# This test uses skip_host_check, so it will fail if not using # FreeIPA version 4.7.0 or later. # # To test against earlier versions, use test_without_skip_host_check.yml. # # This test define 6 hosts: # - www.ansible.com: a host with a DNS setup (external), not present in IPA # - no.idontexist.info: a host without DNS and not present in IPA. # - svc.ihavenodns.inf: a host without DNS, but present in IPA. # - svc_fqdn: a host with DNS and present in IPA. # - host1_fqdn and host2_fqdn: used for member actions only. # --- - name: Test service hosts: ipaserver become: yes tasks: # setup - name: Get Domain from server name set_fact: ipaserver_domain: "{{ groups.ipaserver[0].split('.')[1:] | join ('.') }}" when: ipaserver_domain is not defined - name: Set host1, host2 and svc hosts fqdn set_fact: host1_fqdn: "{{ 'host1.' + ipaserver_domain }}" host2_fqdn: "{{ 'host2.' + ipaserver_domain }}" svc_fqdn: "{{ 'svc.' + ipaserver_domain }}" - name: Host absent ipahost: ipaadmin_password: SomeADMINpassword name: - www.ansible.com - no.idontexist.info - svc.ihavenodns.info - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" - "{{ svc_fqdn }}" update_dns: no state: absent - name: Get IPv4 address prefix from server node set_fact: ipv4_prefix: "{{ ansible_default_ipv4.address.split('.')[:-1] | join('.') }}" - name: Add hosts for tests. ipahost: ipaadmin_password: SomeADMINpassword hosts: - name: "{{ host1_fqdn }}" force: yes - name: "{{ host2_fqdn }}" force: yes - name: "{{ svc_fqdn }}" ip_address: "{{ ipv4_prefix + '.201' }}" - name: svc.ihavenodns.info force: yes - name: Ensure testing user user01 is present. ipauser: ipaadmin_password: SomeADMINpassword name: user01 first: user01 last: last - name: Ensure testing user user02 is present. ipauser: ipaadmin_password: SomeADMINpassword name: user02 first: user02 last: last - name: Ensure testing group group01 is present. ipagroup: ipaadmin_password: SomeADMINpassword name: group01 - name: Ensure testing group group02 is present. ipagroup: ipaadmin_password: SomeADMINpassword name: group02 - name: Ensure testing hostgroup hostgroup01 is present. ipahostgroup: ipaadmin_password: SomeADMINpassword name: hostgroup01 - name: Ensure testing hostgroup hostgroup02 is present. ipahostgroup: ipaadmin_password: SomeADMINpassword name: hostgroup02 - name: Ensure services are absent. ipaservice: ipaadmin_password: SomeADMINpassword name: - "HTTP/{{ svc_fqdn }}" - HTTP/www.ansible.com - HTTP/svc.ihavenodns.info - HTTP/no.idontexist.info state: absent # tests - name: Ensure service is present ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" pac_type: - MS-PAC - PAD auth_ind: otp skip_host_check: no force: yes requires_pre_auth: yes ok_as_delegate: no ok_to_auth_as_delegate: no register: result failed_when: not result.changed - name: Ensure service is present, again ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" pac_type: - MS_PAC - PAD auth_ind: otp skip_host_check: no force: no requires_pre_auth: yes ok_as_delegate: no ok_to_auth_as_delegate: no register: result failed_when: result.changed - name: Modify service. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" pac_type: NONE ok_as_delegate: yes ok_to_auth_as_delegate: yes register: result failed_when: not result.changed - name: Modify service, again. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" pac_type: NONE ok_as_delegate: yes ok_to_auth_as_delegate: yes register: result failed_when: result.changed - name: Ensure service is present, without host object. ipaservice: ipaadmin_password: SomeADMINpassword name: HTTP/www.ansible.com skip_host_check: yes register: result failed_when: not result.changed - name: Ensure service is present, without host object, again. ipaservice: ipaadmin_password: SomeADMINpassword name: HTTP/www.ansible.com skip_host_check: yes register: result failed_when: result.changed - name: Ensure service is present, with host not in DNS. ipaservice: ipaadmin_password: SomeADMINpassword name: HTTP/svc.ihavenodns.info skip_host_check: no force: yes register: result failed_when: not result.changed - name: Ensure service is present, with host not in DNS, again. ipaservice: ipaadmin_password: SomeADMINpassword name: HTTP/svc.ihavenodns.info skip_host_check: no force: yes register: result failed_when: result.changed - name: Ensure service is present, whithout host object and with host not in DNS. ipaservice: ipaadmin_password: SomeADMINpassword name: HTTP/no.idontexist.info skip_host_check: yes force: yes register: result failed_when: not result.changed - name: Ensure service is present, whithout host object and with host not in DNS, again. ipaservice: ipaadmin_password: SomeADMINpassword name: HTTP/no.idontexist.info skip_host_check: yes force: yes register: result failed_when: result.changed - name: Principal host/test.example.com present in service. