diff --git a/.ansible-freeipa.metadata b/.ansible-freeipa.metadata
index 035cfbf..a00700e 100644
--- a/.ansible-freeipa.metadata
+++ b/.ansible-freeipa.metadata
@@ -1 +1 @@
-c4d984a5760e18c642703728f847fd9a8e4d2d7a SOURCES/ansible-freeipa-1.8.3.tar.gz
+03f590ebf93439a08c56f8b98e61f38619309556 SOURCES/ansible-freeipa-1.9.2.tar.gz
diff --git a/.gitignore b/.gitignore
index b89a6c4..b2787d0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/ansible-freeipa-1.8.3.tar.gz
+SOURCES/ansible-freeipa-1.9.2.tar.gz
diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch
deleted file mode 100644
index be0dbca..0000000
--- a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch
+++ /dev/null
@@ -1,435 +0,0 @@
-From 3c8d6c7c7aec408b3b68440982929e30e7d69130 Mon Sep 17 00:00:00 2001
-From: Rafael Guterres Jeffman <rjeffman@redhat.com>
-Date: Mon, 5 Sep 2022 17:18:00 -0300
-Subject: [PATCH] ipaconfig: Add support for SID related attributes.
-
-Since FreeIPA 4.9.8 the 'config_mod' command has parameters to enable
-and configure SIDs, and set the Netbios name.
-
-This patch adds the following parameters to ipaconfig plugin:
- enable_sids: New users and groups automatically get a SID assigned
- add_sids: Add SIDs for existing users and groups
- netbios_name: NetBIOS name of the IPA domain
-
-Both add_sids and netbios_name requires 'enable_sid: yes'.
-
-'enable_sid' and 'netbios_name' are returned when querying IPA
-configuration.
-
-'add_sids' always generate SIDs for users and groups, so, muiltiple
-executions of the playbook with 'add_sids: yes' will return 'changed',
-even if users and groups SIDs are not modified.
-
-A new test playbook is available:
-
- tests/config/test_config_sid.yml
-
-New examples playbooks are available:
-
- playbooks/config/change-ipa-domain-netbios-name.yml
- playbooks/config/generate-users-groups-sids.yml
-
-Fixes: #781
-Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069174
-Related: https://bugzilla.redhat.com/show_bug.cgi?id=2069184
----
- README-config.md | 42 ++++++
- .../config/change-ipa-domain-netbios-name.yml | 12 ++
- .../config/generate-users-groups-sids.yml | 12 ++
- plugins/modules/ipaconfig.py | 120 +++++++++++++++++-
- tests/azure/templates/variables_centos-7.yaml | 9 +-
- tests/config/test_config_sid.yml | 70 ++++++++++
- 6 files changed, 256 insertions(+), 9 deletions(-)
- create mode 100644 playbooks/config/change-ipa-domain-netbios-name.yml
- create mode 100644 playbooks/config/generate-users-groups-sids.yml
- create mode 100644 tests/config/test_config_sid.yml
-
-diff --git a/README-config.md b/README-config.md
-index 17c85f1..13023ea 100644
---- a/README-config.md
-+++ b/README-config.md
-@@ -65,6 +65,9 @@ Example playbook to read config options:
- maxusername: 64
- ```
-
-+
-+Example playbook to set global configuration options:
-+
- ```yaml
- ---
- - name: Playbook to ensure some config options are set
-@@ -79,6 +82,40 @@ Example playbook to read config options:
- ```
-
-
-+Example playbook to enable SID and generate users and groups SIDs:
-+
-+```yaml
-+---
-+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
-+ hosts: ipaserver
-+ become: no
-+ gather_facts: no
-+
-+ tasks:
-+ - name: Enable SID and generate users and groups SIDS
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ enable_sid: yes
-+ add_sids: yes
-+```
-+
-+Example playbook to change IPA domain NetBIOS name:
-+
-+```yaml
-+---
-+- name: Playbook to change IPA domain netbios name
-+ hosts: ipaserver
-+ become: no
-+ gather_facts: no
-+
-+ tasks:
-+ - name: Set IPA domain netbios name
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ enable_sid: yes
-+ netbios_name: IPADOM
-+```
-+
- Variables
- =========
-
-@@ -111,6 +148,9 @@ Variable | Description | Required
- `user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
- `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
- `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
-+`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
-+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
-+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
-
-
- Return Values
-@@ -140,6 +180,8 @@ Variable | Description | Returned When
- | `user_auth_type` |
- | `domain_resolution_order` |
- | `ca_renewal_master_server` |
-+ | `enable_sid` |
-+ | `netbios_name` |
-
- All returned fields take the same form as their namesake input parameters
-
-diff --git a/playbooks/config/change-ipa-domain-netbios-name.yml b/playbooks/config/change-ipa-domain-netbios-name.yml
-new file mode 100644
-index 0000000..04e56b3
---- /dev/null
-+++ b/playbooks/config/change-ipa-domain-netbios-name.yml
-@@ -0,0 +1,12 @@
-+---
-+- name: Playbook to change IPA domain netbios name
-+ hosts: ipaserver
-+ become: no
-+ gather_facts: no
-+
-+ tasks:
-+ - name: Set IPA domain netbios name
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ enable_sid: yes
-+ netbios_name: IPADOM
-diff --git a/playbooks/config/generate-users-groups-sids.yml b/playbooks/config/generate-users-groups-sids.yml
-new file mode 100644
-index 0000000..9df85ba
---- /dev/null
-+++ b/playbooks/config/generate-users-groups-sids.yml
-@@ -0,0 +1,12 @@
-+---
-+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
-+ hosts: ipaserver
-+ become: no
-+ gather_facts: no
-+
-+ tasks:
-+ - name: Enable SID and generate users and groups SIDS
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ enable_sid: yes
-+ add_sids: yes
-diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
-index 6731e37..d1f1398 100644
---- a/plugins/modules/ipaconfig.py
-+++ b/plugins/modules/ipaconfig.py
-@@ -148,6 +148,24 @@ options:
- required: false
- type: list
- aliases: ["ipadomainresolutionorder"]
-+ enable_sid:
-+ description: >
-+ New users and groups automatically get a SID assigned.
