From 6606399bbca3001dfb0bed4f32584fb38714379c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Aur=C3=A9lien=20Bompard?= Date: Fri, 5 Feb 2021 16:46:39 +0100 Subject: [PATCH] Allow users to change some of their attributes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Aurélien Bompard
---
 roles/ipa/server/tasks/main.yml | 64 +++++++++++++++++++++++++++++++++ 1 file changed, 64 insertions(+)
diff --git a/roles/ipa/server/tasks/main.yml b/roles/ipa/server/tasks/main.yml
index 28d5fb1194..0db20f6f27 100644
--- a/roles/ipa/server/tasks/main.yml
+++ b/roles/ipa/server/tasks/main.yml
@@ -446,6 +446,70 @@
 when: ipa_initial
+# User selfservice permissions
+
+- name: Setup the selfservice permission for passwords
+ # When ansible-freeipa is upgraded, we'll get ipaselfservice
+ # ipaselfservice:
+ # ipaadmin_password: "{{ipa_admin_password}}"
+ # name: "Users can modify their own password"
+ # permission: write
+ # attribute:
+ # - userPassword
+ # - krbPrincipalKey
+ # - sambaLMPassword
+ # - sambaNTPassword
+ command:
+ argv:
+ - ipa
+ - selfservice-add
+ - "Users can modify their own password"
+ - --permissions=write
+ - --attrs=userPassword
+ - --attrs=krbPrincipalKey
+ - --attrs=sambaLMPassword
+ - --attrs=sambaNTPassword
+ register: output
+ changed_when: "'Added selfservice' in output.stdout"
+ failed_when: "'already exists' not in output.stderr and output.rc != 0"
+ tags:
+ - ipa/server
+ - config
+ when: ipa_initial and env == 'staging'
+
+
+- name: Setup the selfservice permission for addressbook attributes
+ # When ansible-freeipa is upgraded, we'll get ipaselfservice
+ # ipaselfservice:
+ # ipaadmin_password: "{{ipa_admin_password}}"
+ # name: "User Self service"
+ # permission: write
+ # attribute:
+ # - givenname
+ # - sn
+ # - cn
+ # - displayname
+ # - gecos
+ command:
+ argv:
+ - ipa
+ - selfservice-add
+ - "User Self service"
+ - --permissions=write
+ - --attrs=givenName
+ - --attrs=sn
+ - --attrs=cn
+ - --attrs=displayName
+ - --attrs=gecos
+ register: output
+ changed_when: "'Added selfservice' in output.stdout"
+ failed_when: "'already exists' not in output.stderr and output.rc != 0"
+ tags:
+ - ipa/server
+ - config
+ when: ipa_initial and env == 'staging'
+
+
 - name: Set the members of the admin group
 ipa_group:
 name: admins
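Review bot: The second task names its selfservice `User Self service`, which I believe is also the name of the selfservice FreeIPA installs by default with a much longer attribute list; on such a server `selfservice-add` returns "already exists", `failed_when` swallows it, and the five-attribute set written here is never what is actually in effect. More generally, the `ipa_initial` gate plus the "already exists" tolerance means later edits to either `--attrs` list will not converge on an existing deployment; following each add with `ipa selfservice-mod <name> --attrs=...` (or comparing against `selfservice-show`) would make the lists in this file authoritative. For the password task, FreeIPA's stock ACI `Self can write own password` appears to already grant self-write on `userPassword`, `krbPrincipalKey`, `sambaLMPassword` and `sambaNTPassword`, so please confirm with `ipa selfservice-find` or an ACI search before adding a second grant on raw key-material attributes. Both tasks are limited to `env == 'staging'`, so production is unchanged by this commit; if that is deliberate, a comment such as `# staging only until the ipaselfservice module is available` would save the next reader from wondering why production users cannot edit their attributes.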