From cd5c64c8187fb20e69bdadc8622e4c29ebbd5851 Mon Sep 17 00:00:00 2001
From: Matthew Butch
Date: Mon, 11 Mar 2019 06:14:06 -0400
Subject: [PATCH] FreeIPA: Fix ipa_user password option (#48453)
Maintain idempotency in ipa_user while user update.
---
.../rst/porting_guides/porting_guide_2.8.rst | 1 +
lib/ansible/modules/identity/ipa/ipa_user.py | 29 +++++++++++++++++--
2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/docs/docsite/rst/porting_guides/porting_guide_2.8.rst b/docs/docsite/rst/porting_guides/porting_guide_2.8.rst
index 1b7c8fa732..d1cd7bfd13 100644
--- a/docs/docsite/rst/porting_guides/porting_guide_2.8.rst
+++ b/docs/docsite/rst/porting_guides/porting_guide_2.8.rst
@@ -314,6 +314,7 @@ Noteworthy module changes `_. Contributions to the role can be made `here `_.
+* The ``ipa_user`` module originally always sent ``password`` to FreeIPA regardless of whether the password changed. Now the module only sends ``password`` if ``update_password`` is set to ``always``, which is the default. Plugins =======
diff --git a/lib/ansible/modules/identity/ipa/ipa_user.py b/lib/ansible/modules/identity/ipa/ipa_user.py
index 924c660b06..f8e3db0726 100644
--- a/lib/ansible/modules/identity/ipa/ipa_user.py
+++ b/lib/ansible/modules/identity/ipa/ipa_user.py
@@ -21,6 +21,13 @@ description: options: displayname: description: Display name
+ update_password: description: - Set password for a user. type: str default: 'always' choices: [ always, on_create ] version_added: 2.8 givenname: description: First name krbpasswordexpiration:
@@ -38,7 +45,7 @@ options:
- If None is passed email addresses will not be checked or changed. password: description:
- - Password for new user
+ - Password for a user. Will not be set for an existing user unless C(update_password) is set to C(always), which is the default. sn: description: Surname sshpubkey:
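Review bot: The description of the new `update_password` option in the DOCUMENTATION hunk, `- Set password for a user.`, does not say what its two choices do, which is the whole point of the option; the porting-guide entry in this same patch is clearer than the option doc itself. I would replace it with `- C(always) (the default) sends I(password) to FreeIPA on every run, so an existing user's password is reset each time and the task presumably reports changed. C(on_create) only sets the password when the user is created and never touches an existing user's password.` Since FreeIPA typically marks an administratively set password as expired, the default of C(always) is also worth a warning in the doc, because it forces the user through a password change after every play run. The DOCUMENTATION block continues outside this hunk.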
@@ -77,7 +84,7 @@ requirements: ''' EXAMPLES = '''
-# Ensure pinky is present
+# Ensure pinky is present and always reset password
- ipa_user: name: pinky state: present
@@ -104,6 +111,19 @@ EXAMPLES = ''' ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret
+
+# Ensure pinky is present but don't reset password if already exists
+- ipa_user: name: pinky state: present givenname: Pinky sn: Acme password: zounds ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret update_password: on_create
+
''' RETURN = '''
@@ -257,6 +277,7 @@ def ensure(module, client): userpassword=module.params['password'], gidnumber=module.params.get('gidnumber'), uidnumber=module.params.get('uidnumber'))
+ update_password = module.params.get('update_password') ipa_user = client.user_find(name=name) changed = False
@@ -266,6 +287,8 @@ def ensure(module, client): if not module.check_mode: ipa_user = client.user_add(name=name, item=module_user) else:
+ if update_password == 'on_create': module_user.pop('userpassword', None) diff = get_user_diff(client, ipa_user, module_user) if len(diff) > 0: changed = True
@@ -284,6 +307,8 @@ def main(): argument_spec = ipa_argument_spec() argument_spec.update(displayname=dict(type='str'), givenname=dict(type='str'),
+ update_password=dict(type='str', default="always", choices=['always', 'on_create']), krbpasswordexpiration=dict(type='str'), loginshell=dict(type='str'), mail=dict(type='list'),
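Review bot: The idempotency the commit message promises holds only for `on_create`; in the `else` branch of the second `ensure` hunk, under the default `always` the `module_user` dict still carries `userpassword` into `get_user_diff`, so an existing user presumably gets the password re-sent and the task reports changed on every run, and nothing in the new code says so. I would put a comment above the new `if`: `# 'on_create' must never touch an existing user's password; 'always' (the default) re-sends it on every run, and FreeIPA cannot report it as unchanged, so the task stays non-idempotent in that mode`. The diff and `changed = True` are computed before any check-mode guard here, so check mode appears to report the same under `always`, which the comment could also mention. `ensure()` starts and ends outside this hunk, and `get_user_diff` is not visible in the patch.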
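Review bot: The new argument_spec entry in the `main()` hunk mixes quote styles, `default="always"` beside `choices=['always', 'on_create']` and the single quotes used by every other entry in the spec; I would write it `update_password=dict(type='str', default='always', choices=['always', 'on_create']),`. More importantly, the `password` entry that this option now gates is outside the hunk, so please confirm it is declared with `no_log=True`; the new option changes when the value is sent to FreeIPA, not whether Ansible would print it in logs or diffs. `main()` begins before this hunk.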