主页
产品
Red Hat Enterprise Linux
10
Managing IdM users, groups, hosts, and access control rules
21.4. Using Ansible to ensure that a self-service rule does not have specific attributes

21.4. Using Ansible to ensure that a self-service rule does not have specific attributes

The following procedure describes how to use an Ansible playbook to ensure that a self-service rule does not have specific settings. You can use this playbook to make sure a self-service rule does not grant undesired access. In the example, you ensure the Users can manage their own name details self-service rule does not have the givenname and surname member attributes.

Prerequisites

On the control node:
- You are using Ansible version 2.15 or later.
- You have installed the ansible-freeipa package.
- The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
- The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.
The Users can manage their own name details self-service rule exists in IdM.

Procedure

Navigate to the ~/MyPlaybooks/ directory:
```
$ cd ~/MyPlaybooks/
```
Make a copy of the selfservice-member-absent.yml file located in the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/selfservice/ directory:
```
$ cp /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/selfservice/selfservice-member-absent.yml selfservice-member-absent-copy.yml
```
Open the selfservice-member-absent-copy.yml Ansible playbook file for editing.

Adapt the file by setting the following variables in the freeipa.ansible_freeipa.ipaselfservice task section:

Set the name variable to the name of the self-service rule you want to modify.
Set the attribute variable to givenname and surname.
Set the action variable to member.
Set the state variable to absent.

This is the modified Ansible playbook file for the current example:

---
- name: Self-service member absent
  hosts: ipaserver

  vars_files:
  - /home/user_name/MyPlaybooks/secret.yml
  tasks:
  - name: Ensure selfservice "Users can manage their own name details" member attributes givenname and surname are absent
    freeipa.ansible_freeipa.ipaselfservice:
      ipaadmin_password: "{{ ipaadmin_password }}"
      name: "Users can manage their own name details"
      attribute:
      - givenname
      - surname
      action: member
      state: absent

Save the file.
For details about variables and example playbooks in the FreeIPA Ansible collection, see the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/README-selfservice.md file and the /usr/share/ansible/collections/ansible_collections/freeipa/ansible_freeipa/playbooks/selfservice directory on the control node.
Run the Ansible playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:
```
$ ansible-playbook --vault-password-file=password_file -v -i inventory selfservice-member-absent-copy.yml
```

21.4. Using Ansible to ensure that a self-service rule does not have specific attributes

学习

尝试、购买和销售

社区

关于红帽文档

让开源更具包容性

關於紅帽

Theme

Red Hat legal and privacy links

Red Hat legal and privacy links