internet/ansible-freeipa
4
0
Fork 0
mirror of https://github.com/freeipa/ansible-freeipa.git synced 2026-03-27 22:03:05 +00:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: internet:master
Branches Tags
internet:master internet:run_collection_playbooks internet:validate_emaildomain internet:0.4 internet:automember_verify_condition_keys internet:ipaautomember_documantation_fix internet:fix_image_build internet:t-woerner-permission-typo1 internet:fix-role-readme-title-1 internet:fix-role-readme-title internet:t-woerner-group-readme-external internet:fix_logger_info_calls
internet:v1.16.0 internet:v1.15.1 internet:v1.15.0 internet:v1.14.7 internet:v1.14.6 internet:v1.14.5 internet:v1.14.4 internet:v1.14.3 internet:v1.14.2 internet:v1.14.1 internet:v1.14.0 internet:v1.13.2 internet:v1.13.1 internet:v1.13.0 internet:v1.12.1 internet:v1.12.0 internet:v1.11.1 internet:v1.11.0 internet:v1.10.0 internet:v1.9.2 internet:v1.9.1 internet:v1.9.0 internet:v1.8.4 internet:v1.8.3 internet:v1.8.2 internet:v1.8.1 internet:v1.8.0 internet:v1.7.0 internet:v1.6.3 internet:v1.6.2 internet:v1.6.1 internet:v1.6.0 internet:v1.5.3 internet:v1.5.2 internet:v1.5.1 internet:v1.5.0 internet:v0.4.2 internet:v0.4.1 internet:v0.4.0 internet:v0.3.8 internet:v0.3.7 internet:v0.3.6 internet:v0.3.5 internet:v0.3.4 internet:v0.3.3 internet:v0.3.2 internet:v0.3.1 internet:v0.3.0 internet:v0.2.1 internet:v0.2.0 internet:v0.1.12 internet:v0.1.11 internet:v0.1.10 internet:v0.1.9 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0
..
compare: internet:fix_logger_info_calls
Branches Tags
internet:master internet:run_collection_playbooks internet:validate_emaildomain internet:0.4 internet:automember_verify_condition_keys internet:ipaautomember_documantation_fix internet:fix_image_build internet:t-woerner-permission-typo1 internet:fix-role-readme-title-1 internet:fix-role-readme-title internet:t-woerner-group-readme-external internet:fix_logger_info_calls
internet:v1.16.0 internet:v1.15.1 internet:v1.15.0 internet:v1.14.7 internet:v1.14.6 internet:v1.14.5 internet:v1.14.4 internet:v1.14.3 internet:v1.14.2 internet:v1.14.1 internet:v1.14.0 internet:v1.13.2 internet:v1.13.1 internet:v1.13.0 internet:v1.12.1 internet:v1.12.0 internet:v1.11.1 internet:v1.11.0 internet:v1.10.0 internet:v1.9.2 internet:v1.9.1 internet:v1.9.0 internet:v1.8.4 internet:v1.8.3 internet:v1.8.2 internet:v1.8.1 internet:v1.8.0 internet:v1.7.0 internet:v1.6.3 internet:v1.6.2 internet:v1.6.1 internet:v1.6.0 internet:v1.5.3 internet:v1.5.2 internet:v1.5.1 internet:v1.5.0 internet:v0.4.2 internet:v0.4.1 internet:v0.4.0 internet:v0.3.8 internet:v0.3.7 internet:v0.3.6 internet:v0.3.5 internet:v0.3.4 internet:v0.3.3 internet:v0.3.2 internet:v0.3.1 internet:v0.3.0 internet:v0.2.1 internet:v0.2.0 internet:v0.1.12 internet:v0.1.11 internet:v0.1.10 internet:v0.1.9 internet:v0.1.8 internet:v0.1.7 internet:v0.1.6 internet:v0.1.5 internet:v0.1.4 internet:v0.1.3 internet:v0.1.2 internet:v0.1.1 internet:v0.1.0

3 Commits
master ... fix_logger

Author SHA1 Message Date
Thomas Woerner
aff2703bdf Merge pull request #196 from rjeffman/fix_logger_info_calls 
Removes invalid and unnecessary calls to logger.info.
 2020-02-03 16:20:07 +01:00
Rafael Guterres Jeffman
fda761b4bf Removes invalid and unnecessary calls to logger.info. 2020-01-24 23:49:55 -03:00
Rafael Guterres Jeffman
daa9359bb7 Removes invalid and unnecessary calls to logger.info. 2020-01-24 21:41:04 -03:00
918 changed files with 19931 additions and 78001 deletions
Expand all files Collapse all files

41
.ansible-lint
View File

@@ -1,41 +0,0 @@
---
exclude_paths:
- .ansible-freeipa-tests/
- .cache/
- .github/
- .pre-commit-config.yaml
- .tox/
- .venv/
- .yamllint
- tests/azure/
- meta/runtime.yml
- requirements-docker.yml
- requirements-podman.yml
kinds:
- playbook: '**/tests/**/test_*.yml'
- playbook: '**/playbooks/**/*.yml'
- playbook: '**/tests/ca-less/install_*_without_ca.yml'
- playbook: '**/tests/ca-less/clean_up_certificates.yml'
- playbook: '**/tests/external-signed-ca-with-automatic-copy/install-server-with-external-ca-with-automatic-copy.yml'
- playbook: '**/tests/external-signed-ca-with-manual-copy/install-server-with-external-ca-with-manual-copy.yml'
- playbook: '**/tests/user/create_users_json.yml'
- tasks: '**/tasks_*.yml'
- tasks: '**/env_*.yml'
parseable: true
quiet: false
skip_list:
- '301' # Commands should not change things if nothing needs doing'
- '305' # Use shell only when shell functionality is required
- '306' # risky-shell-pipe
- yaml # yamllint should be executed separately.
- experimental # Do not run any experimental tests
- name[template] # Allow Jinja templating inside task names
- var-naming
use_default_rules: true
verbosity: 1

9
.copr/Makefile
View File

@@ -1,9 +0,0 @@
srpm:
# Setup development environment
echo "Installing base development environment"
dnf install -y dnf-plugins-core git-all
echo "Call SRPM build Script"
./utils/build-srpm.sh
if [[ "${outdir}" != "" ]]; then \
mv /builddir/build/SRPMS/* ${outdir}; \
fi

15
.github/workflows/ansible-test.yml vendored
View File

@@ -1,15 +0,0 @@
---
name: ansible-test sanity
on:
- push
- pull_request
jobs:
ansible_test:
name: Verify ansible-test sanity
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 0
- name: Run ansible-test
run: bash tests/sanity/sanity.sh

73
.github/workflows/docs.yml vendored
View File

@@ -1,73 +0,0 @@
---
name: Verify Ansible documentation.
on:
- push
- pull_request
jobs:
check_docs_oldest_supported:
name: Check Ansible Documentation with ansible-core 2.16.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 1
- uses: actions/setup-python@v5.1.0
with:
python-version: '3.x'
- name: Install Ansible 2.16
run: |
python -m pip install "ansible-core >=2.16,<2.17"
- name: Run ansible-doc-test
run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
check_docs_previous:
name: Check Ansible Documentation with ansible-core 2.18.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 1
- uses: actions/setup-python@v5.1.0
with:
python-version: '3.x'
- name: Install Ansible 2.18
run: |
python -m pip install "ansible-core >=2.18,<2.19"
- name: Run ansible-doc-test
run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
check_docs_current:
name: Check Ansible Documentation with ansible-core 2.19.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 1
- uses: actions/setup-python@v5.1.0
with:
python-version: '3.x'
- name: Install Ansible 2.20
run: |
python -m pip install "ansible-core <2.20"
- name: Run ansible-doc-test
run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins
check_docs_ansible_latest:
name: Check Ansible Documentation with latest Ansible version.
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 1
- uses: actions/setup-python@v5.1.0
with:
python-version: '3.x'
- name: Install Ansible-latest
run: |
python -m pip install ansible
- name: Run ansible-doc-test
run: |
ANSIBLE_LIBRARY="." ANSIBLE_DOC_FRAGMENT_PLUGINS="." python utils/ansible-doc-test -v roles plugins

77
.github/workflows/lint.yml vendored
View File

@@ -1,77 +0,0 @@
---
name: Run Linters
on:
- push
- pull_request
jobs:
ansible_lint:
name: Verify ansible-lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 0
- uses: actions/setup-python@v5.1.0
with:
python-version: "3.13"
- name: Run ansible-lint
run: |
pip install "ansible-core>=2.16,<2.17" 'ansible-lint==6.22'
utils/build-collection.sh -ki rpm
cd .collection-build
ansible-lint --profile production --exclude tests/integration/ --exclude tests/unit/ --parseable --nocolor
yamllint:
name: Verify yamllint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 1
- uses: actions/setup-python@v5.1.0
with:
python-version: "3.x"
- name: Run yaml-lint
uses: ibiqlik/action-yamllint@v3.1.1
flake8:
name: Verify flake8
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 1
- uses: actions/setup-python@v5.1.0
with:
python-version: "3.x"
- name: Run flake8
run: |
pip install flake8 flake8-bugbear
flake8
pylint:
name: Verify pylint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 1
- uses: actions/setup-python@v5.1.0
with:
python-version: "3.x"
- name: Run pylint
run: |
pip install 'pylint>=3.0'
pylint plugins roles --disable=import-error
shellcheck:
name: Shellcheck
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 1
- name: Run ShellCheck
uses: ludeeus/action-shellcheck@master
env:
SHELLCHECK_OPTS: -x

18
.github/workflows/readme.yml vendored
View File

@@ -1,18 +0,0 @@
---
name: readme test
on:
- push
- pull_request
jobs:
ansible_test:
name: Verify readme
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4.1.1
with:
fetch-depth: 1
- name: Run readme test
run: |
error=0
for i in roles/ipa*/README.md README-*.md; do grep -q $i README.md && echo "OK: $i" || { echo -e "\033[31;1mERROR: ${i} missing\033[0m"; error=1; } done
exit $error

13
.gitignore vendored
View File

@@ -1,15 +1,2 @@
*.pyc
*.retry
*.swp
# collection files
freeipa-ansible_freeipa*.tar.gz
redhat-rhel_idm*.tar.gz
importer_result.json
# ignore virtual environments
/.tox/
/.venv/
tests/logs/
TEST*.xml

56
.pre-commit-config.yaml
View File

@@ -1,56 +0,0 @@
---
repos:
- repo: https://github.com/ansible/ansible-lint.git
rev: v25.9.2
hooks:
- id: ansible-lint
always_run: false
pass_filenames: true
files: \.(yaml|yml)$
exclude: /env[^/]*.(yaml|yml)$
entry: |-
env
ANSIBLE_LIBRARY=./plugins/modules
ANSIBLE_MODULE_UTILS=./plugins/module_utils
ANSIBLE_DOC_FRAGMENT_PLUGINS=./plugins/doc_fragments
ansible-lint
--offline
--profile production
--exclude tests/integration/
--exclude tests/unit/
--parseable
--nocolor
- repo: https://github.com/adrienverge/yamllint.git
rev: v1.37.1
hooks:
- id: yamllint
files: \.(yaml|yml)$
- repo: https://github.com/pycqa/flake8
rev: 7.3.0
hooks:
- id: flake8
- repo: https://github.com/pycqa/pylint
rev: v4.0.2
hooks:
- id: pylint
args:
- --disable=import-error
files: \.py$
- repo: local
hooks:
- id: ansible-doc-test
name: Verify Ansible roles and module documentation.
language: python
entry: utils/ansible-doc-test
# args: ['-v', 'roles', 'plugins']
files: ^.*.py$
- repo: local
hooks:
- id: shellcheck
name: ShellCheck
language: system
entry: shellcheck
args: ['-x']
files: >
\.sh$
utils/sh*$

28
.yamllint
View File

@@ -1,28 +0,0 @@
---
ignore: |
/.tox/
/.venv/
/.github/
extends: default
rules:
braces:
max-spaces-inside: 1
level: error
brackets:
max-spaces-inside: 1
level: error
truthy:
allowed-values: ["yes", "no", "true", "false", "True", "False"]
level: error
line-length:
max: 160
# Disabled rules
indentation: disable
comments:
min-spaces-from-content: 1
comments-indentation: disable
octal-values:
forbid-implicit-octal: true
forbid-explicit-octal: true

121
CONTRIBUTING.md
View File

@@ -1,121 +0,0 @@
Contributing to ansible-freeipa
===============================
As part of the [FreeIPA] project, ansible-freeipa follows
[FreeIPA's Code of Conduct].
Reporting bugs or Features
--------------------------
ansible-freeipa uses [Github issues] for the upstream development, so all RFEs
and bug reports should be added there.
If you have questions about the usage of ansible-freeipa modules and roles,
you should also submit an issue, so that anyone that knows an answer can help.
Development
-----------
Contribute code by submitting a [pull request]. All pull requests should be
created against the `master` branch. If your PR fixes an open issue, please,
add this information to the commit message, like _"Fix issue #num"_.
Every PR will have to pass some automatic checks and be reviewed by another
developer(s). Once they are approved, they will be merged.
In your commits, use clear messages that include intent, summary of changes,
and expected result. Use a template commit message [for modules] and
[for roles].
Upon review, it is fine to `force push` the changes.
**Preparing the development environment**
There are some useful tools that will help you develop for ansible-freeipa,
and you should install, at least, the modules in `requirements.txt`. You
can install the modules with your distribution package manager, or use pip,
as in the example:
```
python3 -m pip install --user -r requirements-dev.txt
```
We recommend using [pre-commit] so that the basic checks that will be executed
for your PR are executed locally, on your commits. To setup the pre-commit
hooks, issue the command:
```
pre-commit install
```
**Developing new modules**
When developing new modules use the script `utils/new_module`. If the module
should have `action: member` support, use the flag `-m`.
This script will create the basic structure for the module, the required files
for tests, playbooks, documentation and source code, all at the appropriate
places.
**Other helpfull tools**
Under directory `utils`, you will find other useful tools, like
**lint-check.sh**, which will run the Python and YAML linters on your code,
and **ansible-doc-test** which will verify if the documentation added to the
roles and modules source code has the right format.
Testing
-------
When testing ansible-freeipa's roles and modules, we aim to check if they
do what they intend to do, report the results correctly, and if they are
idempotent (although, sometimes the operation performed is not, like when
renaming items). To achieve this, we use Ansible playbooks.
The Ansible playbooks test can be found under the [tests] directory. They
should test the behavior of the module or role, and, if possible, provide
test cases for all attributes.
There might be some limitation on the testing environment, as some attributes
or operations are only available in some circumstances, like specific FreeIPA
versions, or some more elaborate scenarios (for example, requiring a
configured trust to an AD domain). For these cases, there are some `facts`
available that will only enable the tests if the testing environment is
enabled.
The tests run automatically on every pull request, using Fedora, CentOS 7,
and CentOS 8 environments.
See the document [Running the tests] and also the section `Preparing the
development environment`, to prepare your environment.
Documentation
-------------
We do our best to provide a correct and complete documentation for the modules
and roles we provide, but we sometimes miss something that users find it
important to be documented.
If you think something could be made easier to understand, or found an error
or omission in the documentation, fixing it will help other users and make
the experience on using the project much better.
Also, the [playbooks] can be seen as part of the documentation, as they are
examples of commonly performed tasks.
---
[FreeIPA]: https://freeipa.org
[FreeIPA's Code of Conduct]: https://github.com/freeipa/freeipa/blob/master/CODE_OF_CONDUCT.md
[for modules]: https://github.com/freeipa/ansible-freeipa/pull/357
[for roles]: https://github.com/freeipa/ansible-freeipa/pull/430
[Github issues]: https://github.com/freeipa/ansible-freeipa/issues
[pull request]: https://github.com/freeipa/ansible-freeipa/pulls
[playbooks]: playbooks
[pre-commit]: https://pre-commit.com
[Running the tests]: tests/README.md
[tests]: tests/

288
README-automember.md
View File

@@ -1,288 +0,0 @@
Automember module
===========
Description
-----------
The automember module allows to ensure presence or absence of automember rules and manage automember rule conditions.
Features
--------
* Automember management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaautomember module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure group automember rule is present with no conditions.
```yaml
---
- name: Playbook to ensure a group automember rule is present with no conditions
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
name: admins
description: "my automember rule"
automember_type: group
```
Example playbook to make sure group automember rule is present with conditions:
```yaml
---
- name: Playbook to add a group automember rule with two conditions
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
name: admins
description: "my automember rule"
automember_type: group
inclusive:
- key: mail
expression: '@example.com$'
exclusive:
- key: uid
expression: "1234"
```
Example playbook to delete a group automember rule:
```yaml
- name: Playbook to delete a group automember rule
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
name: admins
description: "my automember rule"
automember_type: group
state: absent
```
Example playbook to add an inclusive condition to an existing rule
```yaml
- name: Playbook to add an inclusive condition to an existing rule
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
name: "My domain hosts"
description: "my automember condition"
automember_type: hostgroup
action: member
inclusive:
- key: fqdn
expression: ".*.mydomain.com"
```
Example playbook to ensure group membership for all users has been rebuilt
```yaml
- name: Playbook to ensure group membership for all users has been rebuilt
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: group
state: rebuilt
```
Example playbook to ensure group membership for given users has been rebuilt
```yaml
- name: Playbook to ensure group membership for given users has been rebuilt
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
users:
- user1
- user2
state: rebuilt
```
Example playbook to ensure hostgroup membership for all hosts has been rebuilt
```yaml
- name: Playbook to ensure hostgroup membership for all hosts has been rebuilt
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: hostgroup
state: rebuilt
```
Example playbook to ensure hostgroup membership for given hosts has been rebuilt
```yaml
- name: Playbook to ensure hostgroup membership for given hosts has been rebuilt
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
hosts:
- host1.mydomain.com
- host2.mydomain.com
state: rebuilt
```
Example playbook to ensure default group fallback_group for all unmatched group entries is set
```yaml
- name: Playbook to ensure default group fallback_group for all unmatched group entries is set
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: group
default_group: fallback_group
```
Example playbook to ensure default group for all unmatched group entries is not set
```yaml
- name: Playbook to ensure default group for all unmatched group entries is not set
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
default_group: ""
automember_type: group
state: absent
```
Example playbook to ensure default hostgroup fallback_hostgroup for all unmatched group entries
```yaml
- name: Playbook to ensure default hostgroup fallback_hostgroup for all unmatched group entries
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: hostgroup
default_group: fallback_hostgroup
```
Example playbook to ensure default hostgroup for all unmatched group entries is not set
```yaml
- name: Playbook to ensure default hostgroup for all unmatched group entries is not set
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: hostgroup
default_group: ""
state: absent
```
Example playbook to ensure all orphan automember group rules are removed:
```yaml
- name: Playbook to ensure all orphan automember group rules are removed
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: group
state: orphans_removed
```
Example playbook to ensure all orphan automember hostgroup rules are removed:
```yaml
- name: Playbook to ensure all orphan automember hostgroup rules are removed
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: hostgroup
state: orphans_removed
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | Automember rule. | yes
`description` | A description of this auto member rule. | no
`automember_type` | Grouping to which the rule applies. It can be one of `group`, `hostgroup`. | yes
`inclusive` | List of dictionaries in the format of `{'key': attribute, 'expression': inclusive_regex}` | no
`exclusive` | List of dictionaries in the format of `{'key': attribute, 'expression': exclusive_regex}` | no
`users` | Users to rebuild membership for. | no
`hosts` | Hosts to rebuild membership for. | no
`no_wait` | Don't wait for rebuilding membership. | no
`default_group` | Default (fallback) group for all unmatched entries. Use the empty string "" for ensuring the default group is not set. | no
`action` | Work on automember or member level. It can be one of `member` or `automember` and defaults to `automember`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, 'rebuilt'. 'orphans_removed' default: `present`. | no
Authors
=======
Mark Hahl
Thomas Woerner

112
README-automountkey.md
View File

@@ -1,112 +0,0 @@
Automountkey module
=====================
Description
-----------
The automountkey module allows management of keys within an automount map.
It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
Features
--------
* Automount key management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaautomountkey module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure presence of an automount key:
```yaml
---
- name: Playbook to manage automount key
hosts: ipaserver
tasks:
- name: ensure automount key TestKey is present
ipaautomountkey:
ipaadmin_password: SomeADMINpassword
location: TestLocation
mapname: TestMap
key: TestKey
info: 192.168.122.1:/exports
state: present
```
Example playbook to rename an automount map:
```yaml
---
- name: Playbook to add an automount map
hosts: ipaserver
tasks:
- name: ensure aumount key TestKey is renamed to NewKeyName
ipaautomountkey:
ipaadmin_password: password01
automountlocationcn: TestLocation
automountmapname: TestMap
automountkey: TestKey
newname: NewKeyName
state: renamed
```
Example playbook to ensure an automount key is absent:
```yaml
---
- name: Playbook to manage an automount key
hosts: ipaserver
tasks:
- name: ensure automount key TestKey is absent
ipaautomountkey:
ipaadmin_password: SomeADMINpassword
location: TestLocation
mapname: TestMap
key: TestKey
state: absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`location` \| `automountlocationcn` \| `automountlocation` | Location name. | yes
`mapname` \| `map` \| `automountmapname` \| `automountmap` | Map the key belongs to | yes
`key` \| `name` \| `automountkey` | Automount key to manage | yes
`rename` \| `new_name` \| `newautomountkey` | the name to change the key to if state is `renamed` | yes when state is `renamed`
`info` \| `information` \| `automountinformation` | Mount information for the key | yes when state is `present`
`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
Authors
=======
Chris Procter

113
README-automountlocation.md
View File

@@ -1,113 +0,0 @@
Automountlocation module
=====================
Description
-----------
The automountlocation module allows the addition and removal of locations for automount maps
It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
Features
--------
* Automount location management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaautomountlocation module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure presence of an automount location:
```yaml
---
- name: Playbook to add an automount location
hosts: ipaserver
become: true
tasks:
- name: ensure a automount location named DMZ exists
ipaautomountlocation:
ipaadmin_password: SomeADMINpassword
name: DMZ
state: present
```
Example playbook to ensure presence of multiple automount locations:
```yaml
---
- name: Playbook to add an automount location
hosts: ipaserver
become: true
tasks:
- name: ensure a automount location named DMZ exists
ipaautomountlocation:
ipaadmin_password: SomeADMINpassword
name:
- DMZ
- PROD
- development
- test
state: present
```
Example playbook to ensure absence of an automount location:
```yaml
---
- name: Playbook to ensure an automount location is absent
hosts: ipaserver
become: true
tasks:
- name: ensure automount locations LOCATION1 and LOCATION2 do not exist
ipaautomountlocation:
ipaadmin_password: SomeADMINpassword
name:
- LOCATION1
- LOCATION2
state: absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` \| `location` | List of one or more automountlocation names. | yes
`state` | The state to ensure. It can be one of `present`, or `absent`, default: `present`. | no
Authors
=======
Chris Procter

109
README-automountmap.md
View File

@@ -1,109 +0,0 @@
Automountmap module
=====================
Description
-----------
The automountmap module allows the addition and removal of maps within automount locations.
It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
Features
--------
* Automount map management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaautomountmap module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure presence of an automount map:
```yaml
---
- name: Playbook to add an automount map
hosts: ipaserver
become: no
tasks:
- name: ensure map named auto.DMZ in location DMZ is created
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
name: auto.DMZ
location: DMZ
desc: "this is a map for servers in the DMZ"
```
Automount maps can contain a submount key, which defines a mount location within the map the references another map. On FreeIPA, this is known as an indirect map. An indirect automount map is equivalent to adding a proper automount key to a map, referencyng another map (this second map is the indirect map). Use `parent` and `mount` parameters to create an indirect automount map with ansible-freeipa, without the need to directly manage the automount keys.
Example playbook to ensure an indirect automount map is present:
```yaml
---
- name: Playbook to add an indirect automount map
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
name: auto.indirect
location: DMZ
parent: auto.DMZ
mount: dmz_indirect
```
Example playbook to ensure auto.DMZi is absent:
```yaml
---
- name: Playbook to remove an automount map
hosts: ipaserver
become: no
tasks:
- name: ensure map auto.DMZ has been removed
ipaautomountmap:
ipaadmin_password: SomeADMINpassword
name: auto.DMZ
location: DMZ
state: absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `mapname` \| `map` \| `automountmapname` | Name of the map to manage | yes
`location` \| `automountlocation` \| `automountlocationcn` | Location name. | yes
`parentmap` | Parent map of the indirect map. Can only be used when creating new maps. Default: auto.master | no
`mount` | Indirect map mount point, relative to parent map. | yes, if `parent` is used.
`desc` \| `description` | Description of the map | yes
`state` | The state to ensure. It can be one of `present`, or `absent`, default: `present`. | no
Authors
=======
- Chris Procter
- Rafael Jeffman

192
README-cert.md
View File

@@ -1,192 +0,0 @@
Cert module
============
Description
-----------
The cert module makes it possible to request, revoke and retrieve SSL certificates for hosts, services and users.
Features
--------
* Certificate request
* Certificate hold/release
* Certificate revocation
* Certificate retrieval
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipacert module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
* Some tool to generate a certificate signing request (CSR) might be needed, like `openssl`.
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to request a new certificate for a service:
```yaml
---
- name: Certificate request
hosts: ipaserver
tasks:
- name: Request a certificate for a web server
ipacert:
ipaadmin_password: SomeADMINpassword
state: requested
csr: |
-----BEGIN CERTIFICATE REQUEST-----
MIGYMEwCAQAwGTEXMBUGA1UEAwwOZnJlZWlwYSBydWxlcyEwKjAFBgMrZXADIQBs
HlqIr4b/XNK+K8QLJKIzfvuNK0buBhLz3LAzY7QDEqAAMAUGAytlcANBAF4oSCbA
5aIPukCidnZJdr491G4LBE+URecYXsPknwYb+V+ONnf5ycZHyaFv+jkUBFGFeDgU
SYaXm/gF8cDYjQI=
-----END CERTIFICATE REQUEST-----
principal: HTTP/www.example.com
register: cert
```
Example playbook to revoke an existing certificate:
```yaml
---
- name: Revoke certificate
hosts: ipaserver
tasks:
- name Revoke a certificate
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 123456789
reason: 5
state: revoked
```
When revoking a certificate a mnemonic can also be used to set the revocation reason:
```yaml
---
- name: Revoke certificate
hosts: ipaserver
tasks:
- name Revoke a certificate
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 123456789
reason: cessationOfOperation
state: revoked
```
Example to hold a certificate (alias for revoking a certificate with reason `certificateHold (6)`):
```yaml
---
- name: Hold a certificate
hosts: ipaserver
tasks:
- name: Hold certificate
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 0xAB1234
state: held
```
Example playbook to release hold of certificate (may be used with any revoked certificates, despite of the rovoke reason):
```yaml
---
- name: Release hold
hosts: ipaserver
tasks:
- name: Take a revoked certificate off hold
ipacert:
ipaadmin_password: SomeADMINpassword
serial_number: 0xAB1234
state: released
```
Example playbook to retrieve a certificate and save it to a file in the target node:
```yaml
---
- name: Retriev certificate
hosts: ipaserver
tasks:
- name: Retrieve a certificate and save it to file 'cert.pem'
ipacert:
ipaadmin_password: SomeADMINpassword
certificate_out: cert.pem
state: retrieved
```
ipacert
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`csr` | X509 certificate signing request, in PEM format. | yes, if `state: requested`
`principal` | Host/service/user principal for the certificate. | yes, if `state: requested`
`add` \| `add_principal` | Automatically add the principal if it doesn't exist (service principals only). (bool) | no
`profile_id` \| `profile` | Certificate Profile to use | no
`ca` | Name of the issuing certificate authority. | no
`chain` | Include certificate chain in output. (bool) | no
`serial_number` | Certificate serial number. (int) | yes, if `state` is `retrieved`, `held`, `released` or `revoked`.
`revocation_reason` \| `reason` | Reason for revoking the certificate. Use one of the reason strings, or the corresponding value: "unspecified" (0), "keyCompromise" (1), "cACompromise" (2), "affiliationChanged" (3), "superseded" (4), "cessationOfOperation" (5), "certificateHold" (6), "removeFromCRL" (8), "privilegeWithdrawn" (9), "aACompromise" (10) | yes, if `state: revoked`
`certificate_out` | Write certificate (chain if `chain` is set) to this file, on the target node. | no
`state` | The state to ensure. It can be one of `requested`, `held`, `released`, `revoked`, or `retrieved`. `held` is the same as revoke with reason "certificateHold" (6). `released` is the same as `cert-revoke-hold` on IPA CLI, releasing the hold status of a certificate. | yes
Return Values
=============
Values are returned only if `state` is `requested` or `retrieved` and if `certificate_out` is not defined.
Variable | Description | Returned When
-------- | ----------- | -------------
`certificate` | Certificate fields and data. (dict) <br>Options: | if `state` is `requested` or `retrieved` and if `certificate_out` is not defined
&nbsp; | `certificate` - Issued X509 certificate in PEM encoding. Will include certificate chain if `chain: true`. (list) | always
&nbsp; | `san_dnsname` - X509 Subject Alternative Name. | When DNSNames are present in the Subject Alternative Name extension of the issued certificate.
&nbsp; | `issuer` - X509 distinguished name of issuer. | always
&nbsp; | `subject` - X509 distinguished name of certificate subject. | always
&nbsp; | `serial_number` - Serial number of the issued certificate. (int) | always
&nbsp; | `revoked` - Revoked status of the certificate. (bool) | if certificate was revoked
&nbsp; | `owner_user` - The username that owns the certificate. | if `state: retrieved` and certificate is owned by a user
&nbsp; | `owner_host` - The host that owns the certificate. | if `state: retrieved` and certificate is owned by a host
&nbsp; | `owner_service` - The service that owns the certificate. | if `state: retrieved` and certificate is owned by a service
&nbsp; | `valid_not_before` - Time when issued certificate becomes valid, in GeneralizedTime format (YYYYMMDDHHMMSSZ) | always
&nbsp; | `valid_not_after` - Time when issued certificate ceases to be valid, in GeneralizedTime format (YYYYMMDDHHMMSSZ) | always
Authors
=======
Sam Morris
Rafael Jeffman

