Skip to content
  1. May 12, 2020
    • Thomas Woerner's avatar
      ansible_freeipa_module: New function DN_x500_text · 6a69bbea
      Thomas Woerner authored
      This function is needed to properly convert issuer and subject from a
      certificate or the issuer and subject parameters in ipauser for certmapdata
      to the data representation where the items in DN are reversed.
      
      The function additionally provides a fallback solution for IPA < 4.5.
      Certmapdata is not supported for IPA < 4.5, but the conversion is done
      before the API version can be checked.
      6a69bbea
    • Thomas Woerner's avatar
      ansible_freeipa_module: New function load_cert_from_str · 571cc210
      Thomas Woerner authored
      For certmapdata processing in ipauser it is needed to be able to load a cert
      from a string given in the task to be able to get the issuer and subject of
      the certificate. The format of the certifiacte here is lacking the markers
      for the begin and end of the certificate. Therefore load_pem_x509_certificate
      can not be used directly. Also in IPA < 4.5 it is needed to load the
      certificate with load_certificate instead of load_pem_x509_certificate. The
      function is implementing this properly.
      571cc210
  2. May 06, 2020
    • Thomas Woerner's avatar
      Do not remove member attributes while updating others · 457050c6
      Thomas Woerner authored
      Because of a missing check member attributes (for use with action: member)
      are cleared when a non-member attribute is changed. The fix simply adds a
      check for None (parameter not set) to gen_add_del_lists in
      ansible_freeipa_module to make sure that the parameter is only changed if
      it should be changed.
      
      All places where the add and removal lists have been generated manually
      have been changed to also use gen_add_del_lists.
      
      Resolves: #252 (The "Manager" attribute is removed when updating any user
                      attribute)
      457050c6
  3. Apr 26, 2020
  4. Apr 16, 2020
    • Thomas Woerner's avatar
      ansible_freeipa_module: Set KRB5CCNAME for api_connect (non root) · 871cce52
      Thomas Woerner authored
      In the case that the admin password has been set and become was not set
      the call to backend.connect in api_connect failed. The solution is simply
      to set os.environ["KRB5CCNAME"] in temp_kinit after kinit_password has
      been called using the temporary ccache. os.environ["KRB5CCNAME"] is not
      used automatically by api.Backend.[ldap2,rpcclient].connect. Afterwards
      os.environ["KRB5CCNAME"] is unset in temp_kdestroy if ccache_name is not
      None.
      
      Fixes: #249 (Kerberos errors while using the modules with a non-sudoer user)
      871cce52
  5. Mar 26, 2020
    • Sergio Oliveira Campos's avatar
      Fixed a bug in AnsibleFreeIPAParams · 22059072
      Sergio Oliveira Campos authored
      When accessing an instance of AnsibleFreeIPAParams with .get the obj was
      by-passing the call to _afm_convert which was the primaty reason why it
      was created.
      
      Also the class now extends Mapping instead of dict.
      22059072
  6. Mar 24, 2020
  7. Feb 20, 2020
  8. Feb 13, 2020
    • Rafael Guterres Jeffman's avatar
      Properly handle base64 enconding of certificates stored as bytes. · 1a3c9114
      Rafael Guterres Jeffman authored
      This change is needed to properly handle base64 encoding of certificates
      stored as bytes, under Python 3, as used by IPA service. It does not
      affect Python 2.7 as bytes are identical to str in this version of the
      language.
      
      When retireving certificates stored by FreeIPA service data is returned
      as bytes, under Python 3, and encoding then breaks, as there is no
      bytes.public_bytes method. In Python 3, encoding with base64 will be the
      same for strings and bytes.
      1a3c9114
    • Thomas Woerner's avatar
      ipahost: Add support for several IP addresses and also to change them · 167c7631
      Thomas Woerner authored
      ipahost was so far ignoring IP addresses when the host already existed.
      This happened because host_mod is not providing functionality to do this.
      Now ipaddress is a list and it is possible to ensure a host with several
      IP addresses (these can be IPv4 and IPv6). Also it is possible to ensure
      presence and absence of IP addresses for an exising host using action
      member.
      
