|
|
e788bc |
diff -up ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml
|
|
|
e788bc |
--- ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
|
|
|
e788bc |
+++ ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml 2022-10-07 17:12:51.172335899 +0200
|
|
|
e788bc |
@@ -0,0 +1,12 @@
|
|
|
e788bc |
+---
|
|
|
e788bc |
+- name: Playbook to change IPA domain netbios name
|
|
|
e788bc |
+ hosts: ipaserver
|
|
|
e788bc |
+ become: no
|
|
|
e788bc |
+ gather_facts: no
|
|
|
e788bc |
+
|
|
|
e788bc |
+ tasks:
|
|
|
e788bc |
+ - name: Set IPA domain netbios name
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ enable_sid: yes
|
|
|
e788bc |
+ netbios_name: IPADOM
|
|
|
e788bc |
diff -up ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml
|
|
|
e788bc |
--- ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
|
|
|
e788bc |
+++ ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml 2022-10-07 17:12:51.172335899 +0200
|
|
|
e788bc |
@@ -0,0 +1,12 @@
|
|
|
e788bc |
+---
|
|
|
e788bc |
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
|
|
|
e788bc |
+ hosts: ipaserver
|
|
|
e788bc |
+ become: no
|
|
|
e788bc |
+ gather_facts: no
|
|
|
e788bc |
+
|
|
|
e788bc |
+ tasks:
|
|
|
e788bc |
+ - name: Enable SID and generate users and groups SIDS
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ enable_sid: yes
|
|
|
e788bc |
+ add_sids: yes
|
|
|
e788bc |
diff -up ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py
|
|
|
e788bc |
--- ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100
|
|
|
e788bc |
+++ ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py 2022-10-07 17:18:43.193785596 +0200
|
|
|
e788bc |
@@ -148,6 +148,24 @@ options:
|
|
|
e788bc |
required: false
|
|
|
e788bc |
type: list
|
|
|
e788bc |
aliases: ["ipadomainresolutionorder"]
|
|
|
e788bc |
+ enable_sid:
|
|
|
e788bc |
+ description: >
|
|
|
e788bc |
+ New users and groups automatically get a SID assigned.
|
|
|
e788bc |
+ Requires IPA 4.9.8+.
|
|
|
e788bc |
+ required: false
|
|
|
e788bc |
+ type: bool
|
|
|
e788bc |
+ netbios_name:
|
|
|
e788bc |
+ description: >
|
|
|
e788bc |
+ NetBIOS name of the IPA domain.
|
|
|
e788bc |
+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
|
|
|
e788bc |
+ required: false
|
|
|
e788bc |
+ type: string
|
|
|
e788bc |
+ add_sids:
|
|
|
e788bc |
+ description: >
|
|
|
e788bc |
+ Add SIDs for existing users and groups.
|
|
|
e788bc |
+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
|
|
|
e788bc |
+ required: false
|
|
|
e788bc |
+ type: bool
|
|
|
e788bc |
'''
|
|
|
e788bc |
|
|
|
e788bc |
EXAMPLES = '''
|
|
|
e788bc |
@@ -169,6 +187,24 @@ EXAMPLES = '''
|
|
|
e788bc |
ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
defaultshell: /bin/bash
|
|
|
e788bc |
maxusername: 64
|
|
|
e788bc |
+
|
|
|
e788bc |
+- name: Playbook to enable SID and generate users and groups SIDs
|
|
|
e788bc |
+ hosts: ipaserver
|
|
|
e788bc |
+ tasks:
|
|
|
e788bc |
+ - name: Enable SID and generate users and groups SIDS
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ enable_sid: yes
|
|
|
e788bc |
+ add_sids: yes
|
|
|
e788bc |
+
|
|
|
e788bc |
+- name: Playbook to change IPA domain netbios name
|
|
|
e788bc |
+ hosts: ipaserver
|
|
|
e788bc |
+ tasks:
|
|
|
e788bc |
+ - name: Enable SID and generate users and groups SIDS
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ enable_sid: yes
|
|
|
e788bc |
+ netbios_name: IPADOM
|
|
|
e788bc |
'''
|
|
|
e788bc |
|
|
|
e788bc |
RETURN = '''
|
|
|
e788bc |
@@ -247,6 +283,14 @@ config:
|
|
|
e788bc |
domain_resolution_order:
|
|
|
e788bc |
description: list of domains used for short name qualification
|
|
|
e788bc |
returned: always
|
|
|
e788bc |
+ enable_sid:
|
|
|
e788bc |
+ description: >
|
|
|
e788bc |
+ new users and groups automatically get a SID assigned.