-+ Requires IPA 4.9.8+.
-+ required: false
-+ type: bool
-+ netbios_name:
-+ description: >
-+ NetBIOS name of the IPA domain.
-+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
-+ required: false
-+ type: string
-+ add_sids:
-+ description: >
-+ Add SIDs for existing users and groups.
-+ Requires IPA 4.9.8+ and 'enable_sid: yes'.
-+ required: false
-+ type: bool
- '''
-
- EXAMPLES = '''
-@@ -169,6 +187,24 @@ EXAMPLES = '''
- ipaadmin_password: SomeADMINpassword
- defaultshell: /bin/bash
- maxusername: 64
-+
-+- name: Playbook to enable SID and generate users and groups SIDs
-+ hosts: ipaserver
-+ tasks:
-+ - name: Enable SID and generate users and groups SIDS
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ enable_sid: yes
-+ add_sids: yes
-+
-+- name: Playbook to change IPA domain netbios name
-+ hosts: ipaserver
-+ tasks:
-+ - name: Enable SID and generate users and groups SIDS
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ enable_sid: yes
-+ netbios_name: IPADOM
- '''
-
- RETURN = '''
-@@ -247,6 +283,14 @@ config:
- domain_resolution_order:
- description: list of domains used for short name qualification
- returned: always
-+ enable_sid:
-+ description: >
-+ new users and groups automatically get a SID assigned.
-+ Requires IPA 4.9.8+.
-+ returned: always
-+ netbios_name:
-+ description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+.
-+ returned: if enable_sid is True
- '''
-
-
-@@ -260,6 +304,28 @@ def config_show(module):
- return _result["result"]
-
-
-+def get_netbios_name(module):
-+ try:
-+ _result = module.ipa_command_no_name("trustconfig_show", {"all": True})
-+ except Exception: # pylint: disable=broad-except
-+ return None
-+ else:
-+ return _result["result"]["ipantflatname"][0]
-+
-+
-+def is_enable_sid(module):
-+ """When 'enable-sid' is true admin user and admins group have SID set."""
-+ _result = module.ipa_command("user_show", "admin", {"all": True})
-+ sid = _result["result"].get("ipantsecurityidentifier", [""])
-+ if not sid[0].endswith("-500"):
-+ return False
-+ _result = module.ipa_command("group_show", "admins", {"all": True})
-+ sid = _result["result"].get("ipantsecurityidentifier", [""])
-+ if not sid[0].endswith("-512"):
-+ return False
-+ return True
-+
-+
- def main():
- ansible_module = IPAAnsibleModule(
- argument_spec=dict(
-@@ -313,7 +379,10 @@ def main():
- aliases=["ipauserauthtype"]),
- ca_renewal_master_server=dict(type="str", required=False),
- domain_resolution_order=dict(type="list", required=False,
-- aliases=["ipadomainresolutionorder"])
-+ aliases=["ipadomainresolutionorder"]),
-+ enable_sid=dict(type="bool", required=False),
-+ add_sids=dict(type="bool", required=False),
-+ netbios_name=dict(type="str", required=False),
- ),
- supports_check_mode=True,
- )
-@@ -344,7 +413,10 @@ def main():
- "pac_type": "ipakrbauthzdata",
- "user_auth_type": "ipauserauthtype",
- "ca_renewal_master_server": "ca_renewal_master_server",
-- "domain_resolution_order": "ipadomainresolutionorder"
-+ "domain_resolution_order": "ipadomainresolutionorder",
-+ "enable_sid": "enable_sid",
-+ "netbios_name": "netbios_name",
-+ "add_sids": "add_sids",
- }
- allow_empty_string = ["pac_type", "user_auth_type", "configstring"]
- reverse_field_map = {v: k for k, v in field_map.items()}
-@@ -394,11 +466,47 @@ def main():
- changed = False
- exit_args = {}
-
-- # Connect to IPA API
-- with ansible_module.ipa_connect():
-+ # Connect to IPA API (enable-sid requires context == 'client')
-+ with ansible_module.ipa_connect(context="client"):
-+ has_enable_sid = ansible_module.ipa_command_param_exists(
-+ "config_mod", "enable_sid")
-
- result = config_show(ansible_module)
-+
- if params:
-+ netbios_name = params.get("netbios_name")
-+ if netbios_name:
-+ netbios_name = netbios_name.upper()
-+ add_sids = params.get("add_sids")
-+ enable_sid = params.get("enable_sid")
-+ required_sid = any([netbios_name, add_sids])
-+ if required_sid and not enable_sid:
-+ ansible_module.fail_json(
-+ "'enable-sid: yes' required for 'netbios_name' "
-+ "and 'add-sids'."
