Merge pull request #398 from t-woerner/ipalib_facts_changes

ipa[server,replica,client]: Fix moved sysrestore and is_ipa_configured

.ansible-lint

@@ -0,0 +1,23 @@
+exclude_paths:
+  - roles
+  - .tox
+  - .venv
+
+parseable: true
+
+quiet: false
+
+skip_list:
+  - '201'  # Trailing whitespace
+  - '204'  # Lines should be no longer than 160 chars
+  - '206'  # Variables should have spaces before and after: {{ var_name }}'
+  - '208'  # File permissions not mentioned
+  - '301'  # Commands should not change things if nothing needs doing'
+  - '305'  # Use shell only when shell functionality is required'
+  - '306'  # Shells that use pipes should set the pipefail option'
+  - '502'  # All tasks should be named
+  - '505'  # Referenced missing file
+
+use_default_rules: true
+
+verbosity: 1

.copr/Makefile

@@ -0,0 +1,9 @@
+srpm:
+	# Setup development environment
+	echo "Installing base development environment"
+	dnf install -y dnf-plugins-core git-all
+	echo "Call SRPM build Script"
+	./utils/build-srpm.sh
+	if [[ "${outdir}" != "" ]]; then \
+		mv /builddir/build/SRPMS/* ${outdir}; \
+	fi

.github/workflows/lint.yml

@@ -0,0 +1,33 @@
+---
+name: Run Linters
+on:
+  - push
+  - pull_request
+jobs:
+  linters:
+    name: Run Linters
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v2
+        with:
+          python-version: "3.6"
+
+      - name: Run ansible-lint
+        uses: ansible/ansible-lint-action@master
+        with:
+          targets: |
+            tests/*.yml
+            tests/*/*.yml
+            tests/*/*/*.yml
+            playbooks/*.yml
+            playbooks/*/*.yml
+        env:
+          ANSIBLE_MODULE_UTILS: plugins/module_utils
+          ANSIBLE_LIBRARY: plugins/modules
+
+      - name: Run yaml-lint
+        uses: ibiqlik/action-yamllint@v1
+
+      - name: Run Python linters
+        uses: rjeffman/python-lint-action@master

.gitignore

@@ -1,2 +1,8 @@
 *.pyc
 *.retry
+
+# ignore virtual environments
+/.tox/
+/.venv/
+
+tests/logs/

.yamllint

@@ -0,0 +1,28 @@
+---
+ignore: |
+  /.tox/
+  /.venv/
+  /.github/
+
+extends: default
+
+rules:
+  braces:
+    max-spaces-inside: 1
+    level: error
+  brackets:
+    max-spaces-inside: 1
+    level: error
+  truthy:
+    allowed-values: ["yes", "no", "true", "false", "True", "False"]
+    level: error
+  # Disabled rules
+  document-start: disable
+  indentation: disable
+  line-length: disable
+  colons: disable
+  empty-lines: disable
+  comments: disable
+  comments-indentation: disable
+  trailing-spaces: disable
+  new-line-at-end-of-file: disable

README-config.md

@@ -19,6 +19,7 @@ Supported FreeIPA Versions
 
 FreeIPA versions 4.4.0 and up are supported by the ipaconfig module.
 
+Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 
 Requirements
 ------------
@@ -91,7 +92,7 @@ Variable | Description | Required
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `maxusername` \| `ipamaxusernamelength` |  Set the maximum username length (1 to 255) | no
-`maxhostname` \| `ipamaxhostnamelength` |  Set the maximum hostname length between 64-255 | no
+`maxhostname` \| `ipamaxhostnamelength` |  Set the maximum hostname length between 64-255. Only usable with IPA versions 4.8.0 and up. | no
 `homedirectory` \| `ipahomesrootdir` |  Set the default location of home directories | no
 `defaultshell` \| `ipadefaultloginshell` |  Set the default shell for new users | no
 `defaultgroup` \| `ipadefaultprimarygroup` |  Set the default group for new users | no

README-delegation.md

@@ -0,0 +1,157 @@
+Delegation module
+=================
+
+Description
+-----------
+
+The delegation module allows to ensure presence, absence of delegations and delegation attributes.
+
+
+Features
+--------
+
+* Delegation management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipadelegation module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure delegation "basic manager attributes" is present:
+
+```yaml
+---
+- name: Playbook to manage IPA delegation.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      permission: read
+      attribute:
+      - businesscategory
+      - employeetype
+      group: managers
+      membergroup: employees
+```
+
+
+Example playbook to make sure delegation "basic manager attributes" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA delegation.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      state: absent
+```
+
+
+Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are present:
+
+```yaml
+---
+- name: Playbook to manage IPA delegation.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      attribute:
+      - employeenumber
+      - employeetype
+      action: member
+```
+
+
+Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are absent:
+
+```yaml
+---
+- name: Playbook to manage IPA delegation.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      attribute:
+      - employeenumber
+      - employeetype
+      action: member
+      state: absent
+```
+
+
+Example playbook to make sure delegation "basic manager attributes" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA delegation.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      state: absent
+```
+
+
+Variables
+---------
+
+ipadelegation
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `aciname` | The list of delegation name strings. | yes
+`permission` \| `permissions` |  The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
+`attribute` \| `attrs` | The attribute list to which the delegation applies. | no
+`membergroup` \| `memberof` | The user group to apply delegation to. | no
+`group` | User group ACI grants access to. | no
+`action` | Work on delegation or member level. It can be on of `member` or `delegation` and defaults to `delegation`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner

README-dnsforwardzone.md

@@ -49,7 +49,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
   tasks:
   - name: ensure presence of forwardzone for DNS requests for example.com to 8.8.8.8
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -59,13 +59,13 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
 
