Merge pull request #227 from rjeffman/fix_host_reverse

Fixes behavior for host module attribute `reverse`

README-dnsconfig.md

@@ -0,0 +1,140 @@
+DNSConfig module
+============
+
+Description
+-----------
+
+The dnsconfig module allows to modify global DNS configuration.
+
+
+Features
+--------
+* Global DNS configuration
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipadnsconfig module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to set global DNS configuration:
+
+```yaml
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Set dnsconfig.
+  - ipadnsconfig:
+      forwarders:
+        - ip_address: 8.8.4.4
+        - ip_address: 2001:4860:4860::8888
+          port: 53
+      forward_policy: only
+      allow_sync_ptr: yes
+```
+
+Example playbook to ensure a global forwarder, with a custom port, is absent:
+
+```yaml
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure global forwarder with a custom port is absent.
+  - ipadnsconfig:
+      forwarders:
+          - ip_address: 2001:4860:4860::8888
+            port: 53
+      state: absent
+```
+
+Example playbook to disable global forwarders:
+
+```yaml
+---
+- name: Playbook to disable global DNS forwarders
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Disable global forwarders.
+  - ipadnsconfig:
+      forward_policy: none
+```
+
+Example playbook to change global forward policy:
+
+```yaml
+---
+- name: Playbook to change global forward policy
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Disable global forwarders.
+  - ipadnsconfig:
+      forward_policy: first
+```
+
+Example playbook to disallow synchronization of forward (A, AAAA) and reverse (PTR) records:
+
+```yaml
+---
+- name: Playbook to disallow reverse synchronization.
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Disable global forwarders.
+  - ipadnsconfig:
+      allow_sync_ptr: no
+```
+
+Variables
+=========
+
+ipadnsconfig
+------------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
+  | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
+  | `port` - The custom port that should be used on this server. | no
+`forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`.  | no
+`allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | yes
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
+
+
+Authors
+=======
+
+Rafael Guterres Jeffman

README-group.md

@@ -52,20 +52,20 @@ Example playbook to add groups:
   tasks:
   # Create group ops with gid 1234
   - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: ops
       gidnumber: 1234
 
   # Create group sysops
   - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: sysops
       user:
       - pinky
 
   # Create group appops
   - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: appops
 ```
 
@@ -80,7 +80,7 @@ Example playbook to add users to a group:
   tasks:
   # Add user member brain to group sysops
   - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: sysops
       action: member
       user:
@@ -100,7 +100,7 @@ Example playbook to add group members to a group:
   tasks:
   # Add group members sysops and appops to group sysops
   - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: ops
       group:
       - sysops
@@ -118,7 +118,7 @@ Example playbook to remove groups:
   tasks:
   # Remove goups sysops, appops and ops
   - ipagroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: sysops,appops,ops
       state: absent
 ```
@@ -138,7 +138,7 @@ Variable | Description | Required
 `description` | The group description string. | no
 `gid` \| `gidnumber` | The GID integer. | no
 `nonposix` | Create as a non-POSIX group. (bool) | no
-`external` | Allow adding external non-IPA members from trusted domains. (flag) | no
+`external` | Allow adding external non-IPA members from trusted domains. (bool) | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `user` | List of user name strings assigned to this group. | no
 `group` | List of group name strings assigned to this group. | no

README-hbacrule.md

@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Rule login exists:
   tasks:
   # Ensure HBAC Rule login is present
   - ipahbacrule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
 ```
 
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Rule login exists with the only HBAC Service
   tasks:
   # Ensure HBAC Rule login is present with the only HBAC Service sshd
   - ipahbacrule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       hbacsvc:
       - sshd
@@ -83,7 +83,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Rule login:
   tasks:
   # Ensure HBAC Service sshd is present in HBAC Rule login
   - ipahbacrule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       hbacsvc:
       - sshd
@@ -101,7 +101,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Rule login:
   tasks:
   # Ensure HBAC Service sshd is present in HBAC Rule login
   - ipahbacrule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       hbacsvc:
       - sshd
@@ -120,7 +120,7 @@ Example playbook to make sure HBAC Rule login is absent:
   tasks:
   # Ensure HBAC Rule login is present
   - ipahbacrule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       state: absent
 ```

README-hbacsvc.md

@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Service for http is present
   tasks:
   # Ensure HBAC Service for http is present
   - ipahbacsvc:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: http
       description: Web service
 ```
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Service for tftp is present
   tasks:
   # Ensure HBAC Service for tftp is present
   - ipahbacsvc:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: tftp
       description: TFTPWeb service
 ```
@@ -82,7 +82,7 @@ Example playbook to make sure HBAC Services for http and tftp are absent
   tasks:
   # Ensure HBAC Service for http and tftp are absent
   - ipahbacsvc:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: http,tftp
       state: absent
 ```

README-hbacsvcgroup.md

@@ -4,7 +4,7 @@ HBACsvcgroup module
 Description
 -----------
 
-The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAP Service Groups and members of the groups.
+The hbacsvcgroup (HBAC Service Group) module allows to ensure presence and absence of HBAC Service Groups and members of the groups.
 
 
 Features
@@ -50,7 +50,7 @@ Example playbook to make sure HBAC Service Group login exists:
   tasks:
   # Ensure HBAC Service Group login is present
   - ipahbacsvcgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
 ```
 
@@ -66,7 +66,7 @@ Example playbook to make sure HBAC Service Group login exists with the only HBAC
   tasks:
   # Ensure HBAC Service Group login is present with the only HBAC Service sshd
   - ipahbacsvcgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       hbacsvc:
       - sshd
@@ -83,7 +83,7 @@ Example playbook to make sure HBAC Service sshd is present in HBAC Service Group
   tasks:
   # Ensure HBAC Service sshd is present in HBAC Service Group login
   - ipahbacsvcgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       hbacsvc:
       - sshd
@@ -101,7 +101,7 @@ Example playbook to make sure HBAC Service sshd is absent in HBAC Service Group
   tasks:
   # Ensure HBAC Service sshd is present in HBAC Service Group login
   - ipahbacsvcgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       hbacsvc:
       - sshd
@@ -120,7 +120,7 @@ Example playbook to make sure HBAC Service Group login is absent:
   tasks:
   # Ensure HBAC Service Group login is present
   - ipahbacsvcgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       state: absent
 ```

README-host.md

@@ -52,7 +52,7 @@ Example playbook to ensure host presence:
   tasks:
   # Ensure host is present
   - ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       description: Example host
       ip_address: 192.168.0.123
@@ -65,6 +65,79 @@ Example playbook to ensure host presence:
       - "52:54:00:BD:97:1E"
       state: present
 ```
+Compared to `ipa host-add` command no IP address conflict check is done as the ipahost module supports to have several IPv4 and IPv6 addresses for a host.
+
+
+Example playbook to ensure host presence with several IP addresses:
+
+```yaml
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host is present
+  - ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      description: Example host
+      ip_address:
+      - 192.168.0.123
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b3
+      - fe80::20c:29ff:fe02:a1b4
+      locality: Lab
+      ns_host_location: Lab
+      ns_os_version: CentOS 7
+      ns_hardware_platform: Lenovo T61
+      mac_address:
+      - "08:00:27:E3:B1:2D"
+      - "52:54:00:BD:97:1E"
+      state: present
+```
+
+
+Example playbook to ensure IP addresses are present for a host:
+
+```yaml
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host is present
+  - ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      ip_address:
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b4
+      action: member
+      state: present
+```
+
+
+Example playbook to ensure IP addresses are absent for a host:
+
+```yaml
+---
+- name: Playbook to handle hosts
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure host is present
+  - ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      ip_address:
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b4
+      action: member
+      state: absent
+```
 
