Some ipareplica role had a few module calls with parameters set like
'some_argument | default(omit)' that were not actually available in such
modules. If a user provided 'some_argument', the paramater would then
be passed to the module and ipareplica deployment would fail.

By removing the parameters from the 'install' task, ipareplica
deployment works even if the variables are set by the user.

ipauser: Make return value depending on users parameter

ipaclient: Defer creating the final krb5.conf on clients

Add subid option to select the sssd profile with-subid.

This is an ansible-freeipa update for the freeipa RFE:
https://pagure.io/freeipa/issue/9159


"`ipa-client-install` should provide option to enable `subid: sss`
in `/etc/nsswitch.conf`".

This option allows to configure authselect with the sssd
profile + with-subid feature, in order to have SSSD setup as
a datasource for subid in /etc/nsswitch.conf.

The default behavior remains unchanged: without the option,
/etc/nsswitch.conf keeps the line subid: files

Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>

Migrated to SPDX license.

The way how randompasswords are returned by the ipauser module depends
so far on the number of users that are handled by the module.

This is unexpected if for example a json file is provided with the users
parameter. As it might be unknown how many users are in the json file,
this behaviour is unexpected. The return should not vary in this case.

This chamge makes the return simply depend on the use of the users
paramater. As soon as this parameter is used, the return will always be:

"user": { "<the user>": { "randompassword": "<the user random password>" } }

In the simply case with one user it will be still

"user": { "randompassword": "<the user random password>" }

Fixes: #1052 (ipauser should consitently return randompasswords when
              used with users)

A temporary krb5 configuration was used to join the domain in
ipaclient_join. After that the final krkb5 configuration was created
with enabled DNS discovery and used for the remainaing tasks, where also
a connection to the IPA API was done.

With several servers the DNS discovery could have picked up a different
server. If the client deployment was faster than the replication this
could have lead to an unknown host error.

The issue was seen in performance testing where many simultaneous client
enrollments have been done..

The goal is to keep server affinity as long as possible within the
deployment process:

The temporary krb5.conf that was used before in ipaclient_join was
pulled out into an own module. The generated temporary krb5.conf is now
used in ipaclient_join and also ipaclient_api.

The generation of the final krb5.conf is moved to the end of the
deployment process.

Same as: https://pagure.io/freeipa/issue/9228

The setup of certmonger has been pulled out of ipaclient_setup_nss and moved
to the end of the process after generating the final krb5.conf as it will
use t will only use /etc/krb5.conf.

Certificate issuance may fail during deployment due to using the final
krb5.conf, but certmonger will re-try the request in this case.

Same as: https://pagure.io/freeipa/issue/9246

According to [1] all Fedora packages need to be updated to use a SPDX
expression. This patch updates the ansible-freeipa spec template to
comply with this change.

[1] https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1

Fix ansible-lint on tests

A dangling 'when:' clause was failing anisble-lint tests as the task did
not match any valid schema. The dangling clause was removed, and the
usage of 'shell' was changed from free form to use the 'cmd' parameter.

In latest ansible-lint versions, the use of "blocks" has a required
order to be implemented. According to ansible-lint error mesage, the
order is name, when, block, rescue, always.

As not following this rule is now an error, this patch fixes all tests
for the 'key-order[task]' error.

ansible-lint is issuing an warning when using '# noqa 505' instead of
'#noqa missing-import' on playbooks. This patch changes all occurrences
of the tag to use the newer format.

ipaclient: Fix allow_repair with removed krb5.conf and DNS lookup

The test in ipaclient_test_keytab is at first trying to use an existing
krb5.conf to test if the host keytab can be used. With working DNS lookup
an absent krb5.conf is not reported as an error as DNS lookup is
silently used instead.

A temporary krb5.conf is now used in this test that forces to deactivate
DNS lookups and also to load /etc/krb5.conf. A missing krb5.conf is now
detected properly as the kinit call fails now properly. Thanks to Julien
Rische for this proposal.

ipaclient_test_keytab is now properly returning the state of usable or
not usable krb5.conf in krb5_conf_ok. This fixes the handling of this
case later on in the role.

ipabackup: Use ipabackup_item again in copy_backup_to_server

ipabackup_item needs to be set again in copy_backup_to_server.yml. The
variable is later on used in restore.yml.

upstream CI: increase Azure test timeout.

Due to DNS issues and the increase number of tests, the timeout setting
used for upstream tests was being reached. As we still have room for
running the tests using Azure infrastructure, this patch increases the
timeout to 240 minutes (4h), per worker.

Use yml extension for pytest tests

The pytest .yaml files have been rename to .yml to enable
build-galaxy-release to fix the prefix of the ansible-freeipa modules.

playbooks: Fix automount tasks to make ansible-lint happy

dnszone tests: Fix typo on task names.

A few playbooks still had task name starting with lower case letters.

Ansible lint tests

pwpolicy: Fix new bool checks for IPA prior to 4.9.10

playbooks/automount: All playbooks should use .yml

The playbooks automount-map-absent.yaml and automount-map-present.yaml
have been using the wrong extention. The files have been renamed to use
.yml now.

This replaces double spaces by single spaces, fixes spaces in slices,
adds spaces before brackets and fixes bracket placing in when clauses.

This change removes the space between join and (): "join ()" to "join()"

The whole collection is tested with this change. Before it has been
limited to the roles and plugins folder.

The experimental tests is running several additional tests like for
example to check module arg values. It fails everytime a variable is
used to pass the value in.

Examples:
- playbooks/topology/add-topologysegments.yml:15: args[module]: value of
  suffix must be one of: domain, ca, domain+ca, got: {{ item.suffix }}
- tests/host/test_host.yml:21: args[module]: value of ipaapi_context must
  be one of: server, client, got: {{ ipa_context | default(omit) }}

The name template test is failing for every template use inside of a name.
This is forcing to have only generic names and nothing specific in the
log anymore.

These two tests have been deactivated to have less overflow in the
ansible-lint output.

pwpolicy: Fix tests for 'minlength: ""'

When clearing minimum length parameter, FreeIPA raises an error, and the
error is different when executing the playbook in server or client
context. Since the error message is evaluated in the text, both errors
must be accepted as "not a failure", since ansible-freeipa did the
correct call.

Once https://pagure.io/freeipa/issue/9297 is fixed, the test must be
updated to not accept any of these error messages.

.github/workflows/lint.yml: ansible-lint needs collection source dir

ansible-lint required to be run in a collection source directory with
correct and working galaxy.yml

As ansible-freeipa is not converted to a collection, the galaxy.yml file
can not be used to create the collection. This needs to be done with
utils/build-galaxy-release.sh. The script is fixing all the prefixes for
the roles and modules in all the yml files and also example snippets and
in the documentation.

Therefore utils/build-galaxy-release.sh is called with the "-k" option
to keep the directory that has been used to generate the collection with
the script. Afterwards ansible-lint is run in this build directory.

Fix ansible-test lint warnings in roles.