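---
# Provision users, groups, an LDAP bind account and sudo / self-service
# rules on the IdM (FreeIPA) server rh-idm-01.cool.lab.
#
# Variables this play expects (supply them from inventory / vault, never
# inline here):
#   ipaadmin_password       IPA admin password, passed to every freeipa.* task
#   ipadm_password          Directory Manager password, used for the raw LDAP
#                           bind that creates the sysaccount entry
#   enabled_users           list of user dicts for ipauser
#   idm_admins, rh_ops, arrow_ops, arrow, enfo, devikone, hiq, partners,
#   odh_admins, developers, aap_admins
#                           lists of user names for the group of the same name
#   aap_ldap_username,
#   aap_ldap_password       credentials of the AAP LDAP bind sysaccount
#
# Tags: users, groups, selfservice, sudo, aap.  Every "Ensure group" task
# carries the "groups" tag so that a `--tags groups` run creates each group
# before trying to add its members.
- name: Playbook to add users
  hosts: rh-idm-01.cool.lab
  tasks:
    - name: Create users
      freeipa.ansible_freeipa.ipauser:
        ipaadmin_password: "{{ ipaadmin_password }}"
        state: present
        # Set the password only when the account is first created, so
        # re-running the play does not reset passwords users have changed.
        update_password: on_create
        users: "{{ enabled_users }}"
      tags: users

    # "admins" is the built-in IPA administrators group: everybody in
    # idm_admins gets full control of the directory.
    - name: Ensure ipa admins group
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: admins
        state: present
      tags: groups
    - name: Ensure members in ipa admins group
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: admins
        # action: member adds the listed users; members not listed here are
        # left in place.
        action: member
        user: "{{ idm_admins }}"
      tags: groups

    # rhops is the group granted passwordless sudo on every host by the
    # sudo rule at the end of this play -- keep rh_ops short and reviewed.
    - name: Ensure group Red Hat Ops (rhops) with gid 1100
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: rhops
        gidnumber: 1100
      tags: groups
    - name: Ensure members in group Red Hat Ops (rhops)
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: rhops
        action: member
        user: "{{ rh_ops }}"
      tags: groups

    - name: Ensure group Arrow Ops (arrowops) with gid 2100
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: arrowops
        gidnumber: 2100
      tags: groups
    - name: Ensure members in group Arrow Ops (arrowops)
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: arrowops
        action: member
        user: "{{ arrow_ops }}"
      tags: groups

    - name: Ensure group arrow (arrow) with gid 2101
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: arrow
        gidnumber: 2101
      tags: groups
    - name: Ensure members in group arrow (arrow)
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: arrow
        action: member
        user: "{{ arrow }}"
      tags: groups

    - name: Ensure group enfo with gid 2110
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: enfo
        gidnumber: 2110
      tags: groups
    - name: Ensure members in group enfo
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: enfo
        action: member
        user: "{{ enfo }}"
      tags: groups

    - name: Ensure group devikone with gid 2210
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: devikone
        gidnumber: 2210
      tags: groups
    - name: Ensure members in group devikone
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: devikone
        action: member
        user: "{{ devikone }}"
      tags: groups

    - name: Ensure group hiq with gid 2120
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: hiq
        gidnumber: 2120
      # This task had no tag, so `--tags groups` skipped creating the group
      # and then failed on the member task below.
      tags: groups
    - name: Ensure members in group hiq
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: hiq
        action: member
        user: "{{ hiq }}"
      tags: groups

    - name: Ensure group partners with gid 3000
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: partners
        gidnumber: 3000
      tags: groups
    - name: Ensure members in group partners
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: partners
        action: member
        user: "{{ partners }}"
      tags: groups

    - name: Ensure group ODH admins (odh_admins) with gid 2103
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: odh-admins
        gidnumber: 2103
      tags: groups
    - name: Ensure members in group ODH admins (odh_admins)
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: odh-admins
        action: member
        user: "{{ odh_admins }}"
      tags: groups

    - name: Ensure group developers with gid 2104
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: developers
        gidnumber: 2104
      tags: groups
    - name: Ensure members in group developers
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: developers
        action: member
        user: "{{ developers }}"
      tags: groups

    # Service account used by Ansible Automation Platform to bind to the
    # directory.  It is created as a raw LDAP entry under cn=sysaccounts
    # with a Directory Manager bind, outside the IPA API.
    - name: Create LDAP bind user for AAP
      community.general.ldap_entry:
        server_uri: ldaps://rh-idm-01.cool.lab
        bind_dn: cn=Directory Manager
        bind_pw: "{{ ipadm_password }}"
        dn: "uid={{ aap_ldap_username }},cn=sysaccounts,cn=etc,dc=cool,dc=lab"
        # This session carries the Directory Manager password and the new
        # account's password, so the server certificate must be verified;
        # an unverified LDAPS connection can be intercepted.  The task runs
        # on the IdM server, which normally trusts its own CA -- if
        # verification fails, point ca_path at the IPA CA certificate rather
        # than switching validation off.
        validate_certs: true
        objectClass:
          - account
          - simpleSecurityObject
        attributes:
          description: AAP LDAP bind account
          userPassword: "{{ aap_ldap_password }}"
          uid: "{{ aap_ldap_username }}"
          # NOTE(review): this is effectively a never-expiring service
          # password; rotate it out of band.  ldap_entry only creates the
          # entry, so a later change of aap_ldap_password is not expected to
          # update an existing account (ldap_attrs would) -- confirm.
          passwordExpirationTime: "20320101000000Z"
          nsIdleTimeout: "0"
      # `attributes` is an ordinary parameter, not a no_log one: without
      # this the bind password would be printed in verbose (-v) output.
      no_log: true
      tags:
        - users
        - aap

    - name: Ensure group AAP admins
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        description: Ansible Automation Platform admins
        name: aap_admins
      tags:
        - groups
        - aap
    - name: Ensure members in group AAP admins
      freeipa.ansible_freeipa.ipagroup:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: aap_admins
        action: member
        user: "{{ aap_admins }}"
      tags:
        - groups
        - aap

    # - name: Ensure group Arrow Ops (arrops)
    #   freeipa.ansible_freeipa.ipagroup:
    #     name: sysops
    #     user:
    #     gidnumber: 1200
    #   tags: groups
    # - name: Create group Application Developers (appops)
    #   freeipa.ansible_freeipa.ipagroup:
    #     name: appops
    #   tags: groups

    # Users may read and write only these four name-related attributes on
    # their own entry.
    - name: Ensure self-service rule is present
      freeipa.ansible_freeipa.ipaselfservice:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: "Users can manage their own name details"
        permission:
          - read
          - write
        attribute:
          - givenname
          - displayname
          - title
          - initials
      tags: selfservice

    # Any command, on any enrolled host, without re-authentication:
    # membership of rhops is equivalent to root everywhere.  Treat changes
    # to rh_ops as privileged-access changes.
    - name: Ensure sudo rule for gods
      freeipa.ansible_freeipa.ipasudorule:
        ipaadmin_password: "{{ ipaadmin_password }}"
        name: rhops_sudo_all_nopasswd
        cmdcategory: all
        description: Red Hat ops allow to ruin everything anywhere freely
        hostcategory: all
        sudooption:
          - '!authenticate'
        group:
          - rhops
      tags: sudo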