univention / ansible-modules

Ansible Modules for UCS
GNU General Public License v3.0

udm: Deletion by DN not possible #11

Open s3lph opened 1 year ago

s3lph commented 1 year ago

Description

Consider the following Ansible task:

- name: Delete examusers container
  univention.ucs_modules.univention_directory_manager:
    module: container/cn
    dn: cn=examusers,ou=demoschool,dc=example,dc=org
    state: absent

This should perform tasks equivalent to udm container/cn remove --dn cn=examusers,ou=demoschool,dc=example,dc=org

Expected behavior

Assuming the container/cn object existed, I'd expect something like this:

{
    "changed": true,
    "invocation": {
        "module_args": {
            "dn": "cn=examusers,ou=demoschool,dc=example,dc=org",
            "filter": null,
            "module": "container/cn",
            "options": null,
            "policies": null,
            "position": "ou=demoschool,dc=example,dc=org",
            "set_properties": [
                {
                    "property": "name",
                    "value": "examusers"
                }
            ],
            "state": "absent",
            "superordinate": null,
            "unset_properties": null
        }
    },
    "meta": {
        "changed_objects": [
            "cn=examusers,ou=demoschool,dc=example,dc=org"
        ],
        "created": {},
        "modified": {},
        "removed": {
            "cn=examusers,ou=demoschool,dc=example,dc=org": {
                "options": [
                    "default"
                ],
                "policies": [],
                "properties": {
                    "computerPath": "0",
                    "description": null,
                    "dhcpPath": "0",
                    "dnsPath": "0",
                    "domaincontrollerPath": "0",
                    "groupPath": "0",
                    "licensePath": "0",
                    "mailPath": "0",
                    "name": "examusers",
                    "networkPath": "0",
                    "policyPath": "0",
                    "printerPath": "0",
                    "sharePath": "0",
                    "userPath": "0"
                }
            }
        }
    },
    "msg": "removed objects: cn=examusers,ou=demoschool,dc=example,dc=org"
}

Assuming the container did NOT exist, I'd expect something like this:

{
    "changed": false,
    "invocation": {
        "module_args": {
            "dn": "cn=examusers,ou=demoschool,dc=example,dc=org",
            "filter": null,
            "module": "container/cn",
            "options": null,
            "policies": null,
            "position": "ou=demoschool,dc=example,dc=org",
            "set_properties": [
                {
                    "property": "name",
                    "value": "examusers"
                }
            ],
            "state": "absent",
            "superordinate": null,
            "unset_properties": null
        }
    },
    "meta": {
        "changed_objects": [],
        "created": {},
        "modified": {},
        "removed": {}
    },
    "msg": "nothing changed"
}

Actual behavior

The exact opposite of what you'd expect happens: If the container exists, nothing is changed:

{
    "changed": false,
    "invocation": {
        "module_args": {
            "dn": "cn=examusers,ou=demoschool,dc=example,dc=org",
            "filter": null,
            "module": "container/cn",
            "options": null,
            "policies": null,
            "position": "ou=demoschool,dc=example,dc=org",
            "set_properties": [
                {
                    "property": "name",
                    "value": "examusers"
                }
            ],
            "state": "absent",
            "superordinate": null,
            "unset_properties": null
        }
    },
    "meta": {
        "changed_objects": [],
        "created": {},
        "modified": {},
        "removed": {}
    },
    "msg": "nothing changed"
}

And if the container did not exist, the module claims it has deleted it (even though it hasn't been there in the first place):

{
    "changed": true,
    "invocation": {
        "module_args": {
            "dn": "cn=examusers,ou=demoschool,dc=example,dc=org",
            "filter": null,
            "module": "container/cn",
            "options": null,
            "policies": null,
            "position": "ou=demoschool,dc=example,dc=org",
            "set_properties": [
                {
                    "property": "name",
                    "value": "examusers"
                }
            ],
            "state": "absent",
            "superordinate": null,
            "unset_properties": null
        }
    },
    "meta": {
        "changed_objects": [
            "cn=examusers,ou=demoschool,dc=example,dc=org"
        ],
        "created": {},
        "modified": {},
        "removed": {
            "cn=examusers,ou=demoschool,dc=example,dc=org": {
                "options": [
                    "default"
                ],
                "policies": [],
                "properties": {
                    "computerPath": "0",
                    "description": null,
                    "dhcpPath": "0",
                    "dnsPath": "0",
                    "domaincontrollerPath": "0",
                    "groupPath": "0",
                    "licensePath": "0",
                    "mailPath": "0",
                    "name": "examusers",
                    "networkPath": "0",
                    "policyPath": "0",
                    "printerPath": "0",
                    "sharePath": "0",
                    "userPath": "0"
                }
            }
        }
    },
    "msg": "removed objects: cn=examusers,ou=demoschool,dc=example,dc=org"
}

This renders the UDM Ansible module unusable for deleting objects by their DN. Deleting objects identified by a filter expression works though. Unfortunately, in this case (where we have a lot of schools, and each school has an examusers container), those containers can't be distinguished using the filter argument.

Environment

Controller:

Target node:
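
The contract this report describes for `state: absent`, written as a check over the result fields shown above (`changed`, `meta.removed`). This is an added example, not code from the ansible-modules project; `check_absent_result` is a hypothetical helper, the two existence flags are assumed to come from an independent directory lookup before and after the run, and the sample results are constructed by trimming the outputs quoted in the issue.

```python
DN = "cn=examusers,ou=demoschool,dc=example,dc=org"

# Constructed samples: the two result shapes quoted in the issue, trimmed to
# the fields the check reads.
REPORT_REMOVED = {
    "changed": True,
    "meta": {"changed_objects": [DN], "removed": {DN: {"options": ["default"]}}},
    "msg": "removed objects: " + DN,
}
REPORT_UNCHANGED = {
    "changed": False,
    "meta": {"changed_objects": [], "removed": {}},
    "msg": "nothing changed",
}


def check_absent_result(dn, existed_before, exists_after, result):
    """Return the contract violations of one state=absent run against `dn`.

    existed_before / exists_after: booleans from a lookup that does not go
    through the module under test (assumption of this example).
    """
    problems = []
    removed = result.get("meta", {}).get("removed", {})
    # 1. After state=absent the object must be gone, whatever was reported.
    if exists_after:
        problems.append("object still present after state=absent")
    # 2. 'changed' must be true exactly when there was something to delete.
    if result.get("changed") != existed_before:
        state = "existed" if existed_before else "did not exist"
        problems.append(
            "changed=%s but the object %s before the run"
            % (result.get("changed"), state)
        )
    # 3. meta.removed must list the DN exactly when it was really deleted.
    if (dn in removed) != existed_before:
        problems.append("meta.removed disagrees with the pre-run state")
    return problems


if __name__ == "__main__":
    # Reported behavior: the existing container survives, the missing one is "removed".
    for existed, after, res in [(True, True, REPORT_UNCHANGED),
                                (False, False, REPORT_REMOVED)]:
        print(existed, check_absent_result(DN, existed, after, res))
```
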

HunterZeroSix commented 11 months ago

Hi @s3lph, thanks for your report. This seems indeed wrong.

Do you know if there are any other objects below cn=examusers,ou=demoschool,dc=example,dc=org?

s3lph commented 11 months ago

This was a fresh UCS@school installation, so the cn=examusers container SHOULD have been empty, as the exam users are created and deleted on demand when an exam is scheduled.