ipagroup: Fix management of AD objects #1335
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When managing AD objects the SID of the objects are stored in FreeIPA database, but a user would still use the human readable values, like "AD\\user" or "[email protected]". This can cause idempotence issues in many cases, and prevent some actions to be performed, like ensure absence of the object. The methods added allow the conversion of one or multiple objects, and will be used by any module that manages AD objects. Signed-off-by: Rafael Guterres Jeffman <[email protected]>
This patch improves tests/env_freeipa_facts.yml by ensuring ipaserver_realm is set, making AD server availability discoverable, and allowing playbooks to run with 'gather_facts: false' by gathering minimal facts.
rjeffman
force-pushed
the
ipagroup_fix_1
branch
from
7671c37 to
ce1b9be
Compare
varunmylaraiah
approved these changes
Jan 29, 2025
There was a problem hiding this comment.
Fix is working fine.
[root@master ~]# ipa group-show external-group1
Group name: external-group1
External member: [email protected], [email protected]
[root@ansible ~]# cat external_group_remove.yaml
---
- name: Playbook to ensure external member is absent from the external group(external-group1)
hosts: ipaserver
become: true
tasks:
- ipagroup:
ipaadmin_password: <xxxxxxxxx>
name: external-group1
action: member
externalmember:
- [email protected]
- [email protected]
state: absent
PLAY [Playbook to ensure external member is absent from the external group(external-group1)] **************************************************************************************
TASK [Gathering Facts] ************************************************************************************************************************************************************
task path: /root/external_group_remove.yaml:2
ok: [master.ipadomain.test]
TASK [ipagroup] *******************************************************************************************************************************************************************
task path: /root/external_group_remove.yaml:6
changed: [master.ipadomain.test] => {"changed": true}
PLAY RECAP ************************************************************************************************************************************************************************
master.ipadomain.test : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
[root@master ~]# ipa group-show external-group1
Group name: external-group1
External member: [email protected]
|
@varunmylaraiah in this example shouldn't both the members should have been excluded? |
rjeffman
force-pushed
the
ipagroup_fix_1
branch
from
ce1b9be to
adfb93f
Compare
|
|
Please add a failure in case of external_member usage with client context. Please also add this to the docs (README and documentation sections in the module). |
rjeffman
force-pushed
the
ipagroup_fix_1
branch
2 times, most recently
from
9c98caa to
6e17212
Compare
|
Added the test to fail in case @t-woerner, please, review de documentation. |
When using AD objects, a user expects to use the more human readable form, like "[email protected]", but this impose some dificulties on evaluating which object is being referenced as AD has several forms to refer to the same object. Each object is AD is identified uniquely by its SID, and this is the identifier that IPA stores in its database. When managing AD objects, IPA finds its SID and works with that value. ansible-freeipa tried to process these objects using the human readable values, and it cause idempontence error when ensuring the values were present or modified, and, at least in some cases, prevented the objects to be made absent, as the object list created didn't match the SID to the value used as module parameter. By using SID to process the AD objects in ipagroup, the addition or removal of members works and idempotence of these members is ensured. The only issue with thils approach is that it only works no server nodes. In client nodes, the conversion to SID is not available and the same issues that existed before will still be present. Tests were updated to reflect these changes, a new test, specific to idempotence issues of AD objects was added: tests/group/test_group_ad_users.yml Resolves: https://issues.redhat.com/browse/RHEL-70023
rjeffman
force-pushed
the
ipagroup_fix_1
branch
from
6e17212 to
6925503
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When using AD objects, a user expects to use the more human readable
form, like "[email protected]", but this impose some dificulties on
evaluating which object is being referenced as AD has several forms to
refer to the same object.
Each object is AD is identified uniquely by its SID, and this is the
identifier that IPA stores in its database. When managing AD objects,
IPA finds its SID and works with that value.
ansible-freeipa tried to process these objects using the human readable
values, and it cause idempontence error when ensuring the values were
present or modified, and, at least in some cases, prevented the objects
to be made absent, as the object list created didn't match the SID to
the value used as module parameter.
By using SID to process the AD objects in ipagroup, the addition or
removal of members works and idempotence of these members is ensured.
The only issue with thils approach is that it only works no server
nodes. In client nodes, the conversion to SID is not available and the
same issues that existed before will still be present.
Tests were updated to reflect these changes, a new test, specific to
idempotence issues of AD objects was added:
tests/group/test_group_ad_users.yml
Resolves: https://issues.redhat.com/browse/RHEL-70023
For information on some changes required to finish or test this changes, please, refer to the specific commits.