 
 Example playbook to ensure host presence without DNS:
@@ -78,7 +151,7 @@ Example playbook to ensure host presence without DNS:
   tasks:
   # Ensure host is present without DNS
   - ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host02.example.com
       description: Example host
       force: yes
@@ -96,7 +169,7 @@ Example playbook to ensure host presence with a random password:
   tasks:
   - name: Host host01.example.com present with random password
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       random: yes
       force: yes
@@ -120,7 +193,7 @@ Example playbook to ensure presence of several hosts with a random password:
   tasks:
   - name: Hosts host01.example.com and host01.example.com present with random passwords
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.example.com
         random: yes
@@ -152,7 +225,7 @@ Example playbook to ensure presence of host member principal:
   tasks:
   - name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       principal:
       - host/testhost01.example.com
@@ -171,7 +244,7 @@ Example playbook to ensure presence of host member certificate:
   tasks:
   - name: Host host01.example.com present with certificate
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       certificate:
       - MIIC/zCCAeegAwIBAg...
@@ -189,7 +262,7 @@ Example playbook to ensure presence of member managedby_host for serveral hosts:
 
   tasks:
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.exmaple.com
         managedby_host: server.exmaple.com
@@ -210,12 +283,12 @@ Example playbook to disable a host:
   tasks:
   # Ensure host is disabled
   - ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       update_dns: yes
       state: disabled
 ```
-`update_dns` controls if the DNS entries will be updated.
+`update_dns` controls if the DNS entries will be updated in this case. For `state` present it is controlling the update of the DNS SSHFP records, but not the the other DNS records.
 
 
 Example playbook to ensure a host is absent:
@@ -269,25 +342,25 @@ Variable | Description | Required
 `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
 `managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
 `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
-`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. <br>Options: | no
-`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. <br>Options: | no
-`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. <br>Options: | no
-`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. <br>Options: | no
-`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. <br>Options: | no
-`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. <br>Options: | no
-`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. <br>Options: | no
-`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. <br>Options: | no
+`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
+`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this host. | no
+`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this host. | no
+`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this host. | no
+`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retieve a keytab of this host. | no
+`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retieve a keytab of this host. | no
 `mac_address` \| `macaddress` | List of hardware MAC addresses. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
 `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened"] | no
+`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
 `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
 `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
 `force` | Force host name even if not in DNS. | no
 `reverse` | Reverse DNS detection. | no
-`ip_address` \| `ipaddress` | The host IP address. | no
-`update_dns` | Update DNS entries. | no
+`ip_address` \| `ipaddress` | The host IP address list. It can contain IPv4 and IPv6 addresses. No conflict check for IP addresses is done. | no
+`update_dns` | For existing hosts: DNS SSHFP records are updated with `state` present and all DNS entries for a host removed with `state` absent. | no
 
 
 Return Values

README-hostgroup.md

@@ -52,7 +52,7 @@ Example playbook to make sure hostgroup databases exists:
   tasks:
   # Ensure host-group databases is present
   - ipahostgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: databases
       host:
       - db.example.com
@@ -72,7 +72,7 @@ Example playbook to make sure that hosts and hostgroups are present in existing
   tasks:
   # Ensure hosts and hostgroups are present in existing databases hostgroup
   - ipahostgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: databases
       host:
       - db.example.com
@@ -94,7 +94,7 @@ Example playbook to make sure hosts and hostgroups are absent in databases hostg
   tasks:
   # Ensure hosts and hostgroups are absent in databases hostgroup
   - ipahostgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: databases
       host:
       - db.example.com
@@ -116,7 +116,7 @@ Example playbook to make sure host-group databases is absent:
   tasks:
   # Ensure host-group databases is absent
   - ipahostgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: databases
       state: absent
 ```

README-pwpolicy.md

@@ -45,7 +45,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops:
   tasks:
   - name: Ensure presence of pwpolicies for group ops
     ipapwpolicy:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: ops
       minlife: 7
       maxlife: 49
@@ -56,7 +56,7 @@ Example playbook to ensure presence of pwpolicies for exisiting group ops:
       maxfail: 3
 ```
 
-Example playbook to ensure absence of pwpolicies for group ops
+Example playbook to ensure absence of pwpolicies for group ops:
 
