ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

ipa_user tries to enable an account when making edits #8296

Open dan-esc opened 5 months ago

dan-esc commented 5 months ago

Summary

https://github.com/ansible-collections/community.general/blob/main/plugins/modules/ipa_user.py#L321

nsaccountlock = state == 'disabled'

I created a service account that only had permissions to change specific attributes about users. When trying to run a playbook, it failed because it was unable to change nsAccountLock:

Insufficient access: Insufficient 'write' privilege to the 'nsAccountLock' attribute of entry

We should be able to change attributes about users even if they are disabled.

Issue Type

Bug Report

Component Name

ipa_user

Ansible Version

$ ansible --version
ansible [core 2.15.10]
  config file = ~/Documents/aap-ldap-ipa-edits/ansible.cfg
  configured module search path = ['~/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = ~/Library/Python/3.9/lib/python/site-packages/ansible
  ansible collection location = ~/.ansible/collections:/usr/share/ansible/collections
  executable location = ~/Library/Python/3.9/bin/ansible
  python version = 3.9.6 (default, Feb  3 2024, 15:58:27) [Clang 15.0.0 (clang-1500.3.9.4)] (/Applications/Xcode.app/Contents/Developer/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general
Collection        Version
----------------- -------
community.general 8.6.0  

Collection        Version
----------------- -------
community.general 7.5.2  

Configuration

OS / Environment

No response

Steps to Reproduce

- name: Setting the shell in IPA
  community.general.ipa_user:
    name: "{{ user_to_edit }}"
    state: present
    loginshell: "{{ shell }}"
    ipa_host: "{{ cluster[env]['ipa'] }}"
    ipa_user: "{{ sa_username }}"
    ipa_pass: "{{ ldap_editor_pw }}"

Expected Results

Expect the shell to be set and no other attributes.

Actual Results


ansibullbot commented 5 months ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


ansibullbot commented 5 months ago

cc @Akasurde @Nosmoht @justchris1
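The behaviour reported in this issue, modelled as an added example (not the module's code and not from any participant in the thread): it compares the attribute writes produced when `nsaccountlock` is always derived from `state`, as in the quoted expression, with writes produced when the lock is managed only for `state: enabled` or `state: disabled`. All function names, the sample entry, the delegated attribute set, and the assumption that only attributes differing from the directory entry are written are hypothetical.

```python
# Added illustration; names are hypothetical, not the ipa_user module's API.
LOCK_STATES = {"enabled": False, "disabled": True}


def desired_attrs(state, unconditional_lock, **params):
    """Map task parameters to the IPA attributes the task wants to manage."""
    attrs = {k: v for k, v in params.items() if v is not None}
    if unconditional_lock:
        # The expression quoted in the issue: any state other than
        # 'disabled' (including 'present') yields nsaccountlock=False.
        attrs["nsaccountlock"] = state == "disabled"
    elif state in LOCK_STATES:
        # Alternative: manage the lock only when the task asks for it.
        attrs["nsaccountlock"] = LOCK_STATES[state]
    return attrs


def pending_writes(desired, current):
    """Attributes whose desired value differs from the directory entry
    (assumption: only differing attributes are sent in the modify call)."""
    return {k: v for k, v in desired.items() if current.get(k) != v}


def denied_writes(writes, writable):
    """Attributes in the modify request that the bind account may not write."""
    return sorted(set(writes) - set(writable))


# Constructed sample data: a disabled user, and a service account that was
# delegated write access to loginshell only.
CURRENT_ENTRY = {"uid": "jdoe", "loginshell": "/bin/sh", "nsaccountlock": True}
SA_WRITABLE = {"loginshell"}


def run_case(unconditional_lock, current=CURRENT_ENTRY):
    """Simulate the 'Setting the shell in IPA' task with state: present."""
    desired = desired_attrs("present", unconditional_lock, loginshell="/bin/bash")
    writes = pending_writes(desired, current)
    return writes, denied_writes(writes, SA_WRITABLE)


if __name__ == "__main__":
    for flag in (True, False):
        writes, denied = run_case(flag)
        print(f"unconditional_lock={flag}: writes={writes} denied={denied}")
```

In this model the denied write appears only when the target user is already disabled, because that is the only case where the derived `nsaccountlock=False` differs from the stored value.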