
    Vh*                         d dl mZmZmZ eZdZdZdZd dl	Z	d dl
mZ d dlmZmZ d dlmZ  G d	 d
e      Z	 	 	 ddZd Zd Zd Zedk(  r e        yy)    )absolute_importdivisionprint_functiona	  
# Module documentation (YAML) for ipa_pwpolicy: what the module manages and
# the options it accepts.
module: ipa_pwpolicy
author: Adralioh (@adralioh)
short_description: Manage FreeIPA password policies
description:
  - Add, modify, or delete a password policy using the IPA API.
version_added: 2.0.0
attributes:
  # check_mode is fully supported and diff_mode is not: a dry run can report
  # that a policy would change, but no per-field diff is produced.
  check_mode:
    support: full
  diff_mode:
    support: none
# None of the options below is marked required. Apart from group and state,
# each one corresponds to a single password policy setting.
options:
  group:
    description:
      - Name of the group that the policy applies to.
      - If omitted, the global policy is used.
    aliases: ["name"]
    type: str
  state:
    description: State to ensure.
    default: "present"
    choices: ["absent", "present"]
    type: str
  # The numeric settings from maxpwdlife through lockouttime are declared as
  # type str, so playbooks pass them as quoted strings.
  # Note the differing units: maxpwdlife is in days, minpwdlife is in hours.
  maxpwdlife:
    description: Maximum password lifetime (in days).
    type: str
  minpwdlife:
    description: Minimum password lifetime (in hours).
    type: str
  historylength:
    description:
      - Number of previous passwords that are remembered.
      - Users cannot reuse remembered passwords.
    type: str
  minclasses:
    description: Minimum number of character classes.
    type: str
  minlength:
    description: Minimum password length.
    type: str
  priority:
    description:
      - Priority of the policy.
      - High number means lower priority.
      - Required when C(cn) is not the global policy.
    type: str
  # maxfailcount, failinterval and lockouttime together describe account
  # lockout: the number of consecutive failures allowed, the period after
  # which the failure count resets, and how long the lockout lasts.
  maxfailcount:
    description: Maximum number of consecutive failures before lockout.
    type: str
  failinterval:
    description: Period (in seconds) after which the number of failed login attempts is reset.
    type: str
  lockouttime:
    description: Period (in seconds) for which users are locked out.
    type: str
  # gracelimit through usercheck were added in 8.2.0 and use native int/bool
  # types rather than str.
  # gracelimit permits a bounded number of LDAP logins with an expired
  # password.
  gracelimit:
    description: Maximum number of LDAP logins after password expiration.
    type: int
    version_added: 8.2.0
  maxrepeat:
    description: Maximum number of allowed same consecutive characters in the new password.
    type: int
    version_added: 8.2.0
  maxsequence:
    description: Maximum length of monotonic character sequences in the new password. An example of a monotonic sequence of
      length 5 is V(12345).
    type: int
    version_added: 8.2.0
  dictcheck:
    description: Check whether the password (with possible modifications) matches a word in a dictionary (using cracklib).
    type: bool
    version_added: 8.2.0
  usercheck:
    description: Check whether the password (with possible modifications) contains the user name in some form (if the name
      has > 3 characters).
    type: bool
    version_added: 8.2.0
# Connection options such as ipa_host, ipa_user and ipa_pass are not listed
# here; presumably they come from the ipa.documentation fragment below.
extends_documentation_fragment:
  - community.general.ipa.documentation
  - community.general.attributes
a  
# ipa_host, ipa_user and ipa_pass in these examples are literal placeholder
# values. In a real playbook, supply ipa_pass from Ansible Vault or another
# secret store (for example a vaulted variable) rather than a literal in the
# task, and prefer a dedicated account with only the rights needed to manage
# password policies over the admin user.
- name: Modify the global password policy
  community.general.ipa_pwpolicy:
