--- - name: Playbook to handle server configuration hosts: ipaserver become: true gather_facts: false tasks: - include_tasks: ../env_freeipa_facts.yml # Retrieve current configuration. - name: return current values of the global configuration options ipaconfig: ipaadmin_password: SomeADMINpassword register: previousconfig - debug: msg: "{{previousconfig}}" # setup environment. - name: create test group ipagroup: ipaadmin_password: 'SomeADMINpassword' name: somedefaultgroup - name: Ensure the default e-mail domain is ipa.test. ipaconfig: ipaadmin_password: SomeADMINpassword emaildomain: ipa.test - name: set default shell to '/bin/sh' ipaconfig: ipaadmin_password: SomeADMINpassword defaultshell: /bin/sh - name: set default group ipaconfig: ipaadmin_password: SomeADMINpassword defaultgroup: ipausers - name: set default home directory ipaconfig: ipaadmin_password: SomeADMINpassword homedirectory: /home - name: clear pac-type ipaconfig: ipaadmin_password: SomeADMINpassword pac_type: "" - name: set maxhostname to 255 block: - ipaconfig: ipaadmin_password: SomeADMINpassword maxhostname: 255 when: ipa_version is version('4.8.0', '>=') - name: set maxusername to 45 ipaconfig: ipaadmin_password: SomeADMINpassword maxusername: 45 - name: set pwdexpnotify to 0 ipaconfig: ipaadmin_password: SomeADMINpassword pwdexpnotify: 0 - name: set searchrecordslimit to 10 ipaconfig: ipaadmin_password: SomeADMINpassword searchrecordslimit: 10 - name: set searchtimelimit to 1 ipaconfig: ipaadmin_password: SomeADMINpassword searchtimelimit: 1 - name: clear configstring ipaconfig: ipaadmin_password: SomeADMINpassword configstring: "" - name: set configstring to AllowNThash ipaconfig: ipaadmin_password: SomeADMINpassword configstring: 'KDC:Disable Lockout' - name: set selinuxusermapdefault ipaconfig: ipaadmin_password: SomeADMINpassword selinuxusermapdefault: "staff_u:s0-s0:c0.c1023" - name: set selinuxusermaporder ipaconfig: ipaadmin_password: SomeADMINpassword selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023' - name: set usersearch to `uid` ipaconfig: ipaadmin_password: SomeADMINpassword usersearch: uid - name: set groupsearch to `cn` ipaconfig: ipaadmin_password: SomeADMINpassword groupsearch: cn # tests - name: Ensure the default e-mail domain is somedomain.test. ipaconfig: ipaadmin_password: SomeADMINpassword emaildomain: somedomain.test register: result failed_when: not result.changed - name: Ensure the default e-mail domain is somedomain.test, again. ipaconfig: ipaadmin_password: SomeADMINpassword emaildomain: somedomain.test register: result failed_when: result.changed - name: set default shell to '/bin/someshell' ipaconfig: ipaadmin_password: SomeADMINpassword defaultshell: /bin/someshell register: result failed_when: not result.changed - name: set default shell to '/bin/someshell', again. ipaconfig: ipaadmin_password: SomeADMINpassword defaultshell: /bin/someshell register: result failed_when: result.changed - name: set default group ipaconfig: ipaadmin_password: SomeADMINpassword defaultgroup: somedefaultgroup register: result failed_when: not result.changed - name: set default group ipaconfig: ipaadmin_password: SomeADMINpassword defaultgroup: somedefaultgroup register: result failed_when: result.changed - name: set default home directory ipaconfig: ipaadmin_password: SomeADMINpassword homedirectory: /Users register: result failed_when: not result.changed - name: set default home directory ipaconfig: ipaadmin_password: SomeADMINpassword homedirectory: /Users register: result failed_when: result.changed - name: set pac-type ipaconfig: ipaadmin_password: SomeADMINpassword pac_type: "nfs:NONE" register: result failed_when: not result.changed - name: set pac-type, again. ipaconfig: ipaadmin_password: SomeADMINpassword