Fix typo in README-permission.md

There is a typo "Eure" instead of "Ensure" in the rename task.
Merge pull request #484 from t-woerner/permission_fix_attrs_drop_privilege
2026-05-14 21:42:17 +00:00 · 2021-01-11 12:21:30 +01:00 · 2021-01-08 16:12:01 -03:00 · 2021-01-08 14:17:23 +01:00 · 2021-01-08 13:59:37 +01:00 · 2021-01-08 13:49:34 +01:00
450 changed files with 26191 additions and 11993 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -0,0 +1,23 @@
 exclude_paths:
  - roles
  - .tox
  - .venv
 parseable: true
 quiet: false
 skip_list:
  - '201'  # Trailing whitespace
  - '204'  # Lines should be no longer than 160 chars
  - '206'  # Variables should have spaces before and after: {{ var_name }}'
  - '208'  # File permissions not mentioned
  - '301'  # Commands should not change things if nothing needs doing'
  - '305'  # Use shell only when shell functionality is required'
  - '306'  # Shells that use pipes should set the pipefail option'
  - '502'  # All tasks should be named
  - '505'  # Referenced missing file
 use_default_rules: true
 verbosity: 1
--- a/.copr/Makefile
+++ b/.copr/Makefile
@@ -0,0 +1,9 @@
 srpm:
 	# Setup development environment
 	echo "Installing base development environment"
 	dnf install -y dnf-plugins-core git-all
 	echo "Call SRPM build Script"
 	./utils/build-srpm.sh
 	if [[ "${outdir}" != "" ]]; then \
 		mv /builddir/build/SRPMS/* ${outdir}; \
 	fi
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -0,0 +1,16 @@
 ---
 name: Verify Ansible documentation.
 on:
  - push
  - pull_request
 jobs:
  check_docs:
    name: Check Ansible Documentation.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: '3.x'
      - name: Run ansible-doc-test
        run: ANSIBLE_LIBRARY="." python utils/ansible-doc-test roles plugins
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,33 @@
 ---
 name: Run Linters
 on:
  - push
  - pull_request
 jobs:
  linters:
    name: Run Linters
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
        with:
          python-version: "3.6"
      - name: Run ansible-lint
        uses: ansible/ansible-lint-action@master
        with:
          targets: |
            tests/*.yml
            tests/*/*.yml
            tests/*/*/*.yml
            playbooks/*.yml
            playbooks/*/*.yml
        env:
          ANSIBLE_MODULE_UTILS: plugins/module_utils
          ANSIBLE_LIBRARY: plugins/modules
      - name: Run yaml-lint
        uses: ibiqlik/action-yamllint@v1
      - name: Run Python linters
        uses: rjeffman/python-lint-action@v2
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,8 @@
 *.pyc
 *.retry
 # ignore virtual environments
 /.tox/
 /.venv/
 tests/logs/
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,31 @@
 ---
 repos:
 - repo: https://github.com/ansible/ansible-lint.git
  rev: v4.3.5
  hooks:
  - id: ansible-lint
    always_run: false
    pass_filenames: true
    files: \.(yaml|yml)$
    entry: env ANSIBLE_LIBRARY=./plugins/modules ANSIBLE_MODULE_UTILS=./plugins/module_utils ansible-lint --force-color
 - repo: https://github.com/adrienverge/yamllint.git
  rev: v1.25.0
  hooks:
  - id: yamllint
    files: \.(yaml|yml)$
 - repo: https://gitlab.com/pycqa/flake8
  rev: 3.8.4
  hooks:
  - id: flake8
 - repo: https://gitlab.com/pycqa/pydocstyle
  rev: 5.1.1
  hooks:
  - id: pydocstyle
 - repo: local
  hooks:
  - id: ansible-doc-test
    name: Verify Ansible roles and module documentation.
    language: script
    entry: utils/ansible-doc-test
    # args: ['-v', 'roles', 'plugins']
    files: ^.*.py$
--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,28 @@
 ---
 ignore: |
  /.tox/
  /.venv/
  /.github/
 extends: default
 rules:
  braces:
    max-spaces-inside: 1
    level: error
  brackets:
    max-spaces-inside: 1
    level: error
  truthy:
    allowed-values: ["yes", "no", "true", "false", "True", "False"]
    level: error
  # Disabled rules
  document-start: disable
  indentation: disable
  line-length: disable
  colons: disable
  empty-lines: disable
  comments: disable
  comments-indentation: disable
  trailing-spaces: disable
  new-line-at-end-of-file: disable
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,121 @@
 Contributing to ansible-freeipa
 ===============================
 As part of the [FreeIPA] project, ansible-freeipa follows
 [FreeIPA's Code of Conduct].
 Reporting bugs or Features
 --------------------------
 ansible-freeipa uses [Github issues] for the upstream development, so all RFEs
 and bug reports should be added there.
 If you have questions about the usage of ansible-freeipa modules and roles,
 you should also submit an issue, so that anyone that knows an answer can help.
 Development
 -----------
 Contribute code by submitting a [pull request]. All pull requests should be
 created against the `master` branch. If your PR fixes an open issue, please,
 add this information to the commit message, like _"Fix issue #num"_.
 Every PR will have to pass some automatic checks and be reviewed by another
 developer(s). Once they are approved, they will be merged.
 In your commits, use clear messages that include intent, summary of changes,
 and expected result. Use a template commit message [for modules] and
 [for roles].
 Upon review, it is fine to `force push` the changes.
 **Preparing the development environment**
 There are some useful tools that will help you develop for ansible-freeipa,
 and you should install, at least, the modules in `requirements.txt`. You
 can install the modules with your distribution package manager, or use pip,
 as in the example:
 ```
 python3 -m pip install --user -r requirements-dev.txt
 ```
 We recommend using [pre-commit] so that the basic checks that will be executed
 for your PR are executed locally, on your commits. To setup the pre-commit
 hooks, issue the command:
 ```
 pre-commit install
 ```
 **Developing new modules**
 When developing new modules use the script `utils/new_module`. If the module
 should have `action: member` support, use the flag `-m`.
 This script will create the basic structure for the module, the required files
 for tests, playbooks, documentation and source code, all at the appropriate
 places.
 **Other helpfull tools**
 Under directory `utils`, you will find other useful tools, like
 **lint-check.sh**, which will run the Python and YAML linters on your code,
 and **ansible-doc-test** which will verify if the documentation added to the
 roles and modules source code has the right format.
 Testing
 -------
 When testing ansible-freeipa's roles and modules, we aim to check if they
 do what they intend to do, report the results correctly, and if they are
 idempotent (although, sometimes the operation performed is not, like when
 renaming items). To achieve this, we use Ansible playbooks.
 The Ansible playbooks test can be found under the [tests] directory. They
 should test the behavior of the module or role, and, if possible, provide
 test cases for all attributes.
 There might be some limitation on the testing environment, as some attributes
 or operations are only available in some circumstances, like specific FreeIPA
 versions, or some more elaborate scenarios (for example, requiring a
 configured trust to an AD domain). For these cases, there are some `facts`
 available that will only enable the tests if the testing environment is
 enabled.
 The tests run automatically on every pull request, using Fedora, CentOS 7,
 and CentOS 8 environments.
 See the document [Running the tests] and also the section `Preparing the
 development environment`, to prepare your environment.
 Documentation
 -------------
 We do our best to provide a correct and complete documentation for the modules
 and roles we provide, but we sometimes miss something that users find it
 important to be documented.
 If you think something could be made easier to understand, or found an error
 or omission in the documentation, fixing it will help other users and make
 the experience on using the project much better.
 Also, the [playbooks] can be seen as part of the documentation, as they are
 examples of commonly performed tasks.
 ---
 [FreeIPA]: https://freeipa.org
 [FreeIPA's Code of Conduct]: https://github.com/freeipa/freeipa/blob/master/CODE_OF_CONDUCT.md
 [for modules]: https://github.com/freeipa/ansible-freeipa/pull/357
 [for roles]: https://github.com/freeipa/ansible-freeipa/pull/430
 [Github issues]: https://github.com/freeipa/ansible-freeipa/issues
 [pull request]: https://github.com/freeipa/ansible-freeipa/pulls
 [playbooks]: playbooks
 [pre-commit]: https://pre-commit.com
 [Running the tests]: tests/README.md
 [tests]: tests/
--- a/README-config.md
+++ b/README-config.md
@@ -0,0 +1,150 @@
 Config module
 ===========
 Description
 -----------
 The config module allows the setting of global config parameters within IPA. If no parameters are specified it returns the list of all current parameters.
 The config module is as compatible as possible to the Ansible upstream `ipa_config` module, but adds many additional parameters
 Features
 --------
 * IPA server configuration management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaconfig module.
 Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to read config options:
 ```yaml
 ---
 - name: Playbook to handle global config options
  hosts: ipaserver
  become: true
  tasks:
    - name: return current values of the global configuration options
      ipaconfig:
        ipaadmin_password: password
      register: result
    - name: display default login shell
      debug:
        msg: '{{result.config.defaultlogin }}'
    - name: ensure defaultloginshell and maxusernamelength are set as required
      ipaconfig:
        ipaadmin_password: password
        defaultlogin: /bin/bash
        maxusername: 64
 ```
 ```yaml
 ---
 - name: Playbook to ensure some config options are set
  hosts: ipaserver
  become: true
  tasks:
    - name: set defaultlogin and maxusername
      ipaconfig:
        ipaadmin_password: password
        defaultlogin: /bin/bash
        maxusername: 64
 ```
 Variables
 =========
 ipauser
 -------
 **General Variables:**
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `maxusername` \| `ipamaxusernamelength` |  Set the maximum username length (1 to 255) | no
 `maxhostname` \| `ipamaxhostnamelength` |  Set the maximum hostname length between 64-255. Only usable with IPA versions 4.8.0 and up. | no
 `homedirectory` \| `ipahomesrootdir` |  Set the default location of home directories | no
 `defaultshell` \| `ipadefaultloginshell` |  Set the default shell for new users | no
 `defaultgroup` \| `ipadefaultprimarygroup` |  Set the default group for new users | no
 `emaildomain`\| `ipadefaultemaildomain`  |  Set the default e-mail domain | false
 `searchtimelimit` \| `ipasearchtimelimit` |  Set maximum amount of time (seconds) for a search -1 to 2147483647 (-1 or 0 is unlimited) | no
 `searchrecordslimit` \| `ipasearchrecordslimit` |  Set maximum number of records to search -1 to 2147483647 (-1 or 0 is unlimited) | no
 `usersearch` \| `ipausersearchfields` |  Set list of fields to search when searching for users | no
 `groupsearch` \| `ipagroupsearchfields` |  Set list of fields to search in when searching for groups | no
 `enable_migration` \| `ipamigrationenabled` |  Enable migration mode (choices: True, False ) | no
 `groupobjectclasses` \| `ipagroupobjectclasses` |  Set default group objectclasses (list) | no
 `userobjectclasses` \| `ipauserobjectclasses` |  Set default user objectclasses (list) | no
 `pwdexpnotify` \| `ipapwdexpadvnotify` |  Set number of days's notice of impending password expiration (0 to 2147483647) | no
 `configstring` \| `ipaconfigstring` |  Set extra hashes to generate in password plug-in (choices:`AllowNThash`, `KDC:Disable Last Success`, `KDC:Disable Lockout`, `KDC:Disable Default Preauth for SPNs`). Use `""` to clear this variable. | no
 `selinuxusermaporder` \| `ipaselinuxusermaporder`| Set ordered list in increasing priority of SELinux users | no
 `selinuxusermapdefault`\| `ipaselinuxusermapdefault` |  Set default SELinux user when no match is found in SELinux map rule | no
 `pac_type` \| `ipakrbauthzdata` |  set default types of PAC supported for services (choices: `MS-PAC`, `PAD`, `nfs:NONE`). Use `""` to clear this variable. | no
 `user_auth_type` \| `ipauserauthtype` |  set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no
 `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no
 `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no
 Return Values
 =============
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `config` | config dict <br />Fields: | No values to configure are specified
 &nbsp; | `maxusername` | &nbsp;
 &nbsp; | `maxhostname` | &nbsp;
 &nbsp; | `homedirectory` | &nbsp;
 &nbsp; | `defaultshell` | &nbsp;
 &nbsp; | `defaultgroup` | &nbsp;
 &nbsp; | `emaildomain` | &nbsp;
 &nbsp; | `searchtimelimit` | &nbsp;
 &nbsp; | `searchrecordslimit` | &nbsp;
 &nbsp; | `usersearch` | &nbsp;
 &nbsp; | `groupsearch` | &nbsp;
 &nbsp; | `enable_migration` | &nbsp;
 &nbsp; | `groupobjectclasses` | &nbsp;
 &nbsp; | `userobjectclasses` | &nbsp;
 &nbsp; | `pwdexpnotify` | &nbsp;
 &nbsp; | `configstring` | &nbsp;
 &nbsp; | `selinuxusermapdefault` | &nbsp;
 &nbsp; | `selinuxusermaporder` | &nbsp;
 &nbsp; | `pac_type` | &nbsp;
 &nbsp; | `user_auth_type` | &nbsp;
 &nbsp; | `domain_resolution_order` | &nbsp;
 &nbsp; | `ca_renewal_master_server` | &nbsp;
 All returned fields take the same form as their namesake input parameters
 Authors
 =======
 Chris Procter
--- a/README-delegation.md
+++ b/README-delegation.md
@@ -0,0 +1,157 @@
 Delegation module
 =================
 Description
 -----------
 The delegation module allows to ensure presence, absence of delegations and delegation attributes.
