freeipa.ansible_freeipa.ipahost (1.11.1) — module

Manage FreeIPA hosts

Authors: Thomas Woerner (@t-woerner)

preview | supported by community

Install collection

Install with ansible-galaxy collection install freeipa.ansible_freeipa:==1.11.1


Add to requirements.yml

  # Pinning an exact collection version keeps installs reproducible; raise the
  # pin deliberately after reviewing the collection's changes.
  collections:
    - name: freeipa.ansible_freeipa
      version: 1.11.1

Description

Manage FreeIPA hosts

Usage examples

# Ensure host is present
# Creates or updates the host entry with descriptive attributes, one IP address
# and two MAC addresses.
- freeipa.ansible_freeipa.ipahost:
    # Placeholder value. In a real playbook, supply the admin password from
    # Ansible Vault or another secret store rather than committing it in plaintext.
    ipaadmin_password: SomeADMINpassword
    name: host01.example.com
    description: Example host
    # The module documents that no IP address conflict check is done, so make
    # sure the address is not already assigned to another host.
    ip_address: 192.168.0.123
    locality: Lab
    # ns_host_location, ns_os_version and ns_hardware_platform are the documented
    # aliases of location, os and platform.
    ns_host_location: Lab
    ns_os_version: CentOS 7
    ns_hardware_platform: Lenovo T61
    mac_address:
    # Quoted so the colon-separated values are always read as strings.
    - "08:00:27:E3:B1:2D"
    - "52:54:00:BD:97:1E"
    state: present
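# Ensure host is present without DNS
# force is documented as "Force host name even if not in DNS": the host name is
# accepted even when it has no DNS record, so a mistyped FQDN will not be
# caught by a DNS check. Verify the name before applying.
- freeipa.ansible_freeipa.ipahost:
    # Placeholder value. Supply the admin password from Ansible Vault or another
    # secret store rather than committing it in plaintext.
    ipaadmin_password: SomeADMINpassword
    name: host02.example.com
    description: Example host
    # Canonical YAML boolean instead of the YAML 1.1 truthy word "yes".
    force: true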
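# Ensure multiple hosts are present with random passwords
# When the hosts parameter is used, each generated password is returned in the
# task result as host.<name>.randompassword. The result is therefore sensitive:
# set no_log: true on any task that registers or prints it, so the passwords
# stay out of play output and logs.
- freeipa.ansible_freeipa.ipahost:
    # Placeholder value. Supply the admin password from Ansible Vault or another
    # secret store rather than committing it in plaintext.
    ipaadmin_password: SomeADMINpassword
    hosts:
    - name: host01.example.com
      # Canonical YAML boolean instead of the YAML 1.1 truthy word "yes".
      random: true
    - name: host02.example.com
      random: true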
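# Initiate generation of a random password for the host
# For a single host (no hosts parameter), the generated password is returned in
# the task result as host.randompassword. Treat the result as a secret: set
# no_log: true on any task that registers or prints it.
- freeipa.ansible_freeipa.ipahost:
    # Placeholder value. Supply the admin password from Ansible Vault or another
    # secret store rather than committing it in plaintext.
    ipaadmin_password: SomeADMINpassword
    name: host01.example.com
    description: Example host
    # The module documents that no IP address conflict check is done.
    ip_address: 192.168.0.123
    # Canonical YAML boolean instead of the YAML 1.1 truthy word "yes".
    random: true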
# Ensure multiple hosts are present with principals
# action: member works at member level, so the listed principal aliases are
# handled as members of the hosts rather than as host attributes.
- freeipa.ansible_freeipa.ipahost:
    # Placeholder value. Supply the admin password from Ansible Vault or another
    # secret store rather than committing it in plaintext.
    ipaadmin_password: SomeADMINpassword
    hosts:
    - name: host01.example.com
      # principal (alias krbprincipalname) is a list of principal aliases for the
      # host. Each alias is another name the host is known by, so review that
      # every alias is one this host should answer for.
      principal:
      - host/testhost01.example.com
    - name: host02.example.com
      principal:
      - host/myhost01.example.com
    action: member
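# Ensure host is disabled
# state: disabled is one of the three documented states (present, absent,
# disabled); the host entry itself is kept.
- freeipa.ansible_freeipa.ipahost:
    # Placeholder value. Supply the admin password from Ansible Vault or another
    # secret store rather than committing it in plaintext.
    ipaadmin_password: SomeADMINpassword
    name: host01.example.com
    # update_dns is documented as controlling the update of DNS SSHFP records for
    # existing hosts (and the removal of all DNS entries when a host is removed
    # with state absent). Canonical YAML boolean instead of "yes".
    update_dns: true
    state: disabled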
# Ensure host is absent
# Removes the host entry. Per the update_dns description, the host's DNS entries
# are removed together with it only when update_dns is set; it is not set here,
# so check for DNS records left behind for the removed host.
- freeipa.ansible_freeipa.ipahost:
    # Placeholder value. Supply the admin password from Ansible Vault or another
    # secret store rather than committing it in plaintext.
    ipaadmin_password: SomeADMINpassword
    name: host01.example.com
    state: absent

Inputs

    
os:
    aliases:
    - ns_os_version
    description: Host operating system and version (e.g. "Fedora 9")
    required: false
    type: str

name:
    aliases:
    - fqdn
    description: The fully qualified domain name.
    elements: str
    required: false
    type: list

force:
    description: Force host name even if not in DNS
    required: false
    type: bool

hosts:
    description: The list of host dicts
    elements: dict
    required: false
    suboptions:
      allow_create_keytab_group:
        aliases:
        - ipaallowedtoperform_write_keys_group
        description: Groups allowed to create a keytab of this host
        elements: str
        required: false
        type: list
      allow_create_keytab_host:
        aliases:
        - ipaallowedtoperform_write_keys_host
        description: Hosts allowed to create a keytab of this host
        elements: str
        required: false
        type: list
      allow_create_keytab_hostgroup:
        aliases:
        - ipaallowedtoperform_write_keys_hostgroup
        description: Hostgroups allowed to create a keytab of this host
        elements: str
        required: false
        type: list
      allow_create_keytab_user:
        aliases:
        - ipaallowedtoperform_write_keys_user
        description: Users allowed to create a keytab of this host
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_group:
        aliases:
        - ipaallowedtoperform_read_keys_group
        description: Groups allowed to retrieve a keytab of this host
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_host:
        aliases:
        - ipaallowedtoperform_read_keys_host
        description: Hosts allowed to retrieve a keytab of this host
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_hostgroup:
        aliases:
        - ipaallowedtoperform_read_keys_hostgroup
        description: Hostgroups allowed to retrieve a keytab of this host
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_user:
        aliases:
        - ipaallowedtoperform_read_keys_user
        description: Users allowed to retrieve a keytab of this host
        elements: str
        required: false
        type: list
      auth_ind:
        aliases:
        - krbprincipalauthind
        choices:
        - radius
        - otp
        - pkinit
        - hardened
        - idp
        - ''
        description: Defines an allow list for Authentication Indicators. Use 'otp' to
          allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA
          authentications. Other values may be used for custom configurations. Use empty
          string to reset auth_ind to the initial value.
        elements: str
        required: false
        type: list
      certificate:
        aliases:
        - usercertificate
        description: List of base-64 encoded host certificates
        elements: str
        required: false
        type: list
      description:
        description: The host description
        required: false
        type: str
      force:
        description: Force host name even if not in DNS
        required: false
        type: bool
      ip_address:
        aliases:
        - ipaddress
        description: The host IP address list (IPv4 and IPv6). No IP address conflict
          check will be done.
        elements: str
        required: false
        type: list
      locality:
        description: Host locality (e.g. "Baltimore, MD")
        required: false
        type: str
      location:
        aliases:
        - ns_host_location
        description: Host physical location hint (e.g. "Lab 2")
        required: false
        type: str
      mac_address:
        aliases:
        - macaddress
        description: List of hardware MAC addresses.
        elements: str
        required: false
        type: list
      managedby_host:
        description: List of hosts that can manage this host
        elements: str
        required: false
        type: list
      name:
        aliases:
        - fqdn
        description: The host (internally uid).
        required: true
        type: str
      ok_as_delegate:
        aliases:
        - ipakrbokasdelegate
        description: Client credentials may be delegated to the service
        required: false
        type: bool
      ok_to_auth_as_delegate:
        aliases:
        - ipakrboktoauthasdelegate
        description: The service is allowed to authenticate on behalf of a client
        required: false
        type: bool
      os:
        aliases:
        - ns_os_version
        description: Host operating system and version (e.g. "Fedora 9")
        required: false
        type: str
      password:
        aliases:
        - user_password
        - userpassword
        description: Password used in bulk enrollment
        required: false
        type: str
      platform:
        aliases:
        - ns_hardware_platform
        description: Host hardware platform (e.g. "Lenovo T61")
        required: false
        type: str
      principal:
        aliases:
        - principalname
        - krbprincipalname
        description: List of principal aliases for this host
        elements: str
        required: false
        type: list
      random:
        aliases:
        - random_password
        description: Initiate the generation of a random password to be used in bulk enrollment
        required: false
        type: bool
      requires_pre_auth:
        aliases:
        - ipakrbrequirespreauth
        description: Pre-authentication is required for the service
        required: false
        type: bool
      reverse:
        description: Reverse DNS detection
        required: false
        type: bool
      sshpubkey:
        aliases:
        - ipasshpubkey
        description: List of SSH public keys
        elements: str
        required: false
        type: list
      update_dns:
        aliases:
        - updatedns
        description: Controls the update of the DNS SSHFP records for existing hosts and
          the removal of all DNS entries if a host gets removed with state absent.
        required: false
        type: bool
      userclass:
        aliases:
        - class
        description: Host category (semantics placed on this attribute are for local interpretation)
        elements: str
        required: false
        type: list
    type: list

state:
    choices:
    - present
    - absent
    - disabled
    default: present
    description: State to ensure
    type: str

action:
    choices:
    - member
    - host
    default: host
    description: Work on host or member level
    type: str

random:
    aliases:
    - random_password
    description: Initiate the generation of a random password to be used in bulk enrollment
    required: false
    type: bool

reverse:
    description: Reverse DNS detection
    required: false
    type: bool

auth_ind:
    aliases:
    - krbprincipalauthind
    choices:
    - radius
    - otp
    - pkinit
    - hardened
    - idp
    - ''
    description: Defines an allow list for Authentication Indicators. Use 'otp' to allow
      OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications.
      Other values may be used for custom configurations. Use empty string to reset auth_ind
      to the initial value.
    elements: str
    required: false
    type: list

locality:
    description: Host locality (e.g. "Baltimore, MD")
    required: false
    type: str

location:
    aliases:
    - ns_host_location
    description: Host location (e.g. "Lab 2")
    required: false
    type: str

password:
    aliases:
    - user_password
    - userpassword
    description: Password used in bulk enrollment
    required: false
    type: str

platform:
    aliases:
    - ns_hardware_platform
    description: Host hardware platform (e.g. "Lenovo T61")
    required: false
    type: str

principal:
    aliases:
    - principalname
    - krbprincipalname
    description: List of principal aliases for this host
    elements: str
    required: false
    type: list

sshpubkey:
    aliases:
    - ipasshpubkey
    description: List of SSH public keys
    elements: str
    required: false
    type: list

userclass:
    aliases:
    - class
    description: Host category (semantics placed on this attribute are for local interpretation)
    elements: str
    required: false
    type: list

ip_address:
    aliases:
    - ipaddress
    description: The host IP address list (IPv4 and IPv6). No IP address conflict check
      will be done.
    elements: str
    required: false
    type: list

update_dns:
    aliases:
    - updatedns
    description: Controls the update of the DNS SSHFP records for existing hosts and the
      removal of all DNS entries if a host gets removed with state absent.
    required: false
    type: bool

certificate:
    aliases:
    - usercertificate
    description: List of base-64 encoded host certificates
    elements: str
    required: false
    type: list

description:
    description: The host description
    required: false
    type: str

mac_address:
    aliases:
    - macaddress
    description: List of hardware MAC addresses.
    elements: str
    required: false
    type: list

ipaapi_context:
    choices:
    - server
    - client
    description: The context in which the module will execute. Executing in a
      server context is preferred. If not provided, the context will be
      determined by the execution environment.
    required: false
    type: str

managedby_host:
    description: List of hosts that can manage this host
    elements: str
    required: false
    type: list

ok_as_delegate:
    aliases:
    - ipakrbokasdelegate
    description: Client credentials may be delegated to the service
    required: false
    type: bool

update_password:
    choices:
    - always
    - on_create
    description: Set password for a host in present state only on creation or always
    type: str

ipaadmin_password:
    description: The admin password.
    required: false
    type: str

ipaapi_ldap_cache:
    default: true
    description: Use LDAP cache for IPA connection.
    type: bool

requires_pre_auth:
    aliases:
    - ipakrbrequirespreauth
    description: Pre-authentication is required for the service
    required: false
    type: bool

ipaadmin_principal:
    default: admin
    description: The admin principal.
    type: str

ok_to_auth_as_delegate:
    aliases:
    - ipakrboktoauthasdelegate
    description: The service is allowed to authenticate on behalf of a client
    required: false
    type: bool

allow_create_keytab_host:
    aliases:
    - ipaallowedtoperform_write_keys_host
    description: Hosts allowed to create a keytab of this host
    elements: str
    required: false
    type: list

allow_create_keytab_user:
    aliases:
    - ipaallowedtoperform_write_keys_user
    description: Users allowed to create a keytab of this host
    elements: str
    required: false
    type: list

allow_create_keytab_group:
    aliases:
    - ipaallowedtoperform_write_keys_group
    description: Groups allowed to create a keytab of this host
    elements: str
    required: false
    type: list

allow_retrieve_keytab_host:
    aliases:
    - ipaallowedtoperform_read_keys_host
    description: Hosts allowed to retrieve a keytab of this host
    elements: str
    required: false
    type: list

allow_retrieve_keytab_user:
    aliases:
    - ipaallowedtoperform_read_keys_user
    description: Users allowed to retrieve a keytab of this host
    elements: str
    required: false
    type: list

allow_retrieve_keytab_group:
    aliases:
    - ipaallowedtoperform_read_keys_group
    description: Groups allowed to retrieve a keytab of this host
    elements: str
    required: false
    type: list

allow_create_keytab_hostgroup:
    aliases:
    - ipaallowedtoperform_write_keys_hostgroup
    description: Hostgroups allowed to create a keytab of this host
    elements: str
    required: false
    type: list

allow_retrieve_keytab_hostgroup:
    aliases:
    - ipaallowedtoperform_read_keys_hostgroup
    description: Hostgroups allowed to retrieve a keytab of this host
    elements: str
    required: false
    type: list

Outputs

host:
  contains:
    name:
      contains:
        randompassword:
          description: The generated random password
          returned: always
          type: str
      description: The host name of the host that got a new random password
      returned: If several hosts are handled by the module with the hosts parameter
      type: dict
    randompassword:
      description: The generated random password
      returned: If only one host is handled by the module without using the hosts parameter
      type: str
  description: Host dict with random password
  returned: If random is yes and host did not exist or update_password is yes
  type: dict