freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

Permission module fails when using filter Variable #1175

Closed arozmarin closed 8 months ago

arozmarin commented 8 months ago

Hi guys, I couldn't make it work. I try to use the Permission module and

that is my task

and task always fails

"msg": "permission_add: Self Service Password reset: invalid 'filter': must be enclosed in parentheses"

I tried different variables for filter, even removed the variable and wrote the value like

filter: '(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))'
filter: "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))"

I always get the same error. Any idea how I should write the filter value so that the module will work? If I don't include filter in the task, the task works OK.

thanks

rjeffman commented 8 months ago

This seems to have something to do with the way Ansible/Jinja2 handle strings and lists.

The issue is that your filter is being treated as a list of filters, thus the IPA API error reporting.

I was able to fix this with the following change to filter:

  - name: Ensure permission perm-test-1 is present
    ipapermission:
      name: perm-test-1
      object_type: host
      memberof: rbacgroup1
      filter: 
        - '(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))'
      right: all

Note that my filter is now a list entry, so (somehow) it is not considered a list of filters anymore (maybe because Ansible expects a list of strings, but I have dug deeper).
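An added example, not part of the thread or of the ansible-freeipa code: a simplified Python model of how a plain string handed to a list-typed module argument is split on commas, which produces fragments that fail the "enclosed in parentheses" check, while a one-item list passes through intact. It assumes `filter` is declared as a list argument and that the server check is a simple leading/trailing parenthesis test; all function names and the sample tasks are hypothetical.

```python
# Simplified model for illustration; not Ansible or ansible-freeipa source.

FILTER = "(!(memberOf=cn=admins,cn=groups,cn=accounts,dc=example,dc=com))"


def coerce_list(value):
    """Model list-argument coercion: lists pass through, strings split on ','."""
    if isinstance(value, list):
        return value
    if isinstance(value, str):
        return value.split(",")
    raise TypeError("cannot convert %r to a list" % (value,))


def rejected_filters(filters):
    """Return entries not enclosed in parentheses (assumed server-side check)."""
    return [f for f in filters
            if not (f.startswith("(") and f.endswith(")"))]


def risky_filter_tasks(tasks):
    """Flag ipapermission tasks whose filter is a scalar containing a comma."""
    flagged = []
    for task in tasks:
        args = task.get("ipapermission") or {}
        value = args.get("filter")
        if isinstance(value, str) and "," in value:
            flagged.append(task.get("name", "<unnamed>"))
    return flagged


# Constructed sample tasks, modelled on the two forms shown in the thread.
TASKS = [
    {"name": "scalar filter", "ipapermission": {"name": "p1", "filter": FILTER}},
    {"name": "list filter", "ipapermission": {"name": "p2", "filter": [FILTER]}},
]

if __name__ == "__main__":
    for task in TASKS:
        parts = coerce_list(task["ipapermission"]["filter"])
        print(task["name"], "->", len(parts), "filter(s),",
              len(rejected_filters(parts)), "rejected")
    print("tasks to rewrite as a list:", risky_filter_tasks(TASKS))
```

Because a failed or silently dropped filter changes which entries a permission covers, a check like `risky_filter_tasks` is worth running over playbooks before they are applied.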

arozmarin commented 8 months ago

Perfect, thanks for the help. It's working now.