 Features
 --------
 * Delegation management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipadelegation module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure delegation "basic manager attributes" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      permission: read
      attribute:
      - businesscategory
      - employeetype
      group: managers
      membergroup: employees
 ```
 Example playbook to make sure delegation "basic manager attributes" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      state: absent
 ```
 Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are present:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - employeenumber
      - employeetype
      action: member
 ```
 Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are absent:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - employeenumber
      - employeetype
      action: member
      state: absent
 ```
 Example playbook to make sure delegation "basic manager attributes" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA delegation.
  hosts: ipaserver
  become: yes
  tasks:
  - ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      state: absent
 ```
 Variables
 ---------
 ipadelegation
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `aciname` | The list of delegation name strings. | yes
 `permission` \| `permissions` |  The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
 `attribute` \| `attrs` | The attribute list to which the delegation applies. | no
 `membergroup` \| `memberof` | The user group to apply delegation to. | no
 `group` | User group ACI grants access to. | no
 `action` | Work on delegation or member level. It can be on of `member` or `delegation` and defaults to `delegation`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-dnsforwardzone.md
+++ b/README-dnsforwardzone.md
@@ -0,0 +1,124 @@
 Dnsforwardzone module
 =====================
 Description
 -----------
 The dnsforwardzone module allows the addition and removal of dns forwarders from the IPA DNS config.
 It is desgined to follow the IPA api as closely as possible while ensuring ease of use.
 Features
 --------
 * DNS zone management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipadnsforwardzone module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to ensure presence of a forwardzone to ipa DNS:
 ```yaml
 ---
 - name: Playbook to handle add a forwarder
  hosts: ipaserver
  become: true
  tasks:
  - name: ensure presence of forwardzone with a single forwarder DNS server
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
        - ip_address: 8.8.8.8
      forwardpolicy: first
      skip_overlap_check: true
  - name: ensure the forward zone is disabled
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      state: disabled
  - name: ensure presence of forwardzone with multiple forwarder DNS server
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
        - ip_address: 8.8.8.8
        - ip_address: 4.4.4.4
  - name: ensure presence of another forwarder to any existing ones for example.com
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
        - ip_address: 1.1.1.1
      action: member
  - name: ensure presence of forwardzone with single forwarder DNS server on non-stardard port
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      state: present
      name: example.com
      forwarders:
        - ip_address: 4.4.4.4
          port: 8053
  - name: ensure the forward zone is absent
    ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      state: absent
 ```
 Variables
 =========
 ipagroup
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | Zone name (FQDN). | yes if `state` == `present`
 `forwarders` \| `idnsforwarders` |  Per-zone forwarders. A custom port can be specified for each forwarder. Options | no
 &nbsp; | `ip_address`: The forwarder IP address. | yes
 &nbsp; | `port`: The forwarder IP port. | no
 `forwardpolicy` \| `idnsforwardpolicy` | Per-zone conditional forwarding policy. Possible values are `only`, `first`, `none`. Set to "none" to disable forwarding to global forwarder for this zone. In that case, conditional zone forwarders are disregarded. | no
 `skip_overlap_check` | Force DNS zone creation even if it will overlap with an existing zone. Defaults to False. | no
 `permission` | Allow DNS Forward Zone to be managed. (bool) | no
 `action` | Work on group or member level. It can be on of `member` or `dnsforwardzone` and defaults to `dnsforwardzone`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, `enabled` or `disabled`, default: `present`. | yes
 Authors
 =======
 Chris Procter
--- a/README-dnsrecord.md
+++ b/README-dnsrecord.md
@@ -0,0 +1,357 @@
 DNSRecord module
 ================
 Description
 -----------
 The dnsrecord module allows management of DNS records and is as compatible as possible with the Ansible upstream `ipa_dnsrecord` module, but provide some other features like multiple record management in one execution and support for more DNS record types.
 Features
 --------
 * DNS record management.
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipadnsrecord module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.example.com
 ```
 Example playbook to ensure an AAAA record is present:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    name: host01
    zone_name: example.com
    record_type: 'AAAA'
    record_value: '::1'
 ```
 Example playbook to ensure an AAAA record is present, with a TTL of 300:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    name: host01
    zone_name: example.com
    record_type: 'AAAA'
    record_value: '::1'
    record_ttl: 300
 ```
 Example playbook to ensure an AAAA record is present, with a reverse PTR record:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    name: host02
    zone_name: example.com
    record_type: 'AAAA'
    record_value: 'fd00::0002'
    create_reverse: yes
 ```
 Example playbook to ensure a LOC record is present, given its individual attributes:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host03
    loc_lat_deg: 52
    loc_lat_min: 22
    loc_lat_sec: 23.000
    loc_lat_dir: N
    loc_lon_deg: 4
    loc_lon_min: 53
    loc_lon_sec: 32.00
    loc_lon_dir: E
    loc_altitude: -2.00
    loc_size: 1.00
    loc_h_precision: 10000
    loc_v_precision: 10
 ```
 Example playbook to ensure multiple DNS records are present:
 ```yaml
 ---
 ipadnsrecord:
  ipaadmin_password: SomeADMINpassword
  records:
    - name: host02
      zone_name: example.com
      record_type: A
      record_value:
        - "{{ ipv4_prefix }}.112"
        - "{{ ipv4_prefix }}.122"
    - name: host02
      zone_name: example.com
      record_type: AAAA
      record_value: ::1
 ```
 Example playbook to ensure multiple CNAME records are present:
 ```yaml
 ---
 - name: Ensure that 'host03' and 'host04' have CNAME records.
  ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    records:
    - name: host03
      cname_hostname: host03.example.com
    - name: host04
      cname_hostname: host04.example.com
 ```
 Example playbook to ensure NS record is absent:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host04
    ns_hostname: host04
    state: absent
 ```
 Example playbook to ensure LOC record is present, with fields:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host04
    loc_lat_deg: 52
    loc_lat_min: 22
    loc_lat_sec: 23.000
    loc_lat_dir: N
    loc_lon_deg: 4
    loc_lon_min: 53
    loc_lon_sec: 32.000
    loc_lon_dir: E
    loc_altitude: -2.00
    loc_size: 0.00
    loc_h_precision: 10000
    loc_v_precision: 10
 ```
 Change value of an existing LOC record:
 ```yaml
 ---
 - ipadnsrecord:
  ipaadmin_password: SomeADMINpassword
  zone_name: example.com
  name: host04
  loc_size: 1.00
  loc_rec: 52 22 23 N 4 53 32 E -2 0 10000 10
 ```
 Example playbook to ensure multiple A records are present:
 ```yaml
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host04
    a_rec:
      - 192.168.122.221
      - 192.168.122.222
      - 192.168.122.223
      - 192.168.122.224
 ```
 Example playbook to ensure A and AAAA records are present, with reverse records (PTR):
 ```yaml
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host01
    a_rec:
      - 192.168.122.221
      - 192.168.122.222
    aaaa_rec:
      - fd00:;0001
      - fd00::0002
    create_reverse: yes
 ```
 Example playbook to ensure multiple A and AAAA records are present, but only A records have reverse records:
 ```yaml
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    name: host01
    a_ip_address: 192.168.122.221
    aaaa_ip_address: fd00::0001
    a_create_reverse: yes
 ```
 Example playbook to ensure multiple DNS records are absent:
 ```yaml
 ---
 - ipadnsrecord:
    ipaadmin_password: SomeADMINpassword
    zone_name: example.com
    records:
    - name: host01
      del_all: yes
    - name: host02
      del_all: yes
    - name: host03
      del_all: yes
    - name: host04
      del_all: yes
    - name: _ftp._tcp
      del_all: yes
    - name: _sip._udp
      del_all: yes
    state: absent
 ```
 Variables
 =========
 ipadnsrecord
 ------------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. | no
  required: true
 `records` | The list of dns records dicts. Each `records` dict entry can contain **record variables**. | no
 &nbsp; | **Record variables** | no
 **Record variables** | Used when defining a single record. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, and defaults to `present`. | yes
 **Record Variables:**
 Variable | Description | Required
 -------- | ----------- | --------
 `zone_name` \| `dnszone` | The DNS zone name to which DNS record needs to be managed. You can use one global zone name for multiple records. When used on a `records` dict, overrides the global `zone_name`. | yes
 `name` \| `record_name` | The DNS record name to manage. | yes
 `record_type` | The type of DNS record. Supported values are  `A`, `AAAA`, `A6`, `AFSDB`, `CERT`, `CNAME`, `DLV`, `DNAME`, `DS`, `KX`, `LOC`, `MX`, `NAPTR`, `NS`, `PTR`, `SRV`, `SSHFP`, `TLSA`, `TXT`, `URI`, and defaults to `A`. | no
 `record_value` | Manage DNS record name with this values. | no
 `record_ttl` | Set the TTL for the record. (int) | no
 `del_all` | Delete all associated records. (bool) | no
 `a_rec` \| `a_record` | Raw A record. | no
 `aaaa_rec` \| `aaaa_record` |  Raw AAAA record. | no
 `a6_rec` \| `a6_record` | Raw A6 record data. | no
 `afsdb_rec` \| `afsdb_record` | Raw AFSDB record. | no
 `cert_rec` \| `cert_record` | Raw CERT record. | no
 `cname_rec` \| `cname_record` | Raw CNAME record. | no
 `dlv_rec` \| `dlv_record` |  Raw DLV record. | no
 `dname_rec` \| `dname_record` | Raw DNAM record. | no
 `ds_rec` \| `ds_record` | Raw DS record. | no
 `kx_rec` \| `kx_record` |  Raw KX record. | no
 `loc_rec` \| `loc_record` | Raw LOC record. | no
 `mx_rec` \| `mx_record` | Raw MX record. | no
 `naptr_rec` \| `naptr_record` | Raw NAPTR record. | no
 `ns_rec` \| `ns_record` | Raw NS record. | no
 `ptr_rec` \| `ptr_record` | Raw PTR record. | no
 `srv_rec` \| `srv_record` | Raw SRV record. | no
 `sshfp_rec` \| `sshfp_record` | Raw SSHFP record. | no
