How-to

Use this when IdM should issue a user OTP token or one-time host enrollment password.

Boundary: Mutating
Authority: idm, collection
Evidence: command-output

Issue an OTP or host enrollment password

When To Use This

Use this when IdM should issue a user OTP token or one-time host enrollment password.

Required Authority

IdM owns token and host enrollment state. The lookup calls IdM to issue or inspect the credential.

Safety Boundary

This workflow is mutating. Confirm that this is the intended boundary before placing it in a scheduled job or AAP workflow.

Secret Handling

Do not print payload material. Use no_log: true on payload-bearing tasks. Review artifacts should redact secret values, and payload manifest rendering should be opt-in.

Inputs

  • User or host target
  • OTP type or host enrollment mode
  • Credentials allowed to issue the credential

Steps

  1. Choose user OTP or host enrollment mode.
  2. Issue the credential in a no_log: true task.
  3. Pass the value directly to enrollment or an out-of-band delivery process.

Example issuing task:

- name: Issue host enrollment password
  ansible.builtin.set_fact:
    enroll_pass: >-
      {{ lookup('eigenstate.ipa.otp',
                'client01.example.com',
                token_type='host',
                server='idm-01.example.com',
                kerberos_keytab='/runner/env/ipa/automation.keytab') }}
  no_log: true
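The user OTP branch of step 1, as an added example that is not part of the original page: the lookup is called with token_type='user' (an assumed value; only 'host' appears in this how-to), and the deliver-otp tool, its path and the user jdoe are constructed placeholders for whatever out-of-band delivery process is in use.

```yaml
---
- name: Issue a user OTP token and hand it to out-of-band delivery
  hosts: localhost
  gather_facts: false
  vars:
    target_user: "jdoe"   # constructed sample value
  tasks:
    - name: Issue one OTP token for the user
      ansible.builtin.set_fact:
        user_otp: >-
          {{ lookup('eigenstate.ipa.otp',
                    target_user,
                    token_type='user',
                    server='idm-01.example.com',
                    kerberos_keytab='/runner/env/ipa/automation.keytab') }}
      # token_type='user' is assumed; the page only shows token_type='host'
      no_log: true

    - name: Hand the token to the out-of-band delivery process
      ansible.builtin.command:
        argv:
          - /usr/local/bin/deliver-otp   # assumed delivery tool, not part of the collection
          - "--user={{ target_user }}"
        # Pass the payload on stdin so it never appears in argv or the process list
        stdin: "{{ user_otp }}"
      no_log: true
      changed_when: true

    - name: Record that a token was issued, without the payload
      ansible.builtin.debug:
        msg: "OTP token issued for {{ target_user }}; value delivered out-of-band and not logged."
```

Both payload-bearing tasks are no_log: true; the only unredacted output is the final message, which names the user but never the token.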

Example Host Enrollment Password

This playbook generates a host enrollment password, redacts it, and passes it directly to the enrollment role.

enroll-host.yml

---
- name: Issue a host enrollment password and enroll the host
  hosts: new_idm_clients
  gather_facts: false
  tasks:
    - name: Generate one enrollment password for this host
      ansible.builtin.set_fact:
        enroll_password: >-
          {{ lookup('eigenstate.ipa.otp',
                    inventory_hostname,
                    token_type='host',
                    server='idm-01.example.com',
                    kerberos_keytab='/runner/env/ipa/automation.keytab') }}
      delegate_to: localhost
      no_log: true

    - name: Enroll the host with ansible-freeipa
      ansible.builtin.include_role:
        name: freeipa.ansible_freeipa.ipaclient
        # no_log on the include task alone does not reach the role's own tasks;
        # apply propagates it so the password stays redacted inside the role.
        apply:
          no_log: true
      vars:
        ipaclient_hostname: "{{ inventory_hostname }}"
        ipaclient_password: "{{ enroll_password }}"
      no_log: true

Run It

ansible-playbook -i new-hosts.yml enroll-host.yml

Expected Evidence

The enrollment credential task stays redacted while the protected enrollment step can consume the value:

TASK [Generate one enrollment password for this host] **************************
ok: [newhost01.example.com]

TASK [Enroll the host with ansible-freeipa] ************************************
changed: [newhost01.example.com]

Troubleshooting

  • Token not issued: verify IdM permission and target existence.
  • Credential leaked in output: remove debug and keep no_log: true.
  • Enrollment fails: verify host DNS and IdM enrollment prerequisites.