community.proxmox.proxmox_domain module – Manage authentication realms.

Note

This module is part of the community.proxmox collection (version 2.0.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.proxmox. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.proxmox.proxmox_domain.

New in community.proxmox 2.0.0

Synopsis

Create or remove Proxmox VE authentication realms of type ad, ldap or openid, including their user/group sync defaults.

Requirements

The below requirements are needed on the host that executes this module.

  • proxmoxer >= 2.3

  • requests

Parameters

Parameter

Comments

ad_case_sensitive

boolean

Whether usernames are matched case-sensitively.

Supported for type=ad.

Choices:

  • false

  • true ← (default)

ad_domain

string

AD domain name.

Required when type=ad.

api_host

string / required

Specify the target host of the Proxmox VE cluster.

Uses the PROXMOX_HOST environment variable if not specified.

api_otp

string

Specify the OTP.

Uses the PROXMOX_OTP environment variable if not specified.

api_password

string

Specify the password to authenticate with.

Uses the PROXMOX_PASSWORD environment variable if not specified.

api_port

integer

Specify the target port of the Proxmox VE cluster.

Uses the PROXMOX_PORT environment variable if not specified.

api_timeout

integer

Time limit, in seconds, for requests to the Proxmox VE API.

Default: 5

api_token_id

string

Specify the token ID.

Uses the PROXMOX_TOKEN_ID environment variable if not specified.

api_token_secret

string

Specify the token secret.

Uses the PROXMOX_TOKEN_SECRET environment variable if not specified.

api_user

string / required

Specify the user to authenticate with.

Uses the PROXMOX_USER environment variable if not specified.

ca_path

path

Path to a local CA certificate file used to verify the TLS connection to the Proxmox VE API.

Ignored if validate_certs=false.

comment

string

Description of the realm.

default

boolean

Use as default realm.

Choices:

  • false

  • true

ldap_base_dn

string

LDAP base distinguished name (DN) under which users and groups are searched.

Required when type=ldap.

ldap_bind_dn

aliases: ad_bind_dn

string

Distinguished name (DN) of the account used to bind to the directory.

Supported for type=ldap and type=ad.

ldap_filter

aliases: ad_filter

string

LDAP filter for user sync.

Supported for type=ldap and type=ad.

ldap_group_classes

aliases: ad_group_classes

string

The object class for group (groupOfNames, group, univentionGroup, ipausergroup).

Supported for type=ldap and type=ad.

ldap_group_filter

aliases: ad_group_filter

string

LDAP filter for group sync.

Supported for type=ldap and type=ad.

ldap_group_name_attr

aliases: ad_group_name_attr

string

LDAP attribute that holds the group name.

Supported for type=ldap and type=ad.

ldap_mode

aliases: ad_mode

string

LDAP protocol mode.

Supported for type=ldap and type=ad.

Choices:

  • "ldap"

  • "ldaps"

  • "ldap+starttls"

ldap_password

aliases: ad_password

string

LDAP bind password.

Supported for type=ldap and type=ad.

ldap_port

aliases: ad_port

integer

Server port.

Supported for type=ldap and type=ad.

ldap_primary_server

aliases: ad_primary_server

string

Server IP address or DNS name.

Required when type=ldap or type=ad.

ldap_secondary_server

aliases: ad_secondary_server

string

Fallback server IP address or DNS name.

Supported for type=ldap and type=ad.

ldap_sync_defaults_options

aliases: ad_sync_defaults_options

dictionary

Default options controlling the behaviour of realm synchronizations.

Supported for type=ldap and type=ad.

enable_new

boolean

Enable creation of new users.

Choices:

  • false

  • true

remove_vanished

string

Semicolon-separated list of things to remove when they or the user vanish during a sync.

The following values are possible:

remove_vanished=acl removes ACLs when the user/group is not returned from the sync.

remove_vanished=properties removes the set properties on an existing user/group that do not appear in the source (even custom ones).

remove_vanished=entry removes the user/group when not returned from the sync.

Instead of a list it can also be remove_vanished=none.

Example: remove_vanished="acl;properties;entry".

scope

string

Select what to sync.

Choices:

  • "users"

  • "groups"

  • "both"

ldap_user_attr

string

LDAP attribute used as the Proxmox username (for example uid).

Required when type=ldap.

ldap_user_classes

aliases: ad_user_classes

string

The object class for user (inetorgperson, posixaccount, person, user).