 ```yaml
 ---
@@ -67,11 +67,26 @@ Example playbook to ensure absence of pwpolicies for group ops
   tasks:
   # Ensure absence of pwpolicies for group ops
   - ipapwpolicy:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: ops
       state: absent
 ```
 
+Example playbook to ensure maxlife is set to 49 in global policy:
+
+```yaml
+---
+- name: Playbook to handle pwpolicies
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  # Ensure absence of pwpolicies for group ops
+  - ipapwpolicy:
+      ipaadmin_password: SomeADMINpassword
+      maxlife: 49
+```
+
 
 Variables
 =========
@@ -83,7 +98,7 @@ Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
-`name` \| `cn` | The list of pwpolicy name strings. | no
+`name` \| `cn` | The list of pwpolicy name strings. If name is not given, `global_policy` will be used automatically. | no
 `maxlife` \| `krbmaxpwdlife` | Maximum password lifetime in days. (int) | no
 `minlife` \| `krbminpwdlife` | Minimum password lifetime in hours. (int) | no
 `history` \| `krbpwdhistorylength` | Password history size. (int) | no

README-service.md

@@ -0,0 +1,320 @@
+Service module
+==============
+
+Description
+-----------
+
+The service module allows to ensure presence and absence of services.
+
+
+Features
+--------
+
+* Service management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipaservice module.
+
+Option `skip_host_check` requires FreeIPA version 4.7.0 or later.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FReeIPA version (see above)
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+
+Example playbook to make sure service is present:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      certificate:
+        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
+        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
+        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
+        VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
+        LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
+        oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
+        4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
+        xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
+        UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
+        eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
+        5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
+        uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
+        2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
+        obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
+        /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
+      pac_type: PAD
+      auth_ind: otp
+      requires_pre_auth: false
+      ok_as_delegate: false
+      ok_to_auth_as_delegate: false
+      skip-host-check: true
+      force: true
+```
+
+
+Example playbook to make sure service is absent:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      state: absent
+```
+
+
+Example playbook to make sure service is disabled:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      state: disabled
+```
+
+Example playbook to add a service even if the host object does not exist, but only if it does have a DNS entry:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      skip_host_check: true
+      force: false
+```
+
+Example playbook to add a service if it does have a DNS entry, but host object exits:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      skip_host_check: false
+      force: true
+```
+
+Example playbook to ensure service has a certificate:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service member certificate is present.
+  - ipaservice:
+      ipaadmin_password: SomeADMINpassword
+      name: HTTP/www.example.com
+      certificate:
+        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
+        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
+        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
+        VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
+        LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
+        oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
+        4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
+        xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
+        UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
+        eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
+        5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
+        uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
+        2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
+        obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
+        /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
+      action: member
+      state: present
+```
+
+Example playbook to add a principal to the service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+    # Principal host/principal.example.com present in service.
+    - ipaservice:
+        ipaadmin_password: SomeADMINpassword
+        name: HTTP/www.example.com
+        principal: host/principal.example.com
+        action: member
+```
+
+Example playbook to enable a host to manage service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+    # Ensure host can manage service, again.
+    - ipaservice:
+        ipaadmin_password: SomeADMINpassword
+        name: HTTP/www.example.com
+        host: host1.example.com
+        action: member
+```
+
+Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+    # Allow users, groups, hosts or host groups to create a keytab of this service.
+    - ipaservice:
+        ipaadmin_password: SomeADMINpassword
+        name: HTTP/www.example.com
+        allow_create_keytab_user:
+        - user01
+        - user02
+        allow_create_keytab_group:
+        - group01
+        - group02
+        allow_create_keytab_host:
+        - host1.example.com
+        - host2.example.com
+        allow_create_keytab_hostgroup:
+        - hostgroup01
+        - hostgroup02
+        action: member
+```
+
+Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service:
+
+```yaml
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+    # Allow users, groups, hosts or host groups to retrieve a keytab of this service.
+    - ipaservice:
+        ipaadmin_password: SomeADMINpassword
+        name: HTTP/www.example.com
+        allow_retrieve_keytab_user:
+        - user01
+        - user02
+        allow_retrieve_keytab_group:
+        - group01
+        - group02
+        allow_retrieve_keytab_host:
+        - "{{ host1_fqdn }}"
+        - "{{ host2_fqdn }}"
+        allow_retrieve_keytab_hostgroup:
+        - hostgroup01
+        - hostgroup02
+        action: member
+```
+
+
+Variables
+---------
+
+ipaservice
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `service` | The list of service name strings. | yes
+`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
+`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
+`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
+`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
+`ok_as_delegate` \|  `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
+`ok_to_auth_as_delegate` \|  `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
+`skip_host_check` | Force service to be created even when host object does not exist to manage it. Default to false. (bool)| no
+`force` | Force principal name even if host not in DNS. Default to false. (bool) | no
+`host` \| `managedby_host`| Hosts that can manage the service. | no
+`principal` \| `krbprincipalname` | List of principal aliases for the service. | no
+`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this host. | no
+`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group`| Groups allowed to create a keytab of this host. | no
+`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host`| Hosts allowed to create a keytab of this host. | no
+`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_group`| Host groups allowed to create a keytab of this host. | no
+`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this host. | no
+`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
+`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
+`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
+`action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
+`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
+
+
+Authors
+=======
+
+Rafael Jeffman

README-sudocmd.md

@@ -52,7 +52,7 @@ Example playbook to make sure sudocmd exists:
   tasks:
   # Ensure sudocmd is present
   - ipasudocmd:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: /usr/bin/su
       state: present
 ```
@@ -68,7 +68,7 @@ Example playbook to make sure sudocmd is absent:
   tasks:
   # Ensure sudocmd are absent
   - ipahostgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: /usr/bin/su
       state: absent
 ```

README-sudocmdgroup.md

@@ -52,7 +52,7 @@ Example playbook to make sure sudocmdgroup is present:
   tasks:
   # Ensure sudocmdgroup is present
   - ipasudocmdgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: group01
       description: Group of important commands
 ```
@@ -68,7 +68,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are present
   tasks:
   # Ensure sudo commands are present in existing sudocmdgroup
   - ipasudocmdgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: group01
       sudocmd:
       - /usr/bin/su
@@ -88,7 +88,7 @@ Example playbook to make sure that a sudo command and sudocmdgroups are absent i
   tasks:
   # Ensure sudocmds are absent in existing sudocmdgroup
   - ipasudocmdgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: group01
       sudocmd:
       - /usr/bin/su
@@ -108,7 +108,7 @@ Example playbook to make sure sudocmdgroup is absent:
   tasks:
   # Ensure sudocmdgroup is absent
   - ipasudocmdgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: group01
       state: absent
 ```

README-sudorule.md

@@ -50,7 +50,7 @@ Example playbook to make sure Sudo Rule is present:
   tasks:
   # Ensure Sudo Rule is present
   - ipasudorule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
 ```
 
@@ -66,9 +66,9 @@ Example playbook to make sure sudocmds are present in Sudo Rule:
   tasks:
   # Ensure Sudo Rule is present
   - ipasudorule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
-      cmd:
+      allow_sudocmd:
       - /sbin/ifconfig
       action: member
 ```
@@ -85,9 +85,9 @@ Example playbook to make sure sudocmds are not present in Sudo Rule:
   tasks:
   # Ensure Sudo Rule is present
   - ipasudorule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
-      cmd:
+      allow_sudocmd:
       - /sbin/ifconfig
       action: member
       state: absent
@@ -104,8 +104,9 @@ Example playbook to make sure Sudo Rule is absent:
   tasks:
   # Ensure Sudo Rule is present
   - ipasudorule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
+      state: absent
 ```
 
 
@@ -124,13 +125,21 @@ Variable | Description | Required
 `usercategory` | User category the rule applies to. Choices: ["all"] | no
 `hostcategory` | Host category the rule applies to. Choices: ["all"] | no
 `cmdcategory` | Command category the rule applies to. Choices: ["all"] | no
+`runasusercategory` | RunAs User category the rule applies to. Choices: ["all"] | no
+`runasgroupcategory` | RunAs Group category the rule applies to. Choices: ["all"] | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this sudorule. | no
 `hostgroup` | List of host group name strings assigned to this sudorule. | no
 `user` | List of user name strings assigned to this sudorule. | no
 `group` | List of user group name strings assigned to this sudorule. | no
-`cmd` | List of sudocmd name strings assigned to this sudorule. | no
-`cmdgroup` | List of sudocmd group name strings assigned wto this sudorule. | no
+`allow_sudocmd` | List of sudocmd name strings assigned to the allow group of this sudorule. | no
+`deny_sudocmd` | List of sudocmd name strings assigned to the deny group of this sudorule. | no
+`allow_sudocmdgroup` | List of sudocmd groups name strings assigned to the allow group of this sudorule. | no
+`deny_sudocmdgroup` | List of sudocmd groups name strings assigned to the deny group of this sudorule. | no
+`sudooption` \| `option` | List of options to the sudorule | no
+`order` | Integer to order the sudorule | no
+`runasuser` | List of users for Sudo to execute as. | no
+`runasgroup` | List of groups for Sudo to execute as. | no
 `action` | Work on sudorule or member level. It can be on of `member` or `sudorule` and defaults to `sudorule`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | no
 

