univention / ansible-modules

Ansible Modules for UCS
GNU General Public License v3.0

univention_directory_manager module: `--policy-reference` and `--policy-dereference` options not available #18

Open Daenou opened 8 months ago

Daenou commented 8 months ago

Today I tried to create and reference a policy with the univention.ucs_modules.univention_directory_manager Ansible module, only to find out that the --policy-reference and --policy-dereference options are not implemented in this module at all.

As a workaround, instead of using an Ansible shell command, I created an extended attribute so I can reference and dereference policies of groups, as in this example:

# Workaround
# univention.ucs_modules.univention_directory_manager doesn't support the "--policy-reference" and "--policy-dereference" commands yet.
# So I create an extended attribute to still be able to set policy references for groups via UDM.
# See issue: <url>
- name: Get LDAP base
  ansible.builtin.command: ucr get ldap/base
  check_mode: false
  changed_when: false
  register: "register_ea_ldap_base"
  when:
    - "ucschool_register_serverrole.stdout == 'domaincontroller_master'"

- name: Create univentionPolicyReference extended attribute
  univention.ucs_modules.univention_directory_manager:
    module: settings/extended_attribute
    position: "cn=custom attributes,cn=univention,{{ register_ea_ldap_base.stdout }}"
    dn: "cn=univentionPolicyReference,cn=custom attributes,cn=univention,{{ register_ea_ldap_base.stdout }}"
    set_properties:
      - property: "name"
        value: "univentionPolicyReference"
      - property: "CLIName"
        value: "univentionPolicyReference"
      - property: "ldapMapping"
        value: "univentionPolicyReference"
      - property: "module"
        value: "groups/group"
      - property: "objectClass"
        value: "univentionPolicyReference"
      - property: "shortDescription"
        value: "univentionPolicyReference:"
      - property: "syntax"
        value: "string"
      - property: "multivalue"
        value: "1"
      - property: "mayChange"
        value: "1"
  when:
    - "ucschool_register_serverrole.stdout == 'domaincontroller_master'"

Works fine with this code:

- name: Reference adm-accounts-read-only policy on ADM Accounts Read Only group
  univention.ucs_modules.univention_directory_manager:
    module: "groups/group"
    dn: "cn=ADM Accounts Read Only,cn=groups,dc=ldap,dc=base"
    set_properties:
      - property: univentionPolicyReference
        value: "cn=adm-accounts-read-only,cn=UMC,cn=policies,dc=ldap,dc=base"
  when:
    - "ucschool_register_serverrole.stdout == 'domaincontroller_master'"

Of course, you'd need additional extended attributes to reference policies to users/user and containers/ou objects.

Would be nice if this feature were implemented.

tbreiden commented 4 months ago

In your example you can add a list of policies to set as:

  tasks:
    - name: "create user"
      univention_directory_manager:
        module: 'users/user'
        state: 'present'
        position: 'dc=ucs,dc=test'
        policies:
          - 'cn=udm-license,cn=operations,cn=UMC,cn=univention,dc=ucs,dc=test'
          - 'XY'
        set_properties:
          - property: 'username'
            value: 'testuser1'
          - property: 'lastname'
            value: 'testuser1'

We should document this.
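Applying the `policies` parameter from the comment above to the group case from the original report, as an added example (not code from this thread or from the project's documentation). The group and policy DNs are the ones from the original post; the `when` guard and the users/user task mirror the two examples in the thread, and the user DN below is a constructed placeholder.

```yaml
# Added example: reference the UMC policy with the module's own
# `policies` parameter instead of the extended-attribute workaround.
# Group and policy DNs are taken from the original report.
- name: Reference adm-accounts-read-only policy on ADM Accounts Read Only group
  univention.ucs_modules.univention_directory_manager:
    module: "groups/group"
    state: "present"
    dn: "cn=ADM Accounts Read Only,cn=groups,dc=ldap,dc=base"
    policies:
      - "cn=adm-accounts-read-only,cn=UMC,cn=policies,dc=ldap,dc=base"
  when:
    - "ucschool_register_serverrole.stdout == 'domaincontroller_master'"

# The same parameter on a users/user object, so no additional extended
# attribute per module is needed (user DN is a constructed placeholder).
- name: Reference adm-accounts-read-only policy on a user
  univention.ucs_modules.univention_directory_manager:
    module: "users/user"
    state: "present"
    dn: "uid=example-user,cn=users,dc=ldap,dc=base"
    policies:
      - "cn=adm-accounts-read-only,cn=UMC,cn=policies,dc=ldap,dc=base"
  when:
    - "ucschool_register_serverrole.stdout == 'domaincontroller_master'"
```

Unlike the workaround's extended attribute, which is declared with syntax `string` and so accepts any value written through UDM, this keeps policy references on the module's supported path. The thread does not say whether omitting a DN from `policies` removes an existing reference (the `--policy-dereference` case), so verify that behaviour on a test domain before relying on it.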