`linuxfabrik.lfops.ipauser`¶

Manage FreeIPA users

Synopsis¶

Manage FreeIPA users

Available since LFOps 6.0.0.

Optional Parameters¶

action

Work on user or member level
Type: String. One of member, user.
Default: user

carlicense

List of car licenses
Type: List.

certificate

List of base-64 encoded user certificates
Type: List.

certmapdata

List of certificate mappings Only usable with IPA versions 4.5 and up.
Type: List.
Subkeys:
- certificate:
  - Base-64 encoded user certificate
  - Type: String.
- data:
  - Certmap data
  - Type: String.
- issuer:
  - Issuer of the certificate
  - Type: String.
- subject:
  - Subject of the certificate
  - Type: String.

city

City
Type: String.

departmentnumber

Department Number
Type: List.

displayname

The display name
Type: String.

email

List of email addresses
Type: List.

employeenumber

Employee Number
Type: String.

employeetype

Employee Type
Type: String.

fax

List of fax numbers
Type: List.

first

The first name. Required if user does not exist.
Type: String.

fullname

The full name
Type: String.

gecos

The GECOS
Type: String.

gid

Group ID Number
Type: Number.

homedir

The home directory
Type: String.

idp

External IdP configuration
Type: String.

idp_user_id

A string that identifies the user at external IdP
Type: String.

initials

Initials
Type: String.

last

The last name. Required if user doesnot exst.
Type: String.

manager

List of managers
Type: List.

mobile

List of mobile telephone numbers
Type: List.

name

The list of users (internally uid).
Type: List.

nomembers

Suppress processing of membership attributes
Type: Bool.

noprivate

Don't create user private group
Type: Bool.

orgunit

Org. Unit
Type: String.

pager

List of pager numbers
Type: List.

password

The user password
Type: String.

passwordexpiration

The kerberos password expiration date (FreeIPA-4.7+) (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ, YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped. Only usable with IPA versions 4.7 and up.
Type: String.

phone

List of telephone numbers
Type: List.

postalcode

Postalcode/ZIP
Type: String.

preferredlanguage

Preferred Language
Type: String.

preserve

Delete a user, keeping the entry available for future use
Type: Bool.

principal

The kerberos principal
Type: List.

principalexpiration

The kerberos principal expiration date (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ, YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped.
Type: String.

radius

RADIUS proxy configuration
Type: String.

radiususer

RADIUS proxy username
Type: String.

random

Generate a random user password
Type: Bool.

rename

Rename the user object
Type: String.

shell

The login shell
Type: String.

smb_home_dir

SMB Home Directory
Type: String.

smb_home_drive

SMB Home Directory Drive
Type: String. One of A:, B:, C:, D:, E:, F:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z:, ``.

smb_logon_script

SMB logon script path
Type: String.

smb_profile_path

SMB profile path
Type: String.

sshpubkey

List of SSH public keys
Type: List.

state

State to ensure
Type: String. One of present, absent, enabled, disabled, unlocked, undeleted, renamed.
Default: present

street

Street address
Type: String.

title

The job title
Type: String.

uid

User ID Number (system will assign one if not provided)
Type: Number.

update_password

Set password for a user in present state only on creation or always
Type: String. One of always, on_create.

userauthtype

List of supported user authentication types Use empty string to reset userauthtype to the initial value.
Type: List. One of password, radius, otp, pkinit, hardened, idp, passkey, ``.

userclass

User category (semantics placed on this attribute are for local interpretation)
Type: List.