README-topology.md

@@ -50,7 +50,7 @@ Example playbook to add a topology segment with default name (cn):
   tasks:
   - name: Add topology segment
     ipatopologysegment:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       suffix: domain
       left: ipareplica1.test.local
       right: ipareplica2.test.local
@@ -70,7 +70,7 @@ Example playbook to delete a topology segment:
   tasks:
   - name: Delete topology segment
     ipatopologysegment:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       suffix: domain
       left: ipareplica1.test.local
       right: ipareplica2.test.local
@@ -90,7 +90,7 @@ Example playbook to reinitialize a topology segment:
   tasks:
   - name: Reinitialize topology segment
     ipatopologysegment:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       suffix: domain
       left: ipareplica1.test.local
       right: ipareplica2.test.local
@@ -111,7 +111,7 @@ Example playbook to verify a topology suffix:
   tasks:
   - name: Verify topology suffix
     ipatopologysuffix:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       suffix: domain
       state: verified
 ```

README-user.md

@@ -52,7 +52,7 @@ Example playbook to ensure a user is present:
   tasks:
   # Ensure user pinky is present
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: pinky
       first: pinky
       last: Acme
@@ -66,7 +66,7 @@ Example playbook to ensure a user is present:
 
   # Ensure user brain is present
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: brain
       first: brain
       last: Acme
@@ -85,7 +85,7 @@ These two `ipauser` module calls can be combined into one with the `users` varia
   tasks:
   # Ensure users pinky and brain are present
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       users:
       - name: pinky
         first: pinky
@@ -153,7 +153,7 @@ Ensure user pinky is present with a generated random password and print the rand
   tasks:
   # Ensure user pinky is present with a random password
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: brain
       first: brain
       last: Acme
@@ -176,7 +176,7 @@ Ensure users pinky and brain are present with a generated random password and pr
   tasks:
   # Ensure users pinky and brain are present with random password
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       users:
       - name: pinky
         first: pinky
@@ -212,7 +212,7 @@ Example playbook to delete a user, but preserve it:
   tasks:
   # Remove but preserve user pinky
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: pinky
       preserve: yes
       state: absent
@@ -231,7 +231,7 @@ Example playbook to delete a user, but preserve it using the `users` variable:
   tasks:
   # Remove but preserve user pinky
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       users:
       - name: pinky
       preserve: yes
@@ -252,7 +252,7 @@ Example playbook to undelete a preserved user.
   tasks:
   # Undelete preserved user pinky
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: pinky
       state: undeleted
 ```
@@ -271,7 +271,7 @@ Example playbook to disable a user:
   tasks:
   # Disable user pinky
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: pinky
       state: disabled
 ```
@@ -290,7 +290,7 @@ Example playbook to enable users:
   tasks:
   # Enable user pinky and brain
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: pinky,brain
       state: enabled
 ```
@@ -309,7 +309,7 @@ Example playbook to unlock users:
   tasks:
   # Unlock user pinky and brain
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: pinky,brain
       state: unlocked
 ```
@@ -326,7 +326,7 @@ Example playbook to ensure users are absent:
   tasks:
   # Ensure users pinky and brain are absent
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: pinky,brain
       state: absent
 ```
@@ -345,7 +345,7 @@ Example playbook to ensure users are absent:
   tasks:
   # Ensure users pinky and brain are absent
   - ipauser:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       users:
       - name: pinky
       - name: brain
@@ -408,7 +408,7 @@ Variable | Description | Required
 `manager` | List of manager user names. | no
 `carlicense` | List of car licenses. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
-`userauthtype` | List of supported user authentication types. Choices: `password`, `radius` and `otp` | no
+`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and ``. Use empty string to reset userauthtype to the initial value. | no
 `userclass` | User category. (semantics placed on this attribute are for local interpretation). | no
 `radius` | RADIUS proxy configuration  | no
 `radiususer` | RADIUS proxy username | no

README-vault.md

@@ -0,0 +1,203 @@
+Vault module
+===================
+
+Description
+-----------
+
+The vault module allows to ensure presence and absence of vault and members of vaults.
+
+The vault module is as compatible as possible to the Ansible upstream `ipa_vault` module, and additionally offers to make sure that vault members, groups and owners are present or absent in a vault, and allow the archival of data in vaults.
+
+
+Features
+--------
+* Vault management
+
+
+Supported FreeIPA Versions
+--------------------------
+
+FreeIPA versions 4.4.0 and up are supported by the ipavault module.
+
+
+Requirements
+------------
+
+**Controller**
+* Ansible version: 2.8+
+
+**Node**
+* Supported FreeIPA version (see above)
+* KRA service must be enabled
+
+
+Usage
+=====
+
+Example inventory file
+
+```ini
+[ipaserver]
+ipaserver.test.local
+```
+
+Example playbook to make sure vault is present:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      vault_password: MyVaultPassword123
+      description: A standard private vault.
+```
+
+Example playbook to make sure that a vault and its members are present:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      users: user01
+```
+
+`action` controls if the vault, data, member or owner will be handled. To add or remove members or vault data, set `action` to `member`.
+
+Example playbook to make sure that a vault member is present in vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      users: user01
+      action: member
+```
+
+Example playbook to make sure that a vault owner is absent in vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      owner: user01
+      action: member
+      state: absent
+```
+
+Example playbook to make sure vault data is present in a symmetric vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      vault_password: MyVaultPassword123
+      vault_data: >
+        Data archived.
+        More data archived.
+      action: member
+```
+
+Example playbook to make sure vault data is absent in a symmetric vault:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      vault_password: MyVaultPassword123
+      action: member
+      state: absent
+```
+
+Example playbook to make sure vault is absent:
+
+```yaml
+---
+- name: Playbook to handle vaults
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - ipavault:
+      ipaadmin_password: SomeADMINpassword
+      name: symvault
+      username: admin
+      state: absent
+```
+
+Variables
+=========
+
+ipavault
+-------
+
+Variable | Description | Required
+-------- | ----------- | --------
+`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
+`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
+`name` \| `cn` | The list of vault name strings. | yes
+`description` | The vault description string. | no
+`nomembers` | Suppress processing of membership attributes. (bool) | no
+`vault_public_key` \| `ipavaultpublickey` | Vault public key. | no
+`vault_salt` \| `ipavaultsalt` | Vault salt. | no
+`vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
+`service` | Any service can own one or more service vaults. | no
+`user` | Any user can own one or more user vaults. | no
+`shared` | Vault is shared. Default to false. (bool) | no
+`users` | Users that are members of the vault. | no
+`groups` | Groups that are member of the vault. | no
+`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
+`action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
+`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+
+
+Notes
+=====
+
+ipavault uses a client context to execute, and it might affect execution time.
+
+
+Authors
+=======
+
+Rafael Jeffman

README.md

@@ -18,16 +18,18 @@ Features
 * Modules for host management
 * Modules for hostgroup management
 * Modules for pwpolicy management
+* Modules for service management
 * Modules for sudocmd management
 * Modules for sudocmdgroup management
 * Modules for sudorule management
 * Modules for topology management
 * Modules for user management
+* Modules for vault management
 
 Supported FreeIPA Versions
 --------------------------
 
-FreeIPA versions 4.6 and up are supported by all roles. 
+FreeIPA versions 4.6 and up are supported by all roles.
 
