Try SpotterManage FreeIPA users
Authors: Thomas Woerner (@t-woerner)
preview | supported by community
Install with ansible-galaxy collection install freeipa.ansible_freeipa:==1.11.1
collections:
- name: freeipa.ansible_freeipa
version: 1.11.1Manage FreeIPA users
# Create user pinky
- freeipa.ansible_freeipa.ipauser:
ipaadmin_password: SomeADMINpassword
name: pinky
first: pinky
last: Acme
uid: 10001
gid: 100
phone: "+555123457"
email: pinky@acme.com
passwordexpiration: "2023-01-19 23:59:59"
password: "no-brain"
update_password: on_create
# Create user brain
- freeipa.ansible_freeipa.ipauser:
ipaadmin_password: SomeADMINpassword
name: brain
first: brain
last: Acme
# Create multiple users pinky and brain
- freeipa.ansible_freeipa.ipauser:
ipaadmin_password: SomeADMINpassword
users:
- name: pinky
first: pinky
last: Acme
- name: brain
first: brain
last: Acme
# Delete user pinky, but preserved
- freeipa.ansible_freeipa.ipauser:
ipaadmin_password: SomeADMINpassword
name: pinky
preserve: yes
state: absent
# Undelete user pinky
- freeipa.ansible_freeipa.ipauser:
ipaadmin_password: SomeADMINpassword
name: pinky
state: undeleted
# Disable user pinky
- freeipa.ansible_freeipa.ipauser:
ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: disabled
# Enable user pinky and brain
- freeipa.ansible_freeipa.ipauser:
ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: enabled
# Remove but preserve user pinky
- freeipa.ansible_freeipa.ipauser:
ipaadmin_password: SomeADMINpassword
users:
- name: pinky
preserve: yes
state: absent
# Remove user pinky and brain
- freeipa.ansible_freeipa.ipauser:
ipaadmin_password: SomeADMINpassword
name: pinky,brain
state: disabled
# Ensure a user has SMB attributes
- freeipa.ansible_freeipa.ipauser:
ipaadmin_password: SomeADMINpassword
name: smbuser
first: SMB
last: User
smb_logon_script: N:\logonscripts\startup
smb_profile_path: \\server\profiles\some_profile
smb_home_dir: \\users\home\smbuser
smb_home_drive: "U:"
fax:
aliases:
- facsimiletelephonenumber
description: List of fax numbers
elements: str
required: false
type: list
gid:
aliases:
- gidnumber
description: Group ID Number
required: false
type: int
idp:
aliases:
- ipaidpconfiglink
description: External IdP configuration
required: false
type: str
uid:
aliases:
- uidnumber
description: User ID Number (system will assign one if not provided)
required: false
type: int
city:
description: City
required: false
type: str
last:
aliases:
- sn
description: The last name. Required if user doesnot exst.
required: false
type: str
name:
aliases:
- login
description: The list of users (internally uid).
elements: str
required: false
type: list
email:
description: List of email addresses
elements: str
required: false
type: list
first:
aliases:
- givenname
description: The first name. Required if user does not exist.
required: false
type: str
gecos:
description: The GECOS
required: false
type: str
pager:
description: List of pager numbers
elements: str
required: false
type: list
phone:
aliases:
- telephonenumber
description: List of telephone numbers
elements: str
required: false
type: list
shell:
aliases:
- loginshell
description: The login shell
required: false
type: str
state:
choices:
- present
- absent
- enabled
- disabled
- unlocked
- undeleted
default: present
description: State to ensure
type: str
title:
description: The job title
required: false
type: str
users:
description: The list of user dicts (internally uid).
elements: dict
required: false
suboptions:
carlicense:
description: List of car licenses
elements: str
required: false
type: list
certificate:
aliases:
- usercertificate
description: List of base-64 encoded user certificates
elements: str
required: false
type: list
certmapdata:
description:
- List of certificate mappings
- Only usable with IPA versions 4.5 and up.
elements: dict
required: false
suboptions:
certificate:
description: Base-64 encoded user certificate
required: false
type: str
data:
description: Certmap data
required: false
type: str
issuer:
description: Issuer of the certificate
required: false
type: str
subject:
description: Subject of the certificate
required: false
type: str
type: list
city:
description: City
required: false
type: str
departmentnumber:
description: Department Number
elements: str
required: false
type: list
displayname:
description: The display name
required: false
type: str
email:
description: List of email addresses
elements: str
required: false
type: list
employeenumber:
description: Employee Number
required: false
type: str
employeetype:
description: Employee Type
required: false
type: str
fax:
aliases:
- facsimiletelephonenumber
description: List of fax numbers
elements: str
required: false
type: list
first:
aliases:
- givenname
description: The first name. Required if user does not exist.