|
|
|
e788bc |
+ Requires IPA 4.9.8+.
|
|
|
e788bc |
+ returned: always
|
|
|
e788bc |
+ netbios_name:
|
|
|
e788bc |
+ description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
|
|
|
e788bc |
+ returned: if enable_sid is True
|
|
|
e788bc |
'''
|
|
|
e788bc |
|
|
|
e788bc |
|
|
|
e788bc |
@@ -260,6 +304,28 @@ def config_show(module):
|
|
|
e788bc |
return _result["result"]
|
|
|
e788bc |
|
|
|
e788bc |
|
|
|
e788bc |
+def get_netbios_name(module):
|
|
|
e788bc |
+ try:
|
|
|
e788bc |
+ _result = module.ipa_command_no_name("trustconfig_show", {"all": True})
|
|
|
e788bc |
+ except Exception: # pylint: disable=broad-except
|
|
|
e788bc |
+ return None
|
|
|
e788bc |
+ else:
|
|
|
e788bc |
+ return _result["result"]["ipantflatname"][0]
|
|
|
e788bc |
+
|
|
|
e788bc |
+
|
|
|
e788bc |
+def is_enable_sid(module):
|
|
|
e788bc |
+ """When 'enable-sid' is true admin user and admins group have SID set."""
|
|
|
e788bc |
+ _result = module.ipa_command("user_show", "admin", {"all": True})
|
|
|
e788bc |
+ sid = _result["result"].get("ipantsecurityidentifier", [""])
|
|
|
e788bc |
+ if not sid[0].endswith("-500"):
|
|
|
e788bc |
+ return False
|
|
|
e788bc |
+ _result = module.ipa_command("group_show", "admins", {"all": True})
|
|
|
e788bc |
+ sid = _result["result"].get("ipantsecurityidentifier", [""])
|
|
|
e788bc |
+ if not sid[0].endswith("-512"):
|
|
|
e788bc |
+ return False
|
|
|
e788bc |
+ return True
|
|
|
e788bc |
+
|
|
|
e788bc |
+
|
|
|
e788bc |
def main():
|
|
|
e788bc |
ansible_module = IPAAnsibleModule(
|
|
|
e788bc |
argument_spec=dict(
|
|
|
e788bc |
@@ -313,7 +379,10 @@ def main():
|
|
|
e788bc |
aliases=["ipauserauthtype"]),
|
|
|
e788bc |
ca_renewal_master_server=dict(type="str", required=False),
|
|
|
e788bc |
domain_resolution_order=dict(type="list", required=False,
|
|
|
e788bc |
- aliases=["ipadomainresolutionorder"])
|
|
|
e788bc |
+ aliases=["ipadomainresolutionorder"]),
|
|
|
e788bc |
+ enable_sid=dict(type="bool", required=False),
|
|
|
e788bc |
+ add_sids=dict(type="bool", required=False),
|
|
|
e788bc |
+ netbios_name=dict(type="str", required=False),
|
|
|
e788bc |
),
|
|
|
e788bc |
supports_check_mode=True,
|
|
|
e788bc |
)
|
|
|
e788bc |
@@ -344,7 +413,10 @@ def main():
|
|
|
e788bc |
"pac_type": "ipakrbauthzdata",
|
|
|
e788bc |
"user_auth_type": "ipauserauthtype",
|
|
|
e788bc |
"ca_renewal_master_server": "ca_renewal_master_server",
|
|
|
e788bc |
- "domain_resolution_order": "ipadomainresolutionorder"
|
|
|
e788bc |
+ "domain_resolution_order": "ipadomainresolutionorder",
|
|
|
e788bc |
+ "enable_sid": "enable_sid",
|
|
|
e788bc |
+ "netbios_name": "netbios_name",
|
|
|
e788bc |
+ "add_sids": "add_sids",
|
|
|
e788bc |
}
|
|
|
e788bc |
reverse_field_map = {v: k for k, v in field_map.items()}
|
|
