freeipa.ansible_freeipa.ipaservice (1.11.1) — module

Manage FreeIPA service

Authors: Rafael Guterres Jeffman (@rjeffman), Thomas Woerner (@t-woerner)

preview | supported by community

Install collection

Install with ansible-galaxy collection install freeipa.ansible_freeipa:==1.11.1


Add to requirements.yml

  collections:
    - name: freeipa.ansible_freeipa
      version: 1.11.1

Description

Manage FreeIPA service

Usage examples

  # Ensure service is present
  # NOTE(review): the password below is a documentation placeholder. In a
  # real playbook supply ipaadmin_password from Ansible Vault or a lookup,
  # not as a cleartext literal committed to version control.
  - freeipa.ansible_freeipa.ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      # pac_type: supported PAC types for the service (choices are listed
      # under pac_type in the Inputs section).
      pac_type:
        - MS-PAC
        - PAD
      # auth_ind is an allow list of Authentication Indicators; only
      # "otp" is permitted here.
      auth_ind: otp
      # Do not require the host object for www.example.com to exist.
      skip_host_check: true
      # force would accept the principal name even if the host is not in DNS.
      force: false
      # Pre-authentication stays required and both delegation flags stay
      # off; enable delegation only when the service genuinely needs it.
      requires_pre_auth: true
      ok_as_delegate: false
      ok_to_auth_as_delegate: false
  # Ensure service is absent
  # NOTE(review): placeholder password; use Ansible Vault or a lookup for
  # ipaadmin_password in real playbooks.
  - freeipa.ansible_freeipa.ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      # Removes the whole service entry (action defaults to "service").
      state: absent
  # Ensure service member certificate is present.
  # NOTE(review): placeholder password; use Ansible Vault or a lookup for
  # ipaadmin_password in real playbooks.
  - freeipa.ansible_freeipa.ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      # Base-64 encoded certificate without PEM armor. The folded scalar
      # (">") joins the lines below with spaces; presumably the module
      # strips whitespace before decoding — confirm against the module.
      certificate:
        - >
          MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
          DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8x
          DTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVG
          FYpHVkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEr
          aELJzMLJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmj
          fMXp0nIToTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQI
          Nt55YoEd1s4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJ
          EkNF+E4Mkmpcxj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMB
          AAGjUzBRMB0GA1UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV
          0j7JYukuH/r/t9+QeNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUA
          A4IBAQCgVy1+1kNwHs5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJP
          rp2/DAv1m5DtnDhBYqicuPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfw
          Q5pPvKkn6WxYUYkGwIt1OH2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHo
          VOIXHwNoooyEiaio3693l6noobyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+s
          KC2E8xEj9uKQ5GTWRh59VnRBVC/SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA
          5yqV7MVq
      # action: member manages only the listed certificate membership, not
      # the rest of the service entry.
      action: member
      state: present
  # Ensure principal host/test.example.com present in service.
  # NOTE(review): placeholder password; use Ansible Vault or a lookup for
  # ipaadmin_password in real playbooks.
  - freeipa.ansible_freeipa.ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      # Principal aliases (krbprincipalname) to add; state defaults to
      # present, so the alias is ensured rather than removed.
      principal:
        - host/test.example.com
      action: member
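  # Ensure host can manage service.
  # NOTE(review): placeholder password; use Ansible Vault or a lookup for
  # ipaadmin_password in real playbooks.
  - freeipa.ansible_freeipa.ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      # Hosts allowed to manage the service (alias: managedby_host). The
      # sequence is indented to match the other examples on this page.
      host:
        - host1.example.com
        - host2.example.com
      action: member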
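  # Ensure multiple services are present.
  # NOTE(review): placeholder password; use Ansible Vault or a lookup for
  # ipaadmin_password in real playbooks.
  - freeipa.ansible_freeipa.ipaservice:
      ipaadmin_password: SomeADMINpassword
      # One dict per service; the keys mirror the top-level options (see the
      # services suboptions in the Inputs section). Sequences are indented to
      # match the other examples on this page.
      services:
        - name: HTTP/www.example.com
          host:
            - host1.example.com
        - name: HTTP/www.service.com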

Inputs

    
smb:
    description: Add an SMB service.
    required: false
    type: bool

host:
    aliases:
    - managedby_host
    description: Host that can manage the service.
    elements: str
    required: false
    type: list

name:
    aliases:
    - service
    description: The service to manage
    elements: str
    required: true
    type: list

force:
    description: Force principal name even if host is not in DNS.
    required: false
    type: bool

state:
    choices:
    - present
    - absent
    - disabled
    default: present
    description: State to ensure
    type: str

action:
    choices:
    - member
    - service
    default: service
    description: Work on service or member level
    type: str

auth_ind:
    aliases:
    - krbprincipalauthind
    choices:
    - otp
    - radius
    - pkinit
    - hardened
    - idp
    - ''
    description: Defines an allow list for Authentication Indicators.
    elements: str
    required: false
    type: list

pac_type:
    aliases:
    - pac_type
    - ipakrbauthzdata
    choices:
    - MS-PAC
    - PAD
    - NONE
    - ''
    description: Supported PAC type.
    elements: str
    required: false
    type: list

services:
    description: The list of service dicts.
    elements: dict
    suboptions:
      allow_create_keytab_group:
        aliases:
        - ipaallowedtoperform_write_keys_group
        description: Groups allowed to create a keytab of this service.
        elements: str
        required: false
        type: list
      allow_create_keytab_host:
        aliases:
        - ipaallowedtoperform_write_keys_host
        description: Hosts allowed to create a keytab of this service.
        elements: str
        required: false
        type: list
      allow_create_keytab_hostgroup:
        aliases:
        - ipaallowedtoperform_write_keys_hostgroup
        description: Host groups allowed to create a keytab of this service.
        elements: str
        required: false
        type: list
      allow_create_keytab_user:
        aliases:
        - ipaallowedtoperform_write_keys_user
        description: Users allowed to create a keytab of this service.
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_group:
        aliases:
        - ipaallowedtoperform_read_keys_group
        description: Groups allowed to retrieve a keytab of this service.
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_host:
        aliases:
        - ipaallowedtoperform_read_keys_host
        description: Hosts allowed to retrieve a keytab of this service.
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_hostgroup:
        aliases:
        - ipaallowedtoperform_read_keys_hostgroup
        description: Host groups allowed to retrieve a keytab of this service.
        elements: str
        required: false
        type: list
      allow_retrieve_keytab_user:
        aliases:
        - ipaallowedtoperform_read_keys_user
        description: Users allowed to retrieve a keytab of this service.
        elements: str
        required: false
        type: list
      auth_ind:
        aliases:
        - krbprincipalauthind
        choices:
        - otp
        - radius
        - pkinit
        - hardened
        - idp
        - ''
        description: Defines an allow list for Authentication Indicators.
        elements: str
        required: false
        type: list
      certificate:
        aliases:
        - usercertificate
        description: Base-64 encoded service certificate.
        elements: str
        required: false
        type: list
      force:
        description: Force principal name even if host is not in DNS.
        required: false
        type: bool
      host:
        aliases:
        - managedby_host
        description: Host that can manage the service.
        elements: str
        required: false
        type: list
      name:
        aliases:
        - service
        description: The service to manage
        required: true
        type: str
      netbiosname:
        description: NETBIOS name for the SMB service.
        required: false
        type: str
      ok_as_delegate:
        aliases:
        - ipakrbokasdelegate
        description: Client credentials may be delegated to the service.
        required: false
        type: bool
      ok_to_auth_as_delegate:
        aliases:
        - ipakrboktoauthasdelegate
        description: Allow service to authenticate on behalf of a client.
        required: false
        type: bool
      pac_type:
        aliases:
        - pac_type
        - ipakrbauthzdata
        choices:
        - MS-PAC
        - PAD
        - NONE
        - ''
        description: Supported PAC type.
        elements: str
        required: false
        type: list
      principal:
        aliases:
        - krbprincipalname
        description: List of principal aliases for the service.
        elements: str
        required: false
        type: list
      requires_pre_auth:
        aliases:
        - ipakrbrequirespreauth
        description: Pre-authentication is required for the service.
        required: false
        type: bool
      skip_host_check:
        description: Skip checking whether the host object exists.
        required: false
        type: bool
      smb:
        description: Add an SMB service.
        required: false
        type: bool
    type: list

principal:
    aliases:
    - krbprincipalname
    description: List of principal aliases for the service.
    elements: str
    required: false
    type: list

certificate:
    aliases:
    - usercertificate
    description: Base-64 encoded service certificate.
    elements: str
    required: false
    type: list

netbiosname:
    description: NETBIOS name for the SMB service.
    required: false
    type: str

ipaapi_context:
    choices:
    - server
    - client
    description: >-
      The context in which the module will execute. Executing in a
      server context is preferred. If not provided, the context will be
      determined by the execution environment.
    required: false
    type: str

ok_as_delegate:
    aliases:
    - ipakrbokasdelegate
    description: Client credentials may be delegated to the service.
    required: false
    type: bool

delete_continue:
    aliases:
    - continue
    description: Continuous mode. Don't stop on errors. Valid only if `state` is `absent`.
    required: false
    type: bool

skip_host_check:
    description: Skip checking whether the host object exists.
    required: false
    type: bool

ipaadmin_password:
    description: The admin password.
    required: false
    type: str

ipaapi_ldap_cache:
    default: true
    description: Use LDAP cache for IPA connection.
    type: bool

requires_pre_auth:
    aliases:
    - ipakrbrequirespreauth
    description: Pre-authentication is required for the service.
    required: false
    type: bool

ipaadmin_principal:
    default: admin
    description: The admin principal.
    type: str

ok_to_auth_as_delegate:
    aliases:
    - ipakrboktoauthasdelegate
    description: Allow service to authenticate on behalf of a client.
    required: false
    type: bool

allow_create_keytab_host:
    aliases:
    - ipaallowedtoperform_write_keys_host
    description: Hosts allowed to create a keytab of this service.
    elements: str
    required: false
    type: list

allow_create_keytab_user:
    aliases:
    - ipaallowedtoperform_write_keys_user
    description: Users allowed to create a keytab of this service.
    elements: str
    required: false
    type: list

allow_create_keytab_group:
    aliases:
    - ipaallowedtoperform_write_keys_group
    description: Groups allowed to create a keytab of this service.
    elements: str
    required: false
    type: list

allow_retrieve_keytab_host:
    aliases:
    - ipaallowedtoperform_read_keys_host
    description: Hosts allowed to retrieve a keytab of this service.
    elements: str
    required: false
    type: list

allow_retrieve_keytab_user:
    aliases:
    - ipaallowedtoperform_read_keys_user
    description: Users allowed to retrieve a keytab of this service.
    elements: str
    required: false
    type: list

allow_retrieve_keytab_group:
    aliases:
    - ipaallowedtoperform_read_keys_group
    description: Groups allowed to retrieve a keytab of this service.
    elements: str
    required: false
    type: list

allow_create_keytab_hostgroup:
    aliases:
    - ipaallowedtoperform_write_keys_hostgroup
    description: Host groups allowed to create a keytab of this service.
    elements: str
    required: false
    type: list

allow_retrieve_keytab_hostgroup:
    aliases:
    - ipaallowedtoperform_read_keys_hostgroup
    description: Host groups allowed to retrieve a keytab of this service.
    elements: str
    required: false
    type: list