community / community.general / 8.5.0 / module / ipa_pwpolicy Manage FreeIPA password policies | "added in version" 2.0.0 of community.general" Authors: Adralioh (@adralioh)community.general.ipa_pwpolicy (8.5.0) — module
Install with ansible-galaxy collection install community.general:==8.5.0
collections: - name: community.general version: 8.5.0
Add, modify, or delete a password policy using the IPA API.
- name: Modify the global password policy community.general.ipa_pwpolicy: maxpwdlife: '90' minpwdlife: '1' historylength: '8' minclasses: '3' minlength: '16' maxfailcount: '6' failinterval: '60' lockouttime: '600' ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret
- name: Ensure the password policy for the group admins is present community.general.ipa_pwpolicy: group: admins state: present maxpwdlife: '60' minpwdlife: '24' historylength: '16' minclasses: '4' priority: '10' minlength: '6' maxfailcount: '4' failinterval: '600' lockouttime: '1200' gracelimit: 3 maxrepeat: 3 maxsequence: 3 dictcheck: true usercheck: true ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret
- name: Ensure that the group sysops does not have a unique password policy community.general.ipa_pwpolicy: group: sysops state: absent ipa_host: ipa.example.com ipa_user: admin ipa_pass: topsecret
group: aliases: - name description: - Name of the group that the policy applies to. - If omitted, the global policy is used. type: str state: choices: - absent - present default: present description: State to ensure. type: str ipa_host: default: ipa.example.com description: - IP or hostname of IPA server. - If the value is not specified in the task, the value of environment variable E(IPA_HOST) will be used instead. - If both the environment variable E(IPA_HOST) and the value are not specified in the task, then DNS will be used to try to discover the FreeIPA server. - The relevant entry needed in FreeIPA is the C(ipa-ca) entry. - If neither the DNS entry, nor the environment E(IPA_HOST), nor the value are available in the task, then the default value will be used. type: str ipa_pass: description: - Password of administrative user. - If the value is not specified in the task, the value of environment variable E(IPA_PASS) will be used instead. - Note that if the C(urllib_gssapi) library is available, it is possible to use GSSAPI to authenticate to FreeIPA. - If the environment variable E(KRB5CCNAME) is available, the module will use this kerberos credentials cache to authenticate to the FreeIPA server. - If the environment variable E(KRB5_CLIENT_KTNAME) is available, and E(KRB5CCNAME) is not; the module will use this kerberos keytab to authenticate. - If GSSAPI is not available, the usage of O(ipa_pass) is required. type: str ipa_port: default: 443 description: - Port of FreeIPA / IPA server. - If the value is not specified in the task, the value of environment variable E(IPA_PORT) will be used instead. - If both the environment variable E(IPA_PORT) and the value are not specified in the task, then default value is set. type: int ipa_prot: choices: - http - https default: https description: - Protocol used by IPA server. - If the value is not specified in the task, the value of environment variable E(IPA_PROT) will be used instead. - If both the environment variable E(IPA_PROT) and the value are not specified in the task, then default value is set. type: str ipa_user: default: admin description: - Administrative account used on IPA server. - If the value is not specified in the task, the value of environment variable E(IPA_USER) will be used instead. - If both the environment variable E(IPA_USER) and the value are not specified in the task, then default value is set. type: str priority: description: - Priority of the policy. - High number means lower priority. - Required when C(cn) is not the global policy. type: str dictcheck: description: Check whether the password (with possible modifications) matches a word in a dictionary (using cracklib). type: bool version_added: 8.2.0 version_added_collection: community.general maxrepeat: description: Maximum number of allowed same consecutive characters in the new password. type: int version_added: 8.2.0 version_added_collection: community.general minlength: description: Minimum password length. type: str usercheck: description: Check whether the password (with possible modifications) contains the user name in some form (if the name has > 3 characters). type: bool version_added: 8.2.0 version_added_collection: community.general gracelimit: description: Maximum number of LDAP logins after password expiration. type: int version_added: 8.2.0 version_added_collection: community.general maxpwdlife: description: Maximum password lifetime (in days). type: str minclasses: description: Minimum number of character classes. type: str minpwdlife: description: Minimum password lifetime (in hours). type: str ipa_timeout: default: 10 description: - Specifies idle timeout (in seconds) for the connection. - For bulk operations, you may want to increase this in order to avoid timeout from IPA server. - If the value is not specified in the task, the value of environment variable E(IPA_TIMEOUT) will be used instead. - If both the environment variable E(IPA_TIMEOUT) and the value are not specified in the task, then default value is set. type: int lockouttime: description: Period (in seconds) for which users are locked out. type: str maxsequence: description: Maximum length of monotonic character sequences in the new password. An example of a monotonic sequence of length 5 is V(12345). type: int version_added: 8.2.0 version_added_collection: community.general failinterval: description: Period (in seconds) after which the number of failed login attempts is reset. type: str maxfailcount: description: Maximum number of consecutive failures before lockout. type: str historylength: description: - Number of previous passwords that are remembered. - Users cannot reuse remembered passwords. type: str validate_certs: default: true description: - This only applies if O(ipa_prot) is V(https). - If set to V(false), the SSL certificates will not be validated. - This should only set to V(false) used on personally controlled sites using self-signed certificates. type: bool
pwpolicy: description: Password policy as returned by IPA API. returned: always sample: cn: - admins cospriority: - '10' dn: cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbmaxpwdlife: - '60' krbminpwdlife: - '24' krbpwdfailurecountinterval: - '600' krbpwdhistorylength: - '16' krbpwdlockoutduration: - '1200' krbpwdmaxfailure: - '4' krbpwdmindiffchars: - '4' objectclass: - top - nscontainer - krbpwdpolicy type: dict