dell / dellemc-openmanage-ansible-modules

Dell OpenManage Ansible Modules
GNU General Public License v3.0

ome_domain_user_groups unable to import new directory groups with credential error #315

Closed MallocArray closed 3 years ago

MallocArray commented 3 years ago
Summary

Using the module ome_domain_user_groups, we are able to manage existing imported directory groups, and the module is properly able to change roles if the group has already been imported.

When attempting to import a new group from Active Directory, the task fails with the error "Unable to complete the operation because the entered domain username or domain password are invalid."

If the same group name is manually imported in the GUI and then the same playbook is run, it properly reports the group as OK, or changes roles if the playbook defines different roles. This proves that the credentials are correct for connecting to OME/OME-M.

When adding a group manually in the GUI, even if the user is currently logged into OME/OME-M, clicking to import a directory group and selecting an AD Directory Source presents another prompt for credentials. I wonder if the Ansible module is not properly filling in this credential request, as it is only required when doing the original import. Editing an existing user/group to change a role does not require this second credential entry.

Component Name

ome_domain_user_groups

Ansible Version
 ansible --version
ansible 2.10.11
  config file = /home/username/Ansible/ansible.cfg
  configured module search path = ['/home/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.8 (default, Mar 18 2021, 08:58:41) [GCC 8.4.1 20200928 (Red Hat 8.4.1-1)]

iDRAC or OpenManage Enterprise version

OpenManage Enterprise Modular 1.30.00, OpenManage Enterprise 3.7

Steps to Reproduce
Playbook used
    - name: Active Directory user groups
      dellemc.openmanage.ome_domain_user_groups:
        hostname: "{{ inventory_hostname }}"
        username: "{{ dell_ome_username }}"
        password: "{{ dell_ome_password }}"
        directory_name: domain.com
        group_name: "{{ item.group_name }}"
        role: "{{ item.role }}"
      loop: "{{ ome_groups }}"
      loop_control:
        label: "{{ item.group_name }} - {{ item.role }}"
      tags:
        - authentication
        - group

Example of the ome_groups var that is looped through (OME-specific in this example, since the role value is different in OME-M):

ome_groups:
  - group_name: res.app.OpenManageEnterprise.admin
    role: ADMINISTRATOR
  - group_name: res.app.OpenManageEnterprise.readonly
    role: VIEWER

Expected Results

If the group exists in OME, the role is verified to be the same as expected, or changed to match. If the group does not exist in OME, it is imported from AD and assigned the permissions (this is what is not working).

Actual Results
<ome-server.domain.com> ESTABLISH LOCAL CONNECTION FOR USER: username
<ome-server.domain.com> EXEC /bin/sh -c 'echo ~username && sleep 0'
<ome-server.domain.com> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/username/.ansible/tmp `"&& mkdir "` echo /home/username/.ansible/tmp/ansible-tmp-1631826439.046182-3974367-210832147547697 `" && echo ansible-tmp-1631826439.046182-3974367-210832147547697="` echo /home/username/.ansible/tmp/ansible-tmp-1631826439.046182-3974367-210832147547697 `" ) && sleep 0'
<ome-server.domain.com> Attempting python interpreter discovery
<ome-server.domain.com> EXEC /bin/sh -c 'echo PLATFORM; uname; echo FOUND; command -v '"'"'/usr/bin/python'"'"'; command -v '"'"'python3.7'"'"'; command -v '"'"'python3.6'"'"'; command -v '"'"'python3.5'"'"'; command -v '"'"'python2.7'"'"'; command -v '"'"'python2.6'"'"'; command -v '"'"'/usr/libexec/platform-python'"'"'; command -v '"'"'/usr/bin/python3'"'"'; command -v '"'"'python'"'"'; echo ENDFOUND && sleep 0'
<ome-server.domain.com> EXEC /bin/sh -c '/usr/bin/python3.6 && sleep 0'
Using module file /home/username/Ansible/collections/ansible_collections/dellemc/openmanage/plugins/modules/ome_domain_user_groups.py
<ome-server.domain.com> PUT /home/username/.ansible/tmp/ansible-local-3974358c715cqyi/tmphwaoh5lr TO /home/username/.ansible/tmp/ansible-tmp-1631826439.046182-3974367-210832147547697/AnsiballZ_ome_domain_user_groups.py
<ome-server.domain.com> EXEC /bin/sh -c 'chmod u+x /home/username/.ansible/tmp/ansible-tmp-1631826439.046182-3974367-210832147547697/ /home/username/.ansible/tmp/ansible-tmp-1631826439.046182-3974367-210832147547697/AnsiballZ_ome_domain_user_groups.py && sleep 0'
<ome-server.domain.com> EXEC /bin/sh -c '/usr/libexec/platform-python /home/username/.ansible/tmp/ansible-tmp-1631826439.046182-3974367-210832147547697/AnsiballZ_ome_domain_user_groups.py && sleep 0'
<ome-server.domain.com> EXEC /bin/sh -c 'rm -f -r /home/username/.ansible/tmp/ansible-tmp-1631826439.046182-3974367-210832147547697/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_dellemc.openmanage.ome_domain_user_groups_payload_zdaz3850/ansible_dellemc.openmanage.ome_domain_user_groups_payload.zip/ansible_collections/dellemc/openmanage/plugins/modules/ome_domain_user_groups.py", line 206, in search_directory
  File "/tmp/ansible_dellemc.openmanage.ome_domain_user_groups_payload_zdaz3850/ansible_dellemc.openmanage.ome_domain_user_groups_payload.zip/ansible_collections/dellemc/openmanage/plugins/module_utils/ome.py", line 166, in invoke_request
    raise err
  File "/tmp/ansible_dellemc.openmanage.ome_domain_user_groups_payload_zdaz3850/ansible_dellemc.openmanage.ome_domain_user_groups_payload.zip/ansible_collections/dellemc/openmanage/plugins/module_utils/ome.py", line 163, in invoke_request
    resp = open_url(url, data=data, **url_kwargs)
  File "/tmp/ansible_dellemc.openmanage.ome_domain_user_groups_payload_zdaz3850/ansible_dellemc.openmanage.ome_domain_user_groups_payload.zip/ansible/module_utils/urls.py", line 1399, in open_url
    unredirected_headers=unredirected_headers)
  File "/tmp/ansible_dellemc.openmanage.ome_domain_user_groups_payload_zdaz3850/ansible_dellemc.openmanage.ome_domain_user_groups_payload.zip/ansible/module_utils/urls.py", line 1304, in open
    return urllib_request.urlopen(request, None, timeout)
  File "/usr/lib64/python3.6/urllib/request.py", line 223, in urlopen
    return opener.open(url, data, timeout)
  File "/usr/lib64/python3.6/urllib/request.py", line 532, in open
    response = meth(req, response)
  File "/usr/lib64/python3.6/urllib/request.py", line 642, in http_response
    'http', request, response, code, msg, hdrs)
  File "/usr/lib64/python3.6/urllib/request.py", line 570, in error
    return self._call_chain(*args)
  File "/usr/lib64/python3.6/urllib/request.py", line 504, in _call_chain
    result = func(*args)
  File "/usr/lib64/python3.6/urllib/request.py", line 650, in http_error_default
    raise HTTPError(req.full_url, code, msg, hdrs, fp)
failed: [ome-server.domain.com] (item=res.app.OpenManageEnterprise.admin - ADMINISTRATOR) => {
    "ansible_facts": {
        "discovered_interpreter_python": "/usr/libexec/platform-python"
    },
    "ansible_loop_var": "item",
    "changed": false,
    "invocation": {
        "module_args": {
            "directory_id": null,
            "directory_name": "domain.com",
            "domain_password": null,
            "domain_username": null,
            "group_name": "res.app.OpenManageEnterprise.admin",
            "hostname": "ome-server.domain.com",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "port": 443,
            "role": "ADMINISTRATOR",
            "state": "present",
            "username": "domain\\scriptaccount"
        }
    },
    "item": {
        "group_name": "res.app.OpenManageEnterprise.admin",
        "role": "ADMINISTRATOR"
    },
    "msg": "Unable to complete the operation because the entered domain username or domain password are invalid."
}


MallocArray commented 3 years ago

Closing issue. I had misread what this module was used for and thought it was adding groups OR users to OME/OME-M, so I was leaving out the domain_username and domain_password fields, thinking they were used when adding a user.

I now see those fields are used for authentication to AD when adding a group. Once I added those parameters, it started working as expected. I'm using the same credentials I'm using to connect to OME.

Updated task:

    - name: Active Directory user groups
      dellemc.openmanage.ome_domain_user_groups:
        hostname: "{{ inventory_hostname }}"
        username: "{{ dell_ome_username }}"
        password: "{{ dell_ome_password }}"
        directory_name: domain.com
        group_name: "{{ item.group_name }}"
        role: "{{ item.role }}"
        # Credentials OME uses to bind to the directory when importing the group
        domain_username: "{{ dell_ome_username }}"
        domain_password: "{{ dell_ome_password }}"
      loop: "{{ ome_groups }}"
      loop_control:
        label: "{{ item.group_name }} - {{ item.role }}"
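The failure in this thread is easy to repeat: the task looks complete, the OME login works, and the only symptom is an error that reads like a bad OME password. The following pre-flight lint is an added example written for this page, not code from the dellemc.openmanage collection or from the reporter. It walks a parsed playbook and flags ome_domain_user_groups tasks that import a group (state: present, the module default) without domain_username and domain_password, and separately flags a domain_password typed in as a literal instead of templated from a (vaulted) variable. The sample tasks embedded at the bottom are constructed to mirror the before and after tasks above plus two extra cases; the task names and the literal password are made up for the example.

```python
"""Pre-flight lint for dellemc.openmanage.ome_domain_user_groups tasks.

Added example for this issue, not part of the collection. Findings:
  * missing_directory_bind_credentials: state=present (the default) without
    domain_username/domain_password, which OME needs to bind to the directory
    when it imports the group (the failure reported in this thread).
  * hardcoded_domain_password: the bind password is a literal, not a
    "{{ ... }}" template resolved from a vaulted variable.
"""
import re

try:  # PyYAML is only needed by check_playbook_file(); check_tasks() takes parsed data
    import yaml
except ImportError:
    yaml = None

MODULE_NAMES = ("dellemc.openmanage.ome_domain_user_groups", "ome_domain_user_groups")
DIRECTORY_BIND_ARGS = ("domain_username", "domain_password")
TEMPLATE_RE = re.compile(r"\{\{.*?\}\}", re.DOTALL)


def iter_tasks(tasks, path=()):
    """Yield (path, task) for each leaf task, descending into block/rescue/always."""
    for idx, task in enumerate(tasks or []):
        if not isinstance(task, dict):
            continue
        here = path + (idx,)
        sections = [s for s in ("block", "rescue", "always") if s in task]
        if not sections:
            yield here, task
        for section in sections:
            yield from iter_tasks(task[section], here + (section,))


def ome_group_args(task):
    """Return the module args if the task calls ome_domain_user_groups (either name), else None."""
    for name in MODULE_NAMES:
        if name in task:
            return task[name] if isinstance(task[name], dict) else {}
    return None


def check_tasks(tasks):
    """Lint parsed tasks; returns a list of finding dicts (empty means all passed)."""
    findings = []
    for path, task in iter_tasks(tasks):
        args = ome_group_args(task)
        if args is None:
            continue
        label = task.get("name") or "task " + "/".join(str(p) for p in path)
        # Removing an already imported group does not bind to the directory.
        if str(args.get("state", "present")).lower() == "absent":
            continue
        missing = [k for k in DIRECTORY_BIND_ARGS if not args.get(k)]
        if missing:
            findings.append({"task": label, "check": "missing_directory_bind_credentials",
                             "detail": "state=present without " + ", ".join(missing)
                                       + "; OME reports the domain credentials as invalid"})
        password = args.get("domain_password")
        if isinstance(password, str) and password and not TEMPLATE_RE.search(password):
            findings.append({"task": label, "check": "hardcoded_domain_password",
                             "detail": "domain_password is a literal; template it from a vaulted variable"})
    return findings


def check_playbook_file(path):
    """Lint pre_tasks/tasks/post_tasks of every play in a playbook file (needs PyYAML)."""
    if yaml is None:
        raise RuntimeError("PyYAML is required to read playbook files")
    with open(path, encoding="utf-8") as fh:
        plays = yaml.safe_load(fh) or []
    tasks = []
    for play in plays:
        for section in ("pre_tasks", "tasks", "post_tasks"):
            tasks.extend(play.get(section) or [])
    return check_tasks(tasks)


# Constructed sample: the reporter's first task, the corrected task, a removal
# that needs no bind, and a task with a made-up literal bind password.
COMMON = {"hostname": "{{ inventory_hostname }}", "username": "{{ dell_ome_username }}",
          "password": "{{ dell_ome_password }}", "directory_name": "domain.com"}
SAMPLE_TASKS = [
    {"name": "Active Directory user groups (as first posted)", "loop": "{{ ome_groups }}",
     "dellemc.openmanage.ome_domain_user_groups": dict(COMMON, group_name="{{ item.group_name }}", role="{{ item.role }}")},
    {"name": "Active Directory user groups (corrected)", "loop": "{{ ome_groups }}",
     "dellemc.openmanage.ome_domain_user_groups": dict(COMMON, group_name="{{ item.group_name }}", role="{{ item.role }}",
                                                       domain_username="{{ dell_ome_username }}",
                                                       domain_password="{{ dell_ome_password }}")},
    {"block": [
        {"name": "Remove a stale group",
         "ome_domain_user_groups": dict(COMMON, group_name="res.app.OpenManageEnterprise.legacy", state="absent")},
        {"name": "Import with a literal bind password",
         "ome_domain_user_groups": dict(COMMON, group_name="res.app.OpenManageEnterprise.readonly", role="VIEWER",
                                        domain_username="domain\\scriptaccount", domain_password="Example-Literal-1")},
    ]},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print("{task}: {check}: {detail}".format(**finding))
```

Run against the sample, the first task is flagged for the missing bind credentials and the last for the literal password; the corrected task and the state: absent task pass. The lint only understands tasks written with the module name as the key (as in this thread), not the `action:`/`module:` forms, and check_playbook_file() reads plain YAML, so `!vault` tagged values need the Ansible loader rather than yaml.safe_load.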