freeipa.ansible_freeipa.ipahost (1.11.1) — module

Manage FreeIPA hosts

Authors: Thomas Woerner (@t-woerner)

preview | supported by community

Install collection

Install with ansible-galaxy collection install freeipa.ansible_freeipa:==1.11.1


Add to requirements.yml

  collections:
    - name: freeipa.ansible_freeipa
      version: 1.11.1

Description

Manage FreeIPA hosts

Usage examples

4
  • Hint
    Parameter 'ns_host_location' is an alias for parameter 'location' in module 'freeipa.ansible_freeipa.ipahost'.
  • Hint
    Parameter 'ns_os_version' is an alias for parameter 'os' in module 'freeipa.ansible_freeipa.ipahost'.
  • Hint
    Parameter 'ns_hardware_platform' is an alias for parameter 'platform' in module 'freeipa.ansible_freeipa.ipahost'.
  • Hint
    Tasks should always be named using the name parameter.
# Ensure host is present
- freeipa.ansible_freeipa.ipahost:
    ipaadmin_password: SomeADMINpassword
    name: host01.example.com
    description: Example host
    ip_address: 192.168.0.123
    locality: Lab
    ns_host_location: Lab
    ns_os_version: CentOS 7
    ns_hardware_platform: Lenovo T61
    mac_address:
    - "08:00:27:E3:B1:2D"
    - "52:54:00:BD:97:1E"
    state: present
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure host is present without DNS
- freeipa.ansible_freeipa.ipahost:
    ipaadmin_password: SomeADMINpassword
    name: host02.example.com
    description: Example host
    force: yes
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure multiple hosts are present with random passwords
- freeipa.ansible_freeipa.ipahost:
    ipaadmin_password: SomeADMINpassword
    hosts:
    - name: host01.example.com
      random: yes
    - name: host02.example.com
      random: yes
1
  • Hint
    Tasks should always be named using the name parameter.
# Initiate generation of a random password for the host
- freeipa.ansible_freeipa.ipahost:
    ipaadmin_password: SomeADMINpassword
    name: host01.example.com
    description: Example host
    ip_address: 192.168.0.123
    random: yes
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure multiple hosts are present with principals
- freeipa.ansible_freeipa.ipahost:
    ipaadmin_password: SomeADMINpassword
    hosts:
    - name: host01.example.com
      principal:
      - host/testhost01.example.com
    - name: host02.example.com
      principal:
      - host/myhost01.example.com
    action: member
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure host is disabled
- freeipa.ansible_freeipa.ipahost:
    ipaadmin_password: SomeADMINpassword
    name: host01.example.com
    update_dns: yes
    state: disabled
1
  • Hint
    Tasks should always be named using the name parameter.
# Ensure host is absent
- freeipa.ansible_freeipa.ipahost:
    ipaadmin_password: SomeADMINpassword
    name: host01.example.com
    state: absent

Inputs

    
os:
    aliases:
    - ns_os_version
    description: Host operating system and version (e.g. "Fedora 9")
    required: false
    type: str

name:
    aliases:
    - fqdn
    description: The full qualified domain name.
    elements: str
    required: false
    type: list

force:
    description: Force host name even if not in DNS
    required: false
    type: bool

