From beb724ee656b67178bc66771cc1b7268e4eabf1e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?=
Date: Mon, 1 Sep 2025 11:18:34 +0200
Subject: [PATCH] IPA: setup a permission to modify group managers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Aurélien Bompard
---
 inventory/group_vars/all | 1 +
 inventory/group_vars/staging | 1 +
 roles/ipa/server/tasks/toddlers.yml | 17 +++++++++++++++++
 .../openshift/ipa-client/templates/default.conf | 2 +-
 roles/openshift/ipa-client/templates/ldap.conf | 2 +-
 5 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index baf8f13509..bcff53f21a 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -125,6 +125,7 @@ freezes: true
 install_noc: none
 ipa_admin_password: "{{ ipa_prod_admin_password }}"
 ipa_realm: FEDORAPROJECT.ORG
+ipa_basedn: dc=fedoraproject,dc=org
 ipa_server: ipa01.rdu3.fedoraproject.org
 ipa_server_nodes:
 - ipa01.rdu3.fedoraproject.org
diff --git a/inventory/group_vars/staging b/inventory/group_vars/staging
index ad404ee9d3..c07cde801e 100644
--- a/inventory/group_vars/staging
+++ b/inventory/group_vars/staging
@@ -13,6 +13,7 @@ freezes: false
 host_group: staging
 ipa_admin_password: "{{ ipa_stg_admin_password }}"
 ipa_realm: STG.FEDORAPROJECT.ORG
+ipa_basedn: dc=stg,dc=fedoraproject,dc=org
 # IPA details
 ipa_server: ipa01.stg.rdu3.fedoraproject.org
 ipa_server_nodes:
diff --git a/roles/ipa/server/tasks/toddlers.yml b/roles/ipa/server/tasks/toddlers.yml
index 8301cac4f4..c752414d42 100644
--- a/roles/ipa/server/tasks/toddlers.yml
+++ b/roles/ipa/server/tasks/toddlers.yml
@@ -7,6 +7,22 @@
 host: os-control01{{ env_suffix }}.{{ datacenter }}.fedoraproject.org # noqa: var-naming[no-role-prefix]
 service: toddlers-sync-group # noqa: var-naming[no-role-prefix]
+- name: Create the permission to modify member managers
+ ansible.builtin.command:
+ argv:
+ - ipa
+ - permission-add
+ - Modify Group Managers
+ - --right=write
+ - --attrs=membermanager
+ - --bindtype=permission
+ - --subtree=cn=groups,cn=accounts,{{ipa_basedn}}
+ - --filter=(!(cn=admins))
+ - --filter=(objectclass=ipausergroup)
+ register: output
+ changed_when: "'already exists' not in output.stderr"
+ failed_when: "'already exists' not in output.stderr and output.rc != 0"
+
 - name: Create the privilege
 ansible.builtin.command:
 argv:
@@ -25,6 +41,7 @@
 - privilege-add-permission
 - Group Membership Synchronization
 - "--permissions=System: Modify Group Membership"
+ - "--permissions=Modify Group Managers"
 register: output
 changed_when: "'Number of permissions added 0' not in output.stdout"
 failed_when: "'Number of permissions added 0' not in output.stdout and output.rc != 0"
diff --git a/roles/openshift/ipa-client/templates/default.conf b/roles/openshift/ipa-client/templates/default.conf
index 9181d59067..d8d6a9717d 100644
--- a/roles/openshift/ipa-client/templates/default.conf
+++ b/roles/openshift/ipa-client/templates/default.conf
@@ -1,5 +1,5 @@
 [global]
-basedn = {% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org
+basedn = {{ ipa_basedn }}
 realm = {{ ipa_realm }}
 domain = {{ ipa_realm | lower }}
 server = {{ ipa_server }}
diff --git a/roles/openshift/ipa-client/templates/ldap.conf b/roles/openshift/ipa-client/templates/ldap.conf
index 58f2cead25..af9e1101f3 100644
--- a/roles/openshift/ipa-client/templates/ldap.conf
+++ b/roles/openshift/ipa-client/templates/ldap.conf
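Review bot: The new `permission-add` task is create-only: once "Modify Group Managers" exists, any later change to `--attrs`, `--subtree` or either `--filter` value is silently skipped, because `'already exists'` in stderr makes the task report ok and not failed, so the live permission can drift from what this file declares. If the definition is expected to evolve, follow it with a `permission-mod` step that re-asserts the same options (or, if the ansible-freeipa collection is acceptable in this role, its `ipapermission` module reconciles the entry instead of only creating it). Since `(!(cn=admins))` is the only exclusion on a subtree covering every `ipausergroup`, a comment above the task should state that this is deliberate, e.g. `# Only the admins group is kept out of membermanager writes; every other user group is covered`, so a future reader does not have to infer the scope from the filters. Lastly, `{{ipa_basedn}}` should be written `{{ ipa_basedn }}` to match the `{{ env_suffix }}` spacing used on the `host:` context line two lines above.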
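Review bot: Adding a second `--permissions` value to the existing `privilege-add-permission` call changes its failure behaviour on an already-provisioned server: on the first run after this patch, "System: Modify Group Membership" is already attached, so the CLI adds one and reports one failed, and `'Number of permissions added 0'` is then absent from stdout; if the CLI also exits non-zero on that partial failure (as the existing `failed_when` already assumes it does when nothing is added), `output.rc != 0` makes the task fail. The simplest fix that keeps the count-based check valid is one `privilege-add-permission` task per permission, so each call either adds 0 or adds 1 and the `changed_when`/`failed_when` pair stays correct. The task's `name:` and `ansible.builtin.command:` lines are outside the hunk.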
@@ -1,5 +1,5 @@
 SASL_NOCANON on
 URI ldaps://{{ ipa_server }}
-BASE {% if env == "staging" %}dc=stg,{% endif %}dc=fedoraproject,dc=org
+BASE {{ ipa_basedn }}
 TLS_CACERT /etc/ipa/ca.crt
 SASL_MECH GSSAPI