Topology modules


These modules manage the topology: they can ensure that topology segments are present, absent or reinitialized. It is also possible to verify topology suffixes.

* Topology management

Supported FreeIPA Versions

FreeIPA versions 4.4.0 and up are supported by the ipatopologysegment and ipatopologysuffix modules.


* Ansible version: 2.8+

* Supported FreeIPA version (see above)


Example inventory file


Example playbook to add a topology segment with default name (cn):

```yaml
- name: Playbook to handle topologysegment
  hosts: ipaserver
  become: true

  tasks:
  - name: Add topology segment
    ipatopologysegment:
      ipaadmin_password: MyPassword123
      suffix: domain
      left: ipareplica1.test.local
      right: ipareplica2.test.local
      state: present
```

The name (cn) can also be set if it should not be the default `{left}-to-{right}`.

Example playbook to delete a topology segment:

```yaml
- name: Playbook to handle topologysegment
  hosts: ipaserver
  become: true

  tasks:
  - name: Delete topology segment
    ipatopologysegment:
      ipaadmin_password: MyPassword123
      suffix: domain
      left: ipareplica1.test.local
      right: ipareplica2.test.local
      state: absent
```

It is possible to either use the name (cn) or left and right nodes. If left and right nodes are used, then the name will be searched and used internally.
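
An added example (not part of the original README or the project's own code) that combines the two notes above: it sets an explicit segment name instead of the default `{left}-to-{right}`, removes the segment by name only, and reads the admin password from a vault-encrypted variables file instead of writing it into the playbook. The file name `vault.yml`, the variables `vault_ipaadmin_password`, `segment_name` and `remove_segment`, and the segment name itself are assumptions made for this example.

```yaml
# Added example, not from the original README.
# Assumption: vault.yml was created with `ansible-vault create vault.yml`
# and defines vault_ipaadmin_password; run the play with --ask-vault-pass.
- name: Manage a named topology segment without a clear-text password
  hosts: ipaserver
  become: true
  gather_facts: false

  vars_files:
  - vault.yml                              # hypothetical file, encrypted with ansible-vault

  vars:
    segment_name: replica1-replica2-link   # constructed name, replaces the default cn
    remove_segment: false                  # hypothetical switch, override with -e

  tasks:
  - name: Ensure the segment exists under an explicit name (cn)
    ipatopologysegment:
      ipaadmin_password: "{{ vault_ipaadmin_password }}"
      suffix: domain
      name: "{{ segment_name }}"
      left: ipareplica1.test.local
      right: ipareplica2.test.local
      state: present
    when: not remove_segment | bool

  - name: Remove the segment, identified by name only
    ipatopologysegment:
      ipaadmin_password: "{{ vault_ipaadmin_password }}"
      suffix: domain
      name: "{{ segment_name }}"
      state: absent
    when: remove_segment | bool
```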

Example playbook to reinitialize a topology segment:

```yaml
- name: Playbook to handle topologysegment
  hosts: ipaserver
  become: true

  tasks:
  - name: Reinitialize topology segment
    ipatopologysegment:
      ipaadmin_password: MyPassword123
      suffix: domain
      left: ipareplica1.test.local
      right: ipareplica2.test.local
      direction: left-to-right
      state: reinitialized
```

It is possible to either use the name (cn) or left and right nodes. If left and right nodes are used, then the name will be searched and used internally.

Example playbook to verify a topology suffix:

```yaml
- name: Playbook to handle topologysuffix
  hosts: ipaserver
  become: true

  tasks:
  - name: Verify topology suffix
    ipatopologysuffix:
      suffix: domain
      state: verified
```

Example playbook to add, remove, check or reinitialize a list of topology segments:

```yaml
- name: Add topology segments
  hosts: ipaserver
  become: true
  gather_facts: false

  vars:
    ipaadmin_password: password1
    # List of segments consumed by the loop below
    ipatopology_segments:
    - {suffix: domain, left: replica1.test.local, right: replica2.test.local}
    - {suffix: domain, left: replica2.test.local, right: replica3.test.local}
    - {suffix: domain, left: replica3.test.local, right: replica4.test.local}
    - {suffix: domain+ca, left: replica4.test.local, right: replica1.test.local}

  tasks:
  - name: Add topology segment
    ipatopologysegment:
      ipaadmin_password: "{{ ipaadmin_password }}"
      suffix: "{{ item.suffix }}"
      name: "{{ item.name | default(omit) }}"
      left: "{{ item.left }}"
      right: "{{ item.right }}"
      state: present
      # Use one of the following instead to remove or check the segments:
      #state: absent
      #state: checked
    loop: "{{ ipatopology_segments | default([]) }}"
```



Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`suffix` | The topology suffix to be used, this can either be `domain`, `ca` or `domain+ca` | yes
`name` \| `cn` | The topology segment name (cn) is the unique identifier for a segment. | no
`left` \| `leftnode` | The left replication node string - an IPA server | no
`right` \| `rightnode` | The right replication node string - an IPA server | no
`direction` | The direction a segment will be reinitialized. It can either be `left-to-right` or `right-to-left` and only used with `state: reinitialized` | 
`state` | The state to ensure. It can be one of `present`, `absent`, `enabled`, `disabled`, `checked` or `reinitialized` | yes


Verify FreeIPA topology suffix

Variable | Description | Required
-------- | ----------- | --------
`ipaadmin_principal` | The admin principal is a string and defaults to `admin` | no
`ipaadmin_password` | The admin password is a string and is required if there is no admin ticket available on the node | no
`suffix` | The topology suffix to be used, this can either be `domain` or `ca` | yes
`state` | The state to ensure. It can only be `verified` | yes


Thomas Woerner