   - name: ensure the forward zone is disabled
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: disabled
 
   - name: ensure presence of multiple upstream DNS servers for example.com
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -74,7 +74,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
 
   - name: ensure presence of another forwarder to any existing ones for example.com
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       state: present
       name: example.com
       forwarders:
@@ -83,7 +83,7 @@ Example playbook to ensure presence of a forwardzone to ipa DNS:
 
   - name: ensure the forwarder for example.com does not exists (delete it if needed)
     ipadnsforwardzone:
-      ipaadmin_password: password01
+      ipaadmin_password: SomeADMINpassword
       name: example.com
       state: absent
 ```
@@ -99,9 +99,12 @@ Variable | Description | Required
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | Zone name (FQDN). | yes if `state` == `present`
-`forwarders` \| `idnsforwarders` |  Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`) | no
-`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
+`forwarders` \| `idnsforwarders` |  Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
+  | `ip_address`: The forwarder IP address. | yes
+  | `port`: The forwarder IP port. | no
+`forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
 `skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
+`permission` | Allow DNS Forward Zone to be managed. (bool) | no
 `action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
 

README-dnszone.md

@@ -152,6 +152,46 @@ Example playbook to remove a zone:
 
 ```
 
+Example playbook to create a zone for reverse DNS lookup, from an IP address:
+
+```yaml
+
+---
+- name: dnszone present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure zone for reverse DNS lookup is present.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name_from_ip: 192.168.1.2
+      state: present
+```
+
+Note that, on the previous example the zone created with `name_from_ip` might be "1.168.192.in-addr.arpa.", "168.192.in-addr.arpa.", or "192.in-addr.arpa.", depending on the DNS response the system get while querying for zones, and for this reason, when creating a zone using `name_from_ip`, the inferred zone name is returned to the controller, in the attribute `dnszone.name`. Since the zone inferred might not be what a user expects, `name_from_ip` can only be used with `state: present`. To have more control over the zone name, the prefix length for the IP address can be provided.
+
+Example playbook to create a zone for reverse DNS lookup, from an IP address, given the prefix length and displaying the resulting zone name:
+
+```yaml
+
+---
+- name: dnszone present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure zone for reverse DNS lookup is present.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name_from_ip: 192.168.1.2/24
+      state: present
+    register: result
+  - name: Display inferred zone name.
+    debug:
+      msg: "Zone name: {{ result.dnszone.name }}"
+```
+
 
 Variables
 =========
@@ -163,7 +203,8 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
-`name` \| `zone_name` | The zone name string. | yes
+`name` \| `zone_name` | The zone name string or list of strings. | no
+`name_from_ip` | Derive zone name from reverse of IP (PTR). Can only be used with `state: present`. | no
 `forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
   | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
   | `port` - The custom port that should be used on this server. | no
@@ -189,6 +230,17 @@ Variable | Description | Required
 `skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no
 
 
+Return Values
+=============
+
+ipadnszone
+----------
+
+Variable | Description | Returned When
+-------- | ----------- | -------------
+`dnszone` | DNS Zone dict with zone name infered from `name_from_ip`. <br>Options: |  If `state` is `present`, `name_from_ip` is used, and a zone was created.
+&nbsp; | `name` - The name of the zone created, inferred from `name_from_ip`. | Always
+
 Authors
 =======
 

README-group.md

@@ -19,6 +19,8 @@ Supported FreeIPA Versions
 
 FreeIPA versions 4.4.0 and up are supported by the ipagroup module.
 
+Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
+
 
 Requirements
 ------------
@@ -137,6 +139,7 @@ Variable | Description | Required
 `name` \| `cn` | The list of group name strings. | no
 `description` | The group description string. | no
 `gid` \| `gidnumber` | The GID integer. | no
+`posix` | Create a non-POSIX group or change a non-POSIX to a posix group. (bool) | no
 `nonposix` | Create as a non-POSIX group. (bool) | no
 `external` | Allow adding external non-IPA members from trusted domains. (bool) | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no

README-host.md

@@ -355,7 +355,7 @@ Variable | Description | Required
 `mac_address` \| `macaddress` | List of hardware MAC addresses. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
 `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
 `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
 `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no

README-hostgroup.md

@@ -19,6 +19,8 @@ Supported FreeIPA Versions
 
 FreeIPA versions 4.4.0 and up are supported by the ipahostgroup module.
 
+Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
+
 
 Requirements
 ------------
@@ -105,6 +107,23 @@ Example playbook to make sure hosts and hostgroups are absent in databases hostg
       state: absent
 ```
 
+Example playbook to rename an existing playbook:
+
+```yaml
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host-group databases is absent
+  - ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      rename: datalake
+      state: renamed
+```
+
 Example playbook to make sure host-group databases is absent:
 
