The pwpolicy module allows to ensure presence and absence of pwpolicies.
FreeIPA versions 4.4.0 and up are supported by the ipapwpolicy module.
Controller * Ansible version: 2.8+
Node * Supported FreeIPA version (see above)
Example inventory file
[ipaserver] ipaserver.test.local
Example playbook to ensure presence of pwpolicies for exisiting group ops:
tasks: - name: Ensure presence of pwpolicies for group ops ipapwpolicy: ipaadmin_password: MyPassword123 name: ops minlife: 7 maxlife: 49 history: 5 priority: 1 lockouttime: 300 minlength: 8 maxfail: 3
Example playbook to ensure absence of pwpolicies for group ops
--- - name: Playbook to handle pwpolicies hosts: ipaserver become: true tasks: # Ensure absence of pwpolicies for group ops - ipapwpolicy: ipaadmin_password: MyPassword123 name: ops state: absent
| Variable | Description | Required |
|---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin |
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
name | cn |
The list of pwpolicy name strings. | no |
maxlife | krbmaxpwdlife |
Maximum password lifetime in days. (int) | no |
minlife | krbminpwdlife |
Minimum password lifetime in hours. (int) | no |
history | krbpwdhistorylength |
Password history size. (int) | no |
minclasses | krbpwdmindiffchars |
Minimum number of character classes. (int) | no |
minlength | krbpwdminlength |
Minimum length of password. (int) | no |
priority | cospriority |
Priority of the policy, higher number means lower priority. (int) | no |
maxfail | krbpwdmaxfailure |
Consecutive failures before lockout. (int) | no |
failinterval | krbpwdfailurecountinterval |
Period after which failure count will be reset in seconds. (int) | no |
lockouttime | krbpwdlockoutduration |
Period for which lockout is enforced in seconds. (int) | no |
state |
The state to ensure. It can be one of present or absent, default: present. |
yes |
Thomas Woerner