-+ )
-+ if enable_sid:
-+ if not has_enable_sid:
-+ ansible_module.fail_json(
-+ "This version of IPA does not support 'enable-sid'.")
-+ if (
-+ netbios_name
-+ and netbios_name == get_netbios_name(ansible_module)
-+ ):
-+ del params["netbios_name"]
-+ netbios_name = None
-+ if not add_sids and "add_sids" in params:
-+ del params["add_sids"]
-+ if (
-+ not any([netbios_name, add_sids])
-+ and is_enable_sid(ansible_module)
-+ ):
-+ del params["enable_sid"]
-+ else:
-+ for param in ["enable_sid", "netbios_name", "add_sids"]:
-+ if param in params:
-+ del params[params]
-+
- params = {
- k: v for k, v in params.items()
- if k not in result or result[k] != v
-@@ -458,6 +566,10 @@ def main():
- # Add empty domain_resolution_order if it is not set
- if "domain_resolution_order" not in exit_args:
- exit_args["domain_resolution_order"] = []
-+ # Set enable_sid
-+ if has_enable_sid:
-+ exit_args["enable_sid"] = is_enable_sid(ansible_module)
-+ exit_args["netbios_name"] = get_netbios_name(ansible_module)
-
- # Done
- ansible_module.exit_json(changed=changed, config=exit_args)
-#diff --git a/tests/azure/templates/variables_centos-7.yaml b/tests/azure/templates/variables_centos-7.yaml
-#index 586d5ec..8628af2 100644
-#--- a/tests/azure/templates/variables_centos-7.yaml
-#+++ b/tests/azure/templates/variables_centos-7.yaml
-#@@ -12,8 +12,7 @@
-# #
-# ---
-# variables:
-#- empty: true
-#-# ipa_enabled_modules: >-
-#-# ipa_enabled_tests: >-
-#-# ipa_disabled_modules: >-
-#-# ipa_disabled_tests: >-
-#+ # ipa_enabled_modules: >-
-#+ # ipa_enabled_tests: >-
-#+ # ipa_disabled_modules: >-
-#+ ipa_disabled_tests: test_config_sid
-diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml
-new file mode 100644
-index 0000000..1761795
---- /dev/null
-+++ b/tests/config/test_config_sid.yml
-@@ -0,0 +1,70 @@
-+---
-+- name: Test config
-+ hosts: "{{ ipa_test_host | default('ipaserver') }}"
-+ become: no
-+ gather_facts: no
-+
-+ tasks:
-+
-+ # GET CURRENT CONFIG
-+
-+ - name: Return current values of the global configuration options
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ register: previous
-+
-+ # TESTS
-+ - block:
-+ - name: Ensure SID is enabled.
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ enable_sid: yes
-+ register: result
-+ failed_when: result.failed or previous.config.enable_sid == result.changed
-+
-+ - name: Ensure SID is enabled, again.
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ enable_sid: yes
-+ register: result
-+ failed_when: result.failed or result.changed
-+
-+ - name: Ensure netbios_name is "IPATESTPLAY"
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ enable_sid: yes
-+ netbios_name: IPATESTPLAY
-+ register: result
-+ failed_when: result.failed or not result.changed
-+
-+ - name: Ensure netbios_name is "IPATESTPLAY", again
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ enable_sid: yes
-+ netbios_name: IPATESTPLAY
-+ register: result
-+ failed_when: result.failed or result.changed
-+
-+ # add_sids is not idempotent as it always tries to generate the missing
-+ # SIDs for users and groups.
-+ - name: Add SIDs to users and groups.
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ enable_sid: yes
-+ add_sids: yes
-+
-+ # REVERT TO PREVIOUS CONFIG
-+ always:
-+ # Once SID is enabled, it cannot be reverted.
