Try SpotterManage FreeIPA OTPs
| "added in version" 2.5.0 of community.general"
Authors: justchris1 (@justchris1)
Install with ansible-galaxy collection install community.general:==8.5.0
collections:
- name: community.general
version: 8.5.0Add, modify, and delete One Time Passwords in IPA.
- name: Create a totp for pinky, allowing the IPA server to generate using defaults
community.general.ipa_otptoken:
uniqueid: Token123
otptype: totp
owner: pinky
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
- name: Create a 8 digit hotp for pinky with sha256 with specified validity times
community.general.ipa_otptoken:
uniqueid: Token123
enabled: true
otptype: hotp
digits: 8
secretkey: UMKSIER00zT2T2tWMUlTRmNlekRCbFQvWFBVZUh2dElHWGR6T3VUR3IzK2xjaFk9
algorithm: sha256
notbefore: 20180121182123
notafter: 20220121182123
owner: pinky
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
- name: Update Token123 to indicate a vendor, model, serial number (info only), and description
community.general.ipa_otptoken:
uniqueid: Token123
vendor: Acme
model: acme101
serial: SerialNumber1
description: Acme OTP device
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
- name: Disable Token123
community.general.ipa_otptoken:
uniqueid: Token123
enabled: false
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
- name: Rename Token123 to TokenABC and enable it
community.general.ipa_otptoken:
uniqueid: Token123
newuniqueid: TokenABC
enabled: true
ipa_host: ipa.example.com
ipa_user: admin
ipa_pass: topsecret
model:
description: Token model (informational only).
type: str
owner:
description: Assigned user of the token.
type: str
state:
choices:
- present
- absent
default: present
description: State to ensure.
type: str
digits:
choices:
- 6
- 8
description:
- Number of digits each token code will have.
- B(Note:) Cannot be modified after OTP is created.
type: int
offset:
description:
- TOTP token / IPA server time difference.
- B(Note:) Cannot be modified after OTP is created.
type: int
serial:
description: Token serial (informational only).
type: str
vendor:
description: Token vendor name (informational only).
type: str
counter:
description:
- Initial counter for the HOTP token.
- B(Note:) Cannot be modified after OTP is created.
type: int
enabled:
default: true
description: Mark the token as enabled (default V(true)).
type: bool
otptype:
choices:
- totp
- hotp
description:
- Type of OTP.
- B(Note:) Cannot be modified after OTP is created.
type: str
interval:
description:
- Length of TOTP token code validity in seconds.
- B(Note:) Cannot be modified after OTP is created.
type: int
ipa_host:
default: ipa.example.com
description:
- IP or hostname of IPA server.
- If the value is not specified in the task, the value of environment variable E(IPA_HOST)
will be used instead.
- If both the environment variable E(IPA_HOST) and the value are not specified in
the task, then DNS will be used to try to discover the FreeIPA server.
- The relevant entry needed in FreeIPA is the C(ipa-ca) entry.
- If neither the DNS entry, nor the environment E(IPA_HOST), nor the value are available
in the task, then the default value will be used.
type: str
ipa_pass:
description:
- Password of administrative user.
- If the value is not specified in the task, the value of environment variable E(IPA_PASS)
will be used instead.
- Note that if the C(urllib_gssapi) library is available, it is possible to use GSSAPI
to authenticate to FreeIPA.
- If the environment variable E(KRB5CCNAME) is available, the module will use this
kerberos credentials cache to authenticate to the FreeIPA server.
- If the environment variable E(KRB5_CLIENT_KTNAME) is available, and E(KRB5CCNAME)
is not; the module will use this kerberos keytab to authenticate.
- If GSSAPI is not available, the usage of O(ipa_pass) is required.
type: str
ipa_port:
default: 443
description:
- Port of FreeIPA / IPA server.
- If the value is not specified in the task, the value of environment variable E(IPA_PORT)
will be used instead.
- If both the environment variable E(IPA_PORT) and the value are not specified in
the task, then default value is set.
type: int
ipa_prot:
choices:
- http
- https
default: https
description:
- Protocol used by IPA server.
- If the value is not specified in the task, the value of environment variable E(IPA_PROT)
will be used instead.
- If both the environment variable E(IPA_PROT) and the value are not specified in
the task, then default value is set.
type: str
ipa_user:
default: admin
description:
- Administrative account used on IPA server.
- If the value is not specified in the task, the value of environment variable E(IPA_USER)
will be used instead.
- If both the environment variable E(IPA_USER) and the value are not specified in
the task, then default value is set.
type: str
notafter:
description:
- Last date/time the token can be used.
- In the format C(YYYYMMddHHmmss).
- For example, C(20200121182022) will allow the token to be used until 21 January
2020 at 18:20:22.
type: str
uniqueid:
aliases:
- name
description: Unique ID of the token in IPA.
required: true
type: str
algorithm:
choices:
- sha1
- sha256
- sha384
- sha512
description:
- Token hash algorithm.
- B(Note:) Cannot be modified after OTP is created.
type: str
notbefore:
description:
- First date/time the token can be used.
- In the format C(YYYYMMddHHmmss).
- For example, C(20180121182022) will allow the token to be used starting on 21 January
2018 at 18:20:22.
type: str
secretkey:
description:
- Token secret (Base64).
- If OTP is created and this is not specified, a random secret will be generated by
IPA.
- B(Note:) Cannot be modified after OTP is created.
type: str
description:
description: Description of the token (informational only).
type: str
ipa_timeout:
default: 10
description:
- Specifies idle timeout (in seconds) for the connection.
- For bulk operations, you may want to increase this in order to avoid timeout from
IPA server.
- If the value is not specified in the task, the value of environment variable E(IPA_TIMEOUT)
will be used instead.
- If both the environment variable E(IPA_TIMEOUT) and the value are not specified
in the task, then default value is set.
type: int
newuniqueid:
description: If specified, the unique id specified will be changed to this.
type: str
validate_certs:
default: true
description:
- This only applies if O(ipa_prot) is V(https).
- If set to V(false), the SSL certificates will not be validated.
- This should only set to V(false) used on personally controlled sites using self-signed
certificates.
type: bool
otptoken: description: OTP Token as returned by IPA API returned: always type: dict