diff --git a/README-config.md b/README-config.md
index 608df548f5f432f7e44c6adbfce3f80502463ddc..ee96981673d43917c726938f6e221baad6dfcfb9 100644
--- a/README-config.md
+++ b/README-config.md
@@ -90,25 +90,27 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
-`maxusername` \| `ipamaxusernamelength` |  Set the maximum username length (1 to 255) | false
-`homedirectory` \| `ipahomesrootdir` |  Set the default location of home directories | false
-`defaultshell` \| `ipadefaultloginshell` |  Set the default shell for new users | false
-`defaultgroup` \| `ipadefaultprimarygroup` |  Set the default group for new users | false
+`maxusername` \| `ipamaxusernamelength` |  Set the maximum username length (1 to 255) | no
+`maxhostname` \| `ipamaxhostnamelength` |  Set the maximum hostname length between 64-255 | no
+`homedirectory` \| `ipahomesrootdir` |  Set the default location of home directories | no
+`defaultshell` \| `ipadefaultloginshell` |  Set the default shell for new users | no
+`defaultgroup` \| `ipadefaultprimarygroup` |  Set the default group for new users | no
 `emaildomain`\| `ipadefaultemaildomain`  |  Set the default e-mail domain | false
-`searchtimelimit` \| `ipasearchtimelimit` |  Set maximum amount of time (seconds) for a search -1 to 2147483647 (-1 or 0 is unlimited) | false
-`searchrecordslimit` \| `ipasearchrecordslimit` |  Set maximum number of records to search -1 to 2147483647 (-1 or 0 is unlimited) | false
-`usersearch` \| `ipausersearchfields` |  Set list of fields to search when searching for users | false
-`groupsearch` \| `ipagroupsearchfields` |  Set list of fields to search in when searching for groups | false
-`enable_migration` \| `ipamigrationenabled` |  Enable migration mode (choices: True, False ) | false
-`groupobjectclasses` \| `ipagroupobjectclasses` |  Set default group objectclasses (list) | false
-`userobjectclasses` \| `ipauserobjectclasses` |  Set default user objectclasses (list) | false
-`pwdexpnotify` \| `ipapwdexpadvnotify` |  Set number of days's notice of impending password expiration (0 to 2147483647) | false
-`configstring` \| `ipaconfigstring` |  Set extra hashes to generate in password plug-in (choices:`AllowNThash`, `KDC:Disable Last Success`, `KDC:Disable Lockout`, `KDC:Disable Default Preauth for SPNs`) | false
-`selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | false
-`selinuxusermapdefault`\| `ipaselinuxusermapdefault` |  Set default SELinux user when no match is found in SELinux map rule | false
-`pac_type` \| `ipakrbauthzdata` |  set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`)
-`user_auth_type` \| `ipauserauthtype` |  set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`) | false
-`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | false
+`searchtimelimit` \| `ipasearchtimelimit` |  Set maximum amount of time (seconds) for a search -1 to 2147483647 (-1 or 0 is unlimited) | no
+`searchrecordslimit` \| `ipasearchrecordslimit` |  Set maximum number of records to search -1 to 2147483647 (-1 or 0 is unlimited) | no
+`usersearch` \| `ipausersearchfields` |  Set list of fields to search when searching for users | no
+`groupsearch` \| `ipagroupsearchfields` |  Set list of fields to search in when searching for groups | no
+`enable_migration` \| `ipamigrationenabled` |  Enable migration mode (choices: True, False ) | no
+`groupobjectclasses` \| `ipagroupobjectclasses` |  Set default group objectclasses (list) | no
+`userobjectclasses` \| `ipauserobjectclasses` |  Set default user objectclasses (list) | no
+`pwdexpnotify` \| `ipapwdexpadvnotify` |  Set number of days's notice of impending password expiration (0 to 2147483647) | no
+`configstring` \| `ipaconfigstring` |  Set extra hashes to generate in password plug-in (choices:`AllowNThash`, `KDC:Disable Last Success`, `KDC:Disable Lockout`, `KDC:Disable Default Preauth for SPNs`). Use `""` to clear this variable. | no
+`selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no
+`selinuxusermapdefault`\| `ipaselinuxusermapdefault` |  Set default SELinux user when no match is found in SELinux map rule | no
+`pac_type` \| `ipakrbauthzdata` |  set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no
+`user_auth_type` \| `ipauserauthtype` |  set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
+`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
+`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
 
