From 98a68eff41328bb6ac3d79ba6cbc2e3993ee326f Mon Sep 17 00:00:00 2001 From: Packit Date: Sep 03 2020 10:11:48 +0000 Subject: Apply patch ansible-freeipa-0.1.8-ipahost-Fix-choices-of-auth_ind-parameter-allow-to-reset-parameter_rhbz#1783992.patch patch_name: ansible-freeipa-0.1.8-ipahost-Fix-choices-of-auth_ind-parameter-allow-to-reset-parameter_rhbz#1783992.patch present_in_specfile: true
---
diff --git a/README-host.md b/README-host.md
index edec8d9..be5ad79 100644
--- a/README-host.md
+++ b/README-host.md
@@ -280,7 +280,7 @@ Variable | Description | Required
 `mac_address` \| `macaddress` | List of hardware MAC addresses. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
 `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened"] | no
+`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
 `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
 `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
diff --git a/plugins/modules/ipahost.py b/plugins/modules/ipahost.py
index ec5e196..b130395 100644
--- a/plugins/modules/ipahost.py
+++ b/plugins/modules/ipahost.py
@@ -147,9 +147,10 @@ options: Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. + Use empty string to reset auth_ind to the initial value. type: list aliases: ["krbprincipalauthind"] - choices: ["radius", "otp", "pkinit", "hardened"] + choices: ["radius", "otp", "pkinit", "hardened", ""] required: false requires_pre_auth: description: Pre-authentication is required for the service @@ -277,9 +278,10 @@ options: Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. + Use empty string to reset auth_ind to the initial value. type: list aliases: ["krbprincipalauthind"] - choices: ["radius", "otp", "pkinit", "hardened"] + choices: ["radius", "otp", "pkinit", "hardened", ""] required: false requires_pre_auth: description: Pre-authentication is required for the service @@ -590,7 +592,7 @@ def main(): default=None), auth_ind=dict(type='list', aliases=["krbprincipalauthind"], default=None, - choices=['password', 'radius', 'otp']), + choices=['radius', 'otp', 'pkinit', 'hardened', '']), requires_pre_auth=dict(type="bool", aliases=["ipakrbrequirespreauth"], default=None), ok_as_delegate=dict(type="bool", aliases=["ipakrbokasdelegate"], @@ -835,6 +837,13 @@ def main(): if x in args: del args[x] + # Ignore auth_ind if it is empty (for resetting) + # and not set in for the host + if "krbprincipalauthind" not in res_find and \ + "krbprincipalauthind" in args and \ + args["krbprincipalauthind"] == ['']: + del args["krbprincipalauthind"] + # For all settings is args, check if there are # different settings in the find result. # If yes: modify
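Review bot: "Reset auth_ind to the initial value" in the added description line does not say what that value is, and for an authentication control the reader needs to know it. If, as the parameter description suggests, clearing the list leaves the host principal with no indicator requirement at all, the text should say so, for example `Use empty string to reset auth_ind, which removes the indicator restriction from the host.` The same sentence is added to the second options block at line 277 and wants the same wording.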
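Review bot: The closed `choices` list on `auth_ind` in the argument spec contradicts the option description, which still says "Other values may be used for custom configurations": with `choices` set, argument validation rejects any indicator outside the five listed values. Either drop that sentence from both option descriptions or remove `choices` and validate the values in code. The spec also accepts `''` next to real indicators, so a list such as `['otp', '']` passes validation; a check in main() that `''` is the only element when it is present would keep a reset request unambiguous. main() begins and ends outside this hunk.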
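Review bot: The comment on the added guard has a stray word ("not set in for the host") and covers only half of the behaviour. It explains the no-op case, but when the host does have `krbprincipalauthind` set, `['']` stays in `args` and presumably goes on to the modify path, which relaxes an authentication requirement and deserves a line of its own. I would write `# Drop an empty auth_ind (reset request) when the host has none set, so no change is reported.` followed by `# If the host has indicators, [''] is kept and the modify below clears them.` Assuming `args` is a dict, the three-line condition also reads more simply as `if "krbprincipalauthind" not in res_find and args.get("krbprincipalauthind") == ['']:`. This code sits inside main(), which begins and ends outside the hunk.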