      There are no IP address conclict checks as this would lead into issues with
      updating an existing host that already is using a duplicate IP address for
      example for round-robin (RR). Also this might lead into issues with ensuring
      a new host with several IP addresses in this case. Also to ensure a list of
      hosts with changing the IP address of one host to another in the list would
      result in issues here.
      
      New example playbooks have been added:
      
          playbooks/host/host-present-with-several-ip-addresses.yml
          playbooks/host/host-member-ipaddresses-absent.yml
          playbooks/host/host-member-ipaddresses-present.yml
      
      A new test has been added for verification:
      
          tests/host/test_host_ipaddresses.yml
      
      Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1783976
             https://bugzilla.redhat.com/show_bug.cgi?id=1783979
      167c7631
  9. Feb 11, 2020
  10. Dec 11, 2019
    • Rafael Guterres Jeffman's avatar
      Allow execution of API commands that do not require a name. · 0210899e
      Rafael Guterres Jeffman authored
      There are some commands in the IPA API that do not require
      arguments, and current implementation does not allow these
      commands to be execute.
      
      This patch adds api_command_no_name to allow the execution
      of such commands, which is required, for example, to create
      a vaultcontainer management module.
      0210899e
  11. Dec 02, 2019
    • Thomas Woerner's avatar
      ipahost: Extension to be able handle several hosts and all settings · 94b1f25b
      Thomas Woerner authored
      The ipahost management module was not able to add several hosts at once.
      Addtionally there have been settings missing.
      
      ansible_freeipa_module has been extended to provide two additional functions
      that are needed to simplify the extension of the ipahost module:
      
          gen_add_del_lists(user_list, res_list)
          encode_certificate(cert)
      
      gen_add_del_lists will generate the lists for the addition and removal of
      members using the provided user and ipa settings.
      
      encode_certificate will encode a certificate using base64 with also taking
      FreeIPA and Python versions into account.
      
      The missing settings in ipahost have been:
      
          certificate
          managedby_host
          principal
          create_keytab_[user,group,host,hostgroup]
          retrieve_keytab_[user,group,host,hostgroup]
          sshpubkey
          userclass
          auth_ind
          requires_pre_auth
          ok_as_delegate
          ok_to_auth_as_delegate
      
      The README-host.md file has been updated to provide information about the
      new settings and also the members. Also examples for the new things have
      been added.
      
      New example playbooks have been added:
      
          playbooks/host/add-host.yml
          playbooks/host/host-member-allow_create_keytab-absent.yml
          playbooks/host/host-member-allow_create_keytab-present.yml
          playbooks/host/host-member-allow_retrieve_keytab-absent.yml
          playbooks/host/host-member-allow_retrieve_keytab-present.yml
          playbooks/host/host-member-certificate-absent.yml
          playbooks/host/host-member-certificate-present.yml
          playbooks/host/host-member-managedby_host-absent.yml
          playbooks/host/host-member-managedby_host-present.yml
          playbooks/host/host-member-principal-absent.yml
          playbooks/host/host-member-principal-present.yml
          playbooks/host/host-present-with-allow_create_keytab.yml
          playbooks/host/host-present-with-allow_retrieve_keytab.yml
          playbooks/host/host-present-with-certificate.yml
          playbooks/host/host-present-with-managedby_host.yml
          playbooks/host/host-present-with-principal.yml
          playbooks/host/host-present-with-randompassword.yml
          playbooks/host/host-present.yml
          playbooks/host/hosts-member-certificate-absent.yml
          playbooks/host/hosts-member-certificate-present.yml
          playbooks/host/hosts-member-managedby_host-absent.yml
          playbooks/host/hosts-member-managedby_host-present.yml
          playbooks/host/hosts-member-principal-absent.yml
          playbooks/host/hosts-member-principal-present.yml
          playbooks/host/hosts-present-with-certificate.yml
          playbooks/host/hosts-present-with-managedby_host.yml
          playbooks/host/hosts-present-with-randompasswords.yml
      