Supported for type=ldap and type=ad.

ldap_validate_certs

aliases: ad_validate_certs

boolean

Verify the LDAP server's TLS certificate.

Supported for type=ldap and type=ad.

Choices:

  • false

  • true

openid_acr_values

string

Defines the Authentication Context Class Reference values requested from the Authorization Server for the Authentication Request.

Supported for type=openid.

openid_autocreate

boolean

Automatically create users if they do not exist.

Supported for type=openid.

Choices:

  • false

  • true

openid_client_id

string

OpenID Client ID.

Required when type=openid.

openid_client_key

string

OpenID Client key.

Supported for type=openid.

openid_groups_autocreate

boolean

Automatically create groups if they do not exist.

Supported for type=openid.

Choices:

  • false

  • true

openid_groups_claim

string

OpenID claim from which group membership is read.

Supported for type=openid.

openid_groups_overwrite

boolean

All groups will be overwritten for the user on login.

Supported for type=openid.

Choices:

  • false

  • true

openid_issuer_url

string

OpenID Issuer Url.

Required when type=openid.

openid_prompt

string

Specifies whether the Authorization Server prompts the End-User for reauthentication and consent.

Supported for type=openid.

openid_query_userinfo

boolean

Enables querying the userinfo endpoint for claims values.

Supported for type=openid.

Choices:

  • false

  • true

openid_scopes

string

Specifies the scopes (user details) that should be authorized and returned, for example ‘email’ or ‘profile’.

Supported for type=openid.

openid_username_claim

string

OpenID claim used to generate the unique username.

Supported for type=openid.

realm

string / required

Arbitrary string used to identify the login realm in Proxmox.

state

string / required

Indicates if the realm should be present or absent.

Choices:

  • "present"

  • "absent"

type

string

Realm type.

Required when state=present.

Choices:

  • "ad"

  • "ldap"

  • "openid"

validate_certs

boolean

Validate the TLS certificates used for the connection to the Proxmox VE API.

May be set through the environment variable PROXMOX_VALIDATE_CERTS.

Choices:

  • false

  • true ← (default)

Attributes

Attribute

Support

Description

action_group

Action group: community.proxmox.proxmox

Use group/community.proxmox.proxmox in module_defaults to set defaults for this module.

check_mode

Support: full

This action does not modify state.

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

This action does not modify state.

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

See Also

Authentication

Complete guide for the Proxmox API authentication

Examples

- name: Add LDAP domain
  community.proxmox.proxmox_domain:
    realm: "example.test"
    state: present
    type: "ldap"
    default: true
    ldap_base_dn: "cn=accounts,dc=example,dc=test"
    ldap_bind_dn: "uid=sa-proxmox,cn=users,cn=accounts,dc=example,dc=test"
    ldap_filter: "memberof=cn=admins-proxmox,cn=groups,cn=accounts,dc=example,dc=test"
    ldap_group_filter: "cn=admins-proxmox"
    ldap_group_name_attr: "cn"
    ldap_mode: "ldaps"
    ldap_password: XXXXX  # placeholder; keep the bind password in ansible-vault
    ldap_primary_server: "ipa.example.test"
    ldap_user_attr: "uid"
    ldap_validate_certs: false  # skips LDAPS certificate checks; use true with a trusted CA outside of tests
    ldap_sync_defaults_options:
      scope: "both"
      enable_new: true
      remove_vanished: "acl;properties;entry"

- name: Add AD domain
  community.proxmox.proxmox_domain:
    ad_domain: "ADDOMAIN"
    realm: "ad"
    state: present
    type: "ad"
    comment: "AD"
    ad_mode: "ldap"  # plaintext LDAP; prefer "ldaps" or "ldap+starttls" so the bind credentials are not sent in the clear
    ad_password: XXXXXXXX  # placeholder; keep in ansible-vault
    ad_primary_server: "ad.example.test"
    ad_sync_defaults_options:
      scope: "both"
      enable_new: true
      remove_vanished: "acl;properties;entry"

- name: Add OpenID domain
  community.proxmox.proxmox_domain:
    realm: "openid"
    state: present
    type: "openid"
    openid_client_id: idoftheclient
    openid_client_key: keyoftheclient  # placeholder client secret; keep in ansible-vault
    openid_issuer_url: "https://example.test/openid-server"

- name: Remove domain
  community.proxmox.proxmox_domain:
    realm: "ipa.example.test"
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

msg

string

The output message that the module generates.

Returned: always

Authors

  • Vial Nicolas (@teslamania)