 `tlsa_rec` \| `tlsa_record` | Raw TLSA record. | no
 `txt_rec` \| `txt_record` | Raw TXT record. | no
 `uri_rec` \| `uri_record` | Raw URI record. | no
 `ip_address` | IP adress for A or AAAA records. Set `record_type` to `A` or `AAAA`. | no
 `create_reverse` \| `reverse` | Create reverse records for `A` and `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
 `a_ip_address` | IP adress for A records. Set `record_type` to `A`. | no
 `a_create_reverse` | Create reverse records only for `A` records. There is no equivalent to remove reverse records. (bool) | no
 `aaaa_ip_address` | IP adress for AAAA records. Set `record_type` `AAAA`. | no
 `aaaa_create_reverse` | Create reverse records only for `AAAA` record types. There is no equivalent to remove reverse records. (bool) | no
 `a6_data` | A6 record. Set `record_type` to `A6`. | no
 `afsdb_subtype` | AFSDB Subtype. Set `record_type` to `AFSDB`. (int) | no
 `afsdb_hostname` | AFSDB Hostname. Set `record_type` to `AFSDB`. | no
 `cert_type` | CERT Certificate Type. Set `record_type` to `CERT`. (int) | no
 `cert_key_tag` | CERT Key Tag. Set `record_type` to `CERT`. (int) | no
 `cert_algorithm` | CERT Algorithm. Set `record_type` to `CERT`. (int) | no
 `cert_certificate_or_crl` | CERT Certificate or  Certificate Revocation List (CRL). Set `record_type` to `CERT`. | no
 `cname_hostname` | A hostname which this alias hostname points to. Set `record_type` to `CNAME`. | no
 `dlv_key_tag` | DS Key Tag. Set `record_type` to `DLV`. (int) | no
 `dlv_algorithm` | DLV Algorithm. Set `record_type` to `DLV`. (int) | no
 `dlv_digest_type` | DLV Digest Type. Set `record_type` to `DLV`. (int) | no
 `dlv_digest` | DLV Digest. Set `record_type` to `DLV`. | no
 `dname_target` | DNAME Target. Set `record_type` to `DNAME`. | no
 `ds_key_tag` | DS Key Tag. Set `record_type` to `DS`. (int) | no
 `ds_algorithm` | DS Algorithm. Set `record_type` to `DS`. (int) | no
 `ds_digest_type` | DS Digest Type. Set `record_type` to `DS`. (int) | no
 `ds_digest` | DS Digest. Set `record_type` to `DS`. | no
 `kx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `KX`. (int) | no
 `kx_exchanger` | A host willing to act as a key exchanger.  Set `record_type` to `KX`. | no
 `loc_lat_deg` | LOC Degrees Latitude. Set `record_type` to `LOC`. (int) | no
 `loc_lat_min` | LOC Minutes Latitude. Set `record_type` to `LOC`. (int) | no
 `loc_lat_sec` | LOC Seconds Latitude. Set `record_type` to `LOC`. (float) | no
 `loc_lat_dir` | LOC Direction Latitude. Valid values are `N` or `S`. Set `record_type` to `LOC`. (int) | no
 `loc_lon_deg` | LOC Degrees Longitude. Set `record_type` to `LOC`. (int) | no
 `loc_lon_min` | LOC Minutes Longitude. Set `record_type` to `LOC`. (int) | no
 `loc_lon_sec` | LOC Seconds Longitude. Set `record_type` to `LOC`. (float) | no
 `loc_lon_dir` | LOC Direction Longitude. Valid values are `E` or `W`. Set `record_type` to `LOC`. (int) | no
 `loc_altitude` | LOC Altitude. Set `record_type` to `LOC`. (float) | no
 `loc_size` | LOC Size. Set `record_type` to `LOC`. (float) | no
 `loc_h_precision` | LOC Horizontal Precision. Set `record_type` to `LOC`. (float) | no
 `loc_v_precision` | LOC Vertical Precision. Set `record_type` to `LOC`. (float) | no
 `mx_preference` | Preference given to this exchanger. Lower values are more preferred. Set `record_type` to `MX`. (int) | no
 `mx_exchanger` | A host willing to act as a mail exchanger.  Set `record_type` to `LOC`. | no
 `naptr_order` | NAPTR Order. Set `record_type` to `NAPTR`. (int) | no
 `naptr_preference` | NAPTR Preference. Set `record_type` to `NAPTR`. (int) | no
 `naptr_flags` | NAPTR Flags. Set `record_type` to `NAPTR`. | no
 `naptr_service` | NAPTR Service. Set `record_type` to `NAPTR`. | no
 `naptr_regexp` | NAPTR Regular Expression. Set `record_type` to `NAPTR`. | no
 `naptr_replacement` | NAPTR Replacement. Set `record_type` to `NAPTR`. | no
 `ns_hostname` | NS Hostname. Set `record_type` to `NS`. | no
 `ptr_hostname` | The hostname this reverse record points to. . Set `record_type` to `PTR`. | no
 `srv_priority` | Lower number means higher priority. Clients will attempt to contact the server with the lowest-numbered priority they can reach. Set `record_type` to `SRV`. (int) | no
 `srv_weight` | Relative weight for entries with the same priority. Set `record_type` to `SRV`. (int) | no
 `srv_port` | SRV Port. Set `record_type` to `SRV`. (int) | no
 `srv_target` | The domain name of the target host or '.' if the service is decidedly not available at this domain. Set `record_type` to `SRV`. | no
 `sshfp_algorithm` | SSHFP Algorithm. Set `record_type` to `SSHFP`. (int) | no
 `sshfp_fp_type` | SSHFP Fingerprint Type. Set `record_type` to `SSHFP`. (int) | no
 `sshfp_fingerprint`| SSHFP Fingerprint. Set `record_type` to `SSHFP`. (int) | no
 `txt_data` | TXT Text Data. Set `record_type` to `TXT`. | no
 `tlsa_cert_usage` | TLSA Certificate Usage. Set `record_type` to `TLSA`. (int) | no
 `tlsa_selector` | TLSA Selector. Set `record_type` to `TLSA`. (int) | no
 `tlsa_matching_type` | TLSA Matching Type. Set `record_type` to `TLSA`. (int) | no
 `tlsa_cert_association_data` | TLSA Certificate Association Data. Set `record_type` to `TLSA`. | no
 `uri_target` | Target Uniform Resource Identifier according to RFC 3986. Set `record_type` to `URI`. | no
 `uri_priority` | Lower number means higher priority. Clients will attempt to contact the URI with the lowest-numbered priority they can reach. Set `record_type` to `URI`. (int) | no
 `uri_weight` | Relative weight for entries with the same priority. Set `record_type` to `URI`. (int) | no
 Authors
 =======
 Rafael Guterres Jeffman
--- a/README-dnszone.md
+++ b/README-dnszone.md
@@ -0,0 +1,247 @@
 DNSZone Module
 ==============
 Description
 -----------
 The dnszone module allows to configure zones in DNS server.
 Features
 --------
 * Add, remove, modify, enable or disable DNS zones.
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by ipadnszone module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 -----
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to create a simple DNS zone:
 ```yaml
 ---
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: present
 ```
 Example playbook to create a DNS zone with all currently supported variables:
 ```yaml
 ---
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      allow_sync_ptr: true
      dynamic_update: true
      dnssec: true
      allow_transfer:
        - 1.1.1.1
        - 2.2.2.2
      allow_query:
        - 1.1.1.1
        - 2.2.2.2
      forwarders:
        - ip_address: 8.8.8.8
        - ip_address: 8.8.4.4
          port: 52
      serial: 1234
      refresh: 3600
      retry: 900
      expire: 1209600
      minimum: 3600
      ttl: 60
      default_ttl: 90
      name_server: ipaserver.test.local.
      admin_email: admin.admin@example.com
      nsec3param_rec: "1 7 100 0123456789abcdef"
      skip_overlap_check: true
      skip_nameserver_check: true
      state: present
 ```
 Example playbook to disable a zone:
 ```yaml
 ---
 - name: Playbook to disable DNS zone
  hosts: ipaserver
  become: true
  tasks:
  - name: Disable zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: disabled
 ```
 Example playbook to enable a zone:
 ```yaml
 ---
 - name: Playbook to enable DNS zone
  hosts: ipaserver
  become: true
  tasks:
  - name: Enable zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: enabled
 ```
 Example playbook to remove a zone:
 ```yaml
 ---
 - name: Playbook to remove DNS zone
  hosts: ipaserver
  become: true
  tasks:
  - name: Remove zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: absent
 ```
 Example playbook to create a zone for reverse DNS lookup, from an IP address:
 ```yaml
 ---
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone for reverse DNS lookup is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name_from_ip: 192.168.1.2
      state: present
 ```
 Note that, on the previous example the zone created with `name_from_ip` might be "1.168.192.in-addr.arpa.", "168.192.in-addr.arpa.", or "192.in-addr.arpa.", depending on the DNS response the system get while querying for zones, and for this reason, when creating a zone using `name_from_ip`, the inferred zone name is returned to the controller, in the attribute `dnszone.name`. Since the zone inferred might not be what a user expects, `name_from_ip` can only be used with `state: present`. To have more control over the zone name, the prefix length for the IP address can be provided.
 Example playbook to create a zone for reverse DNS lookup, from an IP address, given the prefix length and displaying the resulting zone name:
 ```yaml
 ---
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone for reverse DNS lookup is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name_from_ip: 192.168.1.2/24
      state: present
    register: result
  - name: Display inferred zone name.
    debug:
      msg: "Zone name: {{ result.dnszone.name }}"
 ```
 Variables
 =========
 ipadnszone
 ----------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `zone_name` | The zone name string or list of strings. | no
 `name_from_ip` | Derive zone name from reverse of IP (PTR). Can only be used with `state: present`. | no
 `forwarders` | The list of forwarders dicts. Each `forwarders` dict entry has:| no
 &nbsp; | `ip_address` - The IPv4 or IPv6 address of the DNS server. | yes
 &nbsp; | `port` - The custom port that should be used on this server. | no
 `forward_policy` | The global forwarding policy. It can be one of `only`, `first`, or `none`.  | no
 `allow_sync_ptr` | Allow synchronization of forward (A, AAAA) and reverse (PTR) records (bool). | no
 `state` | The state to ensure. It can be one of `present`, `enabled`, `disabled` or `absent`, default: `present`. | yes
 `name_server`| Authoritative nameserver domain name | no
 `admin_email`| Administrator e-mail address | no
 `update_policy`| BIND update policy | no
 `dynamic_update` \| `dynamicupdate` | Allow dynamic updates | no
 `dnssec`| Allow inline DNSSEC signing of records in the zone | no
 `allow_transfer`| List of IP addresses or networks which are allowed to transfer the zone | no
 `allow_query`| List of IP addresses or networks which are allowed to issue queries | no
 `serial`| SOA record serial number | no
 `refresh`| SOA record refresh time | no
 `retry`| SOA record retry time | no
 `expire`| SOA record expire time | no
 `minimum`| How long should negative responses be cached | no
 `ttl`| Time to live for records at zone apex | no
 `default_ttl`| Time to live for records without explicit TTL definition | no
 `nsec3param_rec`| NSEC3PARAM record for zone in format: hash_algorithm flags iterations salt | no
 `skip_overlap_check`| Force DNS zone creation even if it will overlap with an existing zone | no
 `skip_nameserver_check` | Force DNS zone creation even if nameserver is not resolvable | no
 Return Values
 =============
 ipadnszone
 ----------
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `dnszone` | DNS Zone dict with zone name infered from `name_from_ip`. <br>Options: |  If `state` is `present`, `name_from_ip` is used, and a zone was created.