-+ - name: Revert netbios_name to original configuration
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ netbios_name: "{{ previous.config.netbios_name | default(omit) }}"
-+ enable_sid: yes
---
-2.37.3
-
diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch
deleted file mode 100644
index ed62b05..0000000
--- a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch
+++ /dev/null
@@ -1,113 +0,0 @@
-From 320168071ff56c00ff65870e781a261075fccc66 Mon Sep 17 00:00:00 2001
-From: Rafael Guterres Jeffman <rjeffman@redhat.com>
-Date: Wed, 21 Sep 2022 18:28:55 -0300
-Subject: [PATCH] ipaconfig: Do not allow enable_sid set to False.
-
-Once enabled, SID cannot be disabled. This patch ensures that an error
-is raised if one tries to disable SID.
----
- README-config.md | 2 +-
- plugins/modules/ipaconfig.py | 15 ++++++++-------
- tests/config/test_config_sid.yml | 13 +++++++++++++
- 3 files changed, 22 insertions(+), 8 deletions(-)
-
-diff --git a/README-config.md b/README-config.md
-index 13023ea..d6fe40a 100644
---- a/README-config.md
-+++ b/README-config.md
-@@ -148,7 +148,7 @@ Variable | Description | Required
- `user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
- `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
- `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
--`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no
-+`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
- `netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
- `add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
-
-diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
-index 87810b2..9c19afb 100644
---- a/plugins/modules/ipaconfig.py
-+++ b/plugins/modules/ipaconfig.py
-@@ -175,7 +175,7 @@ options:
- enable_sid:
- description: >
- New users and groups automatically get a SID assigned.
-- Requires IPA 4.9.8+.
-+ Cannot be deactivated once activated. Requires IPA 4.9.8+.
- required: false
- type: bool
- netbios_name:
-@@ -525,11 +525,16 @@ def main():
- result = config_show(ansible_module)
-
- if params:
-+ enable_sid = params.get("enable_sid")
-+ sid_is_enabled = has_enable_sid and is_enable_sid(ansible_module)
-+
-+ if sid_is_enabled and enable_sid is False:
-+ ansible_module.fail_json(msg="SID cannot be disabled.")
-+
- netbios_name = params.get("netbios_name")
- if netbios_name:
- netbios_name = netbios_name.upper()
- add_sids = params.get("add_sids")
-- enable_sid = params.get("enable_sid")
- required_sid = any([netbios_name, add_sids])
- if required_sid and not enable_sid:
- ansible_module.fail_json(
-@@ -551,13 +556,9 @@ def main():
- del params["add_sids"]
- if (
- not any([netbios_name, add_sids])
-- and is_enable_sid(ansible_module)
-+ and sid_is_enabled
- ):
- del params["enable_sid"]
-- else:
-- for param in ["enable_sid", "netbios_name", "add_sids"]:
-- if param in params:
-- del params[params]
-
- params = {
- k: v for k, v in params.items()
-diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml
-index 1761795..bd550a5 100644
---- a/tests/config/test_config_sid.yml
-+++ b/tests/config/test_config_sid.yml
-@@ -6,6 +6,9 @@
-
- tasks:
-
-+ - name: Set FreeIPA facts.
-+ include_tasks: ../env_freeipa_facts.yml
-+
- # GET CURRENT CONFIG
-
- - name: Return current values of the global configuration options
-@@ -32,6 +35,14 @@
- register: result
- failed_when: result.failed or result.changed
-
-+ - name: Try to Ensure SID is disabled.
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ enable_sid: no
-+ register: result
-+ failed_when: not result.failed or "SID cannot be disabled." not in result.msg
-+
- - name: Ensure netbios_name is "IPATESTPLAY"
- ipaconfig:
- ipaadmin_password: SomeADMINpassword
-@@ -59,6 +70,8 @@
- enable_sid: yes
- add_sids: yes
-
-+ # only run tests if version supports enable-sid
-+ when: ipa_version is version("4.9.8", ">=")
- # REVERT TO PREVIOUS CONFIG
- always:
- # Once SID is enabled, it cannot be reverted.
---
-2.37.3
-
diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch
deleted file mode 100644
index 66cc686..0000000
--- a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch
+++ /dev/null
@@ -1,218 +0,0 @@
-Adapted version of
-
-From c808ad6e3408c2145ba660025c75531920f05d73 Mon Sep 17 00:00:00 2001
-From: Rafael Guterres Jeffman <rjeffman@redhat.com>
-Date: Tue, 18 Oct 2022 10:26:01 -0300
-Subject: [PATCH] ipaconfig: Do not require enable_sid for add_sids or
- netbios_name
-
-Current behavior of ipaconfig mimics FreeIPA CLI and requires that
-'enable_sid' is set to True every time add_sids or netbios_name are
-used. It is sufficient that SID generation is enabled to use add_sids
-and netbios_name, but the IPA API requires 'enable_sid' so that the
-operations are executed.
-
-This patch allows ansible-freeipa plugin ipaconfig to run 'add_sids' or
-set 'netbios_name without requiring 'enable_sid' to be set on the
-playbook.