191
README-config.md
View File

@@ -1,191 +0,0 @@
Config module
===========
Description
-----------
The config module allows the setting of global config parameters within IPA. If no parameters are specified it returns the list of all current parameters.
The config module is as compatible as possible to the Ansible upstream `ipa_config` module, but adds many additional parameters
Features
--------
* IPA server configuration management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaconfig module.
Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to read config options:
```yaml
---
- name: Playbook to handle global config options
hosts: ipaserver
become: true
tasks:
- name: return current values of the global configuration options
ipaconfig:
ipaadmin_password: password
register: result
- name: display default login shell
debug:
msg: '{{ result.config.defaultshell }}'
- name: ensure defaultloginshell and maxusernamelength are set as required
ipaconfig:
ipaadmin_password: password
defaultshell: /bin/bash
maxusername: 64
```
Example playbook to set global configuration options:
```yaml
---
- name: Playbook to ensure some config options are set
hosts: ipaserver
become: true
tasks:
- name: set defaultlogin and maxusername
ipaconfig:
ipaadmin_password: password
defaultlogin: /bin/bash
maxusername: 64
```
Example playbook to enable SID and generate users and groups SIDs:
```yaml
---
- name: Playbook to ensure SIDs are enabled and users and groups have SIDs
hosts: ipaserver
become: no
gather_facts: no
tasks:
- name: Enable SID and generate users and groups SIDS
ipaconfig:
ipaadmin_password: SomeADMINpassword
enable_sid: yes
add_sids: yes
```
Example playbook to change IPA domain NetBIOS name:
```yaml
---
- name: Playbook to change IPA domain netbios name
hosts: ipaserver
become: no
gather_facts: no
tasks:
- name: Set IPA domain netbios name
ipaconfig:
ipaadmin_password: SomeADMINpassword
enable_sid: yes
netbios_name: IPADOM
```
Variables
=========
**General Variables:**
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`maxusername` \| `ipamaxusernamelength` | Set the maximum username length (1 to 255) | no
`maxhostname` \| `ipamaxhostnamelength` | Set the maximum hostname length between 64-255. Only usable with IPA versions 4.8.0 and up. | no
`homedirectory` \| `ipahomesrootdir` | Set the default location of home directories | no
`defaultshell` \| `ipadefaultloginshell` | Set the default shell for new users | no
`defaultgroup` \| `ipadefaultprimarygroup` | Set the default group for new users | no
`emaildomain`\| `ipadefaultemaildomain` | Set the default e-mail domain | false
`searchtimelimit` \| `ipasearchtimelimit` | Set maximum amount of time (seconds) for a search -1 to 2147483647 (-1 or 0 is unlimited) | no
`searchrecordslimit` \| `ipasearchrecordslimit` | Set maximum number of records to search -1 to 2147483647 (-1 or 0 is unlimited) | no
`usersearch` \| `ipausersearchfields` | Set list of fields to search when searching for users | no
`groupsearch` \| `ipagroupsearchfields` | Set list of fields to search in when searching for groups | no
`enable_migration` \| `ipamigrationenabled` | Enable migration mode (choices: True, False ) | no
`groupobjectclasses` \| `ipagroupobjectclasses` | Set default group objectclasses (list) | no
`userobjectclasses` \| `ipauserobjectclasses` | Set default user objectclasses (list) | no
`pwdexpnotify` \| `ipapwdexpadvnotify` | Set number of days's notice of impending password expiration (0 to 2147483647) | no
`configstring` \| `ipaconfigstring` | Set extra hashes to generate in password plug-in (choices:`AllowNThash`, `KDC:Disable Last Success`, `KDC:Disable Lockout`, `KDC:Disable Default Preauth for SPNs`). Use `""` to clear this variable. | no
`selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no
`selinuxusermapdefault`\| `ipaselinuxusermapdefault` | Set default SELinux user when no match is found in SELinux map rule | no
`pac_type` \| `ipakrbauthzdata` | set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no
`user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp`, `passkey`, `disabled`, `""`). An additional check ensures that only types can be used that are supported by the IPA version. Use `""` to clear this variable. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
`ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
`enable_sid` | New users and groups automatically get a SID assigned. Cannot be deactivated once activated. Requires IPA 4.9.8+. (bool) | no
`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and SID generation to be activated. | no
`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and SID generation to be activated. (bool) | no
Return Values
=============
Variable | Description | Returned When
-------- | ----------- | -------------
`config` | config dict <br />Fields: | No values to configure are specified
&nbsp; | `maxusername` | &nbsp;
&nbsp; | `maxhostname` | &nbsp;
&nbsp; | `homedirectory` | &nbsp;
&nbsp; | `defaultshell` | &nbsp;
&nbsp; | `defaultgroup` | &nbsp;
&nbsp; | `emaildomain` | &nbsp;
&nbsp; | `searchtimelimit` | &nbsp;
&nbsp; | `searchrecordslimit` | &nbsp;
&nbsp; | `usersearch` | &nbsp;
&nbsp; | `groupsearch` | &nbsp;
&nbsp; | `enable_migration` | &nbsp;
&nbsp; | `groupobjectclasses` | &nbsp;
&nbsp; | `userobjectclasses` | &nbsp;
&nbsp; | `pwdexpnotify` | &nbsp;
&nbsp; | `configstring` | &nbsp;
&nbsp; | `selinuxusermapdefault` | &nbsp;
&nbsp; | `selinuxusermaporder` | &nbsp;
&nbsp; | `pac_type` | &nbsp;
&nbsp; | `user_auth_type` | &nbsp;
&nbsp; | `domain_resolution_order` | &nbsp;
&nbsp; | `ca_renewal_master_server` | &nbsp;
&nbsp; | `enable_sid` | &nbsp;
&nbsp; | `netbios_name` | &nbsp;
All returned fields take the same form as their namesake input parameters
Authors
=======
Chris Procter

156
README-delegation.md
View File

@@ -1,156 +0,0 @@
Delegation module
=================
Description
-----------
The delegation module allows to ensure presence, absence of delegations and delegation attributes.
Features
--------
* Delegation management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipadelegation module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure delegation "basic manager attributes" is present:
```yaml
---
- name: Playbook to manage IPA delegation.
hosts: ipaserver
become: yes
tasks:
- ipadelegation:
ipaadmin_password: SomeADMINpassword
name: "basic manager attributes"
permission: read
attribute:
- businesscategory
- employeetype
group: managers
membergroup: employees
```
Example playbook to make sure delegation "basic manager attributes" is absent:
```yaml
---
- name: Playbook to manage IPA delegation.
hosts: ipaserver
become: yes
tasks:
- ipadelegation:
ipaadmin_password: SomeADMINpassword
name: "basic manager attributes"
state: absent
```
Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are present:
```yaml
---
- name: Playbook to manage IPA delegation.
hosts: ipaserver
become: yes
tasks:
- ipadelegation:
ipaadmin_password: SomeADMINpassword
name: "basic manager attributes"
attribute:
- employeenumber
- employeetype
action: member
```
Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are absent:
```yaml
---
- name: Playbook to manage IPA delegation.
hosts: ipaserver
become: yes
tasks:
- ipadelegation:
ipaadmin_password: SomeADMINpassword
name: "basic manager attributes"
attribute:
- employeenumber
- employeetype
action: member
state: absent
```
Example playbook to make sure delegation "basic manager attributes" is absent:
```yaml
---
- name: Playbook to manage IPA delegation.
hosts: ipaserver
become: yes
tasks:
- ipadelegation:
ipaadmin_password: SomeADMINpassword
name: "basic manager attributes"
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `aciname` | The list of delegation name strings. | yes
`permission` \| `permissions` | The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
`attribute` \| `attrs` | The attribute list to which the delegation applies. | no
`membergroup` \| `memberof` | The user group to apply delegation to. | no
`group` | User group ACI grants access to. | no
`action` | Work on delegation or member level. It can be on of `member` or `delegation` and defaults to `delegation`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Authors
=======
Thomas Woerner

141
README-dnsconfig.md
View File

@@ -1,141 +0,0 @@
DNSConfig module
============
Description
-----------
The dnsconfig module allows to modify global DNS configuration.
Features
--------
* Global DNS configuration
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipadnsconfig module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to set global DNS configuration:
```yaml
---
- name: Playbook to handle global DNS configuration
hosts: ipaserver
become: true
tasks:
# Set dnsconfig.
- ipadnsconfig:
forwarders:
- ip_address: 8.8.4.4
- ip_address: 2001:4860:4860::8888
port: 53
forward_policy: only
allow_sync_ptr: yes
```
Example playbook to ensure a global forwarder, with a custom port, is absent:
```yaml
---
- name: Playbook to handle global DNS configuration
hosts: ipaserver
become: true
tasks:
# Ensure global forwarder with a custom port is absent.
- ipadnsconfig:
forwarders:
- ip_address: 2001:4860:4860::8888
port: 53
action: member
state: absent
```
Example playbook to disable global forwarders:
```yaml
---
- name: Playbook to disable global DNS forwarders
hosts: ipaserver
become: true
tasks:
# Disable global forwarders.
- ipadnsconfig:
forward_policy: none
```
Example playbook to change global forward policy:
```yaml
---
- name: Playbook to change global forward policy
hosts: ipaserver
become: true
tasks:
# Disable global forwarders.
- ipadnsconfig:
forward_policy: first
```
Example playbook to disallow synchronization of forward (A, AAAA) and reverse (PTR) records:
```yaml
---
- name: Playbook to disallow reverse synchronization.
hosts: ipaserver
become: true
tasks:
# Disable global forwarders.
- ipadnsconfig:
allow_sync_ptr: no
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
&nbsp; | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
&nbsp; | `port` - The custom port that should be used on this server. | no
`forward_policy` \| `forwardpolicy` | The global forwarding policy. It can be one of `only`, `first`, or `none`. | no
`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | yes
`action` | Work on dnsconfig or member level. It can be one of `member` or `dnsconfig` and defaults to `dnsconfig`. Only `forwarders` can be managed with `action: member`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. `absent` can only be used with `action: member` and `forwarders`. | yes
Authors
=======
Rafael Guterres Jeffman

123
README-dnsforwardzone.md
View File

@@ -1,123 +0,0 @@
Dnsforwardzone module
=====================
Description
-----------
The dnsforwardzone module allows the addition and removal of dns forwarders from the IPA DNS config.
It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
Features
--------
* DNS zone management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipadnsforwardzone module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure presence of a forwardzone to ipa DNS:
```yaml
---
- name: Playbook to handle add a forwarder
hosts: ipaserver
become: true
tasks:
- name: ensure presence of forwardzone with a single forwarder DNS server
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
state: present
name: example.com
forwarders:
- ip_address: 8.8.8.8
forwardpolicy: first
skip_overlap_check: true
- name: ensure the forward zone is disabled
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
name: example.com
state: disabled
- name: ensure presence of forwardzone with multiple forwarder DNS server
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
state: present
name: example.com
forwarders:
- ip_address: 8.8.8.8
- ip_address: 4.4.4.4
- name: ensure presence of another forwarder to any existing ones for example.com
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
state: present
name: example.com
forwarders:
- ip_address: 1.1.1.1
action: member
- name: ensure presence of forwardzone with single forwarder DNS server on non-stardard port
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
state: present
name: example.com
forwarders:
- ip_address: 4.4.4.4
port: 8053
- name: ensure the forward zone is absent
ipadnsforwardzone:
ipaadmin_password: SomeADMINpassword
name: example.com
state: absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | Zone name (FQDN). | yes if `state` == `present`
`forwarders` \| `idnsforwarders` | Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
&nbsp; | `ip_address`: The forwarder IP address. | yes
&nbsp; | `port`: The forwarder IP port. | no
`forwardpolicy` \| `idnsforwardpolicy` \| `forward_policy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
`skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
`permission` | Allow DNS Forward Zone to be managed. (bool) | no
`action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
Authors
=======
Chris Procter

356
README-dnsrecord.md
View File

@@ -1,356 +0,0 @@
DNSRecord module
================
Description
-----------
The dnsrecord module allows management of DNS records and is as compatible as possible with the Ansible upstream `ipa_dnsrecord` module, but provide some other features like multiple record management in one execution and support for more DNS record types.
Features
--------
* DNS record management.
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipadnsrecord module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.example.com
```
Example playbook to ensure an AAAA record is present:
```yaml
---
- ipadnsrecord:
ipaadmin_password: SomeADMINpassword
name: host01
zone_name: example.com
record_type: 'AAAA'
record_value: '::1'
```
Example playbook to ensure an AAAA record is present, with a TTL of 300:
```yaml
---
- ipadnsrecord:
ipaadmin_password: SomeADMINpassword
name: host01
zone_name: example.com
record_type: 'AAAA'
record_value: '::1'
record_ttl: 300
```
Example playbook to ensure an AAAA record is present, with a reverse PTR record:
```yaml
---
- ipadnsrecord:
ipaadmin_password: SomeADMINpassword
name: host02
zone_name: example.com
record_type: 'AAAA'
record_value: 'fd00::0002'
create_reverse: yes
```
Example playbook to ensure a LOC record is present, given its individual attributes:
```yaml
---
- ipadnsrecord:
ipaadmin_password: SomeADMINpassword
zone_name: example.com
name: host03
loc_lat_deg: 52
loc_lat_min: 22
loc_lat_sec: 23.000
loc_lat_dir: N
loc_lon_deg: 4
loc_lon_min: 53
loc_lon_sec: 32.00
loc_lon_dir: E
loc_altitude: -2.00
loc_size: 1.00
loc_h_precision: 10000
loc_v_precision: 10
```
Example playbook to ensure multiple DNS records are present:
```yaml
---
ipadnsrecord:
ipaadmin_password: SomeADMINpassword
records:
- name: host02
zone_name: example.com
record_type: A
record_value:
- "{{ ipv4_prefix }}.112"
- "{{ ipv4_prefix }}.122"
- name: host02
zone_name: example.com
record_type: AAAA
record_value: ::1
```
Example playbook to ensure multiple CNAME records are present:
```yaml
---
- name: Ensure that 'host03' and 'host04' have CNAME records.
ipadnsrecord:
ipaadmin_password: SomeADMINpassword
zone_name: example.com
records:
- name: host03
cname_hostname: host03.example.com
- name: host04
cname_hostname: host04.example.com
```
Example playbook to ensure NS record is absent:
```yaml
---
- ipadnsrecord:
ipaadmin_password: SomeADMINpassword
zone_name: example.com
name: host04
ns_hostname: host04
state: absent
```
Example playbook to ensure LOC record is present, with fields:
```yaml
---
- ipadnsrecord:
ipaadmin_password: SomeADMINpassword
zone_name: example.com
name: host04
loc_lat_deg: 52
loc_lat_min: 22
loc_lat_sec: 23.000
loc_lat_dir: N
loc_lon_deg: 4
loc_lon_min: 53
loc_lon_sec: 32.000
loc_lon_dir: E
loc_altitude: -2.00
loc_size: 0.00
loc_h_precision: 10000
loc_v_precision: 10
```
Change value of an existing LOC record:
```yaml
---
- ipadnsrecord:
ipaadmin_password: SomeADMINpassword
zone_name: example.com
name: host04
loc_size: 1.00
loc_rec: 52 22 23 N 4 53 32 E -2 0 10000 10
```
Example playbook to ensure multiple A records are present:
```yaml
- ipadnsrecord:
ipaadmin_password: SomeADMINpassword
zone_name: example.com
name: host04
a_rec:
- 192.168.122.221
- 192.168.122.222
- 192.168.122.223
- 192.168.122.224
```
Example playbook to ensure A and AAAA records are present, with reverse records (PTR):
```yaml
- ipadnsrecord:
ipaadmin_password: SomeADMINpassword
zone_name: example.com
name: host01
a_rec:
- 192.168.122.221
- 192.168.122.222
aaaa_rec:
- fd00:;0001
- fd00::0002
create_reverse: yes
```
Example playbook to ensure multiple A and AAAA records are present, but only A records have reverse records:
```yaml
- ipadnsrecord:
ipaadmin_password: SomeADMINpassword
zone_name: example.com
name: host01
a_ip_address: 192.168.122.221
aaaa_ip_address: fd00::0001
a_create_reverse: yes
```
Example playbook to ensure multiple DNS records are absent:
```yaml
---
- ipadnsrecord:
ipaadmin_password: SomeADMINpassword
zone_name: example.com
records:
- name: host01
del_all: yes
- name: host02
del_all: yes
- name: host03
del_all: yes
- name: host04
del_all: yes
- name: _ftp._tcp
del_all: yes
- name: _sip._udp
del_all: yes
state: absent
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. | no
required: true
`records` | The list of dns records dicts. Each `records` dict entry can contain **record variables**. | no
&nbsp; | **Record variables** | no
**Record variables** | Used when defining a single record. | no
`state` | The state to ensure. It can be one of `present` or `absent`, and defaults to `present`. | yes
**Record Variables:**
Variable | Description | Required
-------- | ----------- | --------
`zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. When used on a `records` dict, overrides the global `zone_name`. | yes
`name` \| `record_name` | The DNS record name to manage. | yes
`record_type` | The type of DNS record. Supported values are `A`, `AAAA`, `A6`, `AFSDB`, `CERT`, `CNAME`, `DLV`, `DNAME`, `DS`, `KX`, `LOC`, `MX`, `NAPTR`, `NS`, `PTR`, `SRV`, `SSHFP`, `TLSA`, `TXT`, `URI`, and defaults to `A`. | no
`record_value` | Manage DNS record name with this values. | no
`record_ttl` | Set the TTL for the record. (int) | no
`del_all` | Delete all associated records. (bool) | no
`a_rec` \| `a_record` | Raw A record. | no
`aaaa_rec` \| `aaaa_record` | Raw AAAA record. | no
`a6_rec` \| `a6_record` | Raw A6 record data. | no
`afsdb_rec` \| `afsdb_record` | Raw AFSDB record. | no
`cert_rec` \| `cert_record` | Raw CERT record. | no
`cname_rec` \| `cname_record` | Raw CNAME record. | no
`dlv_rec` \| `dlv_record` | Raw DLV record. | no
`dname_rec` \| `dname_record` | Raw DNAM record. | no
`ds_rec` \| `ds_record` | Raw DS record. | no
`kx_rec` \| `kx_record` | Raw KX record. | no
`loc_rec` \| `loc_record` | Raw LOC record. | no
`mx_rec` \| `mx_record` | Raw MX record. | no
`naptr_rec` \| `naptr_record` | Raw NAPTR record. | no
`ns_rec` \| `ns_record` | Raw NS record. | no
`ptr_rec` \| `ptr_record` | Raw PTR record. | no
`srv_rec` \| `srv_record` | Raw SRV record. | no
`sshfp_rec` \| `sshfp_record` | Raw SSHFP record. | no
`tlsa_rec` \| `tlsa_record` | Raw TLSA record. | no
`txt_rec` \| `txt_record` | Raw TXT record. | no
`uri_rec` \| `uri_record` | Raw URI record. | no
`ip_address` | IP adress for A or AAAA records. Set `record_type` to `A` or `AAAA`. | no
`create_reverse` \| `reverse` | Create reverse records for `A` and `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
`a_ip_address` | IP adress for A records. Set `record_type` to `A`. | no
`a_create_reverse` | Create reverse records only for `A` records. There is no equivalent to remove reverse records. (bool) | no
`aaaa_ip_address` | IP adress for AAAA records. Set `record_type` `AAAA`. | no
`aaaa_create_reverse` | Create reverse records only for `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
`a6_data` | A6 record. Set `record_type` to `A6`. | no
`afsdb_subtype` | AFSDB Subtype. Set `record_type` to `AFSDB`. (int) | no
`afsdb_hostname` | AFSDB Hostname. Set `record_type` to `AFSDB`. | no
`cert_type` | CERT Certificate Type. Set `record_type` to `CERT`. (int) | no
`cert_key_tag` | CERT Key Tag. Set `record_type` to `CERT`. (int) | no
`cert_algorithm` | CERT Algorithm. Set `record_type` to `CERT`. (int) | no
`cert_certificate_or_crl` | CERT Certificate or Certificate Revocation List (CRL). Set `record_type` to `CERT`. | no
`cname_hostname` | A hostname which this alias hostname points to. Set `record_type` to `CNAME`. | no
`dlv_key_tag` | DS Key Tag. Set `record_type` to `DLV`. (int) | no
`dlv_algorithm` | DLV Algorithm. Set `record_type` to `DLV`. (int) | no
`dlv_digest_type` | DLV Digest Type. Set `record_type` to `DLV`. (int) | no
`dlv_digest` | DLV Digest. Set `record_type` to `DLV`. | no
`dname_target` | DNAME Target. Set `record_type` to `DNAME`. | no
`ds_key_tag` | DS Key Tag. Set `record_type` to `DS`. (int) | no
`ds_algorithm` | DS Algorithm. Set `record_type` to `DS`. (int) | no
`ds_digest_type` | DS Digest Type. Set `record_type` to `DS`. (int) | no
`ds_digest` | DS Digest. Set `record_type` to `DS`. | no
`kx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `KX`. (int) | no
`kx_exchanger` | A host willing to act as a key exchanger. Set `record_type` to `KX`. | no
`loc_lat_deg` | LOC Degrees Latitude. Set `record_type` to `LOC`. (int) | no
`loc_lat_min` | LOC Minutes Latitude. Set `record_type` to `LOC`. (int) | no
`loc_lat_sec` | LOC Seconds Latitude. Set `record_type` to `LOC`. (float) | no
`loc_lat_dir` | LOC Direction Latitude. Valid values are `N` or `S`. Set `record_type` to `LOC`. (int) | no
`loc_lon_deg` | LOC Degrees Longitude. Set `record_type` to `LOC`. (int) | no
`loc_lon_min` | LOC Minutes Longitude. Set `record_type` to `LOC`. (int) | no
`loc_lon_sec` | LOC Seconds Longitude. Set `record_type` to `LOC`. (float) | no
`loc_lon_dir` | LOC Direction Longitude. Valid values are `E` or `W`. Set `record_type` to `LOC`. (int) | no
`loc_altitude` | LOC Altitude. Set `record_type` to `LOC`. (float) | no
`loc_size` | LOC Size. Set `record_type` to `LOC`. (float) | no
`loc_h_precision` | LOC Horizontal Precision. Set `record_type` to `LOC`. (float) | no
`loc_v_precision` | LOC Vertical Precision. Set `record_type` to `LOC`. (float) | no
`mx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `MX`. (int) | no
`mx_exchanger` | A host willing to act as a mail exchanger. Set `record_type` to `LOC`. | no
`naptr_order` | NAPTR Order. Set `record_type` to `NAPTR`. (int) | no
`naptr_preference` | NAPTR Preference. Set `record_type` to `NAPTR`. (int) | no
`naptr_flags` | NAPTR Flags. Set `record_type` to `NAPTR`. | no
`naptr_service` | NAPTR Service. Set `record_type` to `NAPTR`. | no
`naptr_regexp` | NAPTR Regular Expression. Set `record_type` to `NAPTR`. | no
`naptr_replacement` | NAPTR Replacement. Set `record_type` to `NAPTR`. | no
`ns_hostname` | NS Hostname. Set `record_type` to `NS`. | no
`ptr_hostname` | The hostname this reverse record points to. . Set `record_type` to `PTR`. | no
`srv_priority` | Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach. Set `record_type` to `SRV`. (int) | no
`srv_weight` | Relative weight for entries with the same priority. Set `record_type` to `SRV`. (int) | no
`srv_port` | SRV Port. Set `record_type` to `SRV`. (int) | no
`srv_target` | The domain name of the target host or '.' if the service is decidedly not available at this domain. Set `record_type` to `SRV`. | no
`sshfp_algorithm` | SSHFP Algorithm. Set `record_type` to `SSHFP`. (int) | no
`sshfp_fp_type` | SSHFP Fingerprint Type. Set `record_type` to `SSHFP`. (int) | no
`sshfp_fingerprint`| SSHFP Fingerprint. Set `record_type` to `SSHFP`. (int) | no
`txt_data` | TXT Text Data. Set `record_type` to `TXT`. | no
`tlsa_cert_usage` | TLSA Certificate Usage. Set `record_type` to `TLSA`. (int) | no
`tlsa_selector` | TLSA Selector. Set `record_type` to `TLSA`. (int) | no
`tlsa_matching_type` | TLSA Matching Type. Set `record_type` to `TLSA`. (int) | no
`tlsa_cert_association_data` | TLSA Certificate Association Data. Set `record_type` to `TLSA`. | no
`uri_target` | Target Uniform Resource Identifier according to RFC 3986. Set `record_type` to `URI`. | no
`uri_priority` | Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach. Set `record_type` to `URI`. (int) | no
`uri_weight` | Relative weight for entries with the same priority. Set `record_type` to `URI`. (int) | no
Authors
=======
Rafael Guterres Jeffman

260
README-dnszone.md
View File

@@ -1,260 +0,0 @@
DNSZone Module
==============
Description
-----------
The dnszone module allows to configure zones in DNS server.
Features
--------
* Add, remove, modify, enable or disable DNS zones.
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by ipadnszone module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
-----
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to create a simple DNS zone:
```yaml
---
- name: dnszone present
hosts: ipaserver
become: true
tasks:
- name: Ensure zone is present.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: testzone.local
state: present
```
Example playbook to create a DNS zone with all currently supported variables:
```yaml
---
- name: dnszone present
hosts: ipaserver
become: true
tasks:
- name: Ensure zone is present.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: testzone.local
allow_sync_ptr: true
dynamic_update: true
dnssec: true
allow_transfer:
- 1.1.1.1
- 2.2.2.2
allow_query:
- 1.1.1.1
- 2.2.2.2
forwarders:
- ip_address: 8.8.8.8
- ip_address: 8.8.4.4
port: 52
refresh: 3600
retry: 900
expire: 1209600
minimum: 3600
ttl: 60
default_ttl: 90
name_server: ipaserver.test.local.
admin_email: admin.admin@example.com
nsec3param_rec: "1 7 100 0123456789abcdef"
skip_overlap_check: true
skip_nameserver_check: true
state: present
```
Example playbook to disable a zone:
```yaml
---
- name: Playbook to disable DNS zone
hosts: ipaserver
become: true
tasks:
- name: Disable zone.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: testzone.local
state: disabled
```
Example playbook to enable a zone:
```yaml
---
- name: Playbook to enable DNS zone
hosts: ipaserver
become: true
tasks:
- name: Enable zone.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: testzone.local
state: enabled
```
Example playbook to allow per-zone privilege delegation:
```yaml
---
- name: Playbook to enable per-zone privilege delegation
hosts: ipaserver
become: true
tasks:
- name: Enable privilege delegation.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: testzone.local
permission: true
```
Example playbook to remove a zone:
```yaml
---
- name: Playbook to remove DNS zone
hosts: ipaserver
become: true
tasks:
- name: Remove zone.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name: testzone.local
state: absent
```
Example playbook to create a zone for reverse DNS lookup, from an IP address:
```yaml
---
- name: dnszone present
hosts: ipaserver
become: true
tasks:
- name: Ensure zone for reverse DNS lookup is present.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name_from_ip: 192.168.1.2
state: present
```
Note that, on the previous example the zone created with `name_from_ip` might be "1.168.192.in-addr.arpa.", "168.192.in-addr.arpa.", or "192.in-addr.arpa.", depending on the DNS response the system get while querying for zones, and for this reason, when creating a zone using `name_from_ip`, the inferred zone name is returned to the controller, in the attribute `dnszone.name`. Since the zone inferred might not be what a user expects, `name_from_ip` can only be used with `state: present`. To have more control over the zone name, the prefix length for the IP address can be provided.
Example playbook to create a zone for reverse DNS lookup, from an IP address, given the prefix length and displaying the resulting zone name:
```yaml
---
- name: dnszone present
hosts: ipaserver
become: true
tasks:
- name: Ensure zone for reverse DNS lookup is present.
ipadnszone:
ipaadmin_password: SomeADMINpassword
name_from_ip: 192.168.1.2/24
state: present
register: result
- name: Display inferred zone name.
debug:
msg: "Zone name: {{ result.dnszone.name }}"
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `zone_name` | The zone name string or list of strings. | no
`name_from_ip` | Derive zone name from reverse of IP (PTR). Can only be used with `state: present`. | no
`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
&nbsp; | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
&nbsp; | `port` - The custom port that should be used on this server. | no
`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`. | no
`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | no
`state` | The state to ensure. It can be one of `present`, `enabled`, `disabled` or `absent`, default: `present`. | yes
`name_server`| Authoritative nameserver domain name | no
`admin_email`| Administrator e-mail address | no
`update_policy`| BIND update policy | no
`dynamic_update` \| `dynamicupdate` | Allow dynamic updates | no
`dnssec`| Allow inline DNSSEC signing of records in the zone | no
`allow_transfer`| List of IP addresses or networks which are allowed to transfer the zone | no
`allow_query`| List of IP addresses or networks which are allowed to issue queries | no
`refresh`| SOA record refresh time | no
`retry`| SOA record retry time | no
`expire`| SOA record expire time | no
`minimum`| How long should negative responses be cached | no
`ttl`| Time to live for records at zone apex | no
`default_ttl`| Time to live for records without explicit TTL definition | no
`nsec3param_rec`| NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt | no
`permission` \| `managedby` | Set per-zone access delegation permission. | no
`skip_overlap_check`| Force DNS zone creation even if it will overlap with an existing zone | no
`skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no
Return Values
=============
Variable | Description | Returned When
-------- | ----------- | -------------
`dnszone` | DNS Zone dict with zone name infered from `name_from_ip`. <br>Options: | If `state` is `present`, `name_from_ip` is used, and a zone was created.
&nbsp; | `name` - The name of the zone created, inferred from `name_from_ip`. | Always
Authors
=======
- Sergio Oliveira Campos
- Thomas Woerner
- Rafael Jeffman

