ansible-freeipa/README-sysaccount.md
Thomas Woerner dc9b0ce4e8 New sysaccount management module
There is a new sysaccount management module placed in the plugins folder:

    plugins/modules/ipasysaccount.py

The sysaccount module allows ensuring the presence or absence of system
accounts.

Here is the documentation for the module:

    README-sysaccount.md

New sysaccount example playbooks:

    playbooks/sysaccount/sysaccount-absent.yml
    playbooks/sysaccount/sysaccount-disabled.yml
    playbooks/sysaccount/sysaccount-enabled.yml
    playbooks/sysaccount/sysaccount-present.yml
    playbooks/sysaccount/sysaccount-privileged.yml
    playbooks/sysaccount/sysaccount-unprivileged.yml

New tests for the module:

    tests/sysaccount/test_sysaccount.yml
    tests/sysaccount/test_sysaccount_client_context.yml
2026-01-05 16:36:26 +01:00


Sysaccount module

Description

The sysaccount module makes it possible to ensure the presence and absence of system accounts.

Features

  • Sysaccount management

Supported FreeIPA Versions

FreeIPA versions 4.4.0 and up are supported by the ipasysaccount module.

Requirements

Controller

  • Ansible version: 2.15+

Node

  • Supported FreeIPA version (see above)

Usage

Example inventory file

[ipaserver]
ipaserver.test.local

Example playbook to make sure sysaccount "my-app" is present with a random password:

---
- name: Playbook to manage IPA sysaccount.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure sysaccount "my-app" is present with random password
    ipasysaccount:
      ipaadmin_password: SomeADMINpassword
      name: my-app
      random: true
    register: result

  - name: Print generated random password
    debug:
      var: result.sysaccount.randompassword

Example playbook to make sure sysaccount "my-app" is present with a given password:

---
- name: Playbook to manage IPA sysaccount.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure sysaccount "my-app" is present with given password
    ipasysaccount:
      ipaadmin_password: SomeADMINpassword
      name: my-app
      password: SomeAPPpassword

Example playbook to make sure sysaccount "my-app" is absent:

---
- name: Playbook to manage IPA sysaccount.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure sysaccount "my-app" is absent
    ipasysaccount:
      ipaadmin_password: SomeADMINpassword
      name: my-app
      state: absent

Example playbook to ensure existing sysaccount "my-app" is privileged:

---
- name: Playbook to manage IPA sysaccount.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure existing sysaccount my-app is privileged
    ipasysaccount:
      ipaadmin_password: SomeADMINpassword
      name: my-app
      privileged: true

Example playbook to ensure existing sysaccount "my-app" is not privileged:

---
- name: Playbook to manage IPA sysaccount.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure existing sysaccount my-app is not privileged
    ipasysaccount:
      ipaadmin_password: SomeADMINpassword
      name: my-app
      privileged: false

Example playbook to ensure existing sysaccount "my-app" is disabled:

---
- name: Playbook to manage IPA sysaccount.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure existing sysaccount my-app is disabled
    ipasysaccount:
      ipaadmin_password: SomeADMINpassword
      name: my-app
      state: disabled

Example playbook to ensure existing sysaccount "my-app" is enabled:

---
- name: Playbook to manage IPA sysaccount.
  hosts: ipaserver
  become: false

  tasks:
  - name: Ensure existing sysaccount my-app is enabled
    ipasysaccount:
      ipaadmin_password: SomeADMINpassword
      name: my-app
      state: enabled

Variables

| Variable | Description | Required |
|----------|-------------|----------|
| ipaadmin_principal | The admin principal is a string and defaults to admin. | no |
| ipaadmin_password | The admin password is a string and is required if there is no admin ticket available on the node. | no |
| ipaapi_context | The context in which the module will execute. Executing in a server context is preferred. If not provided, the context is determined by the execution environment. Valid values are server and client. | no |
| ipaapi_ldap_cache | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no |
| name \| login | The list of sysaccount name strings (internally uid). (list of strings) | yes |
| description | A description for the sysaccount. (string) | no |
| privileged | Allow password updates without reset. This flag is not replicated, so it has to be set on every server where it is needed. (bool) | no |
| random | Generate a random user password. (bool) | no |
| password \| userpassword | Set the password. (string) | no |
| update_password | Set the password for a sysaccount in present state only on creation or always. It can be one of always or on_create and defaults to always. | no |
| state | The state to ensure. It can be one of present, absent, enabled or disabled. Defaults to present. | no |
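The following playbook is an added example, not part of the ansible-freeipa README, showing how the variables above combine: random and update_password: on_create together mean the password is generated only when the account is created, so reruns leave it untouched, and the returned sysaccount dict only exists on that first run. The account name svc-ldap-bind, the vaulted variable vault_ipaadmin_password and the output path are assumptions.

```yaml
---
# Added example (not from the ansible-freeipa project): create a sysaccount
# once with a generated password, keep it on later runs, and write the
# password to a file on the controller instead of the task log.
- name: Create sysaccount "svc-ldap-bind" with a one-time random password
  hosts: ipaserver
  become: false
  vars_files:
    - vault.yml   # assumed to define vault_ipaadmin_password (ansible-vault)

  tasks:
  - name: Ensure sysaccount exists; password is generated only on creation
    ipasysaccount:
      ipaadmin_password: "{{ vault_ipaadmin_password }}"
      name: svc-ldap-bind
      description: Read-only LDAP bind account for the inventory service
      random: true
      update_password: on_create
    register: result
    no_log: true   # keep the generated password out of task output

  # The module returns result.sysaccount only when a random password was
  # generated, i.e. on the run that created the account; on later runs the
  # key is absent, so the write is skipped rather than failing.
  - name: Store the generated password on the controller
    delegate_to: localhost
    copy:
      content: "{{ result.sysaccount.randompassword }}"
      dest: "{{ playbook_dir }}/svc-ldap-bind.secret"   # assumed path
      mode: "0600"
    when:
      - result.sysaccount is defined
      - result.sysaccount.randompassword is defined
    no_log: true
```

Running the playbook a second time reports no change for the sysaccount task and skips the copy task, which is the expected idempotent outcome.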

Return Values

Return values are only present if a random password has been generated.

| Variable | Description | Returned When |
|----------|-------------|---------------|
| sysaccount | Sysaccount dict (dict). Options: | Always |
| &nbsp;&nbsp;randompassword | The generated random password | If random is yes and sysaccount did not exist or update_password is yes |

Authors

Thomas Woerner