community.general.ipa_group (8.5.0) — module

Manage FreeIPA group

Authors: Thomas Krahn (@Nosmoht)

Install collection

Install with ansible-galaxy collection install community.general:==8.5.0


Add to requirements.yml

  collections:
    - name: community.general
      version: 8.5.0

Description

Add, modify and delete groups within an IPA server.

Usage examples

- name: Ensure group is present
  community.general.ipa_group:
    name: oinstall
    gidnumber: '54321'
    state: present
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret
- name: Ensure that groups sysops and appops are assigned to ops but no other group
  community.general.ipa_group:
    name: ops
    group:
    - sysops
    - appops
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret
- name: Ensure that users linus and larry are assigned to the group, but no other user
  community.general.ipa_group:
    name: sysops
    user:
    - linus
    - larry
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret
- name: Ensure that new starter named john is member of the group, without removing other members
  community.general.ipa_group:
    name: developers
    user:
    - john
    append: true
    state: present
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret
- name: Add external user to a group
  community.general.ipa_group:
    name: developers
    external: true
    append: true
    external_user:
    - S-1-5-21-123-1234-12345-63421
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret
- name: Add a user from MYDOMAIN
  community.general.ipa_group:
    name: developers
    external: true
    append: true
    external_user:
    - MYDOMAIN\\john
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret
- name: Ensure group is absent
  community.general.ipa_group:
    name: sysops
    state: absent
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

Inputs

    
cn:
    aliases:
    - name
    description:
    - Canonical name.
    - Cannot be changed as it is the unique identifier.
    required: true
    type: str

user:
    description:
    - List of user names assigned to this group.
    - If O(append=false) and an empty list is passed all users will be removed from this
      group.
    - Users that are already assigned but not passed will be removed.
    - If O(append=true) the listed users will be assigned without removing other users.
    - If option is omitted assigned users will not be checked or changed.
    elements: str
    type: list

group:
    description:
    - List of group names assigned to this group.
    - If O(append=false) and an empty list is passed all groups will be removed from this
      group.
    - Groups that are already assigned but not passed will be removed.
    - If O(append=true) the listed groups will be assigned without removing other groups.
    - If option is omitted assigned groups will not be checked or changed.
    elements: str
    type: list

state:
    choices:
    - absent
    - present
    default: present
    description:
    - State to ensure.
    type: str

append:
    default: false
    description:
    - If V(true), add the listed O(user) and O(group) to the group members.
    - If V(false), only the listed O(user) and O(group) will be group members, removing
      any other members.
    type: bool
    version_added: 4.0.0
    version_added_collection: community.general

external:
    description:
    - Allow adding external non-IPA members from trusted domains.
    type: bool

ipa_host:
    default: ipa.example.com
    description:
    - IP or hostname of IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_HOST)
      will be used instead.
    - If both the environment variable E(IPA_HOST) and the value are not specified in
      the task, then DNS will be used to try to discover the FreeIPA server.
    - The relevant entry needed in FreeIPA is the C(ipa-ca) entry.
    - If neither the DNS entry, nor the environment E(IPA_HOST), nor the value are available
      in the task, then the default value will be used.
    type: str

ipa_pass:
    description:
    - Password of administrative user.
    - If the value is not specified in the task, the value of environment variable E(IPA_PASS)
      will be used instead.
    - Note that if the C(urllib_gssapi) library is available, it is possible to use GSSAPI
      to authenticate to FreeIPA.
    - If the environment variable E(KRB5CCNAME) is available, the module will use this
      kerberos credentials cache to authenticate to the FreeIPA server.
    - If the environment variable E(KRB5_CLIENT_KTNAME) is available, and E(KRB5CCNAME)
      is not; the module will use this kerberos keytab to authenticate.
    - If GSSAPI is not available, the usage of O(ipa_pass) is required.
    - Prefer E(IPA_PASS) or a Kerberos credential cache to writing the password into the
      playbook as the examples above do; a plaintext value there ends up in version control.
    type: str

ipa_port:
    default: 443
    description:
    - Port of FreeIPA / IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_PORT)
      will be used instead.
    - If both the environment variable E(IPA_PORT) and the value are not specified in
      the task, then default value is set.
    type: int

ipa_prot:
    choices:
    - http
    - https
    default: https
    description:
    - Protocol used by IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_PROT)
      will be used instead.
    - If both the environment variable E(IPA_PROT) and the value are not specified in
      the task, then default value is set.
    type: str

ipa_user:
    default: admin
    description:
    - Administrative account used on IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_USER)
      will be used instead.
    - If both the environment variable E(IPA_USER) and the value are not specified in
      the task, then default value is set.
    type: str

nonposix:
    description:
    - Create as a non-POSIX group.
    type: bool

gidnumber:
    aliases:
    - gid
    description:
    - GID (use this option to set it manually).
    type: str

description:
    description:
    - Description of the group.
    type: str

ipa_timeout:
    default: 10
    description:
    - Specifies idle timeout (in seconds) for the connection.
    - For bulk operations, you may want to increase this in order to avoid timeout from
      IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_TIMEOUT)
      will be used instead.
    - If both the environment variable E(IPA_TIMEOUT) and the value are not specified
      in the task, then default value is set.
    type: int

external_user:
    description:
    - List of external users assigned to this group.
    - Behaves identically to O(user) with respect to O(append) attribute.
    - List entries can be in V(DOMAIN\\\\username) or SID format.
    - Unless SIDs are provided, the module will always attempt to make changes even if
      the group already has all the users, because IPA only returns SIDs for external
      members and a V(DOMAIN\\\\username) entry can never be matched against them. Use
      SIDs if the task must be idempotent.
    - O(external=true) is needed for this option to work.
    elements: str
    type: list
    version_added: 6.3.0
    version_added_collection: community.general
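
The membership rules documented above for O(user), O(group) and O(append), together with the
O(external_user) SID caveat, as a small model that can be run against a task before it is
applied. This is an added example written for this page, not code from the ipa_group module or
the community.general collection; the "current" memberships are constructed sample data
standing in for what IPA would return, and the class and function names are the example's own.

```python
"""Predict what a community.general.ipa_group task would add and remove.

Added illustration for this page, not the module's own code: it models the
membership rules documented for the user, group and external_user options
under append, so a task's effect (above all, what it would REMOVE) can be
reviewed before it touches the IPA server. The "current" memberships are
constructed sample data standing in for what IPA would return; the function
and class names are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Plan:
    """Members a task would add to, and remove from, one membership attribute."""
    add: list[str] = field(default_factory=list)
    remove: list[str] = field(default_factory=list)

    @property
    def changed(self) -> bool:
        return bool(self.add or self.remove)


def plan_members(current: list[str], desired: list[str] | None, append: bool) -> Plan:
    """Documented rules for the user and group options.

    desired is None  -> option omitted: membership is neither checked nor changed
    append=False     -> the listed members become the only members; [] removes all
    append=True      -> the listed members are added, nothing is removed
    """
    if desired is None:
        return Plan()
    cur, want = set(current), set(desired)
    return Plan(add=sorted(want - cur),
                remove=[] if append else sorted(cur - want))


def is_sid(entry: str) -> bool:
    """Windows security identifier, the form IPA returns for external members."""
    return entry.startswith("S-1-")


def plan_external(current_sids: list[str], desired: list[str] | None, append: bool) -> Plan:
    """external_user follows the same append rules, with the documented twist that
    IPA only returns SIDs: a DOMAIN\\user entry never matches current state, so it
    is re-added on every run and the task always reports a change. Under
    append=False the same rule also slates every current SID that is not listed
    as a SID for removal, so listing someone by name does not protect their SID.
    """
    if desired is None:
        return Plan()
    sids = [e for e in desired if is_sid(e)]
    names = [e for e in desired if not is_sid(e)]
    plan = plan_members(current_sids, sids, append)
    plan.add = names + plan.add  # names can never be matched, hence always "added"
    return plan


def plan_task(task: dict, current: dict) -> dict[str, Plan]:
    """Per-attribute plans for one state=present task.

    task    -> the module options as they would be written in the playbook
    current -> what IPA currently holds for the group (constructed by the caller)
    """
    if task.get("external_user") is not None and not task.get("external"):
        raise ValueError("external_user requires external=true")  # documented precondition
    append = bool(task.get("append", False))
    return {
        "user": plan_members(current.get("user", []), task.get("user"), append),
        "group": plan_members(current.get("group", []), task.get("group"), append),
        "external_user": plan_external(current.get("external_user", []),
                                       task.get("external_user"), append),
    }


if __name__ == "__main__":
    # Constructed current state of group "ops": two nested groups and two direct users.
    current = {"group": ["sysops", "netops"], "user": ["alice", "bob"]}
    # The page's "ops" example: sysops and appops, and no other group; user is omitted.
    task = {"name": "ops", "group": ["sysops", "appops"]}
    for attr, plan in plan_task(task, current).items():
        print(f"{attr}: add={plan.add} remove={plan.remove} changed={plan.changed}")
```

Running the model on the page's "ops" example shows the part that bites in practice: with O(append)
left at its default of false, the task adds appops and removes netops, while the omitted O(user)
option leaves alice and bob untouched. Feeding a task with a user list and no O(append) through
the same function shows every unlisted user slated for removal, which is worth checking before
running the task against a production realm.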

validate_certs:
    default: true
    description:
    - This only applies if O(ipa_prot) is V(https).
    - If set to V(false), the SSL certificates will not be validated.
    - This should only be set to V(false) on personally controlled sites using self-signed
      certificates.
    - With validation disabled, the O(ipa_user) and O(ipa_pass) credentials are sent to
      whichever host answers for O(ipa_host), so anyone on the network path can capture them.
    type: bool

Outputs

group:
  description: Group as returned by IPA API
  returned: always
  type: dict