 
 Return Values
@@ -117,6 +119,8 @@ Return Values
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `config` | config dict <br />Fields: | No values to configure are specified
+&nbsp; | `maxusername` | &nbsp;
+&nbsp; | `maxhostname` | &nbsp;
 &nbsp; | `homedirectory` | &nbsp;
 &nbsp; | `defaultshell` | &nbsp;
 &nbsp; | `defaultgroup` | &nbsp;
@@ -130,14 +134,14 @@ Variable | Description | Returned When
 &nbsp; | `userobjectclasses` | &nbsp;
 &nbsp; | `pwdexpnotify` | &nbsp;
 &nbsp; | `configstring` | &nbsp;
-&nbsp; | `selinuxusermaporder` | &nbsp;
 &nbsp; | `selinuxusermapdefault` | &nbsp;
+&nbsp; | `selinuxusermaporder` | &nbsp;
 &nbsp; | `pac_type` | &nbsp;
 &nbsp; | `user_auth_type` | &nbsp;
 &nbsp; | `domain_resolution_order` | &nbsp;
+&nbsp; | `ca_renewal_master_server` | &nbsp;
 
-
-All returned fields take the same form as their namesake input parameters 
+All returned fields take the same form as their namesake input parameters
 
 Authors
 =======
diff --git a/playbooks/config/retrieve-config.yml b/playbooks/config/retrieve-config.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7f05e802e2730a7d6cf83e02dbd1c4f91ed766fc
--- /dev/null
+++ b/playbooks/config/retrieve-config.yml
@@ -0,0 +1,14 @@
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: Query IPA global configuration
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+    register: serverconfig
+
+  - debug:
+      msg: "{{ serverconfig }}"
diff --git a/playbooks/config/set-ca-renewal-master-server.yml b/playbooks/config/set-ca-renewal-master-server.yml
new file mode 100644
index 0000000000000000000000000000000000000000..128ac8d96a9c2f74fbecf6518e33a69dbe50d206
--- /dev/null
+++ b/playbooks/config/set-ca-renewal-master-server.yml
@@ -0,0 +1,11 @@
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: no
+  gather_facts: no
+
+  tasks:
+  - name: set ca_renewal_master_server
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      ca_renewal_master_server: carenewal.example.com
diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
index d4383adcb17716e0a8c66b002d3bef9acaadcb40..41a6d0a877a177bd30ecc312534c51dbe66dbe1f 100644
--- a/plugins/modules/ipaconfig.py
+++ b/plugins/modules/ipaconfig.py
@@ -45,6 +45,10 @@ options:
         description: Set the maximum username length between 1-255
         required: false
         aliases: ['ipamaxusernamelength']
+    maxhostname:
+        description: Set the maximum hostname length between 64-255
+        required: false
+        aliases: ['ipamaxhostnamelength']
     homedirectory:
         description: Set the default location of home directories
         required: false
@@ -87,7 +91,7 @@ options:
         description: Enable migration mode
         type: bool
         required: false
-        aliases: ['enable-migration','ipamigrationenabled']
+        aliases: ['ipamigrationenabled']
     groupobjectclasses:
         description: Set default group objectclasses (comma-separated list)
         required: false
@@ -113,6 +117,7 @@ options:
         - "KDC:Disable Last Success"
         - "KDC:Disable Lockout"
         - "KDC:Disable Default Preauth for SPNs"
+        - ""
         aliases: ['ipaconfigstring']
     selinuxusermaporder:
         description: Set order in increasing priority of SELinux users
@@ -127,21 +132,23 @@ options:
         description: set default types of PAC supported for services
         required: false
         type: list
-        choices: ["MS-PAC", "PAD", "nfs:NONE"]
-        aliases: ["pac-type","ipakrbauthzdata"]
+        choices: ["MS-PAC", "PAD", "nfs:NONE", ""]
+        aliases: ["ipakrbauthzdata"]
     user_auth_type:
         description: set default types of supported user authentication
         required: false
         type: list
-        choices: ["password", "radius", "otp", "disabled"]
-        aliases: ["user-auth_type","user-auth-type","ipauserauthtype"]
+        choices: ["password", "radius", "otp", "disabled", ""]
+        aliases: ["ipauserauthtype"]
+    ca_renewal_master_server:
+        description: Renewal master for IPA certificate authority.
+        required: false
+        type: string
     domain_resolution_order:
         description: set list of domains used for short name qualification
         required: false
         type: list
-        aliases: ["domain-resolution_order",
-                  "domain-resolution-order",
-                  "ipadomainresolutionorder"]
+        aliases: ["ipadomainresolutionorder"]
 '''
 