 &nbsp; | `name` - The name of the zone created, inferred from `name_from_ip`. | Always
 Authors
 =======
 Sergio Oliveira Campos
--- a/README-group.md
+++ b/README-group.md
@@ -19,6 +19,8 @@ Supported FreeIPA Versions
 FreeIPA versions 4.4.0 and up are supported by the ipagroup module.
 Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
 ------------
@@ -107,6 +109,24 @@ Example playbook to add group members to a group:
      - appops
 ```
 Example playbook to add members from a trusted realm to an external group:
 ```yaml
 --
 - name: Playbook to handle groups.
  hosts: ipaserver
  became: true
  - name: Create an external group and add members from a trust to it.
    ipagroup:
      ipaadmin_password: SomeADMINpassword
      name: extgroup
      external: yes
      externalmember:
      - WINIPA\\Web Users
      - WINIPA\\Developers
 ```
 Example playbook to remove groups:
 ```yaml
@@ -137,12 +157,16 @@ Variable | Description | Required
 `name` \| `cn` | The list of group name strings. | no
 `description` | The group description string. | no
 `gid` \| `gidnumber` | The GID integer. | no
 `posix` | Create a non-POSIX group or change a non-POSIX to a posix group. (bool) | no
 `nonposix` | Create as a non-POSIX group. (bool) | no
 `external` | Allow adding external non-IPA members from trusted domains. (bool) | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `user` | List of user name strings assigned to this group. | no
 `group` | List of group name strings assigned to this group. | no
 `service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
 `membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
 `externalmember` \| `ipaexternalmember`  \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
 `action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
--- a/README-hbacrule.md
+++ b/README-hbacrule.md
@@ -138,9 +138,9 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of hbacrule name strings. | yes
 `description` | The hbacrule description string. | no
-`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all"] | no
+`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
-`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all"] | no
+`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
-`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all"] | no
+`servicecategory` \| `servicecat` | HBAC service category the rule applies to. Choices: ["all", ""] | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this hbacrule. | no
 `hostgroup` | List of host group name strings assigned to this hbacrule. | no
--- a/README-host.md
+++ b/README-host.md
@@ -173,14 +173,14 @@ Example playbook to ensure host presence with a random password:
      name: host01.example.com
      random: yes
      force: yes
      update_password: on_create
    register: ipahost
  - name: Print generated random password
    debug:
      var: ipahost.host.randompassword
 ```
-Please remember that the `force` tag will also force the generation of a new random password even if the host already exists and if `update_password` is limited to `on_create`.
+Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
 Example playbook to ensure presence of several hosts with a random password:
@@ -198,9 +198,11 @@ Example playbook to ensure presence of several hosts with a random password:
      - name: host01.example.com
        random: yes
        force: yes
        update_password: on_create
      - name: host02.example.com
        random: yes
        force: yes
        update_password: on_create
    register: ipahost
  - name: Print generated random password for host01.example.com
@@ -211,7 +213,7 @@ Example playbook to ensure presence of several hosts with a random password:
    debug:
      var: ipahost.host["host02.example.com"].randompassword
 ```
-Please remember that the `force` tag will also force the generation of a new random password even if the host alreay exists and if `update_password` is limited to `on_create`.
+Please remember that a new random password will be generated for an existing but not enrolled host if `update_password` is not limited to `on_create`. For an already enrolled host the task will fail with `update_password` default setting `always`.
 Example playbook to ensure presence of host member principal:
@@ -337,8 +339,8 @@ Variable | Description | Required
 `location` \| `ns_host_location` | Host location (e.g. "Lab 2"). | no
 `platform` \| `ns_hardware_platform` | Host hardware platform (e.g. "Lenovo T61"). | no
 `os` \| `ns_os_version` | Host operating system and version (e.g. "Fedora 9"). | no
-`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment. | no
+`password` \| `user_password` \| `userpassword` | Password used in bulk enrollment for absent or not enrolled hosts. | no
-`random` \| `random_password` |  Initiate the generation of a random password to be used in bulk enrollment. | no
+`random` \| `random_password` |  Initiate the generation of a random password to be used in bulk enrollment for absent or not enrolled hosts. | no
 `certificate` \| `usercertificate` | List of base-64 encoded host certificates | no
 `managedby` \| `principalname` \| `krbprincipalname` | List of hosts that can manage this host | no
 `principal` \| `principalname` \| `krbprincipalname` | List of principal aliases for this host | no
@@ -353,7 +355,7 @@ Variable | Description | Required
 `mac_address` \| `macaddress` | List of hardware MAC addresses. | no
 `sshpubkey` \| `ipasshpubkey` | List of SSH public keys | no
 `userclass` \| `class` | Host category (semantics placed on this attribute are for local interpretation) | no
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. Use 'otp' to allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications. Use empty string to reset auth_ind to the initial value. Other values may be used for custom configurations. choices: ["radius", "otp", "pkinit", "hardened", ""] | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service (bool) | no
 `ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service (bool) | no
 `ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client (bool) | no
--- a/README-hostgroup.md
+++ b/README-hostgroup.md
@@ -19,6 +19,8 @@ Supported FreeIPA Versions
 FreeIPA versions 4.4.0 and up are supported by the ipahostgroup module.
 Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
 ------------
@@ -105,6 +107,23 @@ Example playbook to make sure hosts and hostgroups are absent in databases hostg
      state: absent
 ```
 Example playbook to rename an existing playbook:
 ```yaml
 ---
 - name: Playbook to handle hostgroups
  hosts: ipaserver
  become: true
  tasks:
  # Ensure host-group databases is absent
  - ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: databases
      rename: datalake
      state: renamed
 ```
 Example playbook to make sure host-group databases is absent:
 ```yaml
@@ -121,7 +140,6 @@ Example playbook to make sure host-group databases is absent:
      state: absent
 ```
 Variables
 =========
@@ -137,8 +155,11 @@ Variable | Description | Required
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this hostgroup. | no
 `hostgroup` | List of hostgroup name strings assigned to this hostgroup. | no
 `membermanager_user` | List of member manager users assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
 `membermanager_group` | List of member manager groups assigned to this hostgroup. Only usable with IPA versions 4.8.4 and up. | no
 `rename` \| `new_name` | Rename hostgroup to the provided name. Only usable with IPA versions 4.8.7 and up. | no
 `action` | Work on hostgroup or member level. It can be on of `member` or `hostgroup` and defaults to `hostgroup`. | no
-`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+`state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
 Authors
--- a/README-location.md
+++ b/README-location.md
@@ -0,0 +1,92 @@
 Location module
 ===============
 Description
 -----------
 The location module allows to ensure presence and absence of locations.
 Features
 --------
 * Location management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipalocation module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure location "my_location1" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA location.
  hosts: ipaserver
  become: yes
  tasks:
  - ipalocation:
      ipaadmin_password: SomeADMINpassword
      name: my_location1
      description: My Location 1
 ```
 Example playbook to make sure location "my_location1" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA location.
  hosts: ipaserver
  become: yes
  tasks:
  - ipalocation:
      ipaadmin_password: SomeADMINpassword
      name: my_location1
      state: absent
 ```
 Variables
 ---------
 ipalocation
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `idnsname` | The list of location name strings. | yes
 `description` | The IPA location string | false
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-permission.md
+++ b/README-permission.md
@@ -0,0 +1,188 @@
 Permission module
 ============
 Description
 -----------
 The permission module allows to ensure presence and absence of permissions and permission members.
 Features
 --------
 * Permission management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipapermission module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure permission "MyPermission" is present:
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission MyPermission is present
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      object_type: host
      right: all
 ```
 Example playbook to ensure permission "MyPermission" is present with attr carlicense:
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission "MyPermission" is present with attr carlicense
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      object_type: host
      right: all
      attrs:
      - carlicense
 ```
 Example playbook to ensure attr gecos is present in permission "MyPermission":
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure attr gecos is present in permission "MyPermission"
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      attrs:
      - gecos
      action: member
 ```
 Example playbook to ensure attr gecos is absent in permission "MyPermission":
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure attr gecos is present in permission "MyPermission"
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      attrs:
      - gecos
      action: member
      state: absent
 ```
 Example playbook to make sure permission "MyPermission" is absent:
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission "MyPermission" is absent
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      state: absent
 ```
 Example playbook to make sure permission "MyPermission" is renamed to "MyNewPermission":
 ```yaml
 ---
 - name: Playbook to handle IPA permissions
  hosts: ipaserver
  become: yes
  tasks:
  - name: Ensure permission "MyPermission" is renamed to "MyNewPermission
    ipapermission:
      ipaadmin_password: SomeADMINpassword
      name: MyPermission
      rename: MyNewPermission
      state: renamed
 ```
 Variables
 ---------
 ipapermission
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The permission name string. | yes
 `right` \| `ipapermright` | Rights to grant. It can be a list of one or more of `read`, `search`, `compare`, `write`, `add`, `delete`, and `all` default: `all` | no
 `attrs` | All attributes to which the permission applies. | no
 `bindtype` \| `ipapermbindruletype` | Bind rule type. It can be one of `permission`, `all`, `self`, or `anonymous` defaults to `permission` for new permissions. Bind rule type `self` can only be used on IPA versions 4.8.7 or up.| no
 `subtree` \| `ipapermlocation` | Subtree to apply permissions to | no
 `filter` \| `extratargetfilter` | Extra target filter | no
 `rawfilter` \| `ipapermtargetfilter` | All target filters | no
 `target` \| `ipapermtarget` | Optional DN to apply the permission to | no
 `targetto` \| `ipapermtargetto` | Optional DN subtree where an entry can be moved to | no
 `targetfrom` \| `ipapermtargetfrom` | Optional DN subtree from where an entry can be moved | no
 `memberof` | Target members of a group (sets memberOf targetfilter) | no
 `targetgroup` | User group to apply permissions to (sets target) | no
 `object_type` | Type of IPA object (sets subtree and objectClass targetfilter) | no
 `no_members` | Suppress processing of membership | no
 `rename` | Rename the permission object | no
 `action` | Work on permission or member level. It can be on of `member` or `permission` and defaults to `permission`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, or `renamed` default: `present`. | no
 The `includedattrs` and `excludedattrs` variables are only usable for managed permisions and are not exposed by the module. Using `attrs` for managed permissions will result in the automatic generation of `includedattrs` and `excludedattrs` in the IPA server.
 Authors
 =======
 Seth Kress
--- a/README-privilege.md
+++ b/README-privilege.md
@@ -0,0 +1,147 @@
 Privilege module
 ================
 Description
 -----------
 The privilege module allows to ensure presence and absence of privileges and privilege members.