197
README-group.md
View File

@@ -9,13 +9,6 @@ The group module allows to ensure presence and absence of groups and members of
The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
Notes
-----
* Ensuring presence (adding) of several groups with mixed types (`external`, `nonposix` and `posix`) requires a fix in FreeIPA. The module implements a workaround to automatically use `client` context if the fix is not present in the target node FreeIPA and if more than one group is provided to the task using the `groups` parameter. If `ipaapi_context` is forced to be `server`, the module will fail in this case.
* Using `externalmember` or `idoverrideuser` is only supported with `ipaapi_context: server`. With 'client' context, module execution will fail.
Features
--------
* Group management
@@ -26,14 +19,12 @@ Supported FreeIPA Versions
FreeIPA versions 4.4.0 and up are supported by the ipagroup module.
Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -61,118 +52,23 @@ Example playbook to add groups:
tasks:
# Create group ops with gid 1234
- ipagroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: ops
gidnumber: 1234
# Create group sysops
- ipagroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: sysops
user:
- pinky
# Create group appops
- ipagroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: appops
```
These three `ipagroup` module calls can be combined into one with the `groups` variable:
```yaml
---
- name: Playbook to handle groups
hosts: ipaserver
tasks:
- name: Ensure groups ops, sysops and appops are present
ipagroup:
ipaadmin_password: SomeADMINpassword
groups:
- name: ops
gidnumber: 1234
- name: sysops
user:
- pinky
- name: appops
```
You can also alternatively use a json file containing the groups, here `groups_present.json`:
```json
{
"groups": [
{
"name": "group1",
"description": "description group1"
},
{
"name": "group2",
"description": "description group2"
}
]
}
```
And ensure the presence of the groups with this example playbook:
```yaml
---
- name: Tests
hosts: ipaserver
gather_facts: false
tasks:
- name: Include groups_present.json
include_vars:
file: groups_present.json
- name: Groups present
ipagroup:
ipaadmin_password: SomeADMINpassword
groups: "{{ groups }}"
```
Example playbook to rename a group:
```yaml
---
- name: Playbook to rename a single group
hosts: ipaserver
become: false
gather_facts: false
tasks:
- name: Rename group appops to webops
ipagroup:
ipaadmin_password: SomeADMINpassword
name: appops
rename: webops
state: renamed
```
Several groups can also be renamed with a single task, as in the example playbook:
```yaml
---
- name: Playbook to rename multiple groups
hosts: ipaserver
become: false
gather_facts: false
tasks:
- name: Rename group1 to newgroup1 and group2 to newgroup2
ipagroup:
ipaadmin_password: SomeADMINpassword
groups:
- name: group1
rename: newgroup1
- name: group2
rename: newgroup2
state: renamed
```
Example playbook to add users to a group:
```yaml
@@ -184,7 +80,7 @@ Example playbook to add users to a group:
tasks:
# Add user member brain to group sysops
- ipagroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: sysops
action: member
user:
@@ -202,51 +98,15 @@ Example playbook to add group members to a group:
become: true
tasks:
# Add group members sysops and appops to group ops
# Add group members sysops and appops to group sysops
- ipagroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: ops
group:
- sysops
- appops
```
Example playbook to add members from a trusted realm to an external group:
```yaml
---
- name: Playbook to handle groups.
hosts: ipaserver
tasks:
- name: Create an external group and add members from a trust to it.
ipagroup:
ipaadmin_password: SomeADMINpassword
name: extgroup
external: yes
externalmember:
- WINIPA\\Web Users
- WINIPA\\Developers
```
Example playbook to add nonposix and external groups:
```yaml
---
- name: Playbook to add nonposix and external groups
hosts: ipaserver
tasks:
- name: Add nonposix group sysops and external group appops
ipagroup:
ipaadmin_password: SomeADMINpassword
groups:
- name: sysops
nonposix: true
- name: appops
external: true
```
Example playbook to remove groups:
```yaml
@@ -256,63 +116,38 @@ Example playbook to remove groups:
become: true
tasks:
# Remove groups sysops, appops and ops
# Remove goups sysops, appops and ops
- ipagroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: sysops,appops,ops
state: absent
```
Example playbook to ensure groups are absent:
```yaml
---
- name: Playbook to handle groups
hosts: ipaserver
tasks:
- name: Ensure groups ops and sysops are absent
ipagroup:
ipaadmin_password: SomeADMINpassword
groups:
- name: ops
- name: sysops
state: absent
```
Variables
=========
ipagroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to <br/>. (bool) | no
`name` \| `cn` | The list of group name strings. | no
`groups` | The list of group dicts. Each `groups` dict entry can contain group variables.<br>There is one required option in the `groups` dict:| no
&nbsp; | `name` - The group name string of the entry. | yes
`description` | The group description string. | no
`gid` \| `gidnumber` | The GID integer. | no
`posix` | Create a non-POSIX group or change a non-POSIX to a posix group. `nonposix`, `posix` and `external` are mutually exclusive. (bool) | no
`nonposix` | Create as a non-POSIX group. `nonposix`, `posix` and `external` are mutually exclusive. (bool) | no
`external` | Allow adding external non-IPA members from trusted domains. `nonposix`, `posix` and `external` are mutually exclusive. (bool) | no
`nonposix` | Create as a non-POSIX group. (bool) | no
`external` | Allow adding external non-IPA members from trusted domains. (flag) | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`user` | List of user name strings assigned to this group. | no
`group` | List of group name strings assigned to this group. | no
`service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
`membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
`externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. Requires "server" context. | no
`idoverrideuser` | List of user ID overrides to manage. Only usable with IPA versions 4.8.7 and up. Requires "server" context. | no
`rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
`action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | yes
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
Authors
=======
- Thomas Woerner
- Rafael Jeffman
Thomas Woerner

33
README-hbacrule.md
View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -44,13 +44,13 @@ Example playbook to make sure HBAC Rule login exists:
```yaml
---
- name: Playbook to handle hbacrules
hosts: ipaserver
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: login
```
@@ -60,13 +60,13 @@ Example playbook to make sure HBAC Rule login exists with the only HBAC Service
```yaml
---
- name: Playbook to handle hbacrules
hosts: ipaserver
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Rule login is present with the only HBAC Service sshd
- ipahbacrule:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: login
hbacsvc:
- sshd
@@ -77,13 +77,13 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
```yaml
---
- name: Playbook to handle hbacrules
hosts: ipaserver
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: login
hbacsvc:
- sshd
@@ -95,13 +95,13 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
```yaml
---
- name: Playbook to handle hbacrules
hosts: ipaserver
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Service sshd is present in HBAC Rule login
- ipahbacrule:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: login
hbacsvc:
- sshd
@@ -114,13 +114,13 @@ Example playbook to make sure HBAC Rule login is absent:
```yaml
---
- name: Playbook to handle hbacrules
hosts: ipaserver
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Rule login is present
- ipahbacrule:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: login
state: absent
```
@@ -129,17 +129,18 @@ Example playbook to make sure HBAC Rule login is absent:
Variables
=========
ipahbacrule
---------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of hbacrule name strings. | yes
`description` | The hbacrule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all", ""] | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all"] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all"] | no
`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all"] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this hbacrule. | no
`hostgroup` | List of host group name strings assigned to this hbacrule. | no

13
README-hbacsvc.md
View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Service for http is present
tasks:
# Ensure HBAC Service for http is present
- ipahbacsvc:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: http
description: Web service
```
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Service for tftp is present
tasks:
# Ensure HBAC Service for tftp is present
- ipahbacsvc:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: tftp
description: TFTPWeb service
```
@@ -82,7 +82,7 @@ Example playbook to make sure HBAC Services for http and tftp are absent
tasks:
# Ensure HBAC Service for http and tftp are absent
- ipahbacsvc:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: http,tftp
state: absent
```
@@ -91,12 +91,13 @@ Example playbook to make sure HBAC Services for http and tftp are absent
Variables
=========
ipahbacsvc
----------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` \| `service` | The list of hbacsvc name strings. | no
`description` | The hbacsvc description string. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no

27
README-hbacsvcgroup.md
View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -44,13 +44,13 @@ Example playbook to make sure HBAC Service Group login exists:
```yaml
---
- name: Playbook to handle hbacsvcgroups
hosts: ipaserver
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Service Group login is present
- ipahbacsvcgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: login
```
@@ -60,13 +60,13 @@ Example playbook to make sure HBAC Service Group login exists with the only HBAC
```yaml
---
- name: Playbook to handle hbacsvcgroups
hosts: ipaserver
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Service Group login is present with the only HBAC Service sshd
- ipahbacsvcgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: login
hbacsvc:
- sshd
@@ -77,13 +77,13 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Service Group
```yaml
---
- name: Playbook to handle hbacsvcgroups
hosts: ipaserver
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Service sshd is present in HBAC Service Group login
- ipahbacsvcgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: login
hbacsvc:
- sshd
@@ -95,13 +95,13 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group
```yaml
---
- name: Playbook to handle hbacsvcgroups
hosts: ipaserver
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Service sshd is present in HBAC Service Group login
- ipahbacsvcgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: login
hbacsvc:
- sshd
@@ -114,13 +114,13 @@ Example playbook to make sure HBAC Service Group login is absent:
```yaml
---
- name: Playbook to handle hbacsvcgroups
hosts: ipaserver
hbacsvcs: ipaserver
become: true
tasks:
# Ensure HBAC Service Group login is present
- ipahbacsvcgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: login
state: absent
```
@@ -129,12 +129,13 @@ Example playbook to make sure HBAC Service Group login is absent:
Variables
=========
ipahbacsvcgroup
---------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of hbacsvcgroup name strings. | no
`description` | The hbacsvcgroup description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no

135
README-host.md
View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -52,7 +52,7 @@ Example playbook to ensure host presence:
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: host01.example.com
description: Example host
ip_address: 192.168.0.123
@@ -65,79 +65,6 @@ Example playbook to ensure host presence:
- "52:54:00:BD:97:1E"
state: present
```
Compared to `ipa host-add` command no IP address conflict check is done as the ipahost module supports to have several IPv4 and IPv6 addresses for a host.
Example playbook to ensure host presence with several IP addresses:
```yaml
---
- name: Playbook to handle hosts
hosts: ipaserver
become: true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password: SomeADMINpassword
name: host01.example.com
description: Example host
ip_address:
- 192.168.0.123
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b3
- fe80::20c:29ff:fe02:a1b4
locality: Lab
ns_host_location: Lab
ns_os_version: CentOS 7
ns_hardware_platform: Lenovo T61
mac_address:
- "08:00:27:E3:B1:2D"
- "52:54:00:BD:97:1E"
state: present
```
Example playbook to ensure IP addresses are present for a host:
```yaml
---
- name: Playbook to handle hosts
hosts: ipaserver
become: true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password: SomeADMINpassword
name: host01.example.com
ip_address:
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b4
action: member
state: present
```
Example playbook to ensure IP addresses are absent for a host:
```yaml
---
- name: Playbook to handle hosts
hosts: ipaserver
become: true
tasks:
# Ensure host is present
- ipahost:
ipaadmin_password: SomeADMINpassword
name: host01.example.com
ip_address:
- 192.168.0.124
- fe80::20c:29ff:fe02:a1b4
action: member
state: absent
```
Example playbook to ensure host presence without DNS:
@@ -151,7 +78,7 @@ Example playbook to ensure host presence without DNS:
tasks:
# Ensure host is present without DNS
- ipahost:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: host02.example.com
description: Example host
force: yes
@@ -169,18 +96,18 @@ Example playbook to ensure host presence with a random password:
tasks:
- name: Host host01.example.com present with random password
ipahost:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: host01.example.com
random: yes
force: yes
update_password: on_create
register: ipahost
- name: Print generated random password
debug:
var: ipahost.host.randompassword
```
Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
Please remember that the `force` tag will also force the generation of a new random password even if the host already exists and if `update_password` is limited to `on_create`.
Example playbook to ensure presence of several hosts with a random password:
@@ -193,16 +120,14 @@ Example playbook to ensure presence of several hosts with a random password:
tasks:
- name: Hosts host01.example.com and host01.example.com present with random passwords
ipahost:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
hosts:
- name: host01.example.com
random: yes
force: yes
update_password: on_create
- name: host02.example.com
random: yes
force: yes
update_password: on_create
register: ipahost
- name: Print generated random password for host01.example.com
@@ -213,7 +138,7 @@ Example playbook to ensure presence of several hosts with a random password:
debug:
var: ipahost.host["host02.example.com"].randompassword
```
Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
Please remember that the `force` tag will also force the generation of a new random password even if the host alreay exists and if `update_password` is limited to `on_create`.
Example playbook to ensure presence of host member principal:
@@ -227,7 +152,7 @@ Example playbook to ensure presence of host member principal:
tasks:
- name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
ipahost:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: host01.example.com
principal:
- host/testhost01.example.com
@@ -246,7 +171,7 @@ Example playbook to ensure presence of host member certificate:
tasks:
- name: Host host01.example.com present with certificate
ipahost:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: host01.example.com
certificate:
- MIIC/zCCAeegAwIBAg...
@@ -264,12 +189,12 @@ Example playbook to ensure presence of member managedby_host for serveral hosts:
tasks:
ipahost:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
hosts:
- name: host01.example.com
managedby_host: server.example.com
- name: host02.example.com
managedby_host: server.example.com
- name: host01.exmaple.com
managedby_host: server.exmaple.com
- name: host02.exmaple.com
managedby_host: server.exmaple.com
action: member
```
@@ -285,12 +210,12 @@ Example playbook to disable a host:
tasks:
# Ensure host is disabled
- ipahost:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: host01.example.com
update_dns: yes
state: disabled
```
`update_dns` controls if the DNS entries will be updated in this case. For `state` present it is controlling the update of the DNS SSHFP records, but not the the other DNS records.
`update_dns` controls if the DNS entries will be updated.
Example playbook to ensure a host is absent:
@@ -313,12 +238,13 @@ Example playbook to ensure a host is absent:
Variables
=========
ipahost
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `fqdn` | The list of host name strings. `name` with *host variables* or `hosts` containing *host variables* need to be used. | no
**Host variables** | Only used with `name` variable in the first level. | no
`hosts` | The list of host dicts. Each `hosts` dict entry can contain **host variables**.<br>There is one required option in the `hosts` dict:| no
@@ -335,13 +261,13 @@ Variable | Description | Required
-------- | ----------- | --------
`description` | The host description. | no
`locality` | Host locality (e.g. "Baltimore, MD"). | no
`location` \| `ns_host_location` | Host physical location hint (e.g. "Lab 2"). | no
`location` \| `ns_host_location` | Host location (e.g. "Lab 2"). | no
`platform` \| `ns_hardware_platform` | Host hardware platform (e.g. "Lenovo T61"). | no
`os` \| `ns_os_version` | Host operating system and version (e.g. "Fedora 9"). | no
`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
`random` \| `random_password` | Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no
`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment. | no
`random` \| `random_password` | Initiate the generation of a random password to be used in bulk enrollment. | no
`certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
`managedby_host` | List of hosts that can manage this host | no
`managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
`principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
@@ -354,26 +280,29 @@ Variable | Description | Required
`mac_address` \| `macaddress` | List of hardware MAC addresses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
`userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. An additional check ensures that only types can be used that are supported by the IPA version. Choices: ["radius", "otp", "pkinit", "hardened", "idp", "passkey", ""] | no
`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
`force` | Force host name even if not in DNS. | no
`reverse` | Reverse DNS detection. | no
`ip_address` \| `ipaddress` | The host IP address list. It can contain IPv4 and IPv6 addresses. No conflict check for IP addresses is done. | no
`update_dns` | For existing hosts: DNS SSHFP records are updated with `state` present and all DNS entries for a host removed with `state` absent. | no
`ip_address` \| `ipaddress` | The host IP address. | no
`update_dns` | Update DNS entries. | no
Return Values
=============
ipahost
-------
There are only return values if one or more random passwords have been generated.
Variable | Description | Returned When
-------- | ----------- | -------------
`host` | Host dict with random password. (dict) <br>Options: | If random is yes and host did not exist or update_password is yes
&nbsp; | `randompassword` - The generated random password | If only one host is handled by the module without using the `hosts` parameter.
&nbsp; | `name` - The host name of the host that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several hosts are handled by the module with the `hosts` parameter.
&nbsp; | `randompassword` - The generated random password | If only one host is handled by the module
&nbsp; | `name` - The host name of the host that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several hosts are handled by the module
Authors

40
README-hostgroup.md
View File

@@ -19,14 +19,12 @@ Supported FreeIPA Versions
FreeIPA versions 4.4.0 and up are supported by the ipahostgroup module.
Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -54,7 +52,7 @@ Example playbook to make sure hostgroup databases exists:
tasks:
# Ensure host-group databases is present
- ipahostgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: databases
host:
- db.example.com
@@ -74,7 +72,7 @@ Example playbook to make sure that hosts and hostgroups are present in existing
tasks:
# Ensure hosts and hostgroups are present in existing databases hostgroup
- ipahostgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: databases
host:
- db.example.com
@@ -96,7 +94,7 @@ Example playbook to make sure hosts and hostgroups are absent in databases hostg
tasks:
# Ensure hosts and hostgroups are absent in databases hostgroup
- ipahostgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: databases
host:
- db.example.com
@@ -107,23 +105,6 @@ Example playbook to make sure hosts and hostgroups are absent in databases hostg
state: absent
```
Example playbook to rename an existing playbook:
```yaml
---
- name: Playbook to handle hostgroups
hosts: ipaserver
become: true
tasks:
# Ensure host-group databases is absent
- ipahostgroup:
ipaadmin_password: SomeADMINpassword
name: databases
rename: datalake
state: renamed
```
Example playbook to make sure host-group databases is absent:
```yaml
@@ -135,30 +116,29 @@ Example playbook to make sure host-group databases is absent:
tasks:
# Ensure host-group databases is absent
- ipahostgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: databases
state: absent
```
Variables
=========
ipahostgroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of hostgroup name strings. | no
`description` | The hostgroup description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this hostgroup. | no
`hostgroup` | List of hostgroup name strings assigned to this hostgroup. | no
`membermanager_user` | List of member manager users assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
`membermanager_group` | List of member manager groups assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
`rename` \| `new_name` | Rename hostgroup to the provided name. Only usable with IPA versions 4.8.7 and up. | no
`action` | Work on hostgroup or member level. It can be on of `member` or `hostgroup` and defaults to `hostgroup`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
Authors

233
README-idoverridegroup.md
View File

@@ -1,233 +0,0 @@
Idoverridegroup module
============
Description
-----------
The idoverridegroup module allows to ensure presence and absence of idoverridegroups and idoverridegroup members.
Use Cases
---------
With idoverridegroup it is possible to manage group attributes within ID views. These attributes are for example the group name or gid.
Features
--------
* Idoverridegroup management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidoverridegroup module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure test group test_group is present in idview test_idview
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview.
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
```
Example playbook to make sure test group test_group is present in idview test_idview with description
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview with description
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
description: "test_group description"
```
Example playbook to make sure test group test_group is present in idview test_idview without description
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview without description
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
description: ""
```
Example playbook to make sure test group test_group is present in idview test_idview with internal name test_123_group
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview with internal name test_123_group
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
name: test_123_group
```
Example playbook to make sure test group test_group is present in idview test_idview without internal name
```yaml
---
- name: Playbook to manage idoverridegroup
- name: Ensure test group test_group is present in idview test_idview without internal name
hosts: ipaserver
become: false
tasks:
- ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
name: ""
```
Example playbook to make sure test group test_group is present in idview test_idview with gid 20001
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview with gid 20001
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
gid: 20001
```
Example playbook to make sure test group test_group is present in idview test_idview without gid
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview without gid
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
gid: ""
```
Example playbook to make sure test group test_group is present in idview test_idview with enabling falling back to AD DC LDAP when resolving AD trusted objects. (For two-way trusts only.)
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is present in idview test_idview with fallback_to_ldap enabled
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
fallback_to_ldap: true
```
Example playbook to make sure test group test_group is absent in idview test_idview
```yaml
---
- name: Playbook to manage idoverridegroup
hosts: ipaserver
become: false
tasks:
- name: Ensure test group test_group is absent in idview test_idview
ipaidoverridegroup:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_group
continue: true
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`idview` \| `idviewcn` | The doverridegroup idview string. | yes
`anchor` \| `ipaanchoruuid` | The list of anchors to override. | yes
`description` \| `desc` | Description | no
`name` \| `group_name` \| `cn` | The group. | no
`gid` \| `gidnumber` | Group ID Number (int or "") | no
`fallback_to_ldap` | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | no
`delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Authors
=======
Thomas Woerner