 EXAMPLES = '''
@@ -174,6 +181,9 @@ config:
     maxusername:
         description: maximum username length
         returned: always
+    maxhostname:
+        description: maximum hostname length
+        returned: always
     homedirectory:
         description: default location of home directories
         returned: always
@@ -232,6 +242,9 @@ config:
     user_auth_type:
         description: default types of supported user authentication
         returned: always
+    ca_renewal_master_server:
+        description: master for IPA certificate authority.
+        returned: always
     domain_resolution_order:
         description: list of domains used for short name qualification
         returned: always
@@ -242,6 +255,7 @@ from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ansible_freeipa_module import temp_kinit, \
     temp_kdestroy, valid_creds, api_connect, api_command_no_name, \
     compare_args_ipa, module_params_get
+import ipalib.errors
 
 
 def config_show(module):
@@ -267,6 +281,8 @@ def main():
             ipaadmin_password=dict(type="str", required=False, no_log=True),
             maxusername=dict(type="int", required=False,
                              aliases=['ipamaxusernamelength']),
+            maxhostname=dict(type="int", required=False,
+                             aliases=['ipamaxhostnamelength']),
             homedirectory=dict(type="str", required=False,
                                aliases=['ipahomesrootdir']),
             defaultshell=dict(type="str", required=False,
@@ -285,8 +301,7 @@ def main():
             groupsearch=dict(type="list", required=False,
                              aliases=['ipagroupsearchfields']),
             enable_migration=dict(type="bool", required=False,
-                                  aliases=['ipamigrationenabled',
-                                           'enable-migration']),
+                                  aliases=['ipamigrationenabled']),
             groupobjectclasses=dict(type="list", required=False,
                                     aliases=['ipagroupobjectclasses']),
             userobjectclasses=dict(type="list", required=False,
@@ -298,22 +313,22 @@ def main():
                               choices=["AllowNThash",
                                        "KDC:Disable Last Success",
                                        "KDC:Disable Lockout",
-                                       "KDC:Disable Default Preauth for SPNs"]), # noqa E128
+                                       "KDC:Disable Default Preauth for SPNs",
+                                       ""]), # noqa E128
             selinuxusermaporder=dict(type="list", required=False,
                                      aliases=['ipaselinuxusermaporder']),
             selinuxusermapdefault=dict(type="str", required=False,
                                        aliases=['ipaselinuxusermapdefault']),
             pac_type=dict(type="list", required=False,
-                          aliases=["ipakrbauthzdata", "pac-type"],
-                          choices=["MS-PAC", "PAD", "nfs:NONE"]),
+                          aliases=["ipakrbauthzdata"],
+                          choices=["MS-PAC", "PAD", "nfs:NONE", ""]),
             user_auth_type=dict(type="list", required=False,
-                                aliases=["ipauserauthtype",
-                                         "user-auth_type",
-                                         "user-auth-type"]),
+                                choices=["password", "radius", "otp",
+                                         "disabled", ""],
+                                aliases=["ipauserauthtype"]),
+            ca_renewal_master_server=dict(type="str", required=False),
             domain_resolution_order=dict(type="list", required=False,
-                                         aliases=["ipadomainresolutionorder",
-                                                  "domain-resolution_order",
-                                                  "domain-resolution-order"])
+                                         aliases=["ipadomainresolutionorder"])
         ),
         supports_check_mode=True,
     )
@@ -330,6 +345,7 @@ def main():
 
