diff --git a/README-config.md b/README-config.md
index 608df548f5f432f7e44c6adbfce3f80502463ddc..ee96981673d43917c726938f6e221baad6dfcfb9 100644
--- a/README-config.md
+++ b/README-config.md
@@ -90,25 +90,27 @@ Variable | Description | Required -------- | ----------- | -------- `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no -`maxusername` \| `ipamaxusernamelength` | Set the maximum username length (1 to 255) | false -`homedirectory` \| `ipahomesrootdir` | Set the default location of home directories | false -`defaultshell` \| `ipadefaultloginshell` | Set the default shell for new users | false -`defaultgroup` \| `ipadefaultprimarygroup` | Set the default group for new users | false +`maxusername` \| `ipamaxusernamelength` | Set the maximum username length (1 to 255) | no +`maxhostname` \| `ipamaxhostnamelength` | Set the maximum hostname length between 64-255 | no +`homedirectory` \| `ipahomesrootdir` | Set the default location of home directories | no +`defaultshell` \| `ipadefaultloginshell` | Set the default shell for new users | no +`defaultgroup` \| `ipadefaultprimarygroup` | Set the default group for new users | no `emaildomain`\| `ipadefaultemaildomain` | Set the default e-mail domain | false -`searchtimelimit` \| `ipasearchtimelimit` | Set maximum amount of time (seconds) for a search -1 to 2147483647 (-1 or 0 is unlimited) | false -`searchrecordslimit` \| `ipasearchrecordslimit` | Set maximum number of records to search -1 to 2147483647 (-1 or 0 is unlimited) | false -`usersearch` \| `ipausersearchfields` | Set list of fields to search when searching for users | false -`groupsearch` \| `ipagroupsearchfields` | Set list of fields to search in when searching for groups | false -`enable_migration` \| `ipamigrationenabled` | Enable migration mode (choices: True, False ) | false -`groupobjectclasses` \| `ipagroupobjectclasses` | Set default group objectclasses (list) | false -`userobjectclasses` \| `ipauserobjectclasses` | Set default user objectclasses (list) | false -`pwdexpnotify` \| 
`ipapwdexpadvnotify` | Set number of days's notice of impending password expiration (0 to 2147483647) | false -`configstring` \| `ipaconfigstring` | Set extra hashes to generate in password plug-in (choices:`AllowNThash`, `KDC:Disable Last Success`, `KDC:Disable Lockout`, `KDC:Disable Default Preauth for SPNs`) | false -`selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | false -`selinuxusermapdefault`\| `ipaselinuxusermapdefault` | Set default SELinux user when no match is found in SELinux map rule | false -`pac_type` \| `ipakrbauthzdata` | set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`) -`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`) | false -`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | false +`searchtimelimit` \| `ipasearchtimelimit` | Set maximum amount of time (seconds) for a search -1 to 2147483647 (-1 or 0 is unlimited) | no +`searchrecordslimit` \| `ipasearchrecordslimit` | Set maximum number of records to search -1 to 2147483647 (-1 or 0 is unlimited) | no +`usersearch` \| `ipausersearchfields` | Set list of fields to search when searching for users | no +`groupsearch` \| `ipagroupsearchfields` | Set list of fields to search in when searching for groups | no +`enable_migration` \| `ipamigrationenabled` | Enable migration mode (choices: True, False ) | no +`groupobjectclasses` \| `ipagroupobjectclasses` | Set default group objectclasses (list) | no +`userobjectclasses` \| `ipauserobjectclasses` | Set default user objectclasses (list) | no +`pwdexpnotify` \| `ipapwdexpadvnotify` | Set number of days's notice of impending password expiration (0 to 2147483647) | no +`configstring` \| `ipaconfigstring` | Set extra hashes to generate in password plug-in (choices:`AllowNThash`, `KDC:Disable Last Success`, 
`KDC:Disable Lockout`, `KDC:Disable Default Preauth for SPNs`). Use `""` to clear this variable. | no +`selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no +`selinuxusermapdefault`\| `ipaselinuxusermapdefault` | Set default SELinux user when no match is found in SELinux map rule | no +`pac_type` \| `ipakrbauthzdata` | set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no +`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no +`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no +`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no Return Values @@ -117,6 +119,8 @@ Return Values Variable | Description | Returned When -------- | ----------- | ------------- `config` | config dict <br />Fields: | No values to configure are specified + | `maxusername` | + | `maxhostname` | | `homedirectory` | | `defaultshell` | | `defaultgroup` | @@ -130,14 +134,14 @@ Variable | Description | Returned When | `userobjectclasses` | | `pwdexpnotify` | | `configstring` | - | `selinuxusermaporder` | | `selinuxusermapdefault` | + | `selinuxusermaporder` | | `pac_type` | | `user_auth_type` | | `domain_resolution_order` | + | `ca_renewal_master_server` | - -All returned fields take the same form as their namesake input parameters +All returned fields take the same form as their namesake input parameters Authors ======= diff --git a/playbooks/config/retrieve-config.yml b/playbooks/config/retrieve-config.yml new file mode 100644 index 0000000000000000000000000000000000000000..7f05e802e2730a7d6cf83e02dbd1c4f91ed766fc --- /dev/null +++ b/playbooks/config/retrieve-config.yml 
@@ -0,0 +1,14 @@ +--- +- name: Playbook to handle global DNS configuration + hosts: ipaserver + become: no + gather_facts: no + + tasks: + - name: Query IPA global configuration + ipaconfig: + ipaadmin_password: SomeADMINpassword + register: serverconfig + + - debug: + msg: "{{ serverconfig }}" diff --git a/playbooks/config/set-ca-renewal-master-server.yml b/playbooks/config/set-ca-renewal-master-server.yml new file mode 100644 index 0000000000000000000000000000000000000000..128ac8d96a9c2f74fbecf6518e33a69dbe50d206 --- /dev/null +++ b/playbooks/config/set-ca-renewal-master-server.yml @@ -0,0 +1,11 @@ +--- +- name: Playbook to handle global DNS configuration + hosts: ipaserver + become: no + gather_facts: no + + tasks: + - name: set ca_renewal_master_server + ipaconfig: + ipaadmin_password: SomeADMINpassword + ca_renewal_master_server: carenewal.example.com diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py index d4383adcb17716e0a8c66b002d3bef9acaadcb40..41a6d0a877a177bd30ecc312534c51dbe66dbe1f 100644 --- a/plugins/modules/ipaconfig.py +++ b/plugins/modules/ipaconfig.py @@ -45,6 +45,10 @@ options: description: Set the maximum username length between 1-255 required: false aliases: ['ipamaxusernamelength'] + maxhostname: + description: Set the maximum hostname length between 64-255 + required: false + aliases: ['ipamaxhostnamelength'] homedirectory: description: Set the default location of home directories required: false @@ -87,7 +91,7 @@ options: description: Enable migration mode type: bool required: false - aliases: ['enable-migration','ipamigrationenabled'] + aliases: ['ipamigrationenabled'] groupobjectclasses: description: Set default group objectclasses (comma-separated list) required: false @@ -113,6 +117,7 @@ options: - "KDC:Disable Last Success" - "KDC:Disable Lockout" - "KDC:Disable Default Preauth for SPNs" + - "" aliases: ['ipaconfigstring'] selinuxusermaporder: description: Set order in increasing priority of SELinux users 
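Review bot: Both new playbooks carry the name `Playbook to handle global DNS configuration` although neither touches DNS: retrieve-config.yml queries the IPA global configuration and set-ca-renewal-master-server.yml sets `ca_renewal_master_server`, so the names look copied from another playbook. Propose `- name: Playbook to retrieve the IPA global configuration` in retrieve-config.yml and `- name: Playbook to set the CA renewal master server` in set-ca-renewal-master-server.yml. The `- debug:` task in retrieve-config.yml is also the only unnamed task in the file; `- name: Show the retrieved configuration` would match the style of the task above it.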
@@ -127,21 +132,23 @@ options: description: set default types of PAC supported for services required: false type: list - choices: ["MS-PAC", "PAD", "nfs:NONE"] - aliases: ["pac-type","ipakrbauthzdata"] + choices: ["MS-PAC", "PAD", "nfs:NONE", ""] + aliases: ["ipakrbauthzdata"] user_auth_type: description: set default types of supported user authentication required: false type: list - choices: ["password", "radius", "otp", "disabled"] - aliases: ["user-auth_type","user-auth-type","ipauserauthtype"] + choices: ["password", "radius", "otp", "disabled", ""] + aliases: ["ipauserauthtype"] + ca_renewal_master_server: + description: Renewal master for IPA certificate authority. + required: false + type: string domain_resolution_order: description: set list of domains used for short name qualification required: false type: list - aliases: ["domain-resolution_order", - "domain-resolution-order", - "ipadomainresolutionorder"] + aliases: ["ipadomainresolutionorder"] ''' EXAMPLES = ''' @@ -174,6 +181,9 @@ config: maxusername: description: maximum username length returned: always + maxhostname: + description: maximum hostname length + returned: always homedirectory: description: default location of home directories returned: always @@ -232,6 +242,9 @@ config: user_auth_type: description: default types of supported user authentication returned: always + ca_renewal_master_server: + description: master for IPA certificate authority. + returned: always domain_resolution_order: description: list of domains used for short name qualification returned: always @@ -242,6 +255,7 @@ from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.ansible_freeipa_module import temp_kinit, \ temp_kdestroy, valid_creds, api_connect, api_command_no_name, \ compare_args_ipa, module_params_get +import ipalib.errors def config_show(module): 
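Review bot: `type: string` under the new `ca_renewal_master_server` option in DOCUMENTATION is not an Ansible argument type; the argument spec later in the file uses `type="str"`, and ansible's validate-modules sanity check expects the same spelling in the docs, so this should read `type: str`. The RETURN entry for the same field in the -232 hunk reads `master for IPA certificate authority.`, which drops the qualifying word; `Renewal master for the IPA certificate authority.` would match the option description. The option also has no `aliases:` entry although the README table in this commit documents `ipacarenewalmasterserver` as one.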
@@ -267,6 +281,8 @@ def main(): ipaadmin_password=dict(type="str", required=False, no_log=True), maxusername=dict(type="int", required=False, aliases=['ipamaxusernamelength']), + maxhostname=dict(type="int", required=False, + aliases=['ipamaxhostnamelength']), homedirectory=dict(type="str", required=False, aliases=['ipahomesrootdir']), defaultshell=dict(type="str", required=False, @@ -285,8 +301,7 @@ def main(): groupsearch=dict(type="list", required=False, aliases=['ipagroupsearchfields']), enable_migration=dict(type="bool", required=False, - aliases=['ipamigrationenabled', - 'enable-migration']), + aliases=['ipamigrationenabled']), groupobjectclasses=dict(type="list", required=False, aliases=['ipagroupobjectclasses']), userobjectclasses=dict(type="list", required=False, @@ -298,22 +313,22 @@ def main(): choices=["AllowNThash", "KDC:Disable Last Success", "KDC:Disable Lockout", - "KDC:Disable Default Preauth for SPNs"]), # noqa E128 + "KDC:Disable Default Preauth for SPNs", + ""]), # noqa E128 selinuxusermaporder=dict(type="list", required=False, aliases=['ipaselinuxusermaporder']), selinuxusermapdefault=dict(type="str", required=False, aliases=['ipaselinuxusermapdefault']), pac_type=dict(type="list", required=False, - aliases=["ipakrbauthzdata", "pac-type"], - choices=["MS-PAC", "PAD", "nfs:NONE"]), + aliases=["ipakrbauthzdata"], + choices=["MS-PAC", "PAD", "nfs:NONE", ""]), user_auth_type=dict(type="list", required=False, - aliases=["ipauserauthtype", - "user-auth_type", - "user-auth-type"]), + choices=["password", "radius", "otp", + "disabled", ""], + aliases=["ipauserauthtype"]), + ca_renewal_master_server=dict(type="str", required=False), domain_resolution_order=dict(type="list", required=False, - aliases=["ipadomainresolutionorder", - "domain-resolution_order", - "domain-resolution-order"]) + aliases=["ipadomainresolutionorder"]) ), supports_check_mode=True, ) 
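Review bot: `ca_renewal_master_server=dict(type="str", required=False)` in the -298 hunk accepts no alias, yet the README row added in this commit lists `ipacarenewalmasterserver` next to the option name, so a playbook using the documented alias would be rejected as an unsupported parameter. Either add `aliases=['ipacarenewalmasterserver']` here and in DOCUMENTATION, or drop the alias from the README row. The -285 and -298 hunks also remove the hyphenated aliases (`enable-migration`, `pac-type`, `user-auth_type`, `user-auth-type`, `domain-resolution_order`, `domain-resolution-order`); unless those never shipped in a release, existing playbooks using them will start failing, which deserves a sentence in the README or changelog. The argument spec dict continues outside the hunk.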
@@ -330,6 +345,7 @@ def main(): field_map = { "maxusername": "ipamaxusernamelength", + "maxhostname": "ipamaxhostnamelength", "homedirectory": "ipahomesrootdir", "defaultshell": "ipadefaultloginshell", "defaultgroup": "ipadefaultprimarygroup", @@ -347,6 +363,7 @@ def main(): "selinuxusermapdefault": "ipaselinuxusermapdefault", "pac_type": "ipakrbauthzdata", "user_auth_type": "ipauserauthtype", + "ca_renewal_master_server": "ca_renewal_master_server", "domain_resolution_order": "ipadomainresolutionorder" } reverse_field_map = {v: k for k, v in field_map.items()} @@ -378,22 +395,19 @@ def main(): params["ipagroupsearchfields"] = \ ",".join(params["ipagroupsearchfields"]) - if params.get("ipamaxusernamelength", 0) > 255 \ - or params.get("ipamaxusernamelength", 2) < 1: - ansible_module.fail_json( - msg="Argument 'maxusername' mustn range 1 to 255") - - for x in ["ipasearchtimelimit", - "ipasearchrecordslimit", - "ipapwdexpadvnotify"]: - if params.get(x, 0) > 2147483647: + # verify limits on INT values. + args_with_limits = [ + ("ipamaxusernamelength", 1, 255), + ("ipamaxhostnamelength", 64, 255), + ("ipasearchtimelimit", -1, 2147483647), + ("ipasearchrecordslimit", -1, 2147483647), + ("ipapwdexpadvnotify", 0, 2147483647), + ] + for arg, min, max in args_with_limits: + if arg in params and (params[arg] > max or params[arg] < min): ansible_module.fail_json( - msg="Argument '%s' has a maximum value of 2147483647" % (x)) - - for x in ["ipasearchtimelimit", "ipasearchrecordslimit"]: - if params.get(x, 0) < -2147483648: - ansible_module.fail_json( - msg="Argument '%s' has minimum value of -2147483648" % (x)) + msg="Argument '%s' must be between %d and %d." + % (arg, min, max)) changed = False exit_args = {} 
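Review bot: The loop header `for arg, min, max in args_with_limits:` in the -378 hunk shadows the `min` and `max` builtins for the remainder of `main()`, which continues outside the hunk; `for arg, lower, upper in args_with_limits:` with `if arg in params and (params[arg] > upper or params[arg] < lower):` and `% (arg, lower, upper)` avoids that. The table also raises the accepted minimum for `ipasearchtimelimit` and `ipasearchrecordslimit` from `-2147483648` to `-1`, which agrees with the README text but is a behaviour change relative to the removed check; a comment above `args_with_limits` stating where each bound comes from would make the new ranges look intentional rather than accidental.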
@@ -405,10 +419,14 @@ def main(): ccache_dir, ccache_name = temp_kinit(ipaadmin_principal, ipaadmin_password) api_connect() - - if params.keys(): + if params: res_show = config_show(ansible_module) - if not compare_args_ipa(ansible_module, params, res_show): + params = { + k: v for k, v in params.items() + if k not in res_show or res_show[k] != v + } + if params \ + and not compare_args_ipa(ansible_module, params, res_show): changed = True api_command_no_name(ansible_module, "config_mod", params) @@ -445,7 +463,8 @@ def main(): exit_args[k] = (v[0] == "TRUE") else: exit_args[k] = v - + except ipalib.errors.EmptyModlist: + changed = False except Exception as e: ansible_module.fail_json(msg="%s %s" % (params, str(e))) diff --git a/tests/config/test_config.yml b/tests/config/test_config.yml index efa169de3e6213b174db7bbc458a14d59c000c62..c288e45197c749756dd1c46395edac3ca40299c2 100644 --- a/tests/config/test_config.yml +++ b/tests/config/test_config.yml @@ -5,6 +5,7 @@ gather_facts: false tasks: + # Retrieve current configuration. - name: return current values of the global configuration options ipaconfig: ipaadmin_password: SomeADMINpassword 
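Review bot: In the -405 hunk `changed = True` is immediately followed by `api_command_no_name(ansible_module, "config_mod", params)` with no visible check-mode guard, although the module declares `supports_check_mode=True`; if `api_command_no_name` does not itself honour `ansible_module.check_mode` (its body is outside the hunk), a dry run would modify the server configuration. The new pre-filter `if k not in res_show or res_show[k] != v` only drops keys whose server value is identical in both type and value, so `compare_args_ipa` is still what decides for list- or string-typed server values; a comment such as `# Drop params that exactly match the server; compare_args_ipa does the lenient comparison.` would explain why both checks exist. The `except ipalib.errors.EmptyModlist` branch in the -445 hunk resets `changed` to False after the call; the enclosing `try` starts outside the hunk.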
@@ -13,131 +14,375 @@ - debug: msg: "{{previousconfig}}" - - name: set default shell to default value + # setup environment. + - name: create test group + ipagroup: + ipaadmin_password: 'SomeADMINpassword' + name: somedefaultgroup + + - name: Ensure the default e-mail domain is ipa.test. + ipaconfig: + ipaadmin_password: SomeADMINpassword + emaildomain: ipa.test + + - name: set default shell to '/bin/sh' ipaconfig: ipaadmin_password: SomeADMINpassword defaultshell: /bin/sh + + - name: set default group + ipaconfig: + ipaadmin_password: SomeADMINpassword + defaultgroup: ipausers + + - name: set default home directory + ipaconfig: + ipaadmin_password: SomeADMINpassword + homedirectory: /home + + - name: clear pac-type + ipaconfig: + ipaadmin_password: SomeADMINpassword + pac_type: "" + + - name: set maxusername to 255 + ipaconfig: + ipaadmin_password: SomeADMINpassword + maxusername: 255 + + - name: set maxhostname to 255 + ipaconfig: + ipaadmin_password: SomeADMINpassword + maxhostname: 255 + + - name: set pwdexpnotify to 0 + ipaconfig: + ipaadmin_password: SomeADMINpassword + pwdexpnotify: 0 + + - name: set searchrecordslimit to 10 + ipaconfig: + ipaadmin_password: SomeADMINpassword + searchrecordslimit: 10 + + - name: set searchtimelimit to 1 + ipaconfig: + ipaadmin_password: SomeADMINpassword + searchtimelimit: 1 + + - name: clear configstring + ipaconfig: + ipaadmin_password: SomeADMINpassword + configstring: "" + + - name: set configstring to AllowNThash + ipaconfig: + ipaadmin_password: SomeADMINpassword + configstring: 'KDC:Disable Lockout' + + - name: set selinuxusermapdefault + ipaconfig: + ipaadmin_password: SomeADMINpassword + selinuxusermapdefault: "staff_u:s0-s0:c0.c1023" + + - name: set selinuxusermaporder + ipaconfig: + ipaadmin_password: SomeADMINpassword + selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023' + + - name: set usersearch to `uid` + ipaconfig: + ipaadmin_password: SomeADMINpassword + usersearch: uid + + - name: set groupsearch to 
`cn` + ipaconfig: + ipaadmin_password: SomeADMINpassword + groupsearch: cn + + # tests + - name: Ensure the default e-mail domain is somedomain.test. + ipaconfig: + ipaadmin_password: SomeADMINpassword + emaildomain: somedomain.test + register: result + failed_when: not result.changed + + - name: Ensure the default e-mail domain is somedomain.test, again. + ipaconfig: + ipaadmin_password: SomeADMINpassword + emaildomain: somedomain.test register: result failed_when: result.changed - - name: set default shell to new value + - name: set default shell to '/bin/someshell' ipaconfig: ipaadmin_password: SomeADMINpassword - defaultshell: /bin/bash + defaultshell: /bin/someshell register: result failed_when: not result.changed - - name: check default shell is changed + - name: set default shell to '/bin/someshell', again. ipaconfig: ipaadmin_password: SomeADMINpassword - defaultshell: /bin/bash + defaultshell: /bin/someshell register: result failed_when: result.changed - - name: reset default shell to old value + - name: set default group ipaconfig: ipaadmin_password: SomeADMINpassword - defaultshell: '{{previousconfig.config.defaultshell }}' + defaultgroup: somedefaultgroup register: result failed_when: not result.changed - - name: check default shell is reset + - name: set default group ipaconfig: ipaadmin_password: SomeADMINpassword - defaultshell: '{{previousconfig.config.defaultshell }}' + defaultgroup: somedefaultgroup register: result failed_when: result.changed - - name: Ensure the default e-mail domain is ansible.com. 
+ - name: set default home directory ipaconfig: ipaadmin_password: SomeADMINpassword - emaildomain: ansible.com + homedirectory: /Users register: result failed_when: not result.changed - - name: Ensure the default e-mail domain is set + - name: set default home directory ipaconfig: ipaadmin_password: SomeADMINpassword - emaildomain: ansible.com + homedirectory: /Users register: result failed_when: result.changed - - name: reset default e-mail domain + - name: set pac-type ipaconfig: ipaadmin_password: SomeADMINpassword - emaildomain: '{{previousconfig.config.emaildomain }}' + pac_type: "nfs:NONE" register: result failed_when: not result.changed - - name: set pac-type + - name: set pac-type, again. + ipaconfig: + ipaadmin_password: SomeADMINpassword + pac_type: "nfs:NONE" + register: result + failed_when: result.changed + + - name: set maxusername to 33 + ipaconfig: + ipaadmin_password: SomeADMINpassword + maxusername: 33 + register: result + failed_when: not result.changed + + - name: set maxusername to 33, again. 
+ ipaconfig: + ipaadmin_password: SomeADMINpassword + maxusername: 33 + register: result + failed_when: result.changed + + - name: set maxhostname to 77 + ipaconfig: + ipaadmin_password: SomeADMINpassword + maxhostname: 77 + register: result + failed_when: not result.changed + + - name: set maxhostname to 77, again + ipaconfig: + ipaadmin_password: SomeADMINpassword + maxhostname: 77 + register: result + failed_when: result.changed + + - name: set pwdexpnotify to 17 + ipaconfig: + ipaadmin_password: SomeADMINpassword + pwdexpnotify: 17 + register: result + failed_when: not result.changed + + - name: set pwdexpnotify to 17, again + ipaconfig: + ipaadmin_password: SomeADMINpassword + pwdexpnotify: 17 + register: result + failed_when: result.changed + + - name: set searchrecordslimit to -1 + ipaconfig: + ipaadmin_password: SomeADMINpassword + searchrecordslimit: -1 + register: result + failed_when: not result.changed + + - name: set searchrecordslimit to -1, again. + ipaconfig: + ipaadmin_password: SomeADMINpassword + searchrecordslimit: -1 + register: result + failed_when: result.changed + + - name: set searchtimelimit to 12345 ipaconfig: ipaadmin_password: SomeADMINpassword - pac_type: - - nfs:NONE + searchtimelimit: 12345 register: result failed_when: not result.changed - - name: reset pac-type + - name: set searchtimelimit to 12345, again. 
+ ipaconfig: + ipaadmin_password: SomeADMINpassword + searchtimelimit: 12345 + register: result + failed_when: result.changed + + - name: change enable_migration ipaconfig: ipaadmin_password: SomeADMINpassword - pac_type: '{{previousconfig.config.pac_type}}' + enable_migration: '{{ not previousconfig.config.enable_migration }}' register: result failed_when: not result.changed - - name: set usersearch + - name: change enable_migration, again + ipaconfig: + ipaadmin_password: SomeADMINpassword + enable_migration: '{{ not previousconfig.config.enable_migration }}' + register: result + failed_when: result.changed + + - name: set configstring to AllowNThash ipaconfig: ipaadmin_password: SomeADMINpassword - usersearch: - - uid + configstring: AllowNThash register: result failed_when: not result.changed - - name: check usersearch + - name: set configstring to AllowNThash, again. ipaconfig: ipaadmin_password: SomeADMINpassword - usersearch: - - uid + configstring: AllowNThash + register: result + failed_when: result.changed + + - name: set selinuxusermaporder + ipaconfig: + ipaadmin_password: SomeADMINpassword + selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' + register: result + failed_when: not result.changed + + - name: set selinuxusermaporder, again + ipaconfig: + ipaadmin_password: SomeADMINpassword + selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' + register: result + failed_when: result.changed + + - name: set selinuxusermapdefault + ipaconfig: + ipaadmin_password: SomeADMINpassword + selinuxusermapdefault: 'user_u:s0' + register: result + failed_when: not result.changed + + - name: set selinuxusermapdefault, again + ipaconfig: + ipaadmin_password: SomeADMINpassword + selinuxusermapdefault: 'user_u:s0' + register: result + failed_when: result.changed + + - name: set groupsearch to `description` + ipaconfig: + ipaadmin_password: SomeADMINpassword + 
groupsearch: description + register: result + failed_when: not result.changed + + - name: set groupsearch to `gidNumber`, again + ipaconfig: + ipaadmin_password: SomeADMINpassword + groupsearch: description + register: result + failed_when: result.changed + + - name: set usersearch to `uidNumber` + ipaconfig: + ipaadmin_password: SomeADMINpassword + usersearch: uidNumber + register: result + failed_when: not result.changed + + - name: set usersearch to `uidNumber`, again + ipaconfig: + ipaadmin_password: SomeADMINpassword + usersearch: uidNumber register: result failed_when: result.changed - name: reset changed fields ipaconfig: ipaadmin_password: 'SomeADMINpassword' - configstring: '{{previousconfig.config.configstring}}' - emaildomain: '{{previousconfig.config.emaildomain}}' - defaultshell: '{{previousconfig.config.defaultshell}}' - defaultgroup: '{{previousconfig.config.defaultgroup}}' - groupsearch: '{{previousconfig.config.groupsearch}}' - homedirectory: '{{previousconfig.config.homedirectory}}' - pac_type: '{{previousconfig.config.pac_type}}' - maxusername: '{{previousconfig.config.maxusername}}' - enable_migration: '{{previousconfig.config.enable_migration}}' - pwdexpnotify: '{{previousconfig.config.pwdexpnotify}}' - searchrecordslimit: '{{previousconfig.config.searchrecordslimit}}' - searchtimelimit: '{{previousconfig.config.searchtimelimit}}' - selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault}}' - selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder}}' - usersearch: '{{previousconfig.config.usersearch}}' - register: result - failed_when: not result.changed - - - name: check reset fields + maxusername: '{{previousconfig.config.maxusername | default(omit)}}' + maxhostname: '{{previousconfig.config.maxhostname | default(omit)}}' + homedirectory: '{{previousconfig.config.homedirectory | default(omit)}}' + defaultshell: '{{previousconfig.config.defaultshell | default(omit)}}' + defaultgroup: 
'{{previousconfig.config.defaultgroup | default(omit)}}' + emaildomain: '{{previousconfig.config.emaildomain | default(omit)}}' + searchtimelimit: '{{previousconfig.config.searchtimelimit | default(omit)}}' + searchrecordslimit: '{{previousconfig.config.searchrecordslimit | default(omit)}}' + usersearch: '{{previousconfig.config.usersearch | default(omit)}}' + groupsearch: '{{previousconfig.config.groupsearch | default(omit)}}' + enable_migration: '{{previousconfig.config.enable_migration | default(omit)}}' + groupobjectclasses: '{{previousconfig.config.groupobjectclasses | default(omit)}}' + userobjectclasses: '{{previousconfig.config.userobjectclasses | default(omit)}}' + pwdexpnotify: '{{previousconfig.config.pwdexpnotify | default(omit)}}' + configstring: '{{previousconfig.config.configstring | default(omit)}}' + selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault | default(omit)}}' + selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder | default(omit)}}' + pac_type: '{{previousconfig.config.pac_type | default(omit)}}' + user_auth_type: '{{previousconfig.config.user_auth_type | default(omit)}}' + domain_resolution_order: '{{previousconfig.config.domain_resolution_order | default(omit)}}' + ca_renewal_master_server: '{{previousconfig.config.ca_renewal_master_server | default(omit)}}' + register: result + failed_when: not result.changed + + - name: reset changed fields, again ipaconfig: ipaadmin_password: 'SomeADMINpassword' - configstring: '{{previousconfig.config.configstring}}' - emaildomain: '{{previousconfig.config.emaildomain}}' - defaultshell: '{{previousconfig.config.defaultshell}}' - defaultgroup: '{{previousconfig.config.defaultgroup}}' - groupsearch: '{{previousconfig.config.groupsearch}}' - homedirectory: '{{previousconfig.config.homedirectory}}' - pac_type: '{{previousconfig.config.pac_type}}' - maxusername: '{{previousconfig.config.maxusername}}' - enable_migration: '{{previousconfig.config.enable_migration}}' - 
pwdexpnotify: '{{previousconfig.config.pwdexpnotify}}' - searchrecordslimit: '{{previousconfig.config.searchrecordslimit}}' - searchtimelimit: '{{previousconfig.config.searchtimelimit}}' - selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault}}' - selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder}}' - usersearch: '{{previousconfig.config.usersearch}}' + maxusername: '{{previousconfig.config.maxusername | default(omit)}}' + maxhostname: '{{previousconfig.config.maxhostname | default(omit)}}' + homedirectory: '{{previousconfig.config.homedirectory | default(omit)}}' + defaultshell: '{{previousconfig.config.defaultshell | default(omit)}}' + defaultgroup: '{{previousconfig.config.defaultgroup | default(omit)}}' + emaildomain: '{{previousconfig.config.emaildomain | default(omit)}}' + searchtimelimit: '{{previousconfig.config.searchtimelimit | default(omit)}}' + searchrecordslimit: '{{previousconfig.config.searchrecordslimit | default(omit)}}' + usersearch: '{{previousconfig.config.usersearch | default(omit)}}' + groupsearch: '{{previousconfig.config.groupsearch | default(omit)}}' + enable_migration: '{{previousconfig.config.enable_migration | default(omit)}}' + groupobjectclasses: '{{previousconfig.config.groupobjectclasses | default(omit)}}' + userobjectclasses: '{{previousconfig.config.userobjectclasses | default(omit)}}' + pwdexpnotify: '{{previousconfig.config.pwdexpnotify | default(omit)}}' + configstring: '{{previousconfig.config.configstring | default(omit)}}' + selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault | default(omit)}}' + selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder | default(omit)}}' + pac_type: '{{previousconfig.config.pac_type | default(omit)}}' + user_auth_type: '{{previousconfig.config.user_auth_type | default(omit)}}' + domain_resolution_order: '{{previousconfig.config.domain_resolution_order | default(omit)}}' + ca_renewal_master_server: 
'{{previousconfig.config.ca_renewal_master_server | default(omit)}}' register: result failed_when: result.changed + + # cleanup + + - name: cleanup test group + ipagroup: + ipaadmin_password: 'SomeADMINpassword' + name: somedefaultgroup + state: absent
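Review bot: Several task names in the new setup and test sections do not match the value the task sets, which makes failures hard to read in the play log: the setup task named `set configstring to AllowNThash` sets `configstring: 'KDC:Disable Lockout'`, and the test task whose name ends in `gidNumber, again` sets `groupsearch: description`. Propose renaming them to `set configstring to 'KDC:Disable Lockout'` and `set groupsearch to description, again`. The setup task `set default group` uses `ipausers` while the later test task of the same name uses `somedefaultgroup`; giving the setup task a name that mentions `ipausers` would distinguish the two in output. The playbook continues outside the hunk.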