- May 12, 2020
-
-
Thomas Woerner authored
For certmapdata processing in ipauser it is needed to be able to load a cert from a string given in the task to be able to get the issuer and subject of the certificate. The format of the certificate here is lacking the markers for the begin and end of the certificate. Therefore load_pem_x509_certificate can not be used directly. Also in IPA < 4.5 it is needed to load the certificate with load_certificate instead of load_pem_x509_certificate. The function is implementing this properly.
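The marker problem described in this commit, as an added example that is not ansible-freeipa's own code: normalize_pem() accepts the bare base64 DER body a task may carry (with or without line breaks) as well as a full PEM block, and rejects anything that is not valid base64 before a certificate parser sees it; load_cert() mirrors the version switch, using cryptography's load_pem_x509_certificate for IPA >= 4.5 and an injected callable standing in for the older load_certificate, since ipalib is not importable offline. The self-signed certificate is a constructed fixture, not an IPA-issued one.

```python
"""Load an X.509 certificate handed to a task as bare base64 (added example)."""
import base64
import binascii
import re
import textwrap

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def normalize_pem(cert):
    """Return canonical PEM for bare base64 or an existing PEM block.

    Raises ValueError when the body is missing or is not valid base64, so a
    garbled task value fails loudly instead of reaching the parser.
    """
    if isinstance(cert, bytes):
        cert = cert.decode("ascii")
    body = cert
    if PEM_BEGIN in body:
        if PEM_END not in body:
            raise ValueError("PEM block has BEGIN but no END marker")
        body = body[body.index(PEM_BEGIN) + len(PEM_BEGIN):body.index(PEM_END)]
    body = re.sub(r"\s+", "", body)  # tasks often wrap the base64 over lines
    if not body:
        raise ValueError("empty certificate value")
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("certificate is not valid base64: %s" % exc)
    # Re-encode so the body is 64-column lines regardless of how it came in.
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([PEM_BEGIN] + textwrap.wrap(b64, 64) + [PEM_END]) + "\n"


def pem_to_der(cert):
    """DER bytes of a bare-base64 or PEM certificate (what the pre-4.5 loader takes)."""
    lines = normalize_pem(cert).split("\n")
    return base64.b64decode("".join(lines[1:-2]))


def load_cert(cert, ipa_version, legacy_loader=None):
    """Parse `cert` with the loader appropriate for the IPA server version.

    legacy_loader stands in for ipalib.x509.load_certificate on IPA < 4.5
    (assumption: it takes DER bytes); newer servers use cryptography.
    """
    if tuple(ipa_version) < (4, 5):
        if legacy_loader is None:
            raise RuntimeError("IPA < 4.5 needs a load_certificate callable")
        return legacy_loader(pem_to_der(cert))
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
    pem = normalize_pem(cert).encode("ascii")
    return x509.load_pem_x509_certificate(pem, default_backend())


def cert_names(cert_obj):
    """(subject, issuer) as RFC 4514 strings, the two fields certmapdata uses."""
    return cert_obj.subject.rfc4514_string(), cert_obj.issuer.rfc4514_string()


def make_self_signed_pem(common_name):
    """Throwaway self-signed certificate used as sample input: a constructed
    fixture for this example, not anything issued by an IPA CA."""
    import datetime
    from cryptography import x509
    from cryptography.hazmat.backends import default_backend
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    from cryptography.x509.oid import NameOID

    key = rsa.generate_private_key(65537, 2048, default_backend())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=1))
            .sign(key, hashes.SHA256(), default_backend()))
    return cert.public_bytes(serialization.Encoding.PEM).decode("ascii")


if __name__ == "__main__":
    full_pem = make_self_signed_pem("host.example.test")
    # Simulate the task value: base64 body without markers, wrapped over lines.
    bare = full_pem.replace(PEM_BEGIN, "").replace(PEM_END, "")
    print(cert_names(load_cert(bare, (4, 6))))
    print(len(load_cert(bare, (4, 4), legacy_loader=bytes)), "DER bytes via legacy path")
```

Re-encoding the decoded DER rather than re-wrapping the input text is deliberate: it strips stray characters, fixes line width, and guarantees the PEM body round-trips to exactly the bytes that will be parsed.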
-
- May 11, 2020
-
-
Thomas Woerner authored
group_remove_member is not able to handle services in old IPA releases. In one case the check was missing and the removal of a user from a group failed because of this with an older IPA version. The missing check has been added. Fixes #257 (ipagroup fails to remove user from group ipausers)
-
Thomas Woerner authored
The host_find command had to be replaced to get the "has_password" and "has_keytab" return values. This commit replaces the dnsrecord_find with the dnsrecord_show command to have consistent find functions in the module.
-
Thomas Woerner authored
If random is enabled and update_password is limited to "create_only", the random password may only be changed if the host does not exist yet. Additionally the generation of the random password will fail, if the host is already enrolled if update_password is "always" (default value). An error will be reported early in this case now. The command host_show is now used instead of host_find, as `has_password` and `has_keytab` are only returned by host_show, but not by host_find. The find_host function has been adapted for this change. Resolves: #253 (ipahost is not idempotent)
-
- May 06, 2020
-
-
Thomas Woerner authored
The find_user function was not using encode_certificate for certificates that are stored in the user record. This could lead to some issues with older ipa releases and Python 2.
-
Thomas Woerner authored
Because of a missing check, member attributes (for use with action: member) are cleared when a non-member attribute is changed. The fix simply adds a check for None (parameter not set) to gen_add_del_lists in ansible_freeipa_module to make sure that the parameter is only changed if it should be changed. All places where the add and removal lists have been generated manually have been changed to also use gen_add_del_lists. Resolves: #252 (The "Manager" attribute is removed when updating any user attribute)
-
- May 04, 2020
-
-
Rafael Guterres Jeffman authored
Even after obtaining Kerberos TGT with temp_kinit(), when connecting to the IPA API with context `ansible-freeipa`, the API commands complained that Kerberos credentials were not available. This patch fixes this behavior.
-
- Apr 26, 2020
-
-
Sergio Oliveira Campos authored
-
Sergio Oliveira Campos authored
-
Sergio Oliveira Campos authored
-
Sergio Oliveira Campos authored
-
- Apr 16, 2020
-
-
Thomas Woerner authored
In the case that the admin password has been set and become was not set the call to backend.connect in api_connect failed. The solution is simply to set os.environ["KRB5CCNAME"] in temp_kinit after kinit_password has been called using the temporary ccache. os.environ["KRB5CCNAME"] is not used automatically by api.Backend.[ldap2,rpcclient].connect. Afterwards os.environ["KRB5CCNAME"] is unset in temp_kdestroy if ccache_name is not None. Fixes: #249 (Kerberos errors while using the modules with a non-sudoer user)
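The ccache lifecycle this commit describes, as an added example rather than ansible-freeipa's own temp_kinit/temp_kdestroy: obtain a TGT into a private ccache, export KRB5CCNAME only after kinit succeeded so code that reads nothing but the environment (api.Backend.*.connect takes no ccache argument) picks it up, and on the way out restore the environment, destroy the ccache and delete the file, including when the body raises. The kinit/kdestroy callables are injectable so the example runs offline; the defaults shell out to MIT Kerberos `kinit -c` / `kdestroy -c`, which is an assumption about the host, not something the commit specifies.

```python
"""Temporary Kerberos credential cache for one module run (added example)."""
import contextlib
import os
import subprocess
import tempfile


def run_kinit(principal, password, ccache_name):
    """Default kinit. Assumes MIT kinit, which reads the password from stdin
    when stdin is not a terminal, so it never appears on a command line."""
    subprocess.run(["kinit", "-c", ccache_name, principal],
                   input=(password + "\n").encode(), check=True,
                   stdout=subprocess.DEVNULL, stderr=subprocess.PIPE)


def run_kdestroy(ccache_name):
    """Default kdestroy; a failure here is not fatal, the file is unlinked anyway."""
    subprocess.run(["kdestroy", "-c", ccache_name], check=False,
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)


@contextlib.contextmanager
def temp_kinit(principal, password, kinit=run_kinit, kdestroy=run_kdestroy):
    """Yield the ccache name while the TGT is valid and KRB5CCNAME points at it."""
    fd, path = tempfile.mkstemp(prefix="krb5cc_ansible_")  # mode 0600, owner only
    os.close(fd)
    ccache_name = "FILE:" + path
    previous = os.environ.get("KRB5CCNAME")
    try:
        kinit(principal, password, ccache_name)
        # The point of the fix: export the ccache in the environment, and only
        # after kinit succeeded, so a failed kinit never leaves KRB5CCNAME
        # pointing at an empty cache.
        os.environ["KRB5CCNAME"] = ccache_name
        yield ccache_name
    finally:
        # Restore rather than blindly unset, so a caller's own ccache survives.
        if previous is None:
            os.environ.pop("KRB5CCNAME", None)
        else:
            os.environ["KRB5CCNAME"] = previous
        kdestroy(ccache_name)
        try:
            os.unlink(path)
        except OSError:
            pass


def exercise(fail_inside=False):
    """Run temp_kinit with recording fakes and report the observable state, to
    show that KRB5CCNAME is set only inside the block and cleaned up afterwards."""
    events = []

    def fake_kinit(principal, password, ccache_name):
        events.append(("kinit", principal, ccache_name))

    def fake_kdestroy(ccache_name):
        events.append(("kdestroy", ccache_name))

    result = {"before": os.environ.get("KRB5CCNAME"), "inside": None, "error": None}
    try:
        with temp_kinit("admin@EXAMPLE.TEST", "secret", fake_kinit, fake_kdestroy) as cc:
            result["inside"] = os.environ.get("KRB5CCNAME")
            result["file_inside"] = os.path.exists(cc[len("FILE:"):])
            if fail_inside:
                raise RuntimeError("simulated API failure")
    except RuntimeError as exc:
        result["error"] = str(exc)
    result["after"] = os.environ.get("KRB5CCNAME")
    result["file_after"] = os.path.exists(result["inside"][len("FILE:"):])
    result["events"] = events
    return result


if __name__ == "__main__":
    print(exercise())
    print(exercise(fail_inside=True))
```

The `finally` block is what makes the temporary ccache safe to use from a module: whichever way the API call ends, the environment is put back and the credential file is gone, so a later task in the same process cannot silently reuse the module's ticket.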
-
- Apr 10, 2020
-
-
Rafael Guterres Jeffman authored
This patch allows the removal of option `all` from user, host, and service categories, by allowing an empty string as a valid choice for each option.
-
Rafael Guterres Jeffman authored
This patch allows the removal of option `all` from user, host, group, runasuser, and runasgroup categories, by allowing an empty string as a valid choice for each option.
-
- Mar 26, 2020
-
-
Sergio Oliveira Campos authored
When accessing an instance of AnsibleFreeIPAParams with .get the obj was bypassing the call to _afm_convert which was the primary reason why it was created. Also the class now extends Mapping instead of dict.
-
Sergio Oliveira Campos authored
-
- Mar 24, 2020
-
-
Sergio Oliveira Campos authored
There is a new management module placed in the plugins folder: plugins/modules/ipadnszone.py
The dnszone module allows to manage DNS zones.
Here is the documentation for the module: README-dnszone.md
New example playbooks have been added:
playbooks/dnszone/disable-zone-forwarders.yml
playbooks/dnszone/dnszone-absent.yml
playbooks/dnszone/dnszone-all-params.yml
playbooks/dnszone/dnszone-disable.yml
playbooks/dnszone/dnszone-enable.yml
playbooks/dnszone/dnszone-present.yml
New tests for the module:
tests/dnszone/test_dnszone.yml
tests/dnszone/test_dnszone_mod.yml
-
Sergio Oliveira Campos authored
-
- Mar 13, 2020
-
-
Rafael Guterres Jeffman authored
Due to setting aaaa_extra_create_reverse or a_extra_create_reverse when not needed, host module fails to add a host with reverse address. This patch fixes the behavior by only adding *_extra_create_reverse when needed.
-
- Mar 10, 2020
-
-
chrisp authored
-
- Mar 05, 2020
-
-
Rafael Guterres Jeffman authored
There is a new vaultcontainer management module placed in the plugins folder: plugins/modules/ipadnsconfig.py
The dnsconfig module allows to modify global DNS configuration.
Here is the documentation for the module: README-dnsconfig.md
New example playbooks have been added:
playbooks/dnsconfig/set_configuration.yml
playbooks/dnsconfig/disable-global-forwarders.yml
playbooks/dnsconfig/disallow-reverse-sync.yml
New tests for the module:
tests/dnsconfig/test_dnsconfig.yml
-
- Mar 04, 2020
-
-
Rafael Guterres Jeffman authored
Add missing documentation for the `principal` variable.
-
- Feb 28, 2020
-
-
Rafael Guterres Jeffman authored
There is a new service management module placed in the plugins folder: plugins/modules/ipaservice.py
The service module allows to ensure presence and absence of services, and manage members and certificates of the service.
Here is the documentation for the module: README-service.md
New example playbooks have been added:
playbooks/service/service-host-is-absent.yml
playbooks/service/service-host-is-present.yml
playbooks/service/service-is-absent.yml
playbooks/service/service-is-disabled.yml
playbooks/service/service-is-present-with-all-attributes.yml
playbooks/service/service-is-present-without-host-object.yml
playbooks/service/service-is-present.yml
playbooks/service/service-member-allow_create_keytab-absent.yml
playbooks/service/service-member-allow_create_keytab-present.yml
playbooks/service/service-member-allow_retrieve_keytab-absent.yml
playbooks/service/service-member-allow_retrieve_keytab-present.yml
playbooks/service/service-member-certificate-absent.yml
playbooks/service/service-member-certificate-present.yml
playbooks/service/service-member-principal-absent.yml
playbooks/service/service-member-principal-present.yml
New tests added for the module:
tests/service/test-service.yml
-
- Feb 26, 2020
-
-
Thomas Woerner authored
Use SomeADMINpassword as the admin password also in the examples in the management modules.
-
- Feb 20, 2020
-
-
Thomas Woerner authored
For being able to catch ipalib.errors.NotFound errors in ipahost it is needed to import ipalib.errors. ipalib.errors is now imported as ipalib_errors to not have name conflicts with the errors list used in some of the modules. Related: https://bugzilla.redhat.com/show_bug.cgi?id=1804838
-
Thomas Woerner authored
If no IP address is given and either DNS is not configured or if the zone is not found then ipahost may not fail in dnsrecord_find. The error happened for example by ensuring the absence of a host that is not part of the domain or for a host that has been added with force and is using a domain that is not served by the DNS server in the domain. It also happened if there was no DNS server in the domain at all. A new test case has been added to test_host_ipaddresses.yml The fix requires ipalib_errors provided by ansible_freeipa_module. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1804838
-
- Feb 14, 2020
-
-
Thomas Woerner authored
The check to make sure that member can not be used on non existing hosts has been missing. Also the reverse flag for the dnsrecord_add call was None if the variable was not set. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1803026
-
- Feb 13, 2020
-
-
Rafael Guterres Jeffman authored
This change is needed to properly handle base64 encoding of certificates stored as bytes, under Python 3, as used by IPA service. It does not affect Python 2.7 as bytes are identical to str in this version of the language. When retrieving certificates stored by FreeIPA service data is returned as bytes, under Python 3, and encoding then breaks, as there is no bytes.public_bytes method. In Python 3, encoding with base64 will be the same for strings and bytes.
-
Thomas Woerner authored
ipahost was so far ignoring IP addresses when the host already existed. This happened because host_mod is not providing functionality to do this. Now ipaddress is a list and it is possible to ensure a host with several IP addresses (these can be IPv4 and IPv6). Also it is possible to ensure presence and absence of IP addresses for an existing host using action member. There are no IP address conflict checks as this would lead into issues with updating an existing host that already is using a duplicate IP address for example for round-robin (RR). Also this might lead into issues with ensuring a new host with several IP addresses in this case. Also to ensure a list of hosts with changing the IP address of one host to another in the list would result in issues here.
New example playbooks have been added:
playbooks/host/host-present-with-several-ip-addresses.yml
playbooks/host/host-member-ipaddresses-absent.yml
playbooks/host/host-member-ipaddresses-present.yml
A new test has been added for verification:
tests/host/test_host_ipaddresses.yml
Fixes:
https://bugzilla.redhat.com/show_bug.cgi?id=1783976
https://bugzilla.redhat.com/show_bug.cgi?id=1783979
-
- Feb 11, 2020
-
-
Thomas Woerner authored
Bool types are not iterable. Therefore the comparison using sets was failing with a TypeError. This prevented to change the bool parameters for hosts. A test for the host module has been added to verify that the bool parameters can be modified. New test: tests/host/test_host_bool_params.yml Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1784514
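The three idempotency problems recorded in this history (the gen_add_del_lists None check from the "Manager attribute is removed" fix, the ensure/member semantics for host IP addresses, and the TypeError from comparing bool parameters with sets in this commit), as one added example; this is illustrative code, not ansible-freeipa's own gen_add_del_lists. A parameter the task did not set (None) yields no change at all; `action: member` adds or removes only the listed values instead of replacing the whole attribute; scalar parameters such as booleans are compared by value, never via set(). The sample record and the attribute names in it are constructed for the example.

```python
"""Idempotent attribute diffing for an Ansible module (added example)."""


def gen_add_del_lists(wanted, current):
    """Return (to_add, to_remove) that make `current` equal `wanted`.

    None means the task did not set the parameter: nothing changes. Order of
    first appearance is kept and duplicates collapsed, so the same task run
    twice yields ([], []) the second time.
    """
    if wanted is None:
        return [], []
    wanted = list(dict.fromkeys(wanted))
    current = list(dict.fromkeys(current or []))
    have, want = set(current), set(wanted)
    return [v for v in wanted if v not in have], [v for v in current if v not in want]


def member_changes(wanted, current, state, action):
    """Add/remove lists under state ("present"/"absent") and action:
    "host" makes the attribute match exactly, "member" touches only the
    values listed in the task."""
    if wanted is None:
        return [], []
    if action != "member":
        return gen_add_del_lists(wanted, current)
    to_add, _ = gen_add_del_lists(wanted, current)
    if state == "present":
        return to_add, []
    have = set(current or [])
    return [], [v for v in dict.fromkeys(wanted) if v in have]


def needs_update(wanted, current):
    """True when a single-valued parameter differs from the record. Booleans
    and strings are compared directly; set(True) would raise TypeError."""
    if wanted is None:
        return False
    return wanted != current


def plan_update(params, current, state="present", action="host", member_attrs=()):
    """Build {attr: change} for one record; attributes in member_attrs are
    multi-valued and diffed, all others are scalars."""
    plan = {}
    for attr, wanted in params.items():
        cur = current.get(attr)
        if attr in member_attrs:
            to_add, to_remove = member_changes(wanted, cur, state, action)
            if to_add or to_remove:
                plan[attr] = {"add": to_add, "remove": to_remove}
        elif needs_update(wanted, cur):
            plan[attr] = {"set": wanted}
    return plan


# Constructed sample record, standing in for what host_show would return.
CURRENT_HOST = {
    "description": "old",
    "force": False,
    "ipaddress": ["192.0.2.10", "2001:db8::10"],
    "managedby_host": ["admin.example.test"],
}
MEMBER_ATTRS = ("ipaddress", "managedby_host")

if __name__ == "__main__":
    # Only description given: managedby_host must survive untouched.
    print(plan_update({"description": "new", "managedby_host": None, "force": None},
                      CURRENT_HOST, member_attrs=MEMBER_ATTRS))
    # action member, state absent: drop one address, keep the other.
    print(plan_update({"ipaddress": ["2001:db8::10"]}, CURRENT_HOST,
                      state="absent", action="member", member_attrs=MEMBER_ATTRS))
```

The None check sits at the lowest level on purpose: every caller that builds add/remove lists inherits it, which is the same reason the fix routed all manual list generation through gen_add_del_lists.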
-
- Feb 07, 2020
-
-
Thomas Woerner authored
Changing members (host, hostgroup, hbacsvc, hbacsvcgroup, user, group) with action hbacrule was not working due to the use of the wrong parameter prefix. This has been fixed and the old members are removed correctly now. The test script has been reworked completely to verify the fix. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1787996
-
- Feb 06, 2020
-
-
Thomas Woerner authored
If the name is not set, the policy global_policy is now used. It was needed before to explicitly name the global_policy. Also a check has been added to fail early if global_policy is used with state absent. The README for pwpolicy has been extended with an example for global_policy and also the description of the name variable. The test has also been extended to check a change of maxlife for global_policy and that global_policy can not be used with state: absent Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1797532
-
- Feb 03, 2020
-
-
Rafael Guterres Jeffman authored
This patch adds the following attributes to ipasudorule:
- order
- sudooption
- runasuser
- runasgroup
It also fixes behavior of sudocmd assigned to the sudorule, with the addition of the attributes:
- allow_sudocmds
- deny_sudocmds
- allow_sudocmdgroups
- deny_sudocmdgroups
README-sudorule and tests have been updated to comply with the changes.
-
- Jan 16, 2020
-
-
Jesús Marín authored
This fixes the issue https://github.com/freeipa/ansible-freeipa/issues/185, where the python script was launching an exception. There was a lack of verification that the input string (for the description) was a text string.
-
- Dec 18, 2019
-
-
Thomas Woerner authored
The failure message if member parameters like certificate, managedby_host, principal, allow_create_keytab_* and allow_retrieve_keytab_* are used without member action for state absent has been enhanced to propose the member action.
-
- Dec 17, 2019
-
-
Thomas Woerner authored
It was not possible to reset the userauthtype. The empty string has been added to userauthtype for this. Also ipauser will only depend on given first and last name if the user does not exist yet. For the update operation these parameters are not needed anymore.
-
Thomas Woerner authored
The choices for the auth_ind parameter have been wrong. The choices are now ['radius', 'otp', 'pkinit', 'hardened', '']. The empty string has been added to be able to reset auth_ind for the host entry.
-
- Dec 16, 2019
-
-
Rafael Guterres Jeffman authored
There is a new vault management module placed in the plugins folder: plugins/modules/ipavault.py
The vault module allows to ensure presence and absence of vaults, manage members and owner of the vault, and archive data in the vault.
Here is the documentation for the module: README-vault.md
New example playbooks have been added:
playbooks/vault/data-archive-in-asymmetric-vault.yml
playbooks/vault/data-archive-in-symmetric-vault.yml
playbooks/vault/ensure-asymetric-vault-is-absent.yml
playbooks/vault/ensure-asymetric-vault-is-present.yml
playbooks/vault/ensure-service-vault-is-absent.yml
playbooks/vault/ensure-service-vault-is-present.yml
playbooks/vault/ensure-shared-vault-is-absent.yml
playbooks/vault/ensure-shared-vault-is-present.yml
playbooks/vault/ensure-standard-vault-is-absent.yml
playbooks/vault/ensure-standard-vault-is-present.yml
playbooks/vault/ensure-symetric-vault-is-absent.yml
playbooks/vault/ensure-symetric-vault-is-present.yml
playbooks/vault/ensure-vault-is-present-with-members.yml
playbooks/vault/ensure-vault-member-group-is-absent.yml
playbooks/vault/ensure-vault-member-group-is-present.yml
playbooks/vault/ensure-vault-member-user-is-absent.yml
playbooks/vault/ensure-vault-member-user-is-present.yml
playbooks/vault/ensure-vault-owner-is-absent.yml
playbooks/vault/ensure-vault-owner-is-present.yml
New tests added for the module:
tests/vault/test_vault.yml
-
- Dec 13, 2019
-
-
Thomas Woerner authored
If there is no domain set for email addresses, extend the email addresses with the default email domain that is gathered from the config_show output. This fixes RHBZ#1747413 ([ansible-freeipa] user module throwing an error if..)
-
- Dec 11, 2019
-
-
Rafael Guterres Jeffman authored
There are some commands in the IPA API that do not require arguments, and current implementation does not allow these commands to be execute. This patch adds api_command_no_name to allow the execution of such commands, which is required, for example, to create a vaultcontainer management module.
-