ipagroup: Fix ensuring external group group members (without trust-ad) #1072

t-woerner · 2023-04-03T13:01:37Z

Due to an API misbehaviour in FreeIPA, ipaexternalmembers need to be
treated differently than other group members parameters. Even an empty
array triggers all tests for external members, including the check for
installed dcerpc bindings.

Therefore ipagroup module has been changed to not set ipaexternalmember
to an empty list if there are no external members to be added or
removed.

Due to an API misbehaviour in FreeIPA, ipaexternalmembers need to be treated differently than other group members parameters. Even an empty array triggers all tests for external members, including the check for installed dcerpc bindings. Therefore ipagroup module has been changed to not set ipaexternalmember to an empty list if there are no external members to be added or removed.

varunmylaraiah · 2023-04-03T13:16:38Z

PR works fine


[root@master ~]# rpm -qa ipa-server-trust-ad

[root@master ~]# ipa group-add testgroup01
-------------------------
Added group "testgroup01"
-------------------------
  Group name: testgroup01
  GID: 1078400013

[root@master ~]# ipa group-add 01externaltestgroup --external
---------------------------------
Added group "01externaltestgroup"
---------------------------------
  Group name: 01externaltestgroup


---
- name: Playbook to ensure a group member is present
  hosts: ipaserver
  become: true

  tasks:
  # add group member
  - ipagroup:
      ipaadmin_password: <XXXXXXXXX>
      name: 01externaltestgroup
      action: member
      group:
      - testgroup01


# ansible-playbook -v -i inventory/group.hosts extergroupmembers.yaml
Using /root/ansible.cfg as config file

PLAY [Playbook to ensure a group member is present] *************************************************************

TASK [Gathering Facts] ******************************************************************************************
ok: [master.ipadomain.test]

TASK [ipagroup] *************************************************************************************************
ok: [master.ipadomain.test] => {"changed": false}

PLAY RECAP ******************************************************************************************************
master.ipadomain.test      : ok=2    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0


[root@master ~]# ipa group-show 01externaltestgroup --all
  dn: cn=01externaltestgroup,cn=groups,cn=accounts,dc=ipadomain,dc=test
  Group name: 01externaltestgroup
  Member groups: testgroup01
  ipauniqueid: 346b5a30-d151-11ed-b95e-fa163e722887
  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaexternalgroup

varunmylaraiah · 2023-04-04T16:24:00Z

LGTM

rjeffman

LGTM

varunmylaraiah approved these changes Apr 3, 2023

View reviewed changes

rjeffman approved these changes Apr 4, 2023

View reviewed changes

rjeffman merged commit 82c0161 into freeipa:master Apr 4, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ipagroup: Fix ensuring external group group members (without trust-ad) #1072

ipagroup: Fix ensuring external group group members (without trust-ad) #1072

t-woerner commented Apr 3, 2023

varunmylaraiah commented Apr 3, 2023 •

edited

varunmylaraiah commented Apr 4, 2023

rjeffman left a comment

ipagroup: Fix ensuring external group group members (without trust-ad) #1072

ipagroup: Fix ensuring external group group members (without trust-ad) #1072

Conversation

t-woerner commented Apr 3, 2023

varunmylaraiah commented Apr 3, 2023 • edited

varunmylaraiah commented Apr 4, 2023

rjeffman left a comment

Choose a reason for hiding this comment

varunmylaraiah commented Apr 3, 2023 •

edited