 The client role supports versions 4.4 and up, the server role is working with versions 4.5 and up, the replica role is currently only working with versions 4.6 and up.
 
@@ -155,6 +157,7 @@ ipaserver_install_packages=no
 ipaserver_setup_firewalld=no
 ```
 The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
 
 For more server settings, please have a look at the [server role documentation](roles/ipaserver/README.md).
 
@@ -230,6 +233,7 @@ ipareplica_setup_firewalld=no
 ```
 
 The installation of packages and also the configuration of the firewall are by default enabled.
+Note that it is not enough to mask systemd firewalld service to skip the firewalld configuration. You need to set the variable to `no`.
 
 For more replica settings, please have a look at the [replica role documentation](roles/ipareplica/README.md).
 
@@ -403,6 +407,7 @@ Roles
 Modules in plugin/modules
 =========================
 
+* [ipadnsconfig](README-dnsconfig.md)
 * [ipagroup](README-group.md)
 * [ipahbacrule](README-hbacrule.md)
 * [ipahbacsvc](README-hbacsvc.md)
@@ -410,9 +415,11 @@ Modules in plugin/modules
 * [ipahost](README-host.md)
 * [ipahostgroup](README-hostgroup.md)
 * [ipapwpolicy](README-pwpolicy.md)
+* [ipaservice](README-service.md)
 * [ipasudocmd](README-sudocmd.md)
 * [ipasudocmdgroup](README-sudocmdgroup.md)
 * [ipasudorule](README-sudorule.md)
 * [ipatopologysegment](README-topology.md)
 * [ipatopologysuffix](README-topology.md)
 * [ipauser](README-user.md)
+* [ipavault](README-vault.md)

galaxy.yml

@@ -15,6 +15,8 @@ readme: "README.md"
 license: "GPL-3.0-or-later"
 license_file: "COPYING"
 
+dependencies:
+
 tags:
   - "identity"
   - "ipa"

playbooks/dnsconfig/disable-global-forwarders.yml

@@ -0,0 +1,9 @@
+---
+- name: Playbook to disable global DNS forwarders
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Disable global forwarders.
+    ipadnsconfig:
+      forward_policy: none

playbooks/dnsconfig/disallow-reverse-sync.yml

@@ -0,0 +1,9 @@
+---
+- name: Playbook to disallow reverse record synchronization.
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Disallow reverse record synchronization.
+    ipadnsconfig:
+      allow_sync_ptr: no

playbooks/dnsconfig/forwarders-absent.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Set dnsconfig.
+    ipadnsconfig:
+      forwarders:
+        - ip_address: 8.8.4.4
+        - ip_address: 2001:4860:4860::8888
+          port: 53
+      state: absent

playbooks/dnsconfig/set-configuration.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to handle global DNS configuration
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Set dnsconfig.
+    ipadnsconfig:
+      forwarders:
+        - ip_address: 8.8.4.4
+        - ip_address: 2001:4860:4860::8888
+          port: 53
+      forward_policy: only
+      allow_sync_ptr: yes

playbooks/hbacrule/ensure-hbarule-allhosts-absent.yml

@@ -7,6 +7,6 @@
   tasks:
   - name: Ensure HBAC Rule allhosts is absent
     ipahbacrule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: allhosts
       state: absent

playbooks/hbacrule/ensure-hbarule-allhosts-disabled.yml

@@ -7,6 +7,6 @@
   tasks:
   - name: Ensure HBAC Rule allhosts is disabled
     ipahbacrule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: allhosts
       state: disabled

playbooks/hbacrule/ensure-hbarule-allhosts-enabled.yml

@@ -7,6 +7,6 @@
   tasks:
   - name: Ensure HBAC Rule allhosts is enabled
     ipahbacrule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: allhosts
       state: enabled

playbooks/hbacrule/ensure-hbarule-allhosts-present.yml

@@ -7,6 +7,6 @@
   tasks:
   - name: Ensure HBAC Rule allhosts is present
     ipahbacrule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: allhosts
       usercategory: all

playbooks/hbacrule/ensure-hbarule-allhosts-server-member-absent.yml

@@ -7,7 +7,7 @@
   tasks:
   - name: Ensure host server is absent in HBAC Rule allhosts
     ipahbacrule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: allhosts
       host: server
       action: member

playbooks/hbacrule/ensure-hbarule-allhosts-server-member-present.yml

@@ -7,7 +7,7 @@
   tasks:
   - name: Ensure host server is present in HBAC Rule allhosts
     ipahbacrule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: allhosts
       host: server
       action: member

playbooks/hbacsvc/ensure-hbacsvc-absent.yml

@@ -7,6 +7,6 @@
   tasks:
   - name: Ensure HBAC Services for http and tftp are absent
     ipahbacsvc:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: http,tftp
       state: absent

playbooks/hbacsvc/ensure-hbacsvc-present.yml

@@ -7,12 +7,12 @@
   tasks:
   - name: Ensure HBAC Service for http is present
     ipahbacsvc:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: http
       description: Web service
 
   - name: Ensure HBAC Service for tftp is present
     ipahbacsvc:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: tftp
       description: TFTP service

playbooks/hbacsvcgroup/ensure-hbacsvcgroup-absent.yml

@@ -7,7 +7,7 @@
   tasks:
   - name: Ensure HBAC Service Group login is absent
     ipahbacsvcgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       hbacsvc:
       - sshd

playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-absent.yml

@@ -7,7 +7,7 @@
   tasks:
   - name: Ensure HBAC Services sshd is absent in HBAC Service Group login
     ipahbacsvcgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       hbacsvc:
       - sshd

playbooks/hbacsvcgroup/ensure-hbacsvcgroup-member-present.yml

@@ -7,7 +7,7 @@
   tasks:
   - name: Ensure HBAC Service sshd is present in HBAC Service Group login
     ipahbacsvcgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       hbacsvc:
       - sshd

playbooks/hbacsvcgroup/ensure-hbacsvcgroup-present.yml

@@ -7,7 +7,7 @@
   tasks:
   - name: Ensure HBAC Service sshd is present in HBAC Service Group login
     ipahbacsvcgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: login
       hbacsvc:
       - sshd

playbooks/host/delete-host.yml

@@ -6,6 +6,6 @@
   tasks:
   - name: Ensure host host01.example.com is absent
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       state: absent

playbooks/host/disable-host.yml

@@ -6,6 +6,6 @@
   tasks:
   - name: Disable host host01.example.com
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       state: disabled

