IPA: setup a permission to modify group managers

Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
2026-03-20 03:57:02 +08:00 · 2025-09-01 11:18:34 +02:00
parent 2f2a22dcd9
commit beb724ee65
5 changed files with 21 additions and 2 deletions
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -125,6 +125,7 @@ freezes: true
 install_noc: none
 ipa_admin_password: "{{ ipa_prod_admin_password }}"
 ipa_realm: FEDORAPROJECT.ORG
+ipa_basedn: dc=fedoraproject,dc=org
 ipa_server: ipa01.rdu3.fedoraproject.org
 ipa_server_nodes:
  - ipa01.rdu3.fedoraproject.org
--- a/inventory/group_vars/staging
+++ b/inventory/group_vars/staging
@@ -13,6 +13,7 @@ freezes: false
 host_group: staging
 ipa_admin_password: "{{ ipa_stg_admin_password }}"
 ipa_realm: STG.FEDORAPROJECT.ORG
+ipa_basedn: dc=stg,dc=fedoraproject,dc=org
 # IPA details
 ipa_server: ipa01.stg.rdu3.fedoraproject.org
 ipa_server_nodes:
--- a/roles/ipa/server/tasks/toddlers.yml
+++ b/roles/ipa/server/tasks/toddlers.yml
@@ -7,6 +7,22 @@
    host: os-control01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org # noqa: var-naming[no-role-prefix]
    service: toddlers-sync-group # noqa: var-naming[no-role-prefix]

+- name: Create the permission to modify member managers
+  ansible.builtin.command:
+    argv:
+      - ipa
+      - permission-add
+      - Modify Group Managers
+      - --right=write
+      - --attrs=membermanager
+      - --bindtype=permission
+      - --subtree=cn=groups,cn=accounts,{{ipa_basedn}}
+      - --filter=(!(cn=admins))
+      - --filter=(objectclass=ipausergroup)
+  register: output
+  changed_when: "'already exists' not in output.stderr"
+  failed_when: "'already exists' not in output.stderr and output.rc != 0"
+
 - name: Create the privilege
  ansible.builtin.command:
    argv:
@@ -25,6 +41,7 @@
      - privilege-add-permission
      - Group Membership Synchronization
      - "--permissions=System: Modify Group Membership"
+      - "--permissions=Modify Group Managers"
  register: output
  changed_when: "'Number of permissions added 0' not in output.stdout"
  failed_when: "'Number of permissions added 0' not in output.stdout and output.rc != 0"
--- a/roles/openshift/ipa-client/templates/default.conf
+++ b/roles/openshift/ipa-client/templates/default.conf
@@ -1,5 +1,5 @@
 [global]
-basedn = {% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org
+basedn = {{ ipa_basedn }}
 realm = {{ ipa_realm }}
 domain = {{ ipa_realm | lower }}
 server = {{ ipa_server }}
--- a/roles/openshift/ipa-client/templates/ldap.conf
+++ b/roles/openshift/ipa-client/templates/ldap.conf
@@ -1,5 +1,5 @@
 SASL_NOCANON on
 URI ldaps://{{ ipa_server }}
-BASE {% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org
+BASE {{ ipa_basedn }}
 TLS_CACERT /etc/ipa/ca.crt
 SASL_MECH GSSAPI