There is a new role management module placed in the plugins folder:

    plugins/modules/iparole.py

The role module allows to ensure presence or absence of roles and
manage role members.

Here is the documentation for the module:

    README-role.md

New example playbooks have been added:

    playbooks/role/role-is-absent.yml
    playbooks/role/role-is-present.yml
    playbooks/role/role-member-group-absent.yml
    playbooks/role/role-member-group-present.yml
    playbooks/role/role-member-host-absent.yml
    playbooks/role/role-member-host-present.yml
    playbooks/role/role-member-hostgroup-absent.yml
    playbooks/role/role-member-hostgroup-present.yml
    playbooks/role/role-member-privilege-absent.yml
    playbooks/role/role-member-privilege-present.yml
    playbooks/role/role-member-service-absent.yml
    playbooks/role/role-member-service-present.yml
    playbooks/role/role-member-user-absent.yml
    playbooks/role/role-member-user-present.yml
    playbooks/role/role-members-absent.yml
    playbooks/role/role-members-present.yml
    playbooks/role/role-rename.yml

New tests for the module:

    tests/role/test_role.yml
    tests/role/test_role_service_member.yml

There is a new dnsrecord managem module placed in the plugins folder:

    plugins/modules/ipadnsrecord.py

The dnsrecord module allows management of DNS records and is as compatible
as possible with the Ansible upstream `ipa_dnsrecord` module, but provide
some other features like multiple record management in one execution,
support for more DNS record types, and more.

Here is the documentation for the module:

    README-dnsrecord

New example playbooks have been added:

    playbooks/dnsrecord/ensure-dnsrecord-is-absent.yml
    playbooks/dnsrecord/ensure-dnsrecord-is-present.yml
    playbooks/dnsrecord/ensure-presence-multiple-records.yml
    playbooks/dnsrecord/ensure-dnsrecord-with-reverse-is-present.yml
    playbooks/dnsrecord/ensure-multiple-A-records-are-present.yml
    playbooks/dnsrecord/ensure-A-and-AAAA-records-are-absent.yml
    playbooks/dnsrecord/ensure-A-and-AAAA-records-are-present.yml
    playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml
    playbooks/dnsrecord/ensure-CNAME-record-is-present.yml
    playbooks/dnsrecord/ensure-MX-record-is-present.yml
    playbooks/dnsrecord/ensure-PTR-record-is-present.yml
    playbooks/dnsrecord/ensure-SRV-record-is-present.yml
    playbooks/dnsrecord/ensure-SSHFP-record-is-present.yml
    playbooks/dnsrecord/ensure-TLSA-record-is-present.yml
    playbooks/dnsrecord/ensure-TXT-record-is-present.yml
    playbooks/dnsrecord/ensure-URI-record-is-present.yml

New tests for the module can be found at:

    tests/dnsrecord/test_dnsrecord.yml
    tests/dnsrecord/test_compatibility_with_ansible_module.yml
    tests/dnsrecord/test_dnsrecord_full_records.yml

    There is a new management module placed in the plugins folder:

    plugins/modules/ipadnszone.py

    The dnszone module allows to manage DNS zones.

    Here is the documentation for the module:

    README-dnszone.md

    New example playbooks have been added:

    playbooks/dnszone/disable-zone-forwarders.yml
    playbooks/dnszone/dnszone-absent.yml
    playbooks/dnszone/dnszone-all-params.yml
    playbooks/dnszone/dnszone-disable.yml
    playbooks/dnszone/dnszone-enable.yml
    playbooks/dnszone/dnszone-present.yml

    New tests for the module:

    tests/dnszone/test_dnszone.yml
    tests/dnszone/test_dnszone_mod.yml

There is a new vaultcontainer management module placed in the plugins folder:

plugins/modules/ipadnsconfig.py

The dnsconfig module allows to modify global DNS configuration.

