The automember module allows to ensure presence or absence of automember rules and manage automember rule conditions.
- Automember management
FreeIPA versions 4.4.0 and up are supported by the ipaautomember module.
Controller
- Ansible version: 2.13+
Node
- Supported FreeIPA version (see above)
Example inventory file
[ipaserver]
ipaserver.test.local
Example playbook to make sure group automember rule is present with no conditions.
---
- name: Playbook to ensure a group automember rule is present with no conditions
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
name: admins
description: "my automember rule"
automember_type: group
Example playbook to make sure group automember rule is present with conditions:
---
- name: Playbook to add a group automember rule with two conditions
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
name: admins
description: "my automember rule"
automember_type: group
inclusive:
- key: mail
expression: '@example.com$'
exclusive:
- key: uid
expression: "1234"
Example playbook to delete a group automember rule:
- name: Playbook to delete a group automember rule
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
name: admins
description: "my automember rule"
automember_type: group
state: absent
Example playbook to add an inclusive condition to an existing rule
- name: Playbook to add an inclusive condition to an existing rule
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
name: "My domain hosts"
description: "my automember condition"
automember_type: hostgroup
action: member
inclusive:
- key: fqdn
expression: ".*.mydomain.com"
Example playbook to ensure group membership for all users has been rebuilt
- name: Playbook to ensure group membership for all users has been rebuilt
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: group
state: rebuilt
Example playbook to ensure group membership for given users has been rebuilt
- name: Playbook to ensure group membership for given users has been rebuilt
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
users:
- user1
- user2
state: rebuilt
Example playbook to ensure hostgroup membership for all hosts has been rebuilt
- name: Playbook to ensure hostgroup membership for all hosts has been rebuilt
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: hostgroup
state: rebuilt
Example playbook to ensure hostgroup membership for given hosts has been rebuilt
- name: Playbook to ensure hostgroup membership for given hosts has been rebuilt
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
hosts:
- host1.mydomain.com
- host2.mydomain.com
state: rebuilt
Example playbook to ensure default group fallback_group for all unmatched group entries is set
- name: Playbook to ensure default group fallback_group for all unmatched group entries is set
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: group
default_group: fallback_group
Example playbook to ensure default group for all unmatched group entries is not set
- name: Playbook to ensure default group for all unmatched group entries is not set
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
default_group: ""
automember_type: group
state: absent
Example playbook to ensure default hostgroup fallback_hostgroup for all unmatched group entries
- name: Playbook to ensure default hostgroup fallback_hostgroup for all unmatched group entries
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: hostgroup
default_group: fallback_hostgroup
Example playbook to ensure default hostgroup for all unmatched group entries is not set
- name: Playbook to ensure default hostgroup for all unmatched group entries is not set
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: hostgroup
default_group: ""
state: absent
Example playbook to ensure all orphan automember group rules are removed:
- name: Playbook to ensure all orphan automember group rules are removed
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: group
state: orphans_removed
Example playbook to ensure all orphan automember hostgroup rules are removed:
- name: Playbook to ensure all orphan automember hostgroup rules are removed
hosts: ipaserver
become: yes
gather_facts: no
tasks:
- ipaautomember:
ipaadmin_password: SomeADMINpassword
automember_type: hostgroup
state: orphans_removed
Variable | Description | Required |
---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin |
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
ipaapi_context |
The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are server and client . |
no |
ipaapi_ldap_cache |
Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no |
name | cn |
Automember rule. | yes |
description |
A description of this auto member rule. | no |
automember_type |
Grouping to which the rule applies. It can be one of group , hostgroup . |
yes |
inclusive |
List of dictionaries in the format of {'key': attribute, 'expression': inclusive_regex} |
no |
exclusive |
List of dictionaries in the format of {'key': attribute, 'expression': exclusive_regex} |
no |
users |
Users to rebuild membership for. | no |
hosts |
Hosts to rebuild membership for. | no |
no_wait |
Don't wait for rebuilding membership. | no |
default_group |
Default (fallback) group for all unmatched entries. Use the empty string "" for ensuring the default group is not set. | no |
action |
Work on automember or member level. It can be one of member or automember and defaults to automember . |
no |
state |
The state to ensure. It can be one of present , absent , 'rebuilt'. 'orphans_removed' default: present . |
no |
Mark Hahl Thomas Woerner