Merge branch 'master' into master

This commit is contained in:
Thomas Woerner
2020-03-16 17:47:57 +01:00
committed by GitHub
218 changed files with 7650 additions and 1009 deletions

README-dnsconfig.md (normal file, 140 lines added)

@@ -0,0 +1,140 @@
DNSConfig module
============
Description
-----------
The dnsconfig module allows to modify global DNS configuration.
Features
--------
* Global DNS configuration
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipadnsconfig module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to set global DNS configuration:
```yaml
---
- name: Playbook to handle global DNS configuration
hosts: ipaserver
become: true
tasks:
# Set dnsconfig.
- ipadnsconfig:
forwarders:
- ip_address: 8.8.4.4
- ip_address: 2001:4860:4860::8888
port: 53
forward_policy: only
allow_sync_ptr: yes
```
Example playbook to ensure a global forwarder, with a custom port, is absent:
```yaml
---
- name: Playbook to handle global DNS configuration
hosts: ipaserver
become: true
tasks:
# Ensure global forwarder with a custom port is absent.
- ipadnsconfig:
forwarders:
- ip_address: 2001:4860:4860::8888
port: 53
state: absent
```
Example playbook to disable global forwarders:
```yaml
---
- name: Playbook to disable global DNS forwarders
hosts: ipaserver
become: true
tasks:
# Disable global forwarders.
- ipadnsconfig:
forward_policy: none
```
Example playbook to change global forward policy:
```yaml
---
- name: Playbook to change global forward policy
hosts: ipaserver
become: true
tasks:
# Disable global forwarders.
- ipadnsconfig:
forward_policy: first
```
Example playbook to disallow synchronization of forward (A, AAAA) and reverse (PTR) records:
```yaml
---
- name: Playbook to disallow reverse synchronization.
hosts: ipaserver
become: true
tasks:
# Disable global forwarders.
- ipadnsconfig:
allow_sync_ptr: no
```
Variables
=========
ipadnsconfig
------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
  | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
  | `port` - The custom port that should be used on this server. | no
`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`. | no
`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | yes
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
Authors
=======
Rafael Guterres Jeffman
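Review bot: the Required column of the `ipadnsconfig` table is wrong for `allow_sync_ptr` and `state`: both are marked `yes`, yet the `forward_policy: none` and `forward_policy: first` examples above set neither, and `state` is documented with a default of `present`; both should be `no`. Two further points in this file: the comment `# Disable global forwarders.` is copied verbatim into the `forward_policy: first` and `allow_sync_ptr: no` examples, where it describes the wrong action, and the Description line reads better as `The dnsconfig module allows modifying the global DNS configuration.` Nit: the two `forwarders` sub-rows (`ip_address`, `port`) render as table rows with an empty Variable cell; marking them as sub-options of `forwarders` would make the table clearer.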


@@ -52,20 +52,20 @@ Example playbook to add groups:
tasks:
# Create group ops with gid 1234
- ipagroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: ops
gidnumber: 1234
# Create group sysops
- ipagroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: sysops
user:
- pinky
# Create group appops
- ipagroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: appops
```
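Review bot: the rename is consistent across the hunk, but every example still carries the admin password as a plaintext literal (`ipaadmin_password: SomeADMINpassword`); since the variable table states the password is only needed when no admin ticket is available on the node, it would help to say so next to the first example and to point to Ansible Vault (or a variables file) for the value rather than a literal in the playbook.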
@@ -80,7 +80,7 @@ Example playbook to add users to a group:
tasks:
# Add user member brain to group sysops
- ipagroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: sysops
action: member
user:
@@ -100,7 +100,7 @@ Example playbook to add group members to a group:
tasks:
# Add group members sysops and appops to group sysops
- ipagroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: ops
group:
- sysops
@@ -118,7 +118,7 @@ Example playbook to remove groups:
tasks:
# Remove goups sysops, appops and ops
- ipagroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: sysops,appops,ops
state: absent
```
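Review bot: typo in the unchanged comment line of this hunk, `# Remove goups sysops, appops and ops`, should read `groups`; worth fixing while this block is being touched.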
@@ -138,7 +138,7 @@ Variable | Description | Required
`description` | The group description string. | no
`gid` \| `gidnumber` | The GID integer. | no
`nonposix` | Create as a non-POSIX group. (bool) | no
`external` | Allow adding external non-IPA members from trusted domains. (flag) | no
`external` | Allow adding external non-IPA members from trusted domains. (bool) | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`user` | List of user name strings assigned to this group. | no
`group` | List of group name strings assigned to this group. | no


@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Rule login exists:
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
```
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Rule login exists with the only HBAC Service
tasks:
# Ensure HBAC Rule login is present with the only HBAC Service sshd
- ipahbacrule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -83,7 +83,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -101,7 +101,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
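Review bot: the comment in this hunk, `# Ensure HBAC Service sshd is present in HBAC Rule login`, contradicts the example heading (`... is absent in HBAC Rule login`); change it to `absent` so the task comment matches the example.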
@@ -120,7 +120,7 @@ Example playbook to make sure HBAC Rule login is absent:
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
state: absent
```
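Review bot: same mismatch here: the comment reads `# Ensure HBAC Rule login is present` while the task sets `state: absent`; change it to `absent`.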


@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Service for http is present
tasks:
# Ensure HBAC Service for http is present
- ipahbacsvc:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: http
description: Web service
```
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Service for tftp is present
tasks:
# Ensure HBAC Service for tftp is present
- ipahbacsvc:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: tftp
description: TFTPWeb service
```
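Review bot: the unchanged line `description: TFTPWeb service` in this hunk looks like a copy-paste remnant of the http example (`Web service`); it should read `TFTP service`.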
@@ -82,7 +82,7 @@ Example playbook to make sure HBAC Services for http and tftp are absent
tasks:
# Ensure HBAC Service for http and tftp are absent
- ipahbacsvc:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: http,tftp
state: absent
```


@@ -4,7 +4,7 @@ HBACsvcgroup module
Description
-----------
The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAP Service Groups and members of the groups.
The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAC Service Groups and members of the groups.
Features
@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Service Group login exists:
tasks:
# Ensure HBAC Service Group login is present
- ipahbacsvcgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
```
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Service Group login exists with the only HBAC
tasks:
# Ensure HBAC Service Group login is present with the only HBAC Service sshd
- ipahbacsvcgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -83,7 +83,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Service Group
tasks:
# Ensure HBAC Service sshd is present in HBAC Service Group login
- ipahbacsvcgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
@@ -101,7 +101,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group
tasks:
# Ensure HBAC Service sshd is present in HBAC Service Group login
- ipahbacsvcgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd
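Review bot: the comment `# Ensure HBAC Service sshd is present in HBAC Service Group login` contradicts the example heading (`... is absent in HBAC Service Group`); change it to `absent`.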
@@ -120,7 +120,7 @@ Example playbook to make sure HBAC Service Group login is absent:
tasks:
# Ensure HBAC Service Group login is present
- ipahbacsvcgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
state: absent
```
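Review bot: the comment `# Ensure HBAC Service Group login is present` sits above a task with `state: absent`; change it to `absent`.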


@@ -52,7 +52,7 @@ Example playbook to ensure host presence:
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
description: Example host
ip_address: 192.168.0.123
@@ -65,6 +65,79 @@ Example playbook to ensure host presence:
- "52:54:00:BD:97:1E"
state: present
```
Compared to `ipa host-add` command no IP address conflict check is done as the ipahost module supports to have several IPv4 and IPv6 addresses for a host.
Example playbook to ensure host presence with several IP addresses:
```yaml
---
- name: Playbook to handle hosts
hosts: ipaserver
become: true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password: SomeADMINpassword
name: host01.example.com
description: Example host
ip_address:
- 192.168.0.123
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b3
- fe80::20c:29ff:fe02:a1b4
locality: Lab
ns_host_location: Lab
ns_os_version: CentOS 7
ns_hardware_platform: Lenovo T61
mac_address:
- "08:00:27:E3:B1:2D"
- "52:54:00:BD:97:1E"
state: present
```
Example playbook to ensure IP addresses are present for a host:
```yaml
---
- name: Playbook to handle hosts
hosts: ipaserver
become: true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password: SomeADMINpassword
name: host01.example.com
ip_address:
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b4
action: member
state: present
```
Example playbook to ensure IP addresses are absent for a host:
```yaml
---
- name: Playbook to handle hosts
hosts: ipaserver
become: true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password: SomeADMINpassword
name: host01.example.com
ip_address:
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b4
action: member
state: absent
```
Example playbook to ensure host presence without DNS:
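Review bot: the new sentence `Compared to `ipa host-add` command no IP address conflict check is done ...` should spell out the consequence for the reader: an address that is already assigned to another host, or already present in DNS, is accepted silently and the module creates the DNS records for it, so the playbook author has to check for duplicates themselves. Grammar: `supports to have several` should be `supports several`. The three new examples all reuse the comment `# Ensure host is present`; the two `action: member` examples should say `# Ensure IP addresses are present for host` and `# Ensure IP addresses are absent for host`. Also, the IPv6 samples use link-local `fe80::` addresses, which are not reachable across subnets and are unusual as DNS targets; a global or ULA (`fd00::/8`) address would be a more realistic example.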
@@ -78,7 +151,7 @@ Example playbook to ensure host presence without DNS:
tasks:
# Ensure host is present without DNS
- ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host02.example.com
description: Example host
force: yes
@@ -96,7 +169,7 @@ Example playbook to ensure host presence with a random password:
tasks:
- name: Host host01.example.com present with random password
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
random: yes
force: yes
@@ -120,7 +193,7 @@ Example playbook to ensure presence of several hosts with a random password:
tasks:
- name: Hosts host01.example.com and host01.example.com present with random passwords
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.example.com
random: yes
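Review bot: the task name in this hunk, `Hosts host01.example.com and host01.example.com present with random passwords`, repeats the same host twice; the second name should match the second entry of the `hosts:` list.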
@@ -152,7 +225,7 @@ Example playbook to ensure presence of host member principal:
tasks:
- name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
principal:
- host/testhost01.example.com
@@ -171,7 +244,7 @@ Example playbook to ensure presence of host member certificate:
tasks:
- name: Host host01.example.com present with certificate
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
certificate:
- MIIC/zCCAeegAwIBAg...
@@ -189,7 +262,7 @@ Example playbook to ensure presence of member managedby_host for serveral hosts:
tasks:
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
managedby_host: server.exmaple.com
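Review bot: typos in the unchanged context lines of this hunk, `host01.exmaple.com` and `server.exmaple.com` (should be `example.com`); the example heading above also has `serveral` for `several`.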
@@ -210,12 +283,12 @@ Example playbook to disable a host:
tasks:
# Ensure host is disabled
- ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
update_dns: yes
state: disabled
```
`update_dns` controls if the DNS entries will be updated.
`update_dns` controls if the DNS entries will be updated in this case. For `state` present it is controlling the update of the DNS SSHFP records, but not the the other DNS records.
Example playbook to ensure a host is absent:
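Review bot: doubled word in the new `update_dns` sentence: `but not the the other DNS records`. The sentence would also read more clearly as one statement per state, e.g. `For state disabled it controls whether the DNS entries are updated; for state present only the DNS SSHFP records are updated and the other DNS records are left untouched.`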
@@ -269,25 +342,25 @@ Variable | Description | Required
`certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
`managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
`principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. <br>Options: | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. <br>Options: | no
`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. <br>Options: | no
`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. <br>Options: | no
`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. <br>Options: | no
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. <br>Options: | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. <br>Options: | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. <br>Options: | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. | no
`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. | no
`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. | no
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. | no
`mac_address` \| `macaddress` | List of hardware MAC addresses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
`userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened"] | no
`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
`force` | Force host name even if not in DNS. | no
`reverse` | Reverse DNS detection. | no
`ip_address` \| `ipaddress` | The host IP address. | no
`update_dns` | Update DNS entries. | no
`ip_address` \| `ipaddress` | The host IP address list. It can contain IPv4 and IPv6 addresses. No conflict check for IP addresses is done. | no
`update_dns` | For existing hosts: DNS SSHFP records are updated with `state` present and all DNS entries for a host removed with `state` absent. | no
Return Values
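Review bot: the eight `allow_*_keytab_*` rows are rewritten in this hunk, but the spelling error `retieve` is kept in the four `allow_retrieve_keytab_*` descriptions (`Users allowed to retieve a keytab`, etc.); fix it to `retrieve` now that the lines are touched. The context above also lists `managedby` with the aliases `principalname` \| `krbprincipalname`, identical to the `principal` row, which looks like a copy-paste error (the examples in this README use `managedby_host`); worth checking while here.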


@@ -52,7 +52,7 @@ Example playbook to make sure hostgroup databases exists:
tasks:
# Ensure host-group databases is present
- ipahostgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
@@ -72,7 +72,7 @@ Example playbook to make sure that hosts and hostgroups are present in existing
tasks:
# Ensure hosts and hostgroups are present in existing databases hostgroup
- ipahostgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
@@ -94,7 +94,7 @@ Example playbook to make sure hosts and hostgroups are absent in databases hostg
tasks:
# Ensure hosts and hostgroups are absent in databases hostgroup
- ipahostgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com
@@ -116,7 +116,7 @@ Example playbook to make sure host-group databases is absent:
tasks:
# Ensure host-group databases is absent
- ipahostgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: databases
state: absent
```


@@ -45,7 +45,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops:
tasks:
- name: Ensure presence of pwpolicies for group ops
ipapwpolicy:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: ops
minlife: 7
maxlife: 49
@@ -56,7 +56,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops:
maxfail: 3
```
Example playbook to ensure absence of pwpolicies for group ops
Example playbook to ensure absence of pwpolicies for group ops:
```yaml
---
@@ -67,11 +67,26 @@ Example playbook to ensure absence of pwpolicies for group ops
tasks:
# Ensure absence of pwpolicies for group ops
- ipapwpolicy:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: ops
state: absent
```
Example playbook to ensure maxlife is set to 49 in global policy:
```yaml
---
- name: Playbook to handle pwpolicies
hosts: ipaserver
become: true
tasks:
# Ensure absence of pwpolicies for group ops
- ipapwpolicy:
ipaadmin_password: SomeADMINpassword
maxlife: 49
```
Variables
=========
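Review bot: the comment in the new global-policy example, `# Ensure absence of pwpolicies for group ops`, was copied from the example above and describes the wrong task; it should read `# Ensure maxlife is set to 49 in global policy`. It would also help to state in the example text that omitting `name` targets `global_policy` (as the variable table below says), since that is the point of the example.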
@@ -83,7 +98,7 @@ Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of pwpolicy name strings. | no
`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
`maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
`minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
`history` \| `krbpwdhistorylength` | Password history size. (int) | no

README-service.md (normal file, 320 lines added)

@@ -0,0 +1,320 @@
Service module
==============
Description
-----------
The service module allows to ensure presence and absence of services.
Features
--------
* Service management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaservice module.
Option `skip_host_check` requires FreeIPA version 4.7.0 or later.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FReeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure service is present:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
certificate:
- MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw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pac_type: PAD
auth_ind: otp
requires_pre_auth: false
ok_as_delegate: false
ok_to_auth_as_delegate: false
skip-host-check: true
force: true
```
Example playbook to make sure service is absent:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
state: absent
```
Example playbook to make sure service is disabled:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
state: disabled
```
Example playbook to add a service even if the host object does not exist, but only if it does have a DNS entry:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
skip_host_check: true
force: false
```
Example playbook to add a service if it does have a DNS entry, but host object exits:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
skip_host_check: false
force: true
```
Example playbook to ensure service has a certificate:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service member certificate is present.
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
certificate:
- MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw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action: member
state: present
```
Example playbook to add a principal to the service:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Principal host/principal.example.com present in service.
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
principal: host/principal.example.com
action: member
```
Example playbook to enable a host to manage service:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure host can manage service, again.
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
host: host1.example.com
action: member
```
Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Allow users, groups, hosts or host groups to create a keytab of this service.
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
allow_create_keytab_user:
- user01
- user02
allow_create_keytab_group:
- group01
- group02
allow_create_keytab_host:
- host1.example.com
- host2.example.com
allow_create_keytab_hostgroup:
- hostgroup01
- hostgroup02
action: member
```
Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Allow users, groups, hosts or host groups to retrieve a keytab of this service.
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
allow_retrieve_keytab_user:
- user01
- user02
allow_retrieve_keytab_group:
- group01
- group02
allow_retrieve_keytab_host:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
allow_retrieve_keytab_hostgroup:
- hostgroup01
- hostgroup02
action: member
```
Variables
---------
ipaservice
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `service` | The list of service name strings. | yes
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
`skip_host_check` | Force service to be created even when host object does not exist to manage it. Default to false. (bool)| no
`force` | Force principal name even if host not in DNS. Default to false. (bool) | no
`host` \| `managedby_host`| Hosts that can manage the service. | no
`principal` \| `krbprincipalname` | List of principal aliases for the service. | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group`| Groups allowed to create a keytab of this host. | no
`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host`| Hosts allowed to create a keytab of this host. | no
`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_group`| Host groups allowed to create a keytab of this host. | no
`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this host. | no
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
Authors
=======
Rafael Jeffman
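Review bot: the first example (`Example playbook to make sure service is present`) uses `skip-host-check: true` with a hyphen, while the option is `skip_host_check` everywhere else in this file (the later example and the variable table); as written the task would be rejected for an unsupported parameter, so the example should use the underscore form. Further points in this file: `FReeIPA` under Node should be `FreeIPA`; the heading `Example playbook to add a service if it does have a DNS entry, but host object exits` is inverted, since the table says `force` is for a principal name whose host is not in DNS, so it should read `... even if it does not have a DNS entry, as long as the host object exists`; the comment `# Ensure service is present` is reused in the `state: absent` and `state: disabled` examples; in the variable table the alias of `allow_create_keytab_hostgroup` is given as `ipaallowedtoperform_write_keys_group` (should be `ipaallowedtoperform_write_keys_hostgroup`, as in the host README), the eight keytab rows say `of this host` although they describe the service, `retrieve a keytab from of host` and `It can be on of` are typos, and the `ipaservice` line under Variables is missing its underline.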


@@ -52,7 +52,7 @@ Example playbook to make sure sudocmd exists:
tasks:
# Ensure sudocmd is present
- ipasudocmd:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: present
```
@@ -68,7 +68,7 @@ Example playbook to make sure sudocmd is absent:
tasks:
# Ensure sudocmd are absent
- ipahostgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: absent
```
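Review bot: the unchanged line `- ipahostgroup:` in this hunk is the wrong module for the sudocmd absent example; it should be `- ipasudocmd:` as in the present example above. As written the playbook would try to remove a host group named `/usr/bin/su` instead of the sudo command.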


@@ -52,7 +52,7 @@ Example playbook to make sure sudocmdgroup is present:
tasks:
# Ensure sudocmdgroup is present
- ipasudocmdgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: group01
description: Group of important commands
```
@@ -68,7 +68,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are present
tasks:
# Ensure sudo commands are present in existing sudocmdgroup
- ipasudocmdgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: group01
sudocmd:
- /usr/bin/su
@@ -88,7 +88,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are absent i
tasks:
# Ensure sudocmds are absent in existing sudocmdgroup
- ipasudocmdgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: group01
sudocmd:
- /usr/bin/su
@@ -108,7 +108,7 @@ Example playbook to make sure sudocmdgroup is absent:
tasks:
# Ensure sudocmdgroup is absent
- ipasudocmdgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: group01
state: absent
```


@@ -50,7 +50,7 @@ Example playbook to make sure Sudo Rule is present:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: testrule1
```
@@ -66,9 +66,9 @@ Example playbook to make sure sudocmds are present in Sudo Rule:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
action: member
```
@@ -85,9 +85,9 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: testrule1
cmd:
allow_sudocmd:
- /sbin/ifconfig
action: member
state: absent
@@ -104,8 +104,9 @@ Example playbook to make sure Sudo Rule is absent:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: testrule1
state: absent
```
@@ -124,13 +125,21 @@ Variable | Description | Required
`usercategory` | User category the rule applies to. Choices: ["all"] | no
`hostcategory` | Host category the rule applies to. Choices: ["all"] | no
`cmdcategory` | Command category the rule applies to. Choices: ["all"] | no
`runasusercategory` | RunAs User category the rule applies to. Choices: ["all"] | no
`runasgroupcategory` | RunAs Group category the rule applies to. Choices: ["all"] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this sudorule. | no
`hostgroup` | List of host group name strings assigned to this sudorule. | no
`user` | List of user name strings assigned to this sudorule. | no
`group` | List of user group name strings assigned to this sudorule. | no
`cmd` | List of sudocmd name strings assigned to this sudorule. | no
`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no
`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
`sudooption` \| `option` | List of options to the sudorule | no
`order` | Integer to order the sudorule | no
`runasuser` | List of users for Sudo to execute as. | no
`runasgroup` | List of groups for Sudo to execute as. | no
`action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
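Review bot: this hunk drops the `cmd` and `cmdgroup` rows in favour of `allow_sudocmd`, `deny_sudocmd`, `allow_sudocmdgroup` and `deny_sudocmdgroup`, and the examples above switch from `cmd:` to `allow_sudocmd:`; that is a breaking change for existing playbooks and should be called out in the README text (and the changelog), not only reflected in the table. Typo in the `action` row: `It can be on of` should be `one of`.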


@@ -50,7 +50,7 @@ Example playbook to add a topology segment with default name (cn):
tasks:
- name: Add topology segment
ipatopologysegment:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -70,7 +70,7 @@ Example playbook to delete a topology segment:
tasks:
- name: Delete topology segment
ipatopologysegment:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -90,7 +90,7 @@ Example playbook to reinitialize a topology segment:
tasks:
- name: Reinitialize topology segment
ipatopologysegment:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -111,7 +111,7 @@ Example playbook to verify a topology suffix:
tasks:
- name: Verify topology suffix
ipatopologysuffix:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
suffix: domain
state: verified
```


@@ -52,7 +52,7 @@ Example playbook to ensure a user is present:
tasks:
# Ensure user pinky is present
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: pinky
first: pinky
last: Acme
@@ -66,7 +66,7 @@ Example playbook to ensure a user is present:
# Ensure user brain is present
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: brain
first: brain
last: Acme
@@ -85,7 +85,7 @@ These two `ipauser` module calls can be combined into one with the `users` varia
tasks:
# Ensure users pinky and brain are present
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
users:
- name: pinky
first: pinky
@@ -153,7 +153,7 @@ Ensure user pinky is present with a generated random password and print the rand
tasks:
# Ensure user pinky is present with a random password
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: brain
first: brain
last: Acme
@@ -176,7 +176,7 @@ Ensure users pinky and brain are present with a generated random password and pr
tasks:
# Ensure users pinky and brain are present with random password
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
users:
- name: pinky
first: pinky
@@ -212,7 +212,7 @@ Example playbook to delete a user, but preserve it:
tasks:
# Remove but preserve user pinky
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: pinky
preserve: yes
state: absent
@@ -231,7 +231,7 @@ Example playbook to delete a user, but preserve it using the `users` variable:
tasks:
# Remove but preserve user pinky
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
users:
- name: pinky
preserve: yes
@@ -252,7 +252,7 @@ Example playbook to undelete a preserved user.
tasks:
# Undelete preserved user pinky
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: pinky
state: undeleted
```
@@ -271,7 +271,7 @@ Example playbook to disable a user:
tasks:
# Disable user pinky
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: pinky
state: disabled
```
@@ -290,7 +290,7 @@ Example playbook to enable users:
tasks:
# Enable user pinky and brain
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: enabled
```
@@ -309,7 +309,7 @@ Example playbook to unlock users:
tasks:
# Unlock user pinky and brain
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: unlocked
```
@@ -326,7 +326,7 @@ Example playbook to ensure users are absent:
tasks:
# Ensure users pinky and brain are absent
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: absent
```
@@ -345,7 +345,7 @@ Example playbook to ensure users are absent:
tasks:
# Ensure users pinky and brain are absent
- ipauser:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
users:
- name: pinky
- name: brain
@@ -408,7 +408,7 @@ Variable | Description | Required
`manager` | List of manager user names. | no
`carlicense` | List of car licenses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`userauthtype` | List of supported user authentication types. Choices: `password`, `radius` and `otp` | no
`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no
`userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
`radius` | RADIUS proxy configuration | no
`radiususer` | RADIUS proxy username | no
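Review bot: the new choice in the `userauthtype` row is written as a bare pair of backticks, which Markdown renders as an empty inline code span, so the reader sees "`password`, `radius`, `otp` and ." followed by "Use empty string to reset". Write the choice as `""` so it is visible, and say whether the empty string is given as the whole value or as one list element, since the row describes a list.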

README-vault.md Normal file

@@ -0,0 +1,203 @@
Vault module
===================
Description
-----------
The vault module allows to ensure presence and absence of vault and members of vaults.
The vault module is as compatible as possible to the Ansible upstream `ipa_vault` module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
Features
--------
* Vault management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipavault module.
Requirements
------------
**Controller**
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
* KRA service must be enabled
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure vault is present:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
vault_password: MyVaultPassword123
description: A standard private vault.
```
Example playbook to make sure that a vault and its members are present:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
users: user01
```
`action` controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set `action` to `member`.
Example playbook to make sure that a vault member is present in vault:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
users: user01
action: member
```
Example playbook to make sure that a vault owner is absent in vault:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
owner: user01
action: member
state: absent
```
Example playbook to make sure vault data is present in a symmetric vault:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
vault_password: MyVaultPassword123
vault_data: >
Data archived.
More data archived.
action: member
```
Example playbook to make sure vault data is absent in a symmetric vault:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
vault_password: MyVaultPassword123
action: member
state: absent
```
Example playbook to make sure vault is absent:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
state: absent
```
Variables
=========
ipavault
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `cn` | The list of vault name strings. | yes
`description` | The vault description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`vault_public_key` \| `ipavaultpublickey` | Vault public key. | no
`vault_salt` \| `ipavaultsalt` | Vault salt. | no
`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
`service` | Any service can own one or more service vaults. | no
`user` | Any user can own one or more user vaults. | no
`shared` | Vault is shared. Default to false. (bool) | no
`users` | Users that are members of the vault. | no
`groups` | Groups that are member of the vault. | no
`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
Notes
=====
ipavault uses a client context to execute, and it might affect execution time.
Authors
=======
Rafael Jeffman
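Review bot: the variables table does not list several parameters the examples above depend on: `vault_password` (used in the present, data-present and data-absent examples), `username` (used in every example, while the table lists `user`), and `owner` (used in the owner-absent example). Either the table or the examples is wrong about `user` versus `username`; please align them and document `vault_password`, since without it a reader cannot tell that it is what unlocks a `symmetric` vault for archiving. The "vault data is absent" example passes `action: member` and `state: absent` with no `vault_data`; say what that does (remove all archived data?), because as written it is indistinguishable from removing a member that was never given. Wording: "allows to ensure presence and absence of vault" (ensure the presence or absence of vaults), "as compatible as possible to" (with), and "It can be on of" in the `action` row (one of). Finally, `MyVaultPassword123` sits in cleartext next to the admin password in three examples; for a module whose purpose is storing secrets, a pointer to `ansible-vault` or `no_log: true` on the task belongs in this README.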


@@ -19,16 +19,18 @@ Features
* Modules for host management
* Modules for hostgroup management
* Modules for pwpolicy management
* Modules for service management
* Modules for sudocmd management
* Modules for sudocmdgroup management
* Modules for sudorule management
* Modules for topology management
* Modules for user management
* Modules for vault management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.6 and up are supported by all roles.
FreeIPA versions 4.6 and up are supported by all roles.
The client role supports versions 4.4 and up, the server role is working with versions 4.5 and up, the replica role is currently only working with versions 4.6 and up.
@@ -156,6 +158,7 @@ ipaserver_install_packages=no
ipaserver_setup_firewalld=no
```
The installation of packages and also the configuration of the firewall are by default enabled.
Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md).
@@ -231,6 +234,7 @@ ipareplica_setup_firewalld=no
```
The installation of packages and also the configuration of the firewall are by default enabled.
Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md).
@@ -404,6 +408,7 @@ Roles
Modules in plugin/modules
=========================
* [ipadnsconfig](README-dnsconfig.md)
* [ipadnsforwardzone](README-dnsforwardzone.md)
* [ipagroup](README-group.md)
* [ipahbacrule](README-hbacrule.md)
@@ -412,9 +417,11 @@ Modules in plugin/modules
* [ipahost](README-host.md)
* [ipahostgroup](README-hostgroup.md)
* [ipapwpolicy](README-pwpolicy.md)
* [ipaservice](README-service.md)
* [ipasudocmd](README-sudocmd.md)
* [ipasudocmdgroup](README-sudocmdgroup.md)
* [ipasudorule](README-sudorule.md)
* [ipatopologysegment](README-topology.md)
* [ipatopologysuffix](README-topology.md)
* [ipauser](README-user.md)
* [ipavault](README-vault.md)


@@ -15,6 +15,8 @@ readme: "README.md"
license: "GPL-3.0-or-later"
license_file: "COPYING"
dependencies:
tags:
- "identity"
- "ipa"


@@ -0,0 +1,9 @@
---
- name: Playbook to disable global DNS forwarders
hosts: ipaserver
become: true
tasks:
- name: Disable global forwarders.
ipadnsconfig:
forward_policy: none


@@ -0,0 +1,9 @@
---
- name: Playbook to disallow reverse record synchronization.
hosts: ipaserver
become: true
tasks:
- name: Disallow reverse record synchronization.
ipadnsconfig:
allow_sync_ptr: no


@@ -0,0 +1,13 @@
---
- name: Playbook to handle global DNS configuration
hosts: ipaserver
become: true
tasks:
- name: Set dnsconfig.
ipadnsconfig:
forwarders:
- ip_address: 8.8.4.4
- ip_address: 2001:4860:4860::8888
port: 53
state: absent
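Review bot: the task is named "Set dnsconfig." but with `state: absent` it removes the two forwarders; name it for what it does (for example "Ensure global forwarders are absent") so the play output is not misleading. `port: 53` is the default port, so it adds nothing here unless the intent is to show the option, in which case a non-default port would make the point. These dnsconfig playbooks are also the only new ones in the commit without `ipaadmin_password`; fine if an existing admin ticket is assumed, but then one of them should say so in a comment.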


@@ -0,0 +1,14 @@
---
- name: Playbook to handle global DNS configuration
hosts: ipaserver
become: true
tasks:
- name: Set dnsconfig.
ipadnsconfig:
forwarders:
- ip_address: 8.8.4.4
- ip_address: 2001:4860:4860::8888
port: 53
forward_policy: only
allow_sync_ptr: yes


@@ -7,6 +7,6 @@
tasks:
- name: Ensure HBAC Rule allhosts is absent
ipahbacrule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: allhosts
state: absent


@@ -7,6 +7,6 @@
tasks:
- name: Ensure HBAC Rule allhosts is disabled
ipahbacrule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: allhosts
state: disabled


@@ -7,6 +7,6 @@
tasks:
- name: Ensure HBAC Rule allhosts is enabled
ipahbacrule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: allhosts
state: enabled


@@ -7,6 +7,6 @@
tasks:
- name: Ensure HBAC Rule allhosts is present
ipahbacrule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: allhosts
usercategory: all


@@ -7,7 +7,7 @@
tasks:
- name: Ensure host server is absent in HBAC Rule allhosts
ipahbacrule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: allhosts
host: server
action: member


@@ -7,7 +7,7 @@
tasks:
- name: Ensure host server is present in HBAC Rule allhosts
ipahbacrule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: allhosts
host: server
action: member


@@ -7,6 +7,6 @@
tasks:
- name: Ensure HBAC Services for http and tftp are absent
ipahbacsvc:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: http,tftp
state: absent


@@ -7,12 +7,12 @@
tasks:
- name: Ensure HBAC Service for http is present
ipahbacsvc:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: http
description: Web service
- name: Ensure HBAC Service for tftp is present
ipahbacsvc:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: tftp
description: TFTP service


@@ -7,7 +7,7 @@
tasks:
- name: Ensure HBAC Service Group login is absent
ipahbacsvcgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd


@@ -7,7 +7,7 @@
tasks:
- name: Ensure HBAC Services sshd is absent in HBAC Service Group login
ipahbacsvcgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd


@@ -7,7 +7,7 @@
tasks:
- name: Ensure HBAC Service sshd is present in HBAC Service Group login
ipahbacsvcgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd


@@ -7,7 +7,7 @@
tasks:
- name: Ensure HBAC Service sshd is present in HBAC Service Group login
ipahbacsvcgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: login
hbacsvc:
- sshd


@@ -6,6 +6,6 @@
tasks:
- name: Ensure host host01.example.com is absent
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
state: absent


@@ -6,6 +6,6 @@
tasks:
- name: Disable host host01.example.com
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
state: disabled


@@ -6,7 +6,7 @@
tasks:
- name: Host "{{ 'host1.' + ipaserver_domain }}" present with random password
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: "{{ 'host1.' + ipaserver_domain }}"
random: yes
force: yes


@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_create_keytab_user:
- user01
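Review bot: pre-existing, but since the line above it is being touched: the task name says `host1.example.com` while `name:` is `host01.exmaple.com` (typo "exmaple", and host1 versus host01). The same mismatch is visible in the other allow_create_keytab, allow_retrieve_keytab and managedby_host host playbooks in this commit, so one pass over `playbooks/host/` would fix them all.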


@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com members allow_create_keytab present for users, groups, hosts and hostgroups
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_create_keytab_user:
- user01


@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_retrieve_keytab_user:
- user01


@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_retrieve_keytab_user:
- user01


@@ -5,7 +5,7 @@
tasks:
- name: Host host01.example.com member certificate absent
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
certificate:
- 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


@@ -5,7 +5,7 @@
tasks:
- name: Host host01.example.com member certificate present
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
certificate:
- MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3


@@ -0,0 +1,17 @@
---
- name: Host member IP addresses absent
hosts: ipaserver
become: true
tasks:
- name: Ensure host01.example.com IP addresses absent
ipahost:
ipaadmin_password: SomeADMINpassword
name: host01.example.com
ip_address:
- 192.168.0.123
- fe80::20c:29ff:fe02:a1b3
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b4
action: member
state: absent


@@ -0,0 +1,16 @@
---
- name: Host member IP addresses present
hosts: ipaserver
become: true
tasks:
- name: Ensure host01.example.com IP addresses present
ipahost:
ipaadmin_password: SomeADMINpassword
name: host01.example.com
ip_address:
- 192.168.0.123
- fe80::20c:29ff:fe02:a1b3
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b4
action: member


@@ -5,7 +5,7 @@
tasks:
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
managedby_host: server.exmaple.com
action: member


@@ -5,7 +5,7 @@
tasks:
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
managedby_host: server.exmaple.com
action: member


@@ -6,7 +6,7 @@
tasks:
- name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com absent
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
principal:
- host/testhost01.example.com


@@ -6,7 +6,7 @@
tasks:
- name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com present
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
principal:
- host/testhost01.example.com


@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com present with allow_create_keytab for users, groups, hosts and hostgroups
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_create_keytab_user:
- user01


@@ -6,7 +6,7 @@
tasks:
- name: Host host1.example.com present with allow_retrieve_keytab for users, groups, hosts and hostgroups
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
allow_retrieve_keytab_user:
- user01


@@ -5,7 +5,7 @@
tasks:
- name: Host host01.example.com present with certificate
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
certificate:
- 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


@@ -5,7 +5,7 @@
tasks:
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.exmaple.com
managedby_host: server.exmaple.com
force: yes


@@ -6,7 +6,7 @@
tasks:
- name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
principal:
- host/testhost01.example.com


@@ -6,7 +6,7 @@
tasks:
- name: Host host01.example.com present with random password
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
random: yes
force: yes


@@ -0,0 +1,24 @@
---
- name: Host present with several IP addresses
hosts: ipaserver
become: true
tasks:
- name: Ensure host is present
ipahost:
ipaadmin_password: SomeADMINpassword
name: host01.example.com
description: Example host
ip_address:
- 192.168.0.123
- fe80::20c:29ff:fe02:a1b3
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b4
locality: Lab
ns_host_location: Lab
ns_os_version: CentOS 7
ns_hardware_platform: Lenovo T61
mac_address:
- "08:00:27:E3:B1:2D"
- "52:54:00:BD:97:1E"
state: present


@@ -6,7 +6,7 @@
tasks:
- name: Ensure host is present
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: host01.example.com
description: Example host
ip_address: 192.168.0.123


@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.example.com and host01.exmaple.com member certificate absent
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.example.com
certificate:
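Review bot: pre-existing, but the task name lists `host01.example.com` and `host01.exmaple.com`, which reads as the same host twice with a typo; `host02.example.com` was presumably intended for the second entry. The "present" counterpart of this playbook has the same task name.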


@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.example.com and host01.exmaple.com member certificate present
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.example.com
certificate:


@@ -5,7 +5,7 @@
tasks:
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
managedby_host: server.exmaple.com


@@ -5,7 +5,7 @@
tasks:
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
managedby_host: server.exmaple.com


@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com absent
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
principal:


@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com present
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
principal:


@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.example.com and host01.exmaple.com present with certificate
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.example.com
certificate:


@@ -5,7 +5,7 @@
tasks:
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.exmaple.com
managedby_host: server.exmaple.com


@@ -6,7 +6,7 @@
tasks:
- name: Hosts host01.example.com and host01.example.com present with random passwords
ipahost:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
hosts:
- name: host01.example.com
random: yes
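Review bot: pre-existing, but the task name says "Hosts host01.example.com and host01.example.com", the same host twice; the second should be whichever host the `hosts:` list actually names below the visible context.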


@@ -6,6 +6,6 @@
tasks:
# Ensure host-group databases is present
- ipahostgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: databases
state: absent
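Review bot: pre-existing, but the comment says "Ensure host-group databases is present" while the task sets `state: absent`; fix the comment while the line above it is being changed.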


@@ -6,7 +6,7 @@
tasks:
# Ensure host-group databases is present
- ipahostgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com


@@ -6,7 +6,7 @@
tasks:
# Ensure hosts and hostgroups are present in existing databases hostgroup
- ipahostgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com


@@ -6,7 +6,7 @@
tasks:
# Ensure hosts and hostgroups are present in existing databases hostgroup
- ipahostgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: databases
host:
- db.example.com


@@ -0,0 +1,14 @@
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure management host is absent.
- ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
host: "{{ groups.ipaserver[0] }}"
action: member
state: absent
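Review bot: this new playbook, and every other new file under `playbooks/service/` in this commit, still uses `ipaadmin_password: MyPassword123`, while the rest of the commit renames that placeholder to `SomeADMINpassword`. Please use the new placeholder in the new files too, otherwise the rename is incomplete the moment it lands and a search for the old one still finds hits.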


@@ -0,0 +1,13 @@
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure management host is present.
- ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
host: "{{ groups.ipaserver[0] }}"
action: member


@@ -0,0 +1,12 @@
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is absent
- ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
state: absent


@@ -0,0 +1,12 @@
---
- name: Playbook to disable IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is disabled
- ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
state: disabled


@@ -0,0 +1,23 @@
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
certificate:
- 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
pac_type:
- MS-PAC
- PAD
auth_ind: otp
force: no
requires_pre_auth: yes
ok_as_delegate: no
ok_to_auth_as_delegate: no
action: service
state: present


@@ -0,0 +1,13 @@
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/ihavenodns.info
force: yes
# state: absent
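Review bot: the commented-out `# state: absent` looks like leftover debugging; drop it, since the comment above says "Ensure service is present" and `state` defaults to present. A comment explaining that `force: yes` is what allows `HTTP/ihavenodns.info` to be created without a resolvable host would also help, because that is the only thing this example demonstrates.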


@@ -0,0 +1,12 @@
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.ansible.com
skip_host_check: yes


@@ -0,0 +1,11 @@
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com


@@ -0,0 +1,24 @@
---
- name: Service member allow_create_keytab absent
hosts: ipaserver
become: true
tasks:
- name: Service HTTP/www.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups
ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
allow_create_keytab_user:
- user01
- user02
allow_create_keytab_group:
- group01
- group02
allow_create_keytab_host:
- host01.example.com
- host02.example.com
allow_create_keytab_hostgroup:
- hostgroup01
- hostgroup02
action: member
state: absent


@@ -0,0 +1,23 @@
---
- name: Service member allow_create_keytab present
hosts: ipaserver
become: true
tasks:
- name: Service HTTP/www.example.com members allow_create_keytab present for users, groups, hosts and hostgroups
ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
allow_create_keytab_user:
- user01
- user02
allow_create_keytab_group:
- group01
- group02
allow_create_keytab_host:
- host01.example.com
- host02.example.com
allow_create_keytab_hostgroup:
- hostgroup01
- hostgroup02
action: member


@@ -0,0 +1,24 @@
---
- name: Service member allow_retrieve_keytab absent
hosts: ipaserver
become: true
tasks:
- name: Service HTTP/www.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups
ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
allow_retrieve_keytab_user:
- user01
- user02
allow_retrieve_keytab_group:
- group01
- group02
allow_retrieve_keytab_host:
- host01.example.com
- host02.example.com
allow_retrieve_keytab_hostgroup:
- hostgroup01
- hostgroup02
action: member
state: absent


@@ -0,0 +1,23 @@
---
- name: Service member allow_retrieve_keytab present
hosts: ipaserver
become: true
tasks:
- name: Service HTTP/www.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups
ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
allow_retrieve_keytab_user:
- user01
- user02
allow_retrieve_keytab_group:
- group01
- group02
allow_retrieve_keytab_host:
- host01.example.com
- host02.example.com
allow_retrieve_keytab_hostgroup:
- hostgroup01
- hostgroup02
action: member


@@ -0,0 +1,16 @@
---
- name: Service certificate absent.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service certificate is absent
- ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
certificate:
- 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
action: member
state: absent


@@ -0,0 +1,15 @@
---
- name: Service certificate present.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service certificate is present
- ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
certificate:
- MIICBjCCAW8CFHnm32VcXaUDGfEGdDL/erPSijUAMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjAwMTIzMDA1NjQ2WhcNMjEwMTIyMDA1NjQ2WjBCMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYrdVmsr7iT3f67DM5bb1osSEe5/c91UUMEIcFq5wrgBhzVfs8iIMDVC1yiUGTsDLJNJc4nb1tUxeR9K5fh25E6n/eWDBP75NStotjAXRU4Ahi3FNRhWFOKesds5xNqgDk5/dY8UekJv2yUblQuZzeF8b2XFrmHuCaYuFctzPfWwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACF+5RS8Ce0HRixGPu4Xd51i+Kzblg++lx8fDJ8GW5G16/Z1AsB72Hc7etJL2PksHlue/xCq6SA9fIfHc4TBNCiWjPSP1NhHJeYyoPiSkcYsqXuxWyoyRLbnAhBVvhoiqZbUt3u3tGB0uMMA0yJvj07mP7Nea2KdBYVH8X1pM0V+
action: member
state: present


@@ -0,0 +1,14 @@
---
- name: Service member principal absent
hosts: ipaserver
become: true
tasks:
- name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com absent
ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
principal:
- host/test.exmaple.com
action: member
state: absent
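Review bot: typo "exmaple" in both the task name (`HTTP/www.exmaple.com`) and the principal (`host/test.exmaple.com`) of this new file; `name:` uses `www.example.com`, so the task name also does not match the service it operates on. The "present" counterpart of this playbook has the same two typos.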


@@ -0,0 +1,13 @@
---
- name: Service member principal present
hosts: ipaserver
become: true
tasks:
- name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com present
ipaservice:
ipaadmin_password: MyPassword123
name: HTTP/www.example.com
principal:
- host/test.exmaple.com
action: member


@@ -6,6 +6,6 @@
tasks:
# Ensure sudo command is absent
- ipasudocmd:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: absent


@@ -6,6 +6,6 @@
tasks:
# Ensure sudo command is present
- ipasudocmd:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: /usr/bin/su
state: present


@@ -6,7 +6,7 @@
tasks:
# Ensure sudocmds are absent in sudocmdgroup
- ipasudocmdgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig


@@ -6,7 +6,7 @@
tasks:
# Ensure sudo commands are present
- ipasudocmd:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name:
- /usr/sbin/ifconfig
- /usr/sbin/iwlist
@@ -14,7 +14,7 @@
# Ensure sudo commands are present in existing sudocmdgroup
- ipasudocmdgroup:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: network
sudocmd:
- /usr/sbin/ifconfig


@@ -0,0 +1,14 @@
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudooption is absent in sudorule
- ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
sudooption: "!root"
action: member
state: absent


@@ -0,0 +1,13 @@
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudooption is present in sudorule
- ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
sudooption: "!root"
action: member


@@ -7,7 +7,7 @@
tasks:
# Ensure host server is absent in Sudo Rule
- ipasudorule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: testrule1
host: server
action: member


@@ -7,7 +7,7 @@
tasks:
# Ensure host server is present in Sudo Rule
- ipasudorule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: testrule1
host: server
action: member


@@ -7,7 +7,7 @@
tasks:
# Ensure hostgroup cluster is absent in Sudo Rule
- ipasudorule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: testrule1
hostgroup: cluster
action: member


@@ -7,7 +7,7 @@
tasks:
# Ensure hostgrep cluster is present in Sudo Rule
- ipasudorule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: testrule1
hostgroup: cluster
action: member
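Review bot: The task comment `# Ensure hostgrep cluster is present in Sudo Rule` misspells `hostgroup`; the absent counterpart already reads `# Ensure hostgroup cluster is absent in Sudo Rule`, so the comment should be `# Ensure hostgroup cluster is present in Sudo Rule` to match the `hostgroup: cluster` parameter below it.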


@@ -6,6 +6,6 @@
tasks:
# Ensure sudorule command is disabled
- ipasudorule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: testrule1
state: disabled


@@ -6,6 +6,6 @@
tasks:
# Ensure sudorule command is enabled
- ipasudorule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: testrule1
state: enabled


@@ -0,0 +1,12 @@
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudorule is present with the given order.
- ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
order: 2


@@ -6,7 +6,9 @@
tasks:
# Ensure sudorule command is present
- ipasudorule:
ipaadmin_password: MyPassword123
ipaadmin_password: SomeADMINpassword
name: testrule1
description: A test sudo rule.
allow_sudocmd: /bin/ls
deny_sudocmd: /bin/vim
state: present


@@ -0,0 +1,14 @@
---
- name: Tests
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure sudorule is present with the given order.
- ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
runasuser: admin
action: member
state: absent
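Review bot: The comment `# Ensure sudorule is present with the given order.` was copied from the order test and does not describe this task, which removes `runasuser: admin` from `testrule1` via `action: member` / `state: absent`. Reword it to something like `# Ensure runasuser admin is absent in sudorule` so a reader of the test output can tell which member operation failed.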