503
README-idoverrideuser.md
View File

@@ -1,503 +0,0 @@
Idoverrideuser module
============
Description
-----------
The idoverrideuser module allows to ensure presence and absence of idoverrideusers and idoverrideuser members.
Use Cases
---------
With idoverrideuser it is possible to manage user attributes within ID views. These attributes are for example the login name, home directory, certificate for authentication or SSH keys.
Features
--------
* Idoverrideuser management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidoverrideuser module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure test user test_user is present in idview test_idview
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview.
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
```
Example playbook to make sure test user test_user is present in idview test_idview with description
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with description
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
description: "test_user description"
```
Example playbook to make sure test user test_user is present in idview test_idview without description
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without description
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
description: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with internal name test_123_user
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with internal name test_123_user
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
name: test_123_user
```
Example playbook to make sure test user test_user is present in idview test_idview without internal name
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without internal name
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
name: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with uid 20001
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with uid 20001
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
uid: 20001
```
Example playbook to make sure test user test_user is present in idview test_idview without uid
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without uid
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
uid: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with gecos "Gecos Test"
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with gecos "Gecos Test"
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
gecos: Gecos Test
```
Example playbook to make sure test user test_user is present in idview test_idview without gecos
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without gecos
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
gecos: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with gidnumber
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with gidnumber
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
gidnumber: 20001
```
Example playbook to make sure test user test_user is present in idview test_idview without gidnumber
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without gidnumber
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
gidnumber: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with homedir /Users
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with homedir /Users
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
homedir: /Users
```
Example playbook to make sure test user test_user is present in idview test_idview without homedir
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without homedir
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
homedir: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with shell
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with shell
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
shell: /bin/someshell
```
Example playbook to make sure test user test_user is present in idview test_idview without shell
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without shell
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
shell: ""
```
Example playbook to make sure test user test_user is present in idview test_idview with sshpubkey
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with sshpubkey
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
sshpubkey:
- ssh-rsa AAAAB3NzaC1yc2EAAADAQABAAABgQCqmVDpEX5gnSjKuv97Ay ...
```
Example playbook to make sure test user test_user is present in idview test_idview without sshpubkey
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without sshpubkey
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
sshpubkey: []
```
Example playbook to make sure test user test_user is present in idview test_idview with 1 certificate
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with 1 certificate
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
certificate:
- "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
```
Example playbook to make sure test user test_user is present in idview test_idview with 3 certificate members
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with 3 certificate members
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
certificate:
- "{{ lookup('file', 'cert1.b64', rstrip=False) }}"
- "{{ lookup('file', 'cert2.b64', rstrip=False) }}"
- "{{ lookup('file', 'cert3.b64', rstrip=False) }}"
action: member
```
Example playbook to make sure test user test_user is present in idview test_idview without 2 certificate members
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without 2 certificate members
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
certificate:
- "{{ lookup('file', 'cert2.b64', rstrip=False) }}"
- "{{ lookup('file', 'cert3.b64', rstrip=False) }}"
action: member
state: absent
```
Example playbook to make sure test user test_user is present in idview test_idview without certificates
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview without certificates
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
certificate: []
```
Example playbook to make sure test user test_user is present in idview test_idview with enabling falling back to AD DC LDAP when resolving AD trusted objects. (For two-way trusts only.)
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is present in idview test_idview with fallback_to_ldap enabled
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
fallback_to_ldap: true
```
Example playbook to make sure test user test_user is absent in idview test_idview
```yaml
---
- name: Playbook to manage idoverrideuser
hosts: ipaserver
become: false
tasks:
- name: Ensure test user test_user is absent in idview test_idview
ipaidoverrideuser:
ipaadmin_password: SomeADMINpassword
idview: test_idview
anchor: test_user
continue: true
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`idview` \| `idviewcn` | The doverrideuser idview string. | yes
`anchor` \| `ipaanchoruuid` | The list of anchors to override. | yes
`description` \| `desc` | Description | no
`name` \| `login` | The user (internally uid) | no
`uid` \| `uidnumber` | User ID Number (int or "") | no
`gecos` | GECOS | no
`gidnumber` | Group ID Number (int or ""). | no
`homedir` \| `homedirectory` | Home directory. | no
`shell` \| `loginshell` | Login shell. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`certificate` \| `usercertificate` | List of Base-64 encoded user certificates. This variable can also be used with `action: member`. | no
`fallback_to_ldap` | Allow falling back to AD DC LDAP when resolving AD trusted objects. For two-way trusts only. | no
`delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`nomembers` \| `no_members` | Suppress processing of membership attributes. Valid only if `state` is `absent`. | no
`action` | Work on idoverrideuser or member level. It can be on of `member` or `idoverrideuser` and defaults to `idoverrideuser`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Authors
=======
Thomas Woerner

192
README-idp.md
View File

@@ -1,192 +0,0 @@
Idp module
============
Description
-----------
The idp module allows to ensure presence and absence of idps.
Features
--------
* Idp management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidp module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure keycloak idp my-keycloak-idp is present:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure keycloak idp my-keycloak-idp is present
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-keycloak-idp
provider: keycloak
organization: main
base_url: keycloak.idm.example.com:8443/auth
client_id: my-client-id
```
Example playbook to make sure keycloak idp my-keycloak-idp is absent:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure keycloak idp my-keycloak-idp is absent
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-keycloak-idp
delete_continue: true
state: absent
```
Example playbook to make sure github idp my-github-idp is present:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure github idp my-github-idp is present
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-github-idp
provider: github
client_id: my-github-client-id
```
Example playbook to make sure google idp my-google-idp is present using provider defaults without specifying provider:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure google idp my-google-idp is present using provider defaults without specifying provider
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-google-idp
auth_uri: https://accounts.google.com/o/oauth2/auth
dev_auth_uri: https://oauth2.googleapis.com/device/code
token_uri: https://oauth2.googleapis.com/token
keys_uri: https://www.googleapis.com/oauth2/v3/certs
userinfo_uri: https://openidconnect.googleapis.com/v1/userinfo
client_id: my-google-client-id
scope: "openid email"
idp_user_id: email
```
Example playbook to make sure google idp my-google-idp is present using provider:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure google idp my-google-idp is present using provider
ipaidp:
ipaadmin_password: SomeADMINpassword
name: my-google-idp
provider: google
client_id: my-google-client-id
```
Example playbook to make sure idps my-keycloak-idp, my-github-idp and my-google-idp are absent:
```yaml
---
- name: Playbook to manage IPA idp.
hosts: ipaserver
become: false
tasks:
- name: Ensure idps my-keycloak-idp, my-github-idp and my-google-idp are absent
ipaidp:
ipaadmin_password: SomeADMINpassword
name:
- my-keycloak-idp
- my-github-idp
- my-google-idp
delete_continue: true
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | false
`name` \| `cn` | The list of idp name strings. | yes
auth_uri \| ipaidpauthendpoint | OAuth 2.0 authorization endpoint string. | no
dev_auth_uri \| ipaidpdevauthendpoint | Device authorization endpoint string. | no
token_uri \| ipaidptokenendpoint | Token endpoint string. | no
userinfo_uri \| ipaidpuserinfoendpoint | User information endpoint string. | no
keys_uri \| ipaidpkeysendpoint | JWKS endpoint string. | no
issuer_url \| ipaidpissuerurl | The Identity Provider OIDC URL string. | no
client_id \| ipaidpclientid | OAuth 2.0 client identifier string. | no
secret \| ipaidpclientsecret | OAuth 2.0 client secret string. | no
scope \| ipaidpscope | OAuth 2.0 scope string. Multiple scopes separated by space. | no
idp_user_id \| ipaidpsub | Attribute string for user identity in OAuth 2.0 userinfo. | no
provider \| ipaidpprovider | Pre-defined template string. This provides the provider defaults, which can be overridden with the other IdP options. Choices: ["google","github","microsoft","okta","keycloak"] | no
organization \| ipaidporg | Organization ID string or Realm name for IdP provider templates. | no
base_url \| ipaidpbaseurl | Base URL string for IdP provider templates. | no
rename \| new_name | New name for the Identity Provider server object. Only with `state: renamed`. | no
delete_continue \| continue | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `renamed`, default: `present`. | no
Authors
=======
Thomas Woerner

179
README-idrange.md
View File

@@ -1,179 +0,0 @@
Idrange module
============
Description
-----------
The idrange module allows the management of ID ranges.
In general it is not necessary to modify or delete ID ranges. If there is no other way to achieve a certain configuration than to modify or delete an ID range it should be done with great care. Because UIDs are stored in the file system and are used for access control it might be possible that users are allowed to access files of other users if an ID range got deleted and reused for a different domain.
Use cases
---------
* Add an ID range from a transitively trusted domain
If the trusted domain (A) trusts another domain (B) as well and this trust is transitive 'ipa trust-add domain-A' will only create a range for domain A. The ID range for domain B must be added manually.
* Add an additional ID range for the local domain
If the ID range of the local domain is exhausted, i.e. no new IDs can be assigned to Posix users or groups by the DNA plugin, a new range has to be created to allow new users and groups to be added. (Currently there is no connection between this range CLI and the DNA plugin, but a future version might be able to modify the configuration of the DNS plugin as well).
Features
--------
* ID Range management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidrange module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure a local domain idrange is present:
```yaml
---
- name: Playbook to manage IPA idrange.
hosts: ipaserver
become: no
tasks:
- name: Ensure an ID Range for the local domain is present.
ipaidrange:
ipaadmin_password: SomeADMINpassword
name: local_domain_id_range
base_id: 150000
range_size: 200000
rid_base: 1000000
secondary_rid_base: 200000000
```
Example playbook to ensure an AD-trust idrange is present, with range type 'trust-ad' and using domain SID:
```yaml
---
- name: Playbook to manage IPA idrange.
hosts: ipaserver
become: no
tasks:
- name: Ensure AD-trust idrange is present
ipaidrange:
ipaadmin_password: SomeADMINpassword
name: ad_id_range
base_id: 150000000
range_size: 200000
idrange_type: ipa-ad-trust
dom_sid: S-1-5-21-2870384104-3340008087-3140804251
```
Example playbook to ensure an AD-trust idrange is present, with range type 'trust-ad-posix' and using domain SID:
```yaml
---
- name: Playbook to manage IPA idrange.
hosts: ipaserver
become: no
tasks:
- name: Ensure AD-trust idrange is present
ipaidrange:
name: ad_posix_id_range
base_id: 150000000
range_size: 200000
idrange_type: ipa-ad-trust-posix
dom_name: ad.ipa.test
```
Example playbook to ensure an AD-trust idrange has auto creation of groups set to 'hybrid':
```yaml
---
- name: Playbook to manage IPA idrange.
hosts: ipaserver
become: no
tasks:
- name: Modify AD-trust idrange 'auto_private_groups'
ipaidrange:
ipaadmin_password: SomeADMINpassword
ipaapi_context: "{{ ipa_context | default(omit) }}"
name: ad_id_range
auto_private_groups: "hybrid"
```
Example playbook to make sure an idrange is absent:
```yaml
---
- name: Playbook to manage IPA idrange.
hosts: ipaserver
become: no
tasks:
- name: Ensure ID range 'ad_id_range' is absent.
ipaidrange:
ipaadmin_password: SomeADMINpassword
name: ad_id_range
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of idrange name strings. | yes
`base_id` \| `ipabaseid` | First Posix ID of the range. (int) | yes, if `state: present`
`range_size` \| `ipaidrangesize` | Number of IDs in the range. (int) | yes, if `state: present`
`rid_base` \| `ipabaserid` | First RID of the corresponding RID range. (int) | yes, if `idrange_type: ipa-local` and `state: present` |
`secondary_rid_base` \| `ipasecondarybaserid` | First RID of the secondary RID range. (int) | yes, if `idrange_type: ipa-local` and `state: present` |
`dom_sid` \| `ipanttrusteddomainsid` | Domain SID of the trusted domain. | no
`idrange_type` \| `iparangetype` | ID range type, one of `ipa-ad-trust`, `ipa-ad-trust-posix`, `ipa-local`. Only valid if idrange does not exist. | no
`dom_name` \| `ipanttrusteddomainname` | Name of the trusted domain. Can only be used when `ipaapi_context: server`. | no
`auto_private_groups` \| `ipaautoprivategroups` | Auto creation of private groups, one of `true`, `false`, `hybrid`. | no
`delete_continue` \| `continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Notes
=====
DNA plugin in 389-ds will allocate IDs based on the ranges configured for the local domain. Currently the DNA plugin *cannot* be reconfigured itself based on the local ranges set via this family of commands.
Manual configuration change has to be done in the DNA plugin configuration for the new local range. Specifically, The dnaNextRange attribute of 'cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config' has to be modified to match the new range.
Authors
=======
Rafael Guterres Jeffman

153
README-idview.md
View File

@@ -1,153 +0,0 @@
Idview module
============
Description
-----------
The idview module allows to ensure presence and absence of idviews and idview host members.
Use Cases
---------
With ID views it is possible to override user or group attributes for users stored in the LDAP server. For example the login name, home directory, certificate for authentication or SSH keys. An ID view is client-side and specifies new values for user or group attributes and also the client host or hosts on which the values apply.
The ID view and the applied hosts are managed with idview, the user attributes are managed with idoverrideuser and the group attributes with idoverridegroup.
Features
--------
* Idview management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaidview module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure idview "test_idview" is present:
```yaml
---
- name: Playbook to manage IPA idview.
hosts: ipaserver
become: false
tasks:
- ipaidview:
ipaadmin_password: SomeADMINpassword
name: test_idview
```
Example playbook to make sure idview "test_idview" member host "testhost.example.com" is present:
```yaml
---
- name: Playbook to manage IPA idview host member.
hosts: ipaserver
become: false
tasks:
- ipaidview:
ipaadmin_password: SomeADMINpassword
name: test_idview
host: testhost.example.com
action: member
```
Example playbook to make sure idview "test_idview" member host "testhost.example.com" is absent:
```yaml
---
- name: Playbook to manage IPA idview host member.
hosts: ipaserver
become: false
tasks:
- ipaidview:
ipaadmin_password: SomeADMINpassword
name: test_idview
host: testhost.example.com
action: member
state: absent
```
Example playbook to make sure idview "test_idview" is present with domain_resolution_order for "ad.example.com:ipa.example.com":
```yaml
---
- name: Playbook to manage IPA idview host member.
hosts: ipaserver
become: false
tasks:
- ipaidview:
ipaadmin_password: SomeADMINpassword
name: test_idview
domain_resolution_order: "ad.example.com:ipa.example.com"
```
Example playbook to make sure idview "test_idview" is absent:
```yaml
---
- name: Playbook to manage IPA idview.
hosts: ipaserver
become: false
tasks:
- ipaidview:
ipaadmin_password: SomeADMINpassword
name: test_idview
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`name` \| `cn` | The list of idview name strings. | yes
`description` \| `desc` | The description string of the idview. | no
`domain_resolution_order` \| `ipadomainresolutionorder` | Colon-separated list of domains used for short name qualification. | no
`host` \| `hosts` | List of hosts to apply the ID View to. A host can only be applied to a single idview at any time. Applying a host that is already applied to a different idview will change the idview the host is applied to to the new one. | no
`rename` \| `new_name` | Rename the ID view object to the new name string. Only usable with `state: renamed`. | no
`delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no
`action` | Work on idview or member level. It can be on of `member` or `idview` and defaults to `idview`. | no
`state` | The state to ensure. It can be one of `present`, `absent` and `renamed`, default: `present`. | no
Authors
=======
Thomas Woerner

106
README-inventory-plugin-freeipa.md
View File

@@ -1,106 +0,0 @@
Inventory plugin
================
Description
-----------
The inventory plugin compiles a dynamic inventory from IPA domain. The servers can be filtered by their role(s).
This plugin is using the Python requests binding, that is only available for Python 3.7 and up.
Features
--------
* Dynamic inventory
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.6.0 and up are supported by the inventory plugin.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Configuration
=============
The inventory plugin is automatically enabled from the Ansible collection or from the top directory of the git repo if the `plugins` folder is linked to `~/.ansible`.
If `ansible.cfg` was modified to point to the roles and modules with `roles_path`, `library` and `module_utils` tag, then it is needed to set `inventory_plugins` also:
```
inventory_plugins = /my/dir/ansible-freeipa/plugins/inventory
```
Usage
=====
Example inventory file "freeipa.yml":
```yml
---
plugin: freeipa
server: server.ipa.local
ipaadmin_password: SomeADMINpassword
```
Example inventory file "freeipa.yml" with server TLS certificate verification using local copy of `/etc/ipa/ca.crt` from the server:
```yml
---
plugin: freeipa
server: server.ipa.local
ipaadmin_password: SomeADMINpassword
verify: ca.crt
```
How to use the plugin
---------------------
With the `ansible-inventory` command it is possible to show the generated inventorey:
```bash
ansible-inventory -v -i freeipa.yml --graph
```
Example inventory file "freeipa.yml" for use with `playbooks/config/retrieve-config.yml`:
```yml
---
plugin: freeipa
server: server.ipa.local
ipaadmin_password: SomeADMINpassword
inventory_group: ipaserver
```
```bash
ansible-playbook -u root -i ipa.yml playbooks/config/retrieve-config.yml
```
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`server` | The FQDN of server to start the scan. (string) | yes
`verify` | The server TLS certificate file for verification (/etc/ipa/ca.crt). Turned off if not set. (string) | yes
`role` | The role(s) of the server. If several roles are given, only servers that have all the roles are returned. (list of strings) (choices: "IPA master", "CA server", "KRA server", "DNS server", "AD trust controller", "AD trust agent") | no
`inventory_group` | The inventory group to create. The default group name is "ipaservers". | no
Authors
=======
- Thomas Woerner

91
README-location.md
View File

@@ -1,91 +0,0 @@
Location module
===============
Description
-----------
The location module allows to ensure presence and absence of locations.
Features
--------
* Location management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipalocation module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure location "my_location1" is present:
```yaml
---
- name: Playbook to manage IPA location.
hosts: ipaserver
become: yes
tasks:
- ipalocation:
ipaadmin_password: SomeADMINpassword
name: my_location1
description: My Location 1
```
Example playbook to make sure location "my_location1" is absent:
```yaml
---
- name: Playbook to manage IPA location.
hosts: ipaserver
become: yes
tasks:
- ipalocation:
ipaadmin_password: SomeADMINpassword
name: my_location1
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `idnsname` | The list of location name strings. | yes
`description` | The IPA location string | false
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Authors
=======
Thomas Woerner

179
README-netgroup.md
View File

@@ -1,179 +0,0 @@
Netgroup module
============
Description
-----------
The netgroup module allows to ensure presence and absence of netgroups.
Features
--------
* Netgroup management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipanetgroup module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure netgroup "my_netgroup1" is present:
```yaml
---
- name: Playbook to manage IPA netgroup.
hosts: ipaserver
become: no
tasks:
- name: Ensure netgroup my_netgroup1 is present
ipanetgroup:
ipaadmin_password: SomeADMINpassword
name: my_netgroup1
description: My netgroup 1
```
Example playbook to make sure netgroup "my_netgroup1" is absent:
```yaml
---
- name: Playbook to manage IPA netgroup.
hosts: ipaserver
become: no
tasks:
- name: Ensure netgroup my_netgroup1 is absent
ipanetgroup:
ipaadmin_password: SomeADMINpassword
name: my_netgroup1
state: absent
```
Example playbook to make sure netgroup is present with user "user1"
```yaml
---
- name: Playbook to manage IPA netgroup.
hosts: ipaserver
become: no
tasks:
- name: Ensure netgroup is present with user "user1"
ipanetgroup:
ipaadmin_password: SomeADMINpassword
name: TestNetgroup1
user: user1
action: member
```
Example playbook to make sure netgroup user, "user1", is absent
```yaml
---
- name: Playbook to manage IPA netgroup.
hosts: ipaserver
become: no
tasks:
- name: Ensure netgroup user, "user1", is absent
ipanetgroup:
ipaadmin_password: SomeADMINpassword
name: TestNetgroup1
user: "user1"
action: member
state: absent
```
Example playbook to make sure netgroup is present with members
```yaml
---
- name: Playbook to manage IPA netgroup.
hosts: ipaserver
become: no
tasks:
- name: Ensure netgroup members are present
ipanetgroup:
ipaadmin_password: SomeADMINpassword
name: TestNetgroup1
user: user1,user2
group: group1
host: host1
hostgroup: ipaservers
netgroup: admins
action: member
```
Example playbook to make sure 2 netgroups TestNetgroup1, admins are absent
```yaml
---
- name: Playbook to manage IPA netgroup.
hosts: ipaserver
become: no
tasks:
- name: Ensure netgroups are absent
ipanetgroup:
ipaadmin_password: SomeADMINpassword
name:
- TestNetgroup1
- admins
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of netgroup name strings. | yes
`description` | Netgroup description | no
`nisdomain` | NIS domain name | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`user` | List of user name strings assigned to this netgroup. | no
`group` | List of group name strings assigned to this netgroup. | no
`host` | List of host name strings assigned to this netgroup. | no
`hostgroup` | List of hostgroup name strings assigned to this netgroup. | no
`netgroup` | List of netgroup name strings assigned to this netgroup. | no
`action` | Work on group or member level. It can be on of `member` or `netgroup` and defaults to `netgroup`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Authors
=======
Denis Karpelevich

88
README-passkeyconfig.md
View File

@@ -1,88 +0,0 @@
Passkeyconfig module
============
Description
-----------
The passkeyconfig module allows to manage FreeIPA passkey configuration settings.
Features
--------
* Passkeyconfig management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipapasskeyconfig module.
Requirements
------------
**Controller**
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
By default, user verification for passkey authentication is turned on (`true`). Example playbook to ensure that the requirement for user verification for passkey authentication is turned off:
```yaml
---
- name: Playbook to manage IPA passkeyconfig.
hosts: ipaserver
become: false
tasks:
- name: Ensure require_user_verification is false
ipapasskeyconfig:
ipaadmin_password: SomeADMINpassword
require_user_verification: false
```
Example playbook to get current passkeyconfig:
```yaml
---
- name: Playbook to get IPA passkeyconfig.
hosts: ipaserver
become: false
tasks:
- name: Retrieve current passkey configuration
ipapasskeyconfig:
ipaadmin_password: SomeADMINpassword
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`require_user_verification` \| `iparequireuserverification` | Require user verification for passkey authentication. (bool) | no
Authors
=======
Rafael Guterres Jeffman

187
README-permission.md
View File

@@ -1,187 +0,0 @@
Permission module
============
Description
-----------
The permission module allows to ensure presence and absence of permissions and permission members.
Features
--------
* Permission management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipapermission module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure permission "MyPermission" is present:
```yaml
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure permission MyPermission is present
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
object_type: host
right: all
```
Example playbook to ensure permission "MyPermission" is present with attr carlicense:
```yaml
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure permission "MyPermission" is present with attr carlicense
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
object_type: host
right: all
attrs:
- carlicense
```
Example playbook to ensure attr gecos is present in permission "MyPermission":
```yaml
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure attr gecos is present in permission "MyPermission"
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
attrs:
- gecos
action: member
```
Example playbook to ensure attr gecos is absent in permission "MyPermission":
```yaml
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure attr gecos is present in permission "MyPermission"
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
attrs:
- gecos
action: member
state: absent
```
Example playbook to make sure permission "MyPermission" is absent:
```yaml
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure permission "MyPermission" is absent
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
state: absent
```
Example playbook to make sure permission "MyPermission" is renamed to "MyNewPermission":
```yaml
---
- name: Playbook to handle IPA permissions
hosts: ipaserver
become: yes
tasks:
- name: Ensure permission "MyPermission" is renamed to "MyNewPermission
ipapermission:
ipaadmin_password: SomeADMINpassword
name: MyPermission
rename: MyNewPermission
state: renamed
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The permission name string. | yes
`right` \| `ipapermright` | Rights to grant. It can be a list of one or more of `read`, `search`, `compare`, `write`, `add`, `delete`, and `all` default: `all` | no
`attrs` | All attributes to which the permission applies. | no
`bindtype` \| `ipapermbindruletype` | Bind rule type. It can be one of `permission`, `all`, `self`, or `anonymous` defaults to `permission` for new permissions. Bind rule type `self` can only be used on IPA versions 4.8.7 or up.| no
`subtree` \| `ipapermlocation` | Subtree to apply permissions to | no
`filter` \| `extratargetfilter` | Extra target filter | no
`rawfilter` \| `ipapermtargetfilter` | All target filters | no
`target` \| `ipapermtarget` | Optional DN to apply the permission to | no
`targetto` \| `ipapermtargetto` | Optional DN subtree where an entry can be moved to | no
`targetfrom` \| `ipapermtargetfrom` | Optional DN subtree from where an entry can be moved | no
`memberof` | Target members of a group (sets memberOf targetfilter) | no
`targetgroup` | User group to apply permissions to (sets target) | no
`object_type` | Type of IPA object (sets subtree and objectClass targetfilter) | no
`no_members` | Suppress processing of membership | no
`rename` \| `new_name` | Rename the permission object | no
`action` | Work on permission or member level. It can be on of `member` or `permission` and defaults to `permission`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `renamed` default: `present`. | no
The `includedattrs` and `excludedattrs` variables are only usable for managed permisions and are not exposed by the module. Using `attrs` for managed permissions will result in the automatic generation of `includedattrs` and `excludedattrs` in the IPA server.
Authors
=======
Seth Kress

146
README-privilege.md
View File

@@ -1,146 +0,0 @@
Privilege module
================
Description
-----------
The privilege module allows to ensure presence and absence of privileges and privilege members.
Features
--------
* Privilege management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaprivilege module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure privilege "Broad Privilege" is present:
```yaml
---
- name: Playbook to manage IPA privilege.
hosts: ipaserver
become: yes
tasks:
- ipaprivilege:
ipaadmin_password: SomeADMINpassword
name: Broad Privilege
description: Broad Privilege
```
Example playbook to make sure privilege "Broad Privilege" member permission has multiple values:
```yaml
---
- name: Playbook to manage IPA privilege permission member.
hosts: ipaserver
become: yes
tasks:
- ipaprivilege:
ipaadmin_password: SomeADMINpassword
name: Broad Privilege
permission:
- "Write IPA Configuration"
- "System: Write DNS Configuration"
- "System: Update DNS Entries"
action: member
```
Example playbook to make sure privilege "Broad Privilege" member permission 'Write IPA Configuration' is absent:
```yaml
---
- name: Playbook to manage IPA privilege permission member.
hosts: ipaserver
become: yes
tasks:
- ipaprivilege:
ipaadmin_password: SomeADMINpassword
name: Broad Privilege
permission:
- "Write IPA Configuration"
action: member
state: absent
```
Example playbook to rename privilege "Broad Privilege" to "DNS Special Privilege":
```yaml
---
- name: Playbook to manage IPA privilege.
hosts: ipaserver
become: yes
tasks:
- ipaprivilege:
ipaadmin_password: SomeADMINpassword
name: Broad Privilege
rename: DNS Special Privilege
state: renamed
```
Example playbook to make sure privilege "DNS Special Privilege" is absent:
```yaml
---
- name: Playbook to manage IPA privilege.
hosts: ipaserver
become: yes
- name: Ensure privilege Broad Privilege is absent
ipaadmin_password: SomeADMINpassword
name: DNS Special Privilege
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin`. | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node. | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of privilege name strings. | yes
`description` | Privilege description. | no
`rename` \| `new_name` | Rename the privilege object. | no
`permission` | Permissions to be added to the privilege. | no
`action` | Work on privilege or member level. It can be one of `member` or `privilege` and defaults to `privilege`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
Authors
=======
Rafael Guterres Jeffman

83
README-pwpolicy.md
View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -45,7 +45,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops:
tasks:
- name: Ensure presence of pwpolicies for group ops
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: ops
minlife: 7
maxlife: 49
@@ -56,7 +56,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops:
maxfail: 3
```
Example playbook to ensure absence of pwpolicies for group ops:
Example playbook to ensure absence of pwpolicies for group ops
```yaml
---
@@ -67,81 +67,32 @@ Example playbook to ensure absence of pwpolicies for group ops:
tasks:
# Ensure absence of pwpolicies for group ops
- ipapwpolicy:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: ops
state: absent
```
Example playbook to ensure maxlife is set to 49 in global policy:
```yaml
---
- name: Playbook to handle pwpolicies
hosts: ipaserver
become: true
tasks:
# Ensure maxlife is set to 49 in global policy
- ipapwpolicy:
ipaadmin_password: SomeADMINpassword
maxlife: 49
```
Example playbook to ensure password grace period is set to 3 in global policy:
```yaml
---
- name: Playbook to handle pwpolicies
hosts: ipaserver
become: true
tasks:
# Ensure maxlife is set to 49 in global policy
- ipapwpolicy:
ipaadmin_password: SomeADMINpassword
gracelimit: 3
```
Example playbook to ensure password grace period is set to unlimited in global policy:
```yaml
---
- name: Playbook to handle pwpolicies
hosts: ipaserver
become: true
tasks:
# Ensure maxlife is set to 49 in global policy
- ipapwpolicy:
ipaadmin_password: SomeADMINpassword
gracelimit: -1
```
Variables
=========
ipapwpolicy
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
`maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int or "") | no
`minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int or "") | no
`history` \| `krbpwdhistorylength` | Password history size. (int or "") | no
`minclasses` \| `krbpwdmindiffchars` | Minimum number of character classes. (int or "") | no
`minlength` \| `krbpwdminlength` | Minimum length of password. (int or "") | no
`priority` \| `cospriority` | Priority of the policy, higher number means lower priority. (int or "") | no
`maxfail` \| `krbpwdmaxfailure` | Consecutive failures before lockout. (int or "") | no
`failinterval` \| `krbpwdfailurecountinterval` | Period after which failure count will be reset in seconds. (int or "") | no
`lockouttime` \| `krbpwdlockoutduration` | Period for which lockout is enforced in seconds. (int or "") | no
`maxrepeat` \| `ipapwdmaxrepeat` | Maximum number of same consecutive characters. Requires IPA 4.9+ (int or "") | no
`maxsequence` \| `ipapwdmaxsequence` | The maximum length of monotonic character sequences (abcd). Requires IPA 4.9+ (int or "") | no
`dictcheck` \| `ipapwdictcheck` | Check if the password is a dictionary word. Requires IPA 4.9+. (bool or "") | no
`usercheck` \| `ipapwdusercheck` | Check if the password contains the username. Requires IPA 4.9+. (bool or "") | no
`gracelimit` \| `passwordgracelimit` | Number of LDAP authentications allowed after expiration. Requires IPA 4.9.10 (int or "") | no
`name` \| `cn` | The list of pwpolicy name strings. | no
`maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
`minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
`history` \| `krbpwdhistorylength` | Password history size. (int) | no
`minclasses` \| `krbpwdmindiffchars` | Minimum number of character classes. (int) | no
`minlength` \| `krbpwdminlength` | Minimum length of password. (int) | no
`priority` \| `cospriority` | Priority of the policy, higher number means lower priority. (int) | no
`maxfail` \| `krbpwdmaxfailure` | Consecutive failures before lockout. (int) | no
`failinterval` \| `krbpwdfailurecountinterval` | Period after which failure count will be reset in seconds. (int) | no
`lockouttime` \| `krbpwdlockoutduration` | Period for which lockout is enforced in seconds. (int) | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes

267
README-role.md
View File

@@ -1,267 +0,0 @@
Role module
===========
Description
-----------
The role module allows to ensure presence, absence of roles and members of roles.
The role module is as compatible as possible to the Ansible upstream `ipa_role` module, but additionally offers role member management.
Features
--------
* Role management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the iparole module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure role is present with all members:
```yaml
---
- name: Playbook to manage IPA role with members.
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- iparole:
ipaadmin_password: SomeADMINpassword
name: somerole
user:
- pinky
group:
- group01
host:
- host01.example.com
hostgroup:
- hostgroup01
privilege:
- Group Administrators
- User Administrators
service:
- service01
```
Example playbook to rename a role:
```yaml
- iparole:
ipaadmin_password: SomeADMINpassword
name: somerole
rename: anotherrole
```
Example playbook to make sure role is absent:
```yaml
---
- name: Playbook to manage IPA role.
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- iparole:
ipaadmin_password: SomeADMINpassword
name: somerole
state: absent
```
Example playbook to ensure a user is a member of a role:
```yaml
---
- name: Playbook to manage IPA role member.
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- iparole:
ipaadmin_password: SomeADMINpassword
name: somerole
user:
- pinky
action: member
```
Example playbook to ensure a group is a member of a role:
```yaml
---
- name: Playbook to manage IPA role member.
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- iparole:
ipaadmin_password: SomeADMINpassword
name: somerole
host:
- host01.example.com
action: member
```
Example playbook to ensure a host is a member of a role:
```yaml
---
- name: Playbook to manage IPA role member.
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- iparole:
ipaadmin_password: SomeADMINpassword
name: somerole
host:
- host01.example.com
action: member
```
Example playbook to ensure a hostgroup is a member of a role:
```yaml
---
- name: Playbook to manage IPA role member.
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- iparole:
ipaadmin_password: SomeADMINpassword
name: somerole
hostgroup:
- hostgroup01
action: member
```
Example playbook to ensure a service is a member of a role:
```yaml
---
- name: Playbook to manage IPA role member.
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- iparole:
ipaadmin_password: SomeADMINpassword
name: somerole
service:
- service01
action: member
```
Example playbook to ensure a privilege is a member of a role:
```yaml
---
- name: Playbook to manage IPA role member.
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- iparole:
ipaadmin_password: SomeADMINpassword
name: somerole
privilege:
- Group Administrators
- User Administrators
action: member
```
Example playbook to ensure that different members are not associated with a role.
```yaml
---
- name: Playbook to manage IPA role member.
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- iparole:
ipaadmin_password: SomeADMINpassword
name: somerole
user:
- pinky
group:
- group01
host:
- host01.example.com
hostgroup:
- hostgroup01
privilege:
- Group Administrators
- User Administrators
service:
- service01
sysaccount:
- my-app
action: member
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of role name strings. | yes
`description` | A description for the role. | no
`rename` \| `new_name` | Rename the role object. | no
`privilege` | Privileges associated to this role. | no
`user` | List of users to be assigned or not assigned to the role. | no
`group` | List of groups to be assigned or not assigned to the role. | no
`host` | List of hosts to be assigned or not assigned to the role. | no
`hostgroup` | List of hostgroups to be assigned or not assigned to the role. | no
`service` | List of services to be assigned or not assigned to the role. | no
`sysaccount` | List of sysaccounts to be assigned or not assigned to the role. | no
`action` | Work on role or member level. It can be one of `member` or `role` and defaults to `role`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Authors
=======
Rafael Jeffman
Thomas Woerner

150
README-selfservice.md
View File

@@ -1,150 +0,0 @@
Selfservice module
=================
Description
-----------
The selfservice module allows to ensure presence, absence of selfservices and selfservice attributes.
Features
--------
* Selfservice management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaselfservice module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure selfservice "Users can manage their own name details" is present:
```yaml
---
- name: Playbook to manage IPA selfservice.
hosts: ipaserver
become: yes
tasks:
- ipaselfservice:
ipaadmin_password: SomeADMINpassword
name: "Users can manage their own name details"
permission: read
attribute:
- title
- initials
```
Example playbook to make sure selfservice "Users can manage their own name details" is absent:
```yaml
---
- name: Playbook to manage IPA selfservice.
hosts: ipaserver
become: yes
tasks:
- ipaselfservice:
ipaadmin_password: SomeADMINpassword
name: "Users can manage their own name details"
state: absent
```
Example playbook to make sure "Users can manage their own name details" member attribute initials is present:
```yaml
---
- name: Playbook to manage IPA selfservice.
hosts: ipaserver
become: yes
tasks:
- ipaselfservice:
ipaadmin_password: SomeADMINpassword
name: "Users can manage their own name details"
attribute:
- initials
action: member
```
Example playbook to make sure "Users can manage their own name details" member attribute initials is absent:
```yaml
---
- name: Playbook to manage IPA selfservice.
hosts: ipaserver
become: yes
tasks:
- ipaselfservice:
ipaadmin_password: SomeADMINpassword
name: "Users can manage their own name details"
attribute:
- initials
action: member
state: absent
```
Example playbook to make sure selfservice "Users can manage their own name details" is absent:
```yaml
---
- name: Playbook to manage IPA selfservice.
hosts: ipaserver
become: yes
tasks:
- ipaselfservice:
ipaadmin_password: SomeADMINpassword
name: "Users can manage their own name details"
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `aciname` | The list of selfservice name strings. | yes
`permission` \| `permissions` | The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
`attribute` \| `attrs` | The attribute list to which the selfservice applies. | no
`action` | Work on selfservice or member level. It can be on of `member` or `selfservice` and defaults to `selfservice`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Authors
=======
Thomas Woerner

266
README-server.md
View File

@@ -1,266 +0,0 @@
Server module
============
Description
-----------
The server module allows to ensure presence and absence of servers. The module requires an existing server, the deployment of a new server can not be done with the module.
Features
--------
* Server management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaserver module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure server "server.example.com" is already present in the topology:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
```
This task is not deploying a new server, it is only checking if the server eists. It will therefore fail if the server does not exist.
Example playbook to make sure server "server.example.com" has location mylocation:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
location: mylocation
```
Example playbook to make sure server "server.example.com" does not have a location:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
location: ""
```
Example playbook to make sure server "server.example.com" has service weight 1:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
service_weight: 1
```
Example playbook to make sure server "server.example.com" does not have a service weight:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
service_weight: -1
```
Example playbook to make sure server "server.example.com" is hidden:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
hidden: yes
```
Example playbook to make sure server "server.example.com" is not hidden:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
hidden: no
```
Example playbook to make sure server "server.example.com" is absent from the topology:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
state: absent
```
Example playbook to make sure server "server.example.com" is absent from the topology in continuous mode to ignore errors:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
continue: yes
state: absent
```
Example playbook to make sure server "server.example.com" is absent from the topology with skipping the last of role check:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
ignore_last_of_role: yes
state: absent
```
Example playbook to make sure server "server.example.com" is absent from the topology with skipping the topology disconnect check:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
ignore_topology_disconnect: yes
state: absent
```
Example playbook to make sure server "server.example.com" is absent from the domain in force mode even if it does not exist:
```yaml
---
- name: Playbook to manage IPA server.
hosts: ipaserver
become: yes
tasks:
- ipaserver:
ipaadmin_password: SomeADMINpassword
name: server.example.com
force: yes
state: absent
```
This task will always report a change.
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of server name strings. | yes
`location` \| `ipalocation_location` | The server DNS location. Only available with 'state: present'. Use "" for location reset. | no
`service_weight` \| `ipaserviceweight` | Weight for server services. Type Values 0 to 65535, -1 for weight reset. Only available with 'state: present'. (int) | no
`hidden` | Set hidden state of a server. Only available with 'state: present'. (bool) | no
`no_members` | Suppress processing of membership attributes. Only avialable with 'state: present'. (bool) | no
`delete_continue` \| `continue` | Continuous mode: Don't stop on errors. Only available with 'state: absent'. (bool) | no
`ignore_last_of_role` | Skip a check whether the last CA master or DNS server is removed. Only available with 'state: absent'. (bool) | no
`ignore_topology_disconnect` | Ignore topology connectivity problems after removal. Only available with 'state: absent'. (bool) | no
`force` | Force server removal even if it does not exist. Will always result in changed. Only available with 'state: absent'. (bool) | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. `present` is only working with existing servers. | no
Authors
=======
Thomas Woerner

388
README-service.md
View File

@@ -1,388 +0,0 @@
Service module
==============
Description
-----------
The service module allows to ensure presence and absence of services.
Features
--------
* Service management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaservice module.
Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FReeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure service is present:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
certificate: |
- MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
pac_type: PAD
auth_ind: otp
requires_pre_auth: false
ok_as_delegate: false
ok_to_auth_as_delegate: false
skip_host_check: true
force: true
```
Example playbook to make sure service is absent:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
state: absent
```
Example playbook to make sure service is disabled:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
state: disabled
```
Example playbook to add a service even if the host object does not exist, but only if it does have a DNS entry:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
skip_host_check: true
force: false
```
Example playbook to add a service if it does have a DNS entry, but host object exits:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service is present
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
skip_host_check: false
force: true
```
Example playbook to ensure service has a certificate:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure service member certificate is present.
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
certificate: |
- MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
action: member
state: present
```
Example playbook to add a principal to the service:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Principal host/principal.example.com present in service.
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
principal: host/principal.example.com
action: member
```
Example playbook to enable a host to manage service:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Ensure host can manage service, again.
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
host: host1.example.com
action: member
```
Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Allow users, groups, hosts or host groups to create a keytab of this service.
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
allow_create_keytab_user:
- user01
- user02
allow_create_keytab_group:
- group01
- group02
allow_create_keytab_host:
- host1.example.com
- host2.example.com
allow_create_keytab_hostgroup:
- hostgroup01
- hostgroup02
action: member
```
Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
# Allow users, groups, hosts or host groups to retrieve a keytab of this service.
- ipaservice:
ipaadmin_password: SomeADMINpassword
name: HTTP/www.example.com
allow_retrieve_keytab_user:
- user01
- user02
allow_retrieve_keytab_group:
- group01
- group02
allow_retrieve_keytab_host:
- "{{ host1_fqdn }}"
- "{{ host2_fqdn }}"
allow_retrieve_keytab_hostgroup:
- hostgroup01
- hostgroup02
action: member
```
Example playbook to ensure presence of serveral services in a single task:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
tasks:
- name: Ensure services are present
ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: HTTP/www.example.com
principal:
- host/host1.example.com
- name: mysvc/www.example.com
pac_type: NONE
ok_as_delegate: yes
ok_to_auth_as_delegate: yes
- name: HTTP/www.example.com
allow_create_keytab_user:
- user01
- user02
allow_create_keytab_group:
- group01
- group02
allow_create_keytab_host:
- host1.example.com
- host2.example.com
allow_create_keytab_hostgroup:
- hostgroup01
- hostgroup02
- name: mysvc/host2.example.com
auth_ind: otp,radius
```
Example playbook to ensure presence of serveral services in a single task with `member` `action`:
```yaml
---
- name: Playbook to manage IPA service.
hosts: ipaserver
become: true
gather_facts: false
tasks:
- name: Ensure service host members are present
ipaservice:
ipaadmin_password: SomeADMINpassword
services:
- name: HTTP/www1.example.com
host: host1.example.com
- name: HTTP/www2.example.com
host: host2.example.com
action: member
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `service` | The list of service name strings. `name` with *service variables* or `services` containing *service variables* need to be used. | no
`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
**Service Variables:**
Variable | Description | Required
-------- | ----------- | --------
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. Use empty string to reset pac_type to the initial value. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, `hardened`, `idp`, `passkey` or `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset auth_ind to the initial value. | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
`skip_host_check` | Force service to be created even when host object does not exist to manage it. Only usable with IPA versions 4.7.0 and up. Default to false. (bool)| no
`force` | Force principal name even if host not in DNS. Default to false. (bool) | no
`host` \| `managedby_host`| Hosts that can manage the service. | no
`principal` \| `krbprincipalname` | List of principal aliases for the service. | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group`| Groups allowed to create a keytab of this host. | no
`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host`| Hosts allowed to create a keytab of this host. | no
`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_group`| Host groups allowed to create a keytab of this host. | no
`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this host. | no
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
`smb` | Service is an SMB service. If set, `cifs/` will be prefixed to the service name if needed. | no
`netbiosname` | NETBIOS name for the SMB service. Only with `smb: yes`. | no
`continue` \| `delete_continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
Authors
=======
Rafael Jeffman

172
README-servicedelegationrule.md
View File

@@ -1,172 +0,0 @@
Servicedelegationrule module
============
Description
-----------
The servicedelegationrule module allows to ensure presence and absence of servicedelegationrules and servicedelegationrule members.
Features
--------
* Servicedelegationrule management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaservicedelegationrule module.
Host princpals are only usable with IPA versions 4.9.0 and up.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure servicedelegationrule delegation-rule is present:
```yaml
---
- name: Playbook to manage IPA servicedelegationrule
hosts: ipaserver
become: no
tasks:
- name: Ensure servicedelegationrule delegation-rule is present
ipaservicedelegationrule:
ipaadmin_password: SomeADMINpassword
name: delegation-rule
```
Example playbook to make sure servicedelegationrule delegation-rule member principal test/example.com is present:
```yaml
---
- name: Playbook to manage IPA servicedelegationrule
hosts: ipaserver
become: no
tasks:
- name: Ensure servicedelegationrule delegation-rule member principal test/example.com is present
ipaservicedelegationrule:
ipaadmin_password: SomeADMINpassword
name: delegation-rule
principal: test/example.com
action: member
```
Example playbook to make sure servicedelegationrule delegation-rule member principal test/example.com is absent:
```yaml
---
- name: Playbook to manage IPA servicedelegationrule
hosts: ipaserver
become: no
tasks:
- name: Ensure servicedelegationrule delegation-rule member principal test/example.com is absent
ipaservicedelegationrule:
ipaadmin_password: SomeADMINpassword
name: delegation-rule
principal: test/example.com
action: member
state: absent
state: absent
```
Example playbook to make sure servicedelegationrule delegation-rule member target delegation-target is present:
```yaml
---
- name: Playbook to manage IPA servicedelegationrule
hosts: ipaserver
become: no
tasks:
- name: Ensure servicedelegationrule delegation-rule member target delegation-target is present
ipaservicedelegationrule:
ipaadmin_password: SomeADMINpassword
name: delegation-rule
target: delegation-target
action: member
```
Example playbook to make sure servicedelegationrule delegation-rule member target delegation-target is absent:
```yaml
---
- name: Playbook to manage IPA servicedelegationrule
hosts: ipaserver
become: no
tasks:
- name: Ensure servicedelegationrule delegation-rule member target delegation-target is absent
ipaservicedelegationrule:
ipaadmin_password: SomeADMINpassword
name: delegation-rule
target: delegation-target
action: member
state: absent
state: absent
```
Example playbook to make sure servicedelegationrule delegation-rule is absent:
```yaml
---
- name: Playbook to manage IPA servicedelegationrule
hosts: ipaserver
become: no
tasks:
- name: Ensure servicedelegationrule delegation-rule is absent
ipaservicedelegationrule:
ipaadmin_password: SomeADMINpassword
name: delegation-rule
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of servicedelegationrule name strings. | yes
`principal` | The list of principals. A principal can be of the format: fqdn, fqdn@REALM, service/fqdn, service/fqdn@REALM, host/fqdn, host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM are host principals and the same as host/fqdn and host/fqdn@REALM. Host princpals are only usable with IPA versions 4.9.0 and up. | no
`target` \| `servicedelegationtarget` | The list of service delegation targets. | no
`action` | Work on servicedelegationrule or member level. It can be on of `member` or `servicedelegationrule` and defaults to `servicedelegationrule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Authors
=======
Thomas Woerner

133
README-servicedelegationtarget.md
View File

@@ -1,133 +0,0 @@
Servicedelegationtarget module
============
Description
-----------
The servicedelegationtarget module allows to ensure presence and absence of servicedelegationtargets and servicedelegationtarget members.
Features
--------
* Servicedelegationtarget management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipaservicedelegationtarget module.
Host princpals are only usable with IPA versions 4.9.0 and up.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure servicedelegationtarget delegation-target is present:
```yaml
---
- name: Playbook to manage IPA servicedelegationtarget
hosts: ipaserver
become: no
tasks:
- name: Ensure servicedelegationtarget delegation-target is present
ipaservicedelegationtarget:
ipaadmin_password: SomeADMINpassword
name: delegation-target
```
Example playbook to make sure servicedelegationtarget delegation-target member principal test/example.com is present:
```yaml
---
- name: Playbook to manage IPA servicedelegationtarget
hosts: ipaserver
become: no
tasks:
- name: Ensure servicedelegationtarget delegation-target member principal test/example.com is present
ipaservicedelegationtarget:
ipaadmin_password: SomeADMINpassword
name: delegation-target
principal: test/example.com
action: member
```
Example playbook to make sure servicedelegationtarget delegation-target member principal test/example.com is absent:
```yaml
---
- name: Playbook to manage IPA servicedelegationtarget
hosts: ipaserver
become: no
tasks:
- name: Ensure servicedelegationtarget delegation-target member principal test/example.com is absent
ipaservicedelegationtarget:
ipaadmin_password: SomeADMINpassword
name: delegation-target
principal: test/example.com
action: member
state: absent
state: absent
```
Example playbook to make sure servicedelegationtarget delegation-target is absent:
```yaml
---
- name: Playbook to manage IPA servicedelegationtarget
hosts: ipaserver
become: no
tasks:
- name: Ensure servicedelegationtarget delegation-target is absent
ipaservicedelegationtarget:
ipaadmin_password: SomeADMINpassword
name: delegation-target
state: absent
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of servicedelegationtarget name strings. | yes
`principal` | The list of principals. A principal can be of the format: fqdn, fqdn@REALM, service/fqdn, service/fqdn@REALM, host/fqdn, host/fqdn@REALM, alias$, alias$@REALM, where fqdn and fqdn@REALM are host principals and the same as host/fqdn and host/fqdn@REALM. Host princpals are only usable with IPA versions 4.9.0 and up. | no
`action` | Work on servicedelegationtarget or member level. It can be on of `member` or `servicedelegationtarget` and defaults to `servicedelegationtarget`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
Authors
=======
Thomas Woerner

13
README-sudocmd.md
View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -52,7 +52,7 @@ Example playbook to make sure sudocmd exists:
tasks:
# Ensure sudocmd is present
- ipasudocmd:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: /usr/bin/su
state: present
```
@@ -67,8 +67,8 @@ Example playbook to make sure sudocmd is absent:
tasks:
# Ensure sudocmd are absent
- ipasudocmd:
ipaadmin_password: SomeADMINpassword
- ipahostgroup:
ipaadmin_password: MyPassword123
name: /usr/bin/su
state: absent
```
@@ -76,12 +76,13 @@ Example playbook to make sure sudocmd is absent:
Variables
=========
ipasudocmd
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `sudocmd` | The sudo command strings. | yes
`description` | The command description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no

15
README-sudocmdgroup.md
View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -52,7 +52,7 @@ Example playbook to make sure sudocmdgroup is present:
tasks:
# Ensure sudocmdgroup is present
- ipasudocmdgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: group01
description: Group of important commands
```
@@ -68,7 +68,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are present
tasks:
# Ensure sudo commands are present in existing sudocmdgroup
- ipasudocmdgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: group01
sudocmd:
- /usr/bin/su
@@ -88,7 +88,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are absent i
tasks:
# Ensure sudocmds are absent in existing sudocmdgroup
- ipasudocmdgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: group01
sudocmd:
- /usr/bin/su
@@ -108,7 +108,7 @@ Example playbook to make sure sudocmdgroup is absent:
tasks:
# Ensure sudocmdgroup is absent
- ipasudocmdgroup:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: group01
state: absent
```
@@ -116,12 +116,13 @@ Example playbook to make sure sudocmdgroup is absent:
Variables
=========
ipasudocmdgroup
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of sudocmdgroup name strings. | no
`description` | The sudocmdgroup description string. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no

105
README-sudorule.md
View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -50,7 +50,7 @@ Example playbook to make sure Sudo Rule is present:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: testrule1
```
@@ -66,9 +66,9 @@ Example playbook to make sure sudocmds are present in Sudo Rule:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd:
cmd:
- /sbin/ifconfig
action: member
```
@@ -85,34 +85,14 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: testrule1
allow_sudocmd:
cmd:
- /sbin/ifconfig
action: member
state: absent
```
Example playbook to ensure a Group of RunAs User is present in sudo rule:
```yaml
---
- name: Playbook to manage sudorule member
hosts: ipaserver
become: no
gather_facts: no
tasks:
- name: Ensure sudorule 'runasuser' has 'ipasuers' group as runas users.
ipasudorule:
ipaadmin_password: SomeADMINpassword
name: testrule1
runasuser_group: ipausers
action: member
```
Example playbook to make sure Sudo Rule is absent:
```yaml
@@ -124,87 +104,34 @@ Example playbook to make sure Sudo Rule is absent:
tasks:
# Ensure Sudo Rule is present
- ipasudorule:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: testrule1
state: absent
```
Example playbook to ensure multiple Sudo Rule are present using batch mode:
```yaml
---
- name: Playbook to handle sudorules
hosts: ipaserver
become: true
- name: Ensure multiple Sudo Rules are present using batch mode.
ipasudorule:
ipaadmin_password: SomeADMINpassword
sudorules:
- name: testrule1
hostmask:
- 192.168.122.1/24
- name: testrule2
hostcategory: all
```
Example playbook to ensure multiple Sudo Rule members are present using batch mode:
```yaml
---
- name: Playbook to handle sudorules
hosts: ipaserver
become: true
- name: Ensure multiple Sudo Rules are present using batch mode.
ipasudorule:
ipaadmin_password: SomeADMINpassword
action: member
sudorules:
- name: testrule1
user:
- user01
- user02
group:
- group01
- name: testrule2
hostgroup:
- hostgroup01
- hostgroup02
```
Variables
=========
ipasudorule
---------------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of sudorule name strings. | no
`sudorules` | The list of sudorule dicts. Each `sudorule` dict entry can contain sudorule variables.<br>There is one required option in the `sudorule` dict:| no
&nbsp; | `name` - The sudorule name string of the entry. | yes
`name` \| `cn` | The list of sudorule name strings. | yes
`description` | The sudorule description string. | no
`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
`cmdcategory` \| `cmdcat` | Command category the rule applies to. Choices: ["all", ""] | no
`runasusercategory` \| `runasusercat` | RunAs User category the rule applies to. Choices: ["all", ""] | no
`runasgroupcategory` \| `runasgroupcat` | RunAs Group category the rule applies to. Choices: ["all", ""] | no
`usercategory` | User category the rule applies to. Choices: ["all"] | no
`hostcategory` | Host category the rule applies to. Choices: ["all"] | no
`cmdcategory` | Command category the rule applies to. Choices: ["all"] | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`host` | List of host name strings assigned to this sudorule. | no
`hostgroup` | List of host group name strings assigned to this sudorule. | no
`hostmask` | List of host masks of allowed hosts | no
`user` | List of user name strings assigned to this sudorule. | no
`group` | List of user group name strings assigned to this sudorule. | no
`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
`sudooption` \| `options` | List of options to the sudorule | no
`order` \| `sudoorder` | Integer to order the sudorule | no
`runasuser` | List of users for Sudo to execute as. | no
`runasgroup` | List of groups for Sudo to execute as. | no
`cmd` | List of sudocmd name strings assigned to this sudorule. | no
`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no
`action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no

196
README-sysaccount.md
View File

@@ -1,196 +0,0 @@
Sysaccount module
============
Description
-----------
The sysaccount module allows to ensure presence and absence of system accounts.
Features
--------
* Sysaccount management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipasysaccount module.
Requirements
------------
**Controller**
* Ansible version: 2.15+
**Node**
* Supported FreeIPA version (see above)
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure sysaccount "my-app" is present with random password:
```yaml
---
- name: Playbook to manage IPA sysaccount.
hosts: ipaserver
become: false
tasks:
- name: Ensure sysaccount "my-app" is present with random password
ipasysaccount:
ipaadmin_password: SomeADMINpassword
name: my-app
random: true
register: result
- name: Print generated random password
debug:
var: result.sysaccount.randompassword
```
Example playbook to make sure sysaccount "my-app" is present with given password:
```yaml
---
- name: Playbook to manage IPA sysaccount.
hosts: ipaserver
become: false
tasks:
- name: Ensure sysaccount "my-app" is present with given password
ipasysaccount:
ipaadmin_password: SomeADMINpassword
name: my-app
password: SomeAPPpassword
```
Example playbook to make sure sysaccount "my-app" is absent:
```yaml
---
- name: Playbook to manage IPA sysaccount.
hosts: ipaserver
become: false
tasks:
- name: Ensure sysaccount "my-app" is absent
ipasysaccount:
ipaadmin_password: SomeADMINpassword
name: my-app
state: absent
```
Example playbook to ensure existing sysaccount my-app is privileged
```yaml
---
- name: Playbook to manage IPA sysaccount.
hosts: ipaserver
become: false
tasks:
- name: Ensure existing sysaccount my-app is privileged
ipasysaccount:
ipaadmin_password: SomeADMINpassword
name: my-app
privileged: true
```
Example playbook to ensure existing sysaccount my-app is not privileged
```yaml
---
- name: Playbook to manage IPA sysaccount.
hosts: ipaserver
become: false
tasks:
- name: Ensure existing sysaccount my-app is not privileged
ipasysaccount:
ipaadmin_password: SomeADMINpassword
name: my-app
privileged: false
```
Example playbook to ensure existing sysaccount my-app is disabled
```yaml
---
- name: Playbook to manage IPA sysaccount.
hosts: ipaserver
become: false
tasks:
- name: Ensure existing sysaccount my-app is disabled
ipasysaccount:
ipaadmin_password: SomeADMINpassword
name: my-app
state: disabled
```
Example playbook to ensure existing sysaccount my-app is enabled
```yaml
---
- name: Playbook to manage IPA sysaccount.
hosts: ipaserver
become: false
tasks:
- name: Ensure existing sysaccount my-app is enabled
ipasysaccount:
ipaadmin_password: SomeADMINpassword
name: my-app
state: enabled
```
Variables
---------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no
`name` \| `login` | The list of sysaccount name strings - internally uid. (list of strings) | yes
`description` | A description for the sysaccount. (string) | no
`privileged` | Allow password updates without reset. This flag is not replicated. It is needed to set privileged on all servers, where it is needed. (bool) | no
`random` | Generate a random user password. (bool) | no
`password` \| `userpassword` | Set the password. (string) | no
`update_password` | Set password for a sysaccount in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, 'enabled', 'disabled', default: `present`. | no
Return Values
=============
There are only return values if a random passwords has been generated.
Variable | Description | Returned When
-------- | ----------- | -------------
`sysaccount` | Sysaccount dict (dict) <br>Options: | Always
&nbsp; | `randompassword` - The generated random password | If random is yes and sysaccount did not exist or update_password is yes
Authors
=======
Thomas Woerner

16
README-topology.md
View File

@@ -22,7 +22,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -50,7 +50,7 @@ Example playbook to add a topology segment with default name (cn):
tasks:
- name: Add topology segment
ipatopologysegment:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -70,7 +70,7 @@ Example playbook to delete a topology segment:
tasks:
- name: Delete topology segment
ipatopologysegment:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -90,7 +90,7 @@ Example playbook to reinitialize a topology segment:
tasks:
- name: Reinitialize topology segment
ipatopologysegment:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
suffix: domain
left: ipareplica1.test.local
right: ipareplica2.test.local
@@ -111,7 +111,7 @@ Example playbook to verify a topology suffix:
tasks:
- name: Verify topology suffix
ipatopologysuffix:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
suffix: domain
state: verified
```
@@ -159,13 +159,11 @@ Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`suffix` | The topology suffix to be used, this can either be `domain`, `ca` or `domain+ca` | yes
`name` \| `cn` | The topology segment name (cn) is the unique identifier for a segment. | no
`left` \| `leftnode` | The left replication node string - an IPA server | no
`right` \| `rightnode` | The right replication node string - an IPA server | no
`direction` | The direction a segment will be reinitialized. It can either be `left-to-right` or `right-to-left` and only used with `state: reinitialized` | no
`direction` | The direction a segment will be reinitialized. It can either be `left-to-right` or `right-to-left` and only used with `state: reinitialized` |
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `checked` or `reinitialized` | yes
@@ -178,8 +176,6 @@ Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`suffix` | The topology suffix to be used, this can either be `domain` or `ca` | yes
`state` | The state to ensure. It can only be `verified` | yes

119
README-trust.md
View File

@@ -1,119 +0,0 @@
Trust module
============
Description
-----------
The trust module allows to ensure presence and absence of a domain trust.
Features
--------
* Trust management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.4.0 and up are supported by the ipatrust module.
Requirements
------------
**Controller**
* Ansible version: 2.14+
**Node**
* Supported FreeIPA version (see above)
* samba-4
* ipa-server-trust-ad
Usage
=====
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to ensure a one-way trust is present:
Omitting the two_way option implies the default of one-way
```yaml
---
- name: Playbook to ensure a one-way trust is present
hosts: ipaserver
become: true
tasks:
- name: ensure the one-way trust present
ipatrust:
realm: ad.example.test
admin: Administrator
password: secret_password
state: present
```
Example playbook to ensure a two-way trust is present using a shared-secret:
```yaml
---
- name: Playbook to ensure a two-way trust is present
hosts: ipaserver
become: true
tasks:
- name: ensure the two-way trust is present
ipatrust:
realm: ad.example.test
trust_secret: my_share_Secret
two_way: True
state: present
```
Example playbook to ensure a trust is absent:
```yaml
---
- name: Playbook to ensure a trust is absent
hosts: ipaserver
become: true
tasks:
- name: ensure the trust is absent
ipatrust:
realm: ad.example.test
state: absent
```
This will only delete the ipa-side of the trust and it does NOT delete the id-range that matches the trust,
Variables
=========
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`realm` | The realm name string. | yes
`admin` | Active Directory domain administrator string. | no
`password` | Active Directory domain administrator's password string. | no
`server` | Domain controller for the Active Directory domain string. | no
`trust_secret` | Shared secret for the trust string. | no
`trust_type` | Trust type. Currently, only 'ad' for Active Directory is supported. | no
`base_id` | First posix id for the trusted domain integer. | no
`range_size` | Size of the ID range reserved for the trusted domain integer. | no
`range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no
`two_way` | Establish bi-directional trust. By default trust is inbound one-way only. (bool) | no
`external` | Establish external trust to a domain in another forest. The trust is not transitive beyond the domain. (bool) | no
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
Authors
=======
Rob Verduijn

121
README-user.md
View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -52,13 +52,12 @@ Example playbook to ensure a user is present:
tasks:
# Ensure user pinky is present
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: pinky
first: pinky
last: Acme
uid: 10001
gid: 100
gecos: "The Pinky"
phone: "+555123457"
email: pinky@acme.com
passwordexpiration: "2023-01-19 23:59:59"
@@ -67,7 +66,7 @@ Example playbook to ensure a user is present:
# Ensure user brain is present
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: brain
first: brain
last: Acme
@@ -86,7 +85,7 @@ These two `ipauser` module calls can be combined into one with the `users` varia
tasks:
# Ensure users pinky and brain are present
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
users:
- name: pinky
first: pinky
@@ -154,7 +153,7 @@ Ensure user pinky is present with a generated random password and print the rand
tasks:
# Ensure user pinky is present with a random password
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: brain
first: brain
last: Acme
@@ -177,7 +176,7 @@ Ensure users pinky and brain are present with a generated random password and pr
tasks:
# Ensure users pinky and brain are present with random password
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
users:
- name: pinky
first: pinky
@@ -213,7 +212,7 @@ Example playbook to delete a user, but preserve it:
tasks:
# Remove but preserve user pinky
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: pinky
preserve: yes
state: absent
@@ -232,7 +231,7 @@ Example playbook to delete a user, but preserve it using the `users` variable:
tasks:
# Remove but preserve user pinky
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
users:
- name: pinky
preserve: yes
@@ -253,7 +252,7 @@ Example playbook to undelete a preserved user.
tasks:
# Undelete preserved user pinky
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: pinky
state: undeleted
```
@@ -272,13 +271,14 @@ Example playbook to disable a user:
tasks:
# Disable user pinky
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: pinky
state: disabled
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to enable users:
```yaml
@@ -290,29 +290,13 @@ Example playbook to enable users:
tasks:
# Enable user pinky and brain
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: pinky,brain
state: enabled
```
This can also be done as an alternative with the `users` variable containing only names.
Example playbook to rename users:
```yaml
---
- name: Playbook to handle users
hosts: ipaserver
become: true
tasks:
# Rename user pinky to reddy
- ipauser:
ipaadmin_password: SomeADMINpassword
name: pinky
rename: reddy
state: renamed
```
Example playbook to unlock users:
@@ -325,7 +309,7 @@ Example playbook to unlock users:
tasks:
# Unlock user pinky and brain
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: pinky,brain
state: unlocked
```
@@ -342,7 +326,7 @@ Example playbook to ensure users are absent:
tasks:
# Ensure users pinky and brain are absent
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: pinky,brain
state: absent
```
@@ -361,52 +345,26 @@ Example playbook to ensure users are absent:
tasks:
# Ensure users pinky and brain are absent
- ipauser:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
users:
- name: pinky
- name: brain
state: absent
```
When using FreeIPA 4.8.0+, SMB logon script, profile, home directory and home drive can be set for users.
In the example playbook to set SMB attributes note that `smb_profile_path` and `smb_home_dir` use paths in UNC format, which includes backslashes ('\\`). If the paths are quoted, the backslash needs to be escaped becoming "\\", so the path `\\server\dir` becomes `"\\\\server\\dir"`. If the paths are unquoted the slashes do not have to be escaped.
The YAML specification states that a colon (':') is a key separator and a dash ('-') is an item marker, only with a space after them, so using both unquoted as part of a path should not be a problem. If a space is needed after a colon or a dash, then a quoted string must be used as in `"user - home"`. For the `smb_home_drive` attribute is is recomended that a quoted string is used, to improve readability.
Example playbook to set SMB attributes:
```yaml
---
- name: Plabook to handle users
hosts: ipaserver
become: false
tasks:
- name: Ensure user 'smbuser' is present with smb attributes
ipauser:
ipaadmin_password: SomeADMINpassword
name: smbuser
first: SMB
last: User
smb_logon_script: N:\logonscripts\startup
smb_profile_path: \\server\profiles\some_profile
smb_home_dir: \\users\home\smbuser
smb_home_drive: "U:"
```
Variables
=========
ipauser
-------
**General Variables:**
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` | The list of user name strings. `name` with *user variables* or `users` containing *user variables* need to be used. | no
**User variables** | Only used with `name` variable in the first level. | no
`users` | The list of user dicts. Each `users` dict entry can contain **user variables**.<br>There is one required option in the `users` dict:| no
@@ -416,7 +374,7 @@ Variable | Description | Required
`update_password` | Set password for a user in present state only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
`preserve` | Delete a user, keeping the entry available for future use. (bool) | no
`action` | Work on user or member level. It can be on of `member` or `user` and defaults to `user`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `renamed`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `unlocked` or `undeleted`, default: `present`. Only `names` or `users` with only `name` set are allowed if state is not `present`. | yes
@@ -424,8 +382,8 @@ Variable | Description | Required
Variable | Description | Required
-------- | ----------- | --------
`first` \| `givenname` | The first name string. Required if user does not exist. | no
`last` \| `sn` | The last name string. Required if user does not exist. | no
`first` \| `givenname` | The first name string. | no
`last` \| `sn` | The last name string. | no
`fullname` \| `cn` | The full name string. | no
`displayname` | The display name string. | no
`homedir` | The home directory string. | no
@@ -436,10 +394,8 @@ Variable | Description | Required
`passwordexpiration` \| `krbpasswordexpiration` | The kerberos password expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. Only usable with IPA versions 4.7 and up. | no
`password` | The user password string. | no
`random` | Generate a random user password | no
`uid` \| `uidnumber` | User ID Number (system will assign one if not provided). | no
`gid` \| `gidnumber` | Group ID Number. | no
`gecos` | GECOS | no
`street` | Street address | no
`uid` \| `uidnumber` | The UID integer. | no
`gid` \| `gidnumber` | The GID integer. | no
`city` | City | no
`userstate` \| `st` | State/Province | no
`postalcode` \| `zip` | Postalcode/ZIP | no
@@ -452,7 +408,7 @@ Variable | Description | Required
`manager` | List of manager user names. | no
`carlicense` | List of car licenses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`userauthtype` \| `ipauserauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp`, `pkinit`, `hardened`, `idp`, `passkey` and `""`. An additional check ensures that only types can be used that are supported by the IPA version. Use empty string to reset userauthtype to the initial value. | no
`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no
`userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
`radius` | RADIUS proxy configuration | no
`radiususer` | RADIUS proxy username | no
@@ -460,37 +416,32 @@ Variable | Description | Required
`employeenumber` | Employee Number | no
`employeetype` | Employee Type | no
`preferredlanguage` | Preferred Language | no
`idp` \| `ipaidpconfiglink` | External IdP configuration | no
`idp_user_id` \| `ipaidpsub` | A string that identifies the user at external IdP | no
`certificate` | List of base-64 encoded user certificates. | no
`certmapdata` | List of certificate mappings. Either `data` or `certificate` or `issuer` together with `subject` need to be specified. Only usable with IPA versions 4.5 and up. <br>Options: | no
&nbsp; | `certificate` - Base-64 encoded user certificate, not usable with other certmapdata options. | no
&nbsp; | `issuer` - Issuer of the certificate, only usable together with `usbject` option. | no
&nbsp; | `subject` - Subject of the certificate, only usable together with `issuer` option. | no
&nbsp; | `data` - Certmap data, not usable with other certmapdata options. | no
`certmapdata` | List of certificate mappings. Either `certificate` or `issuer` together with `subject` need to be specified. <br>Options: | no
&nbsp; | `certificate` - Base-64 encoded user certificate | no
&nbsp; | `issuer` - Issuer of the certificate | no
&nbsp; | `subject` - Subject of the certificate | no
`noprivate` | Do not create user private group. (bool) | no
`smb_logon_script` \| `ipantlogonscript` | SMB logon script path. Requires FreeIPA version 4.8.0+. | no
`smb_profile_path:` \| `ipantprofilepath` | SMB profile path, in UNC format. Requires FreeIPA version 4.8.0+. | no
`smb_home_dir` \| `ipanthomedirectory` | SMB Home Directory, in UNC format. Requires FreeIPA version 4.8.0+. | no
`smb_home_drive` \| `ipanthomedirectorydrive` | SMB Home Directory Drive, a single upercase letter (A-Z) followed by a colon (:), for example "U:". Requires FreeIPA version 4.8.0+. | no
`rename` \| `new_name` | Rename the user object to the new name string. Only usable with `state: renamed`. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
Return Values
=============
ipauser
-------
There are only return values if one or more random passwords have been generated.
Variable | Description | Returned When
-------- | ----------- | -------------
`user` | User dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
&nbsp; | `randompassword` - The generated random password | If only one user is handled by the module without using the `users` parameter.
&nbsp; | `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several users are handled by the module with the `users` parameter.
`host` | Host dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
&nbsp; | `randompassword` - The generated random password | If only one user is handled by the module
&nbsp; | `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several users are handled by the module
Authors
=======
- Thomas Woerner
- Rafael Jeffman
Thomas Woerner

