freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

ipapwpolicy priority needs default(omit) in general call or fails on global_policy #1287

Open parmstro opened 3 weeks ago

parmstro commented 3 weeks ago

With pwpolicy

pwpolicy:
  - group_name: global_policy
    maxlife: 120

executing task

- name: "Ensure state for password policy"
  redhat.rhel_idm.ipapwpolicy:
    ipaadmin_principal: '{{ ipa_admin_principal }}'
    ipaadmin_password: '{{ ipa_admin_password }}'
    name: '{{ pwpolicy.group_name | default(none)}}'
    dictcheck: '{{ pwpolicy.dictcheck | default(true) }}'
    failinterval: '{{ pwpolicy.failinterval | default("") }}'  # seconds
    gracelimit: '{{ pwpolicy.gracelimit | default("") }}'      # count
    history: '{{ pwpolicy.history | default("") }}'            # count
    lockouttime: '{{ pwpolicy.lockouttime | default("") }}'    # seconds
    maxfail: '{{ pwpolicy.maxfail | default("") }}'            # count
    maxlife: '{{ pwpolicy.maxlife | default("") }}'            # days
    maxrepeat: '{{ pwpolicy.maxrepeat | default("") }}'        # count
    maxsequence: '{{ pwpolicy.maxsequence | default("") }}'    # count
    minclasses: '{{ pwpolicy.minclasses | default("") }}'      # count
    minlength: '{{ pwpolicy.minlength | default("") }}'        # count     <<< Fails here with "Minimum length must be >= 6 if maxrepeat, maxsequence, dictcheck or usercheck are defined"
    minlife: '{{ pwpolicy.minlife | default("") }}'            # hours
    priority: '{{ pwpolicy.priority | default("") }}'          # int     <<< Fails here default("") needs default(omit) contrary to docs
    usercheck: '{{ pwpolicy.usercheck | default(true) }}'
    state: '{{ pwpolicy.state | default("present") }}'

fails with a weird error, "global_policy entry not found":

TASK [idm_password_policy : Ensure state for password policy] ************************************************************************************************************
fatal: [idm.example.ca]: FAILED! => {"changed": false, "msg": "pwpolicy_mod: global_policy: global_policy: entry not found"}

This works:

- name: "Ensure state for password policy"
  redhat.rhel_idm.ipapwpolicy:
    ipaadmin_principal: '{{ ipa_admin_principal }}'
    ipaadmin_password: '{{ ipa_admin_password }}'
    name: '{{ pwpolicy.group_name | default(none)}}'
    dictcheck: '{{ pwpolicy.dictcheck | default(true) }}'
    failinterval: '{{ pwpolicy.failinterval | default("") }}'  # seconds
    gracelimit: '{{ pwpolicy.gracelimit | default("") }}'      # count
    history: '{{ pwpolicy.history | default("") }}'            # count
    lockouttime: '{{ pwpolicy.lockouttime | default("") }}'    # seconds
    maxfail: '{{ pwpolicy.maxfail | default("") }}'            # count
    maxlife: '{{ pwpolicy.maxlife | default("") }}'            # days
    maxrepeat: '{{ pwpolicy.maxrepeat | default("") }}'        # count
    maxsequence: '{{ pwpolicy.maxsequence | default("") }}'    # count
    minclasses: '{{ pwpolicy.minclasses | default("") }}'      # count
    minlength: '{{ pwpolicy.minlength | default("6") }}'       # count
    minlife: '{{ pwpolicy.minlife | default("") }}'            # hours
    priority: '{{ pwpolicy.priority | default(omit) }}'        # int
    usercheck: '{{ pwpolicy.usercheck | default(true) }}'
    state: '{{ pwpolicy.state | default("present") }}'

Could the documentation be updated? Better error message?
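As an added pre-flight check (example code, not part of ansible-freeipa or of this issue), the following renders the pwpolicy vars the way the task above does, mirroring how `default(omit)` drops a key before the module sees it, and flags the two failure modes reported here before the playbook runs. It assumes, from the observed behaviour rather than the module source, that global_policy must not receive a priority key at all and that an empty minlength counts as too short once dictcheck, usercheck, maxrepeat or maxsequence are defined.

```python
OMIT = object()  # stands in for Ansible's `omit` placeholder

# Parameters that, once defined, make the module require minlength >= 6
# (names taken from the error message quoted in the failing task).
MINLENGTH_TRIGGERS = ("maxrepeat", "maxsequence", "dictcheck", "usercheck")

# The two default sets from this issue: "" everywhere (fails) versus the
# working variant with minlength "6" and priority omitted.
FAILING_DEFAULTS = {"dictcheck": True, "minlength": "", "priority": "",
                    "usercheck": True, "state": "present"}
WORKING_DEFAULTS = {"dictcheck": True, "minlength": "6", "priority": OMIT,
                    "usercheck": True, "state": "present"}


def render_args(pwpolicy, defaults):
    """Build the argument dict the task hands to ipapwpolicy: each key takes
    pwpolicy[key] when set, otherwise its default; a default of OMIT drops
    the key entirely, which is what `default(omit)` does in Ansible."""
    args = {"name": pwpolicy.get("group_name")}
    keys = set(defaults) | {k for k in pwpolicy if k != "group_name"}
    for key in keys:
        value = pwpolicy.get(key, defaults.get(key, ""))
        if value is not OMIT:
            args[key] = value
    return args


def check_args(args):
    """Return the problems found, or an empty list when the arguments are
    consistent with the constraints observed in this issue (assumed here)."""
    problems = []
    if args.get("name") == "global_policy" and "priority" in args:
        problems.append("global_policy must not receive priority; "
                        "use default(omit) so the key is dropped")
    defined = [t for t in MINLENGTH_TRIGGERS if args.get(t) not in (None, "")]
    if defined:
        try:
            minlength = int(args.get("minlength", ""))
        except (TypeError, ValueError):
            minlength = 0  # "" or garbage counts as too short
        if minlength < 6:
            problems.append("minlength must be >= 6 because "
                            + ", ".join(defined) + " are defined")
    return problems


def check_pwpolicy(pwpolicy, defaults):
    """Render as the task would, then validate; returns the problem list."""
    return check_args(render_args(pwpolicy, defaults))


if __name__ == "__main__":
    policy = {"group_name": "global_policy", "maxlife": 120}  # constructed vars
    for label, defaults in (("failing", FAILING_DEFAULTS), ("working", WORKING_DEFAULTS)):
        print(label, check_pwpolicy(policy, defaults))
```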

parmstro commented 3 weeks ago

Actually, I think it would be good if the module implemented defaults for all parameters that reflect those set in the default global_policy. This would reflect a policy no less secure than the global_policy if the user did not specify values. If the user intentionally wants to set a less restrictive policy, they need to explicitly set it.