freeipa / ansible-freeipa

Ansible roles and modules for FreeIPA
GNU General Public License v3.0

Creating a new password policy fails: "pwpolicy_add: noexpire: 'cospriority' is required" #1304

Open Aethylred opened 1 month ago

Aethylred commented 1 month ago

Using the playbook to create a noexpire policy with a 10-year expiry period, it fails with the error

`"pwpolicy_add: noexpire: 'cospriority' is required"`

Updating the global_policy succeeds:

TASK [Create password policies] ******************************************************************************************************************************Tuesday 29 October 2024  03:22:59 +0000 (0:00:08.307)       0:00:14.595 ******* 
failed: [ipa01] (item={'name': 'noexpire', 'maxlife': 3652, 'history': 4, 'minlength': 12, 'maxfail': 5, 'failinterval': 300, 'lockouttime': 900, 'maxrepeat': 2, 'maxsequence': 2, 'usercheck': True, 'cospriority': 10}) => {"ansible_loop_var": "item", "changed": false, "item": {"cospriority": 10, "failinterval": 300, "history": 4, "lockouttime": 900, "maxfail": 5, "maxlife": 3652, "maxrepeat": 2, "maxsequence": 2, "minlength": 12, "name": "noexpire", "usercheck": true}, "msg": "pwpolicy_add: noexpire: 'cospriority' is required"}
ok: [ipa01] => (item={'name': 'global_policy', 'maxlife': 730, 'history': 4, 'minlength': 12, 'maxfail': 5, 'failinterval': 300, 'lockouttime': 900, 'maxrepeat': 2, 'maxsequence': 2, 'usercheck': True})

The variable being set:

ipa_pwpolicies:
  - name: noexpire
    maxlife: 3652
    history: 4
    minlength: 12
    maxfail: 5
    failinterval: 300
    lockouttime: 900
    maxrepeat: 2
    maxsequence: 2
    usercheck: true
    priority: 10
  - name: global_policy
    maxlife: 730
    history: 4
    minlength: 12
    maxfail: 5
    failinterval: 300
    lockouttime: 900
    maxrepeat: 2
    maxsequence: 2
    usercheck: true

The task being executed:

    - name: Create password policies # noqa: run-once[task]
      freeipa.ansible_freeipa.ipapwpolicy:
        name: "{{ item.name }}"
        maxlife: "{{ item.maxlife | default(omit) }}"
        minlife: "{{ item.minlife | default(omit) }}"
        history: "{{ item.history | default(omit) }}"
        minlength: "{{ item.minlength | default(omit) }}"
        minclasses: "{{ item.minclasses | default(omit) }}"
        failinterval: "{{ item.failinterval | default(omit) }}"
        lockouttime: "{{ item.lockouttime | default(omit) }}"
        maxrepeat: "{{ item.maxrepeat | default(omit) }}"
        maxsequence: "{{ item.maxsequence | default(omit) }}"
        dictcheck: "{{ item.dictcheck | default(omit) }}"
        usercheck: "{{ item.usercheck | default(omit) }}"
        gracelimit: "{{ item.gracelimit | default(omit) }}"
        state: "{{ item.state | default(omit) }}"
        ipaadmin_password: "{{ vault_ipa_admin_password }}"
      run_once: true
      loop: "{{ ipa_pwpolicies }}"
      when: ipa_pwpolicies is defined

Ansible version:

(ansible) [super@admin01 oversite-bootstrap]$ ansible --version
ansible [core 2.15.12]
  config file = /localhome/super/oversite-bootstrap/ansible.cfg
  configured module search path = ['/localhome/super/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /localhome/super/oversite-bootstrap/venvs/ansible/lib64/python3.9/site-packages/ansible
  ansible collection location = /localhome/super/oversite-bootstrap/ignore/collections
  executable location = /localhome/super/oversite-bootstrap/venvs/ansible/bin/ansible
  python version = 3.9.18 (main, Aug 23 2024, 00:00:00) [GCC 11.4.1 20231218 (Red Hat 11.4.1-3)] (/localhome/super/oversite-bootstrap/venvs/ansible/bin/python)
  jinja version = 3.1.4
  libyaml = True

Red Hat IdM version:

[root@ipa02 ~]# ipa --version
VERSION: 4.11.0, API_VERSION: 2.253

Aethylred commented 1 month ago

OK, my error here: I was not passing the priority variable through to the task.

However, the documentation for ipapwpolicy does not say that the priority is a required variable.

rjeffman commented 3 weeks ago

priority is not required by ipapwpolicy, as can be seen in the module playbook tests.

Maybe due to the specific rules you are creating it is required?
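As an added check (not code from the report or from ansible-freeipa), the script below compares the keys set in the reporter's ipa_pwpolicies variable with the `item.*` references the task actually forwards to ipapwpolicy, so a policy attribute cannot be dropped on the way to IdM without notice. Run over the variable and task quoted in the report, it flags `priority` for noexpire, and also `maxfail`, which the task does not pass through for either policy.

```python
# Added example (not ansible-freeipa code): lint an ipa_pwpolicies variable
# against the task that consumes it, so no policy attribute is dropped silently.
import re

# Constructed copy of the module parameters from the task in the report.
TASK_YAML = """
  freeipa.ansible_freeipa.ipapwpolicy:
    name: "{{ item.name }}"
    maxlife: "{{ item.maxlife | default(omit) }}"
    minlife: "{{ item.minlife | default(omit) }}"
    history: "{{ item.history | default(omit) }}"
    minlength: "{{ item.minlength | default(omit) }}"
    minclasses: "{{ item.minclasses | default(omit) }}"
    failinterval: "{{ item.failinterval | default(omit) }}"
    lockouttime: "{{ item.lockouttime | default(omit) }}"
    maxrepeat: "{{ item.maxrepeat | default(omit) }}"
    maxsequence: "{{ item.maxsequence | default(omit) }}"
    dictcheck: "{{ item.dictcheck | default(omit) }}"
    usercheck: "{{ item.usercheck | default(omit) }}"
    gracelimit: "{{ item.gracelimit | default(omit) }}"
    state: "{{ item.state | default(omit) }}"
    ipaadmin_password: "{{ vault_ipa_admin_password }}"
"""

# The two entries of the report's ipa_pwpolicies variable.
POLICIES = [
    {"name": "noexpire", "maxlife": 3652, "history": 4, "minlength": 12,
     "maxfail": 5, "failinterval": 300, "lockouttime": 900, "maxrepeat": 2,
     "maxsequence": 2, "usercheck": True, "priority": 10},
    {"name": "global_policy", "maxlife": 730, "history": 4, "minlength": 12,
     "maxfail": 5, "failinterval": 300, "lockouttime": 900, "maxrepeat": 2,
     "maxsequence": 2, "usercheck": True},
]

# Matches '<module_param>: "{{ item.<key> ...' lines inside the task.
ITEM_REF = re.compile(r'^\s*(\w+):\s*"\{\{\s*item\.(\w+)')

def forwarded_keys(task_yaml: str) -> dict[str, str]:
    """Map each module parameter to the item key that fills it."""
    matches = (ITEM_REF.match(line) for line in task_yaml.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def dropped_keys(policy: dict, task_yaml: str) -> list[str]:
    """Keys set on one policy entry that the task never passes to the module."""
    used = set(forwarded_keys(task_yaml).values())
    return sorted(k for k in policy if k not in used)

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy["name"], "not forwarded:", dropped_keys(policy, TASK_YAML))
```

An empty list for every policy means the task forwards everything the variable sets; anything else is an attribute that will never reach the IdM password policy.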