 Features
 --------
 * Privilege management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaprivilege module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure privilege "Broad Privilege" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      description: Broad Privilege
 ```
 Example playbook to make sure privilege "Broad Privilege" member permission has multiple values:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege permission member.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      permission:
      - "Write IPA Configuration"
      - "System: Write DNS Configuration"
      - "System: Update DNS Entries"
      action: member
 ```
 Example playbook to make sure privilege "Broad Privilege" member permission 'Write IPA Configuration' is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege permission member.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      permission:
      - "Write IPA Configuration"
      action: member
      state: absent
 ```
 Example playbook to rename privilege "Broad Privilege" to "DNS Special Privilege":
 ```yaml
 ---
 - name: Playbook to manage IPA privilege.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      rename: DNS Special Privilege
      state: renamed
 ```
 Example playbook to make sure privilege "DNS Special Privilege" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA privilege.
  hosts: ipaserver
  become: yes
  - name: Ensure privilege Broad Privilege is absent
      ipaadmin_password: SomeADMINpassword
      name: DNS Special Privilege
      state: absent
 ```
 Variables
 ---------
 ipaprivilege
 ------------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin`. | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node. | no
 `name` \| `cn` | The list of privilege name strings. | yes
 `description` | Privilege description. | no
 `rename` \| `new_name` | Rename the privilege object. | no
 `permission` | Permissions to be added to the privilege. | no
 `action` | Work on privilege or member level. It can be one of `member` or `privilege` and defaults to `privilege`. | no
 `state` | The state to ensure. It can be one of `present`, `absent` or `renamed`, default: `present`. | no
 Authors
 =======
 Rafael Guterres Jeffman
--- a/README-role.md
+++ b/README-role.md
@@ -0,0 +1,264 @@
 Role module
 ===========
 Description
 -----------
 The role module allows to ensure presence, absence of roles and members of roles.
 The role module is as compatible as possible to the Ansible upstream `ipa_role` module, but additionally offers role member management.
 Features
 --------
 * Role management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the iparole module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure role is present with all members:
 ```yaml
 ---
 - name: Playbook to manage IPA role with members.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      group:
      - group01
      host:
      - host01.example.com
      hostgroup:
      - hostgroup01
      privilege:
      - Group Administrators
      - User Administrators
      service:
      - service01
 ```
 Example playbook to rename a role:
 ```yaml
 - iparole:
    ipaadmin_password: SomeADMINpassword
    name: somerole
    rename: anotherrole
 ```
 Example playbook to make sure role is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA role.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      state: absent
 ```
 Example playbook to ensure a user is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      action: member
 ```
 Example playbook to ensure a group is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      host:
      - host01.example.com
      action: member
 ```
 Example playbook to ensure a host is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      host:
      - host01.example.com
      action: member
 ```
 Example playbook to ensure a hostgroup is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      hostgroup:
      - hostgroup01
      action: member
 ```
 Example playbook to ensure a service is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      service:
      - service01
      action: member
 ```
 Example playbook to ensure a privilege is a member of a role:
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      privilege:
      - Group Administrators
      - User Administrators
      action: member
 ```
 Example playbook to ensure that different members are not associated with a role.
 ```yaml
 ---
 - name: Playbook to manage IPA role member.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - iparole:
      ipaadmin_password: SomeADMINpassword
      name: somerole
      user:
      - pinky
      group:
      - group01
      host:
      - host01.example.com
      hostgroup:
      - hostgroup01
      privilege:
      - Group Administrators
      - User Administrators
      service:
      - service01
      action: member
      state: absent
 ```
 Variables
 ---------
 iparole
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of role name strings. | yes
 `description` | A description for the role. | no
 `rename` | Rename the role object. | no
 `privilege` | Privileges associated to this role. | no
 `user` | List of users to be assigned or not assigned to the role. | no
 `group` | List of groups to be assigned or not assigned to the role. | no
 `host` | List of hosts to be assigned or not assigned to the role. | no
 `hostgroup` | List of hostgroups to be assigned or not assigned to the role. | no
 `service` | List of services to be assigned or not assigned to the role. | no
 `action` | Work on role or member level. It can be on of `member` or `role` and defaults to `role`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Rafael Jeffman
--- a/README-selfservice.md
+++ b/README-selfservice.md
@@ -0,0 +1,151 @@
 Selfservice module
 =================
 Description
 -----------
 The selfservice module allows to ensure presence, absence of selfservices and selfservice attributes.
 Features
 --------
 * Selfservice management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipaselfservice module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to make sure selfservice "Users can manage their own name details" is present:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      permission: read
      attribute:
      - title
      - initials
 ```
 Example playbook to make sure selfservice "Users can manage their own name details" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      state: absent
 ```
 Example playbook to make sure "Users can manage their own name details" member attribute initials is present:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      attribute:
      - initials
      action: member
 ```
 Example playbook to make sure "Users can manage their own name details" member attribute initials is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      attribute:
      - initials
      action: member
      state: absent
 ```
 Example playbook to make sure selfservice "Users can manage their own name details" is absent:
 ```yaml
 ---
 - name: Playbook to manage IPA selfservice.
  hosts: ipaserver
  become: yes
  tasks:
  - ipaselfservice:
      ipaadmin_password: SomeADMINpassword
      name: "Users can manage their own name details"
      state: absent
 ```
 Variables
 ---------
 ipaselfservice
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `aciname` | The list of selfservice name strings. | yes
 `permission` \| `permissions` |  The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
 `attribute` \| `attrs` | The attribute list to which the selfservice applies. | no
 `action` | Work on selfservice or member level. It can be on of `member` or `selfservice` and defaults to `selfservice`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
 Authors
 =======
 Thomas Woerner
--- a/README-service.md
+++ b/README-service.md
@@ -18,7 +18,7 @@ Supported FreeIPA Versions
 FreeIPA versions 4.4.0 and up are supported by the ipaservice module.
-Option `skip_host_check` requires FreeIPA version 4.7.0 or later.
+Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
 Requirements
@@ -56,7 +56,7 @@ Example playbook to make sure service is present:
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
-      certificate:
+      certificate: |
        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
@@ -77,7 +77,7 @@ Example playbook to make sure service is present:
      requires_pre_auth: false
      ok_as_delegate: false
      ok_to_auth_as_delegate: false
-      skip-host-check: true
+      skip_host_check: true
      force: true
 ```
@@ -167,7 +167,7 @@ Example playbook to ensure service has a certificate:
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
-      certificate:
+      certificate: |
        - MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
@@ -294,11 +294,11 @@ Variable | Description | Required
 `name` \| `service` | The list of service name strings. | yes
 `certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
 `pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
-`auth_ind` \| `krbprincipalauthind` | Defines a whitelist for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
+`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
 `requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
 `ok_as_delegate` \|  `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
 `ok_to_auth_as_delegate` \|  `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
-`skip_host_check` | Force service to be created even when host object does not exist to manage it. Default to false. (bool)| no
+`skip_host_check` | Force service to be created even when host object does not exist to manage it. Only usable with IPA versions 4.7.0 and up. Default to false. (bool)| no
 `force` | Force principal name even if host not in DNS. Default to false. (bool) | no
 `host` \| `managedby_host`| Hosts that can manage the service. | no
 `principal` \| `krbprincipalname` | List of principal aliases for the service. | no
@@ -310,6 +310,7 @@ Variable | Description | Required
 `allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this host. | no
 `allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab from of host. | no
 `allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this host. | no
 `continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: `no` (bool) | no
 `action` | Work on service or member level. It can be on of `member` or `service` and defaults to `service`. | no
 `state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
--- a/README-sudorule.md
+++ b/README-sudorule.md
@@ -122,11 +122,11 @@ Variable | Description | Required
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `name` \| `cn` | The list of sudorule name strings. | yes
 `description` | The sudorule description string. | no
-`usercategory` | User category the rule applies to. Choices: ["all"] | no
+`usercategory` \| `usercat` | User category the rule applies to. Choices: ["all", ""] | no
-`hostcategory` | Host category the rule applies to. Choices: ["all"] | no
+`hostcategory` \| `hostcat` | Host category the rule applies to. Choices: ["all", ""] | no
-`cmdcategory` | Command category the rule applies to. Choices: ["all"] | no
+`cmdcategory` \| `cmdcat` | Command category the rule applies to. Choices: ["all", ""] | no
-`runasusercategory` | RunAs User category the rule applies to. Choices: ["all"] | no
+`runasusercategory` \| `rusasusercat` | RunAs User category the rule applies to. Choices: ["all", ""] | no
-`runasgroupcategory` | RunAs Group category the rule applies to. Choices: ["all"] | no
+`runasgroupcategory` \| `runasgroupcat` | RunAs Group category the rule applies to. Choices: ["all", ""] | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
 `host` | List of host name strings assigned to this sudorule. | no
 `hostgroup` | List of host group name strings assigned to this sudorule. | no
--- a/README-trust.md
+++ b/README-trust.md
@@ -0,0 +1,119 @@
 Trust module
 ============
 Description
 -----------
 The trust module allows to ensure presence and absence of a domain trust.
 Features
 --------
 * Trust management
 Supported FreeIPA Versions
 --------------------------
 FreeIPA versions 4.4.0 and up are supported by the ipatrust module.
 Requirements
 ------------
 **Controller**
 * Ansible version: 2.8+
 **Node**
 * Supported FreeIPA version (see above)
 * samba-4
 * ipa-server-trust-ad
 Usage
 =====
 Example inventory file
 ```ini
 [ipaserver]
 ipaserver.test.local
 ```
 Example playbook to ensure a one-way trust is present:
 Omitting the two_way option implies the default of one-way
 ```yaml
 ---
 - name: Playbook to ensure a one-way trust is present
  hosts: ipaserver
  become: true
  tasks:
  - name: ensure the one-way trust present
    ipatrust:
      realm: ad.example.test
      admin: Administrator
      password: secret_password
      state: present
 ```
 Example playbook to ensure a two-way trust is present using a shared-secret:
 ```yaml
 ---
 - name: Playbook to ensure a two-way trust is present
  hosts: ipaserver
  become: true
  tasks:
  - name: ensure the two-way trust is present
    ipatrust:
      realm: ad.example.test
      trust_secret: my_share_Secret
      two_way: True
      state: present
 ```
 Example playbook to ensure a trust is absent:
 ```yaml
 ---
 - name: Playbook to ensure a trust is absent
  hosts: ipaserver
  become: true
  tasks:
  - name: ensure the trust is absent
    ipatrust:
      realm: ad.example.test
      state: absent
 ```
 This will only delete the ipa-side of the trust and it does NOT delete the id-range that matches the trust,
 Variables
 =========
 ipatrust
 -------
 Variable | Description | Required
 -------- | ----------- | --------
 `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
 `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
 `realm` | The realm name string. | yes
 `admin` | Active Directory domain administrator string. | no
 `password` | Active Directory domain administrator's password string. | no
 `server` | Domain controller for the Active Directory domain string. | no
 `trust_secret` | Shared secret for the trust string. | no
 `base_id` | First posix id for the trusted domain integer. | no
 `range_size` | Size of the ID range reserved for the trusted domain integer. | no
 `range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no
 `two_way` | Establish bi-directional trust. By default trust is inbound one-way only. (bool) | no
 `external` | Establish external trust to a domain in another forest. The trust is not transitive beyond the domain. (bool) | no
 `state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
 Authors
 =======
 Rob Verduijn
--- a/README-user.md
+++ b/README-user.md
@@ -417,10 +417,11 @@ Variable | Description | Required
 `employeetype` | Employee Type | no
 `preferredlanguage` | Preferred Language | no
 `certificate` | List of base-64 encoded user certificates. | no
-`certmapdata` | List of certificate mappings. Either `certificate` or `issuer` together with `subject` need to be specified. <br>Options: | no
+`certmapdata` | List of certificate mappings. Either `data` or `certificate` or `issuer` together with `subject` need to be specified. Only usable with IPA versions 4.5 and up. <br>Options: | no
-&nbsp; | `certificate` - Base-64 encoded user certificate | no
+&nbsp; | `certificate` - Base-64 encoded user certificate, not usable with other certmapdata options. | no
-&nbsp; | `issuer` - Issuer of the certificate | no
+&nbsp; | `issuer` - Issuer of the certificate, only usable together with `usbject` option. | no
-&nbsp; | `subject` - Subject of the certificate | no
+&nbsp; | `subject` - Subject of the certificate, only usable together with `issuer` option. | no
 &nbsp; | `data` - Certmap data, not usable with other certmapdata options. | no
 `noprivate` | Do not create user private group. (bool) | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
@@ -436,7 +437,7 @@ There are only return values if one or more random passwords have been generated
 Variable | Description | Returned When
 -------- | ----------- | -------------
-`host` | Host dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
+`user` | User dict with random password. (dict) <br>Options: | If random is yes and user did not exist or update_password is yes
 &nbsp; | `randompassword` - The generated random password | If only one user is handled by the module
 &nbsp; | `name` - The user name of the user that got a new random password. (dict) <br> Options: <br> &nbsp; `randompassword` - The generated random password | If several users are handled by the module
--- a/README-vault.md
+++ b/README-vault.md
@@ -41,7 +41,7 @@ Example inventory file
 ipaserver.test.local
 ```
-Example playbook to make sure vault is present:
+Example playbook to make sure vault is present (by default, vault type is `symmetric`):
 ```yaml
 ---
@@ -53,8 +53,7 @@ Example playbook to make sure vault is present:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
-      username: admin
+      password: SomeVAULTpassword
      vault_password: MyVaultPassword123
      description: A standard private vault.
