-
Notifications
You must be signed in to change notification settings - Fork 232
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
There is a new idview management module placed in the plugins folder:
plugins/modules/ipaidview.py
The idview module allows to ensure presence and absence of idviews and
idview host members.
Here is the documentation for the module:
README-idview.md
New example playbooks have been added:
playbooks/idview/idview-absent.yml
playbooks/idview/idview-host-applied.yml
playbooks/idview/idview-host-unapplied.yml
playbooks/idview/idview-present.yml
New tests for the module can be found at:
tests/idview/test_idview.yml
tests/idview/test_idview_client_context.yml- Loading branch information
Showing
9 changed files
with
909 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,153 @@ | ||
| Idview module | ||
| ============ | ||
|
|
||
| Description | ||
| ----------- | ||
|
|
||
| The idview module allows to ensure presence and absence of idviews and idview host members. | ||
|
|
||
| Use Cases | ||
| --------- | ||
|
|
||
| With ID views it is possible to override user or group attributes for users stored in the LDAP server. For example the login name, home directory, certificate for authentication or SSH keys. An ID view is client-side and specifies new values for user or group attributes and also the client host or hosts on which the values apply. | ||
|
|
||
| The ID view and the applied hosts are managed with idview, the user attributes are managed with idoverrideuser and the group attributes with idoverridegroup. | ||
|
|
||
| Features | ||
| -------- | ||
|
|
||
| * Idview management | ||
|
|
||
|
|
||
| Supported FreeIPA Versions | ||
| -------------------------- | ||
|
|
||
| FreeIPA versions 4.4.0 and up are supported by the ipaidview module. | ||
|
|
||
|
|
||
| Requirements | ||
| ------------ | ||
|
|
||
| **Controller** | ||
| * Ansible version: 2.8+ | ||
|
|
||
| **Node** | ||
| * Supported FreeIPA version (see above) | ||
|
|
||
|
|
||
| Usage | ||
| ===== | ||
|
|
||
| Example inventory file | ||
|
|
||
| ```ini | ||
| [ipaserver] | ||
| ipaserver.test.local | ||
| ``` | ||
|
|
||
|
|
||
| Example playbook to make sure idview "test_idview" is present: | ||
|
|
||
| ```yaml | ||
| --- | ||
| - name: Playbook to manage IPA idview. | ||
| hosts: ipaserver | ||
| become: false | ||
|
|
||
| tasks: | ||
| - ipaidview: | ||
| ipaadmin_password: SomeADMINpassword | ||
| name: test_idview | ||
| ``` | ||
| Example playbook to make sure idview "test_idview" member host "testhost.example.com" is present: | ||
| ```yaml | ||
| --- | ||
| - name: Playbook to manage IPA idview host member. | ||
| hosts: ipaserver | ||
| become: false | ||
|
|
||
| tasks: | ||
| - ipaidview: | ||
| ipaadmin_password: SomeADMINpassword | ||
| name: test_idview | ||
| host: testhost.example.com | ||
| action: member | ||
| ``` | ||
| Example playbook to make sure idview "test_idview" member host "testhost.example.com" is absent: | ||
| ```yaml | ||
| --- | ||
| - name: Playbook to manage IPA idview host member. | ||
| hosts: ipaserver | ||
| become: false | ||
|
|
||
| tasks: | ||
| - ipaidview: | ||
| ipaadmin_password: SomeADMINpassword | ||
| name: test_idview | ||
| host: testhost.example.com | ||
| action: member | ||
| state: absent | ||
| ``` | ||
| Example playbook to make sure idview "test_idview" is present with domain_resolution_order for "ad.example.com:ipa.example.com": | ||
| ```yaml | ||
| --- | ||
| - name: Playbook to manage IPA idview host member. | ||
| hosts: ipaserver | ||
| become: false | ||
|
|
||
| tasks: | ||
| - ipaidview: | ||
| ipaadmin_password: SomeADMINpassword | ||
| name: test_idview | ||
| domain_resolution_order: "ad.example.com:ipa.example.com" | ||
| ``` | ||
| Example playbook to make sure idview "test_idview" is absent: | ||
| ```yaml | ||
| --- | ||
| - name: Playbook to manage IPA idview. | ||
| hosts: ipaserver | ||
| become: false | ||
|
|
||
| tasks: | ||
| - ipaidview: | ||
| ipaadmin_password: SomeADMINpassword | ||
| name: test_idview | ||
| state: absent | ||
| ``` | ||
| Variables | ||
| --------- | ||
| Variable | Description | Required | ||
| -------- | ----------- | -------- | ||
| `ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no | ||
| `ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no | ||
| `ipaapi_context` | The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are `server` and `client`. | no | ||
| `ipaapi_ldap_cache` | Use LDAP cache for IPA connection. The bool setting defaults to true. (bool) | no | ||
| `name` \| `cn` | The list of idview name strings. | yes | ||
| `description` \| `desc` | The description string of the idview. | no | ||
| `domain_resolution_order` \| `ipadomainresolutionorder` | Colon-separated list of domains used for short name qualification. | no | ||
| `host` \| `hosts` | List of hosts to apply the ID View to. If a host is applied to an idview and is then applied to another idview, it will be removed from the previously applied idview and only be applied to the last idview. | no | ||
| `rename` \| `new_name` | Rename the ID view object to the new name string. Only usable with `state: renamed`. | no | ||
| `delete_continue` \| `continue` | Continuous mode. Don't stop on errors. Valid only if `state` is `absent`. | no | ||
| `action` | Work on idview or member level. It can be on of `member` or `idview` and defaults to `idview`. | no | ||
| `state` | The state to ensure. It can be one of `present`, `absent` and `renamed`, default: `present`. | no | ||
|
|
||
|
|
||
| Authors | ||
| ======= | ||
|
|
||
| Thomas Woerner |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| --- | ||
| - name: Idview absent example | ||
| hosts: ipaserver | ||
| become: no | ||
|
|
||
| tasks: | ||
| - name: Ensure idview test_idview is absent | ||
| ipaidview: | ||
| ipaadmin_password: SomeADMINpassword | ||
| name: test_idview | ||
| state: absent |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| --- | ||
| - name: Idview host member applied example | ||
| hosts: ipaserver | ||
| become: no | ||
|
|
||
| tasks: | ||
| - name: Ensure host testhost.example.com is applied to idview test_idview | ||
| ipaidview: | ||
| ipaadmin_password: SomeADMINpassword | ||
| name: test_idview | ||
| host: testhost.example.com | ||
| action: member |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| --- | ||
| - name: Idview host member unapplied example | ||
| hosts: ipaserver | ||
| become: no | ||
|
|
||
| tasks: | ||
| - name: Ensure host testhost.example.com is not applied to idview test_idview | ||
| ipaidview: | ||
| ipaadmin_password: SomeADMINpassword | ||
| name: test_idview | ||
| host: testhost.example.com | ||
| action: member | ||
| state: absent |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| --- | ||
| - name: Idview present example | ||
| hosts: ipaserver | ||
| become: no | ||
|
|
||
| tasks: | ||
| - name: Ensure idview test_idview is present | ||
| ipaidview: | ||
| ipaadmin_password: SomeADMINpassword | ||
| name: test_idview |
Oops, something went wrong.