community.general.ipa_config (3.8.10) — module
Manage Global FreeIPA Configuration Settings
Authors: Fran Fitzpatrick (@fxfitz)
Install with ansible-galaxy collection install community.general:==3.8.10
collections:
  - name: community.general
    version: 3.8.10
Modify global configuration settings of a FreeIPA Server.
- name: Ensure password plugin features KDC:Disable Last Success and KDC:Disable Lockout are enabled
  community.general.ipa_config:
    ipaconfigstring: ["KDC:Disable Last Success", "KDC:Disable Lockout"]
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret
- name: Ensure the default login shell is bash
  community.general.ipa_config:
    ipadefaultloginshell: /bin/bash
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the default e-mail domain is ansible.com
  community.general.ipa_config:
    ipadefaultemaildomain: ansible.com
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the default primary group is set to ipausers
  community.general.ipa_config:
    ipadefaultprimarygroup: ipausers
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the group search fields are set to 'cn,description'
  community.general.ipa_config:
    ipagroupsearchfields: ['cn', 'description']
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the home directory location is set to /home
  community.general.ipa_config:
    ipahomesrootdir: /home
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the default types of PAC supported for services is set to MS-PAC and PAD
  community.general.ipa_config:
    ipakrbauthzdata: ["MS-PAC", "PAD"]
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the maximum user name length is set to 32
  community.general.ipa_config:
    ipamaxusernamelength: 32
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the password expiration notice is set to 4 days
  community.general.ipa_config:
    ipapwdexpadvnotify: 4
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the search record limit is set to 100
  community.general.ipa_config:
    ipasearchrecordslimit: 100
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the search time limit is set to 2 seconds
  community.general.ipa_config:
    ipasearchtimelimit: 2
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the default user auth type is password
  community.general.ipa_config:
    ipauserauthtype: ['password']
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret
- name: Ensure the user search fields are set to 'uid,givenname,sn,ou,title'
  community.general.ipa_config:
    ipausersearchfields: ['uid', 'givenname', 'sn', 'ou', 'title']
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret
- name: Ensure the SELinux user map order is set
  community.general.ipa_config:
    ipaselinuxusermaporder:
      - "guest_u:s0"
      - "xguest_u:s0"
      - "user_u:s0"
      - "staff_u:s0-s0:c0.c1023"
      - "unconfined_u:s0-s0:c0.c1023"
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret
ipa_host:
  default: ipa.example.com
  description:
    - IP or hostname of IPA server.
    - If the value is not specified in the task, the value of environment variable C(IPA_HOST) will be used instead.
    - If both the environment variable C(IPA_HOST) and the value are not specified in the task, then DNS will be used to try to discover the FreeIPA server.
    - The relevant entry needed in FreeIPA is the 'ipa-ca' entry.
    - If neither the DNS entry, nor the environment C(IPA_HOST), nor the value are available in the task, then the default value will be used.
    - Environment variable fallback mechanism is added in Ansible 2.5.
  type: str

ipa_pass:
  description:
    - Password of administrative user.
    - If the value is not specified in the task, the value of environment variable C(IPA_PASS) will be used instead.
    - Note that if the 'urllib_gssapi' library is available, it is possible to use GSSAPI to authenticate to FreeIPA.
    - If the environment variable C(KRB5CCNAME) is available, the module will use this Kerberos credentials cache to authenticate to the FreeIPA server.
    - If the environment variable C(KRB5_CLIENT_KTNAME) is available, and C(KRB5CCNAME) is not, the module will use this Kerberos keytab to authenticate.
    - If GSSAPI is not available, the usage of 'ipa_pass' is required.
    - Environment variable fallback mechanism is added in Ansible 2.5.
  type: str

ipa_port:
  default: 443
  description:
    - Port of FreeIPA / IPA server.
    - If the value is not specified in the task, the value of environment variable C(IPA_PORT) will be used instead.
    - If both the environment variable C(IPA_PORT) and the value are not specified in the task, then default value is set.
    - Environment variable fallback mechanism is added in Ansible 2.5.
  type: int

ipa_prot:
  choices:
    - http
    - https
  default: https
  description:
    - Protocol used by IPA server.
    - If the value is not specified in the task, the value of environment variable C(IPA_PROT) will be used instead.
    - If both the environment variable C(IPA_PROT) and the value are not specified in the task, then default value is set.
    - Environment variable fallback mechanism is added in Ansible 2.5.
  type: str

ipa_user:
  default: admin
  description:
    - Administrative account used on IPA server.
    - If the value is not specified in the task, the value of environment variable C(IPA_USER) will be used instead.
    - If both the environment variable C(IPA_USER) and the value are not specified in the task, then default value is set.
    - Environment variable fallback mechanism is added in Ansible 2.5.
  type: str

ipa_timeout:
  default: 10
  description:
    - Specifies idle timeout (in seconds) for the connection.
    - For bulk operations, you may want to increase this in order to avoid timeout from IPA server.
    - If the value is not specified in the task, the value of environment variable C(IPA_TIMEOUT) will be used instead.
    - If both the environment variable C(IPA_TIMEOUT) and the value are not specified in the task, then default value is set.
  type: int

validate_certs:
  default: true
  description:
    - This only applies if C(ipa_prot) is I(https).
    - If set to C(no), the SSL certificates will not be validated.
    - This should only be set to C(no) when used on personally controlled sites using self-signed certificates.
  type: bool

ipaconfigstring:
  aliases:
    - configstring
  choices:
    - AllowNThash
    - KDC:Disable Last Success
    - KDC:Disable Lockout
    - KDC:Disable Default Preauth for SPNs
  description: Extra hashes to generate in password plug-in.
  elements: str
  type: list
  version_added: 2.5.0
  version_added_collection: community.general

ipahomesrootdir:
  aliases:
    - homesrootdir
  description: Default location of home directories.
  type: str
  version_added: 2.5.0
  version_added_collection: community.general

ipakrbauthzdata:
  aliases:
    - krbauthzdata
  choices:
    - MS-PAC
    - PAD
    - nfs:NONE
  description: Default types of PAC supported for services.
  elements: str
  type: list
  version_added: 2.5.0
  version_added_collection: community.general

ipauserauthtype:
  aliases:
    - userauthtype
  choices:
    - password
    - radius
    - otp
    - pkinit
    - hardened
    - disabled
  description: The authentication type to use by default.
  elements: str
  type: list
  version_added: 2.5.0
  version_added_collection: community.general

ipapwdexpadvnotify:
  aliases:
    - pwdexpadvnotify
  description: Notice of impending password expiration, in days.
  type: int
  version_added: 2.5.0
  version_added_collection: community.general

ipasearchtimelimit:
  aliases:
    - searchtimelimit
  description: Maximum amount of time (seconds) for a search (-1 or 0 is unlimited).
  type: int
  version_added: 2.5.0
  version_added_collection: community.general

ipausersearchfields:
  aliases:
    - usersearchfields
  description: A list of fields to search in when searching for users.
  elements: str
  type: list
  version_added: 2.5.0
  version_added_collection: community.general

ipadefaultloginshell:
  aliases:
    - loginshell
  description: Default shell for new users.
  type: str

ipagroupsearchfields:
  aliases:
    - groupsearchfields
  description: A list of fields to search in when searching for groups.
  elements: str
  type: list
  version_added: 2.5.0
  version_added_collection: community.general

ipamaxusernamelength:
  aliases:
    - maxusernamelength
  description: Maximum length of usernames.
  type: int
  version_added: 2.5.0
  version_added_collection: community.general

ipadefaultemaildomain:
  aliases:
    - emaildomain
  description: Default e-mail domain for new users.
  type: str

ipasearchrecordslimit:
  aliases:
    - searchrecordslimit
  description: Maximum number of records to search (-1 or 0 is unlimited).
  type: int
  version_added: 2.5.0
  version_added_collection: community.general

ipadefaultprimarygroup:
  aliases:
    - primarygroup
  description: Default group for new users.
  type: str
  version_added: 2.5.0
  version_added_collection: community.general

ipaselinuxusermaporder:
  aliases:
    - selinuxusermaporder
  description: The SELinux user map order (order in increasing priority of SELinux users).
  elements: str
  type: list
  version_added: 3.7.0
  version_added_collection: community.general
config:
  description: Configuration as returned by IPA API.
  returned: always
  type: dict
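
The ipa_pass description above allows the password to be left out of the task when GSSAPI is available. The tasks below are an added example, not part of the module's own documentation. They show the same change made once with a vaulted password and once with a keytab, keeping ipa_prot at https and validate_certs at true. The variable vault_ipa_admin_password and the keytab path are hypothetical placeholders, and the second task assumes 'urllib_gssapi' is installed where the module runs.

```yaml
# Added example; names marked "hypothetical" are not from the module documentation.

- name: Set search limits, password taken from an Ansible Vault variable
  community.general.ipa_config:
    ipasearchrecordslimit: 100
    ipasearchtimelimit: 2
    ipa_host: ipa.example.com
    ipa_prot: https          # module default, stated explicitly
    validate_certs: true     # module default, stated explicitly
    ipa_user: admin
    ipa_pass: "{{ vault_ipa_admin_password }}"   # hypothetical vaulted variable

- name: Set search limits, authenticating with a Kerberos keytab instead of ipa_pass
  community.general.ipa_config:
    ipasearchrecordslimit: 100
    ipasearchtimelimit: 2
    ipa_host: ipa.example.com
    ipa_prot: https
    validate_certs: true
  environment:
    # Used by the module only when KRB5CCNAME is not set (see ipa_pass above).
    KRB5_CLIENT_KTNAME: /etc/ansible/ipa-automation.keytab   # hypothetical path
  register: ipa_cfg

- name: Show the configuration returned by the IPA API
  ansible.builtin.debug:
    var: ipa_cfg.config
```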