     field_map = {
         "maxusername": "ipamaxusernamelength",
+        "maxhostname": "ipamaxhostnamelength",
         "homedirectory": "ipahomesrootdir",
         "defaultshell": "ipadefaultloginshell",
         "defaultgroup": "ipadefaultprimarygroup",
@@ -347,6 +363,7 @@ def main():
         "selinuxusermapdefault": "ipaselinuxusermapdefault",
         "pac_type": "ipakrbauthzdata",
         "user_auth_type": "ipauserauthtype",
+        "ca_renewal_master_server": "ca_renewal_master_server",
         "domain_resolution_order": "ipadomainresolutionorder"
     }
     reverse_field_map = {v: k for k, v in field_map.items()}
@@ -378,22 +395,19 @@ def main():
         params["ipagroupsearchfields"] = \
              ",".join(params["ipagroupsearchfields"])
 
-    if params.get("ipamaxusernamelength", 0) > 255 \
-            or params.get("ipamaxusernamelength", 2) < 1:
-        ansible_module.fail_json(
-            msg="Argument 'maxusername' mustn range 1 to 255")
-
-    for x in ["ipasearchtimelimit",
-              "ipasearchrecordslimit",
-              "ipapwdexpadvnotify"]:
-        if params.get(x, 0) > 2147483647:
+    # verify limits on INT values.
+    args_with_limits = [
+        ("ipamaxusernamelength", 1, 255),
+        ("ipamaxhostnamelength", 64, 255),
+        ("ipasearchtimelimit", -1, 2147483647),
+        ("ipasearchrecordslimit", -1, 2147483647),
+        ("ipapwdexpadvnotify", 0, 2147483647),
+    ]
+    for arg, min, max in args_with_limits:
+        if arg in params and (params[arg] > max or params[arg] < min):
             ansible_module.fail_json(
-                msg="Argument '%s' has a maximum value of 2147483647" % (x))
-
-    for x in ["ipasearchtimelimit", "ipasearchrecordslimit"]:
-        if params.get(x, 0) < -2147483648:
-            ansible_module.fail_json(
-                msg="Argument '%s' has  minimum value of -2147483648" % (x))
+                msg="Argument '%s' must be between %d and %d."
+                    % (arg, min, max))
 
     changed = False
     exit_args = {}
@@ -405,10 +419,14 @@ def main():
             ccache_dir, ccache_name = temp_kinit(ipaadmin_principal,
                                                  ipaadmin_password)
         api_connect()
-
-        if params.keys():
+        if params:
             res_show = config_show(ansible_module)
-            if not compare_args_ipa(ansible_module, params, res_show):
+            params = {
+                k: v for k, v in params.items()
+                if k not in res_show or res_show[k] != v
+            }
+            if params \
+               and not compare_args_ipa(ansible_module, params, res_show):
                 changed = True
                 api_command_no_name(ansible_module, "config_mod", params)
 
@@ -445,7 +463,8 @@ def main():
                         exit_args[k] = (v[0] == "TRUE")
                     else:
                         exit_args[k] = v
-
+    except ipalib.errors.EmptyModlist:
+        changed = False
     except Exception as e:
         ansible_module.fail_json(msg="%s %s" % (params, str(e)))
 
diff --git a/tests/config/test_config.yml b/tests/config/test_config.yml
index efa169de3e6213b174db7bbc458a14d59c000c62..c288e45197c749756dd1c46395edac3ca40299c2 100644
--- a/tests/config/test_config.yml
+++ b/tests/config/test_config.yml
@@ -5,6 +5,7 @@
   gather_facts: false
 
   tasks:
+  # Retrieve current configuration.
   - name: return current values of the global configuration options
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
@@ -13,131 +14,375 @@
   - debug:
       msg: "{{previousconfig}}"
 