playbooks/host/ensure_host_with_randompassword.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Host "{{ 'host1.' + ipaserver_domain }}" present with random password
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: "{{ 'host1.' + ipaserver_domain }}"
       random: yes
       force: yes

playbooks/host/host-member-allow_create_keytab-absent.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Host host1.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       allow_create_keytab_user:
       - user01

playbooks/host/host-member-allow_create_keytab-present.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Host host1.example.com members allow_create_keytab present for users, groups, hosts and hostgroups
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       allow_create_keytab_user:
       - user01

playbooks/host/host-member-allow_retrieve_keytab-absent.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Host host1.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       allow_retrieve_keytab_user:
       - user01

playbooks/host/host-member-allow_retrieve_keytab-present.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Host host1.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       allow_retrieve_keytab_user:
       - user01

playbooks/host/host-member-certificate-absent.yml

@@ -5,7 +5,7 @@
   tasks:
   - name: Host host01.example.com member certificate absent
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       certificate:
       - MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3

playbooks/host/host-member-certificate-present.yml

@@ -5,7 +5,7 @@
   tasks:
   - name: Host host01.example.com member certificate present
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       certificate:
       - MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3

playbooks/host/host-member-ipaddresses-absent.yml

@@ -0,0 +1,17 @@
+---
+- name: Host member IP addresses absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure host01.example.com IP addresses absent
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      ip_address:
+      - 192.168.0.123
+      - fe80::20c:29ff:fe02:a1b3
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b4
+      action: member
+      state: absent

playbooks/host/host-member-ipaddresses-present.yml

@@ -0,0 +1,16 @@
+---
+- name: Host member IP addresses present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure host01.example.com IP addresses present
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      ip_address:
+      - 192.168.0.123
+      - fe80::20c:29ff:fe02:a1b3
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b4
+      action: member

playbooks/host/host-member-managedby_host-absent.yml

@@ -5,7 +5,7 @@
 
   tasks:
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       managedby_host: server.exmaple.com
       action: member

playbooks/host/host-member-managedby_host-present.yml

@@ -5,7 +5,7 @@
 
   tasks:
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       managedby_host: server.exmaple.com
       action: member

playbooks/host/host-member-principal-absent.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com absent
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       principal:
       - host/testhost01.example.com

playbooks/host/host-member-principal-present.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Host host01.example.com principals host/testhost01.example.com and host/myhost01.example.com present
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       principal:
       - host/testhost01.example.com

playbooks/host/host-present-with-allow_create_keytab.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Host host1.example.com present with allow_create_keytab for users, groups, hosts and hostgroups
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       allow_create_keytab_user:
       - user01

playbooks/host/host-present-with-allow_retrieve_keytab.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Host host1.example.com present with allow_retrieve_keytab for users, groups, hosts and hostgroups
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       allow_retrieve_keytab_user:
       - user01

playbooks/host/host-present-with-certificate.yml

@@ -5,7 +5,7 @@
   tasks:
   - name: Host host01.example.com present with certificate
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       certificate:
       - MIIC/zCCAeegAwIBAgIUZGHLaSYg1myp6EI4VGWSC27vOrswDQYJKoZIhvcNAQELBQAwDzENMAsGA1UEAwwEdGVzdDAeFw0xOTEwMTQxNjI4MzVaFw0yMDEwMTMxNjI4MzVaMA8xDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDER/lB8wUAmPTSwSc/NOXNlzdpPOQDSwrhKH6XsqZF4KpQoSY/nmCjAhJmOVpOUo4K2fGRZ0yAH9fkGv6yJP6c7IAFjLeec7GPHVwN4bZrP1DXfTAmfmXhcRQbCYkV+wmq8Puzw/+xA9EJrrodnJPPsE6E8HnSVLF6Ys9+cJMJ7HuwOI+wYt3gkmspsir1tccmf4x1PP+yHJWdcXyetlFRcmZ8gspjqOR2jb89xSQsh8gcyDW6rPNlSTzYZ2FmNtjES6ZhCsYL31fQbF2QglidlLGpAlvHUUS+xCigW73cvhFPMWXcfO51Mr15RcgYTckY+7QZ2nYqplRBoDlQl6DnAgMBAAGjUzBRMB0GA1UdDgQWBBTPG99XVRdxpOXMZo3Nhy+ldnf13TAfBgNVHSMEGDAWgBTPG99XVRdxpOXMZo3Nhy+ldnf13TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQAjWTcnIl2mpNbfHAN8DB4Kk+RNRmhsH0y+r/47MXVTMMMToCfofeNY3Jeohu+2lIXMPQfTvXUbDTkNAGsGLv6LtQEUfSREqgk1eY7bT9BFfpH1uV2ZFhCO9jBA+E4bf55Kx7bgUNG31ykBshOsOblOJM1lS/0q4TWHAxrsU2PNwPi8X0ten+eGeB8aRshxS17Ij2cH0fdAMmSA+jMAvTIZl853Bxe0HuozauKwOFWL4qHm61c4O/j1mQCLqJKYfJ9mBDWFQLszd/tF+ePKiNhZCQly60F8Lumn2CDZj5UIkl8wk9Wls5n1BIQs+M8AN65NAdv7+js8jKUKCuyji8r3

playbooks/host/host-present-with-managedby_host.yml

@@ -5,7 +5,7 @@
 
   tasks:
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.exmaple.com
       managedby_host: server.exmaple.com
       force: yes

playbooks/host/host-present-with-principal.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Host host01.example.com present with principals host/testhost01.example.com and host/myhost01.example.com
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       principal:
       - host/testhost01.example.com

playbooks/host/host-present-with-randompassword.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Host host01.example.com present with random password
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       random: yes
       force: yes

playbooks/host/host-present-with-several-ip-addresses.yml

@@ -0,0 +1,24 @@
+---
+- name: Host present with several IP addresses
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Ensure host is present
+    ipahost:
+      ipaadmin_password: SomeADMINpassword
+      name: host01.example.com
+      description: Example host
+      ip_address:
+      - 192.168.0.123
+      - fe80::20c:29ff:fe02:a1b3
+      - 192.168.0.124
+      - fe80::20c:29ff:fe02:a1b4
+      locality: Lab
+      ns_host_location: Lab
+      ns_os_version: CentOS 7
+      ns_hardware_platform: Lenovo T61
+      mac_address:
+      - "08:00:27:E3:B1:2D"
+      - "52:54:00:BD:97:1E"
+      state: present

playbooks/host/host-present.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Ensure host is present
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: host01.example.com
       description: Example host
       ip_address: 192.168.0.123

playbooks/host/hosts-member-certificate-absent.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Hosts host01.example.com and host01.exmaple.com member certificate absent
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.example.com
         certificate:

playbooks/host/hosts-member-certificate-present.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Hosts host01.example.com and host01.exmaple.com member certificate present
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.example.com
         certificate:

playbooks/host/hosts-member-managedby_host-absent.yml

@@ -5,7 +5,7 @@
 
   tasks:
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.exmaple.com
         managedby_host: server.exmaple.com