required: false
type: str
fullname:
aliases:
- cn
description: The full name
required: false
type: str
gecos:
description: The GECOS
required: false
type: str
gid:
aliases:
- gidnumber
description: Group ID Number
required: false
type: int
homedir:
description: The home directory
required: false
type: str
idp:
aliases:
- ipaidpconfiglink
description: External IdP configuration
required: false
type: str
idp_user_id:
aliases:
- ipaidpsub
description: A string that identifies the user at external IdP
required: false
type: str
initials:
description: Initials
required: false
type: str
last:
aliases:
- sn
description: The last name. Required if user doesnot exst.
required: false
type: str
manager:
description: List of managers
elements: str
required: false
type: list
mobile:
description: List of mobile telephone numbers
elements: str
required: false
type: list
name:
aliases:
- login
description: The user (internally uid).
required: true
type: str
nomembers:
description: Suppress processing of membership attributes
required: false
type: bool
noprivate:
description: Don't create user private group
required: false
type: bool
orgunit:
aliases:
- ou
description: Org. Unit
required: false
type: str
pager:
description: List of pager numbers
elements: str
required: false
type: list
password:
description: The user password
required: false
type: str
passwordexpiration:
aliases:
- krbpasswordexpiration
description: 'The kerberos password expiration date (FreeIPA-4.7+)
(possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,
YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
YYYY-MM-dd HH:mmZ) The trailing ''Z'' can be skipped.
Only usable with IPA versions 4.7 and up.
'
required: false
type: str
phone:
aliases:
- telephonenumber
description: List of telephone numbers
elements: str
required: false
type: list
postalcode:
aliases:
- zip
description: Postalcode/ZIP
required: false
type: str
preferredlanguage:
description: Preferred Language
required: false
type: str
principal:
aliases:
- principalname
- krbprincipalname
description: The kerberos principal
elements: str
required: false
type: list
principalexpiration:
aliases:
- krbprincipalexpiration
description: 'The kerberos principal expiration date
(possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,
YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
YYYY-MM-dd HH:mmZ) The trailing ''Z'' can be skipped.
'
required: false
type: str
radius:
aliases:
- ipatokenradiusconfiglink
description: RADIUS proxy configuration
required: false
type: str
radiususer:
aliases:
- radiususername
- ipatokenradiususername
description: RADIUS proxy username
required: false
type: str
random:
description: Generate a random user password
required: false
type: bool
shell:
aliases:
- loginshell
description: The login shell
required: false
type: str
smb_home_dir:
aliases:
- ipanthomedirectory
description: SMB Home Directory
required: false
type: str
smb_home_drive:
aliases:
- ipanthomedirectorydrive
choices:
- 'A:'
- 'B:'
- 'C:'
- 'D:'
- 'E:'
- 'F:'
- 'G:'
- 'H:'
- 'I:'
- 'J:'
- 'K:'
- 'L:'
- 'M:'
- 'N:'
- 'O:'
- 'P:'
- 'Q:'
- 'R:'
- 'S:'
- 'T:'
- 'U:'
- 'V:'
- 'W:'
- 'X:'
- 'Y:'
- 'Z:'
- ''
description: SMB Home Directory Drive
required: false
type: str
smb_logon_script:
aliases:
- ipantlogonscript
description: SMB logon script path
required: false
type: str
smb_profile_path:
aliases:
- ipantprofilepath
description: SMB profile path
required: false
type: str
sshpubkey:
aliases:
- ipasshpubkey
description: List of SSH public keys
elements: str
required: false
type: list
street:
description: Street address
required: false
type: str
title:
description: The job title
required: false
type: str
uid:
aliases:
- uidnumber
description: User ID Number (system will assign one if not provided)
required: false
type: int
userauthtype:
aliases:
- ipauserauthtype
choices:
- password
- radius
- otp
- pkinit
- hardened
- idp
- ''
description: List of supported user authentication types Use empty string to reset
userauthtype to the initial value.