 ```yaml
@@ -121,7 +140,6 @@ Example playbook to make sure host-group databases is absent:
       state: absent
 ```
 
-
 Variables
 =========
 
@@ -139,8 +157,9 @@ Variable | Description | Required
 `hostgroup` | List of hostgroup name strings assigned to this hostgroup. | no
 `membermanager_user` | List of member manager users assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
+`rename` \| `new_name` | Rename hostgroup to the provided name. Only usable with IPA versions 4.8.7 and up. | no
 `action` | Work on hostgroup or member level. It can be on of `member` or `hostgroup` and defaults to `hostgroup`. | no
-`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
 
 
 Authors

README-location.md

@@ -0,0 +1,92 @@
+Location module
+===============
+
+Description
+-----------
+
+The location module allows to ensure presence and absence of locations.
+
+Features
+--------
+
+* Location management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipalocation module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure location "my_location1" is present:
+
+```yaml
+---
+- name: Playbook to manage IPA location.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipalocation:
+      ipaadmin_password: SomeADMINpassword
+      name: my_location1
+      description: My Location 1
+```
+
+
+Example playbook to make sure location "my_location1" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA location.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipalocation:
+      ipaadmin_password: SomeADMINpassword
+      name: my_location1
+      state: absent
+```
+
+
+Variables
+---------
+
+ipalocation
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `idnsname` | The list of location name strings. | yes
+`description` | The IPA location string | false
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner

README-privilege.md

@@ -0,0 +1,147 @@
+Privilege module
+================
+
+Description
+-----------
+
+The privilege module allows to ensure presence and absence of privileges and privilege members.
+
+Features
+--------
+
+* Privilege management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaprivilege module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure privilege "Broad Privilege" is present:
+
+```yaml
+---
+- name: Playbook to manage IPA privilege.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      description: Broad Privilege
+```
+
+Example playbook to make sure privilege "Broad Privilege" member permission has multiple values:
+
+```yaml
+---
+- name: Playbook to manage IPA privilege permission member.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      permission:
+      - "Write IPA Configuration"
+      - "System: Write DNS Configuration"
+      - "System: Update DNS Entries"
+      action: member
+```
+
+
+Example playbook to make sure privilege "Broad Privilege" member permission 'Write IPA Configuration' is absent:
+
+
+```yaml
+---
+- name: Playbook to manage IPA privilege permission member.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      permission:
+      - "Write IPA Configuration"
+      action: member
+      state: absent
+```
+
+Example playbook to rename privilege "Broad Privilege" to "DNS Special Privilege":
+
+```yaml
+---
+- name: Playbook to manage IPA privilege.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      rename: DNS Special Privilege
+      state: renamed
+```
+
+Example playbook to make sure privilege "DNS Special Privilege" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA privilege.
+  hosts: ipaserver
+  become: yes
+  - name: Ensure privilege Broad Privilege is absent
+      ipaadmin_password: SomeADMINpassword
+      name: DNS Special Privilege
+      state: absent
+```
+
+
+Variables
+---------
+
+ipaprivilege
+------------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin`. | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node. | no
+`name` \| `cn` | The list of privilege name strings. | yes
+`description` | Privilege description. | no
+`rename` \| `new_name` | Rename the privilege object. | no
+`permission` | Permissions to be added to the privilege. | no
+`action` | Work on privilege or member level. It can be one of `member` or `privilege` and defaults to `privilege`. | no
+`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
+
+
+Authors
+=======
+
+Rafael Guterres Jeffman

README-role.md

@@ -0,0 +1,264 @@
+Role module
+===========
+
+Description
+-----------
+
+The role module allows to ensure presence, absence of roles and members of roles.
+
+The role module is as compatible as possible to the Ansible upstream `ipa_role` module, but additionally offers role member management.
+
+
+Features
+--------
+
+* Role management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the iparole module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure role is present with all members:
+
+```yaml
+---
+- name: Playbook to manage IPA role with members.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      group:
+      - group01
+      host:
+      - host01.example.com
+      hostgroup:
+      - hostgroup01
+      privilege:
+      - Group Administrators
+      - User Administrators
+      service:
+      - service01
+```
+
+Example playbook to rename a role:
+
+```yaml
+- iparole:
+    ipaadmin_password: SomeADMINpassword
+    name: somerole
+    rename: anotherrole
+```
+
+Example playbook to make sure role is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA role.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      state: absent
+```
+
+Example playbook to ensure a user is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      action: member
+```
+
+Example playbook to ensure a group is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      host:
+      - host01.example.com
+      action: member
+```
+
+Example playbook to ensure a host is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      host:
+      - host01.example.com
+      action: member
+```
+
+Example playbook to ensure a hostgroup is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      hostgroup:
+      - hostgroup01
+      action: member
+```
+
+Example playbook to ensure a service is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      service:
+      - service01
+      action: member
+```
+
+Example playbook to ensure a privilege is a member of a role:
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      privilege:
+      - Group Administrators
+      - User Administrators
+      action: member
+```
+
+Example playbook to ensure that different members are not associated with a role.
+
+```yaml
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      group:
+      - group01
+      host:
+      - host01.example.com
+      hostgroup:
+      - hostgroup01
+      privilege:
+      - Group Administrators
+      - User Administrators
+      service:
+      - service01
+      action: member
+      state: absent
+```
+
+
+Variables
+---------
+
+iparole
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of role name strings. | yes
+`description` | A description for the role. | no
+`rename` | Rename the role object. | no
+`privileges` | Privileges associated to this role. | no
+`user` | List of users to be assigned or not assigned to the role. | no
+`group` | List of groups to be assigned or not assigned to the role. | no
+`host` | List of hosts to be assigned or not assigned to the role. | no
+`hostgroup` | List of hostgroups to be assigned or not assigned to the role. | no
+`service` | List of services to be assigned or not assigned to the role. | no
+`action` | Work on role or member level. It can be on of `member` or `role` and defaults to `role`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Rafael Jeffman

README-selfservice.md

@@ -0,0 +1,151 @@
+Selfservice module
+=================
+
+Description
+-----------
+
+The selfservice module allows to ensure presence, absence of selfservices and selfservice attributes.
+
+
+Features
+--------
+
+* Selfservice management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaselfservice module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure selfservice "Users can manage their own name details" is present:
+
+```yaml
+---
+- name: Playbook to manage IPA selfservice.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaselfservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "Users can manage their own name details"
+      permission: read
+      attribute:
+      - title
+      - initials
+```
+
+
+Example playbook to make sure selfservice "Users can manage their own name details" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA selfservice.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaselfservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "Users can manage their own name details"
+      state: absent
+```
+
+
+Example playbook to make sure "Users can manage their own name details" member attribute initials is present:
+
+```yaml
+---
+- name: Playbook to manage IPA selfservice.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaselfservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "Users can manage their own name details"
+      attribute:
+      - initials
+      action: member
+```
+
+
+Example playbook to make sure "Users can manage their own name details" member attribute initials is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA selfservice.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaselfservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "Users can manage their own name details"
+      attribute:
+      - initials
+      action: member
+      state: absent
+```
+
+
+Example playbook to make sure selfservice "Users can manage their own name details" is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA selfservice.
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - ipaselfservice:
+      ipaadmin_password: SomeADMINpassword
+      name: "Users can manage their own name details"
+      state: absent
+```
+
+
+Variables
+---------
+
+ipaselfservice
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `aciname` | The list of selfservice name strings. | yes
+`permission` \| `permissions` |  The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
+`attribute` \| `attrs` | The attribute list to which the selfservice applies. | no
+`action` | Work on selfservice or member level. It can be on of `member` or `selfservice` and defaults to `selfservice`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
+
+
+Authors
+=======
+
+Thomas Woerner

README-service.md

@@ -18,7 +18,7 @@ Supported FreeIPA Versions
 
 FreeIPA versions 4.4.0 and up are supported by the ipaservice module.
 
-Option `skip_host_check` requires FreeIPA version 4.7.0 or later.
+Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 
 
 Requirements
@@ -56,7 +56,7 @@ Example playbook to make sure service is present:
   - ipaservice:
       ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
-      certificate:
+      certificate: |
         - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
         DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
         ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
@@ -77,7 +77,7 @@ Example playbook to make sure service is present:
       requires_pre_auth: false
       ok_as_delegate: false
       ok_to_auth_as_delegate: false
-      skip-host-check: true
+      skip_host_check: true
       force: true
 ```
 
