type, salt, + public_key, vault_data): + _args = {} + + if description is not None: + _args['description'] = description + if username is not None: + _args['username'] = username + if service is not None: + _args['service'] = service + if shared is not None: + _args['shared'] = shared + if vault_type is not None: + _args['ipavaulttype'] = vault_type + if salt is not None: + _args['ipavaultsalt'] = salt + if public_key is not None: + _args['ipavaultpublickey'] = public_key + if vault_data is not None: + _args['data'] = vault_data.encode('utf-8') + + return _args + + +def gen_member_args(args, users, groups): + _args = args.copy() + + for arg in ['ipavaulttype', 'description', 'ipavaultpublickey', + 'ipavaultsalt']: + if arg in _args: + del _args[arg] + + _args['user'] = users + _args['group'] = groups + + return _args + + +def data_storage_args(args, data, password): + _args = {} + + if 'username' in args: + _args['username'] = args['username'] + if 'service' in 
args: + _args['service'] = args['service'] + if 'shared' in args: + _args['shared'] = args['shared'] + + if password is not None: + _args['password'] = password + + _args['data'] = data + + return _args + + +def check_parameters(module, state, action, description, username, service, + shared, users, groups, owners, ownergroups, vault_type, + salt, password, public_key, vault_data): + invalid = [] + if state == "present": + if action == "member": + invalid = ['description', 'public_key', 'salt'] + + for param in invalid: + if vars()[param] is not None: + module.fail_json( + msg="Argument '%s' can not be used with action '%s'" % + (param, action)) + + elif state == "absent": + invalid = ['description', 'salt'] + + if action == "vault": + invalid.extend(['users', 'groups', 'owners', 'ownergroups', + 'password', 'public_key']) + + for arg in invalid: + if vars()[arg] is not None: + module.fail_json( + msg="Argument '%s' can not be used with action '%s'" % + (arg, state)) + + +def check_encryption_params(module, state, vault_type, password, public_key, + vault_data, res_find): + if state == "present": + if vault_type == "symmetric": + if password is None \ + and (vault_data is not None or res_find is None): + module.fail_json( + msg="Vault password required for symmetric vault.") + + if vault_type == "asymmetric": + if public_key is None and res_find is None: + module.fail_json( + msg="Public Key required for asymmetric vault.") + + +def main(): + ansible_module = AnsibleModule( + argument_spec=dict( + # generalgroups + ipaadmin_principal=dict(type="str", default="admin"), + ipaadmin_password=dict(type="str", required=False, no_log=True), + + name=dict(type="list", aliases=["cn"], default=None, + required=True), + + # present + + description=dict(required=False, type="str", default=None), + vault_type=dict(type="str", aliases=["ipavaulttype"], + default=None, required=False, + choices=["standard", "symmetric", "asymmetric"]), + vault_public_key=dict(type="str", 
required=False, default=None, + aliases=['ipavaultpublickey']), + vault_salt=dict(type="str", required=False, default=None, + aliases=['ipavaultsalt']), + username=dict(type="str", required=False, default=None, + aliases=['user']), + service=dict(type="str", required=False, default=None), + shared=dict(type="bool", required=False, default=None), + + users=dict(required=False, type='list', default=None), + groups=dict(required=False, type='list', default=None), + owners=dict(required=False, type='list', default=None), + ownergroups=dict(required=False, type='list', default=None), + + vault_data=dict(type="str", required=False, default=None, + aliases=['ipavaultdata']), + vault_password=dict(type="str", required=False, default=None, + no_log=True, aliases=['ipavaultpassword']), + + # state + action=dict(type="str", default="vault", + choices=["vault", "data", "member"]), + state=dict(type="str", default="present", + choices=["present", "absent"]), + ), + supports_check_mode=True, + mutually_exclusive=[['username', 'service', 'shared']], + required_one_of=[['username', 'service', 'shared']] + ) + + ansible_module._ansible_debug = True + + # general + ipaadmin_principal = module_params_get(ansible_module, + "ipaadmin_principal") + ipaadmin_password = module_params_get(ansible_module, "ipaadmin_password") + names = module_params_get(ansible_module, "name") + + # present + description = module_params_get(ansible_module, "description") + + username = module_params_get(ansible_module, "username") + service = module_params_get(ansible_module, "service") + shared = module_params_get(ansible_module, "shared") + + users = module_params_get(ansible_module, "users") + groups = module_params_get(ansible_module, "groups") + owners = module_params_get(ansible_module, "owners") + ownergroups = module_params_get(ansible_module, "ownergroups") + + vault_type = module_params_get(ansible_module, "vault_type") + salt = module_params_get(ansible_module, "vault_salt") + password = 
module_params_get(ansible_module, "vault_password") + public_key = module_params_get(ansible_module, "vault_public_key") + + vault_data = module_params_get(ansible_module, "vault_data") + + action = module_params_get(ansible_module, "action") + # state + state = module_params_get(ansible_module, "state") + + # Check parameters + + if state == "present": + if len(names) != 1: + ansible_module.fail_json( + msg="Only one vault can be added at a time.") + + elif state == "absent": + if len(names) < 1: + ansible_module.fail_json(msg="No name given.") + + else: + ansible_module.fail_json(msg="Invalid state '%s'" % state) + + check_parameters(ansible_module, state, action, description, username, + service, shared, users, groups, owners, ownergroups, + vault_type, salt, password, public_key, vault_data) + # Init + + changed = False + exit_args = {} + ccache_dir = None + ccache_name = None + try: + if not valid_creds(ansible_module, ipaadmin_principal): + ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, + ipaadmin_password) + + api_connect(context='ansible-freeipa') + + commands = [] + + for name in names: + # Make sure vault exists + res_find = find_vault( + ansible_module, name, username, service, shared) + + # Generate args + args = gen_args(description, username, service, shared, vault_type, + salt, public_key, vault_data) + + # Set default vault_type if needed. + if vault_type is None and vault_data is not None: + if res_find is not None: + res_vault_type = res_find.get('ipavaulttype')[0] + args['ipavaulttype'] = vault_type = res_vault_type + else: + args['ipavaulttype'] = vault_type = "symmetric" + + # verify data encription args + check_encryption_params(ansible_module, state, vault_type, + password, public_key, vault_data, res_find) + + # Create command + if state == "present": + + # Found the vault + if action == "vault": + if res_find is not None: + # For all settings is args, check if there are + # different settings in the find result. 
+ # If yes: modify + if not compare_args_ipa(ansible_module, args, + res_find): + commands.append([name, "vault_mod_internal", args]) + else: + if 'ipavaultsault' not in args: + args['ipavaultsalt'] = os.urandom(32) + commands.append([name, "vault_add_internal", args]) + # archive empty data to set password + pwdargs = data_storage_args( + args, args.get('data', ''), password) + commands.append([name, "vault_archive", pwdargs]) + + # Set res_find to empty dict for next step # noqa + res_find = {} + + # Generate adittion and removal lists + user_add, user_del = \ + gen_add_del_lists(users, + res_find.get('member_user', [])) + group_add, group_del = \ + gen_add_del_lists(groups, + res_find.get('member_group', [])) + owner_add, owner_del = \ + gen_add_del_lists(owners, + res_find.get('owner_user', [])) + ownergroups_add, ownergroups_del = \ + gen_add_del_lists(ownergroups, + res_find.get('owner_group', [])) + + # Add users and groups + if len(user_add) > 0 or len(group_add) > 0: + user_add_args = gen_member_args(args, user_add, + group_add) + commands.append([name, 'vault_add_member', + user_add_args]) + + # Remove users and groups + if len(user_del) > 0 or len(group_del) > 0: + user_del_args = gen_member_args(args, user_del, + group_del) + commands.append([name, 'vault_remove_member', + user_del_args]) + + # Add owner users and groups + if len(user_add) > 0 or len(group_add) > 0: + owner_add_args = gen_member_args(args, owner_add, + ownergroups_add) + commands.append([name, 'vault_add_owner', + owner_add_args]) + + # Remove owner users and groups + if len(user_del) > 0 or len(group_del) > 0: + owner_del_args = gen_member_args(args, owner_del, + ownergroups_del) + commands.append([name, 'vault_remove_owner', + owner_del_args]) + + elif action in "member": + # Add users and groups + if users is not None or groups is not None: + user_args = gen_member_args(args, users, groups) + commands.append([name, 'vault_add_member', user_args]) + if owners is not None or 
ownergroups is not None: + owner_args = gen_member_args(args, owners, ownergroups) + commands.append([name, 'vault_add_owner', owner_args]) + + if vault_data is not None: + data_args = data_storage_args( + args, args.get('data', ''), password) + commands.append([name, 'vault_archive', data_args]) + + elif state == "absent": + if 'ipavaulttype' in args: + del args['ipavaulttype'] + + if action == "vault": + if res_find is not None: + commands.append([name, "vault_del", args]) + + elif action == "member": + # remove users and groups + if users is not None or groups is not None: + user_args = gen_member_args(args, users, groups) + commands.append([name, 'vault_remove_member', + user_args]) + + if owners is not None or ownergroups is not None: + owner_args = gen_member_args(args, owners, ownergroups) + commands.append([name, 'vault_remove_owner', + owner_args]) + else: + ansible_module.fail_json( + msg="Invalid action '%s' for state '%s'" % + (action, state)) + else: + ansible_module.fail_json(msg="Unkown state '%s'" % state) + + # Execute commands + + errors = [] + for name, command, args in commands: + try: + result = api_command(ansible_module, command, name, args) + + if command == 'vault_archive': + changed = 'Archived data into' in result['summary'] + else: + if "completed" in result: + if result["completed"] > 0: + changed = True + else: + changed = True + except EmptyModlist: + result = {} + except Exception as exception: + ansible_module.fail_json( + msg="%s: %s: %s" % (command, name, str(exception))) + + # Get all errors + # All "already a member" and "not a member" failures in the + # result are ignored. All others are reported. 
+ if "failed" in result and len(result["failed"]) > 0: + for item in result["failed"]: + failed_item = result["failed"][item] + for member_type in failed_item: + for member, failure in failed_item[member_type]: + if "already a member" in failure \ + or "not a member" in failure: + continue + errors.append("%s: %s %s: %s" % ( + command, member_type, member, failure)) + if len(errors) > 0: + ansible_module.fail_json(msg=", ".join(errors)) + + except Exception as exception: + ansible_module.fail_json(msg=str(exception)) + + finally: + temp_kdestroy(ccache_dir, ccache_name) + + # Done + ansible_module.exit_json(changed=changed, **exit_args) + + +if __name__ == "__main__": + main() diff --git a/roles/ipareplica/README.md b/roles/ipareplica/README.md index ef058c42121ff7aa544f076e926cf82a458a9eda..9e49fec2c3cdbf05386d9e94d9071faf4acc3c7a 100644 --- a/roles/ipareplica/README.md +++ b/roles/ipareplica/README.md 
@@ -47,60 +47,72 @@ Usage Example inventory file with fixed principal using auto-discovery with DNS records: - [ipareplicas] - ipareplica1.example.com - ipareplica2.example.com - - [ipareplicas:vars] - ipaadmin_principal=admin +```ini +[ipareplicas] +ipareplica1.example.com +ipareplica2.example.com + +[ipareplicas:vars] +ipaadmin_principal=admin +``` Example playbook to setup the IPA client(s) using principal from inventory file and password from an [Ansible Vault](http://docs.ansible.com/ansible/latest/playbooks_vault.html) file: - - name: Playbook to configure IPA replicas - hosts: ipareplicas - become: true - vars_files: - - playbook_sensitive_data.yml - - roles: - - role: ipareplica - state: present +```yaml +--- +- name: Playbook to configure IPA replicas + hosts: ipareplicas + become: true + vars_files: + - playbook_sensitive_data.yml + + roles: + - role: ipareplica + state: present +``` Example playbook to unconfigure the IPA client(s) using principal and password from inventory file: - - name: Playbook to unconfigure IPA replicas - hosts: ipareplicas - become: true - - roles: - - role: ipareplica - state: absent +```yaml +--- +- name: Playbook to unconfigure IPA replicas + hosts: ipareplicas + become: true + + roles: + - role: ipareplica + state: absent +``` Example inventory file with fixed server, principal, password and domain: - [ipaserver] - ipaserver.example.com - - [ipareplicas] - ipareplica1.example.com - ipareplica2.example.com - - [ipareplicas:vars] - ipaclient_domain=example.com - ipaadmin_principal=admin - ipaadmin_password=MySecretPassword123 - ipadm_password=MySecretPassword456 +```ini +[ipaserver] +ipaserver.example.com + +[ipareplicas] +ipareplica1.example.com +ipareplica2.example.com + +[ipareplicas:vars] +ipaclient_domain=example.com +ipaadmin_principal=admin +ipaadmin_password=MySecretPassword123 +ipadm_password=MySecretPassword456 +``` Example playbook to setup the IPA client(s) using principal and password from inventory file: - - name: 
Playbook to configure IPA replicas with username/password - hosts: ipareplicas - become: true - - roles: - - role: ipareplica - state: present +```yaml +--- +- name: Playbook to configure IPA replicas with username/password + hosts: ipareplicas + become: true + roles: + - role: ipareplica + state: present +``` Playbooks ========= diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml index 259ae3fbe691a7a0b0d44f18859f10c743cca0d6..3345bebaf537a3b1ed1e2f3a2925dbdabbbee0ad 100644 --- a/roles/ipareplica/tasks/install.yml +++ b/roles/ipareplica/tasks/install.yml @@ -20,6 +20,19 @@ state: present when: ipareplica_setup_adtrust | bool + - name: Install - Ensure that firewall packages installed + package: + name: "{{ ipareplica_packages_firewalld }}" + state: present + when: ipareplica_setup_firewalld | bool + + - name: Firewalld service - Ensure that firewalld is running + systemd: + name: firewalld + enabled: yes + state: started + when: ipareplica_setup_firewalld | bool + when: ipareplica_install_packages | bool #- name: Install - Include Python2/3 import test @@ -44,7 +57,7 @@ domain: "{{ ipareplica_domain | default(ipaserver_domain) | default(omit) }}" servers: "{{ ipareplica_servers | default(omit) }}" - realm: "{{ ipareplica_realm | default(omit) }}" + realm: "{{ ipareplica_realm | default(ipaserver_realm) |default(omit) }}" hostname: "{{ ipareplica_hostname | default(ansible_fqdn) }}" ca_cert_files: "{{ ipareplica_ca_cert_files | default([]) }}" hidden_replica: "{{ ipareplica_hidden_replica }}" diff --git a/roles/ipareplica/vars/CentOS-7.yml b/roles/ipareplica/vars/CentOS-7.yml index 2baa874fc8f1f759ddf2e462aa0341356b15be86..614de3e5a4c20c71714a1a0c7dc96b8f7e4c8ff7 100644 --- a/roles/ipareplica/vars/CentOS-7.yml +++ b/roles/ipareplica/vars/CentOS-7.yml 
@@ -2,4 +2,5 @@ # vars/RedHat-7.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/Fedora-25.yml b/roles/ipareplica/vars/Fedora-25.yml index f1dc77f6b740ecc826312efb22af31c18cc49d2f..ce981ff81f3a352532d0ac7f5bfb38db90a27fe4 100644 --- a/roles/ipareplica/vars/Fedora-25.yml +++ b/roles/ipareplica/vars/Fedora-25.yml @@ -2,4 +2,5 @@ # vars/Fedora-25.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/Fedora-26.yml b/roles/ipareplica/vars/Fedora-26.yml index a52502672b59a04ebc5159d84b3e7aabfa0303ea..5a65e43a895cf3a1c41d3379f659652ba8096d02 100644 --- a/roles/ipareplica/vars/Fedora-26.yml +++ b/roles/ipareplica/vars/Fedora-26.yml @@ -2,4 +2,5 @@ # vars/Fedora-26.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/Fedora-27.yml b/roles/ipareplica/vars/Fedora-27.yml index f4e7ffcc44dad4c845c92e9f8d2c10e56f9088f4..5d6f02a1eaaf51f4cd2f3ad63d8d543bfa033bb6 100644 --- a/roles/ipareplica/vars/Fedora-27.yml +++ b/roles/ipareplica/vars/Fedora-27.yml 
@@ -2,4 +2,5 @@ # vars/Fedora.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/Fedora.yml b/roles/ipareplica/vars/Fedora.yml index 5998d6de6196e5d2134c3d76c2bdf69d63a868e0..f19fb996943418c712a20402e6aad2e09433dc60 100644 --- a/roles/ipareplica/vars/Fedora.yml +++ b/roles/ipareplica/vars/Fedora.yml @@ -2,4 +2,5 @@ # vars/Fedora.yml ipareplica_packages: [ "freeipa-server", "python3-libselinux" ] ipareplica_packages_dns: [ "freeipa-server-dns" ] -ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/RedHat-7.3.yml b/roles/ipareplica/vars/RedHat-7.3.yml index f7a951bcf055acec6fea41f1cc9a1c2532e458d0..a0e7ffea6522f2150289c71281096b4cca416729 100644 --- a/roles/ipareplica/vars/RedHat-7.3.yml +++ b/roles/ipareplica/vars/RedHat-7.3.yml @@ -2,4 +2,5 @@ # vars/RedHat-7.3.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/RedHat-7.yml b/roles/ipareplica/vars/RedHat-7.yml index 2baa874fc8f1f759ddf2e462aa0341356b15be86..614de3e5a4c20c71714a1a0c7dc96b8f7e4c8ff7 100644 --- a/roles/ipareplica/vars/RedHat-7.yml +++ b/roles/ipareplica/vars/RedHat-7.yml 
@@ -2,4 +2,5 @@ # vars/RedHat-7.yml ipareplica_packages: [ "ipa-server", "libselinux-python" ] ipareplica_packages_dns: [ "ipa-server-dns" ] -ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipareplica_packages_adtrust: [ "ipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipareplica/vars/RedHat-8.yml b/roles/ipareplica/vars/RedHat-8.yml index 2aad358bb59ecfc0e4df0c2c106dcd18b22a99d6..025730253dfa65685d81a61da93de0eb4bab9634 100644 --- a/roles/ipareplica/vars/RedHat-8.yml +++ b/roles/ipareplica/vars/RedHat-8.yml @@ -3,3 +3,4 @@ ipareplica_packages: [ "@idm:DL1/server" ] ipareplica_packages_dns: [ "@idm:DL1/dns" ] ipareplica_packages_adtrust: [ "@idm:DL1/adtrust" ] +ipareplica_packages_firewalld: [ "firewalld" ] diff --git a/roles/ipareplica/vars/Ubuntu.yml b/roles/ipareplica/vars/Ubuntu.yml index 761989a6916d6f603be599fe21cfc195def542ff..7cdabbfbde0e0f6d017db9e668b3550a37e0fa26 100644 --- a/roles/ipareplica/vars/Ubuntu.yml +++ b/roles/ipareplica/vars/Ubuntu.yml @@ -2,3 +2,4 @@ ipareplica_packages: [ "freeipa-server" ] ipareplica_packages_dns: [ "freeipa-server-dns" ] ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] diff --git a/roles/ipareplica/vars/default.yml b/roles/ipareplica/vars/default.yml index a1898867a04a1a5d1bda93ddd15cf8b594e52b21..ce7393a1b2ee4fa668f7b763716f61bf6414196e 100644 --- a/roles/ipareplica/vars/default.yml +++ b/roles/ipareplica/vars/default.yml @@ -3,3 +3,4 @@ ipareplica_packages: [ "freeipa-server", "python3-libselinux" ] ipareplica_packages_dns: [ "freeipa-server-dns" ] ipareplica_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipareplica_packages_firewalld: [ "firewalld" ] diff --git a/roles/ipaserver/README.md b/roles/ipaserver/README.md index 88afb3ac4a773dd4cf755a90fa129da57231fd7d..55c9daa1a70cc56207dc41528a79d32dbd941fb0 100644 --- a/roles/ipaserver/README.md 
+++ b/roles/ipaserver/README.md @@ -42,8 +42,7 @@ Requirements Limitations ----------- -External signed CA - +**External signed CA** External signed CA is now supported. But the currently needed two step process is an issue for the processing in a simple playbook. Work is planned to have a new method to handle CSR for external signed CAs in a separate step before starting the server installation. 
@@ -54,57 +53,70 @@ Usage Example inventory file with fixed domain and realm, setting up of the DNS server and using forwarders from /etc/resolv.conf: - [ipaserver] - ipaserver2.example.com - - [ipaserver:vars] - ipaserver_domain=example.com - ipaserver_realm=EXAMPLE.COM - ipaserver_setup_dns=yes - ipaserver_auto_forwarders=yes +```ini +[ipaserver] +ipaserver2.example.com + +[ipaserver:vars] +ipaserver_domain=example.com +ipaserver_realm=EXAMPLE.COM +ipaserver_setup_dns=yes +ipaserver_auto_forwarders=yes +``` Example playbook to setup the IPA server using admin and dirman passwords from an [Ansible Vault](http://docs.ansible.com/ansible/latest/playbooks_vault.html) file: - - name: Playbook to configure IPA server - hosts: ipaserver - become: true - vars_files: - - playbook_sensitive_data.yml - - roles: - - role: ipaserver - state: present +```yaml +--- +- name: Playbook to configure IPA server + hosts: ipaserver + become: true + vars_files: + - playbook_sensitive_data.yml + + roles: + - role: ipaserver + state: present +``` Example playbook to unconfigure the IPA client(s) using principal and password from inventory file: - - name: Playbook to unconfigure IPA server - hosts: ipaserver - become: true - - roles: - - role: ipaserver - state: absent +```yaml +--- +- name: Playbook to unconfigure IPA server + hosts: ipaserver + become: true + + roles: + - role: ipaserver + state: absent +``` Example inventory file with fixed domain, realm, admin and dirman passwords: - [ipaserver] - ipaserver.example.com - - [ipaserver:vars] - ipaserver_domain=example.com - ipaserver_realm=EXAMPLE.COM - ipaadmin_password=MySecretPassword123 - ipadm_password=MySecretPassword234 +```ini +[ipaserver] +ipaserver.example.com + +[ipaserver:vars] +ipaserver_domain=example.com +ipaserver_realm=EXAMPLE.COM +ipaadmin_password=MySecretPassword123 +ipadm_password=MySecretPassword234 +``` Example playbook to setup the IPA server using admin and dirman passwords from inventory file: - - name: 
Playbook to configure IPA server - hosts: ipaserver - become: true - - roles: - - role: ipaserver - state: present +```yaml +--- +- name: Playbook to configure IPA server + hosts: ipaserver + become: true + + roles: + - role: ipaserver + state: present +``` Example playbook to setup the IPA primary with external signed CA using the previous inventory file: @@ -135,6 +147,7 @@ Sign with CA: This is up to you Server installation step 2: Copy `<ipaserver hostname>-chain.crt` to the IPA server and continue with installation of the primary. ```yaml +--- - name: Playbook to configure IPA server step3 hosts: ipaserver become: true diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py index 1075e6d41a80c5d9f051088487c34b8e9f3e35c0..5668231f1e4f33882f4530513ea1f3d40a717a6f 100644 --- a/roles/ipaserver/library/ipaserver_test.py +++ b/roles/ipaserver/library/ipaserver_test.py @@ -719,12 +719,7 @@ def main(): msg="File %s does not exist." % options.dirsrv_config_file) # domain_name - if options.setup_dns and not options.allow_zone_overlap and \ - options.domain_name is not None: - try: - check_zone_overlap(options.domain_name, False) - except ValueError as e: - ansible_module.fail_json(msg=str(e)) + # Validation is done later on in ipaserver_prepare dns.install_check # dm_password with redirect_stdout(ansible_log): diff --git a/roles/ipaserver/tasks/install.yml b/roles/ipaserver/tasks/install.yml index 268f5d363f4262cb1372a85439a11c2b1a4c7f4e..85df9a7dd92610a133be9dffc92aef4629837cfe 100644 --- a/roles/ipaserver/tasks/install.yml +++ b/roles/ipaserver/tasks/install.yml 
@@ -19,6 +19,19 @@ state: present when: ipaserver_setup_adtrust | bool + - name: Install - Ensure that firewall packages installed + package: + name: "{{ ipaserver_packages_firewalld }}" + state: present + when: ipaserver_setup_firewalld | bool + + - name: Firewalld service - Ensure that firewalld is running + systemd: + name: firewalld + enabled: yes + state: started + when: ipaserver_setup_firewalld | bool + when: ipaserver_install_packages | bool #- name: Install - Include Python2/3 import test diff --git a/roles/ipaserver/vars/CentOS-7.yml b/roles/ipaserver/vars/CentOS-7.yml index 079b719c0b95d50a1d844cd2ef5db058299004a9..1186375745dd9beab8e22733f7582dbb9eeb188d 100644 --- a/roles/ipaserver/vars/CentOS-7.yml +++ b/roles/ipaserver/vars/CentOS-7.yml @@ -2,4 +2,5 @@ # vars/rhel.yml ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] -ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/Fedora-25.yml b/roles/ipaserver/vars/Fedora-25.yml index d97afb19623abf7db4f1ac6c95ac365a9b46eb03..374056c0aa3cdff4f8a350dcc64debf1e25fe4fb 100644 --- a/roles/ipaserver/vars/Fedora-25.yml +++ b/roles/ipaserver/vars/Fedora-25.yml @@ -1,3 +1,4 @@ ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] -ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/Fedora-26.yml b/roles/ipaserver/vars/Fedora-26.yml index d97afb19623abf7db4f1ac6c95ac365a9b46eb03..374056c0aa3cdff4f8a350dcc64debf1e25fe4fb 100644 --- a/roles/ipaserver/vars/Fedora-26.yml +++ b/roles/ipaserver/vars/Fedora-26.yml 
@@ -1,3 +1,4 @@ ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] -ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/Fedora-27.yml b/roles/ipaserver/vars/Fedora-27.yml index fa21e34cabcb7fb2585e281d43d8b5ea17d8cf29..b8bfb5774bf5587ee8b908346f524e6ad73951fc 100644 --- a/roles/ipaserver/vars/Fedora-27.yml +++ b/roles/ipaserver/vars/Fedora-27.yml @@ -1,3 +1,4 @@ ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] diff --git a/roles/ipaserver/vars/Fedora.yml b/roles/ipaserver/vars/Fedora.yml index 9db4446ad81fdde4d1d7be6ced459b1752c54171..55a383828196a1b810c4a3faf600944d21deeffa 100644 --- a/roles/ipaserver/vars/Fedora.yml +++ b/roles/ipaserver/vars/Fedora.yml @@ -1,3 +1,4 @@ ipaserver_packages: [ "freeipa-server", "python3-libselinux" ] ipaserver_packages_dns: [ "freeipa-server-dns" ] -ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/RedHat-7.3.yml b/roles/ipaserver/vars/RedHat-7.3.yml index 079b719c0b95d50a1d844cd2ef5db058299004a9..1186375745dd9beab8e22733f7582dbb9eeb188d 100644 --- a/roles/ipaserver/vars/RedHat-7.3.yml +++ b/roles/ipaserver/vars/RedHat-7.3.yml 
@@ -2,4 +2,5 @@ # vars/rhel.yml ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] -ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/RedHat-7.yml b/roles/ipaserver/vars/RedHat-7.yml index 079b719c0b95d50a1d844cd2ef5db058299004a9..1186375745dd9beab8e22733f7582dbb9eeb188d 100644 --- a/roles/ipaserver/vars/RedHat-7.yml +++ b/roles/ipaserver/vars/RedHat-7.yml @@ -2,4 +2,5 @@ # vars/rhel.yml ipaserver_packages: [ "ipa-server", "libselinux-python" ] ipaserver_packages_dns: [ "ipa-server-dns" ] -ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] \ No newline at end of file +ipaserver_packages_adtrust: [ "ipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] \ No newline at end of file diff --git a/roles/ipaserver/vars/RedHat-8.yml b/roles/ipaserver/vars/RedHat-8.yml index 5b9caac19c043c6038e661545709e9f42ac98eb1..7f5ae4644180195d9f956dd7fb2b641b992d67aa 100644 --- a/roles/ipaserver/vars/RedHat-8.yml +++ b/roles/ipaserver/vars/RedHat-8.yml @@ -3,3 +3,4 @@ ipaserver_packages: [ "@idm:DL1/server" ] ipaserver_packages_dns: [ "@idm:DL1/dns" ] ipaserver_packages_adtrust: [ "@idm:DL1/adtrust" ] +ipaserver_packages_firewalld: [ "firewalld" ] diff --git a/roles/ipaserver/vars/Ubuntu.yml b/roles/ipaserver/vars/Ubuntu.yml index b3944a929b0573d5c469cc1d95448c36a55eb85a..d0e01ea8a0a20451821e1d0a0c043f1d78b2c3cb 100644 --- a/roles/ipaserver/vars/Ubuntu.yml +++ b/roles/ipaserver/vars/Ubuntu.yml @@ -2,3 +2,4 @@ ipaserver_packages: [ "freeipa-server" ] ipaserver_packages_dns: [ "freeipa-server-dns" ] ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] 
diff --git a/roles/ipaserver/vars/default.yml b/roles/ipaserver/vars/default.yml index eb5c4894afbaa767d36bb2d6b2a4f0d57b0ecfe3..9f6d58a432de19fb9864d7a635f5e31581293940 100644 --- a/roles/ipaserver/vars/default.yml +++ b/roles/ipaserver/vars/default.yml @@ -3,3 +3,4 @@ ipaserver_packages: [ "ipa-server", "python3-libselinux" ] ipaserver_packages_dns: [ "ipa-server-dns" ] ipaserver_packages_adtrust: [ "freeipa-server-trust-ad" ] +ipaserver_packages_firewalld: [ "firewalld" ] diff --git a/tests/dnsconfig/test_dnsconfig.yml b/tests/dnsconfig/test_dnsconfig.yml new file mode 100644 index 0000000000000000000000000000000000000000..1e1b109429ee3f80ed72605ae3495843445b2c21 --- /dev/null +++ b/tests/dnsconfig/test_dnsconfig.yml 
@@ -0,0 +1,141 @@ +--- +- name: Test dnsconfig + hosts: ipaserver + become: true + gather_facts: true + + tasks: + # Setup. + - name: Ensure forwarders are absent. + ipadnsconfig: + forwarders: + - ip_address: 8.8.8.8 + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent + + # Tests. + + - name: Set dnsconfig. + ipadnsconfig: + forwarders: + - ip_address: 8.8.8.8 + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + forward_policy: only + allow_sync_ptr: yes + register: result + failed_when: not result.changed + + - name: Set dnsconfig, with the same values. + ipadnsconfig: + forwarders: + - ip_address: 8.8.8.8 + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + forward_policy: only + allow_sync_ptr: yes + register: result + failed_when: result.changed + + - name: Ensure forwarder is absent. + ipadnsconfig: + forwarders: + - ip_address: 8.8.8.8 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure forwarder is absent, again. + ipadnsconfig: + forwarders: + - ip_address: 8.8.8.8 + state: absent + register: result + failed_when: result.changed + + - name: Disable global forwarders. + ipadnsconfig: + forward_policy: none + register: result + failed_when: not result.changed + + - name: Disable global forwarders, again. + ipadnsconfig: + forward_policy: none + register: result + failed_when: result.changed + + - name: Re-enable global forwarders. + ipadnsconfig: + forward_policy: first + register: result + failed_when: not result.changed + + - name: Re-enable global forwarders, again. + ipadnsconfig: + forward_policy: first + register: result + failed_when: result.changed + + - name: Disable PTR record synchronization. + ipadnsconfig: + allow_sync_ptr: no + register: result + failed_when: not result.changed + + - name: Disable PTR record synchronization, again. 
+ ipadnsconfig: + allow_sync_ptr: no + register: result + failed_when: result.changed + + - name: Re-enable PTR record synchronization. + ipadnsconfig: + allow_sync_ptr: yes + register: result + failed_when: not result.changed + + - name: Re-enable PTR record synchronization, again. + ipadnsconfig: + allow_sync_ptr: yes + register: result + failed_when: result.changed + + - name: Ensure all forwarders are absent. + ipadnsconfig: + forwarders: + - ip_address: 8.8.8.8 + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent + register: result + failed_when: not result.changed + + + - name: Ensure all forwarders are absent, again. + ipadnsconfig: + forwarders: + - ip_address: 8.8.8.8 + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent + register: result + failed_when: result.changed + + # Cleanup. + - name: Ensure forwarders are absent. + ipadnsconfig: + forwarders: + - ip_address: 8.8.8.8 + - ip_address: 8.8.4.4 + - ip_address: 2001:4860:4860::8888 + - ip_address: 2001:4860:4860::8888 + port: 53 + state: absent diff --git a/tests/group/test_group.yml b/tests/group/test_group.yml index 5fc63dd1b5d7139717bd0386841c1cdb962d094f..28df3a5ace4c072639f208fdd75699571d008538 100644 --- a/tests/group/test_group.yml +++ b/tests/group/test_group.yml @@ -1,5 +1,5 @@ --- -- name: Tests +- name: Test group hosts: ipaserver become: true gather_facts: false @@ -7,19 +7,19 @@ tasks: - name: Ensure users user1, user2 and user3 are absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: user1,user2,user3 state: absent - name: Ensure group group3, group2 and group1 are absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group3,group2,group1 state: absent - name: Ensure users user1..user3 are present ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 first: user1 
@@ -35,49 +35,49 @@ - name: Ensure group1 is present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 register: result failed_when: not result.changed - name: Ensure group1 is present again ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 register: result failed_when: result.changed - name: Ensure group2 is present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group2 register: result failed_when: not result.changed - name: Ensure group2 is present again ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group2 register: result failed_when: result.changed - name: Ensure group3 is present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group3 register: result failed_when: not result.changed - name: Ensure group3 is present again ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group3 register: result failed_when: result.changed - name: Ensure groups group2 and group3 are present in group group1 ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 group: - group2 @@ -88,7 +88,7 @@ - name: Ensure groups group2 and group3 are present in group group1 again ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 group: - group2 @@ -99,7 +99,7 @@ - name: Ensure group3 ia present in group group1 ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 group: - group3 @@ -109,7 +109,7 @@ - name: Ensure users user1, user2 and user3 are present in group group1 ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 user: - user1 
@@ -121,7 +121,7 @@ - name: Ensure users user1, user2 and user3 are present in group group1 again ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 user: - user1 @@ -132,7 +132,7 @@ failed_when: result.changed #- ipagroup: - # ipaadmin_password: MyPassword123 + # ipaadmin_password: SomeADMINpassword # name: group1 # user: # - user7 @@ -140,7 +140,7 @@ - name: Ensure user user7 is absent in group group1 ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 user: - user7 @@ -151,7 +151,7 @@ - name: Ensure group group4 is absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group4 state: absent register: result @@ -159,7 +159,7 @@ - name: Ensure group group3, group2 and group1 are absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group3,group2,group1 state: absent register: result @@ -167,7 +167,7 @@ - name: Ensure users user1, user2 and user3 are absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: user1,user2,user3 state: absent register: result diff --git a/tests/hbacrule/test_hbacrule.yml b/tests/hbacrule/test_hbacrule.yml index a5615cce93dac3ac696aa990653f877bf6824ec8..4d0c203004920e6a15daf99c94c5f219604b0058 100644 --- a/tests/hbacrule/test_hbacrule.yml +++ b/tests/hbacrule/test_hbacrule.yml 
@@ -1,338 +1,629 @@ --- -- name: Tests +- name: Test hbacrule hosts: ipaserver become: true - gather_facts: false tasks: - - name: Ensure HBAC Rule allhosts is absent - ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts,sshd-pinky,loginRule + - name: Get Domain from server name + set_fact: + ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}" + when: ipaserver_domain is not defined + + # CLEANUP TEST ITEMS + + - name: Ensure test hosts are absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + state: absent + + - name: Ensure test hostgroups are absent + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04 state: absent - - name: User pinky absent + - name: Ensure test users are absent ipauser: - ipaadmin_password: MyPassword123 - name: pinky + ipaadmin_password: SomeADMINpassword + name: testuser01,testuser02,testuser03,testuser04 state: absent - - name: User group login absent + - name: Ensure test user groups are absent ipagroup: - ipaadmin_password: MyPassword123 - name: login + ipaadmin_password: SomeADMINpassword + name: testgroup01,testgroup02,testgroup03,testgroup04 + state: absent + + - name: Ensure test HBAC Services are absent + ipahbacsvc: + ipaadmin_password: SomeADMINpassword + name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04 + state: absent + + - name: Ensure test HBAC Service Groups are absent + ipahbacsvcgroup: + ipaadmin_password: SomeADMINpassword + name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04 state: absent - - name: User pinky present + # CREATE TEST ITEMS + + - name: Ensure hosts "{{ 'host[1..4].' 
+ ipaserver_domain }}" are present + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: "{{ 'testhost01.' + ipaserver_domain }}" + force: yes + - name: "{{ 'testhost02.' + ipaserver_domain }}" + force: yes + - name: "{{ 'testhost03.' + ipaserver_domain }}" + force: yes + - name: "{{ 'testhost04.' + ipaserver_domain }}" + force: yes + register: result + failed_when: not result.changed + + - name: Ensure host-group testhostgroup01 is present + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup01 + register: result + failed_when: not result.changed + + - name: Ensure host-group testhostgroup02 is present + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup02 + register: result + failed_when: not result.changed + + - name: Ensure host-group testhostgroup03 is present + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup03 + register: result + failed_when: not result.changed + + - name: Ensure host-group testhostgroup04 is present + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup04 + register: result + failed_when: not result.changed + + - name: Ensure testusers are present ipauser: - ipaadmin_password: MyPassword123 - name: pinky - uid: 10001 - gid: 100 - phone: "+555123457" - email: pinky@acme.com - principalexpiration: "20220119235959" - #passwordexpiration: "2022-01-19 23:59:59" - first: pinky - last: Acme + ipaadmin_password: SomeADMINpassword + users: + - name: testuser01 + first: test + last: user01 + - name: testuser02 + first: test + last: user02 + - name: testuser03 + first: test + last: user03 + - name: testuser04 + first: test + last: user04 register: result failed_when: not result.changed - - name: User group login present + - name: Ensure user group testgroup01 is present ipagroup: - ipaadmin_password: MyPassword123 - name: login + ipaadmin_password: SomeADMINpassword + name: testgroup01 register: result failed_when: not result.changed - - 
name: Ensure HBAC Rule allhosts is present - ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts - usercategory: all + - name: Ensure user group testgroup02 is present + ipagroup: + ipaadmin_password: SomeADMINpassword + name: testgroup02 register: result failed_when: not result.changed - - name: Ensure HBAC Rule allhosts is present again - ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts - usercategory: all + - name: Ensure user group testgroup03 is present + ipagroup: + ipaadmin_password: SomeADMINpassword + name: testgroup03 register: result - failed_when: result.changed + failed_when: not result.changed + + - name: Ensure user group testgroup04 is present + ipagroup: + ipaadmin_password: SomeADMINpassword + name: testgroup04 + register: result + failed_when: not result.changed - - name: Ensure host "{{ groups.ipaserver[0] }}" is present in HBAC Rule allhosts + - name: Ensure HBAC Service testhbacsvc01 is present + ipahbacsvc: + ipaadmin_password: SomeADMINpassword + name: testhbacsvc01 + register: result + failed_when: not result.changed + + - name: Ensure HBAC Service testhbacsvc02 is present + ipahbacsvc: + ipaadmin_password: SomeADMINpassword + name: testhbacsvc02 + register: result + failed_when: not result.changed + + - name: Ensure HBAC Service testhbacsvc03 is present + ipahbacsvc: + ipaadmin_password: SomeADMINpassword + name: testhbacsvc03 + register: result + failed_when: not result.changed + + - name: Ensure HBAC Service testhbacsvc04 is present + ipahbacsvc: + ipaadmin_password: SomeADMINpassword + name: testhbacsvc04 + register: result + failed_when: not result.changed + + - name: Ensure HBAC Service Group testhbacsvcgroup01 is present + ipahbacsvcgroup: + ipaadmin_password: SomeADMINpassword + name: testhbacsvcgroup01 + register: result + failed_when: not result.changed + + - name: Ensure HBAC Service Group testhbacsvcgroup02 is present + ipahbacsvcgroup: + ipaadmin_password: SomeADMINpassword + name: 
testhbacsvcgroup02 + register: result + failed_when: not result.changed + + - name: Ensure HBAC Service Group testhbacsvcgroup03 is present + ipahbacsvcgroup: + ipaadmin_password: SomeADMINpassword + name: testhbacsvcgroup03 + register: result + failed_when: not result.changed + + - name: Ensure HBAC Service Group testhbacsvcgroup04 is present + ipahbacsvcgroup: + ipaadmin_password: SomeADMINpassword + name: testhbacsvcgroup04 + register: result + failed_when: not result.changed + + - name: Ensure test HBAC rule hbacrule01 is absent ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts - host: "{{ groups.ipaserver[0] }}" - action: member + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + state: absent + + # ENSURE HBACRULE + + - name: Ensure HBAC rule hbacrule01 is present + ipahbacrule: + ipaadmin_password: SomeADMINpassword + name: hbacrule01 register: result failed_when: not result.changed - - name: Ensure host "{{ groups.ipaserver[0] }}" is present in HBAC Rule allhosts again + - name: Ensure HBAC rule hbacrule01 is present again ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts - host: "{{ groups.ipaserver[0] }}" - action: member + ipaadmin_password: SomeADMINpassword + name: hbacrule01 register: result failed_when: result.changed - - name: Ensure HBAC Rule sshd-pinky is present + # CHANGE HBACRULE WITH ALL MEMBERS + + - name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - hostcategory: all + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' 
+ ipaserver_domain }}" + hostgroup: testhostgroup01,testhostgroup02 + user: testuser01,testuser02 + group: testgroup01,testgroup02 + hbacsvc: testhbacsvc01,testhbacsvc02 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 register: result failed_when: not result.changed - - name: Ensure HBAC Rule sshd-pinky is present again + - name: Ensure HBAC rule hbacrule01 is present with hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups again ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - hostcategory: all + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + hostgroup: testhostgroup01,testhostgroup02 + user: testuser01,testuser02 + group: testgroup01,testgroup02 + hbacsvc: testhbacsvc01,testhbacsvc02 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 register: result failed_when: result.changed - - name: Ensure user pinky is present in HBAC Rule sshd-pinky + # REMOVE MEMBERS ONE BY ONE + + - name: Ensure test HBAC rule hbacrule01 host members are absent ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - user: pinky + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + state: absent action: member register: result failed_when: not result.changed - - name: Ensure user pinky is present in HBAC Rule sshd-pinky again + - name: Ensure test HBAC rule hbacrule01 host members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - user: pinky + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' 
+ ipaserver_domain }}" + state: absent action: member register: result failed_when: result.changed - - name: Ensure HBAC service sshd is present in HBAC Rule sshd-pinky + - name: Ensure test HBAC rule hbacrule01 hostgroup members are absent ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - hbacsvc: sshd + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 + state: absent action: member register: result failed_when: not result.changed - - name: Ensure HBAC service sshd is present in HBAC Rule sshd-pinky again + - name: Ensure test HBAC rule hbacrule01 hostgroup members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - hbacsvc: sshd + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 + state: absent action: member register: result failed_when: result.changed - - name: Ensure HBAC Rule loginRule is present with HBAC service sshd + - name: Ensure test HBAC rule hbacrule01 user members are absent ipahbacrule: - ipaadmin_password: MyPassword123 - name: loginRule - group: login + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + user: testuser01,testuser02 + state: absent + action: member register: result failed_when: not result.changed - - name: Ensure HBAC Rule loginRule is present with HBAC service sshd again + - name: Ensure test HBAC rule hbacrule01 user members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 - name: loginRule - group: login + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + user: testuser01,testuser02 + state: absent + action: member register: result failed_when: result.changed - - name: Ensure user pinky is present in HBAC Rule loginRule + - name: Ensure test HBAC rule hbacrule01 user group members are absent ipahbacrule: - ipaadmin_password: MyPassword123 - name: loginRule - user: pinky + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + group: 
testgroup01,testgroup02 + state: absent action: member register: result failed_when: not result.changed - - name: Ensure user pinky is present in HBAC Rule loginRule again + - name: Ensure test HBAC rule hbacrule01 user group members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 - name: loginRule - user: pinky + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + group: testgroup01,testgroup02 + state: absent action: member register: result failed_when: result.changed - - name: Ensure user pinky is absent in HBAC Rule loginRule + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent ipahbacrule: - ipaadmin_password: MyPassword123 - name: loginRule - user: pinky - action: member + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hbacsvc: testhbacsvc01,testhbacsvc02 state: absent + action: member register: result failed_when: not result.changed - - name: Ensure user pinky is absent in HBAC Rule loginRule again + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 - name: loginRule - user: pinky - action: member + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hbacsvc: testhbacsvc01,testhbacsvc02 state: absent + action: member register: result failed_when: result.changed - - name: Ensure HBAC Rule loginRule is absent + - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent ipahbacrule: - ipaadmin_password: MyPassword123 - name: loginRule + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 state: absent + action: member register: result failed_when: not result.changed - - name: Ensure HBAC Rule loginRule is absent again + - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are absent again ipahbacrule: - ipaadmin_password: MyPassword123 - name: loginRule + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hbacsvcgroup: 
testhbacsvcgroup01,testhbacsvcgroup02 state: absent + action: member register: result failed_when: result.changed - - name: Ensure HBAC service sshd is absent in HBAC Rule sshd-pinky + # ADD MEMBERS BACK + + - name: Ensure test HBAC rule hbacrule01 host members are present ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - hbacsvc: sshd + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" action: member - state: absent register: result failed_when: not result.changed - - name: Ensure HBAC service sshd is absent in HBAC Rule sshd-pinky again + - name: Ensure test HBAC rule hbacrule01 host members are present again ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - hbacsvc: sshd + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" action: member - state: absent register: result failed_when: result.changed - - name: Ensure user pinky is absent in HBAC Rule sshd-pinky + - name: Ensure test HBAC rule hbacrule01 hostgroup members are present ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - user: pinky + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 action: member - state: absent register: result failed_when: not result.changed - - name: Ensure user pinky is absent in HBAC Rule sshd-pinky again + - name: Ensure test HBAC rule hbacrule01 hostgroup members are present again ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - user: pinky + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hostgroup: testhostgroup01,testhostgroup02 action: member - state: absent register: result failed_when: result.changed - - name: Ensure HBAC Rule sshd-pinky is disabled + - name: Ensure test HBAC rule hbacrule01 user members are present ipahbacrule: - 
ipaadmin_password: MyPassword123 - name: sshd-pinky - state: disabled + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + user: testuser01,testuser02 + action: member register: result failed_when: not result.changed - - name: Ensure HBAC Rule sshd-pinky is disabled again + - name: Ensure test HBAC rule hbacrule01 user members are present again ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - state: disabled + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + user: testuser01,testuser02 + action: member register: result failed_when: result.changed - - name: Ensure HBAC Rule sshd-pinky is enabled + - name: Ensure test HBAC rule hbacrule01 user group members are present ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - state: enabled + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + group: testgroup01,testgroup02 + action: member register: result failed_when: not result.changed - - name: Ensure HBAC Rule sshd-pinky is enabled again + - name: Ensure test HBAC rule hbacrule01 user group members are present again ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - state: enabled + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + group: testgroup01,testgroup02 + action: member register: result failed_when: result.changed - - name: Ensure HBAC Rule sshd-pinky is absent + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are present ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - state: absent + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hbacsvc: testhbacsvc01,testhbacsvc02 + action: member register: result failed_when: not result.changed - - name: Ensure HBAC Rule sshd-pinky is absent again + - name: Ensure test HBAC rule hbacrule01 hbacsvc members are present again ipahbacrule: - ipaadmin_password: MyPassword123 - name: sshd-pinky - state: absent + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hbacsvc: 
testhbacsvc01,testhbacsvc02 + action: member register: result failed_when: result.changed - - name: Ensure host "{{ groups.ipaserver[0] }}" is absent in HBAC Rule allhosts + - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are present ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts - host: "{{ groups.ipaserver[0] }}" + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 action: member - state: absent register: result failed_when: not result.changed - - name: Ensure host "{{ groups.ipaserver[0] }}" is absent in HBAC Rule allhosts again + - name: Ensure test HBAC rule hbacrule01 hbacsvcgroup members are present again ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts - host: "{{ groups.ipaserver[0] }}" + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 action: member + register: result + failed_when: result.changed + + # CHANGE TO DIFFERENT MEMBERS + + - name: Ensure HBAC rule hbacrule01 is present with different hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups + ipahbacrule: + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 + register: result + failed_when: not result.changed + + - name: Ensure HBAC rule hbacrule01 is present with different hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups again + ipahbacrule: + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' 
+ ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 + register: result + failed_when: result.changed + + # ENSURE OLD TEST MEMBERS ARE ABSENT + + - name: Ensure HBAC rule hbacrule01 members (same) are present + ipahbacrule: + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + host: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + hostgroup: testhostgroup01,testhostgroup02 + user: testuser01,testuser02 + group: testgroup01,testgroup02 + hbacsvc: testhbacsvc01,testhbacsvc02 + hbacsvcgroup: testhbacsvcgroup01,testhbacsvcgroup02 state: absent + action: member register: result failed_when: result.changed - - name: Ensure HBAC Rule allhosts is absent + # ENSURE NEW TEST MEMBERS ARE ABSENT + + - name: Ensure HBAC rule hbacrule01 members are absent ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 state: absent + action: member register: result failed_when: not result.changed - - name: Ensure HBAC Rule allhosts is absent again - ipahbacrule: - ipaadmin_password: MyPassword123 - name: allhosts + - name: Ensure HBAC rule hbacrule01 members are absent again + ipahbacrule: + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + host: + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' 
+ ipaserver_domain }}" + hostgroup: testhostgroup03,testhostgroup04 + user: testuser03,testuser04 + group: testgroup03,testgroup04 + hbacsvc: testhbacsvc03,testhbacsvc04 + hbacsvcgroup: testhbacsvcgroup03,testhbacsvcgroup04 state: absent + action: member register: result failed_when: result.changed - - name: User pinky absent + # CLEANUP TEST ITEMS + + - name: Ensure test HBAC rule hbacrule01 is absent + ipahbacrule: + ipaadmin_password: SomeADMINpassword + name: hbacrule01 + state: absent + + - name: Ensure test hosts are absent + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: + - "{{ 'testhost01.' + ipaserver_domain }}" + - "{{ 'testhost02.' + ipaserver_domain }}" + - "{{ 'testhost03.' + ipaserver_domain }}" + - "{{ 'testhost04.' + ipaserver_domain }}" + state: absent + + - name: Ensure test hostgroups are absent + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: testhostgroup01,testhostgroup02,testhostgroup03,testhostgroup04 + state: absent + + - name: Ensure test users are absent ipauser: - ipaadmin_password: MyPassword123 - name: pinky + ipaadmin_password: SomeADMINpassword + name: testuser01,testuser02,testuser03,testuser04 state: absent - - name: User group login absent + - name: Ensure test user groups are absent ipagroup: - ipaadmin_password: MyPassword123 - name: login + ipaadmin_password: SomeADMINpassword + name: testgroup01,testgroup02,testgroup03,testgroup04 + state: absent + + - name: Ensure test HBAC Services are absent + ipahbacsvc: + ipaadmin_password: SomeADMINpassword + name: testhbacsvc01,testhbacsvc02,testhbacsvc03,testhbacsvc04 + state: absent + + - name: Ensure test HBAC Service Groups are absent + ipahbacsvcgroup: + ipaadmin_password: SomeADMINpassword + name: testhbacsvcgroup01,testhbacsvcgroup02,testhbacsvcgroup03,testhbacsvcgroup04 state: absent 
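Review bot: the cleanup task "Ensure test hosts are absent" calls `ipahostgroup:` with the four `testhost0N` FQDNs, so it attempts to delete host groups of those names and the test hosts referenced throughout this file are never removed; it should use `ipahost:` (the next task, "Ensure test hostgroups are absent", is the one that belongs to `ipahostgroup`). Two smaller points in the same region: the task under "# ENSURE OLD TEST MEMBERS ARE ABSENT" is named "Ensure HBAC rule hbacrule01 members (same) are present" although it runs with `state: absent`, `action: member` and `failed_when: result.changed`, so the name should say that the old members are absent; and "hbassvcs" in the two "present with different hosts, hostgroups, users, groups, hbassvcs and hbacsvcgroups" task names is a typo for "hbacsvcs".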
diff --git a/tests/hbacsvc/test_hbacsvc.yml b/tests/hbacsvc/test_hbacsvc.yml index d919b6683664fc1efd3bf8af8e8fcebf6e269008..87a6bbd5fe880330f5a9fa8797a11a164a5fdccb 100644 --- a/tests/hbacsvc/test_hbacsvc.yml +++ b/tests/hbacsvc/test_hbacsvc.yml @@ -1,5 +1,5 @@ --- -- name: Tests +- name: Test hbacsvc hosts: ipaserver become: true gather_facts: false @@ -7,27 +7,27 @@ tasks: - name: Ensure HBAC Service for http is absent ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http,tftp state: absent - name: Ensure HBAC Service for http is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http register: result failed_when: not result.changed - name: Ensure HBAC Service for http is present again ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http register: result failed_when: result.changed - name: Ensure HBAC Service for tftp is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: tftp description: TFTP service register: result @@ -35,7 +35,7 @@ - name: Ensure HBAC Service for tftp is present again ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: tftp description: TFTP service register: result @@ -43,7 +43,7 @@ - name: Ensure HBAC Services for http and tftp are absent ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http,tftp state: absent register: result @@ -51,7 +51,7 @@ - name: Ensure HBAC Services for http and tftp are absent again ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: http,tftp state: absent register: result diff --git a/tests/hbacsvcgroup/test_hbacsvcgroup.yml b/tests/hbacsvcgroup/test_hbacsvcgroup.yml index 9a659f1e2fedf1a3a534cd2936a35800307f2893..853efa2993ca80ebc7e2e26a8feccf54bcbe0de2 100644 --- a/tests/hbacsvcgroup/test_hbacsvcgroup.yml 
+++ b/tests/hbacsvcgroup/test_hbacsvcgroup.yml @@ -1,5 +1,5 @@ --- -- name: Tests +- name: Test hbacsvcgroup hosts: ipaserver become: true gather_facts: false @@ -7,32 +7,32 @@ tasks: - name: Ensure HBAC Service Group login is absent ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login state: absent - name: Ensure HBAC Service for sshd is present ipahbacsvc: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login - name: Ensure HBAC Service Group login is present ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login register: result failed_when: not result.changed - name: Ensure HBAC Service Group login is present again ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login register: result failed_when: result.changed - name: Ensure HBAC Service sshd is present in HBAC Service Group login ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -42,7 +42,7 @@ - name: Ensure HBAC Service sshd is present in HBAC Service Group login again ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -52,7 +52,7 @@ - name: Ensure HBAC Services sshd and foo are absent in HBAC Service Group login ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -64,7 +64,7 @@ - name: Ensure HBAC Services sshd and foo are absent in HBAC Service Group login again ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login hbacsvc: - sshd @@ -76,7 +76,7 @@ - name: Ensure HBAC Service Group login is absent ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login state: absent register: result 
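Review bot: in hunk @@ -7,32 +7,32 @@ of test_hbacsvcgroup.yml the task "Ensure HBAC Service for sshd is present" runs `ipahbacsvc` with `name: login`, so it creates an HBAC service called login rather than sshd, and that service is never referenced afterwards (the membership tasks that follow use `hbacsvc: - sshd`, which FreeIPA ships as a default HBAC service). Either drop the task or change it to `name: sshd` so that the name and the body agree.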
@@ -84,7 +84,7 @@ - name: Ensure HBAC Service Group login is absent again ipahbacsvcgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: login state: absent register: result diff --git a/tests/host/test_host.yml b/tests/host/test_host.yml index 1a555a130de3c3b7425fe5fc61a9febb08f4799b..efb0524af9df53dd9705dd4c432495fe4bf4b90c 100644 --- a/tests/host/test_host.yml +++ b/tests/host/test_host.yml @@ -20,7 +20,7 @@ - name: Host absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -38,7 +38,7 @@ - name: Host "{{ host1_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: "{{ ipv4_prefix + '.201' }}" update_dns: yes @@ -48,7 +48,7 @@ - name: Host "{{ host1_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" ip_address: "{{ ipv4_prefix + '.201' }}" update_dns: yes @@ -58,7 +58,7 @@ - name: Host "{{ host2_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host2_fqdn }}" ip_address: "{{ ipv4_prefix + '.202' }}" update_dns: yes @@ -68,7 +68,7 @@ - name: Host "{{ host2_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host2_fqdn }}" ip_address: "{{ ipv4_prefix + '.202' }}" update_dns: yes @@ -78,7 +78,7 @@ - name: Host "{{ host3_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host3_fqdn }}" ip_address: "{{ ipv4_prefix + '.203' }}" update_dns: yes @@ -88,7 +88,7 @@ - name: Host "{{ host3_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host3_fqdn }}" ip_address: "{{ ipv4_prefix + '.203' }}" update_dns: yes 
@@ -98,7 +98,7 @@ - name: Host "{{ host4_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host4_fqdn }}" ip_address: "{{ ipv4_prefix + '.204' }}" update_dns: yes @@ -108,7 +108,7 @@ - name: Host "{{ host4_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host4_fqdn }}" ip_address: "{{ ipv4_prefix + '.204' }}" update_dns: yes @@ -118,7 +118,7 @@ - name: Host "{{ host5_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host5_fqdn }}" ip_address: "{{ ipv4_prefix + '.205' }}" update_dns: yes @@ -128,8 +128,8 @@ - name: Host "{{ host5_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 - name: "{{ host1_fqdn }}" + ipaadmin_password: SomeADMINpassword + name: "{{ host5_fqdn }}" ip_address: "{{ ipv4_prefix + '.205' }}" update_dns: yes reverse: no @@ -138,7 +138,7 @@ - name: Host "{{ host6_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host6_fqdn }}" ip_address: "{{ ipv4_prefix + '.206' }}" update_dns: yes @@ -148,7 +148,7 @@ - name: Host "{{ host6_fqdn }}" present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host6_fqdn }}" ip_address: "{{ ipv4_prefix + '.206' }}" update_dns: yes @@ -160,7 +160,7 @@ # not enabled. #- name: Hosts host1..host6 disabled # ipahost: - # ipaadmin_password: MyPassword123 + # ipaadmin_password: SomeADMINpassword # name: # - "{{ host1_fqdn }}" # - "{{ host2_fqdn }}" @@ -174,7 +174,7 @@ # #- name: Hosts host1..host6 disabled again # ipahost: - # ipaadmin_password: MyPassword123 + # ipaadmin_password: SomeADMINpassword # name: # - "{{ host1_fqdn }}" # - "{{ host2_fqdn }}" 
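Review bot: hunk @@ -128,8 +128,8 @@ of test_host.yml is not only the password rename: it also changes `name: "{{ host1_fqdn }}"` to `name: "{{ host5_fqdn }}"` in the task "Host "{{ host5_fqdn }}" present again", which fixes a copy-paste bug (the idempotency check for host5 was re-applying host1 with the `.205` address). That is a behavioural fix and should be named in the commit message rather than left inside a mechanical rename, ideally as its own commit so it can be reverted independently.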
@@ -188,7 +188,7 @@ - name: Hosts host1..host6 absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -203,7 +203,7 @@ - name: Hosts host1..host6 absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" diff --git a/tests/host/test_host_allow_create_keytab.yml b/tests/host/test_host_allow_create_keytab.yml index eb7b776466c38da861d3e835fc0f3ad48a8fab28..b9ad0a190d32511d827b64e3d45cc237b549cde8 100644 --- a/tests/host/test_host_allow_create_keytab.yml +++ b/tests/host/test_host_allow_create_keytab.yml @@ -22,7 +22,7 @@ - name: Host host1..., host2... and host3... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -31,13 +31,13 @@ - name: Ensure host-groups hostgroup1 and hostgroup2 absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1,hostgroup2 state: absent - name: Ensure users user1 and user2 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 - name: user2 @@ -45,13 +45,13 @@ - name: Ensure group1 and group2 absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1,group2 state: absent - name: Host host2... and host3... present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host2_fqdn }}" force: yes @@ -62,7 +62,7 @@ - name: Ensure host-group hostgroup1 present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1 state: present register: result 
@@ -70,7 +70,7 @@ - name: Ensure host-group hostgroup2 present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup2 state: present register: result @@ -78,7 +78,7 @@ - name: Ensure users user1 and user2 present ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 first: First1 @@ -91,21 +91,21 @@ - name: Ensure group1 present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 register: result failed_when: not result.changed - name: Ensure group2 present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group2 register: result failed_when: not result.changed - name: Host host1... present with allow_create_keytab users,groups,hosts and hostgroups ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 @@ -125,7 +125,7 @@ - name: Host host1... present with allow_create_keytab users,groups,hosts and hostgroups again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 @@ -145,14 +145,14 @@ - name: Host host1... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" state: absent - name: Host host1... present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" force: yes register: result @@ -160,7 +160,7 @@ - name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 
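Review bot: every hunk in this file (and in the rest of the patch) only swaps one literal admin password for another, leaving `ipaadmin_password` hard-coded in each task body. Since the commit already touches every occurrence, this is the moment to replace the literal with a variable, e.g. `ipaadmin_password: "{{ ipaadmin_password }}"` supplied from group_vars or an Ansible Vault file, so that the next rotation is a one-line change and the test password no longer appears in dozens of task bodies.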
@@ -180,7 +180,7 @@ - name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 @@ -200,7 +200,7 @@ - name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 @@ -221,7 +221,7 @@ - name: Host host1... ensure allow_create_keytab users,groups,hosts and hostgroups absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_create_keytab_user: - user1 @@ -242,7 +242,7 @@ - name: Host host1..., host2... and host3... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -253,7 +253,7 @@ - name: Ensure host-groups hostgroup1 and hostgroup2 absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1,hostgroup2 state: absent register: result @@ -261,7 +261,7 @@ - name: Ensure users user1 and user2 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 - name: user2 @@ -271,7 +271,7 @@ - name: Ensure group1 and group2 absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1,group2 state: absent register: result diff --git a/tests/host/test_host_allow_retrieve_keytab.yml b/tests/host/test_host_allow_retrieve_keytab.yml index 65d86aa64777bac4ee83409478119c5458fed9f6..8f95540733bcc1a4db504cf972cc9e6ac84c25c9 100644 --- a/tests/host/test_host_allow_retrieve_keytab.yml +++ b/tests/host/test_host_allow_retrieve_keytab.yml 
@@ -22,7 +22,7 @@ - name: Host host1..., host2... and host3... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -31,13 +31,13 @@ - name: Ensure host-groups hostgroup1 and hostgroup2 absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1,hostgroup2 state: absent - name: Ensure users user1 and user2 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 - name: user2 @@ -45,13 +45,13 @@ - name: Ensure group1 and group2 absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1,group2 state: absent - name: Host host2... and host3... present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host2_fqdn }}" force: yes @@ -62,7 +62,7 @@ - name: Ensure host-group hostgroup1 present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1 state: present register: result @@ -70,7 +70,7 @@ - name: Ensure host-group hostgroup2 present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup2 state: present register: result @@ -78,7 +78,7 @@ - name: Ensure users user1 and user2 present ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 first: First1 
@@ -91,21 +91,21 @@ - name: Ensure group1 present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1 register: result failed_when: not result.changed - name: Ensure group2 present ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group2 register: result failed_when: not result.changed - name: Host host1... present with allow_retrieve_keytab users,groups,hosts and hostgroups ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 @@ -125,7 +125,7 @@ - name: Host host1... present with allow_retrieve_keytab users,groups,hosts and hostgroups again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 @@ -145,14 +145,14 @@ - name: Host host1... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" state: absent - name: Host host1... present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" force: yes register: result @@ -160,7 +160,7 @@ - name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 @@ -180,7 +180,7 @@ - name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 @@ -200,7 +200,7 @@ - name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 
@@ -221,7 +221,7 @@ - name: Host host1... ensure allow_retrieve_keytab users,groups,hosts and hostgroups absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" allow_retrieve_keytab_user: - user1 @@ -242,7 +242,7 @@ - name: Host host1..., host2... and host3... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -253,7 +253,7 @@ - name: Ensure host-groups hostgroup1 and hostgroup2 absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: hostgroup1,hostgroup2 state: absent register: result @@ -261,7 +261,7 @@ - name: Ensure users user1 and user2 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 - name: user2 @@ -271,7 +271,7 @@ - name: Ensure group1 and group2 absent ipagroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: group1,group2 state: absent register: result diff --git a/tests/host/test_host_bool_params.yml b/tests/host/test_host_bool_params.yml new file mode 100644 index 0000000000000000000000000000000000000000..efded1f15a17d9b55340d3c7991db704f5bf1e09 --- /dev/null +++ b/tests/host/test_host_bool_params.yml 
@@ -0,0 +1,119 @@ +--- +- name: Test host bool parameters + hosts: ipaserver + become: true + + tasks: + - name: Get Domain from server name + set_fact: + ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}" + when: ipaserver_domain is not defined + + - name: Set host1_fqdn .. host6_fqdn + set_fact: + host1_fqdn: "{{ 'host1.' + ipaserver_domain }}" + + - name: Host absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - "{{ host1_fqdn }}" + update_dns: yes + state: absent + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + force: yes + requires_pre_auth: yes + ok_as_delegate: yes + ok_to_auth_as_delegate: yes + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate again + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + requires_pre_auth: yes + ok_as_delegate: yes + ok_to_auth_as_delegate: yes + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate set to no + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + requires_pre_auth: no + ok_as_delegate: no + ok_to_auth_as_delegate: no + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth, ok_as_delegate and ok_to_auth_as_delegate set to no again + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + requires_pre_auth: no + ok_as_delegate: no + ok_to_auth_as_delegate: no + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + requires_pre_auth: yes + register: result + 
failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present with requires_pre_auth again + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + requires_pre_auth: yes + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" present with ok_as_delegate + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ok_as_delegate: yes + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present with ok_as_delegate again + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ok_as_delegate: yes + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" present with ok_to_auth_as_delegate + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ok_to_auth_as_delegate: yes + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present with ok_to_auth_as_delegate again + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ok_to_auth_as_delegate: yes + register: result + failed_when: result.changed + + - name: Host absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - "{{ host1_fqdn }}" + update_dns: yes + state: absent diff --git a/tests/host/test_host_ipaddresses.yml b/tests/host/test_host_ipaddresses.yml new file mode 100644 index 0000000000000000000000000000000000000000..45500707d875b3403bf4566de6048ce4d5a0da49 --- /dev/null +++ b/tests/host/test_host_ipaddresses.yml 
@@ -0,0 +1,321 @@ +--- +- name: Test host IP addresses + hosts: ipaserver + become: true + + tasks: + - name: Get Domain from server name + set_fact: + ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}" + when: ipaserver_domain is not defined + + - name: Set host1_fqdn .. host6_fqdn + set_fact: + host1_fqdn: "{{ 'host1.' + ipaserver_domain }}" + host2_fqdn: "{{ 'host2.' + ipaserver_domain }}" + host3_fqdn: "{{ 'host3.' + ipaserver_domain }}" + + - name: Get IPv4 address prefix from server node + set_fact: + ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] | + join('.') }}" + + - name: Host absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + - "{{ host3_fqdn }}" + update_dns: yes + state: absent + + - name: Host "{{ host1_fqdn }}" present + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.201' }}" + - fe80::20c:29ff:fe02:a1b2 + update_dns: yes + reverse: no + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present again + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.201' }}" + - fe80::20c:29ff:fe02:a1b2 + update_dns: yes + reverse: no + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" present again with new IP address + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + update_dns: yes + reverse: no + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present again with new IP address again + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" 
+ - fe80::20c:29ff:fe02:a1b4 + update_dns: yes + reverse: no + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" member IPv4 address present + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + action: member + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" member IPv4 address present again + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + action: member + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" member IPv4 address absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" member IPv4 address absent again + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + action: member + state: absent + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" member IPv6 address present + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: fe80::20c:29ff:fe02:a1b2 + action: member + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" member IPv6 address present again + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: fe80::20c:29ff:fe02:a1b2 + action: member + register: result + failed_when: result.changed + + - name: Host "{{ host1_fqdn }}" member IPv6 address absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: fe80::20c:29ff:fe02:a1b2 + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" member IPv6 address absent again + 
ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: fe80::20c:29ff:fe02:a1b2 + action: member + state: absent + register: result + + - name: Host "{{ host1_fqdn }}" member all ip-addresses absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" all member ip-addresses absent again + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + action: member + state: absent + register: result + failed_when: result.changed + + - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" present with same IP addresses + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + - name: "{{ host2_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: not result.changed + + - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" present with same IP addresses again + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: "{{ host1_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + - name: "{{ host2_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: result.changed + + - name: Hosts 
"{{ host3_fqdn }}" present with same IP addresses + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: not result.changed + + - name: Hosts "{{ host3_fqdn }}" present with same IP addresses again + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: result.changed + + - name: Host "{{ host3_fqdn }}" present with differnt IP addresses + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.111' }}" + - fe80::20c:29ff:fe02:a1b1 + - "{{ ipv4_prefix + '.121' }}" + - fe80::20c:29ff:fe02:a1b2 + register: result + failed_when: not result.changed + + - name: Host "{{ host3_fqdn }}" present with different IP addresses again + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.111' }}" + - fe80::20c:29ff:fe02:a1b1 + - "{{ ipv4_prefix + '.121' }}" + - fe80::20c:29ff:fe02:a1b2 + register: result + failed_when: result.changed + + - name: Host "{{ host3_fqdn }}" present with old IP addresses + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: not result.changed + + - name: Host "{{ host3_fqdn }}" present with old IP addresses again + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: "{{ host3_fqdn }}" + ip_address: + - "{{ ipv4_prefix + '.211' }}" + - fe80::20c:29ff:fe02:a1b3 + - "{{ ipv4_prefix + '.221' }}" + - 
fe80::20c:29ff:fe02:a1b4 + register: result + failed_when: result.changed + + - name: Absent host01.ihavenodns.info test + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: host01.ihavenodns.info + state: absent + register: result + failed_when: result.changed + + - name: Host absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + - "{{ host3_fqdn }}" + update_dns: yes + state: absent diff --git a/tests/host/test_host_managedby_host.yml b/tests/host/test_host_managedby_host.yml index 78c5a43d76fb7a355858a537718a97fb8c70ce15..e6fb9dc65d2de818b0cdb439a89ab6be0aa9290b 100644 --- a/tests/host/test_host_managedby_host.yml +++ b/tests/host/test_host_managedby_host.yml @@ -16,7 +16,7 @@ - name: Host absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -25,7 +25,7 @@ - name: Host "{{ host1_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" force: yes register: result @@ -33,7 +33,7 @@ - name: Host "{{ host2_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host2_fqdn }}" force: yes register: result @@ -41,7 +41,7 @@ - name: Host "{{ host1_fqdn }}" managed by "{{ 'host2.' + ipaserver_domain }}" ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ host2_fqdn }}" register: result @@ -49,7 +49,7 @@ - name: Host "{{ host1_fqdn }}" managed by "{{ 'host2.' + ipaserver_domain }}" again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ host2_fqdn }}" register: result 
@@ -57,7 +57,7 @@ - name: Host "{{ host1_fqdn }}" managed by "{{ groups.ipaserver[0] }}" ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ groups.ipaserver[0] }}" action: member @@ -66,7 +66,7 @@ - name: Host "{{ host1_fqdn }}" managed by "{{ groups.ipaserver[0] }}" again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ groups.ipaserver[0] }}" action: member @@ -75,7 +75,7 @@ - name: Host "{{ host1_fqdn }}" not managed by "{{ groups.ipaserver[0] }}" ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ groups.ipaserver[0] }}" action: member @@ -85,7 +85,7 @@ - name: Host "{{ host1_fqdn }}" not managed by "{{ groups.ipaserver[0] }}" again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ groups.ipaserver[0] }}" action: member @@ -95,7 +95,7 @@ - name: Host "{{ host1_fqdn }}" not managed by "{{ 'host2.' + ipaserver_domain }}" ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ host2_fqdn }}" state: absent @@ -105,7 +105,7 @@ - name: Host "{{ host1_fqdn }}" not managed by "{{ 'host2.' + ipaserver_domain }}" again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" managedby_host: "{{ host2_fqdn }}" action: member @@ -115,7 +115,7 @@ - name: Host absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" diff --git a/tests/host/test_host_principal.yml b/tests/host/test_host_principal.yml index 0dce400a32387ba79e8829bf64ac25a78858716f..6c7d0dc04d3ac241045818c330fa87e0b56ac39f 100644 --- a/tests/host/test_host_principal.yml 
+++ b/tests/host/test_host_principal.yml @@ -20,7 +20,7 @@ - name: Host host1 absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" update_dns: yes @@ -28,7 +28,7 @@ - name: Host host1... present with principal host/testhost1... ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" principal: - "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}" @@ -38,7 +38,7 @@ - name: Host host1... principal host/host1... present (existing already) ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" principal: - "{{ 'host/host1.' + ipaserver_domain + '@' + ipaserver_realm }}" @@ -48,7 +48,7 @@ - name: Host host1... principal host/testhost1... present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" principal: "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}" action: member @@ -57,7 +57,7 @@ - name: Host host1... principal host/testhost1... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" principal: "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}" action: member @@ -67,7 +67,7 @@ - name: Host host1... principal host/testhost1... absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" principal: "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}" action: member @@ -77,7 +77,7 @@ - name: Host host1... principal host/testhost1... and host/myhost1... present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" principal: - "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}" 
@@ -88,7 +88,7 @@ - name: Host host1... principal host/testhost1... and host/myhost1... present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" principal: - "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}" @@ -99,7 +99,7 @@ - name: Host host1... principal host/testhost1... and host/myhost1... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" principal: - "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}" @@ -111,7 +111,7 @@ - name: Host host1... principal host/testhost1... and host/myhost1... absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" principal: - "{{ 'host/testhost1.' + ipaserver_domain + '@' + ipaserver_realm }}" @@ -123,7 +123,7 @@ - name: Host host1... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" update_dns: yes diff --git a/tests/host/test_host_random.yml b/tests/host/test_host_random.yml index 84893f9007280636d310d5801a9eb9d7adcb836e..4d1b2545e6ae94d71e0adf5a5643b2fdac7e4757 100644 --- a/tests/host/test_host_random.yml +++ b/tests/host/test_host_random.yml @@ -16,7 +16,7 @@ - name: Test hosts absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -25,7 +25,7 @@ - name: Host "{{ host1_fqdn }}" present with random password ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host1_fqdn }}" random: yes force: yes 
@@ -43,14 +43,14 @@ - name: Host "{{ host1_fqdn }}" absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" state: absent - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" present with random password ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" random: yes @@ -79,7 +79,7 @@ - name: Hosts "{{ host1_fqdn }}" and "{{ host2_fqdn }}" absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" diff --git a/tests/host/test_host_reverse.yml b/tests/host/test_host_reverse.yml new file mode 100644 index 0000000000000000000000000000000000000000..9031b70b33aadfd63d130fcea21f2a669d040b01 --- /dev/null +++ b/tests/host/test_host_reverse.yml 
@@ -0,0 +1,103 @@ +--- +- name: Test host + hosts: ipaserver + become: true + gather_facts: true + + tasks: + - name: Get Domain from server name + set_fact: + ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}" + when: ipaserver_domain is not defined + + - name: Set host1_fqdn + set_fact: + host1_fqdn: "{{ 'host1.' + ipaserver_domain }}" + + - name: Host absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - "{{ host1_fqdn }}" + update_dns: yes + state: absent + + - name: Get IPv4 address prefix from server node + set_fact: + ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] | + join('.') }}" + reverse_zone: "{{ ansible_default_ipv4.address.split('.')[2::-1] | + join('.') }}" + + - name: Set zone for reverse address. + command: ipa dnszone-add "{{ item }}" --skip-nameserver-check --skip-overlap-check + with_items: + - "{{ reverse_zone + '.in-addr.arpa.' }}" + - 'ip6.arpa.' + ignore_errors: yes + + - name: Host "{{ host1_fqdn }}" present + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + update_dns: yes + reverse: yes + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present, again. + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + update_dns: yes + reverse: yes + register: result + failed_when: result.changed + + - name: Hosts host1 absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - "{{ host1_fqdn }}" + update_dns: yes + state: absent + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present with IPv6 + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: "fd00::0001" + update_dns: yes + reverse: yes + register: result + failed_when: not result.changed + + - name: Host "{{ host1_fqdn }}" present with IPv6, again. 
+ ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ host1_fqdn }}" + ip_address: "fd00::0001" + update_dns: yes + reverse: yes + register: result + failed_when: result.changed + + - name: Hosts host1 absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - "{{ host1_fqdn }}" + update_dns: yes + state: absent + register: result + failed_when: not result.changed + + - name: Set zone for reverse address. + command: ipa dnszone-del "{{ item }}" + with_items: + - "{{ reverse_zone + '.in-addr.arpa.' }}" + - 'ip6.arpa.' diff --git a/tests/host/test_hosts.yml b/tests/host/test_hosts.yml index 8e92bf32b6d4b589665098bc7d75b6ca11a4045d..30fd6538f80af9beea6e9f3acb1cac54f623c8af 100644 --- a/tests/host/test_hosts.yml +++ b/tests/host/test_hosts.yml @@ -21,7 +21,7 @@ - name: Host host1..host6 absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" - name: "{{ host2_fqdn }}" @@ -33,7 +33,7 @@ - name: Hosts host1..host6 present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" force: yes @@ -52,7 +52,7 @@ - name: Hosts host1..host6 present again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" force: yes @@ -71,7 +71,7 @@ - name: Hosts host1..host6 absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" - name: "{{ host2_fqdn }}" @@ -85,7 +85,7 @@ - name: Hosts host1..host6 absent again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" - name: "{{ host2_fqdn }}" diff --git a/tests/host/test_hosts_managedby_host.yml b/tests/host/test_hosts_managedby_host.yml index a692745a666a38d19a4de1804b1cd00186c2e688..bd6452c4905f8bd79abd76a3689164fe2c49c67f 100644 --- a/tests/host/test_hosts_managedby_host.yml 
+++ b/tests/host/test_hosts_managedby_host.yml @@ -19,7 +19,7 @@ - name: Host absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -31,7 +31,7 @@ - name: Host "{{ host5_fqdn }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ host5_fqdn }}" force: yes register: result @@ -39,7 +39,7 @@ - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" present and managed by "{{ 'host5.' + ipaserver_domain }}" ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" managedby_host: "{{ host5_fqdn }}" @@ -61,7 +61,7 @@ - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" present and managed by "{{ 'host5.' + ipaserver_domain }}" again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" managedby_host: "{{ host5_fqdn }}" @@ -83,7 +83,7 @@ - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" managed by "{{ 'host5.' + ipaserver_domain }}" ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" managedby_host: "{{ host5_fqdn }}" @@ -101,7 +101,7 @@ - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" not managed by "{{ 'host5.' + ipaserver_domain }}" ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" managedby_host: "{{ host5_fqdn }}" @@ -120,7 +120,7 @@ - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" not managed by "{{ 'host5.' + ipaserver_domain }}" again ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" managedby_host: "{{ host5_fqdn }}" 
@@ -139,7 +139,7 @@ - name: Hosts "{{ host1_fqdn }}" .. "{{ 'host5.' + ipaserver_domain }}" absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" - name: "{{ host2_fqdn }}" diff --git a/tests/host/test_hosts_principal.yml b/tests/host/test_hosts_principal.yml index 5918d35d0fe7c7e707154f3ab80b64dfdbc18394..87e3a85316759b9620e59feeeded33e60da0732b 100644 --- a/tests/host/test_hosts_principal.yml +++ b/tests/host/test_hosts_principal.yml @@ -21,7 +21,7 @@ - name: Host host1... and host2... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" @@ -30,7 +30,7 @@ - name: Host hostX... present with principal host/testhostX... X=[1,2] ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" principal: @@ -45,7 +45,7 @@ - name: Host hostX... principal 'host/hostX... present (existing already) X=[1,2] ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" principal: @@ -59,7 +59,7 @@ - name: Host hostX... principal host/testhostX... present again X=[1,2] ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" principal: @@ -73,7 +73,7 @@ - name: Host hostX.. principal host/testhostX... absent X=[1,2] ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" principal: @@ -88,7 +88,7 @@ - name: Host hostX... principal host/testhostX... absent again X=[1,2] ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" principal: 
@@ -103,7 +103,7 @@ - name: Host hostX... principal host/testhostX... and host/myhostX... present X=[1,2] ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" principal: @@ -119,7 +119,7 @@ - name: Host hostX... principal host/testhostX... and host/myhostX... present again X=[1,2] ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" principal: @@ -135,7 +135,7 @@ - name: Host hostX... principal host/testhostX... and host/myhostX... absent X=[1,2] ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" principal: @@ -153,7 +153,7 @@ - name: Host hostX... principal host/testhostX... and host/myhostX... absent again X=[1,2] ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" principal: @@ -171,7 +171,7 @@ - name: Hosts host1... and host2... absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" diff --git a/tests/hostgroup/test_hostgroup.yml b/tests/hostgroup/test_hostgroup.yml index c3c44966062827a0713e08c7237787fb6b118781..ba449a06031eed69d86ea46093030d2a413b9968 100644 --- a/tests/hostgroup/test_hostgroup.yml +++ b/tests/hostgroup/test_hostgroup.yml @@ -1,5 +1,5 @@ --- -- name: Tests +- name: Test hostgroup hosts: ipaserver become: true gather_facts: false @@ -12,7 +12,7 @@ - name: Ensure host-group databases, mysql-server and oracle-server are absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - databases - mysql-server @@ -21,7 +21,7 @@ - name: Test hosts db1 and db2 absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ 'db1.' + ipaserver_domain }}" - "{{ 'db2.' + ipaserver_domain }}" 
@@ -29,7 +29,7 @@ - name: Host "{{ 'db1.' + ipaserver_domain }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ 'db1.' + ipaserver_domain }}" force: yes register: result @@ -37,7 +37,7 @@ - name: Host "{{ 'db2.' + ipaserver_domain }}" present ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: "{{ 'db2.' + ipaserver_domain }}" force: yes register: result @@ -45,7 +45,7 @@ - name: Ensure host-group mysql-server is present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: mysql-server state: present register: result @@ -53,7 +53,7 @@ - name: Ensure host-group mysql-server is present again ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: mysql-server state: present register: result @@ -61,7 +61,7 @@ - name: Ensure host-group oracle-server is present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: oracle-server state: present register: result @@ -69,7 +69,7 @@ - name: Ensure host-group oracle-server is present again ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: oracle-server state: present register: result @@ -77,7 +77,7 @@ - name: Ensure host-group databases is present ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: present host: @@ -89,7 +89,7 @@ - name: Ensure host-group databases is present again ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: present host: @@ -101,7 +101,7 @@ - name: Ensure host db2 is member of host-group databases ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: present host: 
@@ -112,7 +112,7 @@ - name: Ensure host db2 is member of host-group databases again ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: present host: @@ -123,7 +123,7 @@ - name: Ensure host-group mysql-server is member of host-group databases ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: present hostgroup: @@ -134,7 +134,7 @@ - name: Ensure host-group mysql-server is member of host-group databases again ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: present hostgroup: @@ -145,7 +145,7 @@ - name: Ensure host-group oracle-server is member of host-group databases (again) ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: databases state: present hostgroup: @@ -156,7 +156,7 @@ - name: Ensure host-group databases, mysql-server and oracle-server are absent ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - databases - mysql-server @@ -167,7 +167,7 @@ - name: Ensure host-group databases, mysql-server and oracle-server are absent again ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - databases - mysql-server @@ -178,7 +178,7 @@ - name: Test hosts db1 and db2 absent ipahost: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - "{{ 'db1.' + ipaserver_domain }}" - "{{ 'db2.' + ipaserver_domain }}" diff --git a/tests/pwpolicy/test_pwpolicy.yml b/tests/pwpolicy/test_pwpolicy.yml index 5c69345cbea330052266c9a691ed3657c4efb040..d5a254e478ed240a1cae376649ca0e0f13d35ae4 100644 --- a/tests/pwpolicy/test_pwpolicy.yml +++ b/tests/pwpolicy/test_pwpolicy.yml 
@@ -1,14 +1,34 @@ --- -- name: Tests +- name: Test pwpolicy hosts: ipaserver become: true gather_facts: false tasks: + - name: Ensure maxlife of 90 for global_policy + ipapwpolicy: + ipaadmin_password: SomeADMINpassword + maxlife: 90 + + - name: Ensure absence of group ops + ipagroup: + ipaadmin_password: SomeADMINpassword + name: ops + state: absent + + - name: Ensure absence of pwpolicies for group ops + ipapwpolicy: + ipaadmin_password: SomeADMINpassword + name: ops + state: absent + - name: Ensure presence of group ops ipagroup: ipaadmin_password: SomeADMINpassword name: ops + state: present + register: result + failed_when: not result.changed - name: Ensure presence of pwpolicies for group ops ipapwpolicy: @@ -42,6 +62,28 @@ register: result failed_when: result.changed + - name: Ensure maxlife of 49 for global_policy + ipapwpolicy: + ipaadmin_password: SomeADMINpassword + maxlife: 49 + register: result + failed_when: not result.changed + + - name: Ensure maxlife of 49 for global_policy again + ipapwpolicy: + ipaadmin_password: SomeADMINpassword + maxlife: 49 + register: result + failed_when: result.changed + + - name: Ensure absence of pwpoliciy global_policy will fail + ipapwpolicy: + ipaadmin_password: SomeADMINpassword + state: absent + register: result + ignore_errors: True + failed_when: result is defined and result + - name: Ensure absence of pwpolicies for group ops ipapwpolicy: ipaadmin_password: SomeADMINpassword @@ -50,6 +92,13 @@ register: result failed_when: not result.changed + - name: Ensure maxlife of 90 for global_policy + ipapwpolicy: + ipaadmin_password: SomeADMINpassword + maxlife: 90 + register: result + failed_when: not result.changed + - name: Ensure absence of pwpolicies for group ops ipapwpolicy: ipaadmin_password: SomeADMINpassword 
diff --git a/tests/service/certificate/cert1.der b/tests/service/certificate/cert1.der new file mode 100644 index 0000000000000000000000000000000000000000..b1b90efde6d33ab44ca7b62941eee06fdbc05da9 Binary files /dev/null and b/tests/service/certificate/cert1.der differ diff --git a/tests/service/certificate/cert1.pem b/tests/service/certificate/cert1.pem new file mode 100644 index 0000000000000000000000000000000000000000..ab3704bba5957ba125762cfb3b5b11b1067b20a8 --- /dev/null +++ b/tests/service/certificate/cert1.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQx +MDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk ++OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa +8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0am +nvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cj +QQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidS +X0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYuku +H/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0 +WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic +uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkG +wIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyE +iaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj +9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV +7MVq +-----END CERTIFICATE----- diff --git a/tests/service/certificate/cert2.der b/tests/service/certificate/cert2.der new file mode 100644 index 0000000000000000000000000000000000000000..e176c2ba50270b331c457e784dea5f5f6a09e53a Binary files /dev/null and b/tests/service/certificate/cert2.der differ 
diff --git a/tests/service/certificate/cert2.pem b/tests/service/certificate/cert2.pem new file mode 100644 index 0000000000000000000000000000000000000000..e8ea2e434b79dd142b7531c03ab105ddd2d5d5fd --- /dev/null +++ b/tests/service/certificate/cert2.pem @@ -0,0 +1,19 @@ +-----BEGIN CERTIFICATE----- +MIIC/zCCAeegAwIBAgIURhps6LEteMDCdBrlVkWe4cgSh0YwDQYJKoZIhvcNAQEL +BQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQyNDBaFw0zMDAyMDExNDQy +NDBaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC4W56H0VraEKGlCxSTS2PqnaD11shMjruexmholmTEtYPePPnQHpwiiZlg +K7CPBIOdCn4hHH+hXQDg/TJRMjrde1VzD0pFRBUq6H25sy8oOlfD0bDXkncWn82S +OJu2UJHeL7htQLRxW14VIAO2YO9zaXdophy6/csTAkFq1ls/vTBp73pnnYp8D7Tg +zBB6bb95OZBSHeCzPIH2FSCJ/W0j6bHw4i7uHu/jWx0o0LR152fSFFwk0Wrmp8HH +b2083OlnSBgTM+BZDg9rB7jpLCsIGHWXbjG36jmRaZu5z4vq2FNomJ8PXkX7mwUf +aft6z+px7UlhrwUxEVWIXOoUBYcJAgMBAAGjUzBRMB0GA1UdDgQWBBTttCQn5UaQ +i+N5WRnA7ZTQlkVfRTAfBgNVHSMEGDAWgBTttCQn5UaQi+N5WRnA7ZTQlkVfRTAP +BgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBW3vRR5wEDztuLVrcQ +Dojn1XB24OOqn4C6OJyz3FUxd4MQA8J2vKN4P2QXhY0oYsauFKhR5xfOaDUcK2Tu +kAtFz1mxqm1ygUVQHbrs8lBeIi4hoMc76ODJ/V9GNY7N/y/5xtD7XlyTVT2tb6tc +6tmv8e4497PTPspuHp9YbbvzdSI12JENDW4hKCOpR/Uv7mRcCT+c2iMJdUL3f3YO +FsGBbxVdTPmuhL4My8qR/CtCNpN0gBsaxUKFAP+/1AvFbFDChFVDEEdD8PLznH5x +8HLmA9/K5x/cXbgqESUqK13P53f1XYOfggKb1f7yqBAZRnTY82+k9Kn9qWOcnyxS +uUtZ +-----END CERTIFICATE----- diff --git a/tests/service/certificate/private1.key b/tests/service/certificate/private1.key new file mode 100644 index 0000000000000000000000000000000000000000..372908d226ff4d711846f4a4097d8059437b0388 --- /dev/null +++ b/tests/service/certificate/private1.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC+XVVGFYpHVkcD +fVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJ +zMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmj +fMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn +0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQW +AnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63 +g5cZyE+nAgMBAAECggEBALJIsw5aKhE5inSIN0xZT3FTWxcjHF26jE+X86G0H3KZ +roLqnjOagOKTwjeErXt66IWKFh3b5vKCSNq6PEs8OCeRHv71bay5zK1WWLH87sKJ +EAUSPuK5O6donI9aC36VL8tTwSOOOS9WJ0KoHqsn/tLHlONXOvo063iYEg8xFhuP +etrOf2gDjwGbeWis7VeHG7wL5p2/WdsyjTDbQPhmUlBO93rtkBlm9FaqYKwrp8qe +4c5gf6ZAKgY2EZaQuEvq3Lonk7TRCtPDVCPLYQxZGOmn2UeUS+HMnDSqrlQesBKD +hNNCCJVaQZHsghmwXa8t9yRBIxoOqVObdEQYJ8wuxMECgYEA676x3m7T2PwJXS+q +Km3snv60lCozxKbzaNJ1xlAmpW08MijYCkDS/kWSIwN5GO+b5B6use8iALrV9SyP +eC/6bFuMJ+zRfGhn1cw4Ibz79EroTxmJio7J7SiD/yxvjNVznKx5xgQeB9tdgjaf +yHSxInWoQzcDGKUe2h2KFJxUzJECgYEAzrh6zI8Ugne5iBUbLcpJUehlMd4+RM0l +1y8ZOBS1tjzimWycjZaPtMB0q4FOc1ou2zcSxwoGIv5khvUsjKhTfOc6lK+cHPhE +fAppYUxhHw2UDpX/0hKDuDu++O+86ANp7AOvM+KcNAiEoovxUyurVjBsT/PPlrTA +r5w7xuyi1LcCgYAZ7ZdSh431R4MgJKXqlLx5oDnsMdgPwOz0knExpo8ZkrIUMjnQ +puCN5sjz4OXowDG9HULJfyuWOPZfSM9ewKgiUs9PdNR1gmYpNZTW4Ro0/CggywY9 +nwbGdrZN0m1SaAeXK8EY7kr/Qjk+oRNh0LPKvnYLLnnAtCh4hNcy/R62gQKBgBaD +3UweYVt8csaxlc489BNpvmvaCuovdemkBZkoGEqLAxs2yy5Ysbo8I/jyEntZ3TSf +IPpwyw5Qqt5QIdQIGV/HR4geQGCfYcYo1CV2zjU1o2SbTcuxnIsaZshyRB75EDZW +iGScT+sS6m9R0qz+WqD+kS18HqYJddsqpxAZgfqtAoGBAJx7E8HxFpaNfz/QQPAQ +mvON6ub5u4AfhH4DgiPErMxNsdzVICL+mnQy0wdmi1oEpq9KH4/8aSxdPhadyl/8 +l+0CkCkBZvEP7+NmctR8Zot60wS0DnOwuURCxm/zYJ26DXjB0XitDDumFJ56Wd6p +uLl9eKMBE/jBsCSWQTuwrtnT +-----END PRIVATE KEY----- diff --git a/tests/service/certificate/private2.key b/tests/service/certificate/private2.key new file mode 100644 index 0000000000000000000000000000000000000000..58909dbf5990ff703c7d70395edb0899ce90fb3d --- /dev/null 
+++ b/tests/service/certificate/private2.key @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQC4W56H0VraEKGl +CxSTS2PqnaD11shMjruexmholmTEtYPePPnQHpwiiZlgK7CPBIOdCn4hHH+hXQDg +/TJRMjrde1VzD0pFRBUq6H25sy8oOlfD0bDXkncWn82SOJu2UJHeL7htQLRxW14V +IAO2YO9zaXdophy6/csTAkFq1ls/vTBp73pnnYp8D7TgzBB6bb95OZBSHeCzPIH2 +FSCJ/W0j6bHw4i7uHu/jWx0o0LR152fSFFwk0Wrmp8HHb2083OlnSBgTM+BZDg9r +B7jpLCsIGHWXbjG36jmRaZu5z4vq2FNomJ8PXkX7mwUfaft6z+px7UlhrwUxEVWI +XOoUBYcJAgMBAAECggEAPTBrlbiu5uHORPFAiwLizuQyoGYBZSearkA8Nzpzh7aX +ZhPm9mSyfeQdvAXEPDPLWzw4UNUcp3ou6H4hTUHWt9xPqDjS9dp7DBrOX+xRIpD6 +wEvA3kwGqsOvf3C6ffCP+abtF5X6TgV9XJWbpdTWpP/EWj+IGahS1qRRAhzTfHvF +YGMTFwlgbz4eOs+FXBnVNGsdsdMLpOyqHMdDAA4BhyspWHyHgCRjEjROuJCKSDUR +MD1pNdaEYzoj5QeE1IKzXAzTaxG/YKd36BxV5Cp9DOBuZZLgNEd2EisXxV7UwZL4 +leGgxAc+KQs6QoPoz+mrKbdDnxe6V+uaa9KHoqnj4QKBgQD1qh+MEIF+Vuf/keFJ +vDgS7oFeg1UGzMtWypiNfVYu9cBLp32tgY48+ey3OCvhRSJAVROH1rc5ZfkESSQ2 +rSeV/T3plr5bBkLc7chuDM8An745p8VSOM+Ak1zE2qb+Qo+IsxNRA9KyeUvupuB8 +HJ7fxdZ7JpgueD/mKyCn1WaGIwKBgQDAHTS6J7LKm52d2norERK6ZyBNVhKaKNDW +ssRqSh906oFU63Qijsp4dbm1iRXGME6Zoe1quN/K80iATdv/VzjzxS1Of8mqA7gr +/2juZbpEluSxjkqPAZp1p4Kx9WURdzv2ModkYwM3zSTGR5l22Whd9QdNQvVl1mf0 ++RfgE6ty4wKBgA+GtwO1L1n6yCLg52ovmSOpK0f76O3LF7beixG2MDI7mfGuHkVP +ANxdt1ZFGJDeO7HxLpDRQzc/eKOKs904yF20aatPuawrEyK/bIF4EcUqU211awUt +TgAEUEKoxxEex8+N8dSW90QMYn4s0ddGP8xIxqt13vxg4Tj81M2GsTodAoGAOa8L +S/Hrj0ZWdzVIhXHk669XVaFIiJ1Ex5J5w2hqNZLMLpFcF5xEUxMWJdn5fb63ew3R +2b+VAr01wcCfE/Y+lYNY7T8VcEUZoaxY92v4F+wu0tlkrbfPhxA6//As3qesi2n0 +mUHZj4G7TwXkoHj7C2stPBek02UjZbz9XDzLt/0CgYAiawpqmHJK4LhRm+P6J1+X +nzLPzQ6t15ivh4jPrWZPgOG3hKV+If+PTv7lLy51y2X4Ttuyumy09J+kYiy3qIHR +nmbAEkc9lesrxk1eytxmYY+fGTBpaLAc+vNXWCtUc1ttKcfrPhZdncmSh5Z0aFN3 +D+EddEZHzfzoGlfbNVkfmQ== +-----END PRIVATE KEY----- 
diff --git a/tests/service/certificate/test_service_certificate.yml b/tests/service/certificate/test_service_certificate.yml new file mode 100644 index 0000000000000000000000000000000000000000..89c46f10e69aecf419e354cd68bc995c54604d4e --- /dev/null +++ b/tests/service/certificate/test_service_certificate.yml 
@@ -0,0 +1,225 @@ +# +# Generate self-signed certificates using openssl: +# +# openssl req -x509 -newkey rsa:2048 -days 3650 -nodes -keyout private1.key -out cert1.pem -subj '/CN=test' +# openssl req -x509 -newkey rsa:2048 -days 3650 -nodes -keyout private2.key -out cert2.pem -subj '/CN=test' +# +# Convert the certificate do DER for easier handling through CLI +# +# openssl x509 -outform der -in cert1.pem -out cert1.der +# openssl x509 -outform der -in cert2.pem -out cert2.der +# +# Use base64: +# +# base64 cert1.der -w5000 +# base64 cert2.der -w5000 +# +# Certificates: +# cert1: +# - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqicuPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq +# cert2: +# - 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 + +--- +- name: Test service certificates + hosts: ipaserver + become: true + + tasks: + # setup + - name: Get Domain from server name + set_fact: + ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}" + when: ipaserver_domain is not defined + + - name: Get IPv4 address prefix from 
server node + set_fact: + ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] | + join('.') }}" + + - name: Set test host FQDN + set_fact: + test_subdomain: testcert + test_host: "{{ 'testcert.' + ipaserver_domain }}" + + - name: Host test absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ test_host }}" + update_dns: yes + state: absent + + - name: Host test present + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ test_host }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + update_dns: yes + + - name: Ensure testing group group01 is present. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: group01 + + - name: Ensure testing group group02 is present. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: group02 + + - name: Ensure services are absent. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + state: absent + + # tests + - name: Ensure service is present + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + certificate: + - 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 + pac_type: + - MS-PAC + - PAD + auth_ind: otp + force: no + requires_pre_auth: yes + ok_as_delegate: no + ok_to_auth_as_delegate: no + register: result + failed_when: not result.changed + + - name: Ensure service is present, again + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + certificate: + - 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 + pac_type: + - MS_PAC + - PAD + auth_ind: otp + force: no + requires_pre_auth: yes + ok_as_delegate: no + ok_to_auth_as_delegate: no + register: result + failed_when: result.changed + + - name: Ensure service is disabled + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + state: disabled + register: result + failed_when: not result.changed + + - name: Ensure service member certificate is present. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + certificate: + - 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 + action: member + state: present + register: result + failed_when: not result.changed + + - name: Ensure service member certificate is present, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + certificate: + - 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 + action: member + state: present + register: result + failed_when: result.changed + + - name: Ensure service multiple member certificates are present, with duplicate. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + certificate: + - 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 + - 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 + action: member + state: present + register: result + failed_when: not result.changed + + - name: Ensure service member certificate is absent. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + certificate: + - 
MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqicuPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure service member certificate is absent, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + certificate: + - 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 + action: member + state: absent + register: result + failed_when: result.changed + + - name: Ensure service member certificates are absent. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + certificate: + - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+QeNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqicuPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq + - 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 + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure service multiple member certificates is present. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + certificate: + - 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 + action: member + state: present + register: result + failed_when: not result.changed + + - name: Ensure service is disabled + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + state: disabled + register: result + failed_when: not result.changed + + - name: Ensure service is disabled, again. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + state: disabled + register: result + failed_when: result.changed + + # cleanup + - name: Ensure services are absent. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ test_host }}" + state: absent + + - name: Ensure host is absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ test_host }}" + update_dns: yes + state: absent diff --git a/tests/service/test_service.yml b/tests/service/test_service.yml new file mode 100644 index 0000000000000000000000000000000000000000..10d1285a372402de92a0660914fc7ac29bad0fed --- /dev/null +++ b/tests/service/test_service.yml 
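Review bot: In tests/service/certificate/test_service_certificate.yml the idempotency check "Ensure service is present, again" sends `pac_type: [MS_PAC, PAD]` while the task it repeats sends `MS-PAC`; the values used everywhere else in this patch are `MS-PAC`, `PAD` and `NONE`, so the second run is either rejected or is not replaying the same input, and the entry should read `- MS-PAC`. Setup also creates group01 and group02, but no ipaservice task in this file references them and the `# cleanup` block never removes them; either drop the two ipagroup tasks or add a matching `state: absent` at the end. Typo in the generation comment: "Convert the certificate do DER" should be "to DER".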
@@ -0,0 +1,536 @@ +# This test uses skip_host_check, so it will fail if not using +# FreeIPA version 4.7.0 or later. +# +# To test against earlier versions, use test_without_skip_host_check.yml. +# +# This test define 6 hosts: +# - www.ansible.com: a host with a DNS setup (external), not present in IPA +# - no.idontexist.info: a host without DNS and not present in IPA. +# - svc.ihavenodns.inf: a host without DNS, but present in IPA. +# - svc_fqdn: a host with DNS and present in IPA. +# - host1_fqdn and host2_fqdn: used for member actions only. +# +--- +- name: Test service + hosts: ipaserver + become: yes + + tasks: + # setup + - name: Get Domain from server name + set_fact: + ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}" + when: ipaserver_domain is not defined + + - name: Set host1, host2 and svc hosts fqdn + set_fact: + host1_fqdn: "{{ 'host1.' + ipaserver_domain }}" + host2_fqdn: "{{ 'host2.' + ipaserver_domain }}" + svc_fqdn: "{{ 'svc.' + ipaserver_domain }}" + + - name: Host absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - www.ansible.com + - no.idontexist.info + - svc.ihavenodns.info + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + - "{{ svc_fqdn }}" + update_dns: no + state: absent + + - name: Get IPv4 address prefix from server node + set_fact: + ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] | + join('.') }}" + + - name: Add hosts for tests. + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: "{{ host1_fqdn }}" + force: yes + - name: "{{ host2_fqdn }}" + force: yes + - name: "{{ svc_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + - name: svc.ihavenodns.info + force: yes + + - name: Ensure testing user user01 is present. + ipauser: + ipaadmin_password: SomeADMINpassword + name: user01 + first: user01 + last: last + + - name: Ensure testing user user02 is present. 
+ ipauser: + ipaadmin_password: SomeADMINpassword + name: user02 + first: user02 + last: last + + - name: Ensure testing group group01 is present. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: group01 + + - name: Ensure testing group group02 is present. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: group02 + + - name: Ensure testing hostgroup hostgroup01 is present. + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: hostgroup01 + + - name: Ensure testing hostgroup hostgroup02 is present. + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: hostgroup02 + + - name: Ensure services are absent. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: + - "HTTP/{{ svc_fqdn }}" + - HTTP/www.ansible.com + - HTTP/svc.ihavenodns.info + - HTTP/no.idontexist.info + state: absent + + # tests + - name: Ensure service is present + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + pac_type: + - MS-PAC + - PAD + auth_ind: otp + skip_host_check: no + force: no + requires_pre_auth: yes + ok_as_delegate: no + ok_to_auth_as_delegate: no + register: result + failed_when: not result.changed + + - name: Ensure service is present, again + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + pac_type: + - MS_PAC + - PAD + auth_ind: otp + skip_host_check: no + force: no + requires_pre_auth: yes + ok_as_delegate: no + ok_to_auth_as_delegate: no + register: result + failed_when: result.changed + + - name: Modify service. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + pac_type: NONE + ok_as_delegate: yes + ok_to_auth_as_delegate: yes + register: result + failed_when: not result.changed + + - name: Modify service, again. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + pac_type: NONE + ok_as_delegate: yes + ok_to_auth_as_delegate: yes + register: result + failed_when: result.changed + + - name: Ensure service is present, without host object. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.ansible.com + skip_host_check: yes + register: result + failed_when: not result.changed + + - name: Ensure service is present, without host object, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/www.ansible.com + skip_host_check: yes + register: result + failed_when: result.changed + + - name: Ensure service is present, with host not in DNS. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/svc.ihavenodns.info + skip_host_check: no + force: yes + register: result + failed_when: not result.changed + + - name: Ensure service is present, with host not in DNS, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/svc.ihavenodns.info + skip_host_check: no + force: yes + register: result + failed_when: result.changed + + - name: Ensure service is present, whithout host object and with host not in DNS. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/no.idontexist.info + skip_host_check: yes + force: yes + register: result + failed_when: not result.changed + + - name: Ensure service is present, whithout host object and with host not in DNS, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/no.idontexist.info + skip_host_check: yes + force: yes + register: result + failed_when: result.changed + + - name: Principal host/test.example.com present in service. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + principal: + - host/test.example.com + action: member + register: result + failed_when: not result.changed + + - name: Principal host/test.example.com present in service, again. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + principal: + - host/test.example.com + action: member + register: result + failed_when: result.changed + + - name: Principal host/test.example.com absent in service. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + principal: + - host/test.example.com + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Principal host/test.example.com absent in service, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + principal: + - host/test.example.com + action: member + state: absent + register: result + failed_when: result.changed + + - name: Ensure host can manage service. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + action: member + register: result + failed_when: not result.changed + + - name: Ensure host can manage service, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + host: "{{ host1_fqdn }}" + action: member + register: result + failed_when: result.changed + + - name: Ensure host cannot manage service. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure host cannot manage service, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + action: member + state: absent + register: result + failed_when: result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + register: result + failed_when: not result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + register: result + failed_when: result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups, again. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent + register: result + failed_when: result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + register: result + failed_when: not result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - "{{ host1_fqdn }}" + - host02.exampl "{{ groups.ipaserver[0] }}"e.com + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + register: result + failed_when: result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent + register: result + failed_when: result.changed + + # + - name: Ensure service is absent + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + state: absent + register: result + failed_when: not result.changed + + - name: Ensure service is absent, again + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + state: absent + register: result + failed_when: result.changed + + # cleanup + + - name: Ensure services are absent. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: + - "HTTP/{{ svc_fqdn }}" + - HTTP/www.ansible.com + - HTTP/svc.ihavenodns.info + - HTTP/no.idontexist.local + state: absent + + - name: Ensure host "{{ svc_fqdn }}" is absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: "{{ svc_fqdn }}" + update_dns: yes + state: absent + + - name: Ensure host is absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + - www.ansible.com + - svc.ihavenodns.info + update_dns: no + state: absent + + - name: Ensure testing users are absent. + ipauser: + ipaadmin_password: SomeADMINpassword + name: + - user01 + - user02 + state: absent + + - name: Ensure testing groups are absent. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: + - group01 + - group02 + state: absent + + - name: Ensure testing hostgroup hostgroup01 is absent. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: + - hostgroup01 + state: absent + + - name: Ensure testing hostgroup hostgroup02 is absent. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: + - hostgroup02 + state: absent diff --git a/tests/service/test_service_without_skip_host_check.yml b/tests/service/test_service_without_skip_host_check.yml new file mode 100644 index 0000000000000000000000000000000000000000..147da0c97d0bd21f1fa4f7def9585a16254cb69a --- /dev/null +++ b/tests/service/test_service_without_skip_host_check.yml 
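Review bot: In tests/service/test_service.yml the task "members allow_retrieve_keytab present for users, groups, hosts and hostgroups, again" carries a mangled host entry, `- host02.exampl "{{ groups.ipaserver[0] }}"e.com`, where the first run used `- "{{ host2_fqdn }}"`; the repeat therefore sends a different and invalid host name instead of the same member list, so it cannot verify `changed: false`. Cleanup does not mirror setup: the final "Ensure services are absent" lists `HTTP/no.idontexist.local` although the tests created `HTTP/no.idontexist.info`, leaving that service behind, and the two hostgroup cleanup tasks call `ipagroup` instead of `ipahostgroup`, so hostgroup01 and hostgroup02 are never removed. Smaller points: `MS_PAC` in "Ensure service is present, again" should be `MS-PAC` to match the first task; the header comment should say "This test defines 6 hosts" and `svc.ihavenodns.info` (the tasks use `.info`, the comment says `.inf`); and "whithout" in two task names should be "without".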
@@ -0,0 +1,476 @@ +--- +- name: Test service without using option skip_host_check + hosts: ipaserver + become: yes + + tasks: + # setup + - name: Get Domain from server name + set_fact: + ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}" + when: ipaserver_domain is not defined + + - name: Set host1, host2 and svc hosts fqdn + set_fact: + host1_fqdn: "{{ 'host1.' + ipaserver_domain }}" + host2_fqdn: "{{ 'host2.' + ipaserver_domain }}" + svc_fqdn: "{{ 'svc.' + ipaserver_domain }}" + + - name: Host absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - svc.ihavenodns.info + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + - "{{ svc_fqdn }}" + update_dns: yes + state: absent + + - name: Get IPv4 address prefix from server node + set_fact: + ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] | + join('.') }}" + + - name: Add hosts for tests. + ipahost: + ipaadmin_password: SomeADMINpassword + hosts: + - name: "{{ host1_fqdn }}" + ip_address: "{{ ipv4_prefix + '.201' }}" + update_dns: yes + - name: "{{ host2_fqdn }}" + ip_address: "{{ ipv4_prefix + '.202' }}" + update_dns: yes + - name: "{{ svc_fqdn }}" + ip_address: "{{ ipv4_prefix + '.203' }}" + update_dns: yes + - name: svc.ihavenodns.info + update_dns: no + force: yes + + - name: Ensure testing user user01 is present. + ipauser: + ipaadmin_password: SomeADMINpassword + name: user01 + first: user01 + last: last + + - name: Ensure testing user user02 is present. + ipauser: + ipaadmin_password: SomeADMINpassword + name: user02 + first: user02 + last: last + + - name: Ensure testing group group01 is present. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: group01 + + - name: Ensure testing group group02 is present. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: group02 + + - name: Ensure testing hostgroup hostgroup01 is present. 
+ ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: hostgroup01 + + - name: Ensure testing hostgroup hostgroup02 is present. + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: hostgroup02 + + - name: Ensure services are absent. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: + - "HTTP/{{ svc_fqdn }}" + - HTTP/svc.ihavenodns.info + state: absent + + # tests + - name: Ensure service is present + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + pac_type: + - MS-PAC + - PAD + auth_ind: otp + force: no + requires_pre_auth: yes + ok_as_delegate: no + ok_to_auth_as_delegate: no + register: result + failed_when: not result.changed + + - name: Ensure service is present, again + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + pac_type: + - MS_PAC + - PAD + auth_ind: otp + force: no + requires_pre_auth: yes + ok_as_delegate: no + ok_to_auth_as_delegate: no + register: result + failed_when: result.changed + + - name: Modify service. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + pac_type: NONE + ok_as_delegate: yes + ok_to_auth_as_delegate: yes + register: result + failed_when: not result.changed + + - name: Modify service, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + pac_type: NONE + ok_as_delegate: yes + ok_to_auth_as_delegate: yes + register: result + failed_when: result.changed + + - name: Ensure service is present, with host not in DNS. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/svc.ihavenodns.info + force: yes + register: result + failed_when: not result.changed + + - name: Ensure service is present, with host not in DNS, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: HTTP/svc.ihavenodns.info + force: yes + register: result + failed_when: result.changed + + - name: Principal host/test.example.com present in service. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + principal: + - host/test.example.com + action: member + register: result + failed_when: not result.changed + + - name: Principal host/test.exabple.com present in service, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + principal: + - host/test.example.com + action: member + register: result + failed_when: result.changed + + - name: Principal host/test.example.com absent in service. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + principal: + - host/test.example.com + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Principal host/test.example.com absent in service, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + principal: + - host/test.example.com + action: member + state: absent + register: result + failed_when: result.changed + + - name: Ensure host can manage service. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + action: member + register: result + failed_when: not result.changed + + - name: Ensure host can manage service, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + host: "{{ host1_fqdn }}" + action: member + register: result + failed_when: result.changed + + - name: Ensure host cannot manage service. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure host cannot manage service, again. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + action: member + state: absent + register: result + failed_when: result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + register: result + failed_when: not result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + register: result + failed_when: result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups, again. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_create_keytab_user: + - user01 + - user02 + allow_create_keytab_group: + - group01 + - group02 + allow_create_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_create_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent + register: result + failed_when: result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + register: result + failed_when: not result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - "{{ host1_fqdn }}" + - host02.exampl "{{ groups.ipaserver[0] }}"e.com + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + register: result + failed_when: result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups. 
+ ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups, again. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + allow_retrieve_keytab_user: + - user01 + - user02 + allow_retrieve_keytab_group: + - group01 + - group02 + allow_retrieve_keytab_host: + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + allow_retrieve_keytab_hostgroup: + - hostgroup01 + - hostgroup02 + action: member + state: absent + register: result + failed_when: result.changed + + # + - name: Ensure service is absent + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + state: absent + register: result + failed_when: not result.changed + + - name: Ensure service is absent, again + ipaservice: + ipaadmin_password: SomeADMINpassword + name: "HTTP/{{ svc_fqdn }}" + state: absent + register: result + failed_when: result.changed + + # cleanup + + - name: Ensure services are absent. + ipaservice: + ipaadmin_password: SomeADMINpassword + name: + - "HTTP/{{ svc_fqdn }}" + - HTTP/svc.ihavenodns.info + state: absent + + - name: Ensure host is absent + ipahost: + ipaadmin_password: SomeADMINpassword + name: + - "{{ svc_fqdn }}" + - "{{ host1_fqdn }}" + - "{{ host2_fqdn }}" + - svc.ihavenodns.info + state: absent + + - name: Ensure testing users are absent. + ipauser: + ipaadmin_password: SomeADMINpassword + name: + - user01 + - user02 + state: absent + + - name: Ensure testing groups are absent. 
+ ipagroup: + ipaadmin_password: SomeADMINpassword + name: + - group01 + - group02 + state: absent + + - name: Ensure testing hostgroup hostgroup01 is absent. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: + - hostgroup01 + state: absent + + - name: Ensure testing hostgroup hostgroup02 is absent. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: + - hostgroup02 + state: absent diff --git a/tests/sudocmd/test_sudocmd.yml b/tests/sudocmd/test_sudocmd.yml index 97427869fc2b430f79b92138274465213f16e1f3..c66e8108e1939e2822d9de4f0c6f2c894568aae9 100644 --- a/tests/sudocmd/test_sudocmd.yml +++ b/tests/sudocmd/test_sudocmd.yml @@ -1,6 +1,6 @@ --- -- name: Tests +- name: Test sudocmd hosts: ipaserver become: true gather_facts: false @@ -8,7 +8,7 @@ tasks: - name: Ensure sudocmds are absent ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - /usr/bin/su - /usr/sbin/ifconfig @@ -17,7 +17,7 @@ - name: Ensure sudocmd is present ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: /usr/bin/su state: present register: result @@ -25,7 +25,7 @@ - name: Ensure sudocmd is present again ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: /usr/bin/su state: present register: result @@ -33,7 +33,7 @@ - name: Ensure sudocmd is absent ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: /usr/bin/su state: absent register: result @@ -41,7 +41,7 @@ - name: Ensure sudocmd is absent again ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: /usr/bin/su state: absent register: result @@ -49,7 +49,7 @@ - name: Ensure multiple sudocmd are present ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - /usr/sbin/ifconfig - /usr/sbin/iwlist 
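Review bot: In tests/service/test_service_without_skip_host_check.yml the same mangled entry `- host02.exampl "{{ groups.ipaserver[0] }}"e.com` appears in the "allow_retrieve_keytab present ..., again" task and should be `- "{{ host2_fqdn }}"`, otherwise the repeat run submits an invalid host rather than checking idempotency. In cleanup, "Ensure host is absent" removes hosts that setup added with `update_dns: yes` but omits `update_dns: yes` itself, so the DNS records for host1, host2 and svc survive the run and are only cleared by the setup "Host absent" task on the next execution; add `update_dns: yes` to the cleanup task. The hostgroup cleanup again uses `ipagroup` where `ipahostgroup` is needed, so hostgroup01 and hostgroup02 persist. Minor: `MS_PAC` should be `MS-PAC` to match the first "Ensure service is present" task, and "test.exabple.com" in one task name should be "test.example.com".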
@@ -59,7 +59,7 @@ - name: Ensure multiple sudocmd are present again ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - /usr/sbin/ifconfig - /usr/sbin/iwlist @@ -69,7 +69,7 @@ - name: Ensure multiple sudocmd are absent ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - /usr/sbin/ifconfig - /usr/sbin/iwlist @@ -79,7 +79,7 @@ - name: Ensure multiple sudocmd are absent again ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - /usr/sbin/ifconfig - /usr/sbin/iwlist @@ -88,7 +88,7 @@ failed_when: result.changed - name: Ensure sudocmds are absent ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - /usr/bin/su - /usr/sbin/ifconfig @@ -97,21 +97,21 @@ - name: Ensure sudocmds are absent ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - /usr/sbin/ifconfig state: absent - name: Ensure sudocmds are present ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - /usr/sbin/iwlist state: present - name: Ensure multiple sudocmd are absent when only one was present ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - /usr/sbin/ifconfig - /usr/sbin/iwlist diff --git a/tests/sudocmdgroup/test_sudocmdgroup.yml b/tests/sudocmdgroup/test_sudocmdgroup.yml index 226e986f65e58bcde5fbef07096cbbb63800c592..ce149de64c848634b5ad80f080311c3c82b20c26 100644 --- a/tests/sudocmdgroup/test_sudocmdgroup.yml +++ b/tests/sudocmdgroup/test_sudocmdgroup.yml @@ -1,6 +1,6 @@ --- -- name: Tests +- name: Test sudocmdgroup hosts: ipaserver become: true gather_facts: false @@ -8,7 +8,7 @@ tasks: - name: Ensure sudocmds are present ipasudocmd: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - /usr/bin/su - /usr/sbin/ifconfig 
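Review bot: every hunk in tests/sudocmd/test_sudocmd.yml only swaps one literal admin password for another (`MyPassword123` to `SomeADMINpassword`), which keeps the credential duplicated in every task; consider setting `ipaadmin_password` once, at play level under `vars` or from the inventory, and referencing it as `ipaadmin_password: "{{ ipaadmin_password }}"` so the next change touches one line instead of each task.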
@@ -17,13 +17,13 @@ - name: Ensure sudocmdgroup is absent ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network state: absent - name: Ensure sudocmdgroup is present ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network state: present register: result @@ -31,7 +31,7 @@ - name: Ensure sudocmdgroup is present again ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network state: present register: result @@ -39,7 +39,7 @@ - name: Ensure sudocmdgroup is absent ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network state: absent register: result @@ -47,7 +47,7 @@ - name: Ensure sudocmdgroup is absent again ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network state: absent register: result @@ -55,7 +55,7 @@ - name: Ensure testing sudocmdgroup is present ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network state: present register: result @@ -63,7 +63,7 @@ - name: Ensure sudo commands are present in existing sudocmdgroup ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig @@ -74,7 +74,7 @@ - name: Ensure sudo commands are present in existing sudocmdgroup, again ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig @@ -85,7 +85,7 @@ - name: Ensure sudo commands are absent in existing sudocmdgroup ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig 
@@ -97,7 +97,7 @@ - name: Ensure sudo commands are absent in existing sudocmdgroup, again ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig @@ -109,7 +109,7 @@ - name: Ensure sudo commands are present in sudocmdgroup ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig @@ -121,7 +121,7 @@ - name: Ensure one sudo command is not present in sudocmdgroup ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig @@ -132,7 +132,7 @@ - name: Ensure one sudo command is present in sudocmdgroup ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/ifconfig @@ -143,7 +143,7 @@ - name: Ensure the other sudo command is not present in sudocmdgroup ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/iwlist @@ -154,7 +154,7 @@ - name: Ensure the other sudo commandsis not present in sudocmdgroup, again ipasudocmdgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: network sudocmd: - /usr/sbin/iwlist diff --git a/tests/sudorule/test_sudorule.yml b/tests/sudorule/test_sudorule.yml index 88ed90abdabb5797e43357ef482e74389769b21a..0c4aef7f5ceeaae978bf30021f4dc612352971b0 100644 --- a/tests/sudorule/test_sudorule.yml +++ b/tests/sudorule/test_sudorule.yml @@ -1,6 +1,6 @@ --- -- name: Tests +- name: Test sudorule hosts: ipaserver become: true gather_facts: false 
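Review bot: in the last hunk of tests/sudocmdgroup/test_sudocmdgroup.yml (@@ -154,7 +154,7 @@) the context line still reads "Ensure the other sudo commandsis not present in sudocmdgroup, again"; since the task is being edited anyway, fix the name to "command is".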
@@ -9,22 +9,29 @@ - name: Ensure hostgroup is present, with a host. ipahostgroup: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: cluster host: - "{{ groups.ipaserver[0] }}" - name: Ensure some sudocmds are available ipasudocmd: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: - /sbin/ifconfig - /usr/bin/vim state: present + - name: Ensure sudocmdgroup is available + ipasudocmdgroup: + ipaadmin_password: SomeADMINpassword + name: test_sudorule + sudocmd: /usr/bin/vim + state: present + - name: Ensure sudorules are absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: - testrule1 - allusers @@ -34,21 +41,21 @@ - name: Ensure sudorule is present ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 register: result failed_when: not result.changed - name: Ensure sudorule is present again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 register: result failed_when: result.changed - name: Ensure sudorule is present, runAsUserCategory. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 runAsUserCategory: all register: result @@ -56,7 +63,7 @@ - name: Ensure sudorule is present, with usercategory 'all' ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allusers usercategory: all register: result @@ -64,7 +71,7 @@ - name: Ensure sudorule is present, with usercategory 'all', again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allusers usercategory: all register: result @@ -72,7 +79,7 @@ - name: Ensure sudorule is present, with hostategory 'all' ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allhosts hostcategory: all register: result 
@@ -80,7 +87,7 @@ - name: Ensure sudorule is present, with hostategory 'all', again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allhosts hostcategory: all register: result @@ -88,13 +95,13 @@ - name: Ensure sudorule is disabled ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 state: disabled - name: Ensure sudorule is disabled, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 state: disabled register: result @@ -102,7 +109,7 @@ - name: Ensure sudorule is enabled ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 state: enabled register: result 
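Review bot: the hunks at @@ -72,7 +79,7 @@ and @@ -80,7 +87,7 @@ in tests/sudorule/test_sudorule.yml edit tasks whose names misspell the parameter as "hostategory" ("with hostategory 'all'"); change both to "hostcategory" so the task name matches the `hostcategory: all` key set right below it.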
@@ -110,37 +117,77 @@ - name: Ensure sudorule is enabled, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 state: enabled register: result failed_when: result.changed - - name: Ensure sudorule is present and some sudocmd are a member of it. + - name: Ensure sudorule is present and some sudocmd are allowed. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig - - /usr/bin/vim action: member register: result failed_when: not result.changed - - name: Ensure sudorule is present and some sudocmd are a member of it, again. + - name: Ensure sudorule is present and some sudocmd are allowed, again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 - cmd: + allow_sudocmd: - /sbin/ifconfig + action: member + register: result + failed_when: result.changed + + - name: Ensure sudorule is present and some sudocmd are denyed. + ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + deny_sudocmd: - /usr/bin/vim action: member register: result + failed_when: not result.changed + + - name: Ensure sudorule is present and some sudocmd are denyed, again. + ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + deny_sudocmd: + - /usr/bin/vim + action: member + register: result + failed_when: result.changed + + - name: Ensure sudorule is present and, sudocmds are absent. + ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + allow_sudocmd: /sbin/ifconfig + deny_sudocmd: /usr/bin/vim + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present and, sudocmds are absent, again. 
+ ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + allow_sudocmd: /sbin/ifconfig + deny_sudocmd: /usr/bin/vim + action: member + state: absent + register: result failed_when: result.changed - name: Ensure sudorule is present with cmdcategory 'all'. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allcommands cmdcategory: all register: result @@ -148,7 +195,7 @@ - name: Ensure sudorule is present with cmdcategory 'all', again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allcommands cmdcategory: all register: result @@ -156,7 +203,7 @@ - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 host: "{{ groups.ipaserver[0] }}" action: member @@ -165,7 +212,7 @@ - name: Ensure host "{{ groups.ipaserver[0] }}" is present in sudorule, again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 host: "{{ groups.ipaserver[0] }}" action: member @@ -174,7 +221,7 @@ - name: Ensure hostgroup is present in sudorule. ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 hostgroup: cluster action: member 
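Review bot: in hunk @@ -110,37 +117,77 @@ of tests/sudorule/test_sudorule.yml the two new deny tasks are named "some sudocmd are denyed" and the two after them misplace the comma ("Ensure sudorule is present and, sudocmds are absent."); rename to "denied" and "Ensure sudorule is present and sudocmds are absent". The same hunk also drops `/usr/bin/vim` from `allow_sudocmd` and re-adds it under `deny_sudocmd` before the final task removes both, which is easy to misread as a lost test case; a one-line comment saying the command is deliberately moved from allow to deny would help.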
@@ -183,32 +230,84 @@ - name: Ensure hostgroup is present in sudorule, again. ipasudorule: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: testrule1 hostgroup: cluster action: member register: result failed_when: result.changed - - name: Ensure sudorule sudocmds are absent + - name: Ensure sudorule is present, with an allow_sudocmdgroup. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 - cmd: - - /sbin/ifconfig - - /usr/bin/vim + allow_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present, with an allow_sudocmdgroup, again. + ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + allow_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: result.changed + + - name: Ensure sudorule is present, but allow_sudocmdgroup is absent. + ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + allow_sudocmdgroup: test_sudorule action: member state: absent register: result failed_when: not result.changed - - name: Ensure sudorule sudocmds are absent, again + - name: Ensure sudorule is present, but allow_sudocmdgroup is absent. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 - cmd: - - /sbin/ifconfig - - /usr/bin/vim + allow_sudocmdgroup: test_sudorule + action: member + state: absent + register: result + failed_when: result.changed + + - name: Ensure sudorule is present, with an deny_sudocmdgroup. + ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + deny_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present, with an deny_sudocmdgroup, again. 
+ ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + deny_sudocmdgroup: test_sudorule + state: present + register: result + failed_when: result.changed + + - name: Ensure sudorule is present, but deny_sudocmdgroup is absent. + ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + deny_sudocmdgroup: test_sudorule + action: member + state: absent + register: result + failed_when: not result.changed + + - name: Ensure sudorule is present, but deny_sudocmdgroup is absent, again. + ipasudorule: + ipaadmin_password: SomeADMINpassword + name: testrule1 + deny_sudocmdgroup: test_sudorule action: member state: absent register: result @@ -216,7 +315,7 @@ - name: Ensure sudorule is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 state: absent register: result @@ -224,7 +323,7 @@ - name: Ensure sudorule is absent, again. ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: testrule1 state: absent register: result @@ -232,7 +331,7 @@ - name: Ensure sudorule allhosts is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allhosts state: absent register: result @@ -240,7 +339,7 @@ - name: Ensure sudorule allhosts is absent, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allhosts state: absent register: result @@ -248,7 +347,7 @@ - name: Ensure sudorule allusers is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allusers state: absent register: result @@ -256,7 +355,7 @@ - name: Ensure sudorule allusers is absent, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allusers state: absent register: result 
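Review bot: in hunk @@ -183,32 +230,84 @@ of tests/sudorule/test_sudorule.yml the idempotency check that follows "Ensure sudorule is present, but allow_sudocmdgroup is absent." reuses the identical task name; append ", again." as every other repeated check in this file does, so the two can be told apart in the run log. Two task names also read "with an deny_sudocmdgroup"; change to "a deny_sudocmdgroup".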
@@ -264,7 +363,7 @@ - name: Ensure sudorule allcommands is absent ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allcommands state: absent register: result @@ -272,8 +371,29 @@ - name: Ensure sudorule allcommands is absent, again ipasudorule: - ipaadmin_password: pass1234 + ipaadmin_password: SomeADMINpassword name: allcommands state: absent register: result failed_when: result.changed + + # cleanup + - name : Ensure sudocmdgroup is absent + ipasudocmdgroup: + ipaadmin_password: SomeADMINpassword + name: test_sudorule + state: absent + + - name: Ensure hostgroup is absent. + ipahostgroup: + ipaadmin_password: SomeADMINpassword + name: cluster + state: absent + + - name: Ensure sudocmds are absent + ipasudocmd: + ipaadmin_password: SomeADMINpassword + name: + - /sbin/ifconfig + - /usr/bin/vim + state: absent diff --git a/tests/user/test_user.yml b/tests/user/test_user.yml index c172049fa8126d4ac53fce42c98d8de20860e3d7..541ea7cfd151e39a2ae729fd53d73f615fd93020 100644 --- a/tests/user/test_user.yml +++ b/tests/user/test_user.yml @@ -1,5 +1,5 @@ --- -- name: Tests +- name: Test user hosts: ipaserver become: true gather_facts: false diff --git a/tests/user/test_user_random.yml b/tests/user/test_user_random.yml index 47e4a35099f672c8cb120f8fb7d2c2500cad4073..44b9373aa1475f6bb29c1eb615752f4442726d08 100644 --- a/tests/user/test_user_random.yml +++ b/tests/user/test_user_random.yml @@ -6,7 +6,7 @@ tasks: - name: Users user1 and user2 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - user1 - user2 @@ -14,7 +14,7 @@ - name: User user1 present with random password ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: user1 first: first1 last: last1 
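Review bot: in the cleanup hunk @@ -272,8 +371,29 @@ of tests/sudorule/test_sudorule.yml the first added task is written `- name : Ensure sudocmdgroup is absent` with a space before the colon; YAML still parses the key as `name`, but yamllint flags it and it differs from every other task in the file, so write it as `- name: Ensure sudocmdgroup is absent`.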
@@ -30,14 +30,14 @@ - name: User user1 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - user1 state: absent - name: Users user1 and user1 present with random password ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword users: - name: user1 first: first1 @@ -63,7 +63,7 @@ - name: Users user1 and user2 absent ipauser: - ipaadmin_password: MyPassword123 + ipaadmin_password: SomeADMINpassword name: - user1 - user2 diff --git a/tests/user/test_users.yml b/tests/user/test_users.yml index 129594d380772873944873b0c992a98a19cc335e..d66115cb36f637a2eafec6cb0c625f9b0bbd0872 100644 --- a/tests/user/test_users.yml +++ b/tests/user/test_users.yml @@ -1,5 +1,5 @@ --- -- name: Tests +- name: Test users hosts: ipaserver become: true gather_facts: false diff --git a/tests/user/test_users_absent.yml b/tests/user/test_users_absent.yml index eaab27f7a1ee79cc4cc97eefc1a8eccd7a3b0471..1611c6d3f29d18da8b4d74fcf02ef8a41f4947d9 100644 --- a/tests/user/test_users_absent.yml +++ b/tests/user/test_users_absent.yml @@ -1,5 +1,5 @@ --- -- name: Tests +- name: Test users absent hosts: ipaserver become: true gather_facts: false diff --git a/tests/user/test_users_present.yml b/tests/user/test_users_present.yml index 370b1372e27b866aa356314f9160fb2ff45bd24c..9489c0d30cf8f36190f00cd15299cb06dc1a315a 100644 --- a/tests/user/test_users_present.yml +++ b/tests/user/test_users_present.yml @@ -1,5 +1,5 @@ --- -- name: Tests +- name: Test users present hosts: ipaserver become: true gather_facts: false diff --git a/tests/user/test_users_present_slice.yml b/tests/user/test_users_present_slice.yml index 8c6524d8f1385ecc90b48ee2b5b36d9375dc6b59..f6e6710605c3b0fa792a9afe4bd840c7e50c65ea 100644 --- a/tests/user/test_users_present_slice.yml +++ b/tests/user/test_users_present_slice.yml @@ -1,5 +1,5 @@ --- -- name: Tests +- name: Test users present slice hosts: ipaserver become: true gather_facts: false 
diff --git a/tests/vault/test_vault.yml b/tests/vault/test_vault.yml new file mode 100644 index 0000000000000000000000000000000000000000..5b467f61f9e10069563ad9297f3341fb59757eca --- /dev/null +++ b/tests/vault/test_vault.yml 
@@ -0,0 +1,562 @@ +--- + +- name: Test vault + hosts: ipaserver + become: true + gather_facts: false + + tasks: + + - name: Ensure user vaults are absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: + - stdvault + - symvault + - asymvault + username: user01 + state: absent + + - name: Ensure test users do not exist. + ipauser: + ipaadmin_password: SomeADMINpassword + name: + - user01 + - user02 + - user03 + state: absent + + - name: Ensure test groups do not exist. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: vaultgroup + state: absent + + - name: Ensure vaultgroup exists. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: vaultgroup + + - name: Ensure user01 exists. + ipauser: + ipaadmin_password: SomeADMINpassword + name: user01 + first: First + last: Start + + - name: Ensure user02 exists. + ipauser: + ipaadmin_password: SomeADMINpassword + name: user02 + first: Second + last: Middle + + - name: Ensure user03 exists. + ipauser: + ipaadmin_password: SomeADMINpassword + name: user03 + first: Third + last: Last + + - name: Ensure shared vaults are absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: sharedvault + shared: True + state: absent + + - name: Ensure service vaults are absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: svcvault + service: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + + - name: Ensure symmetric vault is present + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: user01 + vault_password: MyVaultPassword123 + vault_type: symmetric + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is present, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: user01 + vault_password: MyVaultPassword123 + vault_type: symmetric + register: result + failed_when: result.changed + + - name: Archive data to symmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + 
username: user01 + vault_password: MyVaultPassword123 + vault_data: Hello World. + action: member + register: result + failed_when: not result.changed + + - name: Archive data with non-ASCII characters to symmetric vault + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: user01 + vault_password: MyVaultPassword123 + vault_data: The world of π is half rounded. + action: member + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: user01 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure symmetric vault is absent, again + ipavault: + ipaadmin_password: SomeADMINpassword + name: symvault + username: user01 + state: absent + register: result + failed_when: result.changed + + - name: Ensure asymmetric vault is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + username: user01 + description: A symmetric private vault. + vault_public_key: + LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR + HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi + 9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM + 295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV + bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk + tLS0tLQo= + vault_type: asymmetric + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is present, again. 
+ ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + username: user01 + vault_public_key: + LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlHZk1BMEdDU3FHU0liM0RRRUJBUVVBQTR + HTkFEQ0JpUUtCZ1FDdGFudjRkK3ptSTZ0T3ova1RXdGowY3AxRAowUENoYy8vR0pJMTUzTi + 9CN3UrN0h3SXlRVlZoNUlXZG1UcCtkWXYzd09yeVpPbzYvbHN5eFJaZ2pZRDRwQ3VGCjlxM + 295VTFEMnFOZERYeGtSaFFETXBiUEVSWWlHbE1jbzdhN0hIVDk1bGNQbmhObVFkb3VGdHlV + bFBUVS96V1kKZldYWTBOeU1UbUtoeFRseUV3SURBUUFCCi0tLS0tRU5EIFBVQkxJQyBLRVk + tLS0tLQo= + vault_type: asymmetric + register: result + failed_when: result.changed + + - name: Archive data in asymmetric vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + username: user01 + vault_data: Hello World. + action: member + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + username: user01 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure asymmetric vault is absent, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: asymvault + username: user01 + state: absent + register: result + failed_when: result.changed + + - name: Ensure standard vault is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + vault_type: standard + username: user01 + description: A standard private vault. + register: result + failed_when: not result.changed + + - name: Ensure standard vault is present, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + vault_type: standard + description: A standard private vault. + register: result + failed_when: result.changed + + - name: Archive data in standard vault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + vault_data: Hello World. + action: member + register: result + failed_when: not result.changed + + - name: Ensure standard vault member user is present. 
+ ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + users: + - user02 + register: result + failed_when: not result.changed + + - name: Ensure standard vault member user is present, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + users: + - user02 + register: result + failed_when: result.changed + + - name: Ensure more vault member users are present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + users: + - user01 + - user02 + register: result + failed_when: not result.changed + + - name: Ensure vault member user is still present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + users: + - user02 + register: result + failed_when: result.changed + + - name: Ensure vault users are absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + users: + - user01 + - user02 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault users are absent, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + users: + - user01 + - user02 + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault user is absent, once more. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + users: + - user01 + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault member group is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + groups: vaultgroup + register: result + failed_when: not result.changed + + - name: Ensure vault member group is present, again. 
+ ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + groups: vaultgroup + register: result + failed_when: result.changed + + - name: Ensure vault member group is absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + groups: vaultgroup + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault member group is absent, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + action: member + groups: vaultgroup + state: absent + register: result + failed_when: result.changed + + - name: Ensure vault is absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault is absent, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + state: absent + register: result + failed_when: result.changed + + - name: Ensure shared vault is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: sharedvault + shared: True + ipavaultpassword: MyVaultPassword123 + register: result + failed_when: not result.changed + + - name: Ensure shared vault is absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: sharedvault + shared: True + state: absent + register: result + failed_when: not result.changed + + - name: Ensure service vault is present. + ipavault: + ipaadmin_password: SomeADMINpassword + name: svcvault + ipavaultpassword: MyVaultPassword123 + service: "HTTP/{{ groups.ipaserver[0] }}" + register: result + failed_when: not result.changed + + - name: Ensure service vault is absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: svcvault + service: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + register: result + failed_when: not result.changed + + - name: Ensure vault is present, with members. 
+ ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + vault_type: standard + users: + - user02 + - user03 + groups: + - vaultgroup + register: result + failed_when: not result.changed + + - name: Ensure vault is present, with members, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + vault_type: standard + users: + - user02 + - user03 + groups: + - vaultgroup + register: result + failed_when: result.changed + + - name: Ensure user02 is not a member of vault stdvault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + users: user02 + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure user02 is not a member of vault stdvault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + users: user02 + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure user02 is a member of vault stdvault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + users: user02 + action: member + register: result + failed_when: not result.changed + + - name: Ensure user02 is a member of vault stdvault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + users: user03 + action: member + register: result + failed_when: result.changed + + - name: Ensure user03 owns vault stdvault. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + owners: user03 + action: member + register: result + failed_when: not result.changed + + - name: Ensure user03 owns vault stdvault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + owners: user03 + action: member + register: result + failed_when: result.changed + + - name: Ensure user03 is not owner of stdvault. 
+ ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + owners: user03 + state: absent + action: member + register: result + failed_when: not result.changed + + - name: Ensure user03 is not owner of stdvault, again. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + owners: user03 + state: absent + action: member + register: result + failed_when: result.changed + + - name: Ensure vault is absent. + ipavault: + ipaadmin_password: SomeADMINpassword + name: stdvault + username: user01 + state: absent + + # cleaup + - name: Ensure test vaults are absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: + - stdvault + - symvault + - asymvault + username: user01 + state: absent + + - name: Ensure shared vaults are absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: sharedvault + shared: True + state: absent + + - name: Ensure service vaults are absent + ipavault: + ipaadmin_password: SomeADMINpassword + name: svcvault + service: "HTTP/{{ groups.ipaserver[0] }}" + state: absent + + - name: Ensure test users do not exist. + ipauser: + ipaadmin_password: SomeADMINpassword + name: + - user01 + - user02 + - user03 + state: absent + + - name: Ensure test groups do not exist. + ipagroup: + ipaadmin_password: SomeADMINpassword + name: vaultgroup + state: absent diff --git a/utils/build-galaxy-release.sh b/utils/build-galaxy-release.sh index 4f4597e2e735868a6da131779c021fb9865bc6a2..fc6bcdd6a0b0af06f81bbe92dc964ef94e850eab 100644 --- a/utils/build-galaxy-release.sh +++ b/utils/build-galaxy-release.sh @@ -35,7 +35,7 @@ done #git diff -mazer build +ansible-galaxy collection build rm plugins/module_utils/ansible_ipa_* rm plugins/modules/ipaserver_*
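Review bot: in tests/vault/test_vault.yml the task "Ensure user02 is a member of vault stdvault, again." sets `users: user03` instead of `user02`, so the check passes only because user03 was already a member from the "with members" task and the user02 idempotency case is never exercised; change it to `users: user02`. Smaller points in the same hunk: the description on "Ensure asymmetric vault is present." reads "A symmetric private vault."; the shared and service vault tasks use `ipavaultpassword:` while every other task uses `vault_password:` (acceptable only if the former is a documented alias, otherwise pick one spelling); `vault_public_key` is given as a multi-line plain scalar, which YAML folds with a space between the chunks, so either confirm the module's base64 decoding tolerates embedded whitespace or put the value on one line; and the comment `# cleaup` should read `# cleanup`.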
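Review bot: in utils/build-galaxy-release.sh, `ansible-galaxy collection build` needs a galaxy.yml in the working directory, and the two `rm plugins/...` lines that follow run regardless of the build's exit status, so a failed build would still delete the generated module files; unless the script runs under `set -e` (not visible in this hunk), chain the build and the removals with `&&` or test the exit status, and drop the dead `#git diff` comment above the change while here.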