playbooks/host/hosts-member-managedby_host-present.yml

@@ -5,7 +5,7 @@
 
   tasks:
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.exmaple.com
         managedby_host: server.exmaple.com

playbooks/host/hosts-member-principal-absent.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com absent
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.exmaple.com
         principal:

playbooks/host/hosts-member-principal-present.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Hosts host01.exmaple.com and host02.exmaple.com member principals host/testhost0X.exmaple.com present
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.exmaple.com
         principal:

playbooks/host/hosts-present-with-certificate.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Hosts host01.example.com and host01.exmaple.com present with certificate
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.example.com
         certificate:

playbooks/host/hosts-present-with-managedby_host.yml

@@ -5,7 +5,7 @@
 
   tasks:
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.exmaple.com
         managedby_host: server.exmaple.com

playbooks/host/hosts-present-with-randompasswords.yml

@@ -6,7 +6,7 @@
   tasks:
   - name: Hosts host01.example.com and host01.example.com present with random passwords
     ipahost:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       hosts:
       - name: host01.example.com
         random: yes

playbooks/hostgroup/ensure-hostgroup-is-absent.yml

@@ -6,6 +6,6 @@
   tasks:
   # Ensure host-group databases is present
   - ipahostgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: databases
       state: absent

playbooks/hostgroup/ensure-hostgroup-is-present.yml

@@ -6,7 +6,7 @@
   tasks:
   # Ensure host-group databases is present
   - ipahostgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: databases
       host:
       - db.example.com

playbooks/hostgroup/ensure-hosts-and-hostgroups-are-absent-in-hostgroup.yml

@@ -6,7 +6,7 @@
   tasks:
   # Ensure hosts and hostgroups are present in existing databases hostgroup
   - ipahostgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: databases
       host:
       - db.example.com

playbooks/hostgroup/ensure-hosts-and-hostgroups-are-present-in-hostgroup.yml

@@ -6,7 +6,7 @@
   tasks:
   # Ensure hosts and hostgroups are present in existing databases hostgroup
   - ipahostgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: databases
       host:
       - db.example.com

playbooks/service/service-host-is-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure management host is absent.
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      host: "{{ groups.ipaserver[0] }}"
+      action: member
+      state: absent

playbooks/service/service-host-is-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure management host is present.
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      host: "{{ groups.ipaserver[0] }}"
+      action: member

playbooks/service/service-is-absent.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is absent
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      state: absent

playbooks/service/service-is-disabled.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook to disable IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is disabled
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      state: disabled

playbooks/service/service-is-present-with-all-attributes.yml

@@ -0,0 +1,23 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      certificate:
+        - MIICBjCCAW8CFHnm32VcXaUDGfEGdDL/erPSijUAMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjAwMTIzMDA1NjQ2WhcNMjEwMTIyMDA1NjQ2WjBCMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYrdVmsr7iT3f67DM5bb1osSEe5/c91UUMEIcFq5wrgBhzVfs8iIMDVC1yiUGTsDLJNJc4nb1tUxeR9K5fh25E6n/eWDBP75NStotjAXRU4Ahi3FNRhWFOKesds5xNqgDk5/dY8UekJv2yUblQuZzeF8b2XFrmHuCaYuFctzPfWwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACF+5RS8Ce0HRixGPu4Xd51i+Kzblg++lx8fDJ8GW5G16/Z1AsB72Hc7etJL2PksHlue/xCq6SA9fIfHc4TBNCiWjPSP1NhHJeYyoPiSkcYsqXuxWyoyRLbnAhBVvhoiqZbUt3u3tGB0uMMA0yJvj07mP7Nea2KdBYVH8X1pM0V+
+      pac_type:
+        - MS-PAC
+        - PAD
+      auth_ind: otp
+      force: no
+      requires_pre_auth: yes
+      ok_as_delegate: no
+      ok_to_auth_as_delegate: no
+      action: service
+      state: present

playbooks/service/service-is-present-with-host-force.yml

@@ -0,0 +1,13 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/ihavenodns.info
+      force: yes
+      # state: absent

playbooks/service/service-is-present-without-host-object.yml

@@ -0,0 +1,12 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.ansible.com
+      skip_host_check: yes

playbooks/service/service-is-present.yml

@@ -0,0 +1,11 @@
+---
+- name: Playbook to manage IPA service.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service is present
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com

playbooks/service/service-member-allow_create_keytab-absent.yml

@@ -0,0 +1,24 @@
+---
+- name: Service member allow_create_keytab absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.example.com members allow_create_keytab absent for users, groups, hosts and hostgroups
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      allow_create_keytab_user:
+      - user01
+      - user02
+      allow_create_keytab_group:
+      - group01
+      - group02
+      allow_create_keytab_host:
+      - host01.example.com
+      - host02.example.com
+      allow_create_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+      state: absent

playbooks/service/service-member-allow_create_keytab-present.yml

@@ -0,0 +1,23 @@
+---
+- name: Service member allow_create_keytab present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.example.com members allow_create_keytab present for users, groups, hosts and hostgroups
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      allow_create_keytab_user:
+      - user01
+      - user02
+      allow_create_keytab_group:
+      - group01
+      - group02
+      allow_create_keytab_host:
+      - host01.example.com
+      - host02.example.com
+      allow_create_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member

playbooks/service/service-member-allow_retrieve_keytab-absent.yml

@@ -0,0 +1,24 @@
+---
+- name: Service member allow_retrieve_keytab absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.example.com members allow_retrieve_keytab absent for users, groups, hosts and hostgroups
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      allow_retrieve_keytab_user:
+      - user01
+      - user02
+      allow_retrieve_keytab_group:
+      - group01
+      - group02
+      allow_retrieve_keytab_host:
+      - host01.example.com
+      - host02.example.com
+      allow_retrieve_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member
+      state: absent

playbooks/service/service-member-allow_retrieve_keytab-present.yml

@@ -0,0 +1,23 @@
+---
+- name: Service member allow_retrieve_keytab present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.example.com members allow_retrieve_keytab present for users, groups, hosts and hostgroups
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      allow_retrieve_keytab_user:
+      - user01
+      - user02
+      allow_retrieve_keytab_group:
+      - group01
+      - group02
+      allow_retrieve_keytab_host:
+      - host01.example.com
+      - host02.example.com
+      allow_retrieve_keytab_hostgroup:
+      - hostgroup01
+      - hostgroup02
+      action: member