|
e788bc |
|
|
|
e788bc |
@@ -392,11 +464,47 @@ def main():
|
|
|
e788bc |
changed = False
|
|
|
e788bc |
exit_args = {}
|
|
|
e788bc |
|
|
|
e788bc |
- # Connect to IPA API
|
|
|
e788bc |
- with ansible_module.ipa_connect():
|
|
|
e788bc |
+ # Connect to IPA API (enable-sid requires context == 'client')
|
|
|
e788bc |
+ with ansible_module.ipa_connect(context="client"):
|
|
|
e788bc |
+ has_enable_sid = ansible_module.ipa_command_param_exists(
|
|
|
e788bc |
+ "config_mod", "enable_sid")
|
|
|
e788bc |
|
|
|
e788bc |
result = config_show(ansible_module)
|
|
|
e788bc |
+
|
|
|
e788bc |
if params:
|
|
|
e788bc |
+ netbios_name = params.get("netbios_name")
|
|
|
e788bc |
+ if netbios_name:
|
|
|
e788bc |
+ netbios_name = netbios_name.upper()
|
|
|
e788bc |
+ add_sids = params.get("add_sids")
|
|
|
e788bc |
+ enable_sid = params.get("enable_sid")
|
|
|
e788bc |
+ required_sid = any([netbios_name, add_sids])
|
|
|
e788bc |
+ if required_sid and not enable_sid:
|
|
|
e788bc |
+ ansible_module.fail_json(
|
|
|
e788bc |
+ "'enable-sid: yes' required for 'netbios_name' "
|
|
|
e788bc |
+ "and 'add-sids'."
|
|
|
e788bc |
+ )
|
|
|
e788bc |
+ if enable_sid:
|
|
|
e788bc |
+ if not has_enable_sid:
|
|
|
e788bc |
+ ansible_module.fail_json(
|
|
|
e788bc |
+ "This version of IPA does not support 'enable-sid'.")
|
|
|
e788bc |
+ if (
|
|
|
e788bc |
+ netbios_name
|
|
|
e788bc |
+ and netbios_name == get_netbios_name(ansible_module)
|
|
|
e788bc |
+ ):
|
|
|
e788bc |
+ del params["netbios_name"]
|
|
|
e788bc |
+ netbios_name = None
|
|
|
e788bc |
+ if not add_sids and "add_sids" in params:
|
|
|
e788bc |
+ del params["add_sids"]
|
|
|
e788bc |
+ if (
|
|
|
e788bc |
+ not any([netbios_name, add_sids])
|
|
|
e788bc |
+ and is_enable_sid(ansible_module)
|
|
|
e788bc |
+ ):
|
|
|
e788bc |
+ del params["enable_sid"]
|
|
|
e788bc |
+ else:
|
|
|
e788bc |
+ for param in ["enable_sid", "netbios_name", "add_sids"]:
|
|
|
e788bc |
+ if param in params:
|
|
|
e788bc |
+ del params[params]
|
|
|
e788bc |
+
|
|
|
e788bc |
params = {
|
|
|
e788bc |
k: v for k, v in params.items()
|
|
|
e788bc |
if k not in result or result[k] != v
|
|
|
e788bc |
@@ -441,6 +549,10 @@ def main():
|
|
|
e788bc |
raise ValueError(
|
|
|
e788bc |
"Unexpected attribute type: %s" % arg_type)
|
|
|
e788bc |
exit_args[k] = type_map[arg_type](value)
|
|
|
e788bc |
+ # Set enable_sid
|
|
|
e788bc |
+ if has_enable_sid:
|
|
|
e788bc |
+ exit_args["enable_sid"] = is_enable_sid(ansible_module)
|
|
|
e788bc |
+ exit_args["netbios_name"] = get_netbios_name(ansible_module)
|
|
|
e788bc |
|
|
|
e788bc |
# Done
|
|
|
e788bc |
ansible_module.exit_json(changed=changed, config=exit_args)
|
|
|
e788bc |
diff -up ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid ansible-freeipa-1.6.3/README-config.md
