ipauser: Support for External IdP attributes.

Add support for 'ipd' and 'ipa_user_id' to ipauser plugin.

FreeIPA 4.10.0, or later, is required for both attributes.

README-user.md

@@ -410,14 +410,16 @@ Variable | Description | Required
 `manager` | List of manager user names. | no
 `carlicense` | List of car licenses. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
-`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no
+`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp`, `idp` and ``. Use empty string to reset userauthtype to the initial value. | no
 `userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
 `radius` | RADIUS proxy configuration | no
 `radiususer` | RADIUS proxy username | no
 `departmentnumber` | Department Number | no
 `employeenumber` | Employee Number | no
 `employeetype` | Employee Type | no
 `preferredlanguage` | Preferred Language | no
+`idp` \| `ipaidpconfiglink` | External IdP configuration | no
+`idp_user_id` \| `ipaidpsub` | A string that identifies the user at external IdP | no
 `certificate` | List of base-64 encoded user certificates. | no
 `certmapdata` | List of certificate mappings. Either `data` or `certificate` or `issuer` together with `subject` need to be specified. Only usable with IPA versions 4.5 and up. <br>Options: | no
 &nbsp; | `certificate` - Base-64 encoded user certificate, not usable with other certmapdata options. | no

plugins/modules/ipauser.py

@@ -208,7 +208,7 @@
  Use empty string to reset userauthtype to the initial value.
  type: list
  elements: str
- choices: ['password', 'radius', 'otp', '']
+ choices: ['password', 'radius', 'otp', 'idp', '']
  required: false
  aliases: ["ipauserauthtype"]
  userclass:
@@ -246,6 +246,16 @@
  description: Preferred Language
  type: str
  required: false
+ idp:
+ description: External IdP configuration
+ type: str
+ required: false
+ aliases: ["ipaidpconfiglink"]
+ idp_user_id:
+ description: A string that identifies the user at external IdP
+ type: str
+ required: false
+ aliases: ["ipaidpsub"]
  certificate:
  description: List of base-64 encoded user certificates
  type: list
@@ -440,7 +450,7 @@
  Use empty string to reset userauthtype to the initial value.
  type: list
  elements: str
- choices: ['password', 'radius', 'otp', '']
+ choices: ['password', 'radius', 'otp', 'idp', '']
  required: false
  aliases: ["ipauserauthtype"]
  userclass:
@@ -478,6 +488,16 @@
  description: Preferred Language
  type: str
  required: false
+ idp:
+ description: External IdP configuration
+ type: str
+ required: false
+ aliases: ["ipaidpconfiglink"]
+ idp_user_id:
+ description: A string that identifies the user at external IdP
+ type: str
+ required: false
+ aliases: ["ipaidpsub"]
  certificate:
  description: List of base-64 encoded user certificates
  type: list
@@ -673,8 +693,8 @@ def gen_args(first, last, fullname, displayname, initials, homedir, gecos,
  random, uid, gid, street, city, userstate, postalcode, phone,
  mobile, pager, fax, orgunit, title, carlicense, sshpubkey,
  userauthtype, userclass, radius, radiususer, departmentnumber,
- employeenumber, employeetype, preferredlanguage, noprivate,
- nomembers):
+ employeenumber, employeetype, preferredlanguage, idp, idp_user_id,
+ noprivate, nomembers):
  # principal, manager, certificate and certmapdata are handled not in here
  _args = {}
  if first is not None:
@@ -747,6 +767,10 @@ def gen_args(first, last, fullname, displayname, initials, homedir, gecos,
  _args["employeetype"] = employeetype
  if preferredlanguage is not None:
  _args["preferredlanguage"] = preferredlanguage
+ if idp is not None:
+ _args["ipaidpconfiglink"] = idp
+ if idp_user_id is not None:
+ _args["ipaidpsub"] = idp_user_id
  if noprivate is not None:
  _args["noprivate"] = noprivate
  if nomembers is not None:
@@ -761,7 +785,9 @@ def check_parameters( # pylint: disable=unused-argument
  mobile, pager, fax, orgunit, title, manager, carlicense, sshpubkey,
  userauthtype, userclass, radius, radiususer, departmentnumber,
  employeenumber, employeetype, preferredlanguage, certificate,
- certmapdata, noprivate, nomembers, preserve, update_password):
+ certmapdata, noprivate, nomembers, preserve, update_password,
+ idp, ipa_user_id,
+):
  if state == "present" and action == "user":
  invalid = ["preserve"]
  else:
@@ -773,7 +799,7 @@ def check_parameters( # pylint: disable=unused-argument
  "sshpubkey", "userauthtype", "userclass", "radius", "radiususer",
  "departmentnumber", "employeenumber", "employeetype",
  "preferredlanguage", "noprivate", "nomembers", "update_password",
- "gecos",
+ "gecos", "idp", "idp_user_id",
  ]
 