elements: str
required: false
type: list
userclass:
aliases:
- class
description:
- User category
- (semantics placed on this attribute are for local interpretation)
elements: str
required: false
type: list
userstate:
aliases:
- st
description: State/Province
required: false
type: str
type: list
action:
choices:
- member
- user
default: user
description: Work on user or member level
type: str
mobile:
description: List of mobile telephone numbers
elements: str
required: false
type: list
radius:
aliases:
- ipatokenradiusconfiglink
description: RADIUS proxy configuration
required: false
type: str
random:
description: Generate a random user password
required: false
type: bool
street:
description: Street address
required: false
type: str
homedir:
description: The home directory
required: false
type: str
manager:
description: List of managers
elements: str
required: false
type: list
orgunit:
aliases:
- ou
description: Org. Unit
required: false
type: str
fullname:
aliases:
- cn
description: The full name
required: false
type: str
initials:
description: Initials
required: false
type: str
password:
description: The user password
required: false
type: str
preserve:
description: Delete a user, keeping the entry available for future use
required: false
type: bool
nomembers:
description: Suppress processing of membership attributes
required: false
type: bool
noprivate:
description: Don't create user private group
required: false
type: bool
principal:
aliases:
- principalname
- krbprincipalname
description: The kerberos principal
elements: str
required: false
type: list
sshpubkey:
aliases:
- ipasshpubkey
description: List of SSH public keys
elements: str
required: false
type: list
userclass:
aliases:
- class
description:
- User category
- (semantics placed on this attribute are for local interpretation)
elements: str
required: false
type: list
userstate:
aliases:
- st
description: State/Province
required: false
type: str
carlicense:
description: List of car licenses
elements: str
required: false
type: list
postalcode:
aliases:
- zip
description: Postalcode/ZIP
required: false
type: str
radiususer:
aliases:
- radiususername
- ipatokenradiususername
description: RADIUS proxy username
required: false
type: str
certificate:
aliases:
- usercertificate
description: List of base-64 encoded user certificates
elements: str
required: false
type: list
certmapdata:
description:
- List of certificate mappings
- Only usable with IPA versions 4.5 and up.
elements: dict
required: false
suboptions:
certificate:
description: Base-64 encoded user certificate
required: false
type: str
data:
description: Certmap data
required: false
type: str
issuer:
description: Issuer of the certificate
required: false
type: str
subject:
description: Subject of the certificate
required: false
type: str
type: list
displayname:
description: The display name
required: false
type: str
idp_user_id:
aliases:
- ipaidpsub
description: A string that identifies the user at external IdP
required: false
type: str
employeetype:
description: Employee Type
required: false
type: str
smb_home_dir:
aliases:
- ipanthomedirectory
description: SMB Home Directory
required: false
type: str
userauthtype:
aliases:
- ipauserauthtype
choices:
- password
- radius
- otp
- pkinit
- hardened
- idp
- ''
description: List of supported user authentication types Use empty string to reset
userauthtype to the initial value.
elements: str
required: false
type: list
employeenumber:
description: Employee Number
required: false
type: str
ipaapi_context:
choices:
- server
- client
description: 'The context in which the module will execute. Executing in a
server context is preferred. If not provided context will be
determined by the execution environment.
'
required: false
type: str
smb_home_drive:
aliases:
- ipanthomedirectorydrive
choices:
- 'A:'
- 'B:'
- 'C:'
- 'D:'
- 'E:'
- 'F:'
- 'G:'
- 'H:'
- 'I:'
- 'J:'
- 'K:'
- 'L:'
- 'M:'
- 'N:'
- 'O:'
- 'P:'
- 'Q:'
- 'R:'
- 'S:'
- 'T:'
- 'U:'
- 'V:'
- 'W:'
- 'X:'
- 'Y:'
- 'Z:'
- ''
description: SMB Home Directory Drive
required: false
type: str
update_password:
choices:
- always
- on_create
description: Set password for a user in present state only on creation or always
required: false
type: str
departmentnumber:
description: Department Number
elements: str
required: false
type: list
smb_logon_script:
aliases:
- ipantlogonscript
description: SMB logon script path
required: false
type: str
smb_profile_path:
aliases:
- ipantprofilepath
description: SMB profile path
required: false
type: str
ipaadmin_password:
description: The admin password.
required: false
type: str
ipaapi_ldap_cache:
default: true
description: Use LDAP cache for IPA connection.
type: bool
preferredlanguage:
description: Preferred Language
required: false
type: str
ipaadmin_principal:
default: admin
description: The admin principal.
type: str
passwordexpiration:
aliases:
- krbpasswordexpiration
description: 'The kerberos password expiration date (FreeIPA-4.7+)
(possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,
YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
YYYY-MM-dd HH:mmZ) The trailing ''Z'' can be skipped.
Only usable with IPA versions 4.7 and up.
'
required: false
type: str
principalexpiration:
aliases:
- krbprincipalexpiration
description: 'The kerberos principal expiration date
(possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ,
YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ,
YYYY-MM-dd HH:mmZ) The trailing ''Z'' can be skipped.
'
required: false
type: str
user:
contains:
name:
contains:
randompassword:
description: The generated random password
returned: always
type: str
description: The user name of the user that got a new random password
returned: 'If several users are handled by the module with the users parameter
'
type: dict
randompassword:
description: The generated random password
returned: 'If only one user is handled by the module without using users parameter
'
type: str
description: User dict with random password
returned: If random is yes and user did not exist or update_password is yes
type: dict