@@ -167,7 +167,7 @@ Example playbook to ensure service has a certificate:
   - ipaservice:
       ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
-      certificate:
+      certificate: |
         - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
         DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
         ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
@@ -294,11 +294,11 @@ Variable | Description | Required
 `name` \| `service` | The list of service name strings. | yes
 `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
 `pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
 `ok_as_delegate` \|  `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
 `ok_to_auth_as_delegate` \|  `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
-`skip_host_check` | Force service to be created even when host object does not exist to manage it. Default to false. (bool)| no
+`skip_host_check` | Force service to be created even when host object does not exist to manage it. Only usable with IPA versions 4.7.0 and up. Default to false. (bool)| no
 `force` | Force principal name even if host not in DNS. Default to false. (bool) | no
 `host` \| `managedby_host`| Hosts that can manage the service. | no
 `principal` \| `krbprincipalname` | List of principal aliases for the service. | no

README-trust.md

@@ -0,0 +1,119 @@
+Trust module
+============
+
+Description
+-----------
+
+The trust module allows to ensure presence and absence of a domain trust.
+
+Features
+--------
+
+* Trust management
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipatrust module.
+
+Requirements
+------------
+
+**Controller**
+
+* Ansible version: 2.8+
+
+**Node**
+
+* Supported FreeIPA version (see above)
+* samba-4
+* ipa-server-trust-ad
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to ensure a one-way trust is present:
+Omitting the two_way option implies the default of one-way
+
+```yaml
+---
+- name: Playbook to ensure a one-way trust is present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: ensure the one-way trust present
+    ipatrust:
+      realm: ad.example.test
+      admin: Administrator
+      password: secret_password
+      state: present
+```
+
+Example playbook to ensure a two-way trust is present using a shared-secret:
+
+```yaml
+---
+- name: Playbook to ensure a two-way trust is present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: ensure the two-way trust is present
+    ipatrust:
+      realm: ad.example.test
+      trust_secret: my_share_Secret
+      two_way: True
+      state: present
+```
+
+Example playbook to ensure a trust is absent:
+
+```yaml
+---
+- name: Playbook to ensure a trust is absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: ensure the trust is absent
+    ipatrust:
+      realm: ad.example.test
+      state: absent
+```
+
+This will only delete the ipa-side of the trust and it does NOT delete the id-range that matches the trust,
+
+Variables
+=========
+
+ipatrust
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`realm` | The realm name string. | yes
+`admin` | Active Directory domain administrator string. | no
+`password` | Active Directory domain administrator's password string. | no
+`server` | Domain controller for the Active Directory domain string. | no
+`trust_secret` | Shared secret for the trust string. | no
+`base_id` | First posix id for the trusted domain integer. | no
+`range_size` | Size of the ID range reserved for the trusted domain integer. | no
+`range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no
+`two_way` | Establish bi-directional trust. By default trust is inbound one-way only. (bool) | no
+`external` | Establish external trust to a domain in another forest. The trust is not transitive beyond the domain. (bool) | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
+
+Authors
+=======
+
+Rob Verduijn

README-user.md

@@ -437,7 +437,7 @@ There are only return values if one or more random passwords have been generated
 
 Variable | Description | Returned When
 -------- | ----------- | -------------
-`host` | Host dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
+`user` | User dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
 &nbsp; | `randompassword` - The generated random password | If only one user is handled by the module
 &nbsp; | `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several users are handled by the module
 

README-vault.md

@@ -165,6 +165,22 @@ Example playbook to make sure vault data is absent in a symmetric vault:
       state: absent
 ```
 
+Example playbook to change the password of a symmetric:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      old_password: SomeVAULTpassword
+      new_password: SomeNEWpassword
+```
+
 Example playbook to make sure vault is absent:
 