 ```
@@ -124,13 +123,37 @@ Example playbook to make sure vault data is present in a symmetric vault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
-      vault_password: MyVaultPassword123
+      password: SomeVAULTpassword
-      vault_data: >
+      data: >
        Data archived.
        More data archived.
      action: member
 ```
 When retrieving data from a vault, it is recommended that `no_log: yes` is used, so that sensitive data stored in a vault is not logged by Ansible. The data is returned in a dict `vault`, in the field `data` (e.g. `result.vault.data`). An example playbook to retrieve data from a symmetric vault:
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - name: Retrieve data from vault and register it in 'ipavault'
    ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
      password: SomeVAULTpassword
      state: retrieved
    no_log: yes
    register: ipavault
  - name: Print retrieved data from vault
    debug:
      var: ipavault.vault.data
 ```
 Example playbook to make sure vault data is absent in a symmetric vault:
 ```yaml
@@ -144,11 +167,27 @@ Example playbook to make sure vault data is absent in a symmetric vault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      username: admin
-      vault_password: MyVaultPassword123
+      password: SomeVAULTpassword
      action: member
      state: absent
 ```
 Example playbook to change the password of a symmetric:
 ```yaml
 ---
 - name: Playbook to handle vaults
  hosts: ipaserver
  become: true
  tasks:
  - ipavault:
      ipaadmin_password: SomeADMINpassword
      name: symvault
      old_password: SomeVAULTpassword
      new_password: SomeNEWpassword
 ```
 Example playbook to make sure vault is absent:
 ```yaml
@@ -163,6 +202,9 @@ Example playbook to make sure vault is absent:
      name: symvault
      username: admin
      state: absent
    register: result
  - debug:
      msg: "{{ result.vault.data }}"
 ```
 Variables
@@ -178,17 +220,41 @@ Variable | Description | Required
 `name` \| `cn` | The list of vault name strings. | yes
 `description` | The vault description string. | no
 `nomembers` | Suppress processing of membership attributes. (bool) | no
-`vault_public_key` \| `ipavaultpublickey` | Vault public key. | no
+`password` \| `vault_password` \| `ipavaultpassword` \| `old_password`| Vault password. | no
-`vault_salt` \| `ipavaultsalt` | Vault salt. | no
+`password_file` \| `vault_password_file` \| `old_password_file`| File containing Base64 encoded Vault password. | no
 `new_password` | Vault new password. | no
 `new_password_file` | File containing Base64 encoded new Vault password. | no
 `public_key ` \| `vault_public_key` \| `old_password_file` | Base64 encoded vault public key. | no
 `public_key_file` \| `vault_public_key_file` | Path to file with public key. | no
 `private_key `\| `vault_private_key` | Base64 encoded vault private key. Used only to retrieve data. | no
 `private_key_file` \| `vault_private_key_file` | Path to file with private key. Used only to retrieve data. | no
 `salt` \| `vault_salt` \| `ipavaultsalt` | Vault salt. | no
 `vault_type` \| `ipavaulttype` | Vault types are based on security level. It can be one of `standard`, `symmetric` or `asymmetric`, default: `symmetric` | no
 `user` \| `username` | Any user can own one or more user vaults. | no
 `service` | Any service can own one or more service vaults. | no
 `user` | Any user can own one or more user vaults. | no
 `shared` | Vault is shared. Default to false. (bool) | no
 `users` | Users that are members of the vault. | no
 `groups` | Groups that are member of the vault. | no
-`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
+`services` | Services that are member of the vault. | no
 `data` \|`vault_data` \| `ipavaultdata` | Data to be stored in the vault. | no
 `in` \| `datafile_in` | Path to file with data to be stored in the vault. | no
 `out` \| `datafile_out` | Path to file to store data retrieved from the vault. | no
 `action` | Work on vault or member level. It can be on of `member` or `vault` and defaults to `vault`. | no
-`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | no
+`state` | The state to ensure. It can be one of `present`, `absent` or `retrieved`, default: `present`. | no
 Return Values
 =============
 ipavault
 --------
 There is only a return value if `state` is `retrieved`.
 Variable | Description | Returned When
 -------- | ----------- | -------------
 `vault` | Vault dict with archived data. (dict) <br>Options: | If `state` is `retrieved` and `out` is not defined.
 &nbsp; | `data` - The vault data. | Always
 Notes
--- a/README.md
+++ b/README.md
@@ -11,18 +11,31 @@ Features
 * Cluster deployments: Server, replicas and clients in one playbook
 * One-time-password (OTP) support for client installation
 * Repair mode for clients
 * Backup and restore, also to and from controller
 * Modules for config management
 * Modules for delegation management
 * Modules for dns config management
 * Modules for dns forwarder management
 * Modules for dns record management
 * Modules for dns zone management
 * Modules for group management
 * Modules for hbacrule management
 * Modules for hbacsvc management
 * Modules for hbacsvcgroup management
 * Modules for host management
 * Modules for hostgroup management
 * Modules for location management
 * Modules for permission management
 * Modules for privilege management
 * Modules for pwpolicy management
 * Modules for role management
 * Modules for self service management
 * Modules for service management
 * Modules for sudocmd management
 * Modules for sudocmdgroup management
 * Modules for sudorule management
 * Modules for topology management
 * Modules fot trust management
 * Modules for user management
 * Modules for vault management
@@ -141,7 +154,7 @@ ipaserver_domain=test.local
 ipaserver_realm=TEST.LOCAL
 ```
-The admin principle is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
+The admin principal is ```admin``` by default. Please set ```ipaadmin_principal``` if you need to change it.
 You can also add more setting here, like for example to enable the DNS server or to set auto-forwarders:
 ```yaml
@@ -403,23 +416,37 @@ Roles
 * [Server](roles/ipaserver/README.md)
 * [Replica](roles/ipareplica/README.md)
 * [Client](roles/ipaclient/README.md)
 * [Backup](roles/ipabackup/README.md)
 Modules in plugin/modules
 =========================
 * [ipaconfig](README-config.md)
 * [ipadelegation](README-delegation.md)
 * [ipadnsconfig](README-dnsconfig.md)
 * [ipadnsforwardzone](README-dnsforwardzone.md)
 * [ipadnsrecord](README-dnsrecord.md)
 * [ipadnszone](README-dnszone.md)
 * [ipagroup](README-group.md)
 * [ipahbacrule](README-hbacrule.md)
 * [ipahbacsvc](README-hbacsvc.md)
 * [ipahbacsvcgroup](README-hbacsvc.md)
 * [ipahost](README-host.md)
 * [ipahostgroup](README-hostgroup.md)
 * [ipalocation](README-ipalocation.md)
 * [ipapermission](README-ipapermission.md)
 * [ipaprivilege](README-ipaprivilege.md)
 * [ipapwpolicy](README-pwpolicy.md)
 * [iparole](README-role.md)
 * [ipaselfservice](README-ipaselfservice.md)
 * [ipaservice](README-service.md)
 * [ipasudocmd](README-sudocmd.md)
 * [ipasudocmdgroup](README-sudocmdgroup.md)
 * [ipasudorule](README-sudorule.md)
 * [ipatopologysegment](README-topology.md)
 * [ipatopologysuffix](README-topology.md)
 * [ipatrust](README-trust.md)
 * [ipauser](README-user.md)
 * [ipavault](README-vault.md)
 If you want to write a new module please read [writing a new module](plugins/modules/README.md).
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -13,11 +13,11 @@ issues: "https://github.com/freeipa/ansible-freeipa/issues"
 readme: "README.md"
 license: "GPL-3.0-or-later"
 license_file: "COPYING"
 dependencies:
 tags:
  - "system"
  - "identity"
  - "ipa"
  - "freeipa"
--- a/molecule/centos-7-build/molecule.yml
+++ b/molecule/centos-7-build/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-7-build
    image: centos/systemd
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
--- a/molecule/centos-7/molecule.yml
+++ b/molecule/centos-7/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-7
    image: quay.io/ansible-freeipa/upstream-tests:centos-7
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
--- a/molecule/centos-8-build/molecule.yml
+++ b/molecule/centos-8-build/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-8-build
    image: centos:8
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
--- a/molecule/centos-8/molecule.yml
+++ b/molecule/centos-8/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: centos-8
    image: quay.io/ansible-freeipa/upstream-tests:centos-8
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
--- a/molecule/default
+++ b/molecule/default
@@ -0,0 +1 @@
 centos-8
--- a/molecule/fedora-latest-build/Dockerfile
+++ b/molecule/fedora-latest-build/Dockerfile
@@ -0,0 +1,30 @@
 FROM fedora:latest
 ENV container=docker
 RUN rm -fv /var/cache/dnf/metadata_lock.pid; \
 dnf makecache; \
 dnf --assumeyes install \
    /usr/bin/python3 \
    /usr/bin/python3-config \
    /usr/bin/dnf-3 \
    sudo \
    bash \
    systemd \
    procps-ng \
    iproute && \
 dnf clean all; \
 (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
 rm -f /lib/systemd/system/multi-user.target.wants/*;\
 rm -f /etc/systemd/system/*.wants/*;\
 rm -f /lib/systemd/system/local-fs.target.wants/*; \
 rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
 rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
 rm -f /lib/systemd/system/basic.target.wants/*;\
 rm -f /lib/systemd/system/anaconda.target.wants/*; \
 rm -rf /var/cache/dnf/;
 STOPSIGNAL RTMIN+3
 VOLUME ["/sys/fs/cgroup"]
 CMD ["/usr/sbin/init"]
--- a/molecule/fedora-latest-build/molecule.yml
+++ b/molecule/fedora-latest-build/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-latest-build
    image: fedora-latest
    dockerfile: Dockerfile
    hostname: ipaserver.test.local
    dns_servers:
      - 8.8.8.8
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare-build.yml
--- a/molecule/fedora-latest/molecule.yml
+++ b/molecule/fedora-latest/molecule.yml
@@ -0,0 +1,18 @@
 ---
 driver:
  name: docker
 platforms:
  - name: fedora-latest
    image: quay.io/ansible-freeipa/upstream-tests:fedora-latest
    pre_build_image: true
    hostname: ipaserver.test.local
    dns_servers:
      - 127.0.0.1
    volumes:
      - /sys/fs/cgroup:/sys/fs/cgroup:ro
    command: /usr/sbin/init
    privileged: true
 provisioner:
  name: ansible
  playbooks:
    prepare: ../resources/playbooks/prepare.yml
--- a/molecule/resources/playbooks/library
+++ b/molecule/resources/playbooks/library
@@ -0,0 +1 @@
 ../../../plugins/modules/
--- a/molecule/resources/playbooks/module_utils
+++ b/molecule/resources/playbooks/module_utils
@@ -0,0 +1 @@
 ../../../plugins/module_utils/
--- a/molecule/resources/playbooks/prepare-build.yml
+++ b/molecule/resources/playbooks/prepare-build.yml
@@ -0,0 +1,27 @@
 ---
 - name: Converge
  hosts: all
  tasks:
  - include_tasks: prepare-common.yml
  - name: Ensure sudo package is installed
    package:
      name: sudo
  - name: Ensure nss package is updated
    package:
      name: nss
      state: latest  # noqa 403
  - include_role:
      name: ipaserver
    vars:
