freeipa.ansible_freeipa.ipauser (1.11.1) — module

Manage FreeIPA users

Authors: Thomas Woerner (@t-woerner)

preview | supported by community

Install collection

Install with ansible-galaxy collection install freeipa.ansible_freeipa:==1.11.1


Add to requirements.yml

  # Exact version pin: installs stay on the collection release documented here.
  collections:
    - name: freeipa.ansible_freeipa
      version: "1.11.1"

Description

Manage FreeIPA users

Usage examples

1
  • Hint
    Tasks should always be named using the name parameter.
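# Create user pinky
# The task is named so that play output and logs identify which account
# operation ran.
- name: Create user pinky
  freeipa.ansible_freeipa.ipauser:
    # Placeholder value: load the admin password from Ansible Vault or another
    # secret store instead of committing it in the playbook.
    ipaadmin_password: SomeADMINpassword
    name: pinky
    first: pinky
    last: Acme
    uid: 10001
    gid: 100
    phone: '+555123457'
    email: pinky@acme.com
    passwordexpiration: '2023-01-19 23:59:59'
    # Example initial password: supply it from a vaulted variable, not a
    # literal.
    password: 'no-brain'
    # on_create: the password is set only when the user is created.
    update_password: on_create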
1
  • Hint
    Tasks should always be named using the name parameter.
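# Create user brain
# No password option is given here, so this task only supplies the name
# attributes for the account.
- name: Create user brain
  freeipa.ansible_freeipa.ipauser:
    ipaadmin_password: SomeADMINpassword  # placeholder; load from Ansible Vault
    name: brain
    first: brain
    last: Acme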
1
  • Hint
    Tasks should always be named using the name parameter.
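# Create multiple users pinky and brain
# The users option takes one dict per account; each dict must carry its own
# name.
- name: Create multiple users pinky and brain
  freeipa.ansible_freeipa.ipauser:
    ipaadmin_password: SomeADMINpassword  # placeholder; load from Ansible Vault
    users:
      - name: pinky
        first: pinky
        last: Acme
      - name: brain
        first: brain
        last: Acme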
1
  • Hint
    Tasks should always be named using the name parameter.
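# Delete user pinky but preserve the entry
# preserve keeps the deleted entry available for future use, so it can be
# brought back later with state: undeleted.
- name: Delete user pinky but preserve the entry
  freeipa.ansible_freeipa.ipauser:
    ipaadmin_password: SomeADMINpassword  # placeholder; load from Ansible Vault
    name: pinky
    preserve: true
    state: absent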
1
  • Hint
    Tasks should always be named using the name parameter.
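# Undelete user pinky
# Applies to an entry that was removed with preserve set; review the restored
# account's state before relying on it.
- name: Undelete user pinky
  freeipa.ansible_freeipa.ipauser:
    ipaadmin_password: SomeADMINpassword  # placeholder; load from Ansible Vault
    name: pinky
    state: undeleted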
1
  • Hint
    Tasks should always be named using the name parameter.
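# Disable users pinky and brain
# The task lists both accounts, so both are disabled (the original heading
# mentioned only pinky).
- name: Disable users pinky and brain
  freeipa.ansible_freeipa.ipauser:
    ipaadmin_password: SomeADMINpassword  # placeholder; load from Ansible Vault
    name:
      - pinky
      - brain
    state: disabled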
1
  • Hint
    Tasks should always be named using the name parameter.
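# Enable users pinky and brain
# Re-enabling restores the ability to log in; confirm the accounts are meant
# to be active before running this.
- name: Enable users pinky and brain
  freeipa.ansible_freeipa.ipauser:
    ipaadmin_password: SomeADMINpassword  # placeholder; load from Ansible Vault
    name:
      - pinky
      - brain
    state: enabled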
1
  • Hint
    Tasks should always be named using the name parameter.
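# Remove but preserve user pinky
# Same operation as deleting with name, expressed through the users list.
- name: Remove but preserve user pinky
  freeipa.ansible_freeipa.ipauser:
    ipaadmin_password: SomeADMINpassword  # placeholder; load from Ansible Vault
    users:
      - name: pinky
    preserve: true
    state: absent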
1
  • Hint
    Tasks should always be named using the name parameter.
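# Remove users pinky and brain
# state must be absent to remove the accounts; the original example used
# state: disabled, which leaves both entries in the directory. preserve is not
# set here, so the entries are not kept for later undeletion.
- name: Remove users pinky and brain
  freeipa.ansible_freeipa.ipauser:
    ipaadmin_password: SomeADMINpassword  # placeholder; load from Ansible Vault
    name:
      - pinky
      - brain
    state: absent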
1
  • Hint
    Tasks should always be named using the name parameter.
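# Ensure a user has SMB attributes
# Windows-style paths are single-quoted so the backslashes and the drive
# colon are always read as literal string content.
- name: Ensure a user has SMB attributes
  freeipa.ansible_freeipa.ipauser:
    ipaadmin_password: SomeADMINpassword  # placeholder; load from Ansible Vault
    name: smbuser
    first: SMB
    last: User
    # The logon script path should point to a location that ordinary users
    # cannot modify.
    smb_logon_script: 'N:\logonscripts\startup'
    smb_profile_path: '\\server\profiles\some_profile'
    smb_home_dir: '\\users\home\smbuser'
    smb_home_drive: 'U:'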

Inputs

    
fax:
    aliases:
    - facsimiletelephonenumber
    description: List of fax numbers
    elements: str
    required: false
    type: list

gid:
    aliases:
    - gidnumber
    description: Group ID Number
    required: false
    type: int

idp:
    aliases:
    - ipaidpconfiglink
    description: External IdP configuration
    required: false
    type: str

uid:
    aliases:
    - uidnumber
    description: User ID Number (system will assign one if not provided)
    required: false
    type: int

city:
    description: City
    required: false
    type: str

last:
    aliases:
    - sn
    description: The last name. Required if user does not exist.
    required: false
    type: str

name:
    aliases:
    - login
    description: The list of users (internally uid).
    elements: str
    required: false
    type: list

email:
    description: List of email addresses
    elements: str
    required: false
    type: list

first:
    aliases:
    - givenname
    description: The first name. Required if user does not exist.
    required: false
    type: str

gecos:
    description: The GECOS
    required: false
    type: str

pager:
    description: List of pager numbers
    elements: str
    required: false
    type: list

phone:
    aliases:
    - telephonenumber
    description: List of telephone numbers
    elements: str
    required: false
    type: list

shell:
    aliases:
    - loginshell
    description: The login shell
    required: false
    type: str

state:
    choices:
    - present
    - absent
    - enabled
    - disabled
    - unlocked
    - undeleted
    default: present
    description: State to ensure
    type: str

title:
    description: The job title
    required: false
    type: str

users:
    description: The list of user dicts (internally uid).
    elements: dict
    required: false
    suboptions:
      carlicense:
        description: List of car licenses
        elements: str
        required: false
        type: list
      certificate:
        aliases:
        - usercertificate
        description: List of base-64 encoded user certificates
        elements: str
        required: false
        type: list
      certmapdata:
        description:
        - List of certificate mappings
        - Only usable with IPA versions 4.5 and up.
        elements: dict
        required: false
        suboptions:
          certificate:
            description: Base-64 encoded user certificate
            required: false
            type: str
          data:
            description: Certmap data
            required: false
            type: str
          issuer:
            description: Issuer of the certificate
            required: false
            type: str
          subject:
            description: Subject of the certificate
            required: false
            type: str
        type: list
      city:
        description: City
        required: false
        type: str
      departmentnumber:
        description: Department Number
        elements: str
        required: false
        type: list
      displayname:
        description: The display name
        required: false
        type: str
      email:
        description: List of email addresses
        elements: str
        required: false
        type: list
      employeenumber:
        description: Employee Number
        required: false
        type: str
      employeetype:
        description: Employee Type
        required: false
        type: str
      fax:
        aliases:
        - facsimiletelephonenumber
        description: List of fax numbers
        elements: str
        required: false
        type: list
      first:
        aliases:
        - givenname
        description: The first name. Required if user does not exist.
        required: false
        type: str
      fullname:
        aliases:
        - cn
        description: The full name
        required: false
        type: str
      gecos:
        description: The GECOS
        required: false
        type: str
      gid:
        aliases:
        - gidnumber
        description: Group ID Number
        required: false
        type: int
      homedir:
        description: The home directory
        required: false
        type: str
      idp:
        aliases:
        - ipaidpconfiglink
        description: External IdP configuration
        required: false
        type: str
      idp_user_id:
        aliases:
        - ipaidpsub
        description: A string that identifies the user at external IdP
        required: false
        type: str
      initials:
        description: Initials
        required: false
        type: str
      last:
        aliases:
        - sn
        description: The last name. Required if user does not exist.
        required: false
        type: str
      manager:
        description: List of managers
        elements: str
        required: false
        type: list
      mobile:
        description: List of mobile telephone numbers
        elements: str
        required: false
        type: list
      name:
        aliases:
        - login
        description: The user (internally uid).
        required: true
        type: str
      nomembers:
        description: Suppress processing of membership attributes
        required: false
        type: bool
      noprivate:
        description: Don't create user private group
        required: false
        type: bool
      orgunit:
        aliases:
        - ou
        description: Org. Unit
        required: false
        type: str
      pager:
        description: List of pager numbers
        elements: str
        required: false
        type: list
      password:
        description: The user password
        required: false
        type: str
      passwordexpiration:
        aliases:
        - krbpasswordexpiration
        description: 'The kerberos password expiration date (FreeIPA-4.7+)

          (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,

          YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,

          YYYY-MM-dd HH:mmZ) The trailing ''Z'' can be skipped.

          Only usable with IPA versions 4.7 and up.

          '
        required: false
        type: str
      phone:
        aliases:
        - telephonenumber
        description: List of telephone numbers
        elements: str
        required: false
        type: list
      postalcode:
        aliases:
        - zip
        description: Postalcode/ZIP
        required: false
        type: str
      preferredlanguage:
        description: Preferred Language
        required: false
        type: str
      principal:
        aliases:
        - principalname
        - krbprincipalname
        description: The kerberos principal
        elements: str
        required: false
        type: list
      principalexpiration:
        aliases:
        - krbprincipalexpiration
        description: 'The kerberos principal expiration date

          (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,

          YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,

          YYYY-MM-dd HH:mmZ) The trailing ''Z'' can be skipped.

          '
        required: false
        type: str
      radius:
        aliases:
        - ipatokenradiusconfiglink
        description: RADIUS proxy configuration
        required: false
        type: str
      radiususer:
        aliases:
        - radiususername
        - ipatokenradiususername
        description: RADIUS proxy username
        required: false
        type: str
      random:
        description: Generate a random user password
        required: false
        type: bool
      shell:
        aliases:
        - loginshell
        description: The login shell
        required: false
        type: str
      smb_home_dir:
        aliases:
        - ipanthomedirectory
        description: SMB Home Directory
        required: false
        type: str
      smb_home_drive:
        aliases:
        - ipanthomedirectorydrive
        choices:
        - 'A:'
        - 'B:'
        - 'C:'
        - 'D:'
        - 'E:'
        - 'F:'
        - 'G:'
        - 'H:'
        - 'I:'
        - 'J:'
        - 'K:'
        - 'L:'
        - 'M:'
        - 'N:'
        - 'O:'
        - 'P:'
        - 'Q:'
        - 'R:'
        - 'S:'
        - 'T:'
        - 'U:'
        - 'V:'
        - 'W:'
        - 'X:'
        - 'Y:'
        - 'Z:'
        - ''
        description: SMB Home Directory Drive
        required: false
        type: str
      smb_logon_script:
        aliases:
        - ipantlogonscript
        description: SMB logon script path
        required: false
        type: str
      smb_profile_path:
        aliases:
        - ipantprofilepath
        description: SMB profile path
        required: false
        type: str
      sshpubkey:
        aliases:
        - ipasshpubkey
        description: List of SSH public keys
        elements: str
        required: false
        type: list
      street:
        description: Street address
        required: false
        type: str
      title:
        description: The job title
        required: false
        type: str
      uid:
        aliases:
        - uidnumber
        description: User ID Number (system will assign one if not provided)
        required: false
        type: int
      userauthtype:
        aliases:
        - ipauserauthtype
        choices:
        - password
        - radius
        - otp
        - pkinit
        - hardened
        - idp
        - ''
        description: List of supported user authentication types. Use empty string to reset
          userauthtype to the initial value.
        elements: str
        required: false
        type: list
      userclass:
        aliases:
        - class
        description:
        - User category
        - (semantics placed on this attribute are for local interpretation)
        elements: str
        required: false
        type: list
      userstate:
        aliases:
        - st
        description: State/Province
        required: false
        type: str
    type: list

action:
    choices:
    - member
    - user
    default: user
    description: Work on user or member level
    type: str

mobile:
    description: List of mobile telephone numbers
    elements: str
    required: false
    type: list

radius:
    aliases:
    - ipatokenradiusconfiglink
    description: RADIUS proxy configuration
    required: false
    type: str

# When set, a random password is generated for the user. The Outputs section
# of this page lists that password (randompassword) as a return value, so the
# task result itself carries a credential; consider no_log: true on the task
# and handle any registered result as a secret.
random:
    description: Generate a random user password
    required: false
    type: bool

street:
    description: Street address
    required: false
    type: str

homedir:
    description: The home directory
    required: false
    type: str

manager:
    description: List of managers
    elements: str
    required: false
    type: list

orgunit:
    aliases:
    - ou
    description: Org. Unit
    required: false
    type: str

fullname:
    aliases:
    - cn
    description: The full name
    required: false
    type: str

initials:
    description: Initials
    required: false
    type: str

# The user's password, passed to the module as a plain string. Provide it
# from a vaulted variable rather than a literal in the playbook.
# NOTE(review): no no_log marker is visible in this rendered spec; confirm
# that the module hides the value in task output.
password:
    description: The user password
    required: false
    type: str

preserve:
    description: Delete a user, keeping the entry available for future use
    required: false
    type: bool

nomembers:
    description: Suppress processing of membership attributes
    required: false
    type: bool

noprivate:
    description: Don't create user private group
    required: false
    type: bool

principal:
    aliases:
    - principalname
    - krbprincipalname
    description: The kerberos principal
    elements: str
    required: false
    type: list

sshpubkey:
    aliases:
    - ipasshpubkey
    description: List of SSH public keys
    elements: str
    required: false
    type: list

userclass:
    aliases:
    - class
    description:
    - User category
    - (semantics placed on this attribute are for local interpretation)
    elements: str
    required: false
    type: list

userstate:
    aliases:
    - st
    description: State/Province
    required: false
    type: str

carlicense:
    description: List of car licenses
    elements: str
    required: false
    type: list

postalcode:
    aliases:
    - zip
    description: Postalcode/ZIP
    required: false
    type: str

radiususer:
    aliases:
    - radiususername
    - ipatokenradiususername
    description: RADIUS proxy username
    required: false
    type: str

certificate:
    aliases:
    - usercertificate
    description: List of base-64 encoded user certificates
    elements: str
    required: false
    type: list

certmapdata:
    description:
    - List of certificate mappings
    - Only usable with IPA versions 4.5 and up.
    elements: dict
    required: false
    suboptions:
      certificate:
        description: Base-64 encoded user certificate
        required: false
        type: str
      data:
        description: Certmap data
        required: false
        type: str
      issuer:
        description: Issuer of the certificate
        required: false
        type: str
      subject:
        description: Subject of the certificate
        required: false
        type: str
    type: list

displayname:
    description: The display name
    required: false
    type: str

idp_user_id:
    aliases:
    - ipaidpsub
    description: A string that identifies the user at external IdP
    required: false
    type: str

employeetype:
    description: Employee Type
    required: false
    type: str

smb_home_dir:
    aliases:
    - ipanthomedirectory
    description: SMB Home Directory
    required: false
    type: str

userauthtype:
    aliases:
    - ipauserauthtype
    choices:
    - password
    - radius
    - otp
    - pkinit
    - hardened
    - idp
    - ''
    description: List of supported user authentication types. Use empty string to reset
      userauthtype to the initial value.
    elements: str
    required: false
    type: list

employeenumber:
    description: Employee Number
    required: false
    type: str

ipaapi_context:
    choices:
    - server
    - client
    description: 'The context in which the module will execute. Executing in a

      server context is preferred. If not provided context will be

      determined by the execution environment.

      '
    required: false
    type: str

smb_home_drive:
    aliases:
    - ipanthomedirectorydrive
    choices:
    - 'A:'
    - 'B:'
    - 'C:'
    - 'D:'
    - 'E:'
    - 'F:'
    - 'G:'
    - 'H:'
    - 'I:'
    - 'J:'
    - 'K:'
    - 'L:'
    - 'M:'
    - 'N:'
    - 'O:'
    - 'P:'
    - 'Q:'
    - 'R:'
    - 'S:'
    - 'T:'
    - 'U:'
    - 'V:'
    - 'W:'
    - 'X:'
    - 'Y:'
    - 'Z:'
    - ''
    description: SMB Home Directory Drive
    required: false
    type: str

update_password:
    choices:
    - always
    - on_create
    description: Set password for a user in present state only on creation or always
    required: false
    type: str

departmentnumber:
    description: Department Number
    elements: str
    required: false
    type: list

smb_logon_script:
    aliases:
    - ipantlogonscript
    description: SMB logon script path
    required: false
    type: str

smb_profile_path:
    aliases:
    - ipantprofilepath
    description: SMB profile path
    required: false
    type: str

# Password for the admin principal (see ipaadmin_principal, default: admin).
# Keep it out of plaintext playbooks and inventories; pass it from Ansible
# Vault or another secret store.
# NOTE(review): no no_log marker is visible in this rendered spec; confirm
# that the module hides the value in task output.
ipaadmin_password:
    description: The admin password.
    required: false
    type: str

ipaapi_ldap_cache:
    default: true
    description: Use LDAP cache for IPA connection.
    type: bool

preferredlanguage:
    description: Preferred Language
    required: false
    type: str

ipaadmin_principal:
    default: admin
    description: The admin principal.
    type: str

passwordexpiration:
    aliases:
    - krbpasswordexpiration
    description: 'The kerberos password expiration date (FreeIPA-4.7+)

      (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,

      YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,

      YYYY-MM-dd HH:mmZ) The trailing ''Z'' can be skipped.

      Only usable with IPA versions 4.7 and up.

      '
    required: false
    type: str

principalexpiration:
    aliases:
    - krbprincipalexpiration
    description: 'The kerberos principal expiration date

      (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,

      YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,

      YYYY-MM-dd HH:mmZ) The trailing ''Z'' can be skipped.

      '
    required: false
    type: str

Outputs

# Return value that carries generated random passwords. The password is
# returned as a plain string, so it can appear wherever task results are
# displayed or stored (registered variables, verbose output, callback logs)
# unless the task sets no_log: true.
user:
  contains:
    # Multi-user form: one nested dict per user name handled through the users
    # parameter, each holding that user's randompassword.
    name:
      contains:
        randompassword:
          description: The generated random password
          returned: always
          type: str
      description: The user name of the user that got a new random password
      returned: 'If several users are handled by the module with the users parameter

        '
      type: dict
    # Single-user form: the password sits directly under user.
    randompassword:
      description: The generated random password
      returned: 'If only one user is handled by the module without using users parameter

        '
      type: str
  description: User dict with random password
  # NOTE(review): update_password is documented on this page with the choices
  # always/on_create; "update_password is yes" presumably means always. Confirm.
  returned: If random is yes and user did not exist or update_password is yes
  type: dict