  1. Jul 05, 2022
    • ipaserver: Use jinja for list concatenation · 0ff119a2
      Thomas Woerner authored
      With ansible-2.13 it is required to use jinja for list concatenation.
      
        list: "[] + ['a'] + ['b']"
      
      needs to become
      
        list: "{{ [] + ['a'] + ['b'] }}"
      
      copy_external_cert.yml needed to be changed.
      0ff119a2
  2. Jan 13, 2022
    • ansible-test: Fix new findings · 9499a3ed
      Thomas Woerner authored
      ERROR: Found 6 pylint issue(s) which need to be resolved:
      ERROR: plugins/modules/ipaserver_prepare.py:395:4: invalid-name: Variable name "e" doesn't conform to snake_case naming style
      ERROR: roles/ipaserver/library/ipaserver_prepare.py:395:4: invalid-name: Variable name "e" doesn't conform to snake_case naming style
      ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:333:12: invalid-name: Variable name "ds" doesn't conform to snake_case naming style
      ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:348:12: invalid-name: Variable name "ds" doesn't conform to snake_case naming style
      ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:361:12: invalid-name: Variable name "ip" doesn't conform to snake_case naming style
      ERROR: roles/ipaserver/module_utils/ansible_ipa_server.py:364:12: invalid-name: Variable name "e" doesn't conform to snake_case naming style
      
      e has been replaced with err, ds with _ds, ip with _ip.
      9499a3ed
  3. Jan 12, 2022
  4. Dec 10, 2021
  5. Nov 29, 2021
  6. Nov 24, 2021
  7. Sep 29, 2021
  8. Aug 31, 2021
    • ipaserver: Modify vars loading in ansible-freeipa roles. · e70763b0
      Rafael Guterres Jeffman authored
      When loading variables in all ansible-freeipa roles, it is expected
      that a file with these variables is present for each supported Linux
      distribution, and then, based on the information about the distribution
      provided by Ansible, the correct file is loaded.
      
      Previously, only the facts `distribution` and distribution version
      related facts were used, which required specific files, or links to
      files for distributions in the same "family", which will probably have
      the same variables set.
      
      This change adds searching for files based on the `os_family` fact,
      allowing distributions that follow the same family rules to be
      supported, without any changes to the codebase. It is still possible
      that a specific distribution configuration overrides the default
      behavior, as `os_family` has lower priority than `distribution`.
      
      For example, distributions on the `RedHat` family, like Oracle Linux,
      Alma Linux, and Rocky Linux, work without adding new files, or links to
      files, to fill the `vars`.
      
      Fix issue #573. Fix issue #523.
      e70763b0
  9. Jun 04, 2021
  10. May 11, 2021
  11. Mar 19, 2021
    • Use ansible_facts variable · 7a235310
      Grzegorz Grasza authored
      Without this change the "Import variables specific to distribution"
      tasks fail with "Could not find file on the Ansible Controller..."
      on environments with inject facts disabled.
      
      This changes the tests to run with ansible with
      inject_facts_as_vars = false and fixes other roles and playbooks.
      7a235310
  12. Feb 16, 2021
  13. Nov 25, 2020
    • ipa[server,replica]: Support memory check from command line installers · 5acab7b3
      Thomas Woerner authored
      The common_check function in the replica installer code has been changed
      for the new memory checker code. With this the server and replica command
      line installers got the option --skip-mem-check.
      
      The server and replica role now also support the memory checker and there
      are new variables for server and replica:
      
          ipaserver_mem_check - for ipaserver
          ipareplica_mem_check - for ipaserver
      
      These bool values default to yes and can be turned off in the inventory
      or playbook if needed.
      
      Related to freeipa PR https://pagure.io/freeipa/issue/8404 (Detect and
      fail if not enough memory is available for installation)
      
      Fixes: #450 (IPA Replica Installation Fails)
      5acab7b3
  14. Nov 18, 2020
    • ipaserver: copy_external_cert should use basename on server only · 4d950958
      Thomas Woerner authored
      Currently the certificates are copied to the server with the complete
      path that is provided within the playbook. This could result in
      unexpected file placements. Certificates should be placed in the /root
      folder for the deployment.
      