    # No group is given, so the global policy is the one that is modified.
    # Numeric settings are quoted because these options are typed as str.
    maxpwdlife: '90'
    minpwdlife: '1'
    historylength: '8'
    minclasses: '3'
    minlength: '16'
    # Lockout: 6 consecutive failures, counter resets after 60 seconds,
    # lockout lasts 600 seconds.
    maxfailcount: '6'
    failinterval: '60'
    lockouttime: '600'
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

- name: Ensure the password policy for the group admins is present
  community.general.ipa_pwpolicy:
    group: admins
    state: present
    maxpwdlife: '60'
    minpwdlife: '24'
    historylength: '16'
    minclasses: '4'
    # priority is given because this is a group policy, not the global one;
    # a higher number means a lower priority.
    priority: '10'
    # Sample value only: minlength '6' is shorter than the '16' set on the
    # global policy in the first example. In FreeIPA a group policy takes
    # precedence over the global policy for that group's members, so check
    # that a policy for a privileged group is not weaker than the global one.
    minlength: '6'
    maxfailcount: '4'
    failinterval: '600'
    lockouttime: '1200'
    # The remaining policy settings are typed int/bool and are passed
    # unquoted.
    gracelimit: 3
    maxrepeat: 3
    maxsequence: 3
    dictcheck: true
    usercheck: true
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret

- name: Ensure that the group sysops does not have a unique password policy
  community.general.ipa_pwpolicy:
    group: sysops
    # state: absent removes the group's own policy, so no policy values are
    # passed. Presumably members are then governed by whichever other policy
    # applies to them (another group policy or the global one).
    state: absent
    ipa_host: ipa.example.com
    ipa_user: admin
    ipa_pass: topsecret
a  
# Return value documentation: the policy entry as the IPA API returns it.
# The keys in the sample are the directory attribute names (krb*, cos*),
# not the module option names.
pwpolicy:
  description: Password policy as returned by IPA API.
  returned: always
  type: dict
  sample:
    # Apart from dn, every attribute value in the sample is a list of
    # strings, including the numeric settings.
    cn: ['admins']
    cospriority: ['10']
    dn: 'cn=admins,cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com'
    krbmaxpwdlife: ['60']
    krbminpwdlife: ['24']
    krbpwdfailurecountinterval: ['600']
    krbpwdhistorylength: ['16']
    krbpwdlockoutduration: ['1200']
    krbpwdmaxfailure: ['4']
    krbpwdmindiffchars: ['4']
    objectclass: ['top', 'nscontainer', 'krbpwdpolicy']
N)AnsibleModule)	IPAClientipa_argument_spec)	to_nativec                   :     e Zd ZdZ fdZd Zd Zd Zd Z xZ	S )PwPolicyIPAClientz8The global policy will be selected when `name` is `None`c                 2    t         t        |   ||||       y )N)superr   __init__)selfmodulehostportprotocol	__class__s        r/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/general/plugins/modules/ipa_pwpolicy.pyr   zPwPolicyIPAClient.__init__   s    /dHM    c                 8    |d}| j                  dd d|d      S )Nglobal_policypwpolicy_findT)allcnmethodnameitem
_post_jsonr   r   s     r   r   zPwPolicyIPAClient.pwpolicy_find   s)    < #DoDt[_G`aar   c                 *    | j                  d||      S )Npwpolicy_addr   r    r   r   r   s      r   r$   zPwPolicyIPAClient.pwpolicy_add       n4dKKr   c                 *    | j                  d||      S )Npwpolicy_modr   r    r%   s      r   r(   zPwPolicyIPAClient.pwpolicy_mod   r&   r   c                 (    | j                  d|      S )Npwpolicy_del)r   r   r    r"   s     r   r*   zPwPolicyIPAClient.pwpolicy_del   s    n4@@r   )