  if state == "present" and action == "member":
@@ -950,7 +976,7 @@ def main():
  default=None),
  userauthtype=dict(type='list', elements="str",
  aliases=["ipauserauthtype"], default=None,
- choices=['password', 'radius', 'otp', '']),
+ choices=['password', 'radius', 'otp', 'idp', '']),
  userclass=dict(type="list", elements="str", aliases=["class"],
  default=None),
  radius=dict(type="str", aliases=["ipatokenradiusconfiglink"],
@@ -1073,6 +1099,8 @@ def main():
  employeenumber = ansible_module.params_get("employeenumber")
  employeetype = ansible_module.params_get("employeetype")
  preferredlanguage = ansible_module.params_get("preferredlanguage")
+ idp = ansible_module.params_get("idp")
+ idp_user_id = ansible_module.params_get("idp_user_id")
  certificate = ansible_module.params_get("certificate")
  certmapdata = ansible_module.params_get("certmapdata")
  noprivate = ansible_module.params_get("noprivate")
@@ -1105,7 +1133,7 @@ def main():
  manager, carlicense, sshpubkey, userauthtype, userclass, radius,
  radiususer, departmentnumber, employeenumber, employeetype,
  preferredlanguage, certificate, certmapdata, noprivate, nomembers,
- preserve, update_password)
+ preserve, update_password, idp, idp_user_id)
  certmapdata = convert_certmapdata(certmapdata)
 
  # Use users if names is None
@@ -1191,6 +1219,8 @@ def main():
  employeenumber = user.get("employeenumber")
  employeetype = user.get("employeetype")
  preferredlanguage = user.get("preferredlanguage")
+ idp = user.get("idp")
+ idp_user_id = user.get("ipd_user_id")
  certificate = user.get("certificate")
  certmapdata = user.get("certmapdata")
  noprivate = user.get("noprivate")
@@ -1206,7 +1236,7 @@ def main():
  radiususer, departmentnumber, employeenumber,
  employeetype, preferredlanguage, certificate,
  certmapdata, noprivate, nomembers, preserve,
- update_password)
+ update_password, idp, idp_user_id)
  certmapdata = convert_certmapdata(certmapdata)
 
  # Extend email addresses
@@ -1248,6 +1278,17 @@ def main():
  msg="The use of certmapdata is not supported by "
  "your IPA version")
 
+ # Check if IdP support is available
+ if (
+ idp is not None or idp_user_id is not None
+ or userauthtype == "idp"
+ and ansible_module.ipa_command_param_exists(
+ "user_add", "ipaidpconfiglink"
+ )
+ ):
+ ansible_module.fail_json(
+ msg="Your IPA version does not support External IdP.")
+
  # Make sure user exists
  res_find = find_user(ansible_module, name)
 
@@ -1262,7 +1303,7 @@ def main():
  postalcode, phone, mobile, pager, fax, orgunit, title,
  carlicense, sshpubkey, userauthtype, userclass, radius,
  radiususer, departmentnumber, employeenumber, employeetype,
- preferredlanguage, noprivate, nomembers)
+ preferredlanguage, idp, idp_user_id, noprivate, nomembers)
 
  if action == "user":
  # Found the user