hosts:
    description: The list of host dicts
    elements: dict
    required: false
    suboptions:
      allow_create_keytab_group:
        aliases:
        - ipaallowedtoperform_write_keys_group
        description: Groups allowed to create a keytab of this host
        elements: str
        required: false
        type: list
      allow_create_keytab_host:
        aliases:
        - ipaallowedtoperform_write_keys_host
        description: Hosts allowed to create a keytab of this host
        elements: str
        required: false
        type: list
      allow_create_keytab_hostgroup:
        aliases:
        - ipaallowedtoperform_write_keys_hostgroup
        description: Hostgroups allowed to create a keytab of this host
        elements: str
        required: false
        type: list
      allow_create_keytab_user:
        aliases:
        - ipaallowedtoperform_write_keys_user
        description: Users allowed to create a keytab of this host
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_group:
        aliases:
        - ipaallowedtoperform_read_keys_group
        description: Groups allowed to retrieve a keytab of this host
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_host:
        aliases:
        - ipaallowedtoperform_read_keys_host
        description: Hosts allowed to retrieve a keytab of this host
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_hostgroup:
        aliases:
        - ipaallowedtoperform_read_keys_hostgroup
        description: Hostgroups allowed to retrieve a keytab of this host
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_user:
        aliases:
        - ipaallowedtoperform_read_keys_user
        description: Users allowed to retrieve a keytab of this host
        elements: str
        required: false
        type: list
      auth_ind:
        aliases:
        - krbprincipalauthind
        choices:
        - radius
        - otp
        - pkinit
        - hardened
        - idp
        - ''
        description: Defines an allow list for Authentication Indicators. Use 'otp' to
          allow OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA
          authentications. Other values may be used for custom configurations. Use empty
          string to reset auth_ind to the initial value.
        elements: str
        required: false
        type: list
      certificate:
        aliases:
        - usercertificate
        description: List of base-64 encoded host certificates
        elements: str
        required: false
        type: list
      description:
        description: The host description
        required: false
        type: str
      force:
        description: Force host name even if not in DNS
        required: false
        type: bool
      ip_address:
        aliases:
        - ipaddress
        description: The host IP address list (IPv4 and IPv6). No IP address conflict
          check will be done.
        elements: str
        required: false
        type: list
      locality:
        description: Host locality (e.g. "Baltimore, MD")
        required: false
        type: str
      location:
        aliases:
        - ns_host_location
        description: Host physical location hist (e.g. "Lab 2")
        required: false
        type: str
      mac_address:
        aliases:
        - macaddress
        description: List of hardware MAC addresses.
        elements: str
        required: false
        type: list
      managedby_host:
        description: List of hosts that can manage this host
        elements: str
        required: false
        type: list
      name:
        aliases:
        - fqdn
        description: The host (internally uid).
        required: true
        type: str
      ok_as_delegate:
        aliases:
        - ipakrbokasdelegate
        description: Client credentials may be delegated to the service
        required: false
        type: bool
      ok_to_auth_as_delegate:
        aliases:
        - ipakrboktoauthasdelegate
        description: The service is allowed to authenticate on behalf of a client
        required: false
        type: bool
      os:
        aliases:
        - ns_os_version
        description: Host operating system and version (e.g. "Fedora 9")
        required: false
        type: str
      password:
        aliases:
        - user_password
        - userpassword
        description: Password used in bulk enrollment
        required: false
        type: str
      platform:
        aliases:
        - ns_hardware_platform
        description: Host hardware platform (e.g. "Lenovo T61")
        required: false
        type: str
      principal:
        aliases:
        - principalname
        - krbprincipalname
        description: List of principal aliases for this host
        elements: str
        required: false
        type: list
      random:
        aliases:
        - random_password
        description: Initiate the generation of a random password to be used in bulk enrollment
        required: false
        type: bool
      requires_pre_auth:
        aliases:
        - ipakrbrequirespreauth
        description: Pre-authentication is required for the service
        required: false
        type: bool
      reverse:
        description: Reverse DNS detection
        required: false
        type: bool
      sshpubkey:
        aliases:
        - ipasshpubkey
        description: List of SSH public keys
        elements: str
        required: false
        type: list
      update_dns:
        aliases:
        - updatedns
        description: Controls the update of the DNS SSHFP records for existing hosts and
          the removal of all DNS entries if a host gets removed with state absent.
        required: false
        type: bool
      userclass:
        aliases:
        - class
        description: Host category (semantics placed on this attribute are for local interpretation)
        elements: str
        required: false
        type: list
    type: list

state:
    choices:
    - present
    - absent
    - disabled
    default: present
    description: State to ensure
    type: str

action:
    choices:
    - member
    - host
    default: host
    description: Work on host or member level
    type: str

random:
    aliases:
    - random_password
    description: Initiate the generation of a random password to be used in bulk enrollment
    required: false
    type: bool

reverse:
    description: Reverse DNS detection
    required: false
    type: bool

auth_ind:
    aliases:
    - krbprincipalauthind
    choices:
    - radius
    - otp
    - pkinit
    - hardened
    - idp
    - ''
    description: Defines an allow list for Authentication Indicators. Use 'otp' to allow
      OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications.
      Other values may be used for custom configurations. Use empty string to reset auth_ind
      to the initial value.
    elements: str
    required: false
    type: list

locality:
    description: Host locality (e.g. "Baltimore, MD")
    required: false
    type: str

location:
    aliases:
    - ns_host_location
    description: Host location (e.g. "Lab 2")
    required: false
    type: str

password:
    aliases:
    - user_password
    - userpassword
    description: Password used in bulk enrollment
    required: false
    type: str

