freeipa.ansible_freeipa.ipahost (1.8.4) — module

Manage FreeIPA hosts

Authors: Thomas Woerner

preview | supported by community

Install collection

Install with ansible-galaxy collection install freeipa.ansible_freeipa:==1.8.4


Add to requirements.yml

  collections:
    - name: freeipa.ansible_freeipa
      version: 1.8.4

Description

Manage FreeIPA hosts

Usage examples

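# Ensure host is present
# SomeADMINpassword is a documentation placeholder: in a real playbook, source
# ipaadmin_password from Ansible Vault or a lookup rather than a literal in the task.
- freeipa.ansible_freeipa.ipahost:
    ipaadmin_password: SomeADMINpassword
    name: host01.example.com
    description: Example host
    # No IP address conflict check is done for ip_address (see the input docs).
    ip_address: 192.168.0.123
    locality: Lab
    ns_host_location: Lab
    ns_os_version: CentOS 7
    ns_hardware_platform: Lenovo T61
    # MACs stay quoted: digit/colon runs can otherwise be read as sexagesimal ints.
    # Sequence indented to match the requirements.yml snippet above.
    mac_address:
      - "08:00:27:E3:B1:2D"
      - "52:54:00:BD:97:1E"
    state: present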
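# Ensure host is present without DNS
# force: true accepts the host name even if it is not in DNS (see the force input).
# SomeADMINpassword is a placeholder; keep the real admin password out of plain text.
- freeipa.ansible_freeipa.ipahost:
    ipaadmin_password: SomeADMINpassword
    name: host02.example.com
    description: Example host
    # Canonical boolean spelling; "yes" is a YAML 1.1-only form.
    force: true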
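# Initiate generation of a random password for the host
# The generated password is returned in the task result as host.randompassword
# (see Outputs); no_log keeps it, and the admin password, out of task output and logs.
# Use register on the task if the returned password is needed later in the play.
- freeipa.ansible_freeipa.ipahost:
    ipaadmin_password: SomeADMINpassword
    name: host01.example.com
    description: Example host
    ip_address: 192.168.0.123
    # Canonical boolean spelling; "yes" is a YAML 1.1-only form.
    random: true
  no_log: true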
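# Ensure host is disabled
# SomeADMINpassword is a placeholder; keep the real admin password out of plain text.
- freeipa.ansible_freeipa.ipahost:
    ipaadmin_password: SomeADMINpassword
    name: host01.example.com
    # update_dns controls the update of the DNS SSHFP records for an existing host
    # (see the update_dns input). Canonical boolean spelling instead of "yes".
    update_dns: true
    state: disabled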
# Ensure host is absent
# update_dns is left unset here; per the update_dns input it is the option that
# controls removal of the host's DNS entries when state is absent.
# SomeADMINpassword is a placeholder; keep the real admin password out of plain text.
- freeipa.ansible_freeipa.ipahost:
    state: absent
    name: host01.example.com
    ipaadmin_password: SomeADMINpassword

Inputs

    
os:
    aliases:
    - ns_os_version
    description: Host operating system and version (e.g. "Fedora 9")
    required: false

name:
    aliases:
    - fqdn
    description: The fully qualified domain name.
    required: true

force:
    description: Force host name even if not in DNS
    required: false

hosts:
    description: The list of host dicts
    required: false
    suboptions:
      allow_create_keytab_group:
        aliases:
        - ipaallowedtoperform_write_keys_group
        description: Groups allowed to create a keytab of this host
        required: false
      allow_create_keytab_host:
        aliases:
        - ipaallowedtoperform_write_keys_host
        description: Hosts allowed to create a keytab of this host
        required: false
      allow_create_keytab_hostgroup:
        aliases:
        - ipaallowedtoperform_write_keys_hostgroup
        description: Hostgroups allowed to create a keytab of this host
        required: false
      allow_create_keytab_user:
        aliases:
        - ipaallowedtoperform_write_keys_user
        description: Users allowed to create a keytab of this host
        required: false
      allow_retrieve_keytab_group:
        aliases:
        - ipaallowedtoperform_read_keys_group
        description: Groups allowed to retrieve a keytab of this host
        required: false
      allow_retrieve_keytab_host:
        aliases:
        - ipaallowedtoperform_read_keys_host
        description: Hosts allowed to retrieve a keytab of this host
        required: false
      allow_retrieve_keytab_hostgroup:
        aliases:
        - ipaallowedtoperform_read_keys_hostgroup
        description: Hostgroups allowed to retrieve a keytab of this host
        required: false
      allow_retrieve_keytab_user:
        aliases:
        - ipaallowedtoperform_read_keys_user
        description: Users allowed to retrieve a keytab of this host
        required: false
      auth_ind:
        aliases:
        - krbprincipalauthind
        choices:
        - radius
        - otp
        - pkinit
        - hardened
        - ''
        description: Defines a whitelist for Authentication Indicators. Use 'otp' to allow
          OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications.
          Other values may be used for custom configurations. Use empty string to reset
          auth_ind to the initial value.
        required: false
        type: list
      certificate:
        aliases:
        - usercertificate
        description: List of base-64 encoded host certificates
        required: false
        type: list
      description:
        description: The host description
        required: false
      force:
        description: Force host name even if not in DNS
        required: false
      ip_address:
        aliases:
        - ipaddress
        description: The host IP address list (IPv4 and IPv6). No IP address conflict
          check will be done.
        required: false
      locality:
        description: Host locality (e.g. "Baltimore, MD")
        required: false
      location:
        aliases:
        - ns_host_location
        description: Host location (e.g. "Lab 2")
        required: false
      mac_address:
        aliases:
        - macaddress
        description: List of hardware MAC addresses.
        required: false
        type: list
      managedby_host:
        aliases:
        - principalname
        - krbprincipalname
        description: List of hosts that can manage this host
        required: false
        type: list
      name:
        aliases:
        - fqdn
        description: The host (internally uid).
        required: true
      ok_as_delegate:
        aliases:
        - ipakrbokasdelegate
        description: Client credentials may be delegated to the service
        required: false
        type: bool
      ok_to_auth_as_delegate:
        aliases:
        - ipakrboktoauthasdelegate
        description: The service is allowed to authenticate on behalf of a client
        required: false
        type: bool
      os:
        aliases:
        - ns_os_version
        description: Host operating system and version (e.g. "Fedora 9")
        required: false
      password:
        aliases:
        - user_password
        - userpassword
        description: Password used in bulk enrollment
        required: false
      platform:
        aliases:
        - ns_hardware_platform
        description: Host hardware platform (e.g. "Lenovo T61")
        required: false
      principal:
        aliases:
        - principalname
        - krbprincipalname
        description: List of principal aliases for this host
        required: false
        type: list
      random:
        aliases:
        - random_password
        description: Initiate the generation of a random password to be used in bulk enrollment
        required: false
      requires_pre_auth:
        aliases:
        - ipakrbrequirespreauth
        description: Pre-authentication is required for the service
        required: false
        type: bool
      reverse:
        default: true
        description: Reverse DNS detection
        required: false
      sshpubkey:
        aliases:
        - ipasshpubkey
        description: List of SSH public keys
        required: false
        type: list
      update_dns:
        description: Controls the update of the DNS SSHFP records for existing hosts and
          the removal of all DNS entries if a host gets removed with state absent.
        required: false
      userclass:
        aliases:
        - class
        description: Host category (semantics placed on this attribute are for local interpretation)
        required: false

state:
    choices:
    - present
    - absent
    - disabled
    default: present
    description: State to ensure

action:
    choices:
    - member
    - host
    default: host
    description: Work on host or member level

random:
    aliases:
    - random_password
    description: Initiate the generation of a random password to be used in bulk enrollment
    required: false

reverse:
    default: true
    description: Reverse DNS detection
    required: false

auth_ind:
    aliases:
    - krbprincipalauthind
    choices:
    - radius
    - otp
    - pkinit
    - hardened
    - ''
    description: Defines a whitelist for Authentication Indicators. Use 'otp' to allow
      OTP-based 2FA authentications. Use 'radius' to allow RADIUS-based 2FA authentications.
      Other values may be used for custom configurations. Use empty string to reset auth_ind
      to the initial value.
    required: false
    type: list

locality:
    description: Host locality (e.g. "Baltimore, MD")
    required: false

location:
    aliases:
    - ns_host_location
    description: Host location (e.g. "Lab 2")
    required: false

password:
    aliases:
    - user_password
    - userpassword
    description: Password used in bulk enrollment
    required: false

platform:
    aliases:
    - ns_hardware_platform
    description: Host hardware platform (e.g. "Lenovo T61")
    required: false

principal:
    aliases:
    - principalname
    - krbprincipalname
    description: List of principal aliases for this host
    required: false
    type: list

sshpubkey:
    aliases:
    - ipasshpubkey
    description: List of SSH public keys
    required: false
    type: list

userclass:
    aliases:
    - class
    description: Host category (semantics placed on this attribute are for local interpretation)
    required: false

ip_address:
    aliases:
    - ipaddress
    description: The host IP address list (IPv4 and IPv6). No IP address conflict check
      will be done.
    required: false

update_dns:
    description: Controls the update of the DNS SSHFP records for existing hosts and the
      removal of all DNS entries if a host gets removed with state absent.
    required: false

certificate:
    aliases:
    - usercertificate
    description: List of base-64 encoded host certificates
    required: false
    type: list

description:
    description: The host description
    required: false

mac_address:
    aliases:
    - macaddress
    description: List of hardware MAC addresses.
    required: false
    type: list

ipaapi_context:
    choices:
    - server
    - client
    description: 'The context in which the module will execute. Executing in a

      server context is preferred. If not provided, the context will be

      determined by the execution environment.

      '
    required: false

managedby_host:
    aliases:
    - principalname
    - krbprincipalname
    description: List of hosts that can manage this host
    required: false
    type: list

ok_as_delegate:
    aliases:
    - ipakrbokasdelegate
    description: Client credentials may be delegated to the service
    required: false
    type: bool

update_password:
    choices:
    - always
    - on_create
    default: always
    description: Set password for a host in present state only on creation or always

ipaadmin_password:
    description: The admin password.
    required: false

ipaapi_ldap_cache:
    default: true
    description: Use LDAP cache for IPA connection.
    type: bool

requires_pre_auth:
    aliases:
    - ipakrbrequirespreauth
    description: Pre-authentication is required for the service
    required: false
    type: bool

ipaadmin_principal:
    default: admin
    description: The admin principal.

ok_to_auth_as_delegate:
    aliases:
    - ipakrboktoauthasdelegate
    description: The service is allowed to authenticate on behalf of a client
    required: false
    type: bool

allow_create_keytab_host:
    aliases:
    - ipaallowedtoperform_write_keys_host
    description: Hosts allowed to create a keytab of this host
    required: false

allow_create_keytab_user:
    aliases:
    - ipaallowedtoperform_write_keys_user
    description: Users allowed to create a keytab of this host
    required: false

allow_create_keytab_group:
    aliases:
    - ipaallowedtoperform_write_keys_group
    description: Groups allowed to create a keytab of this host
    required: false

allow_retrieve_keytab_host:
    aliases:
    - ipaallowedtoperform_read_keys_host
    description: Hosts allowed to retrieve a keytab of this host
    required: false

allow_retrieve_keytab_user:
    aliases:
    - ipaallowedtoperform_read_keys_user
    description: Users allowed to retrieve a keytab of this host
    required: false

allow_retrieve_keytab_group:
    aliases:
    - ipaallowedtoperform_read_keys_group
    description: Groups allowed to retrieve a keytab of this host
    required: false

allow_create_keytab_hostgroup:
    aliases:
    - ipaallowedtoperform_write_keys_hostgroup
    description: Hostgroups allowed to create a keytab of this host
    required: false

allow_retrieve_keytab_hostgroup:
    aliases:
    - ipaallowedtoperform_read_keys_hostgroup
    description: Hostgroups allowed to retrieve a keytab of this host
    required: false

Outputs

host:
  description: Host dict with random password
  options:
    name:
      description: The name of the host that got a new random password
      options:
        randompassword:
          description: The generated random password
          returned: always
      returned: If several hosts are handled by the module
      type: dict
    randompassword:
      description: The generated random password
      returned: If only one host is handled by the module
  returned: If random is true and the host did not exist or update_password is yes
  type: dict