-  - name: set default shell to default value
+  # setup environment.
+  - name: create test group
+    ipagroup:
+      ipaadmin_password: 'SomeADMINpassword'
+      name: somedefaultgroup
+
+  - name: Ensure the default e-mail domain is ipa.test.
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      emaildomain: ipa.test
+
+  - name: set default shell to '/bin/sh'
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
       defaultshell: /bin/sh
+
+  - name: set default group
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      defaultgroup: ipausers
+
+  - name: set default home directory
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      homedirectory: /home
+
+  - name: clear pac-type
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      pac_type: ""
+
+  - name: set maxusername to 255
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      maxusername: 255
+
+  - name: set maxhostname to 255
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      maxhostname: 255
+
+  - name: set pwdexpnotify to 0
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      pwdexpnotify: 0
+
+  - name: set searchrecordslimit to 10
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      searchrecordslimit: 10
+
+  - name: set searchtimelimit to 1
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      searchtimelimit: 1
+
+  - name: clear configstring
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      configstring: ""
+
+  - name: set configstring to AllowNThash
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      configstring: 'KDC:Disable Lockout'
+
+  - name: set selinuxusermapdefault
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      selinuxusermapdefault: "staff_u:s0-s0:c0.c1023"
+
+  - name: set selinuxusermaporder
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023'
+
+  - name: set usersearch to `uid`
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      usersearch: uid
+
+  - name: set groupsearch to `cn`
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      groupsearch: cn
+
+  # tests
+  - name: Ensure the default e-mail domain is somedomain.test.
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      emaildomain: somedomain.test
+    register: result
+    failed_when: not result.changed
+
+  - name: Ensure the default e-mail domain is somedomain.test, again.
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      emaildomain: somedomain.test
     register: result
     failed_when: result.changed
 
-  - name: set default shell to new value
+  - name: set default shell to '/bin/someshell'
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
-      defaultshell: /bin/bash
+      defaultshell: /bin/someshell
     register: result
     failed_when: not result.changed
 
-  - name: check default shell is changed
+  - name: set default shell to '/bin/someshell', again.
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
-      defaultshell: /bin/bash
+      defaultshell: /bin/someshell
     register: result
     failed_when: result.changed
 
-  - name: reset default shell to old value
+  - name: set default group
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
-      defaultshell: '{{previousconfig.config.defaultshell }}'
+      defaultgroup: somedefaultgroup
     register: result
     failed_when: not result.changed
 
-  - name: check default shell is reset
+  - name: set default group
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
-      defaultshell: '{{previousconfig.config.defaultshell }}'
+      defaultgroup: somedefaultgroup
     register: result
     failed_when: result.changed
 
-  - name: Ensure the default e-mail domain is ansible.com.
+  - name: set default home directory
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
-      emaildomain: ansible.com
+      homedirectory: /Users
     register: result
     failed_when: not result.changed
 
-  - name: Ensure the default e-mail domain is set
+  - name: set default home directory
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
-      emaildomain: ansible.com
+      homedirectory: /Users
     register: result
     failed_when: result.changed
 
-  - name: reset default e-mail domain
+  - name: set pac-type
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
-      emaildomain: '{{previousconfig.config.emaildomain }}'
+      pac_type: "nfs:NONE"
     register: result
     failed_when: not result.changed
 
-  - name: set pac-type
+  - name: set pac-type, again.
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      pac_type: "nfs:NONE"
+    register: result
+    failed_when: result.changed
+
+  - name: set maxusername to 33
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      maxusername: 33
+    register: result
+    failed_when: not result.changed
+
+  - name: set maxusername to 33, again.
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      maxusername: 33
+    register: result
+    failed_when: result.changed
+
+  - name: set maxhostname to 77
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      maxhostname: 77
+    register: result
+    failed_when: not result.changed
+
+  - name: set maxhostname to 77, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      maxhostname: 77
+    register: result
+    failed_when: result.changed
+
+  - name: set pwdexpnotify to 17
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      pwdexpnotify: 17
+    register: result
+    failed_when: not result.changed
+
+  - name: set pwdexpnotify to 17, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      pwdexpnotify: 17
+    register: result
+    failed_when: result.changed
+
+  - name: set searchrecordslimit to -1
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      searchrecordslimit: -1
+    register: result
+    failed_when: not result.changed
+
+  - name: set searchrecordslimit to -1, again.
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      searchrecordslimit: -1
+    register: result
+    failed_when: result.changed
+
+  - name: set searchtimelimit to 12345
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
-      pac_type:
-        - nfs:NONE
+      searchtimelimit: 12345
     register: result
     failed_when: not result.changed
 