platform:
    aliases:
    - ns_hardware_platform
    description: Host hardware platform (e.g. "Lenovo T61")
    required: false
    type: str

principal:
    aliases:
    - principalname
    - krbprincipalname
    description: List of principal aliases for this host
    elements: str
    required: false
    type: list

sshpubkey:
    aliases:
    - ipasshpubkey
    description: List of SSH public keys
    elements: str
    required: false
    type: list

userclass:
    aliases:
    - class
    description: Host category (semantics placed on this attribute are for local interpretation)
    elements: str
    required: false
    type: list

ip_address:
    aliases:
    - ipaddress
    description: The host IP address list (IPv4 and IPv6). No IP address conflict check
      will be done.
    elements: str
    required: false
    type: list

update_dns:
    aliases:
    - updatedns
    description: Controls the update of the DNS SSHFP records for existing hosts and the
      removal of all DNS entries if a host gets removed with state absent.
    required: false
    type: bool

certificate:
    aliases:
    - usercertificate
    description: List of base-64 encoded host certificates
    elements: str
    required: false
    type: list

description:
    description: The host description
    required: false
    type: str

mac_address:
    aliases:
    - macaddress
    description: List of hardware MAC addresses.
    elements: str
    required: false
    type: list

ipaapi_context:
    choices:
    - server
    - client
    description: 'The context in which the module will execute. Executing in a

      server context is preferred. If not provided context will be

      determined by the execution environment.

      '
    required: false
    type: str

managedby_host:
    description: List of hosts that can manage this host
    elements: str
    required: false
    type: list

ok_as_delegate:
    aliases:
    - ipakrbokasdelegate
    description: Client credentials may be delegated to the service
    required: false
    type: bool

update_password:
    choices:
    - always
    - on_create
    description: Set password for a host in present state only on creation or always
    type: str

ipaadmin_password:
    description: The admin password.
    required: false
    type: str

ipaapi_ldap_cache:
    default: true
    description: Use LDAP cache for IPA connection.
    type: bool

requires_pre_auth:
    aliases:
    - ipakrbrequirespreauth
    description: Pre-authentication is required for the service
    required: false
    type: bool

ipaadmin_principal:
    default: admin
    description: The admin principal.
    type: str

ok_to_auth_as_delegate:
    aliases:
    - ipakrboktoauthasdelegate
    description: The service is allowed to authenticate on behalf of a client
    required: false
    type: bool

allow_create_keytab_host:
    aliases:
    - ipaallowedtoperform_write_keys_host
    description: Hosts allowed to create a keytab of this host
    elements: str
    required: false
    type: list

allow_create_keytab_user:
    aliases:
    - ipaallowedtoperform_write_keys_user
    description: Users allowed to create a keytab of this host
    elements: str
    required: false
    type: list

allow_create_keytab_group:
    aliases:
    - ipaallowedtoperform_write_keys_group
    description: Groups allowed to create a keytab of this host
    elements: str
    required: false
    type: list

allow_retrieve_keytab_host:
    aliases:
    - ipaallowedtoperform_read_keys_host
    description: Hosts allowed to retrieve a keytab of this host
    elements: str
    required: false
    type: list

allow_retrieve_keytab_user:
    aliases:
    - ipaallowedtoperform_read_keys_user
    description: Users allowed to retrieve a keytab of this host
    elements: str
    required: false
    type: list

allow_retrieve_keytab_group:
    aliases:
    - ipaallowedtoperform_read_keys_group
    description: Groups allowed to retrieve a keytab of this host
    elements: str
    required: false
    type: list

allow_create_keytab_hostgroup:
    aliases:
    - ipaallowedtoperform_write_keys_hostgroup
    description: Hostgroups allowed to create a keytab of this host
    elements: str
    required: false
    type: list

allow_retrieve_keytab_hostgroup:
    aliases:
    - ipaallowedtoperform_read_keys_hostgroup
    description: Hostgroups allowed to retrieve a keytab of this host
    elements: str
    required: false
    type: list

Outputs

host:
  contains:
    name:
      contains:
        randompassword:
          description: The generated random password
          returned: always
          type: str
      description: The host name of the host that got a new random password
      returned: 'If several hosts are handled by the module with the hosts parameter

        '
      type: dict
    randompassword:
      description: The generated random password
      returned: 'If only one host is handled by the module without using hosts parameter

        '
      type: str
  description: Host dict with random password
  returned: If random is yes and host did not exist or update_password is yes
  type: dict