- Oct 21, 2019
Thomas Woerner authored
The ipauser module now supports all user settings and additionally to ensure the presence of several users with the new users setting. The users setting can also be used with other states, but it has to be limited to only contain the name of the users.

The updated user management module is placed in the plugins folder:

  plugins/modules/ipauser.py

The user module now additionally allows to handle these user settings:

  initials
  principalexpiration
  random
  city
  userstate
  postalcode
  mobile
  pager
  fax
  orgunit
  manager
  carlicense
  sshpubkey
  userauthtype
  userclass
  radius
  radiususer
  departmentnumber
  employeenumber
  employeetype
  preferredlanguage
  certificate
  certmapdata
  noprivate
  nomembers

Here is the updated documentation for the module:

  README-user.md

New example playbooks have been added:

  playbooks/user/user_certificate_absent.yml
  playbooks/user/user_certificate_present.yml
  playbooks/user/user_present.yml
  playbooks/user/users_absent.yml
  playbooks/user/users_certificate_absent.yml
  playbooks/user/users_certificate_present.yml
  playbooks/user/users_present.yml
  plugins/modules/ipauser.py

New tests added for ipauser:

  tests/user/certificate/cert1.der
  tests/user/certificate/cert1.pem
  tests/user/certificate/cert2.der
  tests/user/certificate/cert2.pem
  tests/user/certificate/cert3.der
  tests/user/certificate/cert3.pem
  tests/user/certificate/private1.key
  tests/user/certificate/private2.key
  tests/user/certificate/private3.key
  tests/user/certificate/test_user_certificate.yml
  tests/user/certificate/test_users_certificate.yml
  tests/user/certmapdata/test_user_certmapdata.yml
  tests/user/certmapdata/test_user_certmapdata_issuer_subject.yml
  tests/user/certmapdata/test_users_certmapdata.yml
  tests/user/test_user.yml
  tests/user/test_users.yml
  tests/user/test_users_absent.yml
  tests/user/test_users_invalid_cert.yml
  tests/user/test_users_present.yml
  tests/user/test_users_present_slice.yml
  tests/user/users_absent.json
  tests/user/users_absent.sh
  tests/user/users_present.json
  tests/user/users_present.sh
-
Thomas Woerner authored
The function api_get_realm is returning the realm of a connected FreeIPA api. This is needed for proper principal checks in the extended ipauser module that supports principals now.
-
Thomas Woerner authored
The conversion is needed because older FreeIPA versions are returning tuples in some cases instead of lists. To be able to compare them the conversion to a list is needed.
-
- Oct 18, 2019
Thomas Woerner authored
to_text has not been imported from ansible.module_utils._text but it was used in _afm_convert. The import has been added.
-
- Oct 09, 2019
Thomas Woerner authored
The module_params_get function can and should be used as a replacement of ansible_module.params.get. For Python2 it is needed to convert parameters to unicode. Otherwise there will be an error in the FreeIPA API command. The private function _afm_convert has been added to do the conversion recursively.
-
Thomas Woerner authored
api_check_param can be used to verify if params are available for a command in the used FreeIPA version. The function has been added as api is normally not imported into modules.
-
Thomas Woerner authored
The order of lists returned by find commands is not guaranteed. Therefore lists are now converted to sets to compare them properly.
-
Thomas Woerner authored
api_command is always used within a try clause, therefore it is not needed to have an extra try clause within api_command. Additionally it is needed to get the different errors in the next level.
-
- Oct 07, 2019
Thomas Woerner authored
fix various typos in README files
-
Thorsten Scherf authored
-
- Oct 02, 2019
Varun Mylaraiah authored
ipagroup: Rework to use same mechanisms as ipahostgroup module
-
- Oct 01, 2019
Thomas Woerner authored
The ipagroup module was not using the failed and completed items in the dict that is returned with api_command. But it was creating add and remove lists for users, groups and services. This is not needed if the failures "already a member" and "not a member" in the result failures are ignored. Only other failures are reported.
-
- Sep 27, 2019
Varun Mylaraiah authored
tests/external-signed-ca tests: Fix external-ca.sh to use proper serials
-
Thomas Woerner authored
The serial numbers have not been set for the creation of the CA and also to sign the request. Because of this the local time has been used, which resulted sometimes in the use of the same time stamp for the CA and the signing request. The import failed then with same issuer and serial number error. The cat to generate the chain.crt has been replaced with openssl x509 calls. Some comments have also been added. The script in external-signed-ca-with-manual-copy has been replaced with a link to the external-signed-ca-with-automatic-copy directory.
-
- Sep 26, 2019
Varun Mylaraiah authored
New hostgroup management module
-
- Sep 25, 2019
Thomas Woerner authored
ipaservcer:vars has been changed to ipaserver:vars.
-
- Sep 24, 2019
Thomas Woerner authored
The states member_present and member_absent are not used and should also not be used. This is a remnant of the first try to ensure absence and presence of users (members) in the group. This has been replaced with the setting action: member.
-
Thomas Woerner authored
-
- Sep 23, 2019
Thomas Woerner authored
There is a new hostgroup management module placed in the plugins folder:

  plugins/modules/ipahostgroup.py

The hostgroup module allows to add, remove and disable hosts.

The hostgroup module is as compatible as possible to the Ansible upstream ipa_hostgroup module, but additionally offers to ensure member presence and absence.

