An Ansible collection for Red Hat IdM / FreeIPA with dynamic inventory, IdM vault retrieval and lifecycle automation, Kerberos principal state, keytab delivery, delegated user-lease control, certificate automation, OTP workflows, DNS record inspection, sudo policy inspection, SELinux user map inspection, and HBAC rule inspection and access testing.
If you are mapping the collection into OpenShift ecosystem workflows, the adjacent branches off that primer are: OPENSHIFT RHOSO USE CASES, OPENSHIFT RHACM USE CASES, OPENSHIFT RHACS USE CASES, OPENSHIFT QUAY USE CASES.
eigenstate is a nod to the quantum-mechanical idea of a stable observable
state. In practice, the collection assumes IdM already knows what the estate
looks like and what secrets it should hand out. The Ansible side should consume
that state directly instead of maintaining a parallel copy in static inventory
files and side-channel secret stores.
The GitHub repository name is eigenstate-ipa; the Ansible collection name is
eigenstate.ipa.
Ansible already has strong support for managing IdM objects. The missing piece has been consuming IdM as an input system:
- dynamic inventory from enrolled IdM hosts, hostgroups, netgroups, and HBAC policy
- secret retrieval from IdM vaults without copying those values into Git or inventory vars
Without those two paths, operators usually end up with:
- static inventory that drifts from the enrollment reality
- policy data duplicated outside the identity platform
- credentials copied into other stores because automation cannot read IdM vaults
- keytabs staged by hand outside the automation lifecycle
- certificate requests handled in separate CA workflows outside the automation lifecycle
This collection closes that gap with one inventory plugin, nine lookup plugins, and two write modules.
The collection has three practical layers:
- live inventory from IdM host and policy data
- controller-side lookup plugins for Kerberos, vaults, certificates, OTP, DNS, and policy state
- narrow write modules for vault lifecycle and delegated temporary-user expiry
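As an added example (not the collection's own inventory plugin code), the block below shows the core of the first layer: turning the host_find and hbacrule_find results an IdM client returns into the group structure a dynamic inventory exposes, with disabled HBAC rules dropped so policy state, not a static file, decides membership. The sample payloads, the hostgroup_* and hbac_* group names, and the ipalib live-fetch path are assumptions made here.

```python
"""Turn IdM host_find / hbacrule_find results into an Ansible dynamic-inventory dict.
Added example, not the eigenstate.ipa collection's own code. SAMPLE_* payloads are constructed
to match ipalib's attribute names; fetch_from_idm assumes ipalib and a Kerberos ticket."""

SAMPLE_HOSTS = [  # constructed host_find results
    {"fqdn": ["web1.example.test"], "memberof_hostgroup": ["webservers"]},
    {"fqdn": ["db1.example.test"], "memberof_hostgroup": ["databases"]},
    {"fqdn": ["bastion.example.test"]},
]
SAMPLE_HBACRULES = [  # constructed hbacrule_find results; the second rule is disabled
    {"cn": ["allow_web_admins"], "ipaenabledflag": [True],
     "memberhost_hostgroup": ["webservers"], "memberhost_host": ["bastion.example.test"]},
    {"cn": ["legacy_rule"], "ipaenabledflag": ["FALSE"], "memberhost_hostgroup": ["databases"]},
]

def _rule_enabled(rule):
    value = rule.get("ipaenabledflag", [True])[0]  # [True] on newer servers, ['TRUE'] on older
    return value is True or str(value).upper() == "TRUE"

def build_inventory(hosts, hbacrules):
    """hostgroup_<cn> per IdM hostgroup; hbac_<cn> per enabled rule, expanded through hostgroups.
    Disabled rules are skipped so a rule turned off in IdM leaves the inventory on refresh."""
    inv = {"_meta": {"hostvars": {}}, "all": {"hosts": []}}
    hg_members = {}  # hostgroup cn -> set of fqdn, derived from each host's memberships
    for host in hosts:
        fqdn = host["fqdn"][0]
        groups = list(host.get("memberof_hostgroup", []))
        inv["all"]["hosts"].append(fqdn)
        inv["_meta"]["hostvars"][fqdn] = {"idm_hostgroups": groups}
        for hg in groups:
            inv.setdefault(f"hostgroup_{hg}", {"hosts": []})["hosts"].append(fqdn)
            hg_members.setdefault(hg, set()).add(fqdn)
    for rule in hbacrules:
        if not _rule_enabled(rule):
            continue
        scope = set(rule.get("memberhost_host", []))
        for hg in rule.get("memberhost_hostgroup", []):
            scope |= hg_members.get(hg, set())
        if scope:
            inv[f"hbac_{rule['cn'][0]}"] = {"hosts": sorted(scope)}
    return inv

def fetch_from_idm():
    from ipalib import api  # lazy import: build_inventory runs without the IdM client stack
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    return build_inventory(api.Command.host_find(sizelimit=0)["result"],
                           api.Command.hbacrule_find(sizelimit=0)["result"])
```

Running build_inventory on the constructed sample yields one hostgroup_* group per IdM hostgroup and an hbac_allow_web_admins group containing the bastion plus every webservers member, while the disabled legacy_rule produces no group at all.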
The table below is the authoritative surface summary.

| Plugin | Type | FQCN | Purpose |
|---|---|---|---|
| IdM inventory | inventory | eigenstate.ipa.idm | Builds live inventory from IdM-enrolled hosts and policy-backed group relationships |
| IdM vault | lookup | eigenstate.ipa.vault | Retrieves vault payloads, inspects metadata, and searches vault scopes in IdM |
| IdM vault lifecycle | module | eigenstate.ipa.vault_write | Creates, archives, updates, and deletes IdM vaults with check-mode and member-management support |
| Kerberos principal state | lookup | eigenstate.ipa.principal | Reads user, host, and service principal existence, key, lock, and last-auth state from IdM |
| Kerberos keytab | lookup | eigenstate.ipa.keytab | Retrieves Kerberos keytab files for service and host principals via ipa-getkeytab |
| User lease boundary | module | eigenstate.ipa.user_lease | Sets, expires, or clears user expiry attributes for delegated temporary-access workflows |
| IdM certificates | lookup | eigenstate.ipa.cert | Requests, retrieves, and searches IdM CA certificates for host and service principals |
| OTP and enrollment credentials | lookup | eigenstate.ipa.otp | Issues user OTP tokens and one-time host enrollment passwords through IdM |
| DNS record state | lookup | eigenstate.ipa.dns | Reads forward, reverse, zone-apex, and broad-search DNS records from IdM |
| SELinux user map state | lookup | eigenstate.ipa.selinuxmap | Reads SELinux user map configuration and HBAC-linked scope from IdM |
| Sudo policy state | lookup | eigenstate.ipa.sudo | Reads sudo rules, sudo commands, and sudo command groups from IdM |
| HBAC rule state and access test | lookup | eigenstate.ipa.hbacrule | Reads HBAC rule configuration and runs live access tests via the FreeIPA hbactest engine |
Use these first if you want the project map before you dive into individual surfaces.

- For identity-backed inventory and static secret handling: INVENTORY CAPABILITIES, IDM VAULT CAPABILITIES, VAULT WRITE CAPABILITIES
- For Kerberos, temporary access, certificates, and enrollment: PRINCIPAL CAPABILITIES, KEYTAB CAPABILITIES, USER LEASE CAPABILITIES, IDM CERT CAPABILITIES, OTP CAPABILITIES
- For DNS and policy-aware controller checks: DNS CAPABILITIES, SELINUX MAP CAPABILITIES, SUDO CAPABILITIES, HBAC RULE CAPABILITIES
- For collection-wide workflow guidance: ROTATION CAPABILITIES, ROTATION USE CASES, AAP INTEGRATION, EPHEMERAL ACCESS CAPABILITIES

When you already believe the plugin boundary fits and want the playbook shape: INVENTORY USE CASES, IDM VAULT USE CASES, VAULT WRITE USE CASES, PRINCIPAL USE CASES, KEYTAB USE CASES, USER LEASE USE CASES, IDM CERT USE CASES, OTP USE CASES, DNS USE CASES, SELINUX MAP USE CASES, SUDO USE CASES, HBAC RULE USE CASES.

Start with the comparison framing, then move into the collection-wide workflow guides: VAULT/CYBERARK PRIMER, ROTATION CAPABILITIES, ROTATION USE CASES, EPHEMERAL ACCESS CAPABILITIES, AAP INTEGRATION.

If the comparison translates into an IdM-native workflow for you, these are the first concrete surfaces worth reading: IDM VAULT PLUGIN, VAULT WRITE MODULE, KEYTAB PLUGIN, USER LEASE MODULE, IDM CERT PLUGIN, HBAC RULE PLUGIN.
```
ansible-galaxy collection install eigenstate-ipa-1.10.6.tar.gz
```

Verify the main surfaces you plan to use. For example:

```
ansible-doc -t inventory eigenstate.ipa.idm
ansible-doc -t lookup eigenstate.ipa.vault
ansible-doc -t lookup eigenstate.ipa.keytab
ansible-doc -t module eigenstate.ipa.vault_write
ansible-doc -t module eigenstate.ipa.user_lease
```

For the full plugin index, use DOCS MAP.
Note: The inventory plugin talks to the IdM JSON-RPC API and can use either password authentication or Kerberos with an optional keytab. The vault lookup, vault write, principal, cert, OTP, and DNS components use ipalib and therefore depend on the local IdM client Python libraries being available on the control node or execution environment. The keytab plugin shells out to ipa-getkeytab and does not require ipalib; on RHEL 10 install ipa-client, and on other releases install the package that provides ipa-getkeytab on the control node or EE. The cert plugin uses ipalib like the vault plugin and can request, retrieve, and search IdM CA certificates without certmonger on the target. The OTP, selinuxmap, sudo, and hbacrule lookups and the user_lease module use the same IdM client Python stack as the vault, principal, and cert lookups.
| Path | Purpose |
|---|---|
| plugins/inventory/idm.py | Dynamic inventory plugin for hosts, hostgroups, netgroups, and HBAC rules |
| plugins/lookup/vault.py | Lookup plugin for IdM vault retrieval |
| plugins/modules/vault_write.py | Module for IdM vault lifecycle operations |
| plugins/module_utils/ipa_client.py | Shared Kerberos auth and ipalib connection utilities for IPA write operations |
| plugins/lookup/principal.py | Lookup plugin for Kerberos principal state queries |
| plugins/lookup/keytab.py | Lookup plugin for Kerberos keytab retrieval via ipa-getkeytab |
| plugins/modules/user_lease.py | Module for delegated temporary-user expiry and lease boundaries in IdM |
| plugins/lookup/cert.py | Lookup plugin for IdM CA certificate request, retrieval, and search |
| plugins/lookup/otp.py | Lookup plugin for OTP token issuance and host enrollment password generation |
| plugins/lookup/selinuxmap.py | Lookup plugin for SELinux user map state inspection |
| plugins/lookup/sudo.py | Lookup plugin for sudo rules, commands, and command groups |
| plugins/lookup/hbacrule.py | Lookup plugin for HBAC rule state inspection and access testing |
| docs/ | Operator and maintainer documentation aligned with the collection interface |
| scripts/validate-collection.sh | Lightweight repo validation for YAML, plugin syntax, and collection build hygiene |
| Makefile | Wrapper for repo validation targets |
| llms.txt | Project-level navigation file for model consumers |
| CITATION.cff | Citation metadata for GitHub and downstream tooling |
| CHANGELOG.md | Release-history placeholder for Galaxy and repo hygiene |
| meta/runtime.yml | Collection runtime metadata |
Greg Procunier
GPL-3.0-or-later. See COPYING.