community / community.general / 3.8.10 / module / ipa_pwpolicy Manage FreeIPA password policies | "added in version" 2.0.0 of community.general" Authors: Adralioh (@adralioh)community.general.ipa_pwpolicy (3.8.10) — module
Install with ansible-galaxy collection install community.general:==3.8.10
collections: - name: community.general version: 3.8.10
Add, modify, or delete a password policy using the IPA API.
- name: Modify the global password policy community.general.ipa_pwpolicy: maxpwdlife: '90' minpwdlife: '1' historylength: '8' minclasses: '3' minlength: '16' maxfailcount: '6' failinterval: '60' lockouttime: '600' ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret
- name: Ensure the password policy for the group admins is present community.general.ipa_pwpolicy: group: admins state: present maxpwdlife: '60' minpwdlife: '24' historylength: '16' minclasses: '4' priority: '10' maxfailcount: '4' failinterval: '600' lockouttime: '1200' ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret
- name: Ensure that the group sysops does not have a unique password policy community.general.ipa_pwpolicy: group: sysops state: absent ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret
group: aliases: - name description: - Name of the group that the policy applies to. - If omitted, the global policy is used. type: str state: choices: - absent - present default: present description: State to ensure. type: str ipa_host: default: ipa.example.com description: - IP or hostname of IPA server. - If the value is not specified in the task, the value of environment variable C(IPA_HOST) will be used instead. - If both the environment variable C(IPA_HOST) and the value are not specified in the task, then DNS will be used to try to discover the FreeIPA server. - The relevant entry needed in FreeIPA is the 'ipa-ca' entry. - If neither the DNS entry, nor the environment C(IPA_HOST), nor the value are available in the task, then the default value will be used. - Environment variable fallback mechanism is added in Ansible 2.5. type: str ipa_pass: description: - Password of administrative user. - If the value is not specified in the task, the value of environment variable C(IPA_PASS) will be used instead. - Note that if the 'urllib_gssapi' library is available, it is possible to use GSSAPI to authenticate to FreeIPA. - If the environment variable C(KRB5CCNAME) is available, the module will use this kerberos credentials cache to authenticate to the FreeIPA server. - If the environment variable C(KRB5_CLIENT_KTNAME) is available, and C(KRB5CCNAME) is not; the module will use this kerberos keytab to authenticate. - If GSSAPI is not available, the usage of 'ipa_pass' is required. - Environment variable fallback mechanism is added in Ansible 2.5. type: str ipa_port: default: 443 description: - Port of FreeIPA / IPA server. - If the value is not specified in the task, the value of environment variable C(IPA_PORT) will be used instead. - If both the environment variable C(IPA_PORT) and the value are not specified in the task, then default value is set. - Environment variable fallback mechanism is added in Ansible 2.5. type: int ipa_prot: choices: - http - https default: https description: - Protocol used by IPA server. - If the value is not specified in the task, the value of environment variable C(IPA_PROT) will be used instead. - If both the environment variable C(IPA_PROT) and the value are not specified in the task, then default value is set. - Environment variable fallback mechanism is added in Ansible 2.5. type: str ipa_user: default: admin description: - Administrative account used on IPA server. - If the value is not specified in the task, the value of environment variable C(IPA_USER) will be used instead. - If both the environment variable C(IPA_USER) and the value are not specified in the task, then default value is set. - Environment variable fallback mechanism is added in Ansible 2.5. type: str priority: description: - Priority of the policy. - High number means lower priority. - Required when C(cn) is not the global policy. type: str minlength: description: Minimum password length. type: str maxpwdlife: description: Maximum password lifetime (in days). type: str minclasses: description: Minimum number of character classes. type: str minpwdlife: description: Minimum password lifetime (in hours). type: str ipa_timeout: default: 10 description: - Specifies idle timeout (in seconds) for the connection. - For bulk operations, you may want to increase this in order to avoid timeout from IPA server. - If the value is not specified in the task, the value of environment variable C(IPA_TIMEOUT) will be used instead. - If both the environment variable C(IPA_TIMEOUT) and the value are not specified in the task, then default value is set. type: int lockouttime: description: Period (in seconds) for which users are locked out. type: str failinterval: description: Period (in seconds) after which the number of failed login attempts is reset. type: str maxfailcount: description: Maximum number of consecutive failures before lockout. type: str historylength: description: - Number of previous passwords that are remembered. - Users cannot reuse remembered passwords. type: str validate_certs: default: true description: - This only applies if C(ipa_prot) is I(https). - If set to C(no), the SSL certificates will not be validated. - This should only set to C(no) used on personally controlled sites using self-signed certificates. type: bool
pwpolicy: description: Password policy as returned by IPA API. returned: always sample: cn: - admins cospriority: - '10' dn: cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbmaxpwdlife: - '60' krbminpwdlife: - '24' krbpwdfailurecountinterval: - '600' krbpwdhistorylength: - '16' krbpwdlockoutduration: - '1200' krbpwdmaxfailure: - '4' krbpwdmindiffchars: - '4' objectclass: - top - nscontainer - krbpwdpolicy type: dict