The service module allows you to ensure the presence and absence of services.
FreeIPA versions 4.4.0 and up are supported by the ipaservice module.
Some variables are only supported on newer versions of FreeIPA. Check the Variables section for details.
Controller
* Ansible version: 2.8+

Node
* Supported FreeIPA version (see above)
Example inventory file
```ini
[ipaserver]
ipaserver.test.local
```
Example playbook to make sure service is present:
```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service is present
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      certificate:
      - |
        MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
        VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
        LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
        oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
        4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
        xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
        UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
        eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
        5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
        uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
        2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
        obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
        /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
      pac_type: PAD
      auth_ind: otp
      requires_pre_auth: false
      ok_as_delegate: false
      ok_to_auth_as_delegate: false
      skip_host_check: true
      force: true
```
Example playbook to make sure service is absent:
```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service is absent
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      state: absent
```
Example playbook to make sure service is disabled:
```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service is disabled
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      state: disabled
```
Example playbook to add a service even if the host object does not exist, but only if it does have a DNS entry:
```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service is present even if no host object exists for it
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      skip_host_check: true
      force: false
```
Example playbook to add a service even if its host is not in DNS, but only if the host object exists:
```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service is present even if the host is not in DNS
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      skip_host_check: false
      force: true
```
Example playbook to ensure service has a certificate:
```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure service member certificate is present.
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      certificate:
      - |
        MIIC/zCCAeegAwIBAgIUMNHIbn+hhrOVew/2WbkteisV29QwDQYJKoZIhvcNAQELBQAw
        DzENMAsGA1UEAwwEdGVzdDAeFw0yMDAyMDQxNDQxMDhaFw0zMDAyMDExNDQxMDhaMA8xDT
        ALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC+XVVGFYpH
        VkcDfVnNInE1Y/pFciegdzqTjMwUWlRL4Zt3u96GhaMLRbtk+OfEkzLUAhWBOwEraELJzM
        LJOMvjYF3C+TiGO7dStFLikZmccuSsSIXjnzIPwBXa8KvgRVRyGLoVvGbLJvmjfMXp0nIT
        oTx/i74KF9S++WEes9H5ErJ99CDhLKFgq0amnvsgparYXhypHaRLnikn0vQINt55YoEd1s
        4KrvEcD2VdZkIMPbLRu2zFvMprF3cjQQG4LT9ggfEXNIPZ1nQWAnAsu7OJEkNF+E4Mkmpc
        xj9aGUVt5bsq1D+Tzj3GsidSX0nSNcZ2JltXRnL/5v63g5cZyE+nAgMBAAGjUzBRMB0GA1
        UdDgQWBBRV0j7JYukuH/r/t9+QeNlRLXDlEDAfBgNVHSMEGDAWgBRV0j7JYukuH/r/t9+Q
        eNlRLXDlEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCgVy1+1kNwHs
        5y1Zp0WjMWGCJC6/zw7FDG4OW5r2GJiCXZYdJ0UonY9ZtoVLJPrp2/DAv1m5DtnDhBYqic
        uPgLzEkOS1KdTi20Otm/J4yxLLrZC5W4x0XOeSVPXOJuQWfwQ5pPvKkn6WxYUYkGwIt1OH
        2nSMngkbami3CbSmKZOCpgQIiSlQeDJ8oGjWFMLDymYSHoVOIXHwNoooyEiaio3693l6no
        obyGv49zyCVLVR1DC7i6RJ186ql0av+D4vPoiF5mX7+sKC2E8xEj9uKQ5GTWRh59VnRBVC
        /SiMJ/H78tJnBAvoBwXxSEvj8Z3Kjm/BQqZfv4IBsA5yqV7MVq
      action: member
      state: present
```
Example playbook to add a principal to the service:
```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Principal host/principal.example.com present in service.
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      principal: host/principal.example.com
      action: member
```
Example playbook to enable a host to manage service:
```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Ensure host can manage service.
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      host: host1.example.com
      action: member
```
Example playbook to allow users, groups, hosts or hostgroups to create a keytab of this service:
```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Allow users, groups, hosts or host groups to create a keytab of this service.
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      allow_create_keytab_user:
      - user01
      - user02
      allow_create_keytab_group:
      - group01
      - group02
      allow_create_keytab_host:
      - host1.example.com
      - host2.example.com
      allow_create_keytab_hostgroup:
      - hostgroup01
      - hostgroup02
      action: member
```
Example playbook to allow users, groups, hosts or hostgroups to retrieve a keytab of this service:
```yaml
---
- name: Playbook to manage IPA service.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Allow users, groups, hosts or host groups to retrieve a keytab of this service.
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      allow_retrieve_keytab_user:
      - user01
      - user02
      allow_retrieve_keytab_group:
      - group01
      - group02
      allow_retrieve_keytab_host:
      - "{{ host1_fqdn }}"
      - "{{ host2_fqdn }}"
      allow_retrieve_keytab_hostgroup:
      - hostgroup01
      - hostgroup02
      action: member
```
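The member-level settings above can be revoked in the same way: with `action: member` and `state: absent` the module removes only the listed members and leaves the service itself in place. The following playbook is an added example, not part of the module's own README; it revokes the keytab rights and the management right of a decommissioned host across several services. The service names and the host name are assumed.

```yaml
---
- name: Revoke keytab and management rights of a decommissioned host.
  hosts: ipaserver
  become: true
  gather_facts: false

  tasks:
  # Remove host2.example.com (assumed, decommissioned) from the retrieve and
  # create keytab ACLs of several services in one task. name accepts a list,
  # so every listed service is handled. With action: member and state: absent
  # only the listed members are removed; the services are not deleted.
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name:
      - HTTP/www.example.com
      - ldap/ds.example.com
      allow_retrieve_keytab_host:
      - host2.example.com
      allow_create_keytab_host:
      - host2.example.com
      action: member
      state: absent

  # The host must no longer be able to manage the service either.
  - ipaservice:
      ipaadmin_password: SomeADMINpassword
      name: HTTP/www.example.com
      host: host2.example.com
      action: member
      state: absent
```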
ipaservice
Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`name` \| `service` | The list of service name strings. | yes
`certificate` \| `usercertificate` | Base-64 encoded service certificate. | no
`pac_type` \| `ipakrbauthzdata` | Supported PAC type. It can be one of `MS-PAC`, `PAD`, or `NONE`. | no
`auth_ind` \| `krbprincipalauthind` | Defines an allow list for Authentication Indicators. It can be any of `otp`, `radius`, `pkinit`, or `hardened`. | no
`requires_pre_auth` \| `ipakrbrequirespreauth` | Pre-authentication is required for the service. Default to true. (bool) | no
`ok_as_delegate` \| `ipakrbokasdelegate` | Client credentials may be delegated to the service. Default to false. (bool) | no
`ok_to_auth_as_delegate` \| `ipakrboktoauthasdelegate` | The service is allowed to authenticate on behalf of a client. Default to false. (bool) | no
`skip_host_check` | Force service to be created even when host object does not exist to manage it. Only usable with IPA versions 4.7.0 and up. Default to false. (bool) | no
`force` | Force principal name even if host not in DNS. Default to false. (bool) | no
`host` \| `managedby_host` | Hosts that can manage the service. | no
`principal` \| `krbprincipalname` | List of principal aliases for the service. | no
`allow_create_keytab_user` \| `ipaallowedtoperform_write_keys_user` | Users allowed to create a keytab of this service. | no
`allow_create_keytab_group` \| `ipaallowedtoperform_write_keys_group` | Groups allowed to create a keytab of this service. | no
`allow_create_keytab_host` \| `ipaallowedtoperform_write_keys_host` | Hosts allowed to create a keytab of this service. | no
`allow_create_keytab_hostgroup` \| `ipaallowedtoperform_write_keys_hostgroup` | Host groups allowed to create a keytab of this service. | no
`allow_retrieve_keytab_user` \| `ipaallowedtoperform_read_keys_user` | Users allowed to retrieve a keytab of this service. | no
`allow_retrieve_keytab_group` \| `ipaallowedtoperform_read_keys_group` | Groups allowed to retrieve a keytab of this service. | no
`allow_retrieve_keytab_host` \| `ipaallowedtoperform_read_keys_host` | Hosts allowed to retrieve a keytab of this service. | no
`allow_retrieve_keytab_hostgroup` \| `ipaallowedtoperform_read_keys_hostgroup` | Host groups allowed to retrieve a keytab of this service. | no
`continue` | Continuous mode: don't stop on errors. Valid only if `state` is `absent`. Default: no (bool) | no
`action` | Work on service or member level. It can be one of `member` or `service` and defaults to `service`. | no
`state` | The state to ensure. It can be one of `present`, `absent`, or `disabled`, default: `present`. | no
Rafael Jeffman