|
Packit Service |
0a38ef |
Group module
|
|
Packit Service |
0a38ef |
============
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Description
|
|
Packit Service |
0a38ef |
-----------
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
The group module allows to ensure presence and absence of groups and members of groups.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
The group module is as compatible as possible to the Ansible upstream `ipa_group` module, but additionally offers to add users to a group and also to remove users from a group.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Features
|
|
Packit Service |
0a38ef |
--------
|
|
Packit Service |
0a38ef |
* Group management
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Supported FreeIPA Versions
|
|
Packit Service |
0a38ef |
--------------------------
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
FreeIPA versions 4.4.0 and up are supported by the ipagroup module.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
a166ed |
Some variables are only supported on newer versions of FreeIPA. Check `Variables` section for details.
|
|
Packit Service |
a166ed |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Requirements
|
|
Packit Service |
0a38ef |
------------
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
**Controller**
|
|
Packit Service |
0a38ef |
* Ansible version: 2.8+
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
**Node**
|
|
Packit Service |
0a38ef |
* Supported FreeIPA version (see above)
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Usage
|
|
Packit Service |
0a38ef |
=====
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Example inventory file
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```ini
|
|
Packit Service |
0a38ef |
[ipaserver]
|
|
Packit Service |
0a38ef |
ipaserver.test.local
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Example playbook to add groups:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle groups
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
0a38ef |
# Create group ops with gid 1234
|
|
Packit Service |
0a38ef |
- ipagroup:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: ops
|
|
Packit Service |
0a38ef |
gidnumber: 1234
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Create group sysops
|
|
Packit Service |
0a38ef |
- ipagroup:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: sysops
|
|
Packit Service |
0a38ef |
user:
|
|
Packit Service |
0a38ef |
- pinky
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
# Create group appops
|
|
Packit Service |
0a38ef |
- ipagroup:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: appops
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Example playbook to add users to a group:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle groups
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
0a38ef |
# Add user member brain to group sysops
|
|
Packit Service |
0a38ef |
- ipagroup:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: sysops
|
|
Packit Service |
0a38ef |
action: member
|
|
Packit Service |
0a38ef |
user:
|
|
Packit Service |
0a38ef |
- brain
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
`action` controls if a the group or member will be handled. To add or remove members, set `action` to `member`.
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Example playbook to add group members to a group:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle groups
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
0a38ef |
# Add group members sysops and appops to group sysops
|
|
Packit Service |
0a38ef |
- ipagroup:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: ops
|
|
Packit Service |
0a38ef |
group:
|
|
Packit Service |
0a38ef |
- sysops
|
|
Packit Service |
0a38ef |
- appops
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
a166ed |
Example playbook to add members from a trusted realm to an external group:
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
```yaml
|
|
Packit Service |
a166ed |
--
|
|
Packit Service |
a166ed |
- name: Playbook to handle groups.
|
|
Packit Service |
a166ed |
hosts: ipaserver
|
|
Packit Service |
a166ed |
became: true
|
|
Packit Service |
a166ed |
|
|
Packit Service |
a166ed |
- name: Create an external group and add members from a trust to it.
|
|
Packit Service |
a166ed |
ipagroup:
|
|
Packit Service |
a166ed |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
a166ed |
name: extgroup
|
|
Packit Service |
a166ed |
external: yes
|
|
Packit Service |
a166ed |
externalmember:
|
|
Packit Service |
a166ed |
- WINIPA\\Web Users
|
|
Packit Service |
a166ed |
- WINIPA\\Developers
|
|
Packit Service |
a166ed |
```
|
|
Packit Service |
a166ed |
|
|
Packit Service |
0a38ef |
Example playbook to remove groups:
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
```yaml
|
|
Packit Service |
0a38ef |
---
|
|
Packit Service |
0a38ef |
- name: Playbook to handle groups
|
|
Packit Service |
0a38ef |
hosts: ipaserver
|
|
Packit Service |
0a38ef |
become: true
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
tasks:
|
|
Packit Service |
0a38ef |
# Remove goups sysops, appops and ops
|
|
Packit Service |
0a38ef |
- ipagroup:
|
|
Packit Service |
0a38ef |
ipaadmin_password: SomeADMINpassword
|
|
Packit Service |
0a38ef |
name: sysops,appops,ops
|
|
Packit Service |
0a38ef |
state: absent
|
|
Packit Service |
0a38ef |
```
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Variables
|
|
Packit Service |
0a38ef |
=========
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
ipagroup
|
|
Packit Service |
0a38ef |
-------
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Variable | Description | Required
|
|
Packit Service |
0a38ef |
-------- | ----------- | --------
|
|
Packit Service |
0a38ef |
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
|
|
Packit Service |
0a38ef |
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
|
|
Packit Service |
0a38ef |
`name` \| `cn` | The list of group name strings. | no
|
|
Packit Service |
0a38ef |
`description` | The group description string. | no
|
|
Packit Service |
0a38ef |
`gid` \| `gidnumber` | The GID integer. | no
|
|
Packit Service |
a166ed |
`posix` | Create a non-POSIX group or change a non-POSIX to a posix group. (bool) | no
|
|
Packit Service |
0a38ef |
`nonposix` | Create as a non-POSIX group. (bool) | no
|
|
Packit Service |
0a38ef |
`external` | Allow adding external non-IPA members from trusted domains. (bool) | no
|
|
Packit Service |
0a38ef |
`nomembers` | Suppress processing of membership attributes. (bool) | no
|
|
Packit Service |
0a38ef |
`user` | List of user name strings assigned to this group. | no
|
|
Packit Service |
0a38ef |
`group` | List of group name strings assigned to this group. | no
|
|
Packit Service |
0a38ef |
`service` | List of service name strings assigned to this group. Only usable with IPA versions 4.7 and up. | no
|
|
Packit Service |
0a38ef |
`membermanager_user` | List of member manager users assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
|
|
Packit Service |
0a38ef |
`membermanager_group` | List of member manager groups assigned to this group. Only usable with IPA versions 4.8.4 and up. | no
|
|
Packit Service |
a166ed |
`externalmember` \| `ipaexternalmember` \| `external_member`| List of members of a trusted domain in DOM\\name or name@domain form. | no
|
|
Packit Service |
0a38ef |
`action` | Work on group or member level. It can be on of `member` or `group` and defaults to `group`. | no
|
|
Packit Service |
0a38ef |
`state` | The state to ensure. It can be one of `present` or `absent`, default: `present`. | yes
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Authors
|
|
Packit Service |
0a38ef |
=======
|
|
Packit Service |
0a38ef |
|
|
Packit Service |
0a38ef |
Thomas Woerner
|