ipa_group not idempotent

[missnebun]

Thank you for this modules ... really save some times.

We have our IDM integrated with AD.

1. So I need to create external groups and assign external users to that groups.
2. Then I need to create POSIX groups and assign the AD group to it.

Here is my playbook:

---

• hosts: idm

  vars:
  ipa_host:
  ipa_principal: ansibleidm
  ipa_principal_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  31343135323433356639386233313439336362313436333933643234363966353437393534383530
  6562313366663266363938616561353065646139656466320a333132383835343961663933383533
  62393365373962646561366161616565386463386162643566386139653163396331383837323238
  6266613935353366650a653965383834326133353136396339386136376463616232646230333430
  6234
  ipa_groups:
  ssbu-ad:
  ipa_group_external: yes
  ipa_nonposix: yes
  ipa_group_state: present
  ipa_users:
  - user1@example.com
  - user2@example.com

  tasks:

  • name: Add Users to groups
    ipa_group:
    ipa_host: "{{ ipa_host }}"
    ipa_user: "{{ ipa_principal }}"
    ipa_pass: "{{ ipa_principal_password }}"
    name: "{{ item.key }}"
    state: "{{ item.value.ipa_group_state|default('present') }}"
    external: "{{ item.value.ipa_group_external|default('no')}}"
    nonposix: "{{ item.value.ipa_nonposix | default('no')}}"
    user: "{{ item.value.ipa_users }}"
    with_dict: "{{ ipa_groups }}"

#Run the playbook
ansible-playbook -i test_hosts.txt test_groups.yml --vault-password-file ~/.ansible_vault.txt -vvv

changed: [idm01.example.com] => (item={'key': u'ssbu-ad', 'value': {u'ipa_group_external': True, u'ipa_nonposix': True, u'ipa_users': [u'user01@example.com', u'user02@example.com'], u'ipa_group_state': u'present'}}) => {
"changed": true,
"group": {
"cn": [
"ssbu-ad"
],
"dn": "cn=ssbu-ad,cn=groups,cn=accounts,dc=example,dc=org",
"ipauniqueid": [
"7524d8a8-5033-11e7-abd6-0050569e2795"
],
"objectclass": [
"ipaobject",
"top",
"nestedgroup",
"ipausergroup",
"groupofnames",
"ipaexternalgroup"
]
},
"invocation": {
"module_args": {
"cn": "ssbu-ad",
"description": null,
"external": true,
"gidnumber": null,
"group": null,
"ipa_host": "idm01.example.com",
"ipa_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"ipa_port": 443,
"ipa_prot": "https",
"ipa_user": "ansibleidm",
"name": "ssbu-ad",
"nonposix": true,
"state": "present",
"user": [
"user01@example.com",
"user02@example.com"
],
"validate_certs": true
}
},
"item": {
"key": "ssbu-ad",
"value": {
"ipa_group_external": true,
"ipa_group_state": "present",
"ipa_nonposix": true,
"ipa_users": [
"user01@example.com",
"user02@example.com"
]
}
}
}
META: ran handlers
META: ran handlers

PLAY RECAP ********************************************************************************************************************************************************************************************************
idm01.example.com : ok=2 changed=1 unreachable=0 failed=0

1st Problem.

The external users never gets created.

2nd Problem
The modules is not idempotent

If I run the playbook again I get:

failed: [idm01.example.com] (item={'key': u'ssbu-ad', 'value': {u'ipa_group_external': True, u'ipa_nonposix': True, u'ipa_users': [u'user01@example.com', u'user02@example.com'], u'ipa_group_state': u'present'}}) => {
"failed": true,
"invocation": {
"module_args": {
"cn": "ssbu-ad",
"description": null,
"external": true,
"gidnumber": null,
"group": null,
"ipa_host": "idm01.example.com",
"ipa_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"ipa_port": 443,
"ipa_prot": "https",
"ipa_user": "ansibleidm",
"name": "ssbu-ad",
"nonposix": true,
"state": "present",
"user": [
"user01@example.com",
"user02@example.com"
],
"validate_certs": true
}
},
"item": {
"key": "ssbu-ad",
"value": {
"ipa_group_external": true,
"ipa_group_state": "present",
"ipa_nonposix": true,
"ipa_users": [
"user01@example.com",
"user02@example.com"
]
}
},
"msg": "repsonse group_mod: This group already allows external members"
}
to retry, use: --limit @/home/ansible/test/test_groups.retry

PLAY RECAP ********************************************************************************************************************************************************************************************************
idm01.example.com : ok=1 changed=0 unreachable=0 failed=1

[Nosmoht]

Hi @missnebun ,

do you get the same behaviour using the IPA modules shipped with Ansible 2.3?

[missnebun]

Hi Thomas, Thank you for getting back to me. I am using ansible 2.3.1.0 and the modules from there. Here is how I create external groups and add external users to it. #Add External non POSIX Group ipa group-add --desc=‘Example AD group' --nonposix --external example-ad #Add external users Members to the group ipa -n group-add-member example-ad --external test.user01@example.com #Create a POSIX Group ipa group-add —desc='Example IDM group' example-idm #Add AD group to the POSIX group ipa group-add-member example-idm --groups=example-ad On the module I do not have the option to specify if the user is external. I opened an issue on ansible as well. ansible/ansible#25660 Regards, Gabriel

…

On Jun 19, 2017, at 7:29 AM, Thomas Krahn ***@***.***> wrote: Hi @missnebun , do you get the same behaviour using the IPA modules shipped with Ansible 2.3? — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.

[simdevmat]

I am having the same issues

[jorgemarti]

Having the same issue. External users are never added to the nonposix group.