Skip shadow checks for users w/o shadow data

Users that are attached to a Kerberos realm do not have shadow data
on the system. This breaks two accounts-related tasks.

This patch cause Ansible to skip over any users that do not have
shadow data on the system. Without this patch, the playbook fails
with an error.

Closes-Bug: 1659232
Change-Id: Ibbd275681e65ba7ccfc4477caa499247ed052649

tasks/rhel7stig/accounts.yml

@@ -79,11 +79,15 @@
     - medium
     - V-71923
 
+# NOTE(mhayden): The "is mapping" check is required below because some users
+# may be attached to a Kerberos realm and they may not have shadow data on the
+# system. See bug 1659232 for more details.
 - name: Set minimum password lifetime limit to 24 hours for interactive accounts
   shell: "chage -m 1 {{ item.name }}"
   when:
+    - item.shadow is mapping
     - item.shadow.min_days != 1
-    - security_set_minimum_password_lifetime
+    - security_set_minimum_password_lifetime | bool
   with_items:
     - "{{ interactive_user_list.users }}"
   tags:
@@ -91,11 +95,15 @@
     - medium
     - V-71927
 
+# NOTE(mhayden): The "is mapping" check is required below because some users
+# may be attached to a Kerberos realm and they may not have shadow data on the
+# system. See bug 1659232 for more details.
 - name: Set maximum password lifetime limit to 60 days for interactive accounts
   shell: "chage -M 60 {{ item.name }}"
   when:
+    - item.shadow is mapping
     - item.shadow.max_days > 60
-    - security_set_maximum_password_lifetime
+    - security_set_maximum_password_lifetime | bool
   with_items:
     - "{{ interactive_user_list.users }}"
   tags: