Select Git revision
README-pwpolicy.md
-
Rafael Guterres Jeffman authored
As ansible-freeipa roles do not support version 2.8 anymore, change the minimum supported version to 2.13, which is the currently minimum available and supported Ansible version. This patch fixes documentation on all plugin READMEs, spec file and module templates.
Rafael Guterres Jeffman authoredAs ansible-freeipa roles do not support version 2.8 anymore, change the minimum supported version to 2.13, which is the currently minimum available and supported Ansible version. This patch fixes documentation on all plugin READMEs, spec file and module templates.
README-pwpolicy.md 4.33 KiB
Pwpolicy module
Description
The pwpolicy module allows to ensure presence and absence of pwpolicies.
Features
- Pwpolicy management
Supported FreeIPA Versions
FreeIPA versions 4.4.0 and up are supported by the ipapwpolicy module.
Requirements
Controller
- Ansible version: 2.13+
Node
- Supported FreeIPA version (see above)
Usage
Example inventory file
[ipaserver]
ipaserver.test.localExample playbook to ensure presence of pwpolicies for exisiting group ops:
tasks:
- name: Ensure presence of pwpolicies for group ops
ipapwpolicy:
ipaadmin_password: SomeADMINpassword
name: ops
minlife: 7
maxlife: 49
history: 5
priority: 1
lockouttime: 300
minlength: 8
maxfail: 3Example playbook to ensure absence of pwpolicies for group ops:
---
- name: Playbook to handle pwpolicies
hosts: ipaserver
become: true
tasks:
# Ensure absence of pwpolicies for group ops
- ipapwpolicy:
ipaadmin_password: SomeADMINpassword
name: ops
state: absentExample playbook to ensure maxlife is set to 49 in global policy:
---
- name: Playbook to handle pwpolicies
hosts: ipaserver
become: true
tasks:
# Ensure maxlife is set to 49 in global policy
- ipapwpolicy:
ipaadmin_password: SomeADMINpassword
maxlife: 49Example playbook to ensure password grace period is set to 3 in global policy:
---
- name: Playbook to handle pwpolicies
hosts: ipaserver
become: true
tasks:
# Ensure maxlife is set to 49 in global policy
- ipapwpolicy:
ipaadmin_password: SomeADMINpassword
gracelimit: 3Example playbook to ensure password grace period is set to unlimited in global policy:
---
- name: Playbook to handle pwpolicies
hosts: ipaserver
become: true
tasks:
# Ensure maxlife is set to 49 in global policy
- ipapwpolicy:
ipaadmin_password: SomeADMINpassword
gracelimit: -1Variables
| Variable | Description | Required |
|---|---|---|
ipaadmin_principal |
The admin principal is a string and defaults to admin
|
no |
ipaadmin_password |
The admin password is a string and is required if there is no admin ticket available on the node | no |
ipaapi_context |
The context in which the module will execute. Executing in a server context is preferred. If not provided context will be determined by the execution environment. Valid values are server and client. |
no |
ipaapi_ldap_cache |
Use LDAP cache for IPA connection. The bool setting defaults to yes. (bool) | no |
name | cn
|
The list of pwpolicy name strings. If name is not given, global_policy will be used automatically. |
no |
maxlife | krbmaxpwdlife
|
Maximum password lifetime in days. (int or "") | no |
minlife | krbminpwdlife
|
Minimum password lifetime in hours. (int or "") | no |
history | krbpwdhistorylength
|
Password history size. (int or "") | no |
minclasses | krbpwdmindiffchars
|
Minimum number of character classes. (int or "") | no |
minlength | krbpwdminlength
|
Minimum length of password. (int or "") | no |
priority | cospriority
|
Priority of the policy, higher number means lower priority. (int or "") | no |
maxfail | krbpwdmaxfailure
|
Consecutive failures before lockout. (int or "") | no |
failinterval | krbpwdfailurecountinterval
|
Period after which failure count will be reset in seconds. (int or "") | no |
lockouttime | krbpwdlockoutduration
|
Period for which lockout is enforced in seconds. (int or "") | no |
maxrepeat | ipapwdmaxrepeat
|
Maximum number of same consecutive characters. Requires IPA 4.9+ (int or "") | no |
maxsequence | ipapwdmaxsequence
|
The maximum length of monotonic character sequences (abcd). Requires IPA 4.9+ (int or "") | no |
dictcheck | ipapwdictcheck
|
Check if the password is a dictionary word. Requires IPA 4.9+. (bool or "") | no |
usercheck | ipapwdusercheck
|
Check if the password contains the username. Requires IPA 4.9+. (bool or "") | no |
gracelimit | passwordgracelimit
|
Number of LDAP authentications allowed after expiration. Requires IPA 4.9.10 (int or "") | no |
state |
The state to ensure. It can be one of present or absent, default: present. |
yes |
Authors
Thomas Woerner