users

The list of user dicts (internally uid).
Type: List.
Subkeys:
- carlicense:
  - List of car licenses
  - Type: List.
- certificate:
  - List of base-64 encoded user certificates
  - Type: List.
- certmapdata:
  - List of certificate mappings Only usable with IPA versions 4.5 and up.
  - Type: List.
  - Subkeys:
    - certificate:
      - Base-64 encoded user certificate
      - Type: String.
    - data:
      - Certmap data
      - Type: String.
    - issuer:
      - Issuer of the certificate
      - Type: String.
    - subject:
      - Subject of the certificate
      - Type: String.
- city:
  - City
  - Type: String.
- departmentnumber:
  - Department Number
  - Type: List.
- displayname:
  - The display name
  - Type: String.
- email:
  - List of email addresses
  - Type: List.
- employeenumber:
  - Employee Number
  - Type: String.
- employeetype:
  - Employee Type
  - Type: String.
- fax:
  - List of fax numbers
  - Type: List.
- first:
  - The first name. Required if user does not exist.
  - Type: String.
- fullname:
  - The full name
  - Type: String.
- gecos:
  - The GECOS
  - Type: String.
- gid:
  - Group ID Number
  - Type: Number.
- homedir:
  - The home directory
  - Type: String.
- idp:
  - External IdP configuration
  - Type: String.
- idp_user_id:
  - A string that identifies the user at external IdP
  - Type: String.
- initials:
  - Initials
  - Type: String.
- last:
  - The last name. Required if user doesnot exst.
  - Type: String.
- manager:
  - List of managers
  - Type: List.
- mobile:
  - List of mobile telephone numbers
  - Type: List.
- name:
  - The user (internally uid).
  - Type: String.
- nomembers:
  - Suppress processing of membership attributes
  - Type: Bool.
- noprivate:
  - Don't create user private group
  - Type: Bool.
- orgunit:
  - Org. Unit
  - Type: String.
- pager:
  - List of pager numbers
  - Type: List.
- password:
  - The user password
  - Type: String.
- passwordexpiration:
  - The kerberos password expiration date (FreeIPA-4.7+) (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ, YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped. Only usable with IPA versions 4.7 and up.
  - Type: String.
- phone:
  - List of telephone numbers
  - Type: List.
- postalcode:
  - Postalcode/ZIP
  - Type: String.
- preferredlanguage:
  - Preferred Language
  - Type: String.
- principal:
  - The kerberos principal
  - Type: List.
- principalexpiration:
  - The kerberos principal expiration date (possible formats: YYYYMMddHHmmssZ, YYYY-MM-ddTHH:mm:ssZ, YYYY-MM-ddTHH:mmZ, YYYY-MM-ddZ, YYYY-MM-dd HH:mm:ssZ, YYYY-MM-dd HH:mmZ) The trailing 'Z' can be skipped.
  - Type: String.
- radius:
  - RADIUS proxy configuration
  - Type: String.
- radiususer:
  - RADIUS proxy username
  - Type: String.
- random:
  - Generate a random user password
  - Type: Bool.
- rename:
  - Rename the user object
  - Type: String.
- shell:
  - The login shell
  - Type: String.
- smb_home_dir:
  - SMB Home Directory
  - Type: String.
- smb_home_drive:
  - SMB Home Directory Drive
  - Type: String. One of A:, B:, C:, D:, E:, F:, G:, H:, I:, J:, K:, L:, M:, N:, O:, P:, Q:, R:, S:, T:, U:, V:, W:, X:, Y:, Z:, ``.
- smb_logon_script:
  - SMB logon script path
  - Type: String.
- smb_profile_path:
  - SMB profile path
  - Type: String.
- sshpubkey:
  - List of SSH public keys
  - Type: List.
- street:
  - Street address
  - Type: String.
- title:
  - The job title
  - Type: String.
- uid:
  - User ID Number (system will assign one if not provided)
  - Type: Number.
- userauthtype:
  - List of supported user authentication types Use empty string to reset userauthtype to the initial value.
  - Type: List. One of password, radius, otp, pkinit, hardened, idp, passkey, ``.
- userclass:
  - User category (semantics placed on this attribute are for local interpretation)
  - Type: List.
- userstate:
  - State/Province
  - Type: String.

userstate

State/Province
Type: String.

Examples¶

# Create user pinky
- ipauser:
    ipaadmin_password: SomeADMINpassword
    name: pinky
    first: pinky
    last: Acme
    uid: 10001
    gid: 100
    phone: "+555123457"
    email: pinky@acme.com
    passwordexpiration: "2023-01-19 23:59:59"
    password: "no-brain"
    update_password: on_create

# Create user brain
- ipauser:
    ipaadmin_password: SomeADMINpassword
    name: brain
    first: brain
    last: Acme

# Create multiple users pinky and brain
- ipauser:
    ipaadmin_password: SomeADMINpassword
    users:
    - name: pinky
      first: pinky
      last: Acme
    - name: brain
      first: brain
      last: Acme

# Delete user pinky, but preserved
- ipauser:
    ipaadmin_password: SomeADMINpassword
    name: pinky
    preserve: yes
    state: absent

# Undelete user pinky
- ipauser:
    ipaadmin_password: SomeADMINpassword
    name: pinky
    state: undeleted

# Disable user pinky
- ipauser:
    ipaadmin_password: SomeADMINpassword
    name: pinky,brain
    state: disabled

# Enable user pinky and brain
- ipauser:
    ipaadmin_password: SomeADMINpassword
    name: pinky,brain
    state: enabled

# Remove but preserve user pinky
- ipauser:
    ipaadmin_password: SomeADMINpassword
    users:
    - name: pinky
    preserve: yes
    state: absent

# Remove user pinky and brain
- ipauser:
    ipaadmin_password: SomeADMINpassword
    name: pinky,brain
    state: disabled

# Ensure a user has SMB attributes
- ipauser:
    ipaadmin_password: SomeADMINpassword
    name: smbuser
    first: SMB
    last: User
    smb_logon_script: N:\logonscripts\startup
    smb_profile_path: \\server\profiles\some_profile
    smb_home_dir: \\users\home\smbuser
    smb_home_drive: "U:"

# Rename an existing user
- ipauser:
    ipaadmin_password: SomeADMINpassword
    name: someuser
    rename: anotheruser
    state: renamed

Return Values¶

user

User dict with random password
Type: Dictionary.
Returned: If random is yes and user did not exist or update_password is yes.

Authors¶

Thomas Woerner (@t-woerner)

linuxfabrik.lfops.ipauser¶