 ```yaml
@@ -181,7 +197,7 @@ Example playbook to make sure vault is absent:
       state: absent
     register: result
   - debug:
-      msg: "{{ result.data }}"
+      msg: "{{ result.vault.data }}"
 ```
 
 Variables
@@ -197,8 +213,11 @@ Variable | Description | Required
 `name` \| `cn` | The list of vault name strings. | yes
 `description` | The vault description string. | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
-`password ` \| `vault_password` \| `ipavaultpassword` | Vault password. | no
-`public_key ` \| `vault_public_key` \| `ipavaultpublickey` | Base64 encoded vault public key. | no
+`password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
+`password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no
+`new_password` | Vault new password. | no
+`new_password_file` | File containing Base64 encoded new Vault password. | no
+`public_key ` \| `vault_public_key` \| `old_password_file` | Base64 encoded vault public key. | no
 `public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
 `private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
 `private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
@@ -227,7 +246,8 @@ There is only a return value if `state` is `retrieved`.
 
 Variable | Description | Returned When
 -------- | ----------- | -------------
-`data` | The data stored in the vault. | If `state` is `retrieved`.
+`vault` | Vault dict with archived data. (dict) <br>Options: | If `state` is `retrieved` and `out` is not defined.
+&nbsp; | `data` - The vault data. | Always
 
 
 Notes

README.md

@@ -21,11 +21,13 @@ Features
 * Modules for host management
 * Modules for hostgroup management
 * Modules for pwpolicy management
+* Modules for role management
 * Modules for service management
 * Modules for sudocmd management
 * Modules for sudocmdgroup management
 * Modules for sudorule management
 * Modules for topology management
+* Modules fot trust management
 * Modules for user management
 * Modules for vault management
 
@@ -421,12 +423,14 @@ Modules in plugin/modules
 * [ipahost](README-host.md)
 * [ipahostgroup](README-hostgroup.md)
 * [ipapwpolicy](README-pwpolicy.md)
+* [iparole](README-role.md)
 * [ipaservice](README-service.md)
 * [ipasudocmd](README-sudocmd.md)
 * [ipasudocmdgroup](README-sudocmdgroup.md)
 * [ipasudorule](README-sudorule.md)
 * [ipatopologysegment](README-topology.md)
 * [ipatopologysuffix](README-topology.md)
+* [ipatrust](README-trust.md)
 * [ipauser](README-user.md)
 * [ipavault](README-vault.md)
 

azure-pipelines.yml

@@ -1,22 +0,0 @@
-trigger:
-- master
-
-pool:
-  vmImage: 'ubuntu-18.04'
-
-steps:
-- task: UsePythonVersion@0
-  inputs:
-    versionSpec: '3.6'
-
-- script: python -m pip install --upgrade pip setuptools wheel
-  displayName: Install tools
-
-- script: pip install pydocstyle flake8
-  displayName: Install dependencies
-
-- script: flake8 .
-  displayName: Run flake8 checks
-
-- script: pydocstyle .
-  displayName: Verify docstings

molecule/centos-7-build/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: centos-7-build
+    image: centos/systemd
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 8.8.8.8
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare-build.yml

molecule/centos-7/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: centos-7
+    image: quay.io/ansible-freeipa/upstream-tests:centos-7
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 127.0.0.1
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare.yml

molecule/centos-8-build/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: centos-8-build
+    image: centos:8
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 8.8.8.8
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare-build.yml

molecule/centos-8/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: centos-8
+    image: quay.io/ansible-freeipa/upstream-tests:centos-8
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 127.0.0.1
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare.yml

molecule/default

@@ -0,0 +1 @@
+centos-8

molecule/fedora-latest-build/Dockerfile

@@ -0,0 +1,30 @@
+FROM fedora:latest
+ENV container=docker
+
+RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
+dnf makecache; \
+dnf --assumeyes install \
+    /usr/bin/python3 \
+    /usr/bin/python3-config \
+    /usr/bin/dnf-3 \
+    sudo \
+    bash \
+    systemd \
+    procps-ng \
+    iproute && \
+dnf clean all; \
+(cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+rm -f /lib/systemd/system/multi-user.target.wants/*;\
+rm -f /etc/systemd/system/*.wants/*;\
+rm -f /lib/systemd/system/local-fs.target.wants/*; \
+rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+rm -f /lib/systemd/system/basic.target.wants/*;\
+rm -f /lib/systemd/system/anaconda.target.wants/*; \
+rm -rf /var/cache/dnf/;
+
+STOPSIGNAL RTMIN+3
+
+VOLUME ["/sys/fs/cgroup"]
+
+CMD ["/usr/sbin/init"]

molecule/fedora-latest-build/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: fedora-latest-build
+    image: fedora-latest
+    dockerfile: Dockerfile
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 8.8.8.8
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare-build.yml

molecule/fedora-latest/molecule.yml

@@ -0,0 +1,18 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: fedora-latest
+    image: quay.io/ansible-freeipa/upstream-tests:fedora-latest
+    pre_build_image: true
+    hostname: ipaserver.test.local
+    dns_servers:
+      - 127.0.0.1
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:ro
+    command: /usr/sbin/init
+    privileged: true
+provisioner:
+  name: ansible
+  playbooks:
+    prepare: ../resources/playbooks/prepare.yml

molecule/resources/playbooks/library

@@ -0,0 +1 @@
+../../../plugins/modules/

molecule/resources/playbooks/module_utils

@@ -0,0 +1 @@
+../../../plugins/module_utils/

molecule/resources/playbooks/prepare-build.yml

@@ -0,0 +1,27 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+  - include_tasks: prepare-common.yml
+
+  - name: Ensure sudo package is installed
+    package:
+      name: sudo
+
+  - name: Ensure nss package is updated
+    package:
+      name: nss
+      state: latest  # noqa 403
+
+  - include_role:
+      name: ipaserver
+    vars:
+      ipaserver_setup_dns: yes
+      ipaserver_setup_kra: yes
+      ipaserver_auto_forwarders: yes
+      ipaserver_no_dnssec_validation: yes
+      ipaserver_auto_reverse: yes
+      ipaadmin_password: SomeADMINpassword