Here is the documentation for the module:

README-dnsconfig.md

New example playbooks have been added:

playbooks/dnsconfig/set_configuration.yml
playbooks/dnsconfig/disable-global-forwarders.yml
playbooks/dnsconfig/disallow-reverse-sync.yml

New tests for the module:

tests/dnsconfig/test_dnsconfig.yml

Removed a trailling space on README.md because it was often removed by
text editors, adding an unnecessary line to the update patch.

There is a new service management module placed in the pluginsfolder:

  plugins/modules/ipaservice.py

The service module allows to ensure presence and absence of services, and
manage members and certificates of the service.

Here is the documentation for the module:

  README-service.md

New example playbooks have been added:

    playbooks/service/service-host-is-absent.yml
    playbooks/service/service-host-is-present.yml
    playbooks/service/service-is-absent.yml
    playbooks/service/service-is-disabled.yml
    playbooks/service/service-is-present-with-all-attributes.yml
    playbooks/service/service-is-present-without-host-object.yml
    playbooks/service/service-is-present.yml
    playbooks/service/service-member-allow_create_keytab-absent.yml
    playbooks/service/service-member-allow_create_keytab-present.yml
    playbooks/service/service-member-allow_retrieve_keytab-absent.yml
    playbooks/service/service-member-allow_retrieve_keytab-present.yml
    playbooks/service/service-member-certificate-absent.yml
    playbooks/service/service-member-certificate-present.yml
    playbooks/service/service-member-principal-absent.yml
    playbooks/service/service-member-principal-present.yml

New tests added for the module:

  tests/service/test-service.yml

There is a new vault management module placed in the plugins folder:

  plugins/modules/ipavault.py

The vault module allows to ensure presence and absence of vaults, manage
members and owner of the vault, and archive data in the vault.

Here is the documentation for the module:

    README-vault.md

New example playbooks have been added:

    playbooks/vault/data-archive-in-asymmetric-vault.yml
    playbooks/vault/data-archive-in-symmetric-vault.yml
    playbooks/vault/ensure-asymetric-vault-is-absent.yml
    playbooks/vault/ensure-asymetric-vault-is-present.yml
    playbooks/vault/ensure-service-vault-is-absent.yml
    playbooks/vault/ensure-service-vault-is-present.yml
    playbooks/vault/ensure-shared-vault-is-absent.yml
    playbooks/vault/ensure-shared-vault-is-present.yml
    playbooks/vault/ensure-standard-vault-is-absent.yml
    playbooks/vault/ensure-standard-vault-is-present.yml
    playbooks/vault/ensure-symetric-vault-is-absent.yml
    playbooks/vault/ensure-symetric-vault-is-present.yml
    playbooks/vault/ensure-vault-is-present-with-members.yml
    playbooks/vault/ensure-vault-member-group-is-absent.yml
    playbooks/vault/ensure-vault-member-group-is-present.yml
    playbooks/vault/ensure-vault-member-user-is-absent.yml
    playbooks/vault/ensure-vault-member-user-is-present.yml
    playbooks/vault/ensure-vault-owner-is-absent.yml
    playbooks/vault/ensure-vault-owner-is-present.yml

New tests added for the module:

    tests/vault/test_vault.yml

ipareplica role by default tries to configure firewalld but it didn't
check if firewalld related packages were installed.

Similar to DNS and trust to AD features, install firewalld-related
packages before trying to configure firewalld.

Additionally, enable and start firewalld.service because otherwise
firewall-cmd cannot communicate with firewalld itself (it is not
starting on demand).

If and administrator considers not to use firewalld, a default for
ipareplica_setup_firewalld variable has to be set to 'no'.

Fixes: https://github.com/freeipa/ansible-freeipa/issues/116

ipaserver role by default tries to configure firewalld but it didn't
check if firewalld related packages were installed.

Similar to DNS and trust to AD features, install firewalld-related
packages before trying to configure firewalld.

