---

- name: Playbook to handle server configuration

  hosts: ipaserver

  become: true

  gather_facts: false

  tasks:

  # Retrieve current configuration.

  - name: return current values of the global configuration options

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

    register: previousconfig

  - debug:

      msg: "{{previousconfig}}"

  # setup environment.

  - name: create test group

    ipagroup:

      ipaadmin_password: 'SomeADMINpassword'

      name: somedefaultgroup

  - name: Ensure the default e-mail domain is ipa.test.

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      emaildomain: ipa.test

  - name: set default shell to '/bin/sh'

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      defaultshell: /bin/sh

  - name: set default group

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      defaultgroup: ipausers

  - name: set default home directory

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      homedirectory: /home

  - name: clear pac-type

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      pac_type: ""

  - name: set maxusername to 255

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      maxusername: 255

  - name: set maxhostname to 255

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      maxhostname: 255

  - name: set pwdexpnotify to 0

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      pwdexpnotify: 0

  - name: set searchrecordslimit to 10

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      searchrecordslimit: 10

  - name: set searchtimelimit to 1

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      searchtimelimit: 1

  - name: clear configstring

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      configstring: ""

  - name: set configstring to AllowNThash

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      configstring: 'KDC:Disable Lockout'

  - name: set selinuxusermapdefault

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      selinuxusermapdefault: "staff_u:s0-s0:c0.c1023"

  - name: set selinuxusermaporder

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023'

  - name: set usersearch to `uid`

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      usersearch: uid

  - name: set groupsearch to `cn`

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      groupsearch: cn

  # tests

  - name: Ensure the default e-mail domain is somedomain.test.

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      emaildomain: somedomain.test

    register: result

    failed_when: not result.changed

  - name: Ensure the default e-mail domain is somedomain.test, again.

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      emaildomain: somedomain.test

    register: result

    failed_when: result.changed

  - name: set default shell to '/bin/someshell'

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      defaultshell: /bin/someshell

    register: result

    failed_when: not result.changed

  - name: set default shell to '/bin/someshell', again.

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      defaultshell: /bin/someshell

    register: result

    failed_when: result.changed

  - name: set default group

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      defaultgroup: somedefaultgroup

    register: result

    failed_when: not result.changed

  - name: set default group

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      defaultgroup: somedefaultgroup

    register: result

    failed_when: result.changed

  - name: set default home directory

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      homedirectory: /Users

    register: result

    failed_when: not result.changed

  - name: set default home directory

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      homedirectory: /Users

    register: result

    failed_when: result.changed

  - name: set pac-type

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      pac_type: "nfs:NONE"

    register: result

    failed_when: not result.changed

  - name: set pac-type, again.

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      pac_type: "nfs:NONE"

    register: result

    failed_when: result.changed

  - name: set maxusername to 33

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      maxusername: 33

    register: result

    failed_when: not result.changed

  - name: set maxusername to 33, again.

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      maxusername: 33

    register: result

    failed_when: result.changed

  - name: set maxhostname to 77

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      maxhostname: 77

    register: result

    failed_when: not result.changed

  - name: set maxhostname to 77, again

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      maxhostname: 77

    register: result

    failed_when: result.changed

  - name: set pwdexpnotify to 17

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      pwdexpnotify: 17

    register: result

    failed_when: not result.changed

  - name: set pwdexpnotify to 17, again

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      pwdexpnotify: 17

    register: result

    failed_when: result.changed

  - name: set searchrecordslimit to -1

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      searchrecordslimit: -1

    register: result

    failed_when: not result.changed

  - name: set searchrecordslimit to -1, again.

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      searchrecordslimit: -1

    register: result

    failed_when: result.changed

  - name: set searchtimelimit to 12345

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      searchtimelimit: 12345

    register: result

    failed_when: not result.changed

  - name: set searchtimelimit to 12345, again.

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      searchtimelimit: 12345

    register: result

    failed_when: result.changed

  - name: change enable_migration

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      enable_migration: '{{ not previousconfig.config.enable_migration }}'

    register: result

    failed_when: not result.changed

  - name: change enable_migration, again

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      enable_migration: '{{ not previousconfig.config.enable_migration }}'

    register: result

    failed_when: result.changed

  - name: set configstring to AllowNThash

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      configstring: AllowNThash

    register: result

    failed_when: not result.changed

  - name: set configstring to AllowNThash, again.

