community.general.ipa_group (8.5.0) module
Manage FreeIPA group
Authors: Thomas Krahn (@Nosmoht)
Install with ansible-galaxy collection install community.general:==8.5.0
collections:
  - name: community.general
    version: 8.5.0
Add, modify and delete a group within an IPA server.
- name: Ensure group is present
  community.general.ipa_group:
    name: oinstall
    gidnumber: '54321'
    state: present
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

- name: Ensure that groups sysops and appops are assigned to ops but no other group
  community.general.ipa_group:
    name: ops
    group:
      - sysops
      - appops
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

- name: Ensure that users linus and larry are assigned to the group, but no other user
  community.general.ipa_group:
    name: sysops
    user:
      - linus
      - larry
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

- name: Ensure that new starter named john is member of the group, without removing other members
  community.general.ipa_group:
    name: developers
    user:
      - john
    append: true
    state: present
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

- name: Add external user to a group
  community.general.ipa_group:
    name: developers
    external: true
    append: true
    external_user:
      - S-1-5-21-123-1234-12345-63421
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

- name: Add a user from MYDOMAIN
  community.general.ipa_group:
    name: developers
    external: true
    append: true
    external_user:
      - MYDOMAIN\\john
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

- name: Ensure group is absent
  community.general.ipa_group:
    name: sysops
    state: absent
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret
cn:
  aliases:
    - name
  description:
    - Canonical name.
    - Can not be changed as it is the unique identifier.
  required: true
  type: str

user:
  description:
    - List of user names assigned to this group.
    - If O(append=false) and an empty list is passed all users will be removed from this group.
    - Users that are already assigned but not passed will be removed.
    - If O(append=true) the listed users will be assigned without removing other users.
    - If option is omitted assigned users will not be checked or changed.
  elements: str
  type: list

group:
  description:
    - List of group names assigned to this group.
    - If O(append=false) and an empty list is passed all groups will be removed from this group.
    - Groups that are already assigned but not passed will be removed.
    - If O(append=true) the listed groups will be assigned without removing other groups.
    - If option is omitted assigned groups will not be checked or changed.
  elements: str
  type: list

state:
  choices:
    - absent
    - present
  default: present
  description:
    - State to ensure
  type: str

append:
  default: false
  description:
    - If V(true), add the listed O(user) and O(group) to the group members.
    - If V(false), only the listed O(user) and O(group) will be group members, removing any other members.
  type: bool
  version_added: 4.0.0
  version_added_collection: community.general

external:
  description:
    - Allow adding external non-IPA members from trusted domains.
  type: bool

ipa_host:
  default: ipa.example.com
  description:
    - IP or hostname of IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_HOST) will be used instead.
    - If both the environment variable E(IPA_HOST) and the value are not specified in the task, then DNS will be used to try to discover the FreeIPA server.
    - The relevant entry needed in FreeIPA is the C(ipa-ca) entry.
    - If neither the DNS entry, nor the environment E(IPA_HOST), nor the value are available in the task, then the default value will be used.
  type: str

ipa_pass:
  description:
    - Password of administrative user.
    - If the value is not specified in the task, the value of environment variable E(IPA_PASS) will be used instead.
    - Note that if the C(urllib_gssapi) library is available, it is possible to use GSSAPI to authenticate to FreeIPA.
    - If the environment variable E(KRB5CCNAME) is available, the module will use this Kerberos credentials cache to authenticate to the FreeIPA server.
    - If the environment variable E(KRB5_CLIENT_KTNAME) is available, and E(KRB5CCNAME) is not; the module will use this Kerberos keytab to authenticate.
    - If GSSAPI is not available, the usage of O(ipa_pass) is required.
  type: str

ipa_port:
  default: 443
  description:
    - Port of FreeIPA / IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_PORT) will be used instead.
    - If both the environment variable E(IPA_PORT) and the value are not specified in the task, then default value is set.
  type: int

ipa_prot:
  choices:
    - http
    - https
  default: https
  description:
    - Protocol used by IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_PROT) will be used instead.
    - If both the environment variable E(IPA_PROT) and the value are not specified in the task, then default value is set.
  type: str

ipa_user:
  default: admin
  description:
    - Administrative account used on IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_USER) will be used instead.
    - If both the environment variable E(IPA_USER) and the value are not specified in the task, then default value is set.
  type: str

nonposix:
  description:
    - Create as a non-POSIX group.
  type: bool

gidnumber:
  aliases:
    - gid
  description:
    - GID (use this option to set it manually).
  type: str

description:
  description:
    - Description of the group.
  type: str

ipa_timeout:
  default: 10
  description:
    - Specifies idle timeout (in seconds) for the connection.
    - For bulk operations, you may want to increase this in order to avoid timeout from IPA server.
    - If the value is not specified in the task, the value of environment variable E(IPA_TIMEOUT) will be used instead.
    - If both the environment variable E(IPA_TIMEOUT) and the value are not specified in the task, then default value is set.
  type: int

external_user:
  description:
    - List of external users assigned to this group.
    - Behaves identically to O(user) with respect to O(append) attribute.
    - List entries can be in V(DOMAIN\\\\username) or SID format.
    - Unless SIDs are provided, the module will always attempt to make changes even if the group already has all the users. This is because only SIDs are returned by IPA query.
    - O(external=true) is needed for this option to work.
  elements: str
  type: list
  version_added: 6.3.0
  version_added_collection: community.general

validate_certs:
  default: true
  description:
    - This only applies if O(ipa_prot) is V(https).
    - If set to V(false), the SSL certificates will not be validated.
    - This should only be set to V(false) on personally controlled sites using self-signed certificates.
  type: bool
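The following playbook is an added example, not part of the module documentation. It applies the options described above to a privileged group: it guards the authoritative O(append=false) mode against an empty member list, keeps the password out of the playbook text, and shows the keytab route that needs no O(ipa_pass) at all. The variable names sysops_members and vault_ipa_pass and the keytab path are hypothetical; host, group and user names are constructed.

```yaml
# Added example. Host, group and user names are constructed; vault_ipa_pass
# and the keytab path are hypothetical.
- name: Enforce exact membership of a privileged IPA group
  hosts: localhost
  gather_facts: false
  vars:
    sysops_members:
      - linus
      - larry
  tasks:
    # With append=false an empty list removes every user from the group,
    # so stop before the module runs if the list is missing or empty.
    - name: Refuse an empty authoritative member list
      ansible.builtin.assert:
        that:
          - sysops_members is defined
          - sysops_members | length > 0
        fail_msg: "sysops_members is empty, append=false would remove all users"

    # The password comes from a vaulted variable, not from the playbook text.
    - name: Set sysops members using a vaulted password
      community.general.ipa_group:
        name: sysops
        user: "{{ sysops_members }}"
        append: false
        state: present
        ipa_host: ipa.example.com
        ipa_user: admin
        ipa_pass: "{{ vault_ipa_pass }}"
        ipa_prot: https
        validate_certs: true

    # Alternative without ipa_pass: GSSAPI with a keytab. Needs the
    # urllib_gssapi library where the module runs, and the keytab is only
    # used when KRB5CCNAME is not set.
    - name: Set sysops members using a Kerberos keytab
      community.general.ipa_group:
        name: sysops
        user: "{{ sysops_members }}"
        append: false
        state: present
        ipa_host: ipa.example.com
        ipa_prot: https
        validate_certs: true
      environment:
        KRB5_CLIENT_KTNAME: /etc/ansible/ipa-automation.keytab
```

The two module tasks are alternatives for the same change; a real playbook would keep one of them.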
group:
  description: Group as returned by IPA API
  returned: always
  type: dict