ipa_group not idempotent #16
Comments
Hi @missnebun, do you get the same behaviour using the IPA modules shipped with Ansible 2.3?
Hi Thomas,
Thank you for getting back to me. I am using ansible 2.3.1.0 and the modules from there.
Here is how I create external groups and add external users to it.
# Add external non-POSIX group
ipa group-add --desc='Example AD group' --nonposix --external example-ad
# Add external user members to the group
ipa -n group-add-member example-ad --external [email protected]
# Create a POSIX group
ipa group-add --desc='Example IDM group' example-idm
# Add AD group to the POSIX group
ipa group-add-member example-idm --groups=example-ad
On the module I do not have the option to specify if the user is external.
I opened an issue on ansible as well. ansible/ansible#25660
Regards,
Gabriel
… On Jun 19, 2017, at 7:29 AM, Thomas Krahn ***@***.***> wrote:
Hi @missnebun ,
do you get the same behaviour using the IPA modules shipped with Ansible 2.3?
I am having the same issues

Having the same issue. External users are never added to the nonposix group.
Thank you for these modules ... they really save some time.
We have our IDM integrated with AD.
Here is my playbook:
- hosts: idm
  vars:
    ipa_host:
    ipa_principal: ansibleidm
    ipa_principal_password: !vault |
      $ANSIBLE_VAULT;1.1;AES256
      31343135323433356639386233313439336362313436333933643234363966353437393534383530
      6562313366663266363938616561353065646139656466320a333132383835343961663933383533
      62393365373962646561366161616565386463386162643566386139653163396331383837323238
      6266613935353366650a653965383834326133353136396339386136376463616232646230333430
      6234
    ipa_groups:
      ssbu-ad:
        ipa_group_external: yes
        ipa_nonposix: yes
        ipa_group_state: present
        ipa_users:
          - [email protected]
          - [email protected]
  tasks:
    - ipa_group:
        ipa_host: "{{ ipa_host }}"
        ipa_user: "{{ ipa_principal }}"
        ipa_pass: "{{ ipa_principal_password }}"
        name: "{{ item.key }}"
        state: "{{ item.value.ipa_group_state|default('present') }}"
        external: "{{ item.value.ipa_group_external|default('no')}}"
        nonposix: "{{ item.value.ipa_nonposix | default('no')}}"
        user: "{{ item.value.ipa_users }}"
      with_dict: "{{ ipa_groups }}"
#Run the playbook
ansible-playbook -i test_hosts.txt test_groups.yml --vault-password-file ~/.ansible_vault.txt -vvv
changed: [idm01.example.com] => (item={'key': u'ssbu-ad', 'value': {u'ipa_group_external': True, u'ipa_nonposix': True, u'ipa_users': [u'[email protected]', u'[email protected]'], u'ipa_group_state': u'present'}}) => {
    "changed": true,
    "group": {
        "cn": [
            "ssbu-ad"
        ],
        "dn": "cn=ssbu-ad,cn=groups,cn=accounts,dc=example,dc=org",
        "ipauniqueid": [
            "7524d8a8-5033-11e7-abd6-0050569e2795"
        ],
        "objectclass": [
            "ipaobject",
            "top",
            "nestedgroup",
            "ipausergroup",
            "groupofnames",
            "ipaexternalgroup"
        ]
    },
    "invocation": {
        "module_args": {
            "cn": "ssbu-ad",
            "description": null,
            "external": true,
            "gidnumber": null,
            "group": null,
            "ipa_host": "idm01.example.com",
            "ipa_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "ipa_port": 443,
            "ipa_prot": "https",
            "ipa_user": "ansibleidm",
            "name": "ssbu-ad",
            "nonposix": true,
            "state": "present",
            "user": [
                "[email protected]",
                "[email protected]"
            ],
            "validate_certs": true
        }
    },
    "item": {
        "key": "ssbu-ad",
        "value": {
            "ipa_group_external": true,
            "ipa_group_state": "present",
            "ipa_nonposix": true,
            "ipa_users": [
                "[email protected]",
                "[email protected]"
            ]
        }
    }
}
META: ran handlers
META: ran handlers
PLAY RECAP ********************************************************************************************************************************************************************************************************
idm01.example.com : ok=2 changed=1 unreachable=0 failed=0
1st Problem.
The external users never get created.
2nd Problem.
The module is not idempotent.
If I run the playbook again I get:
failed: [idm01.example.com] (item={'key': u'ssbu-ad', 'value': {u'ipa_group_external': True, u'ipa_nonposix': True, u'ipa_users': [u'[email protected]', u'[email protected]'], u'ipa_group_state': u'present'}}) => {
    "failed": true,
    "invocation": {
        "module_args": {
            "cn": "ssbu-ad",
            "description": null,
            "external": true,
            "gidnumber": null,
            "group": null,
            "ipa_host": "idm01.example.com",
            "ipa_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "ipa_port": 443,
            "ipa_prot": "https",
            "ipa_user": "ansibleidm",
            "name": "ssbu-ad",
            "nonposix": true,
            "state": "present",
            "user": [
                "[email protected]",
                "[email protected]"
            ],
            "validate_certs": true
        }
    },
    "item": {
        "key": "ssbu-ad",
        "value": {
            "ipa_group_external": true,
            "ipa_group_state": "present",
            "ipa_nonposix": true,
            "ipa_users": [
                "[email protected]",
                "[email protected]"
            ]
        }
    },
    "msg": "repsonse group_mod: This group already allows external members"
}
to retry, use: --limit @/home/ansible/test/test_groups.retry
PLAY RECAP ********************************************************************************************************************************************************************************************************
idm01.example.com : ok=1 changed=0 unreachable=0 failed=1
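
The first-run output above already lists `ipaexternalgroup` in the group's `objectclass`, and the second run fails with "This group already allows external members". The following Python example is an added illustration, not the `ipa_group` module's code and not from this thread: it compares desired and current state before planning any call, so a converged group yields no calls. The `@` test for external users, the `ipaexternalmember` and `member_user` keys, and the sample account names are assumptions.

```python
EXTERNAL_OC = "ipaexternalgroup"  # objectclass seen in the first-run output


def plan_group_changes(desired, current):
    """Return the (api_call, args) list needed to reach `desired`.

    current is the group entry reported by the server, or None if absent.
    An empty list means the task should report changed=False.
    """
    cn = desired["cn"]
    want_external = bool(desired.get("external"))
    calls = []
    if current is None:
        calls.append(("group_add", {"cn": cn, "external": want_external,
                                    "nonposix": bool(desired.get("nonposix"))}))
        current = {}
    else:
        classes = {oc.lower() for oc in current.get("objectclass", [])}
        # Request the conversion only while the group is not external yet;
        # repeating it is answered with "This group already allows external members".
        if want_external and EXTERNAL_OC not in classes:
            calls.append(("group_mod", {"cn": cn, "external": True}))

    # Assumption: a member written as user@domain is an external (AD) user.
    wanted = desired.get("user") or []
    have_ext = {m.lower() for m in current.get("ipaexternalmember", [])}  # assumed key
    have_local = set(current.get("member_user", []))                      # assumed key
    missing_ext = [u for u in wanted if "@" in u and u.lower() not in have_ext]
    missing_local = [u for u in wanted if "@" not in u and u not in have_local]
    if missing_ext or missing_local:
        args = {"cn": cn}
        if missing_ext:
            args["ipaexternalmember"] = missing_ext
        if missing_local:
            args["user"] = missing_local
        calls.append(("group_add_member", args))
    return calls


# Constructed sample data modelled on the issue (account names are made up).
DESIRED = {"cn": "ssbu-ad", "external": True, "nonposix": True,
           "user": ["aduser1@ad.example.org", "aduser2@ad.example.org"]}
AFTER_FIRST_RUN = {"cn": ["ssbu-ad"],
                   "objectclass": ["ipaobject", "top", "nestedgroup",
                                   "ipausergroup", "groupofnames", "ipaexternalgroup"]}
CONVERGED = dict(AFTER_FIRST_RUN, ipaexternalmember=DESIRED["user"])

if __name__ == "__main__":
    for label, state in [("absent", None), ("after first run", AFTER_FIRST_RUN),
                         ("converged", CONVERGED)]:
        print(label, "->", plan_group_changes(DESIRED, state))
```
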