+      ipadm_password: SomeDMpassword
+      ipaserver_domain: test.local
+      ipaserver_realm: TEST.LOCAL

molecule/resources/playbooks/prepare-common.yml

@@ -0,0 +1,33 @@
+# IPA depends on IPv6 and without it dirsrv service won't start.
+- name: Ensure IPv6 is ENABLED
+  sysctl:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    sysctl_set: yes
+    state: present
+    reload: yes
+  with_items :
+    - name: net.ipv6.conf.all.disable_ipv6
+      value: 0
+    - name: net.ipv6.conf.lo.disable_ipv6
+      value: 0
+    - name: net.ipv6.conf.eth0.disable_ipv6
+      value: 1
+
+# Set fs.protected_regular to 0
+#   This is needed in some IPA versions in order to get KRA enabled.
+#   See https://pagure.io/freeipa/issue/7906 for more information.
+- name: stat protected_regular
+  stat:
+    path: /proc/sys/fs/protected_regular
+  register: result
+
+- name: Ensure fs.protected_regular is disabled
+  sysctl:
+    name: fs.protected_regular
+    value: 0
+    sysctl_set: yes
+    state: present
+    reload: yes
+  when: result.stat.exists
+

molecule/resources/playbooks/prepare.yml

@@ -0,0 +1,26 @@
+---
+- name: Converge
+  hosts: all
+  tasks:
+  - include_tasks: prepare-common.yml
+
+  # In some distros DS won't start up after reboot
+  #   This is due to a problem in 389-ds. See tickets:
+  #   * https://pagure.io/389-ds-base/issue/47429
+  #   * https://pagure.io/389-ds-base/issue/51039
+  #
+  # To avoid this problem we create the directories before starting IPA.
+  - name: Ensure lock dirs for DS exists
+    file:
+      state: directory
+      owner: dirsrv
+      group: dirsrv
+      path: "{{ item }}"
+    loop:
+      - /var/lock/dirsrv/
+      - /var/lock/dirsrv/slapd-TEST-LOCAL/
+
+  - name: Ensure IPA server is up an running
+    service:
+      name: ipa
+      state: started

molecule/resources/playbooks/roles

@@ -0,0 +1 @@
+../../../roles/

playbooks/delegation/delegation-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Delegation absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" is absent
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      state: absent

playbooks/delegation/delegation-member-absent.yml

@@ -0,0 +1,15 @@
+---
+- name: Delegation member absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      attribute:
+      - employeenumber
+      - employeetype
+      action: member
+      state: absent

playbooks/delegation/delegation-member-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Delegation member present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" member attribute departmentnumber is present
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      attribute:
+      - departmentnumber
+      action: member

playbooks/delegation/delegation-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Delegation present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" is present
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      permission: read
+      attribute:
+      - businesscategory
+      group: managers
+      membergroup: employees

playbooks/dnsforwardzone/ensure-dnsforwardzone-is-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage DNS forward zone
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure DNS zone is present
+  - ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      state: absent

playbooks/dnsforwardzone/ensure-dnsforwardzone-is-present.yml

@@ -0,0 +1,16 @@
+---
+- name: Playbook to manage DNS forward zone
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure DNS zone is present
+  - ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      forwarders:
+        - ip_address: 8.8.8.8
+      forwardpolicy: first
+      skip_overlap_check: true
+      permission: yes

playbooks/dnsforwardzone/ensure-dnsforwardzone-with-forwarder-port.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage DNS forward zone
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure DNS zone is present
+  - ipadnsforwardzone:
+      ipaadmin_password: SomeADMINpassword
+      name: example.com
+      forwarders:
+        - ip_address: 192.168.100.123
+          port: 8063

playbooks/dnszone/dnszone-reverse-from-ip.yml

@@ -0,0 +1,15 @@
+---
+- name: Playbook to ensure DNS zone exist
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure zone exist, finding zone name from IP address.
+    ipadnszone:
+      ipaadmin_password: SomeADMINpassword
+      name_from_ip: 10.1.2.3/24
+    register: result
+
+  - name: Zone name inferred from `name_from_ip`
+    debug:
+      msg: "Zone created: {{ result.dnszone.name }}"

playbooks/host/host-member-managedby_host-absent.yml

@@ -4,7 +4,7 @@
   become: true
 
   tasks:
-    ipahost:
+  - ipahost:
       ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       managedby_host: server.exmaple.com

playbooks/host/host-member-managedby_host-present.yml

@@ -4,7 +4,7 @@
   become: true
 
   tasks:
-    ipahost:
+  - ipahost:
       ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       managedby_host: server.exmaple.com

playbooks/host/host-present-with-managedby_host.yml

@@ -4,7 +4,7 @@
   become: true
 
   tasks:
-    ipahost:
+  - ipahost:
       ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       managedby_host: server.exmaple.com

playbooks/host/hosts-member-managedby_host-absent.yml

@@ -4,6 +4,7 @@
   become: true
 
   tasks:
+  - name: Ensure hosts manadegby_host is absent.
     ipahost:
       ipaadmin_password: SomeADMINpassword
       hosts:

playbooks/host/hosts-member-managedby_host-present.yml

@@ -4,6 +4,7 @@
   become: true
 
   tasks:
+  - name: Ensure hosts manadegby_host is absent.
     ipahost:
       ipaadmin_password: SomeADMINpassword
       hosts:

playbooks/host/hosts-present-with-managedby_host.yml

@@ -4,7 +4,7 @@
   become: true
 
   tasks:
-    ipahost:
+  - ipahost:
       ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.exmaple.com

playbooks/host/hosts-present-with-randompasswords.yml

@@ -23,4 +23,3 @@
   - name: Print generated random password for host02.example.com
     debug:
       var: ipahost.host["host02.example.com"].randompassword
-

playbooks/hostgroup/rename-hostgroup.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook to handle hostgroups
+  hosts: ipaserver
+  become: yes
+
+  tasks:
+  - name : Rename host-group from `databases` to `datalake`
+    ipahostgroup:
+      ipaadmin_password: SomeADMINpassword
+      name: databases
+      rename: datalake
