community.general.ipa_pwpolicy (8.5.0) — module

Manage FreeIPA password policies

Added in version 2.0.0 of community.general

Authors: Adralioh (@adralioh)

Install collection

Install with ansible-galaxy collection install community.general:==8.5.0


Add to requirements.yml

  collections:
    - name: community.general
      version: 8.5.0

Description

Add, modify, or delete a password policy using the IPA API.

Usage examples

- name: Modify the global password policy
  community.general.ipa_pwpolicy:
      maxpwdlife: '90'
      minpwdlife: '1'
      historylength: '8'
      minclasses: '3'
      minlength: '16'
      maxfailcount: '6'
      failinterval: '60'
      lockouttime: '600'
      ipa_host: ipa.example.com
      ipa_user: admin
      ipa_pass: topsecret
- name: Ensure the password policy for the group admins is present
  community.general.ipa_pwpolicy:
      group: admins
      state: present
      maxpwdlife: '60'
      minpwdlife: '24'
      historylength: '16'
      minclasses: '4'
      priority: '10'
      minlength: '6'
      maxfailcount: '4'
      failinterval: '600'
      lockouttime: '1200'
      gracelimit: 3
      maxrepeat: 3
      maxsequence: 3
      dictcheck: true
      usercheck: true
      ipa_host: ipa.example.com
      ipa_user: admin
      ipa_pass: topsecret
- name: Ensure that the group sysops does not have a unique password policy
  community.general.ipa_pwpolicy:
      group: sysops
      state: absent
      ipa_host: ipa.example.com
      ipa_user: admin
      ipa_pass: topsecret

Inputs

group:
    aliases:
    - name
    description:
    - Name of the group that the policy applies to.
    - If omitted, the global policy is used.
    type: str

state:
    choices:
    - absent
    - present
    default: present
    description: State to ensure.
    type: str

ipa_host:
    default: ipa.example.com
    description:
    - IP or hostname of IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_HOST)
      will be used instead.
    - If both the environment variable E(IPA_HOST) and the value are not specified in
      the task, then DNS will be used to try to discover the FreeIPA server.
    - The relevant entry needed in FreeIPA is the C(ipa-ca) entry.
    - If neither the DNS entry, nor the environment E(IPA_HOST), nor the value are available
      in the task, then the default value will be used.
    type: str

ipa_pass:
    description:
    - Password of administrative user.
    - If the value is not specified in the task, the value of environment variable E(IPA_PASS)
      will be used instead.
    - Note that if the C(urllib_gssapi) library is available, it is possible to use GSSAPI
      to authenticate to FreeIPA.
    - If the environment variable E(KRB5CCNAME) is available, the module will use this
      Kerberos credentials cache to authenticate to the FreeIPA server.
    - If the environment variable E(KRB5_CLIENT_KTNAME) is available, and E(KRB5CCNAME)
      is not, the module will use this Kerberos keytab to authenticate.
    - If GSSAPI is not available, the usage of O(ipa_pass) is required.
    type: str

ipa_port:
    default: 443
    description:
    - Port of FreeIPA / IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_PORT)
      will be used instead.
    - If both the environment variable E(IPA_PORT) and the value are not specified in
      the task, then the default value is used.
    type: int

ipa_prot:
    choices:
    - http
    - https
    default: https
    description:
    - Protocol used by IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_PROT)
      will be used instead.
    - If both the environment variable E(IPA_PROT) and the value are not specified in
      the task, then the default value is used.
    type: str

ipa_user:
    default: admin
    description:
    - Administrative account used on IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_USER)
      will be used instead.
    - If both the environment variable E(IPA_USER) and the value are not specified in
      the task, then the default value is used.
    type: str

priority:
    description:
    - Priority of the policy.
    - A higher number means a lower priority.
    - Required when C(cn) is not the global policy.
    type: str

dictcheck:
    description: Check whether the password (with possible modifications) matches a word
      in a dictionary (using cracklib).
    type: bool
    version_added: 8.2.0
    version_added_collection: community.general

maxrepeat:
    description: Maximum number of allowed same consecutive characters in the new password.
    type: int
    version_added: 8.2.0
    version_added_collection: community.general

minlength:
    description: Minimum password length.
    type: str

usercheck:
    description: Check whether the password (with possible modifications) contains the
      user name in some form (if the name has > 3 characters).
    type: bool
    version_added: 8.2.0
    version_added_collection: community.general

gracelimit:
    description: Maximum number of LDAP logins after password expiration.
    type: int
    version_added: 8.2.0
    version_added_collection: community.general

maxpwdlife:
    description: Maximum password lifetime (in days).
    type: str

minclasses:
    description: Minimum number of character classes.
    type: str

minpwdlife:
    description: Minimum password lifetime (in hours).
    type: str

ipa_timeout:
    default: 10
    description:
    - Specifies idle timeout (in seconds) for the connection.
    - For bulk operations, you may want to increase this in order to avoid timeout from
      IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_TIMEOUT)
      will be used instead.
    - If both the environment variable E(IPA_TIMEOUT) and the value are not specified
      in the task, then the default value is used.
    type: int

lockouttime:
    description: Period (in seconds) for which users are locked out.
    type: str

maxsequence:
    description: Maximum length of monotonic character sequences in the new password.
      An example of a monotonic sequence of length 5 is V(12345).
    type: int
    version_added: 8.2.0
    version_added_collection: community.general

failinterval:
    description: Period (in seconds) after which the number of failed login attempts is
      reset.
    type: str

maxfailcount:
    description: Maximum number of consecutive failures before lockout.
    type: str

historylength:
    description:
    - Number of previous passwords that are remembered.
    - Users cannot reuse remembered passwords.
    type: str

validate_certs:
    default: true
    description:
    - This only applies if O(ipa_prot) is V(https).
    - If set to V(false), the SSL certificates will not be validated.
    - This should only be set to V(false) on personally controlled sites using self-signed
      certificates.
    type: bool

Outputs

pwpolicy:
  description: Password policy as returned by IPA API.
  returned: always
  sample:
    cn:
    - admins
    cospriority:
    - '10'
    dn: cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
    krbmaxpwdlife:
    - '60'
    krbminpwdlife:
    - '24'
    krbpwdfailurecountinterval:
    - '600'
    krbpwdhistorylength:
    - '16'
    krbpwdlockoutduration:
    - '1200'
    krbpwdmaxfailure:
    - '4'
    krbpwdmindiffchars:
    - '4'
    objectclass:
    - top
    - nscontainer
    - krbpwdpolicy
  type: dict
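As an added example (not code from the module or from the community.general collection), the following Python takes the pwpolicy dictionary shown in the sample above, in the shape a playbook receives it after registering the task result, and compares it with a constructed hardening baseline. It assumes the return shape of the sample: IPA attribute names (krb*) holding single-element lists of strings. The mapping from IPA attributes to the module's option names is this example's own, inferred from the usage example and the sample (the example sets minclasses '4' and the sample returns krbpwdmindiffchars '4'), and the baseline numbers are constructed for illustration.

```python
"""Check a pwpolicy return value from community.general.ipa_pwpolicy against a baseline.

Added example, not part of the module or collection. Assumes the 'pwpolicy'
return value has the documented sample shape: IPA attribute names mapped to
single-element lists of strings. Baseline values are constructed.
"""

# IPA attribute -> module option, for the attributes present in the documented
# sample output. Mapping inferred from the usage example and sample (assumption).
ATTRIBUTE_TO_OPTION = {
    "krbmaxpwdlife": "maxpwdlife",                 # days
    "krbminpwdlife": "minpwdlife",                 # hours
    "krbpwdhistorylength": "historylength",        # passwords remembered
    "krbpwdmindiffchars": "minclasses",            # character classes
    "krbpwdmaxfailure": "maxfailcount",            # failures before lockout
    "krbpwdfailurecountinterval": "failinterval",  # seconds
    "krbpwdlockoutduration": "lockouttime",        # seconds
}

# Constructed hardening baseline: ("max", limit) means the policy value must not
# exceed the limit; ("min", limit) means it must reach it.
BASELINE = {
    "maxpwdlife": ("max", 90),
    "minpwdlife": ("min", 1),
    "historylength": ("min", 8),
    "minclasses": ("min", 3),
    "maxfailcount": ("max", 6),
    "failinterval": ("min", 60),
    "lockouttime": ("min", 600),
}


def flatten_policy(pwpolicy):
    """Convert the IPA return (lists of strings) into {module option: int}."""
    flat = {}
    for attr, option in ATTRIBUTE_TO_OPTION.items():
        raw = pwpolicy.get(attr)
        if not raw:
            continue  # attribute is not set on this policy; reported by check_policy
        value = raw[0] if isinstance(raw, list) else raw
        flat[option] = int(value)
    return flat


def check_policy(pwpolicy, baseline=BASELINE):
    """Return a list of findings; an empty list means the policy meets the baseline."""
    values = flatten_policy(pwpolicy)
    findings = []
    for option, (mode, limit) in baseline.items():
        if option not in values:
            findings.append("%s: not set on policy (baseline requires %s %d)"
                            % (option, mode, limit))
            continue
        actual = values[option]
        if mode == "max" and actual > limit:
            findings.append("%s=%d exceeds maximum %d" % (option, actual, limit))
        elif mode == "min" and actual < limit:
            findings.append("%s=%d below minimum %d" % (option, actual, limit))
    return findings


# Constructed input: the documented sample return value for the 'admins' policy.
SAMPLE_PWPOLICY = {
    "cn": ["admins"],
    "cospriority": ["10"],
    "dn": "cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com",
    "krbmaxpwdlife": ["60"],
    "krbminpwdlife": ["24"],
    "krbpwdfailurecountinterval": ["600"],
    "krbpwdhistorylength": ["16"],
    "krbpwdlockoutduration": ["1200"],
    "krbpwdmaxfailure": ["4"],
    "krbpwdmindiffchars": ["4"],
    "objectclass": ["top", "nscontainer", "krbpwdpolicy"],
}

if __name__ == "__main__":
    for line in check_policy(SAMPLE_PWPOLICY) or ["policy meets baseline"]:
        print(line)
```

The sample policy satisfies the constructed baseline, so check_policy returns an empty list; removing krbpwdlockoutduration or raising krbmaxpwdlife above 90 produces one finding per violated option. Attributes absent from the return value are reported rather than silently skipped, since an unset lockout or history setting is a gap in the policy, not a pass.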