Here is the documentation for the module:

  README-hostgroup.md

New example playbooks have been added:

  playbooks/hostgroup/ensure-hostgroup-is-absent.yml
  playbooks/hostgroup/ensure-hostgroup-is-present.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
-
Thomas Woerner authored
There is a new hostgroup management module placed in the plugins folder:

  plugins/modules/ipahostgroup.py

The hostgroup module allows to add, remove and disable hosts.

The hostgroup module is as compatible as possible to the Ansible upstream ipa_hostgroup module, but additionally offers to ensure member presence and absence.

Here is the documentation for the module:

  README-hostgroup.md

New example playbooks have been added:

  playbooks/hostgroup/ensure-hostgroup-is-absent.yml
  playbooks/hostgroup/ensure-hostgroup-is-present.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml
-
- Sep 10, 2019
Thomas Woerner authored
With Ansible there is no add or remove user, there is only ensure presence or absence of users. The descriptions have been adapted to make sure that the description is correct now.
-
Thomas Woerner authored
There is a new user management module placed in the plugins folder:

  plugins/modules/ipauser.py

The host module allows to add, remove and disable hosts.

The host module is as compatible as possible to the Ansible upstream ipa_host module, but additionally offers to disable hosts.

Here is the documentation for the module:

  README-host.md

New example playbooks have been added:

  playbooks/host/add-host.yml
  playbooks/host/delete-host.yml
  playbooks/host/disable-host.yml
-
- Sep 04, 2019
Thomas Woerner authored
configure_nsswitch_database has been removed with the freeipa commit

  https://github.com/freeipa/freeipa/commit/41ef8fba31ddbb32e2e5b7cccdc9b582a0809111

The 4.4 compatibility hack leads to an ALREADY installed error in ipaclient_test because of the removal. This affects ipaclient and ipareplica roles and also the ipaclient deployment part in ipaserver.

configure_nsswitch_database is not used any more in ipaclient role modules and therefore simply can be removed from ansible_ipa_client.
-
- Aug 15, 2019
Thomas Woerner authored
This option defines the verbose level for the internal ansible-playbook run.
-
Thomas Woerner authored
This option is used in test scripts.
-
- Aug 12, 2019
Thomas Woerner authored
The GSSAPI can be enabled in the management modules with either the KRB5CCNAME or the KRB5_CLIENT_KTNAME environment variable.

For KRB5CCNAME it is needed to create a ccache file

  kinit admin@TEST.LOCAL -c /root/admin.ccache

that is transferred to the nodes (here into /root) and activated in the playbook with

  environment:
    KRB5CCNAME: /root/admin.ccache

For KRB5_CLIENT_KTNAME an admin keytab has to be generated

  ipa-getkeytab -s ipaserver.test.local -p admin@TEST.LOCAL -k \
      /root/admin.keytab

that is transferred to the nodes (here into /root) and activated in the playbook with

  environment:
    KRB5_CLIENT_KTNAME: /root/admin.keytab

It will be needed to set ipaadmin_principal if the admin principal is not admin.

The management modules can be used without a password in this case.
-
Thomas Woerner authored
For debug and error reporting it is needed to have the ansible module also in the valid_creds function.
-
Thomas Woerner authored
-
- Aug 06, 2019
Thomas Woerner authored
This option is the same as the --become-method option with ansible-playbook. If this option is set, become_method will be set in the generated playbook.
-
Thomas Woerner authored
Excessive args are printed now. The simple print of the message too many arguments was not helping.
-
Thomas Woerner authored
The p.wait() call has been missing in the normal case, therefore no proper returncode has been returned.
-
Thomas Woerner authored
If the --playbook-dir option is used, the inventory and playbook files will be generated in this directory. The files will not be removed after the playbook processing ended. If the directory does not exist an error message will be printed and the utility will not continue.
-
- Jul 30, 2019
Thomas Woerner authored
These settings are file descriptors if external certificates are used and are not used later in the roles. Therefore these settings have been removed. Fixes: #110 (Ansible error with external certificates)
-
- Jul 29, 2019
Thomas Woerner authored
The used code for continuous output from the ansible-playbook call was only working for Python2. The output has only been printed when the command finished. This code has been replaced with code that is working with Python2 and Python3.
-
Thomas Woerner authored
The wrong name has been used for the option of _install_packages.
-
Thomas Woerner authored
/usr/bin/python should be used by default. Fixed typo in _install_packages setting in the inventory file.
-
Thomas Woerner authored
These are utils scripts to do a server, replica or client deployment and undeployment using the ansible roles. A client inventory and playbook is generated by the script which is then used with ansible-playbook. The command line options of the normal command line installers ipa-server-install, ipa-replica-install and ipa-client-install are all supported also by these scripts. Additionally to the command line of the normal installers it is needed to add the fqdn of the host to be installed. It is needed that the ansible-freeipa roles are available and also usable by ansible.
-
- Jul 26, 2019
Varun Mylaraiah authored
ipatopologysegment: Fail if given entry can not be found for reinitia…
-
Thomas Woerner authored
Currently it is ignored if the entry for reinitialized can not be found if the name or left and right are not correct. Now there is a failure in this case. Fixes: #107 (Reinitialize are failed to find the node in ipatopology ..) Signed-off-by: Thomas Woerner <twoerner@redhat.com>
-
Varun Mylaraiah authored
ipatopologysegment: Store suffix for commands in command list
-