use ipaadmin_principal for simplicity
This commit is contained in:
parent
98933f6e5d
commit
9e50935c62
@ -4,7 +4,7 @@
|
|||||||
# provided.
|
# provided.
|
||||||
# What is expected:
|
# What is expected:
|
||||||
# -> ipaadmin_password: This should be the password of the admin user
|
# -> ipaadmin_password: This should be the password of the admin user
|
||||||
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
|
# -> ipaadmin_principal: The admin user that has kerberos management capabilities (default is admin)
|
||||||
# -> ipa_zone: The zone name (eg, rockylinux.org)
|
# -> ipa_zone: The zone name (eg, rockylinux.org)
|
||||||
# -> ipa_name: The shortname (eg, buildbox instead of buildbox.rockylinux.org)
|
# -> ipa_name: The shortname (eg, buildbox instead of buildbox.rockylinux.org)
|
||||||
# -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
|
# -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
|
||||||
@ -33,7 +33,7 @@
|
|||||||
|
|
||||||
- name: "Creating DNS Record"
|
- name: "Creating DNS Record"
|
||||||
freeipa.ansible_freeipa.ipadnsrecord:
|
freeipa.ansible_freeipa.ipadnsrecord:
|
||||||
ipaadmin_principal: "{{ ipa_admin|default('admin') }}"
|
ipaadmin_principal: "{{ ipaadmin_principal|default('admin') }}"
|
||||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
zone_name: "{{ ipa_zone }}"
|
zone_name: "{{ ipa_zone }}"
|
||||||
name: "{{ ipa_name }}"
|
name: "{{ ipa_name }}"
|
||||||
@ -48,7 +48,7 @@
|
|||||||
# host doesn't exist, we'll ignore it.
|
# host doesn't exist, we'll ignore it.
|
||||||
- name: "Creating host object for CNAME"
|
- name: "Creating host object for CNAME"
|
||||||
freeipa.ansible_freeipa.ipahost:
|
freeipa.ansible_freeipa.ipahost:
|
||||||
ipaadmin_principal: "{{ ipa_admin|default('admin') }}"
|
ipaadmin_principal: "{{ ipaadmin_principal|default('admin') }}"
|
||||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
name: "{{ ipa_name }}.{{ ipa_zone }}"
|
name: "{{ ipa_name }}.{{ ipa_zone }}"
|
||||||
force: true
|
force: true
|
||||||
|
@ -14,7 +14,7 @@
|
|||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipaadmin_principal | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
- ipa_zone | mandatory
|
- ipa_zone | mandatory
|
||||||
success_msg: "Required variables provided"
|
success_msg: "Required variables provided"
|
||||||
@ -22,7 +22,7 @@
|
|||||||
|
|
||||||
- name: "Creating DNS Zone"
|
- name: "Creating DNS Zone"
|
||||||
freeipa.ansible_freeipa.ipadnszone:
|
freeipa.ansible_freeipa.ipadnszone:
|
||||||
ipaadmin_principal: "{{ ipa_admin }}"
|
ipaadmin_principal: "{{ ipaadmin_principal }}"
|
||||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
name: "{{ ipa_zone }}"
|
name: "{{ ipa_zone }}"
|
||||||
dynamicupdate: true
|
dynamicupdate: true
|
||||||
|
@ -10,7 +10,7 @@
|
|||||||
# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
|
# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
|
||||||
# -> ipa_server: This needs to be one of the IPA servers
|
# -> ipa_server: This needs to be one of the IPA servers
|
||||||
# -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
|
# -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
|
||||||
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin)
|
# -> ipaadmin_principal: The admin user that has kerberos management capabilities (default is admin)
|
||||||
# -> ipaadmin_password: This should be the password of the admin user
|
# -> ipaadmin_password: This should be the password of the admin user
|
||||||
|
|
||||||
- name: Pull keytab from IPA
|
- name: Pull keytab from IPA
|
||||||
@ -24,7 +24,7 @@
|
|||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipaadmin_principal | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
- ipa_service | mandatory
|
- ipa_service | mandatory
|
||||||
- ipa_keytab_fullpath | mandatory
|
- ipa_keytab_fullpath | mandatory
|
||||||
@ -46,33 +46,33 @@
|
|||||||
success_msg: "Keytab doesn't exist, moving on..."
|
success_msg: "Keytab doesn't exist, moving on..."
|
||||||
fail_msg: "Keytab with that name already exists, skipping."
|
fail_msg: "Keytab with that name already exists, skipping."
|
||||||
|
|
||||||
- name: "Grant {{ host }} and {{ ipa_admin }} access to the service keytab"
|
- name: "Grant {{ host }} and {{ ipaadmin_principal }} access to the service keytab"
|
||||||
delegate_to: "{{ ipa_server }}"
|
delegate_to: "{{ ipa_server }}"
|
||||||
freeipa.ansible_freeipa.ipaservice:
|
freeipa.ansible_freeipa.ipaservice:
|
||||||
ipaadmin_principal: "{{ ipa_admin }}"
|
ipaadmin_principal: "{{ ipaadmin_principal }}"
|
||||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
name: "{{ ipa_service }}"
|
name: "{{ ipa_service }}"
|
||||||
allow_retrieve_keytab_user:
|
allow_retrieve_keytab_user:
|
||||||
- "{{ ipa_admin }}"
|
- "{{ ipaadmin_principal }}"
|
||||||
allow_retrieve_keytab_host:
|
allow_retrieve_keytab_host:
|
||||||
- "{{ host }}"
|
- "{{ host }}"
|
||||||
action: member
|
action: member
|
||||||
|
|
||||||
- name: "Grant {{ host }} and {{ ipa_admin }} access to the host keytab"
|
- name: "Grant {{ host }} and {{ ipaadmin_principal }} access to the host keytab"
|
||||||
delegate_to: "{{ ipa_server }}"
|
delegate_to: "{{ ipa_server }}"
|
||||||
freeipa.ansible_freeipa.ipahost:
|
freeipa.ansible_freeipa.ipahost:
|
||||||
ipaadmin_principal: "{{ ipa_admin }}"
|
ipaadmin_principal: "{{ ipaadmin_principal }}"
|
||||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
name: "{{ host }}"
|
name: "{{ host }}"
|
||||||
state: present
|
state: present
|
||||||
allow_retrieve_keytab_user:
|
allow_retrieve_keytab_user:
|
||||||
- "{{ ipa_admin }}"
|
- "{{ ipaadmin_principal }}"
|
||||||
managedby_host: "{{ host }}"
|
managedby_host: "{{ host }}"
|
||||||
action: member
|
action: member
|
||||||
|
|
||||||
- name: "Get kerberos ticket"
|
- name: "Get kerberos ticket"
|
||||||
delegate_to: "{{ ipa_server }}"
|
delegate_to: "{{ ipa_server }}"
|
||||||
ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
|
ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipaadmin_principal }}"
|
||||||
check_mode: false
|
check_mode: false
|
||||||
changed_when: "1 != 1"
|
changed_when: "1 != 1"
|
||||||
when: not keytab_status.stat.exists
|
when: not keytab_status.stat.exists
|
||||||
|
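Review bot: The password still travels on the command line of the "Get kerberos ticket" task (`echo "{{ ipaadmin_password }}" | kinit {{ ipaadmin_principal }}`): the whole string is handed to a shell on `{{ ipa_server }}`, so it is visible in that host's process table and in Ansible's task output at higher verbosity, and the unquoted principal is interpreted by the shell. Because both values are supplied by the caller (the header comment says adhoc/AWX), I would feed the password on stdin and quote the principal: `ansible.builtin.command: "kinit {{ ipaadmin_principal | quote }}"`, `args: {stdin: "{{ ipaadmin_password }}"}`, plus `no_log: true` on the task. The "Prepare FAS if required" task in the groups playbook (hunk @ -39) has the same shape and needs the same treatment. Any keys of this task after `when:` are outside the hunk.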
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
# This playbook is meant to be used with callable variables, like adhoc or AWX.
|
||||||
# What: Creates groups in the idm infrastructure based on the variables provided
|
# What: Creates groups in the idm infrastructure based on the variables provided
|
||||||
# You MUST provide an ipa_admin user to run this.
|
# You MUST provide an ipaadmin_principal user to run this.
|
||||||
# If group is going to be a fas group (exposed in noggin), ensure ipa_fas is
|
# If group is going to be a fas group (exposed in noggin), ensure ipa_fas is
|
||||||
# set to true.
|
# set to true.
|
||||||
|
|
||||||
@ -18,7 +18,7 @@
|
|||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipaadmin_principal | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
- ipa_group | mandatory
|
- ipa_group | mandatory
|
||||||
- ipa_description | mandatory
|
- ipa_description | mandatory
|
||||||
@ -28,7 +28,7 @@
|
|||||||
|
|
||||||
- name: "Creating New Group"
|
- name: "Creating New Group"
|
||||||
freeipa.ansible_freeipa.ipagroup:
|
freeipa.ansible_freeipa.ipagroup:
|
||||||
ipaadmin_principal: "{{ ipa_admin }}"
|
ipaadmin_principal: "{{ ipaadmin_principal }}"
|
||||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
name: "{{ ipa_group }}"
|
name: "{{ ipa_group }}"
|
||||||
description: "{{ ipa_description }}"
|
description: "{{ ipa_description }}"
|
||||||
@ -39,7 +39,7 @@
|
|||||||
- groups
|
- groups
|
||||||
|
|
||||||
- name: "Prepare FAS if required"
|
- name: "Prepare FAS if required"
|
||||||
ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}"
|
ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipaadmin_principal }}"
|
||||||
check_mode: false
|
check_mode: false
|
||||||
changed_when: "1 != 1"
|
changed_when: "1 != 1"
|
||||||
when: ipa_fas
|
when: ipa_fas
|
||||||
|
@ -13,7 +13,7 @@
|
|||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipaadmin_principal | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
- ipa_service | mandatory
|
- ipa_service | mandatory
|
||||||
success_msg: "Required variables provided"
|
success_msg: "Required variables provided"
|
||||||
@ -21,7 +21,7 @@
|
|||||||
|
|
||||||
- name: "Creating Kerberos Service"
|
- name: "Creating Kerberos Service"
|
||||||
freeipa.ansible_freeipa.ipaservice:
|
freeipa.ansible_freeipa.ipaservice:
|
||||||
ipaadmin_principal: "{{ ipa_admin }}"
|
ipaadmin_principal: "{{ ipaadmin_principal }}"
|
||||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
name: "{{ ipa_service }}"
|
name: "{{ ipa_service }}"
|
||||||
skip_host_check: "{{ ipa_skip_host_check | default(false) }}"
|
skip_host_check: "{{ ipa_skip_host_check | default(false) }}"
|
||||||
|
@ -17,7 +17,7 @@
|
|||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipaadmin_principal | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
- ipa_name | mandatory
|
- ipa_name | mandatory
|
||||||
- ticket_id | mandatory
|
- ticket_id | mandatory
|
||||||
@ -26,7 +26,7 @@
|
|||||||
|
|
||||||
- name: "Disabling User Account"
|
- name: "Disabling User Account"
|
||||||
freeipa.ansible_freeipa.ipauser:
|
freeipa.ansible_freeipa.ipauser:
|
||||||
ipaadmin_principal: "{{ ipa_admin }}"
|
ipaadmin_principal: "{{ ipaadmin_principal }}"
|
||||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
name: "{{ ipa_name }}"
|
name: "{{ ipa_name }}"
|
||||||
state: disabled
|
state: disabled
|
||||||
@ -40,7 +40,7 @@
|
|||||||
values: []
|
values: []
|
||||||
state: exact
|
state: exact
|
||||||
server_uri: ldap://localhost/
|
server_uri: ldap://localhost/
|
||||||
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
bind_dn: "uid={{ ipaadmin_principal }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||||
bind_pw: "{{ ipaadmin_password }}"
|
bind_pw: "{{ ipaadmin_password }}"
|
||||||
with_items:
|
with_items:
|
||||||
- fasGPGKeyId
|
- fasGPGKeyId
|
||||||
@ -70,7 +70,7 @@
|
|||||||
values: "Account Disabled: {{ ticket_id }}"
|
values: "Account Disabled: {{ ticket_id }}"
|
||||||
state: exact
|
state: exact
|
||||||
server_uri: ldap://localhost/
|
server_uri: ldap://localhost/
|
||||||
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
bind_dn: "uid={{ ipaadmin_principal }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||||
bind_pw: "{{ ipaadmin_password }}"
|
bind_pw: "{{ ipaadmin_password }}"
|
||||||
|
|
||||||
- name: "Set FAS Account Information to Private"
|
- name: "Set FAS Account Information to Private"
|
||||||
@ -80,6 +80,6 @@
|
|||||||
values: "TRUE"
|
values: "TRUE"
|
||||||
state: exact
|
state: exact
|
||||||
server_uri: ldap://localhost/
|
server_uri: ldap://localhost/
|
||||||
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
bind_dn: "uid={{ ipaadmin_principal }},cn=users,cn=accounts,dc=rockylinux,dc=org"
|
||||||
bind_pw: "{{ ipaadmin_password }}"
|
bind_pw: "{{ ipaadmin_password }}"
|
||||||
...
|
...
|
||||||
|
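Review bot: `bind_dn: "uid={{ ipaadmin_principal }},cn=users,cn=accounts,dc=rockylinux,dc=org"` splices a caller-supplied value into an LDAP DN with no escaping, and the variable is now named as a Kerberos principal while the DN needs a bare uid: a value such as `admin@REALM`, or one containing `,`, `=` or `+`, produces a different DN than intended. The only check on it is `ipaadmin_principal | mandatory` in the assert earlier in this file (hunk @ -17). I would tighten that assert to a bare-uid shape, e.g. `- ipaadmin_principal is match('^[A-Za-z0-9_.-]+$')`, so the three bind_dn tasks (hunks @ -40, @ -70, @ -80) cannot be handed a malformed DN. The tasks owning these `bind_dn` keys begin before their hunks, so the module in use is not visible here.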
@ -13,7 +13,7 @@
|
|||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipaadmin_principal | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
- ipa_name | mandatory
|
- ipa_name | mandatory
|
||||||
success_msg: "Required variables provided"
|
success_msg: "Required variables provided"
|
||||||
@ -21,7 +21,7 @@
|
|||||||
|
|
||||||
- name: "Disabling User Account"
|
- name: "Disabling User Account"
|
||||||
freeipa.ansible_freeipa.ipauser:
|
freeipa.ansible_freeipa.ipauser:
|
||||||
ipaadmin_principal: "{{ ipa_admin }}"
|
ipaadmin_principal: "{{ ipaadmin_principal }}"
|
||||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
name: "{{ ipa_name }}"
|
name: "{{ ipa_name }}"
|
||||||
state: disabled
|
state: disabled
|
||||||
|
@ -13,7 +13,7 @@
|
|||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipaadmin_principal | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
- ipa_name | mandatory
|
- ipa_name | mandatory
|
||||||
success_msg: "Required variables provided"
|
success_msg: "Required variables provided"
|
||||||
@ -21,7 +21,7 @@
|
|||||||
|
|
||||||
- name: "Enabling User Account"
|
- name: "Enabling User Account"
|
||||||
freeipa.ansible_freeipa.ipauser:
|
freeipa.ansible_freeipa.ipauser:
|
||||||
ipaadmin_principal: "{{ ipa_admin }}"
|
ipaadmin_principal: "{{ ipaadmin_principal }}"
|
||||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
name: "{{ ipa_name }}"
|
name: "{{ ipa_name }}"
|
||||||
state: enabled
|
state: enabled
|
||||||
|
@ -13,7 +13,7 @@
|
|||||||
- name: "Checking for user variables"
|
- name: "Checking for user variables"
|
||||||
ansible.builtin.assert:
|
ansible.builtin.assert:
|
||||||
that:
|
that:
|
||||||
- ipa_admin | mandatory
|
- ipaadmin_principal | mandatory
|
||||||
- ipaadmin_password | mandatory
|
- ipaadmin_password | mandatory
|
||||||
- ipa_name | mandatory
|
- ipa_name | mandatory
|
||||||
- ipa_first | mandatory
|
- ipa_first | mandatory
|
||||||
@ -26,7 +26,7 @@
|
|||||||
|
|
||||||
- name: "Creating User Account"
|
- name: "Creating User Account"
|
||||||
freeipa.ansible_freeipa.ipauser:
|
freeipa.ansible_freeipa.ipauser:
|
||||||
ipaadmin_principal: "{{ ipa_admin }}"
|
ipaadmin_principal: "{{ ipaadmin_principal }}"
|
||||||
ipaadmin_password: "{{ ipaadmin_password }}"
|
ipaadmin_password: "{{ ipaadmin_password }}"
|
||||||
name: "{{ ipa_name }}"
|
name: "{{ ipa_name }}"
|
||||||
first: "{{ ipa_first }}"
|
first: "{{ ipa_first }}"
|
||||||
|