      ipaserver_setup_dns: yes
      ipaserver_setup_kra: yes
      ipaserver_auto_forwarders: yes
      ipaserver_no_dnssec_validation: yes
      ipaserver_auto_reverse: yes
      ipaadmin_password: SomeADMINpassword
      ipadm_password: SomeDMpassword
      ipaserver_domain: test.local
      ipaserver_realm: TEST.LOCAL
--- a/molecule/resources/playbooks/prepare-common.yml
+++ b/molecule/resources/playbooks/prepare-common.yml
@@ -0,0 +1,33 @@
 # IPA depends on IPv6 and without it dirsrv service won't start.
 - name: Ensure IPv6 is ENABLED
  sysctl:
    name: "{{ item.name }}"
    value: "{{ item.value }}"
    sysctl_set: yes
    state: present
    reload: yes
  with_items :
    - name: net.ipv6.conf.all.disable_ipv6
      value: 0
    - name: net.ipv6.conf.lo.disable_ipv6
      value: 0
    - name: net.ipv6.conf.eth0.disable_ipv6
      value: 1
 # Set fs.protected_regular to 0
 #   This is needed in some IPA versions in order to get KRA enabled.
 #   See https://pagure.io/freeipa/issue/7906 for more information.
 - name: stat protected_regular
  stat:
    path: /proc/sys/fs/protected_regular
  register: result
 - name: Ensure fs.protected_regular is disabled
  sysctl:
    name: fs.protected_regular
    value: 0
    sysctl_set: yes
    state: present
    reload: yes
  when: result.stat.exists
--- a/molecule/resources/playbooks/prepare.yml
+++ b/molecule/resources/playbooks/prepare.yml
@@ -0,0 +1,26 @@
 ---
 - name: Converge
  hosts: all
  tasks:
  - include_tasks: prepare-common.yml
  # In some distros DS won't start up after reboot
  #   This is due to a problem in 389-ds. See tickets:
  #   * https://pagure.io/389-ds-base/issue/47429
  #   * https://pagure.io/389-ds-base/issue/51039
  #
  # To avoid this problem we create the directories before starting IPA.
  - name: Ensure lock dirs for DS exists
    file:
      state: directory
      owner: dirsrv
      group: dirsrv
      path: "{{ item }}"
    loop:
      - /var/lock/dirsrv/
      - /var/lock/dirsrv/slapd-TEST-LOCAL/
  - name: Ensure IPA server is up an running
    service:
      name: ipa
      state: started
--- a/molecule/resources/playbooks/roles
+++ b/molecule/resources/playbooks/roles
@@ -0,0 +1 @@
 ../../../roles/
--- a/playbooks/backup-server-to-controller.yml
+++ b/playbooks/backup-server-to-controller.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to backup IPA server to controller
  hosts: ipaserver
  become: true
  vars:
    ipabackup_to_controller: yes
    # ipabackup_keep_on_server: yes
  roles:
  - role: ipabackup
    state: present
--- a/playbooks/backup-server.yml
+++ b/playbooks/backup-server.yml
@@ -0,0 +1,8 @@
 ---
 - name: Playbook to backup IPA server
  hosts: ipaserver
  become: true
  roles:
  - role: ipabackup
    state: present
--- a/playbooks/config/retrieve-config.yml
+++ b/playbooks/config/retrieve-config.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to handle global DNS configuration
  hosts: ipaserver
  become: no
  gather_facts: no
  tasks:
  - name: Query IPA global configuration
    ipaconfig:
      ipaadmin_password: SomeADMINpassword
    register: serverconfig
  - debug:
      msg: "{{ serverconfig }}"
--- a/playbooks/config/set-ca-renewal-master-server.yml
+++ b/playbooks/config/set-ca-renewal-master-server.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to handle global DNS configuration
  hosts: ipaserver
  become: no
  gather_facts: no
  tasks:
  - name: set ca_renewal_master_server
    ipaconfig:
      ipaadmin_password: SomeADMINpassword
      ca_renewal_master_server: carenewal.example.com
--- a/playbooks/copy-all-backups-from-server.yml
+++ b/playbooks/copy-all-backups-from-server.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to copy all backups from IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: all
    ipabackup_to_controller: yes
  roles:
  - role: ipabackup
    state: copied
--- a/playbooks/copy-backup-from-controller.yml
+++ b/playbooks/copy-backup-from-controller.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to copy a backup from controller to the IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: ipaserver.test.local_ipa-full-2020-10-22-11-11-44
    ipabackup_from_controller: yes
  roles:
  - role: ipabackup
    state: copied
--- a/playbooks/copy-backup-from-server.yml
+++ b/playbooks/copy-backup-from-server.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to copy backup from IPA server
  hosts: ipaserver
  become: true
  vars:
    ipabackup_name: ipa-full-2020-10-22-11-11-44
    ipabackup_to_controller: yes
  roles:
  - role: ipabackup
    state: copied
--- a/playbooks/delegation/delegation-absent.yml
+++ b/playbooks/delegation/delegation-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Delegation absent
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" is absent
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      state: absent
--- a/playbooks/delegation/delegation-member-absent.yml
+++ b/playbooks/delegation/delegation-member-absent.yml
@@ -0,0 +1,15 @@
 ---
 - name: Delegation member absent
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" member attributes employeenumber and employeetype are absent
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - employeenumber
      - employeetype
      action: member
      state: absent
--- a/playbooks/delegation/delegation-member-present.yml
+++ b/playbooks/delegation/delegation-member-present.yml
@@ -0,0 +1,13 @@
 ---
 - name: Delegation member present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" member attribute departmentnumber is present
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      attribute:
      - departmentnumber
      action: member
--- a/playbooks/delegation/delegation-present.yml
+++ b/playbooks/delegation/delegation-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Delegation present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure delegation "basic manager attributes" is present
    ipadelegation:
      ipaadmin_password: SomeADMINpassword
      name: "basic manager attributes"
      permission: read
      attribute:
      - businesscategory
      group: managers
      membergroup: employees
--- a/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-absent.yml
+++ b/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to manage DNS forward zone
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure DNS zone is present
  - ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      state: absent
--- a/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-present.yml
+++ b/playbooks/dnsforwardzone/ensure-dnsforwardzone-is-present.yml
@@ -0,0 +1,16 @@
 ---
 - name: Playbook to manage DNS forward zone
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure DNS zone is present
  - ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      forwarders:
        - ip_address: 8.8.8.8
      forwardpolicy: first
      skip_overlap_check: true
      permission: yes
--- a/playbooks/dnsforwardzone/ensure-dnsforwardzone-with-forwarder-port.yml
+++ b/playbooks/dnsforwardzone/ensure-dnsforwardzone-with-forwarder-port.yml
@@ -0,0 +1,14 @@
 ---
 - name: Playbook to manage DNS forward zone
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure DNS zone is present
  - ipadnsforwardzone:
      ipaadmin_password: SomeADMINpassword
      name: example.com
      forwarders:
        - ip_address: 192.168.100.123
          port: 8063
--- a/playbooks/dnsrecord/ensure-A-and-AAAA-records-are-absent.yml
+++ b/playbooks/dnsrecord/ensure-A-and-AAAA-records-are-absent.yml
@@ -0,0 +1,18 @@
 ---
 - name: Test PTR Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a PTR record is present
  - name: Ensure that 'host04' has A and AAAA records.
    ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      zone_name: ipatest.local
      records:
      - name: host04
        a_ip_address: 192.168.122.104
      - name: host04
        aaaa_ip_address: ::1
      state: absent
--- a/playbooks/dnsrecord/ensure-A-and-AAAA-records-are-present.yml
+++ b/playbooks/dnsrecord/ensure-A-and-AAAA-records-are-present.yml
@@ -0,0 +1,17 @@
 ---
 - name: Test PTR Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a PTR record is present
  - name: Ensure that 'host04' has A and AAAA records.
    ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      zone_name: ipatest.local
      records:
      - name: host04
        a_ip_address: 192.168.122.104
      - name: host04
        aaaa_ip_address: ::1
--- a/playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml
+++ b/playbooks/dnsrecord/ensure-CNAME-record-is-absent.yml
@@ -0,0 +1,13 @@
 ---
 - name: Test CNAME Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that 'host04' has CNAME, with cname_hostname
  - ipadnsrecord:
      zone_name: example.com
      name: host04
      cname_hostname: host04.example.com
      state: absent
--- a/playbooks/dnsrecord/ensure-CNAME-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-CNAME-record-is-present.yml
@@ -0,0 +1,12 @@
 ---
 - name: Test CNAME Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that 'host04' has CNAME, with cname_hostname
  - ipadnsrecord:
      zone_name: example.com
      name: host04
      cname_hostname: host04.example.com
--- a/playbooks/dnsrecord/ensure-MX-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-MX-record-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Ensure MX Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure an MX record is absent
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: '@'
      record_type: 'MX'
      record_value: '1 mailserver.example.com'
      zone_name: example.com
      state: present
--- a/playbooks/dnsrecord/ensure-PTR-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-PTR-record-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test PTR Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a PTR record is present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: 5
      record_type: 'PTR'
      record_value: 'internal.ipa.example.com'
      zone_name: 2.168.192.in-addr.arpa
      state: present
--- a/playbooks/dnsrecord/ensure-SRV-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-SRV-record-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test SRV Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a SRV record is present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: _kerberos._udp.example.com
      record_type: 'SRV'
      record_value: '10 50 88 ipa.example.com'
      zone_name: example.com
      state: present
--- a/playbooks/dnsrecord/ensure-SSHFP-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-SSHFP-record-is-present.yml
@@ -0,0 +1,16 @@
 ---
 - name: Test SSHFP Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a SSHFP record is present
  # SSHFP fingerprint generated with `ssh-keygen -r host04.testzone.local`
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      zone_name: example.com
      name: host04
      sshfp_algorithm: 1
      sshfp_fp_type: 1
      sshfp_fingerprint: d21802c61733e055b8d16296cbce300efb8a167a
--- a/playbooks/dnsrecord/ensure-TLSA-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-TLSA-record-is-present.yml
@@ -0,0 +1,16 @@
 ---
 - name: Test SSHFP Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a SSHFP record is present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      zone_name: example.com
      name: host04
      tlsa_cert_usage: 3
      tlsa_selector: 1
      tlsa_matching_type: 1
      tlsa_cert_association_data: 9c0ad776dbeae8d9d55b0ad42899d30235c114d5f918fd69746e4279e47bdaa2
--- a/playbooks/dnsrecord/ensure-TXT-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-TXT-record-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test TXT Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a TXT record is absent
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: _kerberos
      record_type: 'TXT'
      record_value: 'EXAMPLE.COM'
      zone_name: example.com
      state: present
--- a/playbooks/dnsrecord/ensure-URI-record-is-present.yml
+++ b/playbooks/dnsrecord/ensure-URI-record-is-present.yml
@@ -0,0 +1,17 @@
 ---
 - name: Test URI Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure a URI record is absent
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: _ftp._tcp
      record_type: 'URI'
      uri_priority: 10
      uri_weight: 1
      uri_target: ftp://ftp.example.com/public
      zone_name: example.com
      state: present
--- a/playbooks/dnsrecord/ensure-dnsrecord-is-absent.yml
+++ b/playbooks/dnsrecord/ensure-dnsrecord-is-absent.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test DNS Record is absent.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that dns record is absent
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: host01
      zone_name: example.com
      record_type: 'AAAA'
      record_value: '::1'
      state: absent
--- a/playbooks/dnsrecord/ensure-dnsrecord-is-present.yml
+++ b/playbooks/dnsrecord/ensure-dnsrecord-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test DNS Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that dns record is present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: host01
      zone_name: example.com
      record_type: 'AAAA'
      record_value: '::1'
      state: present
--- a/playbooks/dnsrecord/ensure-dnsrecord-with-reverse-is-present.yml
+++ b/playbooks/dnsrecord/ensure-dnsrecord-with-reverse-is-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Test DNS Record is present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that dns record is present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      name: host01
      zone_name: example.com
      ip_address: 192.160.123.45
      create_reverse: yes
      state: present
--- a/playbooks/dnsrecord/ensure-multiple-A-records-are-present.yml
+++ b/playbooks/dnsrecord/ensure-multiple-A-records-are-present.yml
@@ -0,0 +1,17 @@
 ---
 - name: Playbook to manage DNS records.
  hosts: ipaserver
  become: yes
  gather_facts: no
  tasks:
  - name: Ensure that 'host04' has multiple A records.
    ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      zone_name: ipatest.local
      name: host01
      a_rec:
        - 192.168.122.221
        - 192.168.122.222
        - 192.168.122.223
        - 192.168.122.224
--- a/playbooks/dnsrecord/ensure-presence-multiple-records.yml
+++ b/playbooks/dnsrecord/ensure-presence-multiple-records.yml
@@ -0,0 +1,21 @@
 ---
 - name: Test multiple DNS Records are present.
  hosts: ipaserver
  become: true
  gather_facts: false
  tasks:
  # Ensure that multiple dns records are present
  - ipadnsrecord:
      ipaadmin_password: SomeADMINpassword
      records:
        - name: host01
          zone_name: example.com
          record_type: A
          record_value:
            - 192.168.122.112
            - 192.168.122.122
        - name: host01
          zone_name: testzone.local
          record_type: AAAA
          record_value: ::1
--- a/playbooks/dnszone/disable-zone-forwarders.yml
+++ b/playbooks/dnszone/disable-zone-forwarders.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to disable DNS zone forwarders
  hosts: ipaserver
  become: true
  tasks:
  - name: Disable zone forwarders.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      forward_policy: none
--- a/playbooks/dnszone/dnszone-absent.yml
+++ b/playbooks/dnszone/dnszone-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to ensure DNS zone is absent
  hosts: ipaserver
  become: true
  tasks:
  - name: Remove zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: absent
--- a/playbooks/dnszone/dnszone-all-params.yml
+++ b/playbooks/dnszone/dnszone-all-params.yml
@@ -0,0 +1,35 @@
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      allow_sync_ptr: true
      dynamic_update: true
      dnssec: true
      allow_transfer:
        - 1.1.1.1
        - 2.2.2.2
      allow_query:
        - 1.1.1.1
        - 2.2.2.2
      forwarders:
        - ip_address: 8.8.8.8
        - ip_address: 8.8.4.4
          port: 52
      #serial: 1234
      refresh: 3600
      retry: 900
      expire: 1209600
      minimum: 3600
      ttl: 60
      default_ttl: 90
      name_server: ipaserver.test.local.
      admin_email: admin.admin@example.com
      nsec3param_rec: "1 7 100 0123456789abcdef"
      skip_overlap_check: true
      skip_nameserver_check: true
      state: present
--- a/playbooks/dnszone/dnszone-disable.yml
+++ b/playbooks/dnszone/dnszone-disable.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to disable DNS zone
  hosts: ipaserver
  become: true
  tasks:
  - name: Disable zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: disabled
--- a/playbooks/dnszone/dnszone-enable.yml
+++ b/playbooks/dnszone/dnszone-enable.yml
@@ -0,0 +1,11 @@
 ---
 - name: Playbook to enable DNS zone
  hosts: ipaserver
  become: true
  tasks:
  - name: Enable zone.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: enabled
--- a/playbooks/dnszone/dnszone-present.yml
+++ b/playbooks/dnszone/dnszone-present.yml
@@ -0,0 +1,10 @@
 - name: dnszone present
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone is present.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name: testzone.local
      state: present
--- a/playbooks/dnszone/dnszone-reverse-from-ip.yml
+++ b/playbooks/dnszone/dnszone-reverse-from-ip.yml
@@ -0,0 +1,15 @@
 ---
 - name: Playbook to ensure DNS zone exist
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure zone exist, finding zone name from IP address.
    ipadnszone:
      ipaadmin_password: SomeADMINpassword
      name_from_ip: 10.1.2.3/24
    register: result
  - name: Zone name inferred from `name_from_ip`
    debug:
      msg: "Zone created: {{ result.dnszone.name }}"
--- a/playbooks/host/host-member-managedby_host-absent.yml
+++ b/playbooks/host/host-member-managedby_host-absent.yml
@@ -4,7 +4,7 @@
  become: true
  tasks:
-    ipahost:
+  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.exmaple.com
      managedby_host: server.exmaple.com
--- a/playbooks/host/host-member-managedby_host-present.yml
+++ b/playbooks/host/host-member-managedby_host-present.yml
@@ -4,7 +4,7 @@
  become: true
  tasks:
-    ipahost:
+  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.exmaple.com
      managedby_host: server.exmaple.com
--- a/playbooks/host/host-present-with-managedby_host.yml
+++ b/playbooks/host/host-present-with-managedby_host.yml
@@ -4,7 +4,7 @@
  become: true
  tasks:
-    ipahost:
+  - ipahost:
      ipaadmin_password: SomeADMINpassword
      name: host01.exmaple.com
      managedby_host: server.exmaple.com
--- a/playbooks/host/hosts-member-managedby_host-absent.yml
+++ b/playbooks/host/hosts-member-managedby_host-absent.yml
@@ -4,6 +4,7 @@
  become: true
  tasks:
  - name: Ensure hosts manadegby_host is absent.
    ipahost:
      ipaadmin_password: SomeADMINpassword
      hosts:
--- a/playbooks/host/hosts-member-managedby_host-present.yml
+++ b/playbooks/host/hosts-member-managedby_host-present.yml
@@ -4,6 +4,7 @@
  become: true
  tasks:
  - name: Ensure hosts manadegby_host is absent.
    ipahost:
      ipaadmin_password: SomeADMINpassword
      hosts:
--- a/playbooks/host/hosts-present-with-managedby_host.yml
+++ b/playbooks/host/hosts-present-with-managedby_host.yml
@@ -4,7 +4,7 @@
  become: true
  tasks:
-    ipahost:
+  - ipahost:
      ipaadmin_password: SomeADMINpassword
      hosts:
      - name: host01.exmaple.com
--- a/playbooks/host/hosts-present-with-randompasswords.yml
+++ b/playbooks/host/hosts-present-with-randompasswords.yml
@@ -23,4 +23,3 @@
  - name: Print generated random password for host02.example.com
    debug:
      var: ipahost.host["host02.example.com"].randompassword
--- a/playbooks/hostgroup/rename-hostgroup.yml
+++ b/playbooks/hostgroup/rename-hostgroup.yml
@@ -0,0 +1,12 @@
 ---
 - name: Playbook to handle hostgroups
  hosts: ipaserver
  become: yes
  tasks:
  - name : Rename host-group from `databases` to `datalake`
    ipahostgroup:
      ipaadmin_password: SomeADMINpassword
      name: databases
      rename: datalake
      state: renamed
--- a/playbooks/location/location-absent.yml
+++ b/playbooks/location/location-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Location absent test
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure location my_location1 is absent
    ipalocation:
      ipaadmin_password: SomeADMINpassword
      name: my_location1
      state: absent
--- a/playbooks/location/location-present.yml
+++ b/playbooks/location/location-present.yml
@@ -0,0 +1,10 @@
 ---
 - name: Location present test
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure location my_location1 is present
    ipalocation:
      ipaadmin_password: SomeADMINpassword
      name: my_location1
--- a/playbooks/permission/permission-absent.yml
+++ b/playbooks/permission/permission-absent.yml
@@ -0,0 +1,11 @@
 ---
 - name: Permission absent example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure permission TestPerm1 is absent
    ipapermission:
      name: TestPerm1
      state: absent
--- a/playbooks/permission/permission-allow-read-employeenum.yml
+++ b/playbooks/permission/permission-allow-read-employeenum.yml
@@ -0,0 +1,15 @@
 ---
 - name: Permission Allow Read Employee Number Example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure permission TestPerm2 is present with Read rights to employeenumber
    ipapermission:
      name: TestPerm2
      object_type: user
      perm_rights: 
        - read
        - search
        - compare
      attrs: employeenumber
--- a/playbooks/permission/permission-member-absent.yml
+++ b/playbooks/permission/permission-member-absent.yml
@@ -0,0 +1,12 @@
 ---
 - name: Permission absent example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure privilege User Administrators privilege is absent on Permission TestPerm1
    ipapermission:
      name: TestPerm1
      privilege: "User Administrators"
      action: member
      state: absent
--- a/playbooks/permission/permission-member-present.yml
+++ b/playbooks/permission/permission-member-present.yml
@@ -0,0 +1,11 @@
 ---
 - name: Permission member present example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure permission TestPerm1 is present with the User Administrators privilege present
    ipapermission:
      name: TestPerm1
      privilege: "User Administrators"
      action: member
--- a/playbooks/permission/permission-present.yml
+++ b/playbooks/permission/permission-present.yml
@@ -0,0 +1,11 @@
 ---
 - name: Permission present example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure permission TestPerm1 is present
    ipapermission:
      name: TestPerm1
      object_type: host
      perm_rights: all
--- a/playbooks/permission/permission-renamed.yml
+++ b/playbooks/permission/permission-renamed.yml
@@ -0,0 +1,11 @@
 ---
 - name: Permission present example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure permission TestPerm1 is present
    ipapermission:
      name: TestPerm1
      rename: TestPermRenamed
      state: renamed
--- a/playbooks/privilege/privilege-absent.yml
+++ b/playbooks/privilege/privilege-absent.yml
@@ -0,0 +1,10 @@
 ---
 - name: Privilege absent example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure privilege "Broad Privilege" is absent
    ipaprivilege:
      name: Broad Privilege
      state: absent
--- a/playbooks/privilege/privilege-member-absent.yml
+++ b/playbooks/privilege/privilege-member-absent.yml
@@ -0,0 +1,14 @@
 ---
 - name: Privilege absent example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure privilege "Broad Privilege" permission is absent
    ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      permission:
      - "System: Write IPA Configuration"
      action: member
      state: absent
--- a/playbooks/privilege/privilege-member-present.yml
+++ b/playbooks/privilege/privilege-member-present.yml
@@ -0,0 +1,15 @@
 ---
 - name: Privilege member present example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure privilege "Broad Privilege" permissions are present
    ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      permission:
      - "System: Write IPA Configuration"
      - "System: Write DNS Configuration"
      - "System: Update DNS Entries"
      action: member
--- a/playbooks/privilege/privilege-present.yml
+++ b/playbooks/privilege/privilege-present.yml
@@ -0,0 +1,11 @@
 ---
 - name: Privilege present example
  hosts: ipaserver
  become: true
  tasks:
  - name: Ensure privilege Broad Privilege is present
    ipaprivilege:
      ipaadmin_password: SomeADMINpassword
      name: Broad Privilege
      description: Broad Privilege
--- a/Show More
+++ b/Show More