-
-If SID generation is enabled, 'add_sids' and 'netbios_name' can be used
-without 'enable_sid: yes'. If SID generation is not enabled, an error
-message will be raised if 'enable_sid: yes' is not used.
----
- README-config.md | 4 +--
- plugins/modules/ipaconfig.py | 53 +++++++++++++++++---------------
- tests/config/test_config_sid.yml | 48 +++++++++++++++++++++++++++--
- 3 files changed, 76 insertions(+), 29 deletions(-)
-
-diff --git a/README-config.md b/README-config.md
-index d6fe40a..a1d6117 100644
---- a/README-config.md
-+++ b/README-config.md
-@@ -149,8 +149,8 @@ Variable | Description | Required
- `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
- `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
- `enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
--`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no
--`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. (bool) | no
-+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and SID generation to be activated. | no
-+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and SID generation to be activated. (bool) | no
-
-
- Return Values
-diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
-index 9c19afb..7e78492 100644
---- a/plugins/modules/ipaconfig.py
-+++ b/plugins/modules/ipaconfig.py
-@@ -180,14 +180,14 @@ options:
- type: bool
- netbios_name:
- description: >
-- NetBIOS name of the IPA domain.
-- Requires IPA 4.9.8+ and 'enable_sid: yes'.
-+ NetBIOS name of the IPA domain. Requires IPA 4.9.8+
-+ and SID generation to be activated.
- required: false
- type: string
- add_sids:
- description: >
-- Add SIDs for existing users and groups.
-- Requires IPA 4.9.8+ and 'enable_sid: yes'.
-+ Add SIDs for existing users and groups. Requires IPA 4.9.8+
-+ and SID generation to be activated.
- required: false
- type: bool
- '''
-@@ -362,7 +362,7 @@ def get_netbios_name(module):
-
-
- def is_enable_sid(module):
-- """When 'enable-sid' is true admin user and admins group have SID set."""
-+ """When 'enable_sid' is true admin user and admins group have SID set."""
- _result = module.ipa_command("user_show", "admin", {"all": True})
- sid = _result["result"].get("ipantsecurityidentifier", [""])
- if not sid[0].endswith("-500"):
-@@ -517,7 +517,7 @@ def main():
- changed = False
- exit_args = {}
-
-- # Connect to IPA API (enable-sid requires context == 'client')
-+ # Connect to IPA API (enable_sid requires context == 'client')
- with ansible_module.ipa_connect(context="client"):
- has_enable_sid = ansible_module.ipa_command_param_exists(
- "config_mod", "enable_sid")
-@@ -532,20 +532,8 @@ def main():
- ansible_module.fail_json(msg="SID cannot be disabled.")
-
- netbios_name = params.get("netbios_name")
-- if netbios_name:
-- netbios_name = netbios_name.upper()
- add_sids = params.get("add_sids")
-- required_sid = any([netbios_name, add_sids])
-- if required_sid and not enable_sid:
-- ansible_module.fail_json(
-- msg="'enable-sid: yes' required for 'netbios_name' "
-- "and 'add-sids'."
-- )
-- if enable_sid:
-- if not has_enable_sid:
-- ansible_module.fail_json(
-- msg="This version of IPA does not support enable-sid."
-- )
-+ if has_enable_sid:
- if (
- netbios_name
- and netbios_name == get_netbios_name(ansible_module)
-@@ -554,12 +542,27 @@ def main():
- netbios_name = None
- if not add_sids and "add_sids" in params:
- del params["add_sids"]
-- if (
-- not any([netbios_name, add_sids])
-- and sid_is_enabled
-- ):
-- del params["enable_sid"]
--
-+ if any([netbios_name, add_sids]):
-+ if sid_is_enabled:
-+ params["enable_sid"] = True
-+ else:
-+ if not enable_sid:
-+ ansible_module.fail_json(
-+ msg="SID generation must be enabled for "
-+ "'netbios_name' and 'add_sids'. Use "
-+ "'enable_sid: yes'."
-+ )
-+ else:
-+ if sid_is_enabled and "enable_sid" in params:
-+ del params["enable_sid"]
-+
-+ else:
-+ if any([enable_sid, netbios_name, add_sids is not None]):
-+ ansible_module.fail_json(
-+ msg="This version of IPA does not support enable_sid, "
-+ "add_sids or netbios_name setting through the "
-+ "config module"
-+ )
- params = {
- k: v for k, v in params.items()
- if k not in result or result[k] != v
-diff --git a/tests/config/test_config_sid.yml b/tests/config/test_config_sid.yml
-index bd550a5..d8d78f1 100644
---- a/tests/config/test_config_sid.yml
-+++ b/tests/config/test_config_sid.yml
-@@ -19,6 +19,32 @@
-
- # TESTS
- - block:
-+ - name: Check if SID is enabled.
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ enable_sid: yes
-+ check_mode: yes
-+ register: sid_disabled
-+
-+ - name: Ensure netbios_name can't be changed without SID enabled.