-  - name: reset pac-type
+  - name: set searchtimelimit to 12345, again.
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      searchtimelimit: 12345
+    register: result
+    failed_when: result.changed
+
+  - name: change enable_migration
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
-      pac_type: '{{previousconfig.config.pac_type}}'
+      enable_migration: '{{ not previousconfig.config.enable_migration }}'
     register: result
     failed_when: not result.changed
 
-  - name: set usersearch
+  - name: change enable_migration, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      enable_migration: '{{ not previousconfig.config.enable_migration }}'
+    register: result
+    failed_when: result.changed
+
+  - name: set configstring to AllowNThash
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
-      usersearch:
-        - uid
+      configstring: AllowNThash
     register: result
     failed_when: not result.changed
 
-  - name: check usersearch
+  - name: set configstring to AllowNThash, again.
     ipaconfig:
       ipaadmin_password: SomeADMINpassword
-      usersearch:
-        - uid
+      configstring: AllowNThash
+    register: result
+    failed_when: result.changed
+
+  - name: set selinuxusermaporder
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
+    register: result
+    failed_when: not result.changed
+
+  - name: set selinuxusermaporder, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'
+    register: result
+    failed_when: result.changed
+
+  - name: set selinuxusermapdefault
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      selinuxusermapdefault: 'user_u:s0'
+    register: result
+    failed_when: not result.changed
+
+  - name: set selinuxusermapdefault, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      selinuxusermapdefault: 'user_u:s0'
+    register: result
+    failed_when: result.changed
+
+  - name: set groupsearch to `description`
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      groupsearch: description
+    register: result
+    failed_when: not result.changed
+
+  - name: set groupsearch to `gidNumber`, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      groupsearch: description
+    register: result
+    failed_when: result.changed
+
+  - name: set usersearch to `uidNumber`
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      usersearch: uidNumber
+    register: result
+    failed_when: not result.changed
+
+  - name: set usersearch to `uidNumber`, again
+    ipaconfig:
+      ipaadmin_password: SomeADMINpassword
+      usersearch: uidNumber
     register: result
     failed_when: result.changed
 