      New tests have been added for the module:
      
          tests/host/certificate/cert1.der
          tests/host/certificate/cert1.pem
          tests/host/certificate/cert2.der
          tests/host/certificate/cert2.pem
          tests/host/certificate/cert3.der
          tests/host/certificate/cert3.pem
          tests/host/certificate/private1.key
          tests/host/certificate/private2.key
          tests/host/certificate/private3.key
          tests/host/certificate/test_host_certificate.yml
          tests/host/certificate/test_hosts_certificate.yml
          tests/host/test_host.yml
          tests/host/test_host_allow_create_keytab.yml
          tests/host/test_host_allow_retrieve_keytab.yml
          tests/host/test_host_managedby_host.yml
          tests/host/test_host_principal.yml
          tests/host/test_host_random.yml
          tests/host/test_hosts.yml
          tests/host/test_hosts_managedby_host.yml
          tests/host/test_hosts_principal.yml
      94b1f25b
    • Thomas Woerner's avatar
      ansible_freeipa_module: Better support for KRB5CCNAME environment variable · e77f4daa
      Thomas Woerner authored
      The use of gssapi.creds.Credentials is not good if krb5 ticket forwarding
      is used. It will fail. gssapi.Credentials with usage and store is the proper
      way to do this.
      e77f4daa
  12. Nov 29, 2019
  13. Oct 22, 2019
  14. Oct 21, 2019
  15. Oct 18, 2019
  16. Oct 09, 2019
  17. Aug 12, 2019
    • Thomas Woerner's avatar
      ansible_freeipa_module: Add support for GSSAPI · 09ab29b4
      Thomas Woerner authored
      The GSSAPI can be enabled in the management modules with either the
      KRB5CCNAME or the KRB5_CLIENT_KTNAME environment variable.
      
      For KRB5CCNAME it is needed to create a ccache file
      
        kinit admin@TEST.LOCAL -c /root/admin.ccache
      
      that is transferred to the nodes (here into /root) and activated in the
      playbook with
      
        environment:
          KRB5CCNAME: /root/admin.ccache
      
      For KRB5_CLIENT_KTNAME a admin keytab has to be generated
      
        ipa-getkeytab -s ipaserver.test.local -p admin@TEST.LOCAL -k \
        /root/admin.keytab
      
      that is transferred to the nodes (here into /root) and activated in the
      playbook with
      
        environment:
          KRB5_CLIENT_KTNAME: /root/admin.keytab
      
      It will be needed to set ipaadmin_principal if the admin principal is not
      admin.
      
      The management modules can be used without a password in this case.
      09ab29b4
    • Thomas Woerner's avatar
      ansible_freeipa_module: Add ansible module argument to valid_creds function · c69d0bc5
      Thomas Woerner authored
      For debug and error reporting it is needed to have the ansible module also
      in the valid_creds function.
      c69d0bc5
  18. Jul 11, 2019
  19. Jul 09, 2019
  20. Jun 05, 2019
    • Thomas Woerner's avatar
      New topology managament modules · 62fd4cc1
      Thomas Woerner authored
      There are now two topology management modules placed in the plugins folder:
      
        plugins/modules/ipatopologysegment.py
        plugins/modules/ipatopologysuffix.py
      
      Topology segments can be added, removed and reinitialized with the
      ipatopologysegment module. Also it is possible to verify topology suffixes
      with the ipatopologysuffix module.
      
      A new module_utils for plugins has been added:
      
        plugins/module_utils/ansible_freeipa_module.py
      
      And documentation for the modules:
      
        README-topology.md
      
      New sample playbooks are available in playbooks/topology:
      
        playbooks/topology/add-topologysegment.yml
        playbooks/topology/delete-topologysegment.yml
        playbooks/topology/reinitialize-topologysegment.yml
        playbooks/topology/verify-topologysuffix.yml
      
      The plugins folder can be used with the new Ansible Collections supported
      by Ansible 2.8 and Ansible galaxy 3.2.
      62fd4cc1
Loading