  1. Mar 26, 2024
  2. Mar 21, 2024
  3. Mar 20, 2024
    • utils/build-galaxy-release.sh: Enable offline generation for rpm · fe16df8a
      Thomas Woerner authored
      Two new options have been added to enable the offline build within rpm:
      
          -o <A.B.C>  Build offline without using git, using version A.B.C
                      Also enables -a
          -p <path>   Install the generated collection in the path, the
                      ansible_collections sub directory will be created and will
                      contain the collection: ansible_collections/<namespace>/<name>
                      Also enables -i
      
      The usage text has been fixed also for specifying namespace and name.
      The collection variable has been renamed to name.
      
      Example usage:
      
          utils/build-galaxy-release.sh -o 1.12.1 \
              -p %{buildroot}%{_datadir}/ansible/collections \
              freeipa ansible_freeipa
  4. Mar 14, 2024
  5. Mar 13, 2024
    • ipaserver: Run custodia setup only once · 0cad1fa8
      Thomas Woerner authored
      The custodia setup is executed twice. At first in
      ipaserver_setup_custodia and then additionally in ipaserver_setup_ca.
      
      The custodia setup code in ipaserver_setup_ca.py has been adapted to fit
      the code in ipaserver_setup_custodia.py.
      
      The extra Setup custodia step in the server roles has been removed
      together with ipaserver_setup_custodia.py.
  6. Mar 11, 2024
  7. Mar 05, 2024
    • Fix ca-less test to use X.509 v3 certificates · b92da826
      Thomas Woerner authored
      The generated certificates have been X.509 v1. This is not supported any
      more. Only X.509 v3 is supported.
      
      A new certificates/extensions.conf file has been added to make v3
      certificates.
      
      The existing certificates/pkinit/extensions.conf has been renamed to
      certificates/pkinit-extensions.conf with additional changes. For example
      "[kdc_cert]" had to be removed for v3.
      
      The extensions config files are using environment variables, which are
      set by the generate-certificates.sh script before calling openssl.
      
      The script generate-certificates.sh has been reworked for a simpler
      structure, also new options have been added: "ca" and "cleanup".
  8. Feb 27, 2024
  9. Feb 15, 2024
  10. Feb 12, 2024
  11. Feb 10, 2024
    • ipahostgroup: Fix idempotence issues due to capitalization · 22401d18
      Rafael Guterres Jeffman authored
      ipahostgroup parameters 'host', 'hostgroup', 'membermanager_user' and
      'membermanager_group' must be compared in a case insensitive manner
      and stored as lower case strings.
      
      This patch fixes the comparison and storage of these parameters, and
      changes the handling of members to use the same structure as in newer
      modules.
      
      Two new test files were added:
      
          tests/hostgroup/test_hostgroup_case_insensitive.yml
          tests/hostgroup/test_hostgroup_membermanager_case_insensitive.yml
  12. Feb 09, 2024
  13. Feb 07, 2024
  14. Feb 06, 2024
    • ipahbacrule: Fix handling of hbacsvcgroup in members · b87b346a
      Rafael Guterres Jeffman authored
      FreeIPA provides a default hbacsvcgroup named "Sudo", with capital 'S',
      that is different from every other hbacsvcgroup, which are all
      represented by lower case letters.
      
      As data from IPA API was not modified, this causes an idempotence error
      when using different capitalization with the 'hbacsvcgroup' parameter.
      
      This patch fixes the issue by using the CaseInsensitive comparator to
      create the hbacsvcgroup list.
      
      Tests were updated to make sure a regression is not included in the
      future.
    • ipaclient: Enable SELinux for SSSD · e92db5c5
      Thomas Woerner authored
      This is "ipa-client-install: enable SELinux for SSSD"
      https://github.com/freeipa/freeipa/pull/6978 for ansible-freeipa:
      
      For passkeys (FIDO2) support, SSSD uses libfido2 library which needs
      access to USB devices. Add SELinux booleans handling to ipa-client-install
      so that correct SELinux booleans can be enabled and disabled during
      install and uninstall. Ignore and record a warning when SELinux policy
      does not support the boolean.
      
      Fixes: https://pagure.io/freeipa/issue/9434
  15. Jan 25, 2024
  16. Jan 23, 2024
    • ipasudorule: Allow setting groups for runasuser. · 1fde1764
      Rafael Guterres Jeffman authored
      On IPA CLI sudorule-add/del-runasuser accept 'group' as a parameter,
      and this option was missing in ansible-freeipa ipasudorule module.
      
      This patch adds a new parameter 'runasuser_group' to allow setting
      Groups of RunAs Users, as allowed by CLI and WebUI.
      
      New example playbooks can be found at:
      
          playbooks/sudorule/ensure-sudorule-runasusesr-group-is-absent.yml
          playbooks/sudorule/ensure-sudorule-runasusesr-group-is-present.yml
  17. Dec 21, 2023
  18. Dec 20, 2023
  19. Dec 19, 2023
    • ipauser: Add support for renaming users · 3eb86b2c
      Rafael Guterres Jeffman authored
      FreeIPA supports renaming user objects with the CLI parameter "rename",
      and this parameter was missing in ansible-freeipa ipauser module.
      
      This patch adds support for a new state 'renamed' and the 'rename'
      parameter.
      
      Tests were updated to cope with the changes.
      
      Related to RHBZ#2234379, RHBZ#2234380
      
      Fixes #1103
    • ipadnszone: Add support for per-zone privilege delegation · 3bd68ac0
      Rafael Guterres Jeffman authored
      IPA DNS Zones management can be delegated by adding a "Manage DNS zone"
      permission. The CLI commands that manage these permissions are
      dnszone-add-permission and dnszone-remove-permission.
      
      The ansible-freeipa module ipadnszone did not have this capability, and
      it now supports dnszone per-zone management delegation by setting the
      module parameter 'permission'. If set to 'true' the permission will be
      assigned to the zone, if set to false the permission will be removed.