
ipa_host does not return all the host information if called without update_password: true

Open itcultus opened this issue 3 years ago • 2 comments

Summary

The return values of the ipa_host module are vastly different depending on whether we use random_password: true or not. Calling the module with random password set to false (or not set), the returned attributes are:

      cn:
      - client.example.com
      description:
      - client.example.com
      dn: fqdn=client.example.com,cn=computers,cn=accounts,dc=idm,dc=example,dc=com
      fqdn:
      - client.example.com
      ipakrbokasdelegate: false
      ipakrboktoauthasdelegate: false
      ipakrbrequirespreauth: true
      ipasshpubkey:
      - ssh-rsa AAAAB3NzaC1yc....L [email protected]
      - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYT...7v+Ng= [email protected]
      - ssh-ed25519 AAAAC3Nza.....JdBPZwt1pzFY9aj3AAemSL6wpPB3F
      ipauniqueid:
      - 45a0.....6a9a
      krbcanonicalname:
      - host/[email protected]
      krbextradata:
      - __base64__: AAII+MNic...VWLkNPUlAA
      krbprincipalname:
      - host/[email protected]
      krbpwdpolicyreference:
      - cn=Default Host Password Policy,cn=computers,cn=accounts,dc=idm,dc=example,dc=com
      managedby_host:
      - client.example.com
      managing_host:
      - client.example.com
      memberof_hostgroup:
      - hg1
      - hg2
      memberofindirect_hbacrule:
      - hbac1
      - hbac2
      memberofindirect_netgroup:
      - hg1
      - hg2
      objectclass:
      - ipaobject
      - nshost
      - ipahost
      - pkiuser
      - ipaservice
      - krbprincipalaux
      - krbprincipal
      - ieee802device
      - ipasshhost
      - top
      - ipaSshGroupOfPubKeys
      serverhostname:
      - client
      sshpubkeyfp:
      - SHA256:7bKIq+edO...tA6k6w6a7YZ84 [email protected] (ssh-rsa)
      - SHA256:/ihgaIpTYq....mLfGW/eidHFqSg [email protected] (ecdsa-sha2-nistp256)
      - SHA256:zAPdkAEFv7....djbYQc (ssh-ed25519)
      userclass:
      - whatever_I_want

This is an example of a host that is listed in IdM, but the client is not enrolled.

Calling the module with random password set to true, for the same host we get:

      description:
      - client.example.com
      fqdn:
      - client.example.com
      has_keytab: false
      has_password: true
      krbcanonicalname:
      - host/[email protected]
      krbprincipalname:
      - host/[email protected]
      managedby_host:
      - client.example.com
      memberof_hostgroup:
      - hg1
      - hg2
      memberofindirect_hbacrule:
      - hbac1
      - hbac2
      randompassword: 8Pj&0ddr;]B}r>pcb8tllp
      sshpubkeyfp:
      - SHA256:7bKIq+edObs.....a7YZ84 [email protected] (ssh-rsa)
      - SHA256:/ihgaI.....LfGW/eidHFqSg [email protected] (ecdsa-sha2-nistp256)
      - SHA256:zAPdk.....bYQc (ssh-ed25519)
      userclass:
      - whatever_I_want

There are a few striking differences. I don't see the logic behind the different output and even if I accept that there are important reasons for this difference, the has_keytab and has_password attributes are very important and they should be returned in both cases!

If there is a reason why the outputs are not identical, then please add the has_keytab and has_password attributes in both of them since they are decision-making ones.

Issue Type

Bug Report

Component Name

ipa_host

Ansible Version

$ ansible --version
ansible [core 2.12.7]
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.10/site-packages/ansible
  ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.10.5 (main, Jun  9 2022, 00:00:00) [GCC 12.1.1 20220507 (Red Hat 12.1.1-1)]
  jinja version = 3.0.3
  libyaml = True

Community.general Version

$ ansible-galaxy collection list community.general

# /usr/share/ansible/collections/ansible_collections
Collection        Version
----------------- -------
community.general 4.8.3  

# /usr/lib/python3.10/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 4.8.2

Configuration

$ ansible-config dump --only-changed

OS / Environment

Fedora 36

Steps to Reproduce

    ipa_host:
      ipa_host: "{{ master_hostname | default(groups['master'][0]) }}"
      ipa_user: "{{ enroll_principal }}"
      ipa_pass: "{{ enroll_principal_password }}"
      name: "{{ inventory_hostname }}"
      description: "{{ hostvars[inventory_hostname]['host_description'] | default(inventory_hostname) | trim }}"
      random_password: true
      state: present
    register: host_status

Expected Results

I would expect the return values to be identical.

Actual Results


Code of Conduct

  • [X] I agree to follow the Ansible Code of Conduct

itcultus avatar Jul 05 '22 10:07 itcultus
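
An added example, not part of the original issue or the module's own documentation: a playbook fragment that refuses to make enrollment decisions when `has_keytab` and `has_password` are absent from the result, and keeps the returned `randompassword` out of the logs. It assumes the attributes shown in the report are exposed under `host_status.host`; the fact name `enroll_otp` is hypothetical.

```yaml
# Added example; assumes the attributes from the report are available
# under host_status.host in the registered result.
- name: Ensure the host entry exists and request a random enrollment password
  community.general.ipa_host:
    ipa_host: "{{ master_hostname | default(groups['master'][0]) }}"
    ipa_user: "{{ enroll_principal }}"
    ipa_pass: "{{ enroll_principal_password }}"
    name: "{{ inventory_hostname }}"
    random_password: true
    state: present
  register: host_status
  no_log: true   # the registered result carries randompassword in clear text

# Fail closed: a missing attribute means "state unknown", not "not enrolled".
- name: Stop if the enrollment attributes are missing from this return shape
  ansible.builtin.assert:
    that:
      - host_status.host is defined
      - host_status.host.has_keytab is defined
      - host_status.host.has_password is defined
    fail_msg: "ipa_host result lacks has_keytab/has_password; enrollment state unknown"
    quiet: true

# enroll_otp is a hypothetical fact name used only in this example.
- name: Keep the random password only for hosts that have no keytab yet
  ansible.builtin.set_fact:
    enroll_otp: "{{ host_status.host.randompassword }}"
  when:
    - not (host_status.host.has_keytab | bool)
    - host_status.host.randompassword is defined
  no_log: true
```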

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


ansibullbot avatar Jul 05 '22 10:07 ansibullbot

cc @Akasurde @Nosmoht @fxfitz @justchris1

ansibullbot avatar Jul 05 '22 10:07 ansibullbot

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.


ansibullbot avatar Nov 10 '22 11:11 ansibullbot