Additionally, enable and start firewalld.service because otherwise
firewall-cmd cannot communicate with firewalld itself (it is not
starting on demand).

If and administrator considers not to use firewalld, a default for
ipaserver_setup_firewalld variable has to be set to 'no'.

Fixes: https://github.com/freeipa/ansible-freeipa/issues/116

Add command and information about ansible-galaxy collection install. Installing collections
using the ansible-galaxy command is only supported with ansible 2.9+. The mazer tool can
be used for to install the collection for ansible 2.8:

There is a new sudorule (Sudo Rule) management module placed in the plugins
folder:

  plugins/modules/ipasudorule.py

The sudorule module allows to ensure presence and absence of Sudo Rules.

Here is the documentation for the module:

  README-sudorule.md

New example playbooks have been added:

    playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml
    playbooks/sudorule/ensure-sudorule-host-member-is-present.yml
    playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml
    playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml
    playbooks/sudorule/ensure-sudorule-is-absent.yml
    playbooks/sudorule/ensure-sudorule-is-disabled.yml
    playbooks/sudorule/ensure-sudorule-is-enabled.yml
    playbooks/sudorule/ensure-sudorule-is-present.yml
    playbooks/sudorule/ensure-sudorule-sudocmd-is-absent.yml
    playbooks/sudorule/ensure-sudorule-sudocmd-is-present.yml

New tests added for the module:

  tests/hbacrule/test_sudorule.yml

There is a new hbacrule (HBAC Rule) management module placed in the plugins
folder:

  plugins/modules/ipahbacrule.py

The hbacrule module allows to ensure presence and absence of HBAC Rules.

Here is the documentation for the module:

  README-hbacrule.md

New example playbooks have been added:

  playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml
  playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml
  playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml
  playbooks/hbacrule/ensure-hbarule-allhosts-present.yml
  playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml
  playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml

New tests added for the module:

  tests/hbacrule/test_hbacrule.yml

There is a new hbacsvcgroup (HBAC Service Group) management module placed
in the plugins folder:

  plugins/modules/ipahbacsvcgroup.py

The hbacsvc module allows to ensure presence and absence of HBAC Service
Groups.

Here is the documentation for the module:

  README-hbacsvcgroup.md

New example playbooks have been added:

  playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml
  playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml
  playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml
  playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml

New tests added for the module:

   tests/hbacsvcgroup/test_hbacsvcgroup.yml

There is a new hbacsvc (HBAC Service) management module placed in the plugins
folder:

  plugins/modules/ipahbacsvc.py

The hbacsvc module allows to ensure presence and absence of HBAC Services.

Here is the documentation for the module:

  README-hbacsvc.md

New example playbooks have been added:

  playbooks/hbacsvc/ensure-hbacsvc-absent.yml
  playbooks/hbacsvc/ensure-hbacsvc-present.yml

New tests added for pwpolicy:

  tests/hbacsvc/test_hbacsvc.yml

There is a new pwpolicy management module placed in the plugins folder:

  plugins/modules/ipapwpolicy.py

The pwpolicy module allows to ensure presence and absence of pwpolicies for
groups.

Here is the documentation for the module:

  README-pwpolicy.md

New example playbooks have been added:

  playbooks/pwpolicy/pwpolicy_absent.yml
  playbooks/pwpolicy/pwpolicy_present.yml

New tests added for pwpolicy:

  tests/pwpolicy/test_pwpolicy.yml

There is a new sudocmdgroup management module placed in the plugins folder:

plugins/modules/ipasudocmdgroup.py

The sudocmdgroup module allows to add or remove sudo command groups..

The sudocmdgroup module is as compatible as possible to the Ansible upstream
ipa_sudocmdgroup module, and additionally offers to ensure member presence
and absence.