   - name: reset changed fields
     ipaconfig:
       ipaadmin_password: 'SomeADMINpassword'
-      configstring: '{{previousconfig.config.configstring}}'
-      emaildomain: '{{previousconfig.config.emaildomain}}'
-      defaultshell: '{{previousconfig.config.defaultshell}}'
-      defaultgroup: '{{previousconfig.config.defaultgroup}}'
-      groupsearch: '{{previousconfig.config.groupsearch}}'
-      homedirectory: '{{previousconfig.config.homedirectory}}'
-      pac_type: '{{previousconfig.config.pac_type}}'
-      maxusername: '{{previousconfig.config.maxusername}}'
-      enable_migration: '{{previousconfig.config.enable_migration}}'
-      pwdexpnotify: '{{previousconfig.config.pwdexpnotify}}'
-      searchrecordslimit: '{{previousconfig.config.searchrecordslimit}}'
-      searchtimelimit: '{{previousconfig.config.searchtimelimit}}'
-      selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault}}'
-      selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder}}'
-      usersearch: '{{previousconfig.config.usersearch}}'
-    register: result
-    failed_when: not result.changed
-
-  - name: check reset fields
+      maxusername: '{{previousconfig.config.maxusername | default(omit)}}'
+      maxhostname: '{{previousconfig.config.maxhostname | default(omit)}}'
+      homedirectory: '{{previousconfig.config.homedirectory | default(omit)}}'
+      defaultshell: '{{previousconfig.config.defaultshell | default(omit)}}'
+      defaultgroup: '{{previousconfig.config.defaultgroup | default(omit)}}'
+      emaildomain: '{{previousconfig.config.emaildomain | default(omit)}}'
+      searchtimelimit: '{{previousconfig.config.searchtimelimit | default(omit)}}'
+      searchrecordslimit: '{{previousconfig.config.searchrecordslimit | default(omit)}}'
+      usersearch: '{{previousconfig.config.usersearch | default(omit)}}'
+      groupsearch: '{{previousconfig.config.groupsearch | default(omit)}}'
+      enable_migration: '{{previousconfig.config.enable_migration | default(omit)}}'
+      groupobjectclasses: '{{previousconfig.config.groupobjectclasses | default(omit)}}'
+      userobjectclasses: '{{previousconfig.config.userobjectclasses | default(omit)}}'
+      pwdexpnotify: '{{previousconfig.config.pwdexpnotify | default(omit)}}'
+      configstring: '{{previousconfig.config.configstring | default(omit)}}'
+      selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault | default(omit)}}'
+      selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder | default(omit)}}'
+      pac_type: '{{previousconfig.config.pac_type | default(omit)}}'
+      user_auth_type: '{{previousconfig.config.user_auth_type | default(omit)}}'
+      domain_resolution_order: '{{previousconfig.config.domain_resolution_order | default(omit)}}'
+      ca_renewal_master_server: '{{previousconfig.config.ca_renewal_master_server | default(omit)}}'
+    register: result
+    failed_when: not result.changed
+
+  - name: reset changed fields, again
     ipaconfig:
       ipaadmin_password: 'SomeADMINpassword'
-      configstring: '{{previousconfig.config.configstring}}'
-      emaildomain: '{{previousconfig.config.emaildomain}}'
-      defaultshell: '{{previousconfig.config.defaultshell}}'
-      defaultgroup: '{{previousconfig.config.defaultgroup}}'
-      groupsearch: '{{previousconfig.config.groupsearch}}'
-      homedirectory: '{{previousconfig.config.homedirectory}}'
-      pac_type: '{{previousconfig.config.pac_type}}'
-      maxusername: '{{previousconfig.config.maxusername}}'
-      enable_migration: '{{previousconfig.config.enable_migration}}'
-      pwdexpnotify: '{{previousconfig.config.pwdexpnotify}}'
-      searchrecordslimit: '{{previousconfig.config.searchrecordslimit}}'
-      searchtimelimit: '{{previousconfig.config.searchtimelimit}}'
-      selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault}}'
-      selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder}}'
-      usersearch: '{{previousconfig.config.usersearch}}'
+      maxusername: '{{previousconfig.config.maxusername | default(omit)}}'
+      maxhostname: '{{previousconfig.config.maxhostname | default(omit)}}'
+      homedirectory: '{{previousconfig.config.homedirectory | default(omit)}}'
+      defaultshell: '{{previousconfig.config.defaultshell | default(omit)}}'
+      defaultgroup: '{{previousconfig.config.defaultgroup | default(omit)}}'
+      emaildomain: '{{previousconfig.config.emaildomain | default(omit)}}'
+      searchtimelimit: '{{previousconfig.config.searchtimelimit | default(omit)}}'
+      searchrecordslimit: '{{previousconfig.config.searchrecordslimit | default(omit)}}'
+      usersearch: '{{previousconfig.config.usersearch | default(omit)}}'
+      groupsearch: '{{previousconfig.config.groupsearch | default(omit)}}'
+      enable_migration: '{{previousconfig.config.enable_migration | default(omit)}}'
+      groupobjectclasses: '{{previousconfig.config.groupobjectclasses | default(omit)}}'
+      userobjectclasses: '{{previousconfig.config.userobjectclasses | default(omit)}}'
+      pwdexpnotify: '{{previousconfig.config.pwdexpnotify | default(omit)}}'
+      configstring: '{{previousconfig.config.configstring | default(omit)}}'
+      selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault | default(omit)}}'
+      selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder | default(omit)}}'
+      pac_type: '{{previousconfig.config.pac_type | default(omit)}}'
+      user_auth_type: '{{previousconfig.config.user_auth_type | default(omit)}}'
+      domain_resolution_order: '{{previousconfig.config.domain_resolution_order | default(omit)}}'
+      ca_renewal_master_server: '{{previousconfig.config.ca_renewal_master_server | default(omit)}}'
     register: result
     failed_when: result.changed
+
+  # cleanup
+
+  - name: cleanup test group
+    ipagroup:
+      ipaadmin_password: 'SomeADMINpassword'
+      name: somedefaultgroup
+      state: absent