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ netbios_name: IPATESTPLAY
-+ register: result
-+ failed_when: not result.failed and "SID generation must be enabled" in result.msg
-+ when: sid_disabled.changed
-+
-+ - name: Ensure SIDs can't be changed without SID enabled.
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ add_sids: yes
-+ register: result
-+ failed_when: not result.failed and "SID generation must be enabled" in result.msg
-+ when: sid_disabled.changed
-+
- - name: Ensure SID is enabled.
- ipaconfig:
- ipaadmin_password: SomeADMINpassword
-@@ -56,18 +82,36 @@
- ipaconfig:
- ipaadmin_password: SomeADMINpassword
- ipaapi_context: "{{ ipa_context | default(omit) }}"
-- enable_sid: yes
- netbios_name: IPATESTPLAY
- register: result
- failed_when: result.failed or result.changed
-
-+ - name: Ensure netbios_name cannot be set with lowercase characters
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ netbios_name: IPATESTplay
-+ register: result
-+ failed_when:
-+ (not result.failed
-+ and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message)
-+
-+ - name: Ensure netbios_name cannot be set different lowercase characters
-+ ipaconfig:
-+ ipaadmin_password: SomeADMINpassword
-+ ipaapi_context: "{{ ipa_context | default(omit) }}"
-+ netbios_name: otherPLAY
-+ register: result
-+ failed_when:
-+ (not result.failed
-+ and "Up to 15 characters and only uppercase ASCII letters, digits and dashes are allowed" not in result.message)
-+
- # add_sids is not idempotent as it always tries to generate the missing
- # SIDs for users and groups.
- - name: Add SIDs to users and groups.
- ipaconfig:
- ipaadmin_password: SomeADMINpassword
- ipaapi_context: "{{ ipa_context | default(omit) }}"
-- enable_sid: yes
- add_sids: yes
-
- # only run tests if version supports enable-sid
---
-2.37.3
-
diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch b/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch
deleted file mode 100644
index ef3d7f2..0000000
--- a/SOURCES/ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From 4da89de1d41a752e561d17f628dd6c2cbda3f326 Mon Sep 17 00:00:00 2001
-From: Rafael Guterres Jeffman <rjeffman@redhat.com>
-Date: Wed, 21 Sep 2022 10:10:52 -0300
-Subject: [PATCH] ipaconfig: Fix fail_json calls.
-
-Ansible's fail_json() method required that the message paramater was
-passed with a keyword parameter, rather than a positional one. Although
-this seems to work with ansible-core 2.13+, it might not work with
-previous versions of Ansible.
-
-This patch fixes the behaviour for all supported Ansible versions.
----
- plugins/modules/ipaconfig.py | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/plugins/modules/ipaconfig.py b/plugins/modules/ipaconfig.py
-index b0b4062..87810b2 100644
---- a/plugins/modules/ipaconfig.py
-+++ b/plugins/modules/ipaconfig.py
-@@ -533,13 +533,14 @@ def main():
- required_sid = any([netbios_name, add_sids])
- if required_sid and not enable_sid:
- ansible_module.fail_json(
-- "'enable-sid: yes' required for 'netbios_name' "
-- "and 'add-sids'."
-+ msg="'enable-sid: yes' required for 'netbios_name' "
-+ "and 'add-sids'."
- )
- if enable_sid:
- if not has_enable_sid:
- ansible_module.fail_json(
-- "This version of IPA does not support 'enable-sid'.")
-+ msg="This version of IPA does not support enable-sid."
-+ )
- if (
- netbios_name
- and netbios_name == get_netbios_name(ansible_module)
---
-2.37.3
-
diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch b/SOURCES/ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch
deleted file mode 100644
index 0fcb881..0000000
--- a/SOURCES/ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From de8911af504c6b6f51c906e8cec7da12ff4eed09 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner <twoerner@redhat.com>
-Date: Tue, 30 Aug 2022 16:38:42 +0200
-Subject: [PATCH] ipaserver: Add missing idstart check
-
-The idstart needs to be larger than UID_MAX or GID_MAX from /etc/login.defs.
-This is "Require idstart to be larger than UID_MAX" for freeipa.