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" principal: - host/test.example.com action: member register: result failed_when: not result.changed - name: Principal host/test.example.com present in service, again. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" principal: - host/test.example.com action: member register: result failed_when: result.changed - name: Principal host/test.example.com absent in service. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" principal: - host/test.example.com action: member state: absent register: result failed_when: not result.changed - name: Principal host/test.example.com absent in service, again. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" principal: - host/test.example.com action: member state: absent register: result failed_when: result.changed - name: Ensure host can manage service. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" host: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" action: member register: result failed_when: not result.changed - name: Ensure host can manage service, again. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" host: "{{ host1_fqdn }}" action: member register: result failed_when: result.changed - name: Ensure host cannot manage service. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" host: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" action: member state: absent register: result failed_when: not result.changed - name: Ensure host cannot manage service, again. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" host: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" action: member state: absent register: result failed_when: result.changed - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" allow_create_keytab_user: - user01 - user02 allow_create_keytab_group: - group01 - group02 allow_create_keytab_host: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" allow_create_keytab_hostgroup: - hostgroup01 - hostgroup02 action: member register: result failed_when: not result.changed - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab present for users, groups, hosts and hostgroups, again. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" allow_create_keytab_user: - user01 - user02 allow_create_keytab_group: - group01 - group02 allow_create_keytab_host: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" allow_create_keytab_hostgroup: - hostgroup01 - hostgroup02 action: member register: result failed_when: result.changed - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" allow_create_keytab_user: - user01 - user02 allow_create_keytab_group: - group01 - group02 allow_create_keytab_host: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" allow_create_keytab_hostgroup: - hostgroup01 - hostgroup02 action: member state: absent register: result failed_when: not result.changed - name: Service "HTTP/{{ svc_fqdn }}" members allow_create_keytab absent for users, groups, hosts and hostgroups, again. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" allow_create_keytab_user: - user01 - user02 allow_create_keytab_group: - group01 - group02 allow_create_keytab_host: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" allow_create_keytab_hostgroup: - hostgroup01 - hostgroup02 action: member state: absent register: result failed_when: result.changed - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" allow_retrieve_keytab_user: - user01 - user02 allow_retrieve_keytab_group: - group01 - group02 allow_retrieve_keytab_host: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" allow_retrieve_keytab_hostgroup: - hostgroup01 - hostgroup02 action: member register: result failed_when: not result.changed - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab present for users, groups, hosts and hostgroups, again. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" allow_retrieve_keytab_user: - user01 - user02 allow_retrieve_keytab_group: - group01 - group02 allow_retrieve_keytab_host: - "{{ host1_fqdn }}" - host02.exampl "{{ groups.ipaserver[0] }}"e.com allow_retrieve_keytab_hostgroup: - hostgroup01 - hostgroup02 action: member register: result failed_when: result.changed - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" allow_retrieve_keytab_user: - user01 - user02 allow_retrieve_keytab_group: - group01 - group02 allow_retrieve_keytab_host: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" allow_retrieve_keytab_hostgroup: - hostgroup01 - hostgroup02 action: member state: absent register: result failed_when: not result.changed - name: Service "HTTP/{{ svc_fqdn }}" members allow_retrieve_keytab absent for users, groups, hosts and hostgroups, again. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" allow_retrieve_keytab_user: - user01 - user02 allow_retrieve_keytab_group: - group01 - group02 allow_retrieve_keytab_host: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" allow_retrieve_keytab_hostgroup: - hostgroup01 - hostgroup02 action: member state: absent register: result failed_when: result.changed # - name: Ensure service is absent ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" state: absent register: result failed_when: not result.changed - name: Ensure service is absent, again ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" state: absent register: result failed_when: result.changed - name: Ensure service is present, with multiple auth_ind values. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" auth_ind: otp,radius skip_host_check: no force: yes register: result failed_when: not result.changed - name: Ensure service is present, with multiple auth_ind values, again. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" auth_ind: otp,radius skip_host_check: no force: yes register: result failed_when: result.changed - name: Clear auth_ind. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" auth_ind: "" skip_host_check: no force: yes register: result failed_when: not result.changed - name: Clear auth_ind, again. ipaservice: ipaadmin_password: SomeADMINpassword name: "HTTP/{{ svc_fqdn }}" auth_ind: "" skip_host_check: no force: yes register: result failed_when: result.changed - name: Ensure services are absent. ipaservice: ipaadmin_password: SomeADMINpassword name: - "HTTP/{{ svc_fqdn }}" - HTTP/www.ansible.com - HTTP/svc.ihavenodns.info - HTTP/no.idontexist.local continue: yes state: absent register: result failed_when: not result.changed - name: Ensure services are absent. ipaservice: ipaadmin_password: SomeADMINpassword name: - "HTTP/{{ svc_fqdn }}" - HTTP/www.ansible.com - HTTP/svc.ihavenodns.info - HTTP/no.idontexist.local continue: yes state: absent register: result failed_when: result.changed - name: Ensure SMB service is present. ipaservice: ipaadmin_password: MyPassword123 name: "{{ host1_fqdn }}" smb: yes netbiosname: SAMBASVC register: result failed_when: not result.changed - name: Ensure SMB service is again. ipaservice: ipaadmin_password: MyPassword123 name: "{{ host1_fqdn }}" smb: yes netbiosname: SAMBASVC register: result failed_when: result.changed - name: Ensure SMB service is absent. ipaservice: ipaadmin_password: MyPassword123 name: "cifs/{{ host1_fqdn }}" state: absent register: result failed_when: not result.changed - name: Ensure SMB service is absent, again. ipaservice: ipaadmin_password: MyPassword123 name: "cifs/{{ host1_fqdn }}" state: absent register: result failed_when: result.changed # cleanup - name: Ensure services are absent. ipaservice: ipaadmin_password: SomeADMINpassword name: - "HTTP/{{ svc_fqdn }}" - HTTP/www.ansible.com - HTTP/svc.ihavenodns.info - HTTP/no.idontexist.local - "cifs/{{ host1_fqdn }}" state: absent - name: Ensure host "{{ svc_fqdn }}" is absent ipahost: ipaadmin_password: SomeADMINpassword name: "{{ svc_fqdn }}" update_dns: yes state: absent - name: Ensure host is absent ipahost: ipaadmin_password: SomeADMINpassword name: - "{{ host1_fqdn }}" - "{{ host2_fqdn }}" - www.ansible.com - svc.ihavenodns.info update_dns: no state: absent - name: Ensure testing users are absent. ipauser: ipaadmin_password: SomeADMINpassword name: - user01 - user02 state: absent - name: Ensure testing groups are absent. ipagroup: ipaadmin_password: SomeADMINpassword name: - group01 - group02 state: absent - name: Ensure testing hostgroup hostgroup01 is absent. ipagroup: ipaadmin_password: SomeADMINpassword name: - hostgroup01 state: absent - name: Ensure testing hostgroup hostgroup02 is absent. ipagroup: ipaadmin_password: SomeADMINpassword name: - hostgroup02 state: absent