      Fixes #405 (copy_external_cert does not handle pathed items)
      4d950958
  15. Sep 18, 2020
  16. Sep 08, 2020
    • ipa[server,replica,client]: Drop deactivated Python2/3 test · cf4c5903
      Thomas Woerner authored
      These tests have been deactivated for some time with b51397eb and are
      removed now.
      cf4c5903
    • ipa[server,replica]: New variables to set firewalld zone · a7e532a4
      Thomas Woerner authored
      The new variables ipa[server,replica]_firewalld_zone have been added to
      be able to set the zone in which the needed services for IPA are enabled.
      
      New tasks have been added to check if the zone is available in the runtime
      and also permanent environment.
      
      The code to enable firewalld has been moved out of the
      ipa[server,replica]_install_packages blocks to make sure that the firewalld
      service is also enabled if the package is already installed.
      
      Fixes: issue #177 (How to set up firewalld zones?)
      a7e532a4
  17. Sep 03, 2020
  18. Jul 27, 2020
  19. Jul 02, 2020
    • ipa[server,replica]: Fix pkcs12 info regressions introduced with CA-less · 8ce5fd14
      Thomas Woerner authored
      With the CA-less patches the types for the pkcs12 infos have been changed
      to lists in the modules. This is resulting in a bad conversion from None
      to [''] for the parameters. Because of this a normal replica deployment is
      failing as [''] is not a valid value.
      
      The install.yml files for ipareplica and also ipaserver have been changed
      in the way that the pkcs12 values are checked if they are None. The
      parameter will simply be omitted in this case and the parameter in the
      module will become None by default.
      8ce5fd14
  20. Jun 15, 2020
  21. Jun 03, 2020
    • library/ipaserver_setup_ca: Use x509 IPA upstream code for pkcs12 files · 09fefbb2
      Thomas Woerner authored
      With the encoded _http_ca_cert from ipaserver_test it is possible to revert
      back to the IPA upstream code to write the pkcs12 http certificates.
      
      The passed _http_ca_cert only needs to be decoded with decode_certificate.
      09fefbb2
    • ipaserver/tasks/install.yml: Always remove temporary pkcs12 copies · 8e6d433d
      Thomas Woerner authored
      The created temporary pkcs12 copies need to be removed in all cases. A
      new task has been added.
      8e6d433d
    • library/ipaserver_test: Revert to IPA upstream code for pkcs12 files · 578d08c7
      Thomas Woerner authored
      The function load_pkcs12 should not be skipped to verify the given
      certificates. After the certificates have been verified and the temporary
      certificate copies have been generated, these files are copied to
      /etc/ipa/.tmp_pkcs12_* as the temporary files will simply be removed as
      soon as the file descriptors have been closed.
      
      Additionally the [http,dirsrv,pkinit]_pkcs12_info is recreated to point to
      the copied temporary files.
      
      With this reversion the need to change other modules has been reduced to
      the minimum, the IPA upstream code can simply be used.
      
      The passed back certificates [http,dirsrv,pkinit]_ca_cert are encoded using
      encode_certificate.
      578d08c7
    • ansible_ipa_server: New functions encode_certificate and decode_certificate · 2408a9b7
      Thomas Woerner authored
      The encode_certificate and decode_certificate are needed to encode and
      decode a certificate in the way that it can be passed back from a module
      and imported back into a usable certificate in another module.
      
      For newer IPA versions the certificate is normally an IPACertificate, for
      older IPA versions it is simply a bytes array. But in both cases it needs
      to be converted not to break Ansible.
      2408a9b7
    • Install ipaserver without ca · 4221213f
      Samuel Veloso authored
      4221213f
  22. May 14, 2020
  23. Apr 26, 2020
  24. Mar 30, 2020
    • ipaserver docs: Calm down module linter · a972beb4
      Thomas Woerner authored
      The use of "default: idstart+199999" in the description of the idmax
      parameter was resulting in the galaxy import error:
      
        Cannot parse "DOCUMENTATION": mapping values are not allowed here in
        "<unicode string>", line 52, column 58: ... value for the IDs range
        (default: idstart+199999)
      
      The ":" has simply been removed to fix this issue.
      a972beb4
  25. Mar 20, 2020
  26. Feb 13, 2020
  27. Dec 11, 2019
    • ipaserver_test: Do not use zone_overlap_check for domain name validation · 9c853894
      Thomas Woerner authored
      The use of zone_overlay_check for the domain name validation is not good
      for a repeated execution of the server deployment where setup_dns is
      enabled. The zone overlay check will fail with "DNS zone X already exists
      in DNS". zone_overlay_check is later on used in dns.install_check so it is
      not needed to do it here also.
      
      Fixes issues #164 (domain option validator should not call zone overlap..)
      9c853894