use ipaadmin_principal for simplicity

Louis Abel 2024-02-12 22:35:41 -07:00
parent 98933f6e5d
commit 9e50935c62
Signed by: label
GPG Key ID: 3331F061D1D9990E
9 changed files with 31 additions and 31 deletions


@ -4,7 +4,7 @@
# provided. # provided.
# What is expected: # What is expected:
# -> ipaadmin_password: This should be the password of the admin user # -> ipaadmin_password: This should be the password of the admin user
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin) # -> ipaadmin_principal: The admin user that has kerberos management capabilities (default is admin)
# -> ipa_zone: The zone name (eg, rockylinux.org) # -> ipa_zone: The zone name (eg, rockylinux.org)
# -> ipa_name: The shortname (eg, buildbox instead of buildbox.rockylinux.org) # -> ipa_name: The shortname (eg, buildbox instead of buildbox.rockylinux.org)
# -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR) # -> ipa_name_type: Type of record (eg, CNAME, A, AAAA, PTR)
@ -33,7 +33,7 @@
- name: "Creating DNS Record" - name: "Creating DNS Record"
freeipa.ansible_freeipa.ipadnsrecord: freeipa.ansible_freeipa.ipadnsrecord:
ipaadmin_principal: "{{ ipa_admin|default('admin') }}" ipaadmin_principal: "{{ ipaadmin_principal|default('admin') }}"
ipaadmin_password: "{{ ipaadmin_password }}" ipaadmin_password: "{{ ipaadmin_password }}"
zone_name: "{{ ipa_zone }}" zone_name: "{{ ipa_zone }}"
name: "{{ ipa_name }}" name: "{{ ipa_name }}"
@ -48,7 +48,7 @@
# host doesn't exist, we'll ignore it. # host doesn't exist, we'll ignore it.
- name: "Creating host object for CNAME" - name: "Creating host object for CNAME"
freeipa.ansible_freeipa.ipahost: freeipa.ansible_freeipa.ipahost:
ipaadmin_principal: "{{ ipa_admin|default('admin') }}" ipaadmin_principal: "{{ ipaadmin_principal|default('admin') }}"
ipaadmin_password: "{{ ipaadmin_password }}" ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_name }}.{{ ipa_zone }}" name: "{{ ipa_name }}.{{ ipa_zone }}"
force: true force: true


@ -14,7 +14,7 @@
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipaadmin_principal | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_zone | mandatory - ipa_zone | mandatory
success_msg: "Required variables provided" success_msg: "Required variables provided"
@ -22,7 +22,7 @@
- name: "Creating DNS Zone" - name: "Creating DNS Zone"
freeipa.ansible_freeipa.ipadnszone: freeipa.ansible_freeipa.ipadnszone:
ipaadmin_principal: "{{ ipa_admin }}" ipaadmin_principal: "{{ ipaadmin_principal }}"
ipaadmin_password: "{{ ipaadmin_password }}" ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_zone }}" name: "{{ ipa_zone }}"
dynamicupdate: true dynamicupdate: true


@ -10,7 +10,7 @@
# -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab # -> ipa_keytab_fullpath: The full path to the keytab. Example: /etc/gitlab/gitlab.keytab
# -> ipa_server: This needs to be one of the IPA servers # -> ipa_server: This needs to be one of the IPA servers
# -> ipa_owner: If applicable, the local account that can read this keytab (eg apache) # -> ipa_owner: If applicable, the local account that can read this keytab (eg apache)
# -> ipa_admin: The admin user that has kerberos management capabilities (default is admin) # -> ipaadmin_principal: The admin user that has kerberos management capabilities (default is admin)
# -> ipaadmin_password: This should be the password of the admin user # -> ipaadmin_password: This should be the password of the admin user
- name: Pull keytab from IPA - name: Pull keytab from IPA
@ -24,7 +24,7 @@
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipaadmin_principal | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_service | mandatory - ipa_service | mandatory
- ipa_keytab_fullpath | mandatory - ipa_keytab_fullpath | mandatory
@ -46,33 +46,33 @@
success_msg: "Keytab doesn't exist, moving on..." success_msg: "Keytab doesn't exist, moving on..."
fail_msg: "Keytab with that name already exists, skipping." fail_msg: "Keytab with that name already exists, skipping."
- name: "Grant {{ host }} and {{ ipa_admin }} access to the service keytab" - name: "Grant {{ host }} and {{ ipaadmin_principal }} access to the service keytab"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
freeipa.ansible_freeipa.ipaservice: freeipa.ansible_freeipa.ipaservice:
ipaadmin_principal: "{{ ipa_admin }}" ipaadmin_principal: "{{ ipaadmin_principal }}"
ipaadmin_password: "{{ ipaadmin_password }}" ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_service }}" name: "{{ ipa_service }}"
allow_retrieve_keytab_user: allow_retrieve_keytab_user:
- "{{ ipa_admin }}" - "{{ ipaadmin_principal }}"
allow_retrieve_keytab_host: allow_retrieve_keytab_host:
- "{{ host }}" - "{{ host }}"
action: member action: member
- name: "Grant {{ host }} and {{ ipa_admin }} access to the host keytab" - name: "Grant {{ host }} and {{ ipaadmin_principal }} access to the host keytab"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
freeipa.ansible_freeipa.ipahost: freeipa.ansible_freeipa.ipahost:
ipaadmin_principal: "{{ ipa_admin }}" ipaadmin_principal: "{{ ipaadmin_principal }}"
ipaadmin_password: "{{ ipaadmin_password }}" ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ host }}" name: "{{ host }}"
state: present state: present
allow_retrieve_keytab_user: allow_retrieve_keytab_user:
- "{{ ipa_admin }}" - "{{ ipaadmin_principal }}"
managedby_host: "{{ host }}" managedby_host: "{{ host }}"
action: member action: member
- name: "Get kerberos ticket" - name: "Get kerberos ticket"
delegate_to: "{{ ipa_server }}" delegate_to: "{{ ipa_server }}"
ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}" ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipaadmin_principal }}"
check_mode: false check_mode: false
changed_when: "1 != 1" changed_when: "1 != 1"
when: not keytab_status.stat.exists when: not keytab_status.stat.exists
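Review bot: The "Get kerberos ticket" task still interpolates `{{ ipaadmin_password }}` and `{{ ipaadmin_principal }}` straight into a shell string with no quoting filter and no `no_log`, so a principal value containing shell metacharacters is executed on the IPA server and the admin password is echoed into the Ansible/AWX job output whenever the task's command is logged. The rename does not change this, but since the line is being touched it is the moment to fix it: `ansible.builtin.shell: "set -o pipefail && echo {{ ipaadmin_password | quote }} | kinit {{ ipaadmin_principal | quote }}"` plus `no_log: true` on the task. Note also that the two preceding tasks add `{{ ipaadmin_principal }}` to `allow_retrieve_keytab_user` on both the service and the host; that grant appears to persist after the play, which is presumably intended but worth a comment. The enclosing play starts and ends outside this hunk.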


@ -1,7 +1,7 @@
--- ---
# This playbook is meant to be used with callable variables, like adhoc or AWX. # This playbook is meant to be used with callable variables, like adhoc or AWX.
# What: Creates groups in the idm infrastructure based on the variables provided # What: Creates groups in the idm infrastructure based on the variables provided
# You MUST provide an ipa_admin user to run this. # You MUST provide an ipaadmin_principal user to run this.
# If group is going to be a fas group (exposed in noggin), ensure ipa_fas is # If group is going to be a fas group (exposed in noggin), ensure ipa_fas is
# set to true. # set to true.
@ -18,7 +18,7 @@
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipaadmin_principal | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_group | mandatory - ipa_group | mandatory
- ipa_description | mandatory - ipa_description | mandatory
@ -28,7 +28,7 @@
- name: "Creating New Group" - name: "Creating New Group"
freeipa.ansible_freeipa.ipagroup: freeipa.ansible_freeipa.ipagroup:
ipaadmin_principal: "{{ ipa_admin }}" ipaadmin_principal: "{{ ipaadmin_principal }}"
ipaadmin_password: "{{ ipaadmin_password }}" ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_group }}" name: "{{ ipa_group }}"
description: "{{ ipa_description }}" description: "{{ ipa_description }}"
@ -39,7 +39,7 @@
- groups - groups
- name: "Prepare FAS if required" - name: "Prepare FAS if required"
ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipa_admin }}" ansible.builtin.shell: "set -o pipefail && echo \"{{ ipaadmin_password }}\" | kinit {{ ipaadmin_principal }}"
check_mode: false check_mode: false
changed_when: "1 != 1" changed_when: "1 != 1"
when: ipa_fas when: ipa_fas
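Review bot: The "Prepare FAS if required" shell task pipes the admin password through `echo` and passes `{{ ipaadmin_principal }}` unquoted on the `kinit` command line, with no `no_log: true`, so the password lands in job logs and a crafted principal value is a command-injection point. Suggested lines: `ansible.builtin.shell: "set -o pipefail && echo {{ ipaadmin_password | quote }} | kinit {{ ipaadmin_principal | quote }}"` and `no_log: true`. The rest of the play, including whatever uses the obtained ticket, is outside this hunk.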


@ -13,7 +13,7 @@
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipaadmin_principal | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_service | mandatory - ipa_service | mandatory
success_msg: "Required variables provided" success_msg: "Required variables provided"
@ -21,7 +21,7 @@
- name: "Creating Kerberos Service" - name: "Creating Kerberos Service"
freeipa.ansible_freeipa.ipaservice: freeipa.ansible_freeipa.ipaservice:
ipaadmin_principal: "{{ ipa_admin }}" ipaadmin_principal: "{{ ipaadmin_principal }}"
ipaadmin_password: "{{ ipaadmin_password }}" ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_service }}" name: "{{ ipa_service }}"
skip_host_check: "{{ ipa_skip_host_check | default(false) }}" skip_host_check: "{{ ipa_skip_host_check | default(false) }}"


@ -17,7 +17,7 @@
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipaadmin_principal | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_name | mandatory - ipa_name | mandatory
- ticket_id | mandatory - ticket_id | mandatory
@ -26,7 +26,7 @@
- name: "Disabling User Account" - name: "Disabling User Account"
freeipa.ansible_freeipa.ipauser: freeipa.ansible_freeipa.ipauser:
ipaadmin_principal: "{{ ipa_admin }}" ipaadmin_principal: "{{ ipaadmin_principal }}"
ipaadmin_password: "{{ ipaadmin_password }}" ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_name }}" name: "{{ ipa_name }}"
state: disabled state: disabled
@ -40,7 +40,7 @@
values: [] values: []
state: exact state: exact
server_uri: ldap://localhost/ server_uri: ldap://localhost/
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org" bind_dn: "uid={{ ipaadmin_principal }},cn=users,cn=accounts,dc=rockylinux,dc=org"
bind_pw: "{{ ipaadmin_password }}" bind_pw: "{{ ipaadmin_password }}"
with_items: with_items:
- fasGPGKeyId - fasGPGKeyId
@ -70,7 +70,7 @@
values: "Account Disabled: {{ ticket_id }}" values: "Account Disabled: {{ ticket_id }}"
state: exact state: exact
server_uri: ldap://localhost/ server_uri: ldap://localhost/
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org" bind_dn: "uid={{ ipaadmin_principal }},cn=users,cn=accounts,dc=rockylinux,dc=org"
bind_pw: "{{ ipaadmin_password }}" bind_pw: "{{ ipaadmin_password }}"
- name: "Set FAS Account Information to Private" - name: "Set FAS Account Information to Private"
@ -80,6 +80,6 @@
values: "TRUE" values: "TRUE"
state: exact state: exact
server_uri: ldap://localhost/ server_uri: ldap://localhost/
bind_dn: "uid={{ ipa_admin }},cn=users,cn=accounts,dc=rockylinux,dc=org" bind_dn: "uid={{ ipaadmin_principal }},cn=users,cn=accounts,dc=rockylinux,dc=org"
bind_pw: "{{ ipaadmin_password }}" bind_pw: "{{ ipaadmin_password }}"
... ...


@ -13,7 +13,7 @@
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipaadmin_principal | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_name | mandatory - ipa_name | mandatory
success_msg: "Required variables provided" success_msg: "Required variables provided"
@ -21,7 +21,7 @@
- name: "Disabling User Account" - name: "Disabling User Account"
freeipa.ansible_freeipa.ipauser: freeipa.ansible_freeipa.ipauser:
ipaadmin_principal: "{{ ipa_admin }}" ipaadmin_principal: "{{ ipaadmin_principal }}"
ipaadmin_password: "{{ ipaadmin_password }}" ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_name }}" name: "{{ ipa_name }}"
state: disabled state: disabled


@ -13,7 +13,7 @@
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipaadmin_principal | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_name | mandatory - ipa_name | mandatory
success_msg: "Required variables provided" success_msg: "Required variables provided"
@ -21,7 +21,7 @@
- name: "Enabling User Account" - name: "Enabling User Account"
freeipa.ansible_freeipa.ipauser: freeipa.ansible_freeipa.ipauser:
ipaadmin_principal: "{{ ipa_admin }}" ipaadmin_principal: "{{ ipaadmin_principal }}"
ipaadmin_password: "{{ ipaadmin_password }}" ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_name }}" name: "{{ ipa_name }}"
state: enabled state: enabled


@ -13,7 +13,7 @@
- name: "Checking for user variables" - name: "Checking for user variables"
ansible.builtin.assert: ansible.builtin.assert:
that: that:
- ipa_admin | mandatory - ipaadmin_principal | mandatory
- ipaadmin_password | mandatory - ipaadmin_password | mandatory
- ipa_name | mandatory - ipa_name | mandatory
- ipa_first | mandatory - ipa_first | mandatory
@ -26,7 +26,7 @@
- name: "Creating User Account" - name: "Creating User Account"
freeipa.ansible_freeipa.ipauser: freeipa.ansible_freeipa.ipauser:
ipaadmin_principal: "{{ ipa_admin }}" ipaadmin_principal: "{{ ipaadmin_principal }}"
ipaadmin_password: "{{ ipaadmin_password }}" ipaadmin_password: "{{ ipaadmin_password }}"
name: "{{ ipa_name }}" name: "{{ ipa_name }}"
first: "{{ ipa_first }}" first: "{{ ipa_first }}"