__name__
__module____qualname____doc__r   r   r$   r(   r*   __classcell__)r   s   @r   r   r      s$    BNbLLAr   r   c                     i }| |||||||||	|
|d}||d}|j                         D ]  \  }}|	t        |      ||<    |j                         D ]  \  }}|	t        |      ||<    |S )N)krbmaxpwdlifekrbminpwdlifekrbpwdhistorylengthkrbpwdmindiffcharskrbpwdminlengthcosprioritykrbpwdmaxfailurekrbpwdfailurecountintervalkrbpwdlockoutdurationpasswordgracelimitipapwdmaxrepeatipapwdmaxsequence)ipapwddictcheckipapwdusercheck)itemsr	   bool)
maxpwdlife
minpwdlifehistorylength
minclasses	minlengthprioritymaxfailcountfailintervallockouttime
gracelimit	maxrepeatmaxsequence	dictcheck	usercheckpwpolicypwpolicy_optionspwpolicy_boolean_optionsoptionvalues                      r   get_pwpolicy_dictrT      s     H##,($(&2!,($(  %$ 
 *//1 0(/HV0 2779 +#E{HV+ Or   c                 (    | j                  ||      S )N)ipa_datamodule_data)get_diff)clientipa_pwpolicymodule_pwpolicys      r   get_pwpolicy_diffr\      s    ??Lo?NNr   c                 x   | j                   d   }| j                   d   }t        | j                   j                  d      | j                   j                  d      | j                   j                  d      | j                   j                  d      | j                   j                  d      | j                   j                  d      | j                   j                  d	      | j                   j                  d
      | j                   j                  d      | j                   j                  d      | j                   j                  d      | j                   j                  d      | j                   j                  d      | j                   j                  d            }|j                  |      }d}|dk(  rg|s%d}| j                  sS|j                  ||      }||fS t        |||      }t        |      dkD  r!d}| j                  s|j                  ||      }||fS |r d}| j                  s|j                  |       ||fS )NstategrouprA   rB   rC   rD   rE   rF   rG   rH   rI   rJ   rK   rL   rM   rN   )rA   rB   rC   rD   rE   rF   rG   rH   rI   rJ   rK   rL   rM   rN   )r   FpresentT)r   r   r   )
paramsrT   getr   
check_moder$   r\   lenr(   r*   )r   rY   r^   r   r[   rZ   changeddiffs           r   ensurerg      s   MM'"E==!D'6==3D3D\3R39==3D3D\3R6<mm6G6G6X39==3D3D\3R28--2C2CK2P171B1B:1N5;]]5F5F~5V5;]]5F5F~5V4:MM4E4Em4T39==3D3D\3R28--2C2CK2P4:MM4E4Em4T28--2C2CK2P28--2C2CK2P*O  ''T'2LG	G$$%22?2S L   %V\?KD4y1}((#)#6#6D#6#WL L   G$$###.L  r   c                  T   t               } | j                  t        ddg      t        ddddg      t        d      t        d      t        d      t        d      t        d      t        d      t        d      t        d      t        d      t        d      t        d      t        d      t        d	      t        d	      
       t        | d      }t	        ||j
                  d   |j
                  d   |j
                  d         }	 |j                  |j
                  d   |j
                  d          t        ||      \  }}|j                         y # t        $ r8}|j                  t        |      t        j                                Y d }~Pd }~ww xY w)Nstrr   )typealiasesr`   absent)rj   defaultchoices)rj   intr@   )r_   r^   rA   rB   rC   rD   rE   rF   rG   rH   rI   rJ   rK   rL   rM   rN   T)argument_specsupports_check_modeipa_hostipa_portipa_prot)r   r   r   r   ipa_useripa_pass)usernamepassword)msg	exception)re   rO   )r   updatedictr   r   ra   loginrg   	Exception	fail_jsonr	   	traceback
format_exc	exit_json)rp   r   rY   re   rO   es         r   mainr     sy   %'MtA#	IW_K`a$(e$4$(e$4'+'7$(e$4#'U#3"&E"2&*&6&*&6%)u%5$(e$4#'U#3%)u%5#'V#4#'V#4  $ /35F f$*MM*$=$*MM*$=(.j(ACF
MfmmJ7$mmJ7 	 	9"662 Wx8  MYq\Y5I5I5KLLMs   <E& &	F'/.F""F'__main__)NNNNNNNNNNNNNN)
__future__r   r   r   rj   __metaclass__DOCUMENTATIONEXAMPLESRETURNr   ansible.module_utils.basicr   >ansible_collections.community.general.plugins.module_utils.ipar   r   +ansible.module_utils.common.text.convertersr	   r   rT   r\   rg   r   r+    r   r   <module>r      s    A @Qf,\
&  4 g AA	 A, X\UYuy FO(!V#9L zF r   