From 4dd1d25eacd1481be0a881a017144ff4d3396ccd Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Thu, 6 Feb 2020 15:38:00 +0100
Subject: [PATCH] ipapwpolicy: Use global_policy if name is not set
If the name is not set, the policy global_policy is now used. It was needed
before to explicitly name the global_policy. Also a check has been added
to fail early if global_policy is used with state absent.
The README for pwpolicy has been extended with an example for global_policy
and also the description of the name variable.
The test has also been extended to check a change of maxlife for
global_policy and that global_policy can not be used with state: absent
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1797532
---
README-pwpolicy.md | 19 +++++++++++--
plugins/modules/ipapwpolicy.py | 9 ++++--
tests/pwpolicy/test_pwpolicy.yml | 49 ++++++++++++++++++++++++++++++++
3 files changed, 73 insertions(+), 4 deletions(-)
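diff --git a/README-pwpolicy.md b/README-pwpolicy.md
index 16306b7..847b32d 100644
--- a/README-pwpolicy.md
+++ b/README-pwpolicy.md
@@ -56,7 +56,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops:
 maxfail: 3
 ```
 
-Example playbook to ensure absence of pwpolicies for group ops
+Example playbook to ensure absence of pwpolicies for group ops:
 
 ```yaml
 ---
@@ -72,6 +72,21 @@ Example playbook to ensure absence of pwpolicies for group ops
 state: absent
 ```
 
+Example playbook to ensure maxlife is set to 49 in global policy:
+
+```yaml
+---
+- name: Playbook to handle pwpolicies
+ hosts: ipaserver
+ become: true
+
+ tasks:
+ # Ensure absence of pwpolicies for group ops
+ - ipapwpolicy:
+ ipaadmin_password: MyPassword123
+ maxlife: 49
+```
+
 
 Variables
 =========
@@ -83,7 +98,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
-`name` \| `cn` | The list of pwpolicy name strings. | no
+`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
 `maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
 `minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
 `history` \| `krbpwdhistorylength` | Password history size. (int) | no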
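diff --git a/plugins/modules/ipapwpolicy.py b/plugins/modules/ipapwpolicy.py
index 9437b59..f168703 100644
--- a/plugins/modules/ipapwpolicy.py
+++ b/plugins/modules/ipapwpolicy.py
@@ -167,7 +167,7 @@ def main():
 ipaadmin_password=dict(type="str", required=False, no_log=True),
 
 name=dict(type="list", aliases=["cn"], default=None,
- required=True),
+ required=False),
 # present
 
 maxlife=dict(type="int", aliases=["krbmaxpwdlife"], default=None),
@@ -218,6 +218,9 @@ def main():
 
 # Check parameters
 
+ if names is None:
+ names = ["global_policy"]
+
 if state == "present":
 if len(names) != 1:
 ansible_module.fail_json(
@@ -225,8 +228,10 @@ def main():
 
 if state == "absent":
 if len(names) < 1:
+ ansible_module.fail_json(msg="No name given.")
+ if "global_policy" in names:
 ansible_module.fail_json(
- msg="No name given.")
+ msg="'global_policy' can not be made absent.")
 invalid = ["maxlife", "minlife", "history", "minclasses",
 "minlength", "priority", "maxfail", "failinterval",
 "lockouttime"]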
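Review bot: The new fallback `if names is None: names = ["global_policy"]` means a task whose `name` was forgotten, or whose variable resolved to `omit`, now changes the realm-wide password policy where `required=True` used to stop the run. Because that policy is the default for accounts without a group policy, I would make the fallback visible, for example `ansible_module.warn("No name given, settings are applied to global_policy")` right after the assignment, and state the default in the module's `name` option documentation if it has one. The absent guard `if "global_policy" in names:` is an exact string match; whether the server treats a differently-cased name as the same entry is not visible here and is worth confirming. `main()` starts and ends outside these hunks.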
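diff --git a/tests/pwpolicy/test_pwpolicy.yml b/tests/pwpolicy/test_pwpolicy.yml
index 5c69345..f93f275 100644
--- a/tests/pwpolicy/test_pwpolicy.yml
+++ b/tests/pwpolicy/test_pwpolicy.yml
@@ -5,10 +5,30 @@
 gather_facts: false
 
 tasks:
+ - name: Ensure maxlife of 90 for global_policy
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ maxlife: 90
+
+ - name: Ensure absence of group ops
+ ipagroup:
+ ipaadmin_password: SomeADMINpassword
+ name: ops
+ state: absent
+
+ - name: Ensure absence of pwpolicies for group ops
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ name: ops
+ state: absent
+
 - name: Ensure presence of group ops
 ipagroup:
 ipaadmin_password: SomeADMINpassword
 name: ops
+ state: present
+ register: result
+ failed_when: not result.changed
 
 - name: Ensure presence of pwpolicies for group ops
 ipapwpolicy:
@@ -42,6 +62,28 @@
 register: result
 failed_when: result.changed
 
+ - name: Ensure maxlife of 49 for global_policy
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ maxlife: 49
+ register: result
+ failed_when: not result.changed
+
+ - name: Ensure maxlife of 49 for global_policy again
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ maxlife: 49
+ register: result
+ failed_when: result.changed
+
+ - name: Ensure absence of pwpoliciy global_policy will fail
+ ipapwpolicy:
+ ipaadmin_password: SomeADMINpassword
+ state: absent
+ register: result
+ ignore_errors: True
+ failed_when: result is defined and result
+
 - name: Ensure absence of pwpolicies for group ops
 ipapwpolicy:
 ipaadmin_password: SomeADMINpassword
@@ -50,6 +92,13 @@
 register: result
 failed_when: not result.changed
 
+ - name: Ensure maxlife of 90 for global_policy
+ ipapwpolicy:
+ ipaadmin_password: MyPassword123
+ maxlife: 90
+ register: result
+ failed_when: not result.changed
+
 - name: Ensure absence of pwpolicies for group ops
 ipapwpolicy:
 ipaadmin_password: SomeADMINpassword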
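Review bot: The task "Ensure absence of pwpoliciy global_policy will fail" does not check that the module refused the request: `failed_when: result is defined and result` appears to hold for any registered result, and `ignore_errors: True` then hides the outcome, so the play continues whether or not the removal of global_policy was rejected. Asserting on the module's own error would pin the behaviour, e.g. `failed_when: not result.failed or "can not be made absent" not in result.msg` with `ignore_errors` dropped. In the last hunk the added task uses `ipaadmin_password: MyPassword123` while every other task in the file uses `SomeADMINpassword`; that looks copied from the README example and would fail authentication unless an admin ticket is already present.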