|
|
|
e788bc |
--- ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100
|
|
|
e788bc |
+++ ansible-freeipa-1.6.3/README-config.md 2022-10-07 17:12:51.172335899 +0200
|
|
|
e788bc |
@@ -65,6 +65,9 @@ Example playbook to read config options:
|
|
|
e788bc |
maxusername: 64
|
|
|
e788bc |
```
|
|
|
e788bc |
|
|
|
e788bc |
+
|
|
|
e788bc |
+Example playbook to set global configuration options:
|
|
|
e788bc |
+
|
|
|
e788bc |
```yaml
|
|
|
e788bc |
---
|
|
|
e788bc |
- name: Playbook to ensure some config options are set
|
|
|
e788bc |
@@ -79,6 +82,40 @@ Example playbook to read config options:
|
|
|
e788bc |
```
|
|
|
e788bc |
|
|
|
e788bc |
|
|
|
e788bc |
+Example playbook to enable SID and generate users and groups SIDs:
|
|
|
e788bc |
+
|
|
|
e788bc |
+```yaml
|
|
|
e788bc |
+---
|
|
|
e788bc |
+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
|
|
|
e788bc |
+ hosts: ipaserver
|
|
|
e788bc |
+ become: no
|
|
|
e788bc |
+ gather_facts: no
|
|
|
e788bc |
+
|
|
|
e788bc |
+ tasks:
|
|
|
e788bc |
+ - name: Enable SID and generate users and groups SIDS
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ enable_sid: yes
|
|
|
e788bc |
+ add_sids: yes
|
|
|
e788bc |
+```
|
|
|
e788bc |
+
|
|
|
e788bc |
+Example playbook to change IPA domain NetBIOS name:
|
|
|
e788bc |
+
|
|
|
e788bc |
+```yaml
|
|
|
e788bc |
+---
|
|
|
e788bc |
+- name: Playbook to change IPA domain netbios name
|
|
|
e788bc |
+ hosts: ipaserver
|
|
|
e788bc |
+ become: no
|
|
|
e788bc |
+ gather_facts: no
|
|
|
e788bc |
+
|
|
|
e788bc |
+ tasks:
|
|
|
e788bc |
+ - name: Set IPA domain netbios name
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ enable_sid: yes
|
|
|
e788bc |
+ netbios_name: IPADOM
|
|
|
e788bc |
+```
|
|
|
e788bc |
+
|
|
|
e788bc |
Variables
|
|
|
e788bc |
=========
|
|
|
e788bc |
|
|
|
e788bc |
@@ -111,6 +148,9 @@ Variable | Description | Required
|
|
|
e788bc |
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
|
|
|
e788bc |
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
|
|
|
e788bc |
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
|
|
|
e788bc |
+`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
|
|
|
e788bc |
+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
|
|
|
e788bc |
+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
|
|
|
e788bc |
|
|
|
e788bc |
|
|
|
e788bc |
Return Values
|
|
|
e788bc |
@@ -140,6 +180,8 @@ Variable | Description | Returned When
|
|
|
e788bc |
| `user_auth_type` |
|
|
|
e788bc |
| `domain_resolution_order` |
|
|
|
e788bc |
| `ca_renewal_master_server` |
|
|
|
e788bc |
+ | `enable_sid` |
|
|
|
e788bc |
+ | `netbios_name` |
|
|
|
e788bc |
|
|
|
e788bc |
All returned fields take the same form as their namesake input parameters
|
|
|
e788bc |
|
|
|
e788bc |