+      state: renamed

playbooks/location/location-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Location absent test
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure location my_location1 is absent
+    ipalocation:
+      ipaadmin_password: SomeADMINpassword
+      name: my_location1
+      state: absent

playbooks/location/location-present.yml

@@ -0,0 +1,10 @@
+---
+- name: Location present test
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure location my_location1 is present
+    ipalocation:
+      ipaadmin_password: SomeADMINpassword
+      name: my_location1

playbooks/privilege/privilege-absent.yml

@@ -0,0 +1,10 @@
+---
+- name: Privilege absent example
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure privilege "Broad Privilege" is absent
+    ipaprivilege:
+      name: Broad Privilege
+      state: absent

playbooks/privilege/privilege-member-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Privilege absent example
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure privilege "Broad Privilege" permission is absent
+    ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      permission:
+      - "System: Write IPA Configuration"
+      action: member
+      state: absent

playbooks/privilege/privilege-member-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Privilege member present example
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure privilege "Broad Privilege" permissions are present
+    ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      permission:
+      - "System: Write IPA Configuration"
+      - "System: Write DNS Configuration"
+      - "System: Update DNS Entries"
+      action: member

playbooks/privilege/privilege-present.yml

@@ -0,0 +1,11 @@
+---
+- name: Privilege present example
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure privilege Broad Privilege is present
+    ipaprivilege:
+      ipaadmin_password: SomeADMINpassword
+      name: Broad Privilege
+      description: Broad Privilege

playbooks/role/role-is-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage IPA role.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      state: absent

playbooks/role/role-is-present.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage IPA role.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      description: A role in IPA.

playbooks/role/role-member-group-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      group:
+      - group01
+      action: member
+      state: absent

playbooks/role/role-member-group-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      group:
+      - group01
+      action: member

playbooks/role/role-member-host-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      host:
+      - host01.example.com
+      action: member
+      state: absent

playbooks/role/role-member-host-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      host:
+      - host01.example.com
+      action: member

playbooks/role/role-member-hostgroup-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      hostgroup:
+      - hostgroup01
+      action: member
+      state: absent

playbooks/role/role-member-hostgroup-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      hostgroup:
+      - hostgroup01
+      action: member

playbooks/role/role-member-privilege-absent.yml

@@ -0,0 +1,15 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      privilege:
+      - Group Administrators
+      - User Administrators
+      action: member
+      state: absent

playbooks/role/role-member-privilege-present.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      privilege:
+      - Group Administrators
+      - User Administrators
+      action: member

playbooks/role/role-member-service-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: testrole
+      service:
+      - http/www.example.com
+      action: member
+      state: absent

playbooks/role/role-member-service-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      service:
+      - service01
+      action: member

playbooks/role/role-member-user-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      action: member
+      state: absent

playbooks/role/role-member-user-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      action: member

playbooks/role/role-members-absent.yml

@@ -0,0 +1,25 @@
+---
+- name: Playbook to manage IPA role member.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      group:
+      - group01
+      host:
+      - host01.example.com
+      hostgroup:
+      - hostgroup01
+      privilege:
+      - Group Administrators
+      - User Administrators
+      service:
+      - service01
+      action: member
+      state: absent

playbooks/role/role-members-present.yml

@@ -0,0 +1,23 @@
+---
+- name: Playbook to manage IPA role with members.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      user:
+      - pinky
+      group:
+      - group01
+      host:
+      - host01.example.com
+      hostgroup:
+      - hostgroup01
+      privilege:
+      - Group Administrators
+      - User Administrators
+      service:
+      - service01

playbooks/role/role-rename.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage IPA role.
+  hosts: ipaserver
+  become: yes
+  gather_facts: no
+
+  tasks:
+  - iparole:
+      ipaadmin_password: SomeADMINpassword
+      name: somerole
+      rename: anotherrole

playbooks/selfservice/selfservice-absent.yml

@@ -0,0 +1,11 @@
+---
+- name: Delegation absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" is absent
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      state: absent

playbooks/selfservice/selfservice-member-absent.yml

@@ -0,0 +1,15 @@
+---
+- name: Delegation member absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      attribute:
+      - employeenumber
+      - employeetype
+      action: member
+      state: absent

playbooks/selfservice/selfservice-member-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Delegation member present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" member attribute departmentnumber is present
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      attribute:
+      - departmentnumber
+      action: member

playbooks/selfservice/selfservice-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Delegation present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure delegation "basic manager attributes" is present