-
-Fixes: #896 (Invalid RID/SID SSSD backtrace after deployment)
----
- roles/ipaserver/library/ipaserver_test.py | 13 ++++++++++++-
- roles/ipaserver/module_utils/ansible_ipa_server.py | 7 ++++++-
- 2 files changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/roles/ipaserver/library/ipaserver_test.py b/roles/ipaserver/library/ipaserver_test.py
-index 2158150..f830f37 100644
---- a/roles/ipaserver/library/ipaserver_test.py
-+++ b/roles/ipaserver/library/ipaserver_test.py
-@@ -225,7 +225,8 @@ from ansible.module_utils.ansible_ipa_server import (
- read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
- check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
- validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
-- encode_certificate, check_available_memory, getargspec, adtrustinstance
-+ encode_certificate, check_available_memory, getargspec, adtrustinstance,
-+ get_min_idstart
- )
- from ansible.module_utils import six
-
-@@ -579,6 +580,16 @@ def main():
- "'--ignore-topology-disconnect/--ignore-last-of-role' "
- "options can be used only during uninstallation")
-
-+ if get_min_idstart is not None:
-+ min_idstart = get_min_idstart()
-+ if self.idstart < min_idstart:
-+ raise RuntimeError(
-+ "idstart (%i) must be larger than UID_MAX/GID_MAX "
-+ "(%i) setting in /etc/login.defs." % (
-+ self.idstart, min_idstart
-+ )
-+ )
-+
- if self.idmax < self.idstart:
- raise RuntimeError(
- "idmax (%s) cannot be smaller than idstart (%s)" %
-diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
-index aba6b68..5b1c4e5 100644
---- a/roles/ipaserver/module_utils/ansible_ipa_server.py
-+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
-@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger", "sysrestore", "root_logger",
- "adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader",
- "default_subject_base", "default_ca_subject_dn",
- "check_ldap_conf", "encode_certificate", "decode_certificate",
-- "check_available_memory", "getargspec"]
-+ "check_available_memory", "getargspec", "get_min_idstart"]
-
- import sys
-
-@@ -200,6 +200,11 @@ else:
- from ipalib.x509 import load_certificate
- load_pem_x509_certificate = None
-
-+ try:
-+ from ipaserver.install.server.install import get_min_idstart
-+ except ImportError:
-+ get_min_idstart = None
-+
- else:
- # IPA version < 4.5
-
---
-2.37.3
-
diff --git a/SOURCES/ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch b/SOURCES/ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch
deleted file mode 100644
index c951d94..0000000
--- a/SOURCES/ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 7077776de3432a321298df13076ea0cc59bc35b1 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner <twoerner@redhat.com>
-Date: Mon, 5 Sep 2022 13:16:26 +0200
-Subject: [PATCH] ipaserver/ipareplica: Add isatty method to AnsibleModuleLog
-
-In some cases ipa code is using sys.stdout.isatty. As stdout is mapped
-to AnsibleModuleLog this call will lead in a traceback as it was not
-defined.
-
-The staticmethod isatty has been added to AnsibleModuleLog in ipaserver
-role module_utils/ansible_ipa_server.py and in ipareplica role
-module_utils/ansible_ipa_repica.py.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2120415
- ansible-freeipa Replica Install Setup DNS fails
-Fixes: #251 - 'AnsibleModuleLog' object has no attribute 'isatty'
-Fixes: #117 - 'AnsibleModuleLog' object has no attribute 'isatty'
----
- roles/ipareplica/module_utils/ansible_ipa_replica.py | 4 ++++
- roles/ipaserver/module_utils/ansible_ipa_server.py | 4 ++++
- 2 files changed, 8 insertions(+)
-
-diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
-index 0e4e738..27ee13d 100644
---- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
-+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
-@@ -222,6 +222,10 @@ else:
- def info(self, msg):
- self.module.debug(msg)
-
-+ @staticmethod
-+ def isatty():
-+ return False
-+
- def write(self, msg):
- self.module.debug(msg)
- # self.module.warn(msg)
-diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
-index 5b1c4e5..8e7be0b 100644
---- a/roles/ipaserver/module_utils/ansible_ipa_server.py
-+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
-@@ -255,6 +255,10 @@ else:
- def info(self, msg):
- self.module.debug(msg)
-
-+ @staticmethod
-+ def isatty():
-+ return False
-+
- def write(self, msg):
- self.module.debug(msg)
- # self.module.warn(msg)
---
-2.37.3
-
diff --git a/SPECS/ansible-freeipa.spec b/SPECS/ansible-freeipa.spec
index 0fbe0f7..2fe9b9d 100644
--- a/SPECS/ansible-freeipa.spec
+++ b/SPECS/ansible-freeipa.spec
@@ -7,25 +7,20 @@
Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients
Name: ansible-freeipa
-Version: 1.8.3
-Release: 2%{?dist}
+Version: 1.9.2
+Release: 1%{?dist}
URL: https://github.com/freeipa/ansible-freeipa
License: GPLv3+
Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz
-Patch1: ansible-freeipa-1.8.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132974.patch
-Patch2: ansible-freeipa-1.8.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132988.patch
-Patch3: ansible-freeipa-1.8.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132994.patch
-Patch4: ansible-freeipa-1.8.3-ipaconfig-Fix-fail_json-calls_rhbz#2135753.patch
-Patch5: ansible-freeipa-1.8.3-ipaconfig-Do-not-allow-enable_sid-set-to-False_rhbz#2135754.patch
-Patch6: ansible-freeipa-1.8.3-ipaconfig-Do-not-require-enable_sid-for-add_sids-or-_RHBZ#2135775.patch
BuildArch: noarch
%if 0%{?fedora} >= 35 || 0%{?rhel} >= 9
Requires: ansible-core
%endif
%description
-Ansible roles and playbooks to install and uninstall FreeIPA servers, replicas
-and clients. Also modules management.