114
README-vault.md
View File

@@ -24,7 +24,7 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+
**Node**
* Supported FreeIPA version (see above)
@@ -41,7 +41,7 @@ Example inventory file
ipaserver.test.local
```
Example playbook to make sure vault is present (by default, vault type is `symmetric`):
Example playbook to make sure vault is present:
```yaml
---
@@ -51,9 +51,10 @@ Example playbook to make sure vault is present (by default, vault type is `symme
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: symvault
password: SomeVAULTpassword
username: admin
vault_password: MyVaultPassword123
description: A standard private vault.
```
@@ -67,7 +68,7 @@ Example playbook to make sure that a vault and its members are present:
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: symvault
username: admin
users: user01
@@ -85,7 +86,7 @@ Example playbook to make sure that a vault member is present in vault:
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: symvault
username: admin
users: user01
@@ -102,7 +103,7 @@ Example playbook to make sure that a vault owner is absent in vault:
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: symvault
username: admin
owner: user01
@@ -120,40 +121,16 @@ Example playbook to make sure vault data is present in a symmetric vault:
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: symvault
username: admin
password: SomeVAULTpassword
data: >
vault_password: MyVaultPassword123
vault_data: >
Data archived.
More data archived.
action: member
```
When retrieving data from a vault, it is recommended that `no_log: yes` is used, so that sensitive data stored in a vault is not logged by Ansible. The data is returned in a dict `vault`, in the field `data` (e.g. `result.vault.data`). An example playbook to retrieve data from a symmetric vault:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- name: Retrieve data from vault and register it in 'ipavault'
ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
username: admin
password: SomeVAULTpassword
state: retrieved
no_log: yes
register: ipavault
- name: Print retrieved data from vault
debug:
var: ipavault.vault.data
```
Example playbook to make sure vault data is absent in a symmetric vault:
```yaml
@@ -164,30 +141,14 @@ Example playbook to make sure vault data is absent in a symmetric vault:
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: symvault
username: admin
password: SomeVAULTpassword
vault_password: MyVaultPassword123
action: member
state: absent
```
Example playbook to change the password of a symmetric:
```yaml
---
- name: Playbook to handle vaults
hosts: ipaserver
become: true
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
name: symvault
old_password: SomeVAULTpassword
new_password: SomeNEWpassword
```
Example playbook to make sure vault is absent:
```yaml
@@ -198,61 +159,36 @@ Example playbook to make sure vault is absent:
tasks:
- ipavault:
ipaadmin_password: SomeADMINpassword
ipaadmin_password: MyPassword123
name: symvault
username: admin
state: absent
register: result
- debug:
msg: "{{ result.vault.data }}"
```
Variables
=========
ipavault
-------
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`ipaapi_context` | The context in which the module will execute. Currently only `client` is supported by this module, and use of `server` will raise a failure. | no
`ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no
`name` \| `cn` | The list of vault name strings. | yes
`description` | The vault description string. | no
`password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
`password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no
`new_password` | Vault new password. | no
`new_password_file` | File containing Base64 encoded new Vault password. | no
`public_key ` \| `vault_public_key` \| `ipavaultpublickey` \| `new_public_key` | Base64 encoded vault public key. | no
`public_key_file` \| `vault_public_key_file` \| `new_public_key_file` | Path to file with public key. | no
`private_key `\| `vault_private_key` \| `ipavaultprivatekey` | Base64 encoded vault private key. Used only to retrieve data. | no
`private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
`salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
`nomembers` | Suppress processing of membership attributes. (bool) | no
`vault_public_key` \| `ipavaultpublickey` | Vault public key. | no
`vault_salt` \| `ipavaultsalt` | Vault salt. | no
`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
`username` \| `user` | Any user can own one or more user vaults. | no
`service` | Any service can own one or more service vaults. | no
`user` | Any user can own one or more user vaults. | no
`shared` | Vault is shared. Default to false. (bool) | no
`users` | List of users that are members of the vault. | no
`groups` | List of groups that are member of the vault. | no
`services` | List of services that are member of the vault. | no
`owners` \| `ownerusers` | List of users that are owners of the vault. | no
`ownergroups` | List of groups that are owners of the vault. | no
`ownerservices` | List of services that are owners of the vault. | no
`data` \|`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
`in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
`out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
`users` | Users that are members of the vault. | no
`groups` | Groups that are member of the vault. | no
`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
`state` | The state to ensure. It can be one of `present`, `absent` or `retrieved`, default: `present`. | no
Return Values
=============
There is only a return value if `state` is `retrieved`.
Variable | Description | Returned When
-------- | ----------- | -------------
`vault` | Vault dict with archived data. (dict) <br>Options: | If `state` is `retrieved` and `out` is not defined.
&nbsp; | `data` - The vault data. | Always
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
Notes

115
README.md
View File

@@ -3,7 +3,7 @@ FreeIPA Ansible collection
This repository contains [Ansible](https://www.ansible.com/) roles and playbooks to install and uninstall [FreeIPA](https://www.freeipa.org/) `servers`, `replicas` and `clients`. Also modules for group, host, topology and user management.
**Note**: The Ansible playbooks and roles require a configured Ansible environment where the Ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
**Note**: The ansible playbooks and roles require a configured ansible environment where the ansible nodes are reachable and are properly set up to have an IP address and a working package manager.
Features
--------
@@ -11,56 +11,24 @@ Features
* Cluster deployments: Server, replicas and clients in one playbook
* One-time-password (OTP) support for client installation
* Repair mode for clients
* Backup and restore, also to and from controller
* Smartcard setup for servers and clients
* Inventory plugin freeipa
* Modules for automembership rule management
* Modules for automount key management
* Modules for automount location management
* Modules for automount map management
* Modules for certificate management
* Modules for config management
* Modules for delegation management
* Modules for dns config management
* Modules for dns forwarder management
* Modules for dns record management
* Modules for dns zone management
* Modules for group management
* Modules for hbacrule management
* Modules for hbacsvc management
* Modules for hbacsvcgroup management
* Modules for host management
* Modules for hostgroup management
* Modules for idoverridegroup management
* Modules for idoverrideuser management
* Modules for idp management
* Modules for idrange management
* Modules for idview management
* Modules for location management
* Modules for netgroup management
* Modules for passkeyconfig management
* Modules for permission management
* Modules for privilege management
* Modules for pwpolicy management
* Modules for role management
* Modules for self service management
* Modules for server management
* Modules for service management
* Modules for service delegation rule management
* Modules for service delegation target management
* Modules for sudocmd management
* Modules for sudocmdgroup management
* Modules for sudorule management
* Modules for sysaccount management
* Modules for topology management
* Modules for trust management
* Modules for user management
* Modules for vault management
Supported FreeIPA Versions
--------------------------
FreeIPA versions 4.6 and up are supported by all roles.
FreeIPA versions 4.6 and up are supported by all roles.
The client role supports versions 4.4 and up, the server role is working with versions 4.5 and up, the replica role is currently only working with versions 4.6 and up.
@@ -68,7 +36,7 @@ Supported Distributions
-----------------------
* RHEL/CentOS 7.4+
* Fedora 40+
* Fedora 26+
* Ubuntu
* Debian 10+ (ipaclient only, no server or replica!)
@@ -76,7 +44,9 @@ Requirements
------------
**Controller**
* Ansible version: 2.14+
* Ansible version: 2.8+ (ansible-freeipa is an Ansible Collection)
* /usr/bin/kinit is required on the controller if a one time password (OTP) is used
* python3-gssapi is required on the controller if a one time password (OTP) is used with keytab to install the client.
**Node**
* Supported FreeIPA version (see above)
@@ -111,10 +81,9 @@ You can use the roles directly within the top directory of the git repo, but to
You can either adapt ansible.cfg:
```
roles_path = /my/dir/ansible-freeipa/roles
library = /my/dir/ansible-freeipa/plugins/modules
module_utils = /my/dir/ansible-freeipa/plugins/module_utils
inventory_plugins = /my/dir/ansible-freeipa/plugins/inventory
roles_path = /my/dir/ansible-freeipa/roles
library = /my/dir/ansible-freeipa/plugins/modules
module_utils = /my/dir/ansible-freeipa/plugins/module_utils
```
Or you can link the directories:
@@ -127,9 +96,9 @@ ansible-freeipa/plugins/module_utils to ~/.ansible/plugins/
**RPM package**
There are RPM packages available for Fedora. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
There are RPM packages available for Fedora 29+. These are installing the roles and modules into the global Ansible directories for `roles`, `plugins/modules` and `plugins/module_utils` in the `/usr/share/ansible` directory. Therefore is it possible to use the roles and modules without adapting the names like it is done in the example playbooks.
**Ansible Galaxy**
**Ansible galaxy**
This command will get the whole collection from galaxy:
@@ -137,13 +106,23 @@ This command will get the whole collection from galaxy:
ansible-galaxy collection install freeipa.ansible_freeipa
```
Installing collections using the ansible-galaxy command is only supported with ansible 2.9+.
The mazer tool can be used for to install the collection for ansible 2.8:
```bash
mazer install freeipa.ansible_freeipa
```
Ansible galaxy does not support the use of dash ('-') in a name and is automatically replacing this with an underscore ('\_'). Therefore the name is `ansible_freeipa`. The ansible_freeipa collection will be placed in the directory `~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa` where it will be automatically be found for this user.
The needed adaptions of collection prefixes for `modules` and `module_utils` will be done with ansible-freeipa release `0.1.6` for galaxy.
Ansible inventory file
----------------------
The most important parts of the inventory file is the definition of the nodes, settings and the management modules. Please remember to use [Ansible Vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.
The most important parts of the inventory file is the definition of the nodes, settings and the management modules. Please remember to use [Ansible vault](https://docs.ansible.com/ansible/latest/user_guide/vault.html) for passwords. The examples here are not using vault for better readability.
**Master server**
@@ -161,7 +140,7 @@ ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
```
The admin principal is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
The admin principle is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
You can also add more setting here, like for example to enable the DNS server or to set auto-forwarders:
```yaml
@@ -287,8 +266,7 @@ ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
```
For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the (first) server.
For enhanced security it is possible to use a auto-generated one-time-password (OTP). This will be generated on the controller using the (first) server. It is needed to have the Python gssapi bindings installed on the controller for this.
To enable the generation of the one-time-password:
```yaml
[ipaclients:vars]
@@ -353,7 +331,7 @@ With this playbook it is possible to add a list of topology segments using the `
Playbooks
=========
The playbooks needed to deploy or undeploy servers, replicas and clients are part of the repository and placed in the playbooks folder. There are also playbooks to deploy and undeploy clusters. With them it is only needed to add an inventory file:
The playbooks needed to deploy or undeploy server, replicas and clients are part of the repository and placed in the playbooks folder. There are also playbooks to deploy and undeploy clusters. With them it is only needed to add an inventory file:
```
playbooks\
install-client.yml
@@ -374,7 +352,7 @@ ansible-playbook -v -i inventory/hosts install-server.yml
```
This will deploy the master server defined in the inventory file.
If Ansible Vault is used for passwords, then it is needed to adapt the playbooks in this way:
If Ansible vault is used for passwords, then it is needed to adapt the playbooks in this way:
```yaml
---
- name: Playbook to configure IPA servers
@@ -424,60 +402,21 @@ Roles
* [Server](roles/ipaserver/README.md)
* [Replica](roles/ipareplica/README.md)
* [Client](roles/ipaclient/README.md)
* [Backup](roles/ipabackup/README.md)
* [SmartCard server](roles/ipasmartcard_server/README.md)
* [SmartCard client](roles/ipasmartcard_client/README.md)
Modules in plugin/modules
=========================
* [ipaautomember](README-automember.md)
* [ipaautomountkey](README-automountkey.md)
* [ipaautomountlocation](README-automountlocation.md)
* [ipaautomountmap](README-automountmap.md)
* [ipacert](README-cert.md)
* [ipaconfig](README-config.md)
* [ipadelegation](README-delegation.md)
* [ipadnsconfig](README-dnsconfig.md)
* [ipadnsforwardzone](README-dnsforwardzone.md)
* [ipadnsrecord](README-dnsrecord.md)
* [ipadnszone](README-dnszone.md)
* [ipagroup](README-group.md)
* [ipahbacrule](README-hbacrule.md)
* [ipahbacsvc](README-hbacsvc.md)
* [ipahbacsvcgroup](README-hbacsvcgroup.md)
* [ipahbacsvcgroup](README-hbacsvc.md)
* [ipahost](README-host.md)
* [ipahostgroup](README-hostgroup.md)
* [idoverridegroup](README-idoverridegroup.md)
* [idoverrideuser](README-idoverrideuser.md)
* [idp](README-idp.md)
* [idrange](README-idrange.md)
* [idview](README-idview.md)
* [ipalocation](README-location.md)
* [ipanetgroup](README-netgroup.md)
* [ipapasskeyconfig](README-passkeyconfig.md)
* [ipapermission](README-permission.md)
* [ipaprivilege](README-privilege.md)
* [ipapwpolicy](README-pwpolicy.md)
* [iparole](README-role.md)
* [ipaselfservice](README-selfservice.md)
* [ipaserver](README-server.md)
* [ipaservice](README-service.md)
* [ipaservicedelegationrule](README-servicedelegationrule.md)
* [ipaservicedelegationtarget](README-servicedelegationtarget.md)
* [ipasudocmd](README-sudocmd.md)
* [ipasudocmdgroup](README-sudocmdgroup.md)
* [ipasudorule](README-sudorule.md)
* [ipasysaccount](README-sysaccount.md)
* [ipatopologysegment](README-topology.md)
* [ipatopologysuffix](README-topology.md)
* [ipatrust](README-trust.md)
* [ipauser](README-user.md)
* [ipavault](README-vault.md)
If you want to write a new module please read [writing a new module](plugins/modules/README.md).
Inventory plugins in plugin/inventory
=====================================
* [freeipa](README-inventory-plugin-freeipa.md)

10
galaxy.yml
View File

@@ -1,4 +1,3 @@
---
namespace: "freeipa"
name: "ansible_freeipa"
version: "A.B.C"
@@ -13,11 +12,12 @@ homepage: "https://github.com/freeipa/ansible-freeipa"
issues: "https://github.com/freeipa/ansible-freeipa/issues"
readme: "README.md"
license:
- "GPL-3.0-or-later"
license: "GPL-3.0-or-later"
license_file: "COPYING"
dependencies:
tags:
- "linux"
- "system"
- "identity"
- "ipa"
- "freeipa"

73
infra/azure/azure-pipelines.yml
View File

@@ -1,73 +0,0 @@
---
trigger:
- master
pool:
vmImage: 'ubuntu-24.04'
variables:
ansible_version: "-core >=2.18,<2.19"
ansible_latest: "-core"
ansible_minimum: "-core <2.16"
distros: "fedora-latest,c9s,c10s,fedora-rawhide"
stages:
- stage: fedora_latest_ansible_latest
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: fedora-latest
ansible_version: ${{ variables.ansible_latest }}
skip_git_test: true
- stage: fedora_latest_ansible_2_15
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: fedora-latest
ansible_version: ${{ variables.ansbile_minimum }}
skip_git_test: true
# Supported distros
- ${{ each distro in split(variables.distros, ',') }}:
- stage: ${{ replace(distro, '-', '_') }}_ansible_2_18
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ distro }}
ansible_version: ${{ variables.ansible_version }}
skip_git_test: true
test_galaxy: false
# Galaxy on Fedora
- stage: galaxy_fedora_latest_ansible_2_18
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: fedora-latest
ansible_version: ${{ variables.ansible_version }}
skip_git_test: true
test_galaxy: true
# CentOS 8 Stream, latest supported Ansible version.
- stage: c8s_ansible_2_16
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: c8s
ansible_version: "-core <2.17"
skip_git_test: true

35
infra/azure/build-containers.yml
View File

@@ -1,35 +0,0 @@
---
schedules:
- cron: "0 0 * * 0"
displayName: Weekly Sunday midnight build
branches:
include:
- master
always: true
trigger: none
pool:
vmImage: 'ubuntu-24.04'
variables: { distros: "fedora-latest,fedora-rawhide,c9s,c10s" }
stages:
- ${{ each distro in split(variables.distros, ',') }}:
- stage: build_${{ join('_', split(distro, '-')) }}
dependsOn: []
jobs:
- template: templates/build_container.yml
parameters:
distro: ${{ distro }}
# Special case for CentOS 8 Stream
- stage: CentOS_8_Stream
dependsOn: []
jobs:
- template: templates/build_container.yml
parameters:
distro: c8s
# ansible-core 2.17+ cannot be used to deploy on CentOS 8 Stream.
ansible_core_version: "<2.17"

104
infra/azure/nightly.yml
View File

@@ -1,104 +0,0 @@
---
schedules:
- cron: "0 19 * * *"
displayName: Nightly Builds
branches:
include:
- master
always: true
trigger: none
pool:
vmImage: 'ubuntu-24.04'
parameters:
# Not really a parameter, but variables cannot be arrays or dicts
# This maps the distro LATEST version to the avaiable ansible-core
# version of the latest released compose.
- name: "distro_ansible_map"
type: object
default:
- { distro: "c8s", ansible_version: "<2.17", version_name: "2.16" }
# c9s should use 2.14, but this version has an invalid certificate
# and so is unsuable against ansible-galaxy.
- { distro: "c9s", ansible_version: "<2.17", version_name: "2.16" }
- { distro: "c10s", ansible_version: "<2.17", version_name: "2.16" }
variables:
distros: "fedora-latest,c10s,c9s,fedora-rawhide"
ansible_version: "-core >=2.18,<2.19"
ansible_latest: "-core"
ansible_minimum: "-core <2.16"
stages:
# Minimum ansible
- ${{ each distro in split(variables.distros, ',') }}:
- stage: ${{ replace(distro, '-', '_') }}_ansible_2_15
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: fedora-latest
ansible_version: ${{ variables.ansible_minimum }}
skip_git_test: true
test_galaxy: false
# Latest ansible
- ${{ each distro in split(variables.distros, ',') }}:
- stage: ${{ replace(distro, '-', '_') }}_ansible_latest
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ distro }}
ansible_version: ${{ variables.ansible_latest }}
skip_git_test: true
test_galaxy: false
# Galaxy with Latest ansible
- ${{ each distro in split(variables.distros, ',') }}:
- stage: galaxy_${{ replace(distro, '-', '_') }}_ansible_latest
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ distro }}
ansible_version: ${{ variables.ansible_latest }}
skip_git_test: true
test_galaxy: true
# Test with pinned ansible version for the distro
- ${{ each config in parameters.distro_ansible_map }}:
- stage: ${{ config.distro }}_distro_ansible_${{ replace(config.version_name, '.', '_') }}
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ config.distro }}
ansible_version: -core${{ config.ansible_version }}
skip_git_test: true
test_galaxy: false
# Test Galaxy collection with pinned ansible version for the distro
- ${{ each config in parameters.distro_ansible_map }}:
- stage: galaxy_${{ config.distro }}_distro_ansible_${{ replace(config.version_name, '.', '_') }}
dependsOn: []
jobs:
- template: templates/group_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ config.distro }}
ansible_version: -core${{ config.ansible_version }}
skip_git_test: true
test_galaxy: true

67
infra/azure/pr-pipeline.yml
View File

@@ -1,67 +0,0 @@
---
trigger:
- master
pool:
vmImage: 'ubuntu-24.04'
parameters:
# Not really a parameter, but variables cannot be arrays or dicts
# This maps the distro LATEST version to the avaiable ansible-core
# version of the latest released compose.
- name: "distro_ansible_map"
type: object
default:
- { distro: "c8s", ansible_version: "<2.17", version_name: "2.16" }
# c9s should use 2.14, but this version has an invalid certificate
# and so is unsuable against ansible-galaxy.
- { distro: "c9s", ansible_version: "<2.17", version_name: "2.16" }
- { distro: "c10s", ansible_version: "<2.17", version_name: "2.16" }
variables:
distros: "fedora-latest,c10s,c9s,fedora-rawhide"
ansible_version: "-core >=2.18,<2.19"
stages:
# Test with repository in all "current" distros
- ${{ each distro in split(variables.distros, ',') }}:
- stage: ${{ replace(distro, '-', '_') }}_ansible_2_18
dependsOn: []
jobs:
- template: templates/run_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ distro }}
ansible_version: ${{ variables.ansible_version }}
skip_git_test: false
test_galaxy: false
# Galaxy on Fedora
- stage: galaxy_fedora_latest_ansible_2_18
dependsOn: []
jobs:
- template: templates/run_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: fedora-latest
ansible_version: ${{ variables.ansible_version }}
skip_git_test: false
test_galaxy: true
# Test with pinned ansible version for the distro
- ${{ each config in parameters.distro_ansible_map }}:
- stage: ${{ config.distro }}_distro_ansible_${{ replace(config.version_name, '.', '_') }}
dependsOn: []
jobs:
- template: templates/run_tests.yml
parameters:
build_number: $(Build.BuildNumber)
distro: ${{ config.distro }}
ansible_version: -core${{ config.ansible_version }}
skip_git_test: false
test_galaxy: false

214
infra/azure/scripts/get_test_modules.py
View File

@@ -1,214 +0,0 @@
"""Filter tests based on plugin modifications."""
import sys
import os
from importlib.machinery import SourceFileLoader
import types
from unittest import mock
import yaml
PYTHON_IMPORT = __import__
def get_plugins_from_playbook(playbook):
"""Get all plugins called in the given playbook."""
def get_tasks(task_block):
"""
Get all plugins used on tasks.
Recursively process "block", "include_tasks" and "import_tasks".
"""
_result = set()
for tasks in task_block:
for task in tasks:
original_task = task
if task == "block":
_result.update(get_tasks(tasks["block"]))
elif task in ["include_tasks", "import_tasks"
"ansible.builtin.include_tasks",
"ansible.builtin.import_tasks"]:
parent = os.path.dirname(playbook)
include_task = tasks[task]
if isinstance(include_task, dict):
include_file = os.path.join(
parent, include_task["file"]
)
else:
include_file = os.path.join(parent, include_task)
_result.update(get_plugins_from_playbook(include_file))
elif task in ["include_role",
"ansible.builtin.include_role"]:
_result.add(f"_{tasks[original_task]['name']}")
elif task.startswith("ipa"):
# assume we are only interested in 'ipa*' modules/roles
_result.add(task)
elif task == "role":
# not really a "task", but we'll handle the same way.
_result.add(f"_{tasks[task]}")
return _result
def load_playbook(filename):
"""Load playbook file using Python's YAML parser."""
if not (filename.endswith("yml") or filename.endswith("yaml")):
return []
# print("Processing:", playbook)
try:
with open(filename, "rt") as playbook_file:
data = yaml.safe_load(playbook_file)
except yaml.scanner.ScannerError: # If not a YAML/JSON file.
return []
except yaml.parser.ParserError: # If not a YAML/JSON file.
return []
return data if data else []
data = load_playbook(playbook)
task_blocks = [t.get("tasks", []) if "tasks" in t else [] for t in data]
role_blocks = [t.get("roles", []) if "roles" in t else [] for t in data]
# assume file is a list of tasks if no "tasks" entry found.
if not task_blocks:
task_blocks = [data]
_result = set()
for task_block in task_blocks:
_result.update(get_tasks(task_block))
# roles
for role_block in role_blocks:
_result.update(get_tasks(role_block))
return _result
def import_mock(name, *args):
"""Intercept 'import' calls and store module name."""
if not hasattr(import_mock, "call_list"):
setattr(import_mock, "call_list", set()) # noqa: B010
import_mock.call_list.add(name) # pylint: disable=no-member
try:
# print("NAME:", name)
return PYTHON_IMPORT(name, *args)
except ModuleNotFoundError:
# We're not really interested in loading the module
# if it can't be imported, it is not something we really care.
return mock.Mock()
except Exception: # pylint: disable=broad-except
print(
"An unexpected error occured. Do you have all requirements set?",
file=sys.stderr
)
sys.exit(1)
def parse_playbooks(test_module):
"""Load all playbooks for 'test_module' directory."""
if test_module.name[0] in [".", "_"] or test_module.name == "pytests":
return []
_files = set()
for arg in os.scandir(test_module):
if arg.is_dir():
_files.update(parse_playbooks(arg))
else:
for playbook in get_plugins_from_playbook(arg.path):
if playbook.startswith("_"):
source = f"roles/{playbook[1:]}"
if os.path.isdir(source):
_files.add(source)
else:
source = f"plugins/modules/{playbook}.py"
if os.path.isfile(source):
_files.add(source)
# If a plugin imports a module from the repository,
# we'l find it by patching the builtin __import__
# function and importing the module from the source
# file. The modules imported as a result of the import
# will be added to the import_mock.call_list list.
with mock.patch(
"builtins.__import__", side_effect=import_mock
):
# pylint: disable=no-value-for-parameter
try:
loader = SourceFileLoader(playbook, source)
loader.exec_module(
types.ModuleType(loader.name)
)
except Exception: # pylint: disable=broad-except
# If import fails, we'll assume there's no
# plugin to be loaded. This is of little risk
# it is rare that a plugin includes another.
pass
# pylint: disable=no-member
candidates = [
f.split(".")[1:]
for f in import_mock.call_list
if f.startswith("ansible.")
]
# pylint: enable=no-member
files = [
"plugins/" + "/".join(f) + ".py"
for f in candidates
]
_files.update([f for f in files if os.path.isfile(f)])
else:
source = f"roles/{playbook}"
if os.path.isdir(source):
_files.add(source)
return _files
def map_test_module_sources(base):
"""Create a map of 'test-modules' to 'plugin-sources', from 'base'."""
# Find root directory of playbook tests.
script_dir = os.path.dirname(__file__)
test_root = os.path.realpath(os.path.join(script_dir, f"../../../{base}"))
# create modules:source_files map
_result = {}
for test_module in [d for d in os.scandir(test_root) if d.is_dir()]:
_depends_on = parse_playbooks(test_module)
if _depends_on:
_result[test_module.name] = _depends_on
return _result
def usage(err=0):
print("get_test_modules.py [-h|--help] [-p|--pytest] PY_SRC...")
print(
"""
Print a comma-separated list of modules that should be tested if
PY_SRC is modified.
Options:
-h, --help Print this message and exit.
-p, --pytest Evaluate pytest tests (playbooks only).
"""
)
sys.exit(err)
def main():
"""Program entry point."""
if "-h" in sys.argv or "--help" in sys.argv:
usage()
_base = "tests"
if "-p" in sys.argv or "--pytest" in sys.argv:
_base = "tests/pytests"
call_args = [x for x in sys.argv[1:] if x not in ["-p", "--pytest"]]
_mapping = map_test_module_sources(_base)
_test_suits = (
[
_module for _module, _files in _mapping.items()
for _arg in call_args
for _file in _files
if _file.startswith(_arg)
] + [
_role for _role in [x for x in _mapping if x.endswith("_role")]
for _arg in call_args
if _arg.startswith("roles/ipa" + _role[:-5])
]
)
if _test_suits:
print(",".join(sorted(_test_suits)))
if __name__ == "__main__":
main()

67
infra/azure/scripts/set_test_modules
View File

@@ -1,67 +0,0 @@
#!/bin/bash -eu
# This file shoud be source'd (. set_test_modules) rather than executed.
#
# Set SKIP_GIT_TEST="True" or use -a to prevent git modification comparison.
#
RED="\033[31;1m"
RST="\033[0m"
die() {
echo -e "${RED}${*}${RST}" >&2
}
BASEDIR="$(readlink -f "$(dirname "${BASH_SOURCE[0]}")")"
TOPDIR="$(readlink -f "${BASEDIR}/../../..")"
[ -n "$(command -v python3)" ] && python="$(command -v python3)" || python="$(command -v python2)"
pushd "${TOPDIR}" >/dev/null 2>&1 || die "Failed to change directory."
SKIP_GIT_TEST=${SKIP_GIT_TEST:-"False"}
while getopts ":a" opt
do
case "${opt}" in
a) SKIP_GIT_TEST="True" ;;
*) ;; # ignore other options
esac
done
files_list=$(mktemp)
enabled_modules="None"
enabled_tests="None"
if [ "${SKIP_GIT_TEST}" != "True" ]
then
remote="$(basename "$(mktemp -u remote_XXXXXX)")"
git remote add "${remote}" https://github.com/freeipa/ansible-freeipa
git fetch --prune --no-tags --quiet "${remote}"
git diff "${remote}/master" --name-only > "${files_list}"
git remote remove "${remote}"
# shellcheck disable=SC2046
enabled_modules="$(${python} "${BASEDIR}/get_test_modules.py" $(cat "${files_list}"))"
[ -z "${enabled_modules}" ] && enabled_modules="None"
# Get individual tests that should be executed
mapfile -t tests < <(sed -n 's#.*/\(test_[^/]*\).yml#\1#p' "${files_list}" | tr -d " ")
[ ${#tests[@]} -gt 0 ] && enabled_tests=$(IFS=, ; echo "${tests[*]}")
[ -z "${enabled_tests}" ] && enabled_tests="None"
[ -n "${enabled_tests}" ] && IPA_ENABLED_TESTS="${enabled_tests},${IPA_ENABLED_TESTS}"
[ -n "${enabled_modules}" ] && IPA_ENABLED_MODULES="${enabled_modules},${IPA_ENABLED_MODULES}"
rm -f "${files_list}"
fi
# Get all modules that should have tests executed
export IPA_ENABLED_MODULES
export IPA_ENABLED_TESTS
echo "IPA_ENABLED_MODULES = [${IPA_ENABLED_MODULES}]"
echo "IPA_ENABLED_TESTS = [${IPA_ENABLED_TESTS}]"
popd >/dev/null 2>&1 || die "Failed to change back to original directory."

45
infra/azure/templates/build_container.yml
View File

@@ -1,45 +0,0 @@
---
parameters:
- name: distro
type: string
- name: python_version
type: string
default: 3.x
- name: ansible_core_version
default: ""
jobs:
- job: BuildTestImage_${{ join('_', split(parameters.distro, '-')) }}
displayName: Build ${{ parameters.distro }} test container
steps:
- task: UsePythonVersion@0
inputs:
versionSpec: '${{ parameters.python_version }}'
- script: python -m pip install --upgrade pip "ansible-core${{ parameters.ansible_core_version }}"
retryCountOnTaskFailure: 5
displayName: Install tools
- script: ansible-galaxy collection install containers.podman
displayName: Install Ansible Galaxy collections
- script: infra/image/build.sh -s ${{ parameters.distro }}
displayName: Build ${{ parameters.distro }} base image
env:
ANSIBLE_ROLES_PATH: "${PWD}/roles"
ANSIBLE_LIBRARY: "${PWD}/plugins/modules"
ANSIBLE_MODULE_UTILS: "${PWD}/plugins/module_utils"
- script: podman login -u="$QUAY_ROBOT_USERNAME" -p="$QUAY_ROBOT_TOKEN" quay.io
displayName: Registry login
env:
# Secrets needs to be mapped as env vars to work properly
QUAY_ROBOT_TOKEN: $(QUAY_ROBOT_TOKEN)
- script: |
podman push quay.io/ansible-freeipa/upstream-tests:${{parameters.distro}}-base quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-base
displayName: Push base image
- script: |
podman push quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-server quay.io/ansible-freeipa/upstream-tests:${{ parameters.distro }}-server
displayName: Push server image

30
infra/azure/templates/group_tests.yml
View File

@@ -1,30 +0,0 @@
---
parameters:
- name: distro
type: string
default: fedora-latest
- name: build_number
type: string
- name: ansible_version
type: string
default: ""
- name: skip_git_test
type: boolean
default: false
- name: test_galaxy
type: boolean
default: false
jobs:
- ${{ each group in split('1,2,3', ',') }}:
- template: run_tests.yml
parameters:
group_number: ${{ group }}
number_of_groups: 3
build_number: ${{ parameters.build_number }}
distro: ${{ parameters.distro }}
ansible_version: ${{ parameters.ansible_version }}
python_version: '< 3.12'
skip_git_test: ${{ parameters.skip_git_test }}
test_galaxy: ${{ parameters.test_galaxy }}

30
infra/azure/templates/prepare_environment.yaml
View File

@@ -1,30 +0,0 @@
---
parameters:
- name: distro
type: string
default: fedora-latest
- name: ansible_version
type: string
default: ""
