f5os_auth – Manage authentication settings

New in version 1.10.0.

Synopsis

  • Manage authentication settings, including remote auth servers, remote roles, authentication order and password policy.
  • Please note: this module is NOT IDEMPOTENT because of API limitations. RADIUS and TACACS+ secrets are only reported back encrypted, and the password policy is always reported as present, so for these items a change is always reported.

Parameters

Each entry gives the parameter name with its type and any choices or default, followed by its description; indented entries are sub-options of the entry above them.

auth_order (list / elements=string)
    Specifies the order in which the authentication providers are applied to login attempts.
    Options are [local, radius, tacacs, ldap].

password_policy (dictionary)
    Specifies the password policy for local user accounts.
    apply_to_root (boolean; choices: no, yes)
        Specifies whether the password policy also applies to the root user.
    max_age (integer)
        Specifies the maximum age for a password.
    max_class_repeat (integer)
        Specifies the maximum repetition of characters within the same class.
    max_letter_repeat (integer)
        Specifies the maximum repetition of the same character.
    max_login_failures (integer)
        Specifies the maximum number of logon failures before a user is locked out.
    max_retries (integer)
        Specifies the maximum number of attempts a user can make to create a valid password.
    max_sequence_repeat (integer)
        Specifies the maximum repetition of a character sequence.
    min_differences (integer)
        Specifies the number of characters that must be altered between the old and the updated password.
    min_length (integer)
        Specifies the minimum password length.
    min_lower (integer)
        Specifies the minimum number of lowercase characters.
    min_number (integer)
        Specifies the minimum number of numeric characters.
    min_special (integer)
        Specifies the minimum number of special characters.
    min_upper (integer)
        Specifies the minimum number of uppercase characters.
    reject_username (boolean; choices: no, yes)
        Specifies whether the system rejects passwords that contain the username.
    root_lockout (boolean; choices: no, yes)
        Specifies whether the root user can be locked out.
    root_unlock_time (integer)
        Specifies the root user's unlock time.
    unlock_time (integer)
        Specifies the unlock time.

remote_roles (list / elements=dictionary)
    Specifies the conditions under which a role is applied to a remote-authenticated user.
    ldap_group (string)
        Name of the LDAP group (applies to LDAP only).
    remote_gid (integer)
        Specifies the remote group ID to be associated with the local role.
    rolename (string)
        Name of the role as configured on the system.
        Options are [admin, resource-admin, superuser, operator, user].

servergroups (list / elements=dictionary)
    Specifies server groups for remote authentication.
    This option will be deprecated in future versions: server group configuration has been moved to the separate module f5os_auth_server to improve modularity and granularity.
    name (string)
        Name of the server group.
    protocol (string)
        Authentication protocol for the server group.
        Options are [radius, tacacs, ldap, ocsp].
    servers (list / elements=dictionary)
        Server list as members of the server group.
        address (string)
            Address of the remote host.
        port (integer)
            Network port (TCP/UDP) to be used on the remote server.
        secret (string)
            Secret for RADIUS or TACACS+ servers (applies to RADIUS and TACACS+ only).
        security (string)
            Security setting for LDAP servers (applies to LDAP only).
            If present, should be None (LDAP) or "tls" (LDAPS).
        timeout (integer; default: 3)
            Timeout for RADIUS servers (applies to RADIUS only).

state (string; choices: present (default), absent)
    If present, creates/updates the specified setting if necessary.
    If absent, deletes the specified setting if it exists.

Examples

- name: Create Servers
  f5os_auth:
    servergroups:
      - name: radius_servers
        protocol: radius
        servers:
          - address: 10.2.3.4
            secret: TOPSECRET
            port: 1812
            timeout: 3
          - address: 10.2.3.5
            secret: TOPSECRET
            port: 1812
            timeout: 3
      - name: tacacs_servers
        protocol: tacacs
        servers:
          - address: 10.2.3.4
            secret: TOPSECRET
            port: 49
          - address: 10.2.3.5
            secret: TOPSECRET
            port: 49
      - name: ldap_servers
        protocol: ldap
        servers:
          - address: 10.2.3.4
            port: 389
          - address: 10.2.3.5
            port: 636
            security: tls
      - name: ocsp_servers
        protocol: ocsp
        servers:
          - address: 10.2.3.4
            port: 80
          - address: 10.2.3.5
            port: 80

- name: Set Auth Order
  f5os_auth:
    auth_order:
      - radius
      - tacacs
      - ldap
      - local

- name: Set Password Policy
  f5os_auth:
    password_policy:
      max_age: 30
      max_class_repeat: 2
      max_letter_repeat: 2
      max_login_failures: 10
      max_retries: 3
      max_sequence_repeat: 2
      min_differences: 8
      min_length: 16
      min_lower: 3
      min_number: 3
      min_special: 3
      min_upper: 3
      reject_username: true
      root_lockout: false
      root_unlock_time: 60
      unlock_time: 60

- name: Set Remote Roles
  f5os_auth:
    remote_roles:
      - rolename: admin
        remote_gid: 10
        ldap_group: admins
      - rolename: resource-admin
        remote_gid: 20
        ldap_group: resource-admins

- name: Delete Servers
  f5os_auth:
    servergroups:
      - name: radius_servers
        protocol: radius
        servers:
          - address: 10.2.3.4
            secret: TOPSECRET
            port: 1812
            timeout: 3
          - address: 10.2.3.5
            secret: TOPSECRET
            port: 1812
            timeout: 3
      - name: tacacs_servers
        protocol: tacacs
        servers:
          - address: 10.2.3.4
            secret: TOPSECRET
            port: 49
          - address: 10.2.3.5
            secret: TOPSECRET
            port: 49
      - name: ldap_servers
        protocol: ldap
        servers:
          - address: 10.2.3.4
            port: 389
          - address: 10.2.3.5
            port: 636
            security: tls
      - name: ocsp_servers
        protocol: ocsp
        servers:
          - address: 10.2.3.4
            port: 80
          - address: 10.2.3.5
            port: 80
    state: absent

- name: Set Auth Order
  f5os_auth:
    auth_order:
      - radius
      - tacacs
      - ldap
      - local
    state: absent

- name: Set Password Policy
  f5os_auth:
    password_policy:
      max_age: 30
      max_class_repeat: 2
      max_letter_repeat: 2
      max_login_failures: 10
      max_retries: 3
      max_sequence_repeat: 2
      min_differences: 8
      min_length: 16
      min_lower: 3
      min_number: 3
      min_special: 3
      min_upper: 3
      reject_username: true
      root_lockout: false
      root_unlock_time: 60
      unlock_time: 60
    state: absent

- name: Set Remote Roles
  f5os_auth:
    remote_roles:
      - rolename: admin
        remote_gid: 10
        ldap_group: admins
      - rolename: resource-admin
        remote_gid: 20
        ldap_group: resource-admins
    state: absent
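The playbook below is an added example; it is not part of the module documentation or of the collection's own examples. It puts the Synopsis note into practice: because the API returns RADIUS and TACACS+ secrets only in encrypted form, the server-group task reports a change on every run, and the secrets must be kept out of task output with no_log and out of the repository with Ansible Vault. It assumes an inventory group f5os_appliances whose connection settings already come from inventory, a Vault-encrypted vars file vault/f5os_auth.yml (constructed path) that defines radius_secret and tacacs_secret, and LDAP group names and GIDs that are constructed for illustration.

```yaml
# Added example, not from the module documentation. Assumptions: an inventory
# group "f5os_appliances" with connection settings supplied by inventory; a
# Vault-encrypted vars file "vault/f5os_auth.yml" (constructed path) defining
# radius_secret and tacacs_secret; group names and GIDs below are constructed.
- name: Configure F5OS remote authentication without exposing secrets
  hosts: f5os_appliances
  gather_facts: false
  vars_files:
    - vault/f5os_auth.yml
  vars:
    desired_auth_order:
      - radius
      - tacacs
      - local

  tasks:
    - name: Refuse an auth order that drops the local break-glass fallback
      ansible.builtin.assert:
        that:
          - "'local' in desired_auth_order"
        fail_msg: "auth_order must keep 'local' so administrators can still log in when every remote provider is unreachable"

    - name: Define RADIUS and TACACS+ server groups
      f5os_auth:
        servergroups:
          - name: radius_servers
            protocol: radius
            servers:
              - address: 10.2.3.4
                secret: "{{ radius_secret }}"
                port: 1812
                timeout: 3
          - name: tacacs_servers
            protocol: tacacs
            servers:
              - address: 10.2.3.4
                secret: "{{ tacacs_secret }}"
                port: 49
      # The API returns the secrets only encrypted, so this task reports
      # "changed" on every run (see Synopsis). no_log keeps the secrets out
      # of stdout, log files and callback plugins.
      no_log: true

    - name: Map remote groups to the least-privileged local role they need
      f5os_auth:
        remote_roles:
          - rolename: operator
            remote_gid: 30
            ldap_group: noc-operators
          - rolename: admin
            remote_gid: 10
            ldap_group: f5-admins

    - name: Require strong local passwords and apply the policy to root as well
      f5os_auth:
        password_policy:
          apply_to_root: true
          min_length: 16
          min_lower: 2
          min_upper: 2
          min_number: 2
          min_special: 2
          reject_username: true
          max_login_failures: 5
          unlock_time: 300
          root_lockout: false

    - name: Apply the validated authentication order
      f5os_auth:
        auth_order: "{{ desired_auth_order }}"
```

Run it with a vault password source (for example ansible-playbook --ask-vault-pass). Resist the temptation to add changed_when: false to the server-group task to silence the perpetual "changed" status: that would also hide genuine changes to addresses, ports and timeouts, which is the one part of the server-group result the module can report reliably.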

Return Values

The following are the fields unique to this module:

Each entry gives the key, its type and when it is returned, followed by its description.

auth_order (string; returned: changed)
    Specifies the auth order.

password_policy (string; returned: changed)
    Specifies the password policy.

remote_roles (string; returned: changed)
    Specifies the remote roles.

servergroups (string; returned: changed)
    Specifies the servergroups.



Status

Authors

  • Martin Vogel (@MVogel91)