community.general.ipa_config (8.5.0) — module
Manage Global FreeIPA Configuration Settings
Authors: Fran Fitzpatrick (@fxfitz)
Install with ansible-galaxy collection install community.general:==8.5.0
collections:
  - name: community.general
    version: 8.5.0
Modify global configuration settings of a FreeIPA Server.
- name: Ensure password plugin features KDC:Disable Last Success and KDC:Disable Lockout are enabled
  community.general.ipa_config:
    ipaconfigstring: ["KDC:Disable Last Success", "KDC:Disable Lockout"]
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the default login shell is bash
  community.general.ipa_config:
    ipadefaultloginshell: /bin/bash
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the default e-mail domain is ansible.com
  community.general.ipa_config:
    ipadefaultemaildomain: ansible.com
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the default primary group is set to ipausers
  community.general.ipa_config:
    ipadefaultprimarygroup: ipausers
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the group search fields are set to 'cn,description'
  community.general.ipa_config:
    ipagroupsearchfields: ['cn', 'description']
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the home directory location is set to /home
  community.general.ipa_config:
    ipahomesrootdir: /home
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the default types of PAC supported for services is set to MS-PAC and PAD
  community.general.ipa_config:
    ipakrbauthzdata: ["MS-PAC", "PAD"]
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the maximum user name length is set to 32
  community.general.ipa_config:
    ipamaxusernamelength: 32
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the password expiration notice is set to 4 days
  community.general.ipa_config:
    ipapwdexpadvnotify: 4
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the search record limit is set to 100
  community.general.ipa_config:
    ipasearchrecordslimit: 100
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the search time limit is set to 2 seconds
  community.general.ipa_config:
    ipasearchtimelimit: 2
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the default user auth type is password
  community.general.ipa_config:
    ipauserauthtype: ['password']
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the user search fields are set to 'uid,givenname,sn,ou,title'
  community.general.ipa_config:
    ipausersearchfields: ['uid', 'givenname', 'sn', 'ou', 'title']
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret

- name: Ensure the SELinux user map order is set
  community.general.ipa_config:
    ipaselinuxusermaporder:
      - "guest_u:s0"
      - "xguest_u:s0"
      - "user_u:s0"
      - "staff_u:s0-s0:c0.c1023"
      - "unconfined_u:s0-s0:c0.c1023"
    ipa_host: localhost
    ipa_user: admin
    ipa_pass: supersecret
ipa_host:
  default: ipa.example.com
  description:
    - IP or hostname of IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_HOST) will be used instead.
    - If both the environment variable E(IPA_HOST) and the value are not specified in the task, then DNS will be used to try to discover the FreeIPA server.
    - The relevant entry needed in FreeIPA is the C(ipa-ca) entry.
    - If neither the DNS entry, nor the environment E(IPA_HOST), nor the value are available in the task, then the default value will be used.
  type: str

ipa_pass:
  description:
    - Password of administrative user.
    - If the value is not specified in the task, the value of environment variable E(IPA_PASS) will be used instead.
    - Note that if the C(urllib_gssapi) library is available, it is possible to use GSSAPI to authenticate to FreeIPA.
    - If the environment variable E(KRB5CCNAME) is available, the module will use this kerberos credentials cache to authenticate to the FreeIPA server.
    - If the environment variable E(KRB5_CLIENT_KTNAME) is available, and E(KRB5CCNAME) is not; the module will use this kerberos keytab to authenticate.
    - If GSSAPI is not available, the usage of O(ipa_pass) is required.
  type: str

ipa_port:
  default: 443
  description:
    - Port of FreeIPA / IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_PORT) will be used instead.
    - If both the environment variable E(IPA_PORT) and the value are not specified in the task, then default value is set.
  type: int

ipa_prot:
  choices:
    - http
    - https
  default: https
  description:
    - Protocol used by IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_PROT) will be used instead.
    - If both the environment variable E(IPA_PROT) and the value are not specified in the task, then default value is set.
  type: str

ipa_user:
  default: admin
  description:
    - Administrative account used on IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_USER) will be used instead.
    - If both the environment variable E(IPA_USER) and the value are not specified in the task, then default value is set.
  type: str

ipa_timeout:
  default: 10
  description:
    - Specifies idle timeout (in seconds) for the connection.
    - For bulk operations, you may want to increase this in order to avoid timeout from IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_TIMEOUT) will be used instead.
    - If both the environment variable E(IPA_TIMEOUT) and the value are not specified in the task, then default value is set.
  type: int

validate_certs:
  default: true
  description:
    - This only applies if O(ipa_prot) is V(https).
    - If set to V(false), the SSL certificates will not be validated.
    - This should only be set to V(false) on personally controlled sites using self-signed certificates.
  type: bool

ipaconfigstring:
  aliases:
    - configstring
  choices:
    - AllowNThash
    - KDC:Disable Last Success
    - KDC:Disable Lockout
    - KDC:Disable Default Preauth for SPNs
  description: Extra hashes to generate in password plug-in.
  elements: str
  type: list
  version_added: 2.5.0
  version_added_collection: community.general

ipahomesrootdir:
  aliases:
    - homesrootdir
  description: Default location of home directories.
  type: str
  version_added: 2.5.0
  version_added_collection: community.general

ipakrbauthzdata:
  aliases:
    - krbauthzdata
  choices:
    - MS-PAC
    - PAD
    - nfs:NONE
  description: Default types of PAC supported for services.
  elements: str
  type: list
  version_added: 2.5.0
  version_added_collection: community.general

ipauserauthtype:
  aliases:
    - userauthtype
  choices:
    - password
    - radius
    - otp
    - pkinit
    - hardened
    - idp
    - passkey
    - disabled
  description:
    - The authentication type to use by default.
    - The choice V(idp) has been added in community.general 7.3.0.
    - The choice V(passkey) has been added in community.general 8.1.0.
  elements: str
  type: list
  version_added: 2.5.0
  version_added_collection: community.general

ipapwdexpadvnotify:
  aliases:
    - pwdexpadvnotify
  description: Notice of impending password expiration, in days.
  type: int
  version_added: 2.5.0
  version_added_collection: community.general

ipasearchtimelimit:
  aliases:
    - searchtimelimit
  description: Maximum amount of time (seconds) for a search (-1 or 0 is unlimited).
  type: int
  version_added: 2.5.0
  version_added_collection: community.general

ipausersearchfields:
  aliases:
    - usersearchfields
  description: A list of fields to search in when searching for users.
  elements: str
  type: list
  version_added: 2.5.0
  version_added_collection: community.general

ipadefaultloginshell:
  aliases:
    - loginshell
  description: Default shell for new users.
  type: str

ipagroupsearchfields:
  aliases:
    - groupsearchfields
  description: A list of fields to search in when searching for groups.
  elements: str
  type: list
  version_added: 2.5.0
  version_added_collection: community.general

ipamaxusernamelength:
  aliases:
    - maxusernamelength
  description: Maximum length of usernames.
  type: int
  version_added: 2.5.0
  version_added_collection: community.general

ipauserobjectclasses:
  aliases:
    - userobjectclasses
  description: A list of user objectclasses.
  elements: str
  type: list
  version_added: 7.3.0
  version_added_collection: community.general

ipadefaultemaildomain:
  aliases:
    - emaildomain
  description: Default e-mail domain for new users.
  type: str

ipagroupobjectclasses:
  aliases:
    - groupobjectclasses
  description: A list of group objectclasses.
  elements: str
  type: list
  version_added: 7.3.0
  version_added_collection: community.general

ipasearchrecordslimit:
  aliases:
    - searchrecordslimit
  description: Maximum number of records to search (-1 or 0 is unlimited).
  type: int
  version_added: 2.5.0
  version_added_collection: community.general

ipadefaultprimarygroup:
  aliases:
    - primarygroup
  description: Default group for new users.
  type: str
  version_added: 2.5.0
  version_added_collection: community.general

ipaselinuxusermaporder:
  aliases:
    - selinuxusermaporder
  description: The SELinux user map order (order in increasing priority of SELinux users).
  elements: str
  type: list
  version_added: 3.7.0
  version_added_collection: community.general
config:
  description: Configuration as returned by IPA API.
  returned: always
  type: dict
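
The connection options documented above allow the module to run without a plaintext password in every task. The following playbook is an added example, not part of the module's own documentation: the first play takes O(ipa_pass) from a vaulted variable through module_defaults and leaves certificate validation on, and the second authenticates over GSSAPI with a keytab. The variable name vault_ipa_admin_password and the keytab path are assumptions.

```yaml
# Added example; vault_ipa_admin_password and the keytab path are assumed names.
- name: Manage FreeIPA global settings without a password in each task
  hosts: localhost
  gather_facts: false
  module_defaults:
    community.general.ipa_config:
      ipa_host: ipa.example.com
      ipa_user: admin
      ipa_prot: https
      validate_certs: true
      # Assumed variable, kept in an Ansible Vault-encrypted vars file.
      ipa_pass: "{{ vault_ipa_admin_password }}"
  tasks:
    - name: Ensure search limits and password expiration notice are set
      community.general.ipa_config:
        ipasearchrecordslimit: 100
        ipasearchtimelimit: 2
        ipapwdexpadvnotify: 4
      register: ipa_cfg

    - name: Show the configuration returned by the IPA API
      ansible.builtin.debug:
        var: ipa_cfg.config

- name: Same module over GSSAPI with a keytab instead of ipa_pass
  hosts: localhost
  gather_facts: false
  # Needs the urllib_gssapi library where the module runs; the keytab is
  # only used when KRB5CCNAME is not set in the environment.
  environment:
    KRB5_CLIENT_KTNAME: /etc/ansible/ipa-automation.keytab  # assumed path
  tasks:
    - name: Ensure the default login shell is bash
      community.general.ipa_config:
        ipa_host: ipa.example.com
        ipadefaultloginshell: /bin/bash
```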