- name: python_version
type: string
default: 3.x
- name: build_number
type: string
steps:
- task: UsePythonVersion@0
inputs:
versionSpec: '${{ parameters.python_version }}'
- script: |
pip install "ansible${{ parameters.ansible_version }}" -r requirements-tests.txt
retryCountOnTaskFailure: 5
displayName: Install test dependencies
- script: ansible-galaxy collection install -r requirements-podman.yml
retryCountOnTaskFailure: 5
displayName: Install Ansible collections
- script: infra/image/start.sh ${{ parameters.distro }}-server
displayName: Setup target container for ${{ parameters.distro }}

98
infra/azure/templates/run_tests.yml
View File

@@ -1,98 +0,0 @@
---
parameters:
- name: group_number
type: number
default: 1
- name: number_of_groups
type: number
default: 1
- name: distro
type: string
default: fedora-latest
- name: ansible_version
type: string
default: ""
- name: python_version
type: string
default: 3.x
- name: build_number
type: string
- name: skip_git_test
type: boolean
default: true
- name: test_type
type: string
default: "playbook"
- name: test_galaxy
type: boolean
default: false
jobs:
- job: Test_Group${{ parameters.group_number }}
displayName: Run playbook tests ${{ parameters.distro }} (${{ parameters.group_number }}/${{ parameters.number_of_groups }})
timeoutInMinutes: 360
variables:
- template: variables.yaml
- template: variables_${{ parameters.distro }}.yaml
steps:
- template: prepare_environment.yaml
parameters:
build_number: ${{ parameters.build_number }}
distro: ${{ parameters.distro }}
ansible_version: ${{ parameters.ansible_version }}
python_version: ${{ parameters.python_version }}
- bash: echo "##vso[task.setvariable variable=TOPDIR]${PWD}"
displayName: Set repo rootdir
- script: |
. "${TOPDIR}/infra/azure/scripts/set_test_modules"
python3 utils/check_test_configuration.py ${{ parameters.distro }}
displayName: Check test configuration
env:
SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
- script: |
git fetch --unshallow
utils/build-collection.sh -i rpm
retryCountOnTaskFailure: 5
displayName: Build Galaxy release
condition: ${{ parameters.test_galaxy }}
- script: |
echo "PWD: ${PWD}"
echo "TOPDIR: ${TOPDIR}"
echo "ROLES: ${ANSIBLE_ROLES_PATH}"
echo "LIBRARY: ${ANSIBLE_LIBRARY}"
echo "MODULE_UTILS: ${ANSIBLE_MODULE_UTILS}"
. "${TOPDIR}/infra/azure/scripts/set_test_modules"
[ "${{ parameters.test_galaxy }}" == "True" ] && cd ~/.ansible/collections/ansible_collections/freeipa/ansible_freeipa
pytest \
-m "${{ parameters.test_type }}" \
--verbose \
--color=yes \
--splits=${{ parameters.number_of_groups }} \
--group=${{ parameters.group_number }} \
--randomly-seed=$(date "+%Y%m%d") \
--suppress-no-test-exit-code \
--junit-xml=TEST-results-pr-check.xml
displayName: Run playbook tests
env:
SKIP_GIT_TEST: ${{ parameters.skip_git_test }}
${{ if not(parameters.test_galaxy) }}:
ANSIBLE_ROLES_PATH: "${PWD}/roles"
ANSIBLE_LIBRARY: "${PWD}/plugins"
ANSIBLE_MODULE_UTILS: "${PWD}/plugins/module_utils"
IPA_SERVER_HOST: ansible-freeipa-tests
RUN_TESTS_IN_DOCKER: podman
IPA_DISABLED_MODULES: ${{ variables.ipa_disabled_modules }}
IPA_DISABLED_TESTS: ${{ variables.ipa_disabled_tests }}
IPA_ENABLED_MODULES: ${{ variables.ipa_enabled_modules }}
IPA_ENABLED_TESTS: ${{ variables.ipa_enabled_tests }}
IPA_VERBOSITY: "-vvv"
- task: PublishTestResults@2
inputs:
mergeTestResults: true
testRunTitle: PlaybookTests-Build${{ parameters.build_number }}
condition: succeededOrFailed()

23
infra/azure/templates/variables.yaml
View File

@@ -1,23 +0,0 @@
#
# Variables must be defined as comma separated lists.
# For easier management of items to enable/disable,
# use one test/module on each line, followed by a comma.
#
# If no variable is to be set, add 'empty: true', as the
# 'variables' dict cannot be empty.
#
# Example:
#
# disabled_modules: >-
# dnsconfig,
# group,
# hostgroup
#
---
variables:
# empty: true
# ipa_enabled_modules: >-
# ipa_enabled_tests: >-
ipa_disabled_modules: >-
config
# ipa_disabled_tests: >-

21
infra/azure/templates/variables_c10s.yaml
View File

@@ -1,21 +0,0 @@
#
# Variables must be defined as comma separated lists.
# For easier management of items to enable/disable,
# use one test/module on each line, followed by a comma.
#
# Example:
#
# ipa_disabled_modules: >-
# dnsconfig,
# group,
# hostgroup
#
# If no variables are set, set "empty: true" as at least
# one item is needed in the set.
---
variables:
empty: true
# ipa_enabled_modules: >-
# ipa_enabled_tests: >-
# ipa_disabled_modules: >-
# ipa_disabled_tests: >-

21
infra/azure/templates/variables_c8s.yaml
View File

@@ -1,21 +0,0 @@
#
# Variables must be defined as comma separated lists.
# For easier management of items to enable/disable,
# use one test/module on each line, followed by a comma.
#
# Example:
#
# ipa_disabled_modules: >-
# dnsconfig,
# group,
# hostgroup
#
# If no variables are set, set "empty: true" as at least
# one item is needed in the set.
---
variables:
empty: true
# ipa_enabled_modules: >-
# ipa_enabled_tests: >-
# ipa_disabled_modules: >-
# ipa_disabled_tests: >-

21
infra/azure/templates/variables_c9s.yaml
View File

@@ -1,21 +0,0 @@
#
# Variables must be defined as comma separated lists.
# For easier management of items to enable/disable,
# use one test/module on each line, followed by a comma.
#
# Example:
#
# ipa_disabled_modules: >-
# dnsconfig,
# group,
# hostgroup
#
# If no variables are set, set "empty: true" as at least
# one item is needed in the set.
---
variables:
empty: true
# ipa_enabled_modules: >-
# ipa_enabled_tests: >-
# ipa_disabled_modules: >-
# ipa_disabled_tests: >-

20
infra/azure/templates/variables_centos-7.yaml
View File

@@ -1,20 +0,0 @@
#
# Variables must be defined as comma separated lists.
# For easier management of items to enable/disable,
# use one test/module on each line, followed by a comma.
#
# Example:
#
# ipa_disabled_modules: >-
# dnsconfig,
# group,
# hostgroup
#
# If no variables are set, set "empty: true" as at least
# one item is needed in the set.
---
variables:
# ipa_enabled_modules: >-
# ipa_enabled_tests: >-
# ipa_disabled_modules: >-
ipa_disabled_tests: test_config_sid

22
infra/azure/templates/variables_fedora-latest.yaml
View File

@@ -1,22 +0,0 @@
#
#
# Variables must be defined as comma separated lists.
# For easier management of items to enable/disable,
# use one test/module on each line, followed by a comma.
#
# Example:
#
# ipa_disabled_modules: >-
# dnsconfig,
# group,
# hostgroup
#
# If no variables are set, set "empty: true" as at least
# one item is needed in the set.
---
variables:
empty: true
# ipa_enabled_modules: >-
# ipa_enabled_tests: >-
# ipa_disabled_modules: >-
# ipa_disabled_tests: >-

21
infra/azure/templates/variables_fedora-rawhide.yaml
View File

@@ -1,21 +0,0 @@
#
# Variables must be defined as comma separated lists.
# For easier management of items to enable/disable,
# use one test/module on each line, followed by a comma.
#
# Example:
#
# ipa_disabled_modules: >-
# dnsconfig,
# group,
# hostgroup
#
# If no variables are set, set "empty: true" as at least
# one item is needed in the set.
---
variables:
empty: true
# ipa_enabled_modules: >-
# ipa_enabled_tests: >-
# ipa_disabled_modules: >-
# ipa_disabled_tests: >-

15
infra/image/build-inventory
View File

@@ -1,15 +0,0 @@
[ipaserver]
ansible-freeipa-image-builder ansible_connection=podman
[ipaserver:vars]
ipaadmin_password=SomeADMINpassword
ipadm_password=SomeDMpassword
ipaserver_domain=test.local
ipaserver_realm=TEST.LOCAL
ipaserver_setup_dns=true
ipaserver_auto_forwarders=true
ipaserver_no_dnssec_validation=true
ipaserver_auto_reverse=true
ipaserver_setup_kra=true
ipaserver_setup_firewalld=false
ipaclient_no_ntp=true

130
infra/image/build.sh
View File

@@ -1,130 +0,0 @@
#!/bin/bash -eu
BASEDIR="$(readlink -f "$(dirname "$0")")"
TOPDIR="$(readlink -f "${BASEDIR}/../..")"
# shellcheck disable=SC1091
. "${BASEDIR}/shcontainer"
# shellcheck disable=SC1091
. "${TOPDIR}/utils/shfun"
valid_distro() {
find "${BASEDIR}/dockerfile" -type f -printf "%f\n" | tr "\n" " "
}
usage() {
local prog="${0##*/}"
cat << EOF
usage: ${prog} [-h] [-n HOSTNAME] [-s] distro
${prog} build a container image to test ansible-freeipa.
EOF
}
help() {
cat << EOF
positional arguments:
distro The base distro to build the test container.
Availble distros: $(valid_distro)
optional arguments:
-n HOSTNAME Container hostname
-p Give extended privileges to the container
-s Deploy IPA server
EOF
}
name="ansible-freeipa-image-builder"
hostname="ipaserver.test.local"
cpus="2"
memory="3g"
quayname="quay.io/ansible-freeipa/upstream-tests"
deploy_server="N"
deploy_capabilities="SYS_ADMIN,SYSLOG"
capabilities=""
while getopts ":hn:s" option
do
case "${option}" in
h) help && exit 0 ;;
n) hostname="${OPTARG}" ;;
s) deploy_server="Y" ;;
*) die -u "Invalid option: ${option}" ;;
esac
done
shift $((OPTIND - 1))
distro=${1:-}
[ -n "${distro}" ] || die "Distro needs to be given.\nUse one of: $(valid_distro)"
[ -f "${BASEDIR}/dockerfile/${distro}" ] \
|| die "${distro} is not a valid distro target.\nUse one of: $(valid_distro)"
container_check
if [ "${deploy_server}" == "Y" ]
then
capabilities="${deploy_capabilities}"
[ -n "$(command -v "ansible-playbook")" ] || die "ansible-playbook is required to install FreeIPA."
deploy_playbook="${TOPDIR}/playbooks/install-server.yml"
[ -f "${deploy_playbook}" ] || die "Can't find playbook '${deploy_playbook}'"
inventory_file="${BASEDIR}/build-inventory"
[ -f "${inventory_file}" ] || die "Can't find inventory '${inventory_file}'"
fi
container_state=$(container_get_state "${name}")
tag="${distro}-base"
server_tag="${distro}-server"
container_remove_image_if_exists "${tag}"
[ "${deploy_server}" == "Y" ] && \
container_remove_image_if_exists "${server_tag}"
container_build "${tag}" "${BASEDIR}/dockerfile/${distro}" "${BASEDIR}"
container_create "${name}" "${tag}" \
"hostname=${hostname}" \
"memory=${memory}" \
"cpus=${cpus}" \
"${capabilities:+capabilities=$capabilities}"
container_commit "${name}" "${quayname}:${tag}"
if [ "${deploy_server}" == "Y" ]
then
deployed=false
# Set path to ansible-freeipa roles
[ -z "${ANSIBLE_ROLES_PATH:-""}" ] && export ANSIBLE_ROLES_PATH="${TOPDIR}/roles"
# Install collection containers.podman if not available
if [ -z "$(ansible-galaxy collection list containers.podman)" ]
then
tmpdir="$(mktemp -d)"
export ANSIBLE_COLLECTIONS_PATH="${tmpdir}"
ansible-galaxy collection install -p "${tmpdir}" containers.podman
fi
[ "${container_state}" != "running" ] && container_start "${name}"
container_wait_for_journald "${name}"
log info "= Deploying IPA ="
if ansible-playbook -u root -i "${inventory_file}" "${deploy_playbook}"
then
deployed=true
fi
echo
container_stop "${name}"
$deployed || die "Deployment failed"
container_commit "${name}" "${quayname}:${server_tag}"
fi
log info "= DONE: Image created. ="

41
infra/image/dockerfile/c10s
View File

@@ -1,41 +0,0 @@
FROM quay.io/centos/centos:stream10
ENV container=podman
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/dnf-3 \
sudo \
bash \
systemd \
procps-ng \
iproute \
hostname; \
rm -rf /var/cache/dnf/;
RUN (cd /lib/systemd/system/; \
if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
ln -s dbus-broker.service dbus.service; \
fi \
)
COPY system-service/container-ipa.target /lib/systemd/system/
RUN systemctl set-default container-ipa.target
RUN (cd /etc/systemd/system/; \
rm -rf multi-user.target.wants \
&& mkdir container-ipa.target.wants \
&& ln -s container-ipa.target.wants multi-user.target.wants \
)
COPY system-service/fixnet.sh /root/
COPY system-service/fixipaip.sh /root/
COPY system-service/fixnet.service /etc/systemd/system/
COPY system-service/fixipaip.service /etc/systemd/system/
RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
RUN systemctl enable fixnet.service
RUN systemctl enable fixipaip.service
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

46
infra/image/dockerfile/c8s
View File

@@ -1,46 +0,0 @@
FROM quay.io/centos/centos:stream8
ENV container=podman
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
sed -i s/mirror.centos.org/vault.centos.org/g /etc/yum.repos.d/*.repo; \
sed -i s/^#.*baseurl=http/baseurl=http/g /etc/yum.repos.d/*.repo; \
sed -i s/^mirrorlist=http/#mirrorlist=http/g /etc/yum.repos.d/*.repo; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/dnf-3 \
sudo \
bash \
systemd \
procps-ng \
hostname \
iproute; \
dnf clean all; \
rm -rf /var/cache/dnf/;
RUN (cd /lib/systemd/system/; \
if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
ln -s dbus-broker.service dbus.service; \
fi \
)
COPY system-service/container-ipa.target /lib/systemd/system/
RUN systemctl set-default container-ipa.target
RUN (cd /etc/systemd/system/; \
rm -rf multi-user.target.wants \
&& mkdir container-ipa.target.wants \
&& ln -s container-ipa.target.wants multi-user.target.wants \
)
COPY system-service/fixnet.sh /root/
COPY system-service/fixipaip.sh /root/
COPY system-service/fixnet.service /etc/systemd/system/
COPY system-service/fixipaip.service /etc/systemd/system/
RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
RUN systemctl enable fixnet.service
RUN systemctl enable fixipaip.service
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

41
infra/image/dockerfile/c9s
View File

@@ -1,41 +0,0 @@
FROM quay.io/centos/centos:stream9
ENV container=podman
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/dnf-3 \
sudo \
bash \
systemd \
procps-ng \
hostname \
iproute; \
rm -rf /var/cache/dnf/;
RUN (cd /lib/systemd/system/; \
if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
ln -s dbus-broker.service dbus.service; \
fi \
)
COPY system-service/container-ipa.target /lib/systemd/system/
RUN systemctl set-default container-ipa.target
RUN (cd /etc/systemd/system/; \
rm -rf multi-user.target.wants \
&& mkdir container-ipa.target.wants \
&& ln -s container-ipa.target.wants multi-user.target.wants \
)
COPY system-service/fixnet.sh /root/
COPY system-service/fixipaip.sh /root/
COPY system-service/fixnet.service /etc/systemd/system/
COPY system-service/fixipaip.service /etc/systemd/system/
RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
RUN systemctl enable fixnet.service
RUN systemctl enable fixipaip.service
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

44
infra/image/dockerfile/fedora-latest
View File

@@ -1,44 +0,0 @@
FROM fedora:latest
ENV container=podman
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/python3 \
/usr/bin/python3-config \
python3-libdnf5 \
sudo \
bash \
systemd \
procps-ng \
hostname \
iproute; \
dnf clean all; \
rm -rf /var/cache/dnf/;
RUN (cd /lib/systemd/system/; \
if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
ln -s dbus-broker.service dbus.service; \
fi \
)
COPY system-service/container-ipa.target /lib/systemd/system/
RUN systemctl set-default container-ipa.target
RUN (cd /etc/systemd/system/; \
rm -rf multi-user.target.wants \
&& mkdir container-ipa.target.wants \
&& ln -s container-ipa.target.wants multi-user.target.wants \
)
COPY system-service/fixnet.sh /root/
COPY system-service/fixipaip.sh /root/
COPY system-service/fixnet.service /etc/systemd/system/
COPY system-service/fixipaip.service /etc/systemd/system/
RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
RUN systemctl enable fixnet.service
RUN systemctl enable fixipaip.service
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

44
infra/image/dockerfile/fedora-rawhide
View File

@@ -1,44 +0,0 @@
FROM fedora:rawhide
ENV container=podman
RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
dnf makecache; \
dnf --assumeyes install \
/usr/bin/python3 \
/usr/bin/python3-config \
python3-libdnf5 \
sudo \
bash \
systemd \
procps-ng \
hostname \
iproute; \
dnf clean all; \
rm -rf /var/cache/dnf/;
RUN (cd /lib/systemd/system/; \
if [ -e dbus-broker.service ] && [ ! -e dbus.service ]; then \
ln -s dbus-broker.service dbus.service; \
fi \
)
COPY system-service/container-ipa.target /lib/systemd/system/
RUN systemctl set-default container-ipa.target
RUN (cd /etc/systemd/system/; \
rm -rf multi-user.target.wants \
&& mkdir container-ipa.target.wants \
&& ln -s container-ipa.target.wants multi-user.target.wants \
)
COPY system-service/fixnet.sh /root/
COPY system-service/fixipaip.sh /root/
COPY system-service/fixnet.service /etc/systemd/system/
COPY system-service/fixipaip.service /etc/systemd/system/
RUN chmod +x /root/fixnet.sh /root/fixipaip.sh
RUN systemctl enable fixnet.service
RUN systemctl enable fixipaip.service
STOPSIGNAL RTMIN+3
VOLUME ["/sys/fs/cgroup"]
CMD ["/usr/sbin/init"]

6
infra/image/inventory
View File

@@ -1,6 +0,0 @@
[ipaserver]
ansible-freeipa-tests ansible_connection=podman
[ipaserver:vars]
ipaadmin_password=SomeADMINpassword
ipadm_password=SomeDMpassword

249
infra/image/shcontainer
View File

@@ -1,249 +0,0 @@
#!/bin/bash -eu
# This file is meant to be source'd by other scripts
SCRIPTDIR="$(dirname -- "$(readlink -f "${BASH_SOURCE[0]}")")"
TOPDIR="$(readlink -f "${SCRIPTDIR}/../..")"
# shellcheck disable=SC1091
. "${SCRIPTDIR}/shdefaults"
# shellcheck disable=SC1091
. "${TOPDIR}/utils/shfun"
container_create() {
local name=${1}
local image=${2}
shift 2
declare -a extra_opts
readarray -t extra_opts < \
<(sed -e "s/-/--cap-drop=/g" -e "s/+/--cap-add=/g" \
<<< "$(printf '%s\n' "${CAP_DEFAULTS[@]}")")
for opt in "$@"
do
[ -z "${opt}" ] && continue
case "${opt}" in
hostname=*) extra_opts+=("--${opt}") ;;
cpus=*) extra_opts+=("--${opt}") ;;
memory=*) extra_opts+=("--${opt}") ;;
capabilities=*) extra_opts+=("--cap-add=${opt##*=}") ;;
volume=*) extra_opts+=("--volume=${opt##*=}") ;;
*) log error "container_create: Invalid option: ${opt}" ;;
esac
done
# ensure default values are set
[[ " ${extra_opts[*]} " =~ " --cpus=" ]] || extra_opts+=("--cpus=2")
[[ " ${extra_opts[*]} " =~ " --hostname=" ]] \
|| extra_opts+=("--hostname=ipaserver.test.local")
log info "= Creating ${name} ="
podman create \
--security-opt label=disable \
--network bridge:interface_name=eth0 \
--systemd true \
--name "${name}" \
--memory-swap -1 \
--no-hosts \
--replace \
"${extra_opts[@]}" \
"${image}"
echo
}
container_start() {
local name="${1}"
log info "= Starting ${name} ="
podman start "${name}"
# Add host entry to /etc/hosts
ip=$(podman inspect "${name}" --format "{{.NetworkSettings.IPAddress}}")
hostname=$(podman inspect "${name}" --format "{{.Config.Hostname}}")
if [ -n "${ip}" ] && [ -n "${hostname}" ]; then
cmd=$(cat <<EOF
sed -i -E "/\s+${hostname}(\s|$)/d" /etc/hosts
echo -e "$ip\t${hostname} ${hostname%%.*}" >> /etc/hosts
EOF
)
podman exec "${name}" bash -c "$cmd"
fi
# Ensure /etc/shadow is readable
podman exec "${name}" bash -c "chmod u+r /etc/shadow"
echo
}
container_stop() {
local name="${1}"
log info "= Stopping ${name} ="
podman stop "${name}"
echo
}
container_wait_for_journald() {
local name=${1}
log info "= Waiting till systemd-journald is running ="
max=20
wait=2
count=0
while ! podman exec "${name}" ps -x | grep -q "systemd-journald"
do
if [ $count -ge $max ]; then
die "Timeout: systemd-journald is not starting up"
fi
count=$((count+1))
log info "Waiting ${wait} seconds .."
sleep ${wait}
done
log info "done"
echo
}
container_wait_up() {
local name="${1}"
log info "= Waiting till all services are started ="
max=20
wait=15
count=0
while podman exec "${name}" systemctl list-jobs | \
grep -qvi "no jobs running"
do
if [ $count -ge $max ]; then
die "Timeout: Services are not starting up"
fi
count=$((count+1))
log info "Waiting ${wait} seconds .."
sleep ${wait}
done
log info "done"
echo
}
container_build() {
local tag="${1}"
local file="${2}"
local dir="${3}"
log info "= Building ${tag} ="
podman build -t "${tag}" -f "${file}" "${dir}"
echo
}
container_commit() {
local name="${1}"
local image="${2}"
log info "= Committing \"${image}\" ="
podman commit "${name}" "${image}"
echo
}
container_exec() {
local name="${1}"
shift 1
# "@Q" is only needed for the log output, the exec command is properly
# working without also for args containing spaces.
log info "= Executing \"${*@Q}\" ="
podman exec -t "${name}" "${@}"
echo
}
container_remove_image_if_exists()
{
# In older (as in Ubuntu 22.04) podman versions,
# 'podman image rm --force' fails if the image
# does not exist.
local tag_to_remove="${1}"
if podman image exists "${tag_to_remove}"
then
log info "= Cleanup ${tag_to_remove} ="
podman image rm "${tag_to_remove}" --force
echo
fi
}
container_get_state()
{
local name="${1}"
state=$(podman ps -q --all --format "{{.State}}" --filter "name=${name}")
echo "${state}"
}
container_pull() {
local source="${1}"
image=$(podman pull "${source}")
echo "${image}"
}
container_image_list() {
local source="${1}"
# Append "$" for an exact match if the source does not end with ":" to
# search for the repo only.
if [[ ${source} != *: ]]; then
source="${source}$"
fi
image=$(podman image list --format "{{ .Repository }}:{{ .Tag }}" | \
grep "^${source}")
echo "${image}"
}
container_check() {
[ -n "$(command -v "podman")" ] || die "podman is required."
}
container_copy() {
local name="${1}"
local source="${2}"
local destination="${3}"
log info "= Copying ${source} to ${name}:${destination} ="
podman cp "${source}" "${name}:${destination}"
echo
}
container_fetch() {
local name="${1}"
local source="${2}"
local destination="${3}"
log info "= Copying ${name}:${source} to ${destination} ="
podman cp "${name}:${source}" "${destination}"
echo
}
container_tee() {
local name=${1}
local destination=${2}
tmpfile=$(mktemp /tmp/container-temp.XXXXXX)
log info "= Creating ${name}:${destination} from stdin ="
cat - > "${tmpfile}"
podman cp "${tmpfile}" "${name}:${destination}"
rm "${tmpfile}"
echo
}
container_save() {
local name=${1}
archive="${name}.tar"
log info "= Saving ${name} to ${archive} ="
# podman is not able to overwrite the archive
[ -f "${archive}" ] && rm "${archive}"
podman save -o "${archive}" "${name}"
echo
}
container_load() {
local name=${1}
image_name=$(podman load -q -i "${name}" | sed -e "s/^Loaded image: //")
image=$(podman image list -q "${image_name}")
echo "$image"
}

11
infra/image/shdefaults
View File

@@ -1,11 +0,0 @@
#!/bin/bash -eu
# This file is meant to be source'd by other scripts
# Set default capabilities options for freeipa containers.
# Use +CAP to add the capability and -CAP to drop the capability.
CAP_DEFAULTS=(
"+DAC_READ_SEARCH" # Required for SSSD
"+SYS_PTRACE" # Required for debugging
"+SYS_ADMIN" # Required to make dbus-brokder for systemd 258 work
# Should be "+AUDIT_WRITE", "+SETUID", "+SETGID"
)

95
infra/image/start.sh
View File

@@ -1,95 +0,0 @@
#!/bin/bash -eu
BASEDIR="$(readlink -f "$(dirname "$0")")"
TOPDIR="$(readlink -f "${BASEDIR}/../..")"
# shellcheck disable=SC1091
. "${BASEDIR}/shcontainer"
# shellcheck disable=SC1091
. "${TOPDIR}/utils/shfun"
usage() {
local prog="${0##*/}"
cat << EOF
usage: ${prog} [-h] [-l] [-n HOSTNAME ] image
${prog} start a prebuilt ansible-freeipa test container image.
EOF
}
help() {
cat << EOF
positional arguments:
image The image to start, leave empty to get list of images
optional arguments:
-h Show this message
-l Try to use local image first, if not found download.
-n HOSTNAME Set container hostname
NOTE:
- The hostname must be the same as the hostname of the container
when FreeIPA was deployed. Use only if you built the image and
defined its hostname.
EOF
}
list_images() {
local quay_api="https://quay.io/api/v1/repository/ansible-freeipa/upstream-tests/tag"
log info "Available images on quay:"
curl --silent -L "${quay_api}" | jq '.tags[]|.name' | tr -d '"'| sort | uniq | sed "s/.*/ &/"
echo
log info "Local images (use -l):"
local_image=$(container_image_list "${repo}:")
echo "${local_image}" | sed -e "s/.*://" | sed "s/.*/ &/"
echo
}
repo="quay.io/ansible-freeipa/upstream-tests"
name="ansible-freeipa-tests"
hostname="ipaserver.test.local"
try_local_first="N"
while getopts ":hln:" option
do
case "${option}" in
h) help && exit 0 ;;
l) try_local_first="Y" ;;
n) hostname="${OPTARG}" ;;
*) die -u "Invalid option: ${option}" ;;
esac
done
shift $((OPTIND - 1))
image=${1:-}
container_check
if [ -z "${image}" ]; then
list_images
exit 0
fi
local_image=
if [ "${try_local_first}" == "Y" ]; then
log info "= Trying to use local image first ="
local_image=$(container_image_list "${repo}:${image}")
[ -n "${local_image}" ] && log info "Found ${local_image}"
echo
fi
if [ -z "${local_image}" ]; then
log info "= Downloading from quay ="
local_image=$(container_pull "${repo}:${image}")
echo
fi
[ -z "${local_image}" ] && die "Image '${image}' is not valid"
container_create "${name}" "${local_image}" "hostname=${hostname}"
container_start "${name}"
container_wait_for_journald "${name}"
container_wait_up "${name}"
log info "Container ${name} is ready to be used."

6
infra/image/system-service/container-ipa.target
View File

@@ -1,6 +0,0 @@
[Unit]
Description=Minimal target for containerized FreeIPA server
DefaultDependencies=false
AllowIsolate=yes
Requires=systemd-tmpfiles-setup.service systemd-journald.service dbus.service
After=systemd-tmpfiles-setup.service systemd-journald.service dbus.service

13
infra/image/system-service/fixipaip.service
View File

@@ -1,13 +0,0 @@
[Unit]
Description=Fix IPA server IP in IPA Server
After=ipa.service
PartOf=ipa.service
[Service]
Type=oneshot
ExecStart=/root/fixipaip.sh
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=ipa.service

85
infra/image/system-service/fixipaip.sh
View File

@@ -1,85 +0,0 @@
#!/bin/bash -eu
function valid_fqdn()
{
local name="${1}"
[[ "${name}" =~ [[:space:]] ]] && return 1
[[ "${name}" =~ \. ]] || return 1
[[ "${name}" =~ \.\. ]] && return 1
for i in ${name//./ }; do
[[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
done
[[ "${name}" == "localhost.localdomain" ]] && return 1
return 0
}
function valid_ipv4()
{
local ip="${1}"
local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
[[ "${ip}" =~ ${rematch} ]] || return 1
for i in ${ip//./ }; do
[[ ${i} -le 255 ]] || return 1
done
return 0
}
HOSTNAME=$(hostname)
IP=$(hostname -I | cut -d " " -f 1)
export KRB5CCNAME=ansible_freeipa_cache
if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
echo "ERROR: Got invalid hostname: '${HOSTNAME}'"
exit 1
fi
if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
echo "ERROR: Got invalid IPv4 address: '${IP}'"
exit 1
fi
PTR=$(echo "${IP}" | awk -F"." '{print $4}')
if [ -z "${PTR}" ] || [ -n "${PTR//[0-9]}" ]; then
echo "ERROR: Failed to get PTR from IPv4 address: '${PTR}'"
exit 1
fi
FORWARDER=$(grep -s -m 1 ^nameserver /etc/resolv.conf.fixnet | cut -d" " -f 2)
if [ -z "${FORWARDER}" ] || [ "${FORWARDER}" == "127.0.0.1" ]; then
FORWARDER="8.8.8.8"
fi
echo "Fix IPA:"
echo " HOSTNAME: '${HOSTNAME}'"
echo " IP: '${IP}'"
echo " PTR: '${PTR}'"
echo " FORWARDER: '${FORWARDER}'"
ZONES=$(ipa -e in_server=true dnszone-find --name-from-ip="${HOSTNAME}." \
--raw --pkey-only | grep "idnsname:" | awk -F": " '{print $2}')
for zone in ${ZONES}; do
echo
if [[ "${zone}" == *".in-addr.arpa."* ]]; then
echo "Fixing reverse zone ${zone}:"
OLD_PTR=$(ipa -e in_server=true dnsrecord-find "${zone}" \
--ptr-rec="${HOSTNAME}." --raw | grep "idnsname:" | \
awk -F": " '{print $2}')
if [ -z "${OLD_PTR}" ] || [ -n "${OLD_PTR//[0-9]}" ]; then
echo "ERROR: Failed to get old PTR from '${zone}': '${OLD_PTR}'"
else
ipa -e in_server=true dnsrecord-mod "${zone}" "${OLD_PTR}" \
--ptr-rec="${HOSTNAME}." --rename="${PTR}" || true
fi
else
echo "Fixing forward zone ${zone}:"
ipa -e in_server=true dnsrecord-mod test.local "${HOSTNAME%%.*}" \
--a-rec="$IP" || true
ipa -e in_server=true dnsrecord-mod test.local ipa-ca \
--a-rec="$IP" || true
fi
done
ipa -e in_server=true dnsserver-mod "${HOSTNAME}" \
--forwarder="${FORWARDER}" || true
exit 0

11
infra/image/system-service/fixnet.service
View File

@@ -1,11 +0,0 @@
[Unit]
Description=Fix /etc/hosts and with local DNS also /etc/resolv.conf
[Service]
Type=oneshot
ExecStart=/root/fixnet.sh
StandardOutput=journal
StandardError=journal
[Install]
WantedBy=container-ipa.target

75
infra/image/system-service/fixnet.sh
View File

@@ -1,75 +0,0 @@
#!/bin/bash -eu
function valid_fqdn()
{
local name="${1}"
[[ "${name}" =~ [[:space:]] ]] && return 1
[[ "${name}" =~ \. ]] || return 1
[[ "${name}" =~ \.\. ]] && return 1
for i in ${name//./ }; do
[[ "${i}" =~ ^[a-z0-9_/]+$ ]] || return 1
done
[[ "${name}" == "localhost.localdomain" ]] && return 1
return 0
}
function valid_ipv4()
{
local ip="${1}"
local rematch="^([0-9]{1,3}\.){3}[0-9]{1,3}$"
[[ "${ip}" =~ ${rematch} ]] || return 1
for i in ${ip//./ }; do
[[ ${i} -le 255 ]] || return 1
done
return 0
}
HOSTNAME=$(hostname)
IP=$(hostname -I | cut -d " " -f 1)
if [ -z "${HOSTNAME}" ] || ! valid_fqdn "${HOSTNAME}" ; then
echo "ERROR: Failed to retrieve hostname."
exit 1
fi
if [ -z "${IP}" ] || ! valid_ipv4 "${IP}" ; then
echo "ERROR: Got invalid IPv4 address: '${IP}'"
exit 1
fi
DOMAIN=${HOSTNAME#*.}
echo "Fix NET:"
echo " HOSTNAME: '${HOSTNAME}'"
echo " DOMAIN: '${DOMAIN}'"
echo " IP: '${IP}'"
echo
# /etc/hosts
sed -i -E "/\s+${HOSTNAME}(\s|$)/d" /etc/hosts
echo -e "$IP\t${HOSTNAME} ${HOSTNAME%%.*}" >> /etc/hosts
echo "/etc/hosts:"
cat "/etc/hosts"
# /etc/resolv.conf
# If bind is not installed, exit
[ -f "/etc/named.conf" ] || exit 0
# If dyndb is not enabled for bind, exit
grep -q '^dyndb "ipa"' "/etc/named.conf" || exit 0
cp -a /etc/resolv.conf /etc/resolv.conf.fixnet
cat > /etc/resolv.conf <<EOF
search ${DOMAIN}
nameserver 127.0.0.1
EOF
echo
echo "/etc/resolv.conf:"
cat "/etc/resolv.conf"
exit 0

2
meta/runtime.yml
View File

@@ -1,2 +0,0 @@
---
requires_ansible: ">=2.14.0"

10
playbooks/automember/automember-default-group-not-set.yml
View File

@@ -1,10 +0,0 @@
---
- name: Automember default group not set
hosts: ipaserver
become: true
tasks:
- name: Ensure automember default group is not set
ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: group
default_group: ""

10
playbooks/automember/automember-default-group-set.yml
View File

@@ -1,10 +0,0 @@
---
- name: Automember default group set
hosts: ipaserver
become: true
tasks:
- name: Ensure automember default group is set
ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: group
default_group: fallback_group

10
playbooks/automember/automember-default-hostgroup-not-set.yml
View File

@@ -1,10 +0,0 @@
---
- name: Automember default hostgroup not set
hosts: ipaserver
become: true
tasks:
- name: Ensure automember default hostgroup is not set
ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: hostgroup
default_group: ""

10
playbooks/automember/automember-default-hostgroup-set.yml
View File

@@ -1,10 +0,0 @@
---
- name: Automember default hostgroup set
hosts: ipaserver
become: true
tasks:
- name: Ensure automember default hostgroup is set
ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: hostgroup
default_group: fallback_hostgroup

11
playbooks/automember/automember-group-absent.yml
View File

@@ -1,11 +0,0 @@
---
- name: Automember group absent example
hosts: ipaserver
become: true
tasks:
- name: Ensure group automember rule admins is absent
ipaautomember:
ipaadmin_password: SomeADMINpassword
name: admins
automember_type: group
state: absent

10
playbooks/automember/automember-group-membership-all-users-rebuilt.yml
View File

@@ -1,10 +0,0 @@
---
- name: Automember group membership for all users rebuilt example
hosts: ipaserver
become: true
tasks:
- name: Ensure group automember rule admins is present
ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: group
state: rebuilt

12
playbooks/automember/automember-group-membership-users-rebuilt.yml
View File

@@ -1,12 +0,0 @@
---
- name: Automember group membership for given users rebuilt example
hosts: ipaserver
become: true
tasks:
- name: Ensure group membership for given users has been rebuilt
ipaautomember:
ipaadmin_password: SomeADMINpassword
users:
- user1
- user2
state: rebuilt

10
playbooks/automember/automember-group-orphans-removed.yml
View File

@@ -1,10 +0,0 @@
---
- name: Automember orphan group rules are removed example
hosts: ipaserver
become: true
tasks:
- name: Ensure orphan group rules are removed
ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: group
state: orphans_removed

11
playbooks/automember/automember-group-present.yml
View File

@@ -1,11 +0,0 @@
---
- name: Automember group present example
hosts: ipaserver
become: true
tasks:
- name: Ensure group automember rule admins is present
ipaautomember:
ipaadmin_password: SomeADMINpassword
name: admins
automember_type: group
state: present

11
playbooks/automember/automember-hostgroup-absent.yml
View File

@@ -1,11 +0,0 @@
---
- name: Automember hostgroup absent example
hosts: ipaserver
become: true
tasks:
- name: Ensure hostgroup automember rule ipaservers is absent
ipaautomember:
ipaadmin_password: SomeADMINpassword
name: ipaservers
automember_type: hostgroup
state: absent

10
playbooks/automember/automember-hostgroup-membership-all-hosts-rebuilt.yml
View File

@@ -1,10 +0,0 @@
---
- name: Automember hostgroup membership for all hosts rebuilt example
hosts: ipaserver
become: true
tasks:
- name: Ensure hostgroup membership for all hosts has been rebuilt
ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: hostgroup
state: rebuilt

Some files were not shown because too many files have changed in this diff Show More