User module
===========

Description
-----------

The user module allows ensuring the presence, absence, disablement, unlocking and undeletion of users.

The user module is as compatible as possible with the Ansible upstream `ipa_user` module, but additionally offers preserve-delete, enable, disable, unlock and undelete of users.


Features
--------

* User management


Supported FreeIPA Versions
--------------------------

FreeIPA versions 4.4.0 and up are supported by the ipauser module.


Requirements
------------

**Controller**

* Ansible version: 2.8+

**Node**

* Supported FreeIPA version (see above)


Usage
=====

Example inventory file

```ini
[ipaserver]
ipaserver.test.local
```


Example playbook to ensure a user is present:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Ensure user pinky is present
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      name: pinky
      first: pinky
      last: Acme
      uid: 10001
      gid: 100
      phone: "+555123457"
      email: pinky@acme.com
      passwordexpiration: "2023-01-19 23:59:59"
      password: "no-brain"
      update_password: on_create

  # Ensure user brain is present
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      name: brain
      first: brain
      last: Acme
```

`update_password` controls whether the password of a user in state `present` is set only when the user is created (`on_create`) or on every run (`always`).


These two `ipauser` module calls can be combined into one with the `users` variable:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Ensure users pinky and brain are present
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      users:
      - name: pinky
        first: pinky
        last: Acme
        uid: 10001
        gid: 100
        phone: "+555123457"
        email: pinky@acme.com
        passwordexpiration: "2023-01-19 23:59:59"
        password: "no-brain"
      - name: brain
        first: brain
        last: Acme
      update_password: on_create
```

Alternatively, you can use a JSON file containing the users, here `users_present.json`:

```json
{
  "users": [
    {
      "name": "user1",
      "first": "First 1",
      "last": "Last 1"
    },
    {
      "name": "user2",
      "first": "First 2",
      "last": "Last 2"
    },
    ...
  ]
}
```

The presence of these users can then be ensured with this example playbook:

```yaml
---
- name: Tests
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  - name: Include users_present.json
    include_vars:
      file: users_present.json

  - name: Users present
    ipauser:
      ipaadmin_password: SomeADMINpassword
      users: "{{ users }}"
```


Ensure user pinky is present with a generated random password and print the random password:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Ensure user pinky is present with a random password
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      name: pinky
      first: pinky
      last: Acme
      random: yes
    register: ipauser

  - name: Print generated random password
    debug:
      var: ipauser.user.randompassword
```

Ensure users pinky and brain are present with generated random passwords and print the random passwords:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Ensure users pinky and brain are present with random passwords
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      users:
      - name: pinky
        first: pinky
        last: Acme
        uid: 10001
        gid: 100
        phone: "+555123457"
        email: pinky@acme.com
        passwordexpiration: "2023-01-19 23:59:59"
        random: yes
      - name: brain
        first: brain
        last: Acme
        random: yes
    register: ipauser

  - name: Print generated random password of pinky
    debug:
      var: ipauser.user.pinky.randompassword

  - name: Print generated random password of brain
    debug:
      var: ipauser.user.brain.randompassword
```


Example playbook to delete a user, but preserve it:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Remove but preserve user pinky
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      name: pinky
      preserve: yes
      state: absent
```

This can also be done with the `users` variable containing only names, which allows combining several users into one module call.

Example playbook to delete a user, but preserve it, using the `users` variable:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Remove but preserve user pinky
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      users:
      - name: pinky
      preserve: yes
      state: absent
```


Example playbook to undelete a preserved user:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Undelete preserved user pinky
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      name: pinky
      state: undeleted
```

This can also be done as an alternative with the `users` variable containing only names.


Example playbook to disable a user:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Disable user pinky
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      name: pinky
      state: disabled
```

This can also be done as an alternative with the `users` variable containing only names.


Example playbook to enable users:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Enable users pinky and brain
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      name: pinky,brain
      state: enabled
```

This can also be done as an alternative with the `users` variable containing only names.


Example playbook to unlock users:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Unlock users pinky and brain
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      name: pinky,brain
      state: unlocked
```


Example playbook to ensure users are absent:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Ensure users pinky and brain are absent
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      name: pinky,brain
      state: absent
```

This can also be done as an alternative with the `users` variable containing only names.


Example playbook to ensure users are absent using the `users` variable:

```yaml
---
- name: Playbook to handle users
  hosts: ipaserver
  become: true

  tasks:
  # Ensure users pinky and brain are absent
  - ipauser:
      ipaadmin_password: SomeADMINpassword
      users:
      - name: pinky
      - name: brain
      state: absent
```


Variables
=========

ipauser
-------

**General Variables:**

Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` | The list of user name strings. Either `name` with *user variables* or `users` containing *user variables* needs to be used. | no
**User variables** | Only used with the `name` variable in the first level. | no
`users` | The list of user dicts. Each `users` dict entry can contain **user variables**. There is one required option in the `users` dict: | no
  | `name` - The user name string of the entry. | yes
  | **User variables** | no
`preserve` | Delete a user, keeping the entry available for future use. (bool) | no
`update_password` | Set the password for a user in state `present` only on creation or always. It can be one of `always` or `on_create` and defaults to `always`. | no
`action` | Work on user or member level. It can be one of `member` or `user` and defaults to `user`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `unlocked` or `undeleted`, default: `present`. Only `name` or `users` with only `name` set are allowed if state is not `present`. | yes


**User Variables:**

Variable | Description | Required
-------- | ----------- | --------
`first` \| `givenname` | The first name string. | no
`last` \| `sn` | The last name string. | no
`fullname` \| `cn` | The full name string. | no
`displayname` | The display name string. | no
`homedir` | The home directory string. | no
`shell` \| `loginshell` | The login shell string. | no
`email` | List of email address strings. | no
`principal` \| `principalname` \| `krbprincipalname` | The kerberos principal string. | no
`principalexpiration` \| `krbprincipalexpiration` | The kerberos principal expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. | no
`passwordexpiration` \| `krbpasswordexpiration` | The kerberos password expiration date. Possible formats: `YYYYMMddHHmmssZ`, `YYYY-MM-ddTHH:mm:ssZ`, `YYYY-MM-ddTHH:mmZ`, `YYYY-MM-ddZ`, `YYYY-MM-dd HH:mm:ssZ` or `YYYY-MM-dd HH:mmZ`. The trailing 'Z' can be skipped. Only usable with IPA versions 4.7 and up. | no
`password` | The user password string. | no
`random` | Generate a random user password. (bool) | no
`uid` \| `uidnumber` | The UID integer. | no
`gid` \| `gidnumber` | The GID integer. | no
`city` | City | no
`userstate` \| `st` | State/Province | no
`postalcode` \| `zip` | Postalcode/ZIP | no
`phone` \| `telephonenumber` | List of telephone number strings. | no
`mobile` | List of mobile telephone number strings. | no
`pager` | List of pager number strings. | no
`fax` \| `facsimiletelephonenumber` | List of fax number strings. | no
`orgunit` | The Organisation unit. | no
`title` | The job title string. | no
`manager` | List of manager user names. | no
`carlicense` | List of car licenses. | no
`sshpubkey` \| `ipasshpubkey` | List of SSH public keys. | no
`userauthtype` | List of supported user authentication types. Choices: `password`, `radius`, `otp` and `` (the empty string). Use the empty string to reset userauthtype to the initial value. | no
`userclass` | User category (semantics placed on this attribute are for local interpretation). | no
`radius` | RADIUS proxy configuration | no
`radiususer` | RADIUS proxy username | no
`departmentnumber` | Department Number | no
`employeenumber` | Employee Number | no
`employeetype` | Employee Type | no
`preferredlanguage` | Preferred Language | no
`certificate` | List of base-64 encoded user certificates. | no
`certmapdata` | List of certificate mappings. Either `data`, or `certificate`, or `issuer` together with `subject` needs to be specified. Only usable with IPA versions 4.5 and up. Options: | no
  | `certificate` - Base-64 encoded user certificate, not usable with other certmapdata options. | no
  | `issuer` - Issuer of the certificate, only usable together with the `subject` option. | no
  | `subject` - Subject of the certificate, only usable together with the `issuer` option. | no
  | `data` - Certmap data, not usable with other certmapdata options. | no
`noprivate` | Do not create user private group. (bool) | no
`nomembers` | Suppress processing of membership attributes. (bool) | no

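The rules in the two tables above (exactly one of `name` or `users`, names only when `state` is not `present`, the documented expiration date formats, and the allowed `certmapdata` combinations) can be checked before a play runs. This is an added example written for this README, not code from ansible-freeipa: `check_ipauser_args`, `parse_ipa_date` and `check_certmapdata` are hypothetical helpers that take the task arguments as a plain dict and encode the tables' rules as I read them.

```python
from datetime import datetime

# Documented expiration date formats; parse_ipa_date strips an optional trailing 'Z'.
DATE_FORMATS = ("%Y%m%d%H%M%S", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M",
                "%Y-%m-%d", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M")
STATES = ("present", "absent", "enabled", "disabled", "unlocked", "undeleted")
# General variables; any other first-level key is a user variable.
GENERAL = {"ipaadmin_principal", "ipaadmin_password", "name", "users",
           "preserve", "update_password", "action", "state"}

def parse_ipa_date(value):
    """Parse one of the documented formats; the trailing 'Z' may be skipped."""
    text = value[:-1] if value.endswith("Z") else value
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unsupported date format: %r" % value)

def check_certmapdata(entry):
    """Allowed: data alone, certificate alone, or issuer together with subject."""
    given = {k for k in ("data", "certificate", "issuer", "subject") if entry.get(k)}
    if given not in ({"data"}, {"certificate"}, {"issuer", "subject"}):
        raise ValueError("bad certmapdata combination: %s" % sorted(given))

def check_ipauser_args(args):
    """Validate ipauser task arguments; return the list of user names handled."""
    state = args.get("state", "present")
    if state not in STATES:
        raise ValueError("invalid state: %r" % state)
    if args.get("update_password", "always") not in ("always", "on_create"):
        raise ValueError("update_password must be 'always' or 'on_create'")
    if ("name" in args) == ("users" in args):
        raise ValueError("exactly one of 'name' or 'users' must be given")
    if "name" in args:
        names = args["name"]
        if isinstance(names, str):  # "pinky,brain" form used in the examples
            names = [n.strip() for n in names.split(",")]
        shared = {k: v for k, v in args.items() if k not in GENERAL}
        entries = [(n, shared) for n in names]
    else:  # users: list of dicts, each needing at least name
        if any("name" not in u for u in args["users"]):
            raise ValueError("every users entry needs 'name'")
        entries = [(u["name"], {k: v for k, v in u.items() if k != "name"})
                   for u in args["users"]]
    for name, uservars in entries:
        if state != "present" and uservars:
            raise ValueError("%s: state %s allows only names" % (name, state))
        for key, value in uservars.items():
            if key.endswith("expiration"):  # all four expiration aliases
                parse_ipa_date(value)
        for mapping in uservars.get("certmapdata", []):
            check_certmapdata(mapping)
    return [name for name, _ in entries]
```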

Return Values
=============

ipauser
-------

There are only return values if one or more random passwords have been generated.

Variable | Description | Returned When
-------- | ----------- | -------------
`user` | User dict with random password. (dict) Options: | If random is yes and user did not exist or update_password is yes
  | `randompassword` - The generated random password | If only one user is handled by the module
  | `name` - The user name of the user that got a new random password. (dict) Options: | If several users are handled by the module
  |   `randompassword` - The generated random password | If several users are handled by the module

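Reading the two result shapes described above back out of a registered result, as an added example that is not part of the module: `random_passwords` is a hypothetical helper, and because the single-user shape carries no user name, the caller passes the names the task handled. The result dicts below are constructed to match the table.

```python
def random_passwords(result, names):
    """Return {user name: generated password} from a registered ipauser result.

    With one user the module returns {"user": {"randompassword": ...}}; with
    several it returns {"user": {<name>: {"randompassword": ...}, ...}}.
    An empty dict is returned when no random password was generated.
    """
    user = result.get("user") or {}
    if "randompassword" in user:  # single-user shape: the name is not in the result
        if len(names) != 1:
            raise ValueError("single-user result but %d names given" % len(names))
        return {names[0]: user["randompassword"]}
    # multi-user shape: only users that got a new password appear in the dict
    return {n: user[n]["randompassword"] for n in names
            if isinstance(user.get(n), dict) and "randompassword" in user[n]}


# Constructed results in the shapes the Return Values table describes.
SINGLE_RESULT = {"changed": True, "user": {"randompassword": "Xy7-constructed"}}
MULTI_RESULT = {"changed": True,
                "user": {"pinky": {"randompassword": "p-constructed"},
                         "brain": {"randompassword": "b-constructed"}}}
NO_RANDOM_RESULT = {"changed": False}
```

A registered result like this holds the clear-text passwords, so in a real play hand it to a secret store with `no_log: true` on the task rather than printing it with `debug`.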

Authors
=======

Thomas Woerner