+Ansible roles to install and uninstall FreeIPA servers, replicas and clients,
+roles for backups and SmartCard configuration, modules for management and also
+playbooks for all roles and modules.
Note: The Ansible playbooks and roles require a configured Ansible environment
where the Ansible nodes are reachable and are properly set up to have an IP
@@ -57,6 +52,7 @@ Features
- Modules for hostgroup management
- Modules for idrange management
- Modules for location management
+- Modules for netgroup management
- Modules for permission management
- Modules for privilege management
- Modules for pwpolicy management
@@ -93,8 +89,6 @@ Requirements
Controller
- Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
- - /usr/bin/kinit is required on the controller if a one time password (OTP)
- is used
Node
- Supported FreeIPA version (see above)
@@ -122,23 +116,17 @@ to get the needed requrements to run the tests.
%prep
%setup -q
# Do not create backup files with patches
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch4 -p1
-%patch5 -p1
-%patch6 -p1
# Fix python modules and module utils:
# - Remove shebang
# - Remove execute flag
-for i in roles/ipa*/library/*.py roles/ipa*/module_utils/*.py plugins/*/*.py; do
+for i in roles/ipa*/library/*.py roles/ipa*/module_utils/*.py plugins/*/*.py;
+do
sed -i '1{/\/usr\/bin\/python*/d;}' $i
chmod a-x $i
done
-for i in utils/*.py utils/ansible-ipa-*-install utils/new_module \
- utils/changelog utils/ansible-doc-test;
+for i in utils/*.py utils/new_module utils/changelog utils/ansible-doc-test;
do
sed -i '{s@/usr/bin/python*@%{python}@}' $i
done
@@ -191,19 +179,55 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/
%{_datadir}/ansible-freeipa/requirements-tests.txt
%changelog
--* Tue Oct 18 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.3-2
-- ipaserver: Add missing idstart check
- Resolves: RHBZ#2132976
-- Replica Install Setup DNS fails
- Resolves: RHBZ#2132990
-- ipaconfig: Add support for SID related attributes
- Resolves: RHBZ#2132996
-- paconfig: Fix fail_json calls
- Resolves: RHBZ#2135756
+* Tue Jan 31 2023 Thomas Woerner <twoerner@redhat.com> - 1.9.2-1
+- Update to version 1.9.2
+ https://github.com/freeipa/ansible-freeipa/releases/tag/v1.9.2
+ Resolves: RHBZ#2125592
+- ipabackup: Use ipabackup_item again in copy_backup_to_server
+ Resolves: RHBZ#2165953
+
+* Mon Jan 30 2023 Thomas Woerner <twoerner@redhat.com> - 1.9.1-1
+- Update to version 1.9.1
+ https://github.com/freeipa/ansible-freeipa/releases/tag/v1.9.1
+ Resolves: RHBZ#2125592
+- pwpolicy: Allow clearing policy values
+ Resolves: RHBZ#2150334
+- Use netgroup_find instead of netgroup_show to workaround IPA bug
+ Resolves: RHBZ#2144725
+
+* Wed Dec 7 2022 Thomas Woerner <twoerner@redhat.com> - 1.9.0-1
+- Update to version 1.9.0
+ https://github.com/freeipa/ansible-freeipa/releases/tag/v1.9.0
+ Related: RHBZ#2125592
+- pwpolicy: Add support for password check and grace limit
+ Resolves: RHBZ#2127911
- ipaconfig: Do not allow enable_sid set to False
- Resolves: RHBZ#2135757
+ Resolves: RHBZ#2127446
+- ipaclient: No kinit on controller for deployment using OTP
+ Resolves: RHBZ#2127887
+- ipaclient: Configure DNS resolver
+ Resolves: RHBZ#2127895
+- New netgroup management module
+ Resolves: RHBZ#2127910
+- sudorule: Add support for 'hostmask' parameter
+ Resolves: RHBZ#2127913
+- ipaconfig: Fix fail_json calls
+ Resolves: RHBZ#2134375
- ipaconfig: Do not require enable_sid for add_sids or netbios_name
- Resolves: RHBZ#2135776
+ Resolves: RHBZ#2134505
+- ipaserver: Add missing idstart check
+ Resolves: RHBZ#2132731
+
+* Mon Sep 12 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.4-1
+- Update to version 1.8.4
+ https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.4
+ Resolves: RHBZ#2125592
+- 'ansible-doc' -l lists most idm modules as 'UNDOCUMENTED'
+ Resolves: RHBZ#2125603
+- ansible-freeipa Replica Install Setup DNS fails
+ Resolves: RHBZ#2125616
+- ipaconfig does not support SID and netbios attributes
+ Resolves: RHBZ#2069184
* Tue Aug 16 2022 Thomas Woerner <twoerner@redhat.com> - 1.8.3-1
- Update to version 1.8.3