|
Packit Service |
a166ed |
Delegation module
|
|
Packit Service |
a166ed |
=================
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Description
|
|
Packit Service |
a166ed |
-----------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
The delegation module allows to ensure presence, absence of delegations and delegation attributes.
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Features
|
|
Packit Service |
a166ed |
--------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
* Delegation management
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Supported FreeIPA Versions
|
|
Packit Service |
a166ed |
--------------------------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
FreeIPA versions 4.4.0 and up are supported by the ipadelegation module.
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Requirements
|
|
Packit Service |
a166ed |
------------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
**Controller**
|
|
Packit Service |
a166ed |
* Ansible version: 2.8+
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
**Node**
|
|
Packit Service |
a166ed |
* Supported FreeIPA version (see above)
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Usage
|
|
Packit Service |
a166ed |
=====
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example inventory file
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```ini
|
|
Packit Service |
a166ed |
[ipaserver]
|
|
Packit Service |
a166ed |
ipaserver.test.local
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to make sure delegation "basic manager attributes" is present:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA delegation.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- ipadelegation:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: "basic manager attributes"
|
|
Packit Service |
a166ed |
permission: read
|
|
Packit Service |
a166ed |
attribute:
|
|
Packit Service |
a166ed |
- businesscategory
|
|
Packit Service |
a166ed |
- employeetype
|
|
Packit Service |
a166ed |
group: managers
|
|
Packit Service |
a166ed |
membergroup: employees
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to make sure delegation "basic manager attributes" is absent:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA delegation.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- ipadelegation:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: "basic manager attributes"
|
|
Packit Service |
a166ed |
state: absent
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are present:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA delegation.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- ipadelegation:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: "basic manager attributes"
|
|
Packit Service |
a166ed |
attribute:
|
|
Packit Service |
a166ed |
- employeenumber
|
|
Packit Service |
a166ed |
- employeetype
|
|
Packit Service |
a166ed |
action: member
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to make sure "basic manager attributes" member attributes employeetype and employeenumber are absent:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA delegation.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- ipadelegation:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: "basic manager attributes"
|
|
Packit Service |
a166ed |
attribute:
|
|
Packit Service |
a166ed |
- employeenumber
|
|
Packit Service |
a166ed |
- employeetype
|
|
Packit Service |
a166ed |
action: member
|
|
Packit Service |
a166ed |
state: absent
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Example playbook to make sure delegation "basic manager attributes" is absent:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
---
|
|
Packit Service |
a166ed |
- name: Playbook to manage IPA delegation.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
become: yes
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
tasks:
|
|
Packit Service |
a166ed |
- ipadelegation:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: "basic manager attributes"
|
|
Packit Service |
a166ed |
state: absent
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Variables
|
|
Packit Service |
a166ed |
---------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
ipadelegation
|
|
Packit Service |
a166ed |
-------
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Variable | Description | Required
|
|
Packit Service |
a166ed |
-------- | ----------- | --------
|
|
Packit Service |
a166ed |
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
|
|
Packit Service |
a166ed |
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
|
|
Packit Service |
a166ed |
`name` \| `aciname` | The list of delegation name strings. | yes
|
|
Packit Service |
a166ed |
`permission` \| `permissions` | The permission to grant `read`, `read,write`, `write`]. Default is `write`. | no
|
|
Packit Service |
a166ed |
`attribute` \| `attrs` | The attribute list to which the delegation applies. | no
|
|
Packit Service |
a166ed |
`membergroup` \| `memberof` | The user group to apply delegation to. | no
|
|
Packit Service |
a166ed |
`group` | User group ACI grants access to. | no
|
|
Packit Service |
a166ed |
`action` | Work on delegation or member level. It can be on of `member` or `delegation` and defaults to `delegation`. | no
|
|
Packit Service |
a166ed |
`state` | The state to ensure. It can be one of `present`, `absent`, default: `present`. | no
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Authors
|
|
Packit Service |
a166ed |
=======
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
Thomas Woerner
|