+    ipadelegation:
+      ipaadmin_password: SomeADMINpassword
+      name: "basic manager attributes"
+      permission: read
+      attribute:
+      - businesscategory

playbooks/service/service-host-is-absent.yml

@@ -7,7 +7,7 @@
   tasks:
   # Ensure management host is absent.
   - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       host: "{{ groups.ipaserver[0] }}"
       action: member

playbooks/service/service-host-is-present.yml

@@ -7,7 +7,7 @@
   tasks:
   # Ensure management host is present.
   - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       host: "{{ groups.ipaserver[0] }}"
       action: member

playbooks/service/service-is-absent.yml

@@ -7,6 +7,6 @@
   tasks:
   # Ensure service is absent
   - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       state: absent

playbooks/service/service-is-disabled.yml

@@ -7,6 +7,6 @@
   tasks:
   # Ensure service is disabled
   - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       state: disabled

playbooks/service/service-is-present-with-all-attributes.yml

@@ -7,7 +7,7 @@
   tasks:
   # Ensure service is present
   - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       certificate:
         - MIICBjCCAW8CFHnm32VcXaUDGfEGdDL/erPSijUAMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjAwMTIzMDA1NjQ2WhcNMjEwMTIyMDA1NjQ2WjBCMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYrdVmsr7iT3f67DM5bb1osSEe5/c91UUMEIcFq5wrgBhzVfs8iIMDVC1yiUGTsDLJNJc4nb1tUxeR9K5fh25E6n/eWDBP75NStotjAXRU4Ahi3FNRhWFOKesds5xNqgDk5/dY8UekJv2yUblQuZzeF8b2XFrmHuCaYuFctzPfWwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACF+5RS8Ce0HRixGPu4Xd51i+Kzblg++lx8fDJ8GW5G16/Z1AsB72Hc7etJL2PksHlue/xCq6SA9fIfHc4TBNCiWjPSP1NhHJeYyoPiSkcYsqXuxWyoyRLbnAhBVvhoiqZbUt3u3tGB0uMMA0yJvj07mP7Nea2KdBYVH8X1pM0V+

playbooks/service/service-is-present-with-host-force.yml

@@ -7,7 +7,7 @@
   tasks:
   # Ensure service is present
   - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/ihavenodns.info
       force: yes
       # state: absent

playbooks/service/service-is-present-without-host-object.yml

@@ -7,6 +7,6 @@
   tasks:
   # Ensure service is present
   - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.ansible.com
       skip_host_check: yes

playbooks/service/service-is-present.yml

@@ -7,5 +7,5 @@
   tasks:
   # Ensure service is present
   - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com

playbooks/service/service-member-allow_create_keytab-absent.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Service HTTP/www.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups
     ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       allow_create_keytab_user:
       - user01

playbooks/service/service-member-allow_create_keytab-present.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Service HTTP/www.example.com members allow_create_keytab present for users, groups, hosts and hostgroups
     ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       allow_create_keytab_user:
       - user01

playbooks/service/service-member-allow_retrieve_keytab-absent.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Service HTTP/www.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups
     ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       allow_retrieve_keytab_user:
       - user01

playbooks/service/service-member-allow_retrieve_keytab-present.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Service HTTP/www.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups
     ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       allow_retrieve_keytab_user:
       - user01

playbooks/service/service-member-certificate-absent.yml

@@ -7,7 +7,7 @@
   tasks:
   # Ensure service certificate is absent
   - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
 
       certificate:

playbooks/service/service-member-certificate-present.yml

@@ -7,7 +7,7 @@
   tasks:
   # Ensure service certificate is present
   - ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       certificate:
         - MIICBjCCAW8CFHnm32VcXaUDGfEGdDL/erPSijUAMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjAwMTIzMDA1NjQ2WhcNMjEwMTIyMDA1NjQ2WjBCMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYrdVmsr7iT3f67DM5bb1osSEe5/c91UUMEIcFq5wrgBhzVfs8iIMDVC1yiUGTsDLJNJc4nb1tUxeR9K5fh25E6n/eWDBP75NStotjAXRU4Ahi3FNRhWFOKesds5xNqgDk5/dY8UekJv2yUblQuZzeF8b2XFrmHuCaYuFctzPfWwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACF+5RS8Ce0HRixGPu4Xd51i+Kzblg++lx8fDJ8GW5G16/Z1AsB72Hc7etJL2PksHlue/xCq6SA9fIfHc4TBNCiWjPSP1NhHJeYyoPiSkcYsqXuxWyoyRLbnAhBVvhoiqZbUt3u3tGB0uMMA0yJvj07mP7Nea2KdBYVH8X1pM0V+

playbooks/service/service-member-principal-absent.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com absent
     ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       principal:
         - host/test.exmaple.com

playbooks/service/service-member-principal-present.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com present
     ipaservice:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: HTTP/www.example.com
       principal:
         - host/test.exmaple.com

playbooks/trust/add-trust.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook to create a trust
+  hosts: ipaserver
+  become: true
+
+  tasks:
+    - name: ensure the trust is present
+      ipatrust:
+        realm: windows.local
+        admin: Administrator
+        password: secret_password
+        state: present

playbooks/trust/del-trust.yml

@@ -0,0 +1,10 @@
+---
+- name: Playbook to delete trust
+  hosts: ipaserver
+  become: true
+
+  tasks:
+    - name: ensure the trust is absent
+      ipatrust:
+        realm: windows.local
+        state: absent

playbooks/vault/change-password-symmetric-vault.yml

@@ -10,7 +10,7 @@
       ipaadmin_password: SomeADMINpassword
       name: symvault
       password: SomeVAULTpassword
-  - name: Change vault passord.
+  - name: Change vault password.
     ipavault:
       ipaadmin_password: SomeADMINpassword
       name: symvault

playbooks/vault/retrive-data-asymmetric-vault.yml

@@ -14,4 +14,4 @@
         state: retrieved
       register: result
     - debug:
-       msg: "Data: {{ result.data }}"
+       msg: "Data: {{ result.vault.data }}"

playbooks/vault/retrive-data-symmetric-vault.yml

@@ -14,4 +14,4 @@
         state: retrieved
       register: result
     - debug:
-        msg: "{{ result.data | b64decode }}"
+        msg: "{{ result.vault.data }}"