diff -up ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid ansible-freeipa-1.6.3/tests/config/test_config_sid.yml
|
|
|
e788bc |
--- ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200
|
|
|
e788bc |
+++ ansible-freeipa-1.6.3/tests/config/test_config_sid.yml 2022-10-07 17:12:51.172335899 +0200
|
|
|
e788bc |
@@ -0,0 +1,70 @@
|
|
|
e788bc |
+---
|
|
|
e788bc |
+- name: Test config
|
|
|
e788bc |
+ hosts: "{{ ipa_test_host | default('ipaserver') }}"
|
|
|
e788bc |
+ become: no
|
|
|
e788bc |
+ gather_facts: no
|
|
|
e788bc |
+
|
|
|
e788bc |
+ tasks:
|
|
|
e788bc |
+
|
|
|
e788bc |
+ # GET CURRENT CONFIG
|
|
|
e788bc |
+
|
|
|
e788bc |
+ - name: Return current values of the global configuration options
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
|
e788bc |
+ register: previous
|
|
|
e788bc |
+
|
|
|
e788bc |
+ # TESTS
|
|
|
e788bc |
+ - block:
|
|
|
e788bc |
+ - name: Ensure SID is enabled.
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
|
e788bc |
+ enable_sid: yes
|
|
|
e788bc |
+ register: result
|
|
|
e788bc |
+ failed_when: result.failed or previous.config.enable_sid == result.changed
|
|
|
e788bc |
+
|
|
|
e788bc |
+ - name: Ensure SID is enabled, again.
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
|
e788bc |
+ enable_sid: yes
|
|
|
e788bc |
+ register: result
|
|
|
e788bc |
+ failed_when: result.failed or result.changed
|
|
|
e788bc |
+
|
|
|
e788bc |
+ - name: Ensure netbios_name is "IPATESTPLAY"
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
|
e788bc |
+ enable_sid: yes
|
|
|
e788bc |
+ netbios_name: IPATESTPLAY
|
|
|
e788bc |
+ register: result
|
|
|
e788bc |
+ failed_when: result.failed or not result.changed
|
|
|
e788bc |
+
|
|
|
e788bc |
+ - name: Ensure netbios_name is "IPATESTPLAY", again
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
|
e788bc |
+ enable_sid: yes
|
|
|
e788bc |
+ netbios_name: IPATESTPLAY
|
|
|
e788bc |
+ register: result
|
|
|
e788bc |
+ failed_when: result.failed or result.changed
|
|
|
e788bc |
+
|
|
|
e788bc |
+ # add_sids is not idempotent as it always tries to generate the missing
|
|
|
e788bc |
+ # SIDs for users and groups.
|
|
|
e788bc |
+ - name: Add SIDs to users and groups.
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
|
e788bc |
+ enable_sid: yes
|
|
|
e788bc |
+ add_sids: yes
|
|
|
e788bc |
+
|
|
|
e788bc |
+ # REVERT TO PREVIOUS CONFIG
|
|
|
e788bc |
+ always:
|
|
|
e788bc |
+ # Once SID is enabled, it cannot be reverted.
|
|
|
e788bc |
+ - name: Revert netbios_name to original configuration
|
|
|
e788bc |
+ ipaconfig:
|
|
|
e788bc |
+ ipaadmin_password: SomeADMINpassword
|
|
|
e788bc |
+ ipaapi_context: "{{ ipa_context | default(omit) }}"
|
|
|
e788bc |
+ netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
|
|
|
e788bc |
+ enable_sid: yes
|