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      configstring: AllowNThash

    register: result

    failed_when: result.changed

  - name: set selinuxusermaporder

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'

    register: result

    failed_when: not result.changed

  - name: set selinuxusermaporder, again

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023'

    register: result

    failed_when: result.changed

  - name: set selinuxusermapdefault

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      selinuxusermapdefault: 'user_u:s0'

    register: result

    failed_when: not result.changed

  - name: set selinuxusermapdefault, again

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      selinuxusermapdefault: 'user_u:s0'

    register: result

    failed_when: result.changed

  - name: set groupsearch to `description`

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      groupsearch: description

    register: result

    failed_when: not result.changed

  - name: set groupsearch to `gidNumber`, again

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      groupsearch: description

    register: result

    failed_when: result.changed

  - name: set usersearch to `uidNumber`

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      usersearch: uidNumber

    register: result

    failed_when: not result.changed

  - name: set usersearch to `uidNumber`, again

    ipaconfig:

      ipaadmin_password: SomeADMINpassword

      usersearch: uidNumber

    register: result

    failed_when: result.changed

  - name: reset changed fields

    ipaconfig:

      ipaadmin_password: 'SomeADMINpassword'

      maxusername: '{{previousconfig.config.maxusername | default(omit)}}'

      maxhostname: '{{previousconfig.config.maxhostname | default(omit)}}'

      homedirectory: '{{previousconfig.config.homedirectory | default(omit)}}'

      defaultshell: '{{previousconfig.config.defaultshell | default(omit)}}'

      defaultgroup: '{{previousconfig.config.defaultgroup | default(omit)}}'

      emaildomain: '{{previousconfig.config.emaildomain | default(omit)}}'

      searchtimelimit: '{{previousconfig.config.searchtimelimit | default(omit)}}'

      searchrecordslimit: '{{previousconfig.config.searchrecordslimit | default(omit)}}'

      usersearch: '{{previousconfig.config.usersearch | default(omit)}}'

      groupsearch: '{{previousconfig.config.groupsearch | default(omit)}}'

      enable_migration: '{{previousconfig.config.enable_migration | default(omit)}}'

      groupobjectclasses: '{{previousconfig.config.groupobjectclasses | default(omit)}}'

      userobjectclasses: '{{previousconfig.config.userobjectclasses | default(omit)}}'

      pwdexpnotify: '{{previousconfig.config.pwdexpnotify | default(omit)}}'

      configstring: '{{previousconfig.config.configstring | default(omit)}}'

      selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault | default(omit)}}'

      selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder | default(omit)}}'

      pac_type: '{{previousconfig.config.pac_type | default(omit)}}'

      user_auth_type: '{{previousconfig.config.user_auth_type | default(omit)}}'

      domain_resolution_order: '{{previousconfig.config.domain_resolution_order | default(omit)}}'

      ca_renewal_master_server: '{{previousconfig.config.ca_renewal_master_server | default(omit)}}'

    register: result

    failed_when: not result.changed

  - name: reset changed fields, again

    ipaconfig:

      ipaadmin_password: 'SomeADMINpassword'

      maxusername: '{{previousconfig.config.maxusername | default(omit)}}'

      maxhostname: '{{previousconfig.config.maxhostname | default(omit)}}'

      homedirectory: '{{previousconfig.config.homedirectory | default(omit)}}'

      defaultshell: '{{previousconfig.config.defaultshell | default(omit)}}'

      defaultgroup: '{{previousconfig.config.defaultgroup | default(omit)}}'

      emaildomain: '{{previousconfig.config.emaildomain | default(omit)}}'

      searchtimelimit: '{{previousconfig.config.searchtimelimit | default(omit)}}'

      searchrecordslimit: '{{previousconfig.config.searchrecordslimit | default(omit)}}'

      usersearch: '{{previousconfig.config.usersearch | default(omit)}}'

      groupsearch: '{{previousconfig.config.groupsearch | default(omit)}}'

      enable_migration: '{{previousconfig.config.enable_migration | default(omit)}}'

      groupobjectclasses: '{{previousconfig.config.groupobjectclasses | default(omit)}}'

      userobjectclasses: '{{previousconfig.config.userobjectclasses | default(omit)}}'

      pwdexpnotify: '{{previousconfig.config.pwdexpnotify | default(omit)}}'

      configstring: '{{previousconfig.config.configstring | default(omit)}}'

      selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault | default(omit)}}'

      selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder | default(omit)}}'

      pac_type: '{{previousconfig.config.pac_type | default(omit)}}'

      user_auth_type: '{{previousconfig.config.user_auth_type | default(omit)}}'

      domain_resolution_order: '{{previousconfig.config.domain_resolution_order | default(omit)}}'

      ca_renewal_master_server: '{{previousconfig.config.ca_renewal_master_server | default(omit)}}'

    register: result

    failed_when: result.changed

  # cleanup

  - name: cleanup test group

    ipagroup:

      ipaadmin_password: 'SomeADMINpassword'

      name: somedefaultgroup

      state: absent