pac_type: "nfs:NONE" register: result failed_when: result.changed - name: set maxusername to 33 ipaconfig: ipaadmin_password: SomeADMINpassword maxusername: 33 register: result failed_when: not result.changed - name: set maxusername to 33, again. ipaconfig: ipaadmin_password: SomeADMINpassword maxusername: 33 register: result failed_when: result.changed - name: set maxhostname to 77 block: - ipaconfig: ipaadmin_password: SomeADMINpassword maxhostname: 77 register: result failed_when: not result.changed - ipaconfig: ipaadmin_password: SomeADMINpassword maxhostname: 77 register: result failed_when: result.changed when: ipa_version is version('4.8.0', '>=') - name: set pwdexpnotify to 17 ipaconfig: ipaadmin_password: SomeADMINpassword pwdexpnotify: 17 register: result failed_when: not result.changed - name: set pwdexpnotify to 17, again ipaconfig: ipaadmin_password: SomeADMINpassword pwdexpnotify: 17 register: result failed_when: result.changed - name: set searchrecordslimit to -1 ipaconfig: ipaadmin_password: SomeADMINpassword searchrecordslimit: -1 register: result failed_when: not result.changed - name: set searchrecordslimit to -1, again. ipaconfig: ipaadmin_password: SomeADMINpassword searchrecordslimit: -1 register: result failed_when: result.changed - name: set searchtimelimit to 12345 ipaconfig: ipaadmin_password: SomeADMINpassword searchtimelimit: 12345 register: result failed_when: not result.changed - name: set searchtimelimit to 12345, again. ipaconfig: ipaadmin_password: SomeADMINpassword searchtimelimit: 12345 register: result failed_when: result.changed - name: change enable_migration ipaconfig: ipaadmin_password: SomeADMINpassword enable_migration: '{{ not previousconfig.config.enable_migration }}' register: result failed_when: not result.changed - name: change enable_migration, again ipaconfig: ipaadmin_password: SomeADMINpassword enable_migration: '{{ not previousconfig.config.enable_migration }}' register: result failed_when: result.changed - name: set configstring to AllowNThash ipaconfig: ipaadmin_password: SomeADMINpassword configstring: AllowNThash register: result failed_when: not result.changed - name: set configstring to AllowNThash, again. ipaconfig: ipaadmin_password: SomeADMINpassword configstring: AllowNThash register: result failed_when: result.changed - name: set selinuxusermaporder ipaconfig: ipaadmin_password: SomeADMINpassword selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' register: result failed_when: not result.changed - name: set selinuxusermaporder, again ipaconfig: ipaadmin_password: SomeADMINpassword selinuxusermaporder: 'user_u:s0$staff_u:s0-s0:c0.c1023$sysadm_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023' register: result failed_when: result.changed - name: set selinuxusermapdefault ipaconfig: ipaadmin_password: SomeADMINpassword selinuxusermapdefault: 'user_u:s0' register: result failed_when: not result.changed - name: set selinuxusermapdefault, again ipaconfig: ipaadmin_password: SomeADMINpassword selinuxusermapdefault: 'user_u:s0' register: result failed_when: result.changed - name: set groupsearch to `description` ipaconfig: ipaadmin_password: SomeADMINpassword groupsearch: description register: result failed_when: not result.changed - name: set groupsearch to `gidNumber`, again ipaconfig: ipaadmin_password: SomeADMINpassword groupsearch: description register: result failed_when: result.changed - name: set usersearch to `uidNumber` ipaconfig: ipaadmin_password: SomeADMINpassword usersearch: uidNumber register: result failed_when: not result.changed - name: set usersearch to `uidNumber`, again ipaconfig: ipaadmin_password: SomeADMINpassword usersearch: uidNumber register: result failed_when: result.changed - name: reset changed fields ipaconfig: ipaadmin_password: 'SomeADMINpassword' maxusername: '{{previousconfig.config.maxusername | default(omit)}}' homedirectory: '{{previousconfig.config.homedirectory | default(omit)}}' defaultshell: '{{previousconfig.config.defaultshell | default(omit)}}' defaultgroup: '{{previousconfig.config.defaultgroup | default(omit)}}' emaildomain: '{{previousconfig.config.emaildomain | default(omit)}}' searchtimelimit: '{{previousconfig.config.searchtimelimit | default(omit)}}' searchrecordslimit: '{{previousconfig.config.searchrecordslimit | default(omit)}}' usersearch: '{{previousconfig.config.usersearch | default(omit)}}' groupsearch: '{{previousconfig.config.groupsearch | default(omit)}}' enable_migration: '{{previousconfig.config.enable_migration | default(omit)}}' groupobjectclasses: '{{previousconfig.config.groupobjectclasses | default(omit)}}' userobjectclasses: '{{previousconfig.config.userobjectclasses | default(omit)}}' pwdexpnotify: '{{previousconfig.config.pwdexpnotify | default(omit)}}' configstring: '{{previousconfig.config.configstring | default(omit)}}' selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault | default(omit)}}' selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder | default(omit)}}' pac_type: '{{previousconfig.config.pac_type | default(omit)}}' user_auth_type: '{{previousconfig.config.user_auth_type | default(omit)}}' domain_resolution_order: '{{previousconfig.config.domain_resolution_order | default(omit)}}' ca_renewal_master_server: '{{previousconfig.config.ca_renewal_master_server | default(omit)}}' register: result failed_when: not result.changed - name: reset maxhostname block: - ipaconfig: ipaadmin_password: SomeADMINpassword maxhostname: '{{previousconfig.config.maxhostname | default(omit)}}' when: ipa_version is version('4.8.0', '>=') - name: reset changed fields, again ipaconfig: ipaadmin_password: 'SomeADMINpassword' maxusername: '{{previousconfig.config.maxusername | default(omit)}}' homedirectory: '{{previousconfig.config.homedirectory | default(omit)}}' defaultshell: '{{previousconfig.config.defaultshell | default(omit)}}' defaultgroup: '{{previousconfig.config.defaultgroup | default(omit)}}' emaildomain: '{{previousconfig.config.emaildomain | default(omit)}}' searchtimelimit: '{{previousconfig.config.searchtimelimit | default(omit)}}' searchrecordslimit: '{{previousconfig.config.searchrecordslimit | default(omit)}}' usersearch: '{{previousconfig.config.usersearch | default(omit)}}' groupsearch: '{{previousconfig.config.groupsearch | default(omit)}}' enable_migration: '{{previousconfig.config.enable_migration | default(omit)}}' groupobjectclasses: '{{previousconfig.config.groupobjectclasses | default(omit)}}' userobjectclasses: '{{previousconfig.config.userobjectclasses | default(omit)}}' pwdexpnotify: '{{previousconfig.config.pwdexpnotify | default(omit)}}' configstring: '{{previousconfig.config.configstring | default(omit)}}' selinuxusermapdefault: '{{previousconfig.config.selinuxusermapdefault | default(omit)}}' selinuxusermaporder: '{{previousconfig.config.selinuxusermaporder | default(omit)}}' pac_type: '{{previousconfig.config.pac_type | default(omit)}}' user_auth_type: '{{previousconfig.config.user_auth_type | default(omit)}}' domain_resolution_order: '{{previousconfig.config.domain_resolution_order | default(omit)}}' ca_renewal_master_server: '{{previousconfig.config.ca_renewal_master_server | default(omit)}}' register: result failed_when: result.changed - name: reset maxhostname block: - ipaconfig: ipaadmin_password: SomeADMINpassword maxhostname: '{{previousconfig.config.maxhostname | default(omit)}}' when: ipa_version is version('4.8.0', '>=') # cleanup - name: cleanup test group ipagroup: ipaadmin_password: 'SomeADMINpassword' name: somedefaultgroup state: absent