Here is the documentation for the module:

  README-sudocmdgroup.md

New example playbooks have been added:

  playbooks/sudocmd/ensure-sudocmdgroup-is-absent.yml
  playbooks/sudocmd/ensure-sudocmdgroup-is-present.yml
  playbooks/sudocmd/ensure-sudocmd-is-absent-in-sudocmdgroup.yml
  playbooks/sudocmd/ensure-sudocmd-is-present-in-sudocmdgroup.yml

A test playbook is provided in:

  tests/sudocmdgroup/test_sudocmdgroup.yml

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>

There is a new sudocmd management module placed in the plugins folder:

  plugins/modules/ipasudocmd.py

The sudocmd module allows to add or remove sudo commands.

The sudocmd module is as compatible as possible to the Ansible upstream
ipa_sudocmd module.

Here is the documentation for the module:

  README-sudocmd.md

New example playbooks have been added:

  playbooks/sudocmd/ensure-sudocmd-is-absent.yml
  playbooks/sudocmd/ensure-sudocmd-is-present.yml

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>

There is a new hostgroup management module placed in the plugins folder:

  plugins/modules/ipahostgroup.py

The hostgroup module allows to add, remove and disable hosts.

The hostgroup module is as compatible as possible to the Ansible upstream
ipa_hostgroup module, but addtionally offers to ensure member presence and
absence.

Here is the documentation for the module:

  README-hostgroup.md

New example playbooks have been added:

  playbooks/hostgroup/ensure-hostgroup-is-absent.yml
  playbooks/hostgroup/ensure-hostgroup-is-present.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml

There is a new hostgroup management module placed in the plugins folder:

  plugins/modules/ipahostgroup.py

The hostgroup module allows to add, remove and disable hosts.

The hostgroup module is as compatible as possible to the Ansible upstream
ipa_hostgroup module, but addtionally offers to ensure member presence and
absence.

Here is the documentation for the module:

  README-hostgroup.md

New example playbooks have been added:

  playbooks/hostgroup/ensure-hostgroup-is-absent.yml
  playbooks/hostgroup/ensure-hostgroup-is-present.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml
  playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml

There is a new user management module placed in the plugins folder:

  plugins/modules/ipauser.py

The host module allows to add, remove and disable hosts.

The host module is as compatible as possible to the Ansible upstream
ipa_host` module, but addtionally offers to disable hosts.

Here is the documentation for the module:

  README-host.md

New example playbooks have been added:

  playbooks/host/add-host.yml
  playbooks/host/delete-host.yml
  playbooks/host/disable-host.yml

Add Information about needed /usr/bin/kinit on the controller when OTP is used

ansible-freeipa is a new Ansible Collection introduced with Ansible 2.8 and
Ansible Galaxy 3.2.

There are now two topology management modules placed in the plugins folder:

  plugins/modules/ipatopologysegment.py
  plugins/modules/ipatopologysuffix.py

Topology segments can be added, removed and reinitialized with the
ipatopologysegment module. Also it is possible to verify topology suffixes
with the ipatopologysuffix module.

A new module_utils for plugins has been added:

  plugins/module_utils/ansible_freeipa_module.py

And documentation for the modules:

  README-topology.md

New sample playbooks are available in playbooks/topology:

  playbooks/topology/add-topologysegment.yml
  playbooks/topology/delete-topologysegment.yml
  playbooks/topology/reinitialize-topologysegment.yml
  playbooks/topology/verify-topologysuffix.yml

The plugins folder can be used with the new Ansible Collections supported
by Ansible 2.8 and Ansible galaxy 3.2.

This will result in a better role documentation on galaxy.

gssapi is only needed for OTP if keytab is used. The common case with
password does not require gssapi.

This change also fixes the new ansible 2.8 failure if gssapi is not
installed on the controller. Ansible 2.8 seems to also transfer and load
action plugins to the node if they are not used.

Fixed wrong use of ipareplica name in ipaclient inventory examples.
Added tier1 and tier2 replica handling.