playbooks/service/service-member-certificate-absent.yml

@@ -0,0 +1,16 @@
+---
+- name: Service certificate absent.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service certificate is absent
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+
+      certificate:
+        - MIICBjCCAW8CFHnm32VcXaUDGfEGdDL/erPSijUAMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjAwMTIzMDA1NjQ2WhcNMjEwMTIyMDA1NjQ2WjBCMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYrdVmsr7iT3f67DM5bb1osSEe5/c91UUMEIcFq5wrgBhzVfs8iIMDVC1yiUGTsDLJNJc4nb1tUxeR9K5fh25E6n/eWDBP75NStotjAXRU4Ahi3FNRhWFOKesds5xNqgDk5/dY8UekJv2yUblQuZzeF8b2XFrmHuCaYuFctzPfWwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACF+5RS8Ce0HRixGPu4Xd51i+Kzblg++lx8fDJ8GW5G16/Z1AsB72Hc7etJL2PksHlue/xCq6SA9fIfHc4TBNCiWjPSP1NhHJeYyoPiSkcYsqXuxWyoyRLbnAhBVvhoiqZbUt3u3tGB0uMMA0yJvj07mP7Nea2KdBYVH8X1pM0V+
+      action: member
+      state: absent

playbooks/service/service-member-certificate-present.yml

@@ -0,0 +1,15 @@
+---
+- name: Service certificate present.
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure service certificate is present
+  - ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      certificate:
+        - MIICBjCCAW8CFHnm32VcXaUDGfEGdDL/erPSijUAMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjAwMTIzMDA1NjQ2WhcNMjEwMTIyMDA1NjQ2WjBCMQswCQYDVQQGEwJYWDEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBhbnkgTHRkMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDYrdVmsr7iT3f67DM5bb1osSEe5/c91UUMEIcFq5wrgBhzVfs8iIMDVC1yiUGTsDLJNJc4nb1tUxeR9K5fh25E6n/eWDBP75NStotjAXRU4Ahi3FNRhWFOKesds5xNqgDk5/dY8UekJv2yUblQuZzeF8b2XFrmHuCaYuFctzPfWwIDAQABMA0GCSqGSIb3DQEBCwUAA4GBACF+5RS8Ce0HRixGPu4Xd51i+Kzblg++lx8fDJ8GW5G16/Z1AsB72Hc7etJL2PksHlue/xCq6SA9fIfHc4TBNCiWjPSP1NhHJeYyoPiSkcYsqXuxWyoyRLbnAhBVvhoiqZbUt3u3tGB0uMMA0yJvj07mP7Nea2KdBYVH8X1pM0V+
+      action: member
+      state: present

playbooks/service/service-member-principal-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Service member principal absent
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com absent
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      principal:
+        - host/test.exmaple.com
+      action: member
+      state: absent

playbooks/service/service-member-principal-present.yml

@@ -0,0 +1,13 @@
+---
+- name: Service member principal present
+  hosts: ipaserver
+  become: true
+
+  tasks:
+  - name: Service HTTP/www.exmaple.com member principals host/test.exmaple.com present
+    ipaservice:
+      ipaadmin_password: MyPassword123
+      name: HTTP/www.example.com
+      principal:
+        - host/test.exmaple.com
+      action: member

playbooks/sudocmd/ensure-sudocmd-is-absent.yml

@@ -6,6 +6,6 @@
   tasks:
   # Ensure sudo command is absent
   - ipasudocmd:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: /usr/bin/su
       state: absent

playbooks/sudocmd/ensure-sudocmd-is-present.yml

@@ -6,6 +6,6 @@
   tasks:
   # Ensure sudo command is present
   - ipasudocmd:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: /usr/bin/su
       state: present

playbooks/sudocmdgroup/ensure-sudocmd-are-absent-in-sudocmdgroup.yml

@@ -6,7 +6,7 @@
   tasks:
   # Ensure sudocmds are absent in sudocmdgroup
   - ipasudocmdgroup:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: network
       sudocmd:
       - /usr/sbin/ifconfig

playbooks/sudocmdgroup/ensure-sudocmd-are-present-in-sudocmdgroup.yml

@@ -6,7 +6,7 @@
   tasks:
   # Ensure sudo commands are present
   - ipasudocmd:
-     ipaadmin_password: MyPassword123
+     ipaadmin_password: SomeADMINpassword
      name:
      - /usr/sbin/ifconfig
      - /usr/sbin/iwlist
@@ -14,7 +14,7 @@
 
   # Ensure sudo commands are present in existing sudocmdgroup
   - ipasudocmdgroup:
-     ipaadmin_password: MyPassword123
+     ipaadmin_password: SomeADMINpassword
      name: network
      sudocmd:
      - /usr/sbin/ifconfig

playbooks/sudorule/ensure-sudorule-does-not-have-sudooption.yml

@@ -0,0 +1,14 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure sudooption is absent in sudorule
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      sudooption: "!root"
+      action: member
+      state: absent

playbooks/sudorule/ensure-sudorule-has-sudooption.yml

@@ -0,0 +1,13 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure sudooption is present in sudorule
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      sudooption: "!root"
+      action: member

playbooks/sudorule/ensure-sudorule-host-member-is-absent.yml

@@ -7,7 +7,7 @@
   tasks:
   # Ensure host server is absent in Sudo Rule
   - ipasudorule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
       host: server
       action: member

playbooks/sudorule/ensure-sudorule-host-member-is-present.yml

@@ -7,7 +7,7 @@
   tasks:
   # Ensure host server is present in Sudo Rule
   - ipasudorule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
       host: server
       action: member

playbooks/sudorule/ensure-sudorule-hostgroup-member-is-absent.yml

@@ -7,7 +7,7 @@
   tasks:
   # Ensure hostgroup cluster is absent in Sudo Rule
   - ipasudorule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
       hostgroup: cluster
       action: member

playbooks/sudorule/ensure-sudorule-hostgroup-member-is-present.yml

@@ -7,7 +7,7 @@
   tasks:
   # Ensure hostgrep cluster is present in Sudo Rule
   - ipasudorule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
       hostgroup: cluster
       action: member

playbooks/sudorule/ensure-sudorule-is-disabled.yml

@@ -6,6 +6,6 @@
   tasks:
   # Ensure sudorule command is disabled
   - ipasudorule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
       state: disabled

playbooks/sudorule/ensure-sudorule-is-enabled.yml

@@ -6,6 +6,6 @@
   tasks:
   # Ensure sudorule command is enabled
   - ipasudorule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
       state: enabled

playbooks/sudorule/ensure-sudorule-is-present-with-order.yml

@@ -0,0 +1,12 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure sudorule is present with the given order.
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      order: 2

playbooks/sudorule/ensure-sudorule-is-present.yml

@@ -6,7 +6,9 @@
   tasks:
   # Ensure sudorule command is present
   - ipasudorule:
-      ipaadmin_password: MyPassword123
+      ipaadmin_password: SomeADMINpassword
       name: testrule1
       description: A test sudo rule.
+      allow_sudocmd: /bin/ls
+      deny_sudocmd: /bin/vim
       state: present

playbooks/sudorule/ensure-sudorule-runasuser-is-absent.yml

@@ -0,0 +1,14 @@
+---
+- name: Tests
+  hosts: ipaserver
+  become: true
+  gather_facts: false
+
+  tasks:
+  # Ensure sudorule is present with the given order.
+  - ipasudorule:
+      ipaadmin_password: SomeADMINpassword
+      name: testrule1
+      runasuser: admin
+      action: member
+      state: absent