path: root/ansible_collections/microsoft/ad/plugins/modules/computer.py
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:04:41 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-13 12:04:41 +0000
commit975f66f2eebe9dadba04f275774d4ab83f74cf25 (patch)
tree89bd26a93aaae6a25749145b7e4bca4a1e75b2be /ansible_collections/microsoft/ad/plugins/modules/computer.py
parentInitial commit. (diff)
Adding upstream version 7.7.0+dfsg.upstream/7.7.0+dfsg
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'ansible_collections/microsoft/ad/plugins/modules/computer.py')
-rw-r--r--ansible_collections/microsoft/ad/plugins/modules/computer.py277
1 files changed, 277 insertions, 0 deletions
diff --git a/ansible_collections/microsoft/ad/plugins/modules/computer.py b/ansible_collections/microsoft/ad/plugins/modules/computer.py
new file mode 100644
index 000000000..498b882ba
--- /dev/null
+++ b/ansible_collections/microsoft/ad/plugins/modules/computer.py
@@ -0,0 +1,277 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2023, Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+DOCUMENTATION = r"""
+---
+module: computer
+short_description: Manage Active Directory computer objects
+description:
+- Manages Active Directory computer objects and their attributes.
+options:
+ delegates:
+ description:
+ - The principal objects that the current AD object can trust for
+ delegation to either add, remove or set.
+ - The values for each sub option must be specified as a distinguished name
+ C(CN=shenetworks,CN=Users,DC=ansible,DC=test)
+ - This is the value set on the C(msDS-AllowedToActOnBehalfOfOtherIdentity)
+ LDAP attribute.
+ - This is a highly sensitive attribute as it allows the principals
+ specified to impersonate any account when authenticating with the AD
+ computer object being managed.
+ - To clear all principals, use I(set) with an empty list.
+ - See R(Setting list option values,ansible_collections.microsoft.ad.docsite.guide_list_values)
+ for more information on how to add/remove/set list options.
+ aliases:
+ - principals_allowed_to_delegate
+ type: dict
+ suboptions:
+ add:
+ description:
+ - The AD objects by their C(DistinguishedName) to add as a principal
+ allowed to delegate.
+ - Any existing principals not specified by I(add) will be untouched
+ unless specified by I(remove) or not in I(set).
+ type: list
+ elements: str
+ remove:
+ description:
+ - The AD objects by their C(DistinguishedName) to remove as a principal
+ allowed to delegate.
+ - Any existing pricipals not specified by I(remove) will be untouched
+ unless I(set) is defined.
+ type: list
+ elements: str
+ set:
+ description:
+ - The AD objects by their C(DistinguishedName) to set as the only
+ principals allowed to delegate.
+ - This will remove any existing principals if not specified in this
+ list.
+ - Specify an empty list to remove all principals allowed to delegate.
+ type: list
+ elements: str
+ dns_hostname:
+ description:
+ - Specifies the fully qualified domain name (FQDN) of the computer.
+ - This is the value set on the C(dNSHostName) LDAP attribute.
+ type: str
+ enabled:
+ description:
+ - C(yes) will enable the group.
+ - C(no) will disable the group.
+ type: bool
+ kerberos_encryption_types:
+ description:
+ - Specifies the Kerberos encryption types supported the AD computer
+ account.
+ - This is the value set on the C(msDS-SupportedEncryptionTypes) LDAP
+ attribute.
+ - Avoid using C(rc4) or C(des) as they are older an insecure encryption
+ protocols.
+ - To clear all encryption types, use I(set) with an empty list.
+ - See R(Setting list option values,ansible_collections.microsoft.ad.docsite.guide_list_values)
+ for more information on how to add/remove/set list options.
+ type: dict
+ suboptions:
+ add:
+ description:
+ - The encryption types to add to the existing set.
+ - Any existing encryption types not specified by I(add) will be
+ untouched unless specified by I(remove) or not in I(set).
+ choices:
+ - aes128
+ - aes256
+ - des
+ - rc4
+ type: list
+ elements: str
+ remove:
+ description:
+ - The encryption types to remove from the existing set.
+ - Any existing encryption types not specified by I(remove) will be
+ untouched unless I(set) is defined.
+ choices:
+ - aes128
+ - aes256
+ - des
+ - rc4
+ type: list
+ elements: str
+ set:
+ description:
+ - The encryption types to set as the only encryption types allowed
+ by the AD computer.
+ - This will remove any existing encryption types if not specified in
+ this list.
+ - Specify an empty list to remove all encryption types.
+ choices:
+ - aes128
+ - aes256
+ - des
+ - rc4
+ type: list
+ elements: str
+ location:
+ description:
+ - Sets the location of the computer account.
+ - This is the value set on the C(location) LDAP attribute.
+ type: str
+ managed_by:
+ description:
+ - The user or group that manages the object.
+ - The value can be in the form of a C(distinguishedName), C(objectGUID),
+ C(objectSid), or sAMAccountName).
+ - This is the value set on the C(managedBy) LDAP attribute.
+ type: str
+ sam_account_name:
+ description:
+ - The C(sAMAccountName) value to set for the group.
+ - If omitted, the I(name) value is used when creating a new group.
+ - It has a maximum of 256 characters, 15 is advised for older
+ operating systems compatibility.
+ - If ommitted the value is the same as C(name$) when the computer is
+ created.
+ - Note that all computer C(sAMAccountName) values need to end with a C($).
+ - If C($) is omitted, it will be added to the end.
+ type: str
+ spn:
+ description:
+ - Specifies the service principal name(s) for the account to add, remove or
+ set.
+ - This is the value set on the C(servicePrincipalName) LDAP attribute.
+ - To clear all service principal names, use I(set) with an empty list.
+ - See R(Setting list option values,ansible_collections.microsoft.ad.docsite.guide_list_values)
+ for more information on how to add/remove/set list options.
+ aliases:
+ - spns
+ type: dict
+ suboptions:
+ add:
+ description:
+ - The SPNs to add to C(servicePrincipalName).
+ type: list
+ elements: str
+ remove:
+ description:
+ - The SPNs to remove from C(servicePrincipalName).
+ type: list
+ elements: str
+ set:
+ description:
+ - The SPNs to set as the only values in C(servicePrincipalName).
+ - This will clear out any existing SPNs if not in the specified list.
+ - Set to an empty list to clear all SPNs on the AD object.
+ type: list
+ elements: str
+ trusted_for_delegation:
+ description:
+ - Specifies whether an account is trusted for Kerberos delegation.
+ - This is also known as unconstrained Kerberos delegation.
+ - This sets the C(ADS_UF_TRUSTED_FOR_DELEGATION) flag in the
+ C(userAccountControl) LDAP attribute.
+ type: bool
+ upn:
+ description:
+ - Configures the User Principal Name (UPN) for the account.
+ - The format is C(<username>@<domain>).
+ - This is the value set on the C(userPrincipalName) LDAP attribute.
+ type: str
+notes:
+- See R(win_domain_computer migration,ansible_collections.microsoft.ad.docsite.guide_migration.migrated_modules.win_domain_computer)
+ for help on migrating from M(community.windows.win_domain_computer) to this
+ module.
+extends_documentation_fragment:
+- microsoft.ad.ad_object
+- ansible.builtin.action_common_attributes
+attributes:
+ check_mode:
+ support: full
+ diff_mode:
+ support: full
+ platform:
+ platforms:
+ - windows
+seealso:
+- module: microsoft.ad.domain
+- module: microsoft.ad.domain_controller
+- module: microsoft.ad.membership
+- module: microsoft.ad.object_info
+- module: microsoft.ad.object
+- module: microsoft.ad.offline_join
+- module: microsoft.ad.group
+- ref: Migration guide <ansible_collections.microsoft.ad.docsite.guide_migration.migrated_modules.win_domain_computer>
+ description: This module replaces C(community.windows.win_domain_computer). See the migration guide for details.
+- module: community.windows.win_domain_computer
+author:
+- Jordan Borean (@jborean93)
+"""
+
+EXAMPLES = r"""
+- name: Add linux computer to Active Directory OU using a windows machine
+ microsoft.ad.computer:
+ name: one_linux_server
+ sam_account_name: linux_server$
+ dns_hostname: one_linux_server.my_org.local
+ path: OU=servers,DC=my_org,DC=local
+ description: Example of linux server
+ enabled: yes
+ state: present
+
+- name: Remove linux computer from Active Directory using a windows machine
+ microsoft.ad.computer:
+ name: one_linux_server
+ state: absent
+
+- name: Add SPNs to computer
+ microsoft.ad.computer:
+ name: TheComputer
+ spn:
+ add:
+ - HOST/TheComputer
+ - HOST/TheComputer.domain.test
+ - HOST/TheComputer.domain.test:1234
+
+- name: Remove SPNs on the computer
+ microsoft.ad.computer:
+ name: TheComputer
+ spn:
+ remove:
+ - HOST/TheComputer
+ - HOST/TheComputer.domain.test
+ - HOST/TheComputer.domain.test:1234
+
+- name: Set the principals the computer trusts for delegation from
+ microsoft.ad.computer:
+ name: TheComputer
+ delegates:
+ set:
+ - CN=FileShare,OU=Computers,DC=domain,DC=test
+ - CN=DC,OU=Domain Controllers,DC=domain,DC=test
+"""
+
+RETURN = r"""
+object_guid:
+ description:
+ - The C(objectGUID) of the AD object that was created, removed, or edited.
+ - If a new object was created in check mode, a GUID of 0s will be returned.
+ returned: always
+ type: str
+ sample: d84a141f-2b99-4f08-9da0-ed2d26864ba1
+distinguished_name:
+ description:
+ - The C(distinguishedName) of the AD object that was created, removed, or edited.
+ returned: always
+ type: str
+ sample: CN=MyComputer,CN=Computers,DC=domain,DC=test
+sid:
+ description:
+ - The Security Identifier (SID) of the account managed.
+ - If a new computer was created in check mode, the SID will be C(S-1-5-0000).
+ returned: always
+ type: str
+ sample: S-1-5-21-4151808797-3430561092-2843464588-1104
+"""
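Review bot: The `trusted_for_delegation` option (the description that names `ADS_UF_TRUSTED_FOR_DELEGATION`) has no sensitivity warning, although `delegates` at the top of the options is flagged as highly sensitive and unconstrained delegation is the broader grant; I would add a description line such as `- This is a highly sensitive setting as the computer can impersonate any account that authenticates to it; use constrained delegation where possible.`. The `enabled` and `sam_account_name` descriptions still say "group" (`C(yes) will enable the group.`, `The C(sAMAccountName) value to set for the group.`), apparently carried over from the group module, and should read "computer" so an operator is not left unsure which object gets disabled or renamed. In `kerberos_encryption_types`, the advice to clear all types with an empty I(set) should state what the account falls back to, since that presumably depends on the domain defaults and may re-admit `rc4`. Smaller wording fixes in the same block: `pricipals`, `ommitted`, `older an insecure`, `supported the AD computer`, and the stray `)` after `sAMAccountName`.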