Nosmoht / ansible-module-ipa

Ansible modules to manage FreeIPA configuration

ipa_group not idempotent #16

Open missnebun opened 7 years ago

missnebun commented 7 years ago

Thank you for these modules ... they really save some time.

We have our IDM integrated with AD.

  1. So I need to create external groups and assign external users to those groups.
  2. Then I need to create POSIX groups and assign the AD group to it.

Here is my playbook:


Run the playbook

ansible-playbook -i test_hosts.txt test_groups.yml --vault-password-file ~/.ansible_vault.txt -vvv

changed: [idm01.example.com] => (item={'key': u'ssbu-ad', 'value': {u'ipa_group_external': True, u'ipa_nonposix': True, u'ipa_users': [u'user01@example.com', u'user02@example.com'], u'ipa_group_state': u'present'}}) => { "changed": true, "group": { "cn": [ "ssbu-ad" ], "dn": "cn=ssbu-ad,cn=groups,cn=accounts,dc=example,dc=org", "ipauniqueid": [ "7524d8a8-5033-11e7-abd6-0050569e2795" ], "objectclass": [ "ipaobject", "top", "nestedgroup", "ipausergroup", "groupofnames", "ipaexternalgroup" ] }, "invocation": { "module_args": { "cn": "ssbu-ad", "description": null, "external": true, "gidnumber": null, "group": null, "ipa_host": "idm01.example.com", "ipa_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "ipa_port": 443, "ipa_prot": "https", "ipa_user": "ansibleidm", "name": "ssbu-ad", "nonposix": true, "state": "present", "user": [ "user01@example.com", "user02@example.com" ], "validate_certs": true } }, "item": { "key": "ssbu-ad", "value": { "ipa_group_external": true, "ipa_group_state": "present", "ipa_nonposix": true, "ipa_users": [ "user01@example.com", "user02@example.com" ] } } } META: ran handlers META: ran handlers

PLAY RECAP **** idm01.example.com : ok=2 changed=1 unreachable=0 failed=0

1st Problem: The external users never get created.

2nd Problem: The module is not idempotent.

If I run the playbook again I get:

failed: [idm01.example.com] (item={'key': u'ssbu-ad', 'value': {u'ipa_group_external': True, u'ipa_nonposix': True, u'ipa_users': [u'user01@example.com', u'user02@example.com'], u'ipa_group_state': u'present'}}) => { "failed": true, "invocation": { "module_args": { "cn": "ssbu-ad", "description": null, "external": true, "gidnumber": null, "group": null, "ipa_host": "idm01.example.com", "ipa_pass": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER", "ipa_port": 443, "ipa_prot": "https", "ipa_user": "ansibleidm", "name": "ssbu-ad", "nonposix": true, "state": "present", "user": [ "user01@example.com", "user02@example.com" ], "validate_certs": true } }, "item": { "key": "ssbu-ad", "value": { "ipa_group_external": true, "ipa_group_state": "present", "ipa_nonposix": true, "ipa_users": [ "user01@example.com", "user02@example.com" ] } }, "msg": "repsonse group_mod: This group already allows external members" } to retry, use: --limit @/home/ansible/test/test_groups.retry

PLAY RECAP **** idm01.example.com : ok=1 changed=0 unreachable=0 failed=1

Nosmoht commented 7 years ago

Hi @missnebun ,

do you get the same behaviour using the IPA modules shipped with Ansible 2.3?

missnebun commented 7 years ago

Hi Thomas,

Thank you for getting back to me. I am using ansible 2.3.1.0 and the modules from there.

Here is how I create external groups and add external users to it.

Add External non POSIX Group

ipa group-add --desc='Example AD group' --nonposix --external example-ad

Add external users Members to the group

ipa -n group-add-member example-ad --external test.user01@example.com

Create a POSIX Group

ipa group-add --desc='Example IDM group' example-idm

Add AD group to the POSIX group

ipa group-add-member example-idm --groups=example-ad

On the module I do not have the option to specify if the user is external.

I opened an issue on ansible as well. https://github.com/ansible/ansible/issues/25660

Regards, Gabriel
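As an added example (not code from ansible-module-ipa or from Ansible's own ipa_group), here is the planning logic an idempotent module needs for the two problems in this thread: it only issues group_mod with external=True when the group is not already external, and it sends AD users through the external-member option rather than the plain user option. The FreeIPA API option names `external` and `ipaexternalmember` are assumed from the CLI flags --external of group-add/group-mod and group-add-member, and the caller is assumed to have normalised the existing external members to the same identifier form as the requested ones (IPA stores them as SIDs).

```python
# Added example, not the module's code: compute the FreeIPA API calls needed
# to converge a group on the desired state, so a second run is a no-op
# instead of failing with "This group already allows external members".
# Assumed API option names: group_mod 'external', group_add_member
# 'ipaexternalmember' (CLI: --external), group_add_member 'user'.
from __future__ import annotations


def plan_group_calls(existing: dict | None, name: str, external: bool,
                     nonposix: bool, users: list[str],
                     external_users: list[str]) -> list[tuple]:
    """Return (method, group, params) calls to make; [] means converged.

    'existing' is the group_find/group_show result for the group, or None if
    the group does not exist yet. Its 'ipaexternalmember' entries are assumed
    to be in the same (case-insensitive) form as 'external_users'.
    """
    calls: list[tuple] = []
    if existing is None:
        params: dict = {}
        if external:
            params["external"] = True
        if nonposix:
            params["nonposix"] = True
        calls.append(("group_add", name, params))
        # Model the freshly created group so the membership diff below works.
        existing = {"objectclass": ["ipaexternalgroup"] if external else [],
                    "member_user": [], "ipaexternalmember": []}
    else:
        # Only ask IPA to make the group external when it is not already:
        # repeating group_mod external=True is rejected by the server.
        already_external = "ipaexternalgroup" in existing.get("objectclass", [])
        if external and not already_external:
            calls.append(("group_mod", name, {"external": True}))

    # Diff local (IPA) users against current membership.
    have_users = {u.lower() for u in existing.get("member_user", [])}
    missing_users = sorted(u for u in users if u.lower() not in have_users)
    if missing_users:
        calls.append(("group_add_member", name, {"user": missing_users}))

    # AD users must go through the external-member option; passing them as
    # 'user' makes IPA look for local accounts of that name.
    have_ext = {m.lower() for m in existing.get("ipaexternalmember", [])}
    missing_ext = sorted(u for u in external_users if u.lower() not in have_ext)
    if missing_ext:
        calls.append(("group_add_member", name,
                      {"ipaexternalmember": missing_ext}))
    return calls
```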

simdevmat commented 7 years ago

I am having the same issues

jorgemarti commented 5 years ago

Having the same issue. External users are never added to the nonposix group.