sssd_test_framework.roles.ipa

IPA multihost role.

Classes

IDGroupOverride(group)

IPA group ID override.

IDUserOverride(user)

IPA ID override for users.

IPA(*args, **kwargs)

IPA role.

IPAAutomount(role)

IPA automount management.

IPAAutomountKey(role, name, map)

IPA automount key management.

IPAAutomountLocation(role, name)

IPA automount location management.

IPAAutomountMap(role, name[, location])

IPA automount map management.

IPACertificateAuthority(host, fs)

FreeIPA Certificate Authority operations.

IPADNSServer(role)

IPA DNS server management.

IPADNSZone(role, name)

IPA DNS zone management.

IPAGroup(role, name)

IPA group management.

IPAHBAC(role, name)

Manages IPA HBAC (Host-Based Access Control) rule.

IPAHBACService(role, name)

IPA HBAC service management.

IPAHBACServiceGroup(role, name)

IPA HBAC service group management.

IPAHostAccount(role, name)

IPA host management.

IPAHostGroup(role, name)

IPA host group management.

IPAIDView(role, name)

IPA ID view management.

IPANetgroup(role, name)

IPA netgroup management.

IPANetgroupMember(*[, host, user, group, ...])

IPA netgroup member.

IPAObject(role, name, command_group)

Base class for IPA object management.

IPAPasswordPolicy(role[, name])

IPA password policy management.

IPASubID(role, user)

IPA sub id management.

IPASudoRule(role, name)

IPA sudo rule management.

IPAUser(role, name)

IPA user management.

class sssd_test_framework.roles.ipa.IPA(*args, **kwargs)

Bases: BaseLinuxRole[IPAHost]

IPA role.

Provides unified Python API for managing objects in the IPA server.

Creating user and group
@pytest.mark.topology(KnownTopology.IPA)
def test_example(ipa: IPA):
    u = ipa.user('tuser').add()
    g = ipa.group('tgroup').add()
    g.add_member(u)

Note

The role object is instantiated automatically as a dynamic pytest fixture by the multihost plugin. You should not create the object manually.

domain: str

IPA domain name.

realm: str

Kerberos realm.

name: str

Generic provider name.

server: str

Generic server name.

sssd: SSSDUtils

Managing and configuring SSSD.

sssctl: SSSCTLUtils

Call commands from sssctl.

automount: IPAAutomount

Manage automount locations, maps and keys.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_example(client: Client, ipa: IPA, nfs: NFS):
    nfs_export1 = nfs.export('export1').add()
    nfs_export2 = nfs.export('export2').add()
    nfs_export3 = nfs.export('sub/export3').add()

    # Create automount location
    loc = ipa.automount.location('boston').add()

    # Create automount maps
    auto_master = loc.map('auto.master').add()
    auto_home = loc.map('auto.home').add()
    auto_sub = loc.map('auto.sub').add()

    # Create mount points
    auto_master.key('/ehome').add(info=auto_home)
    auto_master.key('/esub/sub1/sub2').add(info=auto_sub)

    # Create mount keys
    key1 = auto_home.key('export1').add(info=nfs_export1)
    key2 = auto_home.key('export2').add(info=nfs_export2)
    key3 = auto_sub.key('export3').add(info=nfs_export3)

    # Start SSSD
    client.sssd.common.autofs()
    client.sssd.domain['ipa_automount_location'] = 'boston'
    client.sssd.start()

    # Reload automounter in order to fetch updated maps
    client.automount.reload()

    # Check that we can mount all directories on correct locations
    assert client.automount.mount('/ehome/export1', nfs_export1)
    assert client.automount.mount('/ehome/export2', nfs_export2)
    assert client.automount.mount('/esub/sub1/sub2/export3', nfs_export3)

    # Check that the maps are correctly fetched
    assert client.automount.dumpmaps() == {
        '/ehome': {
            'map': 'auto.home',
            'keys': [str(key1), str(key2)]
        },
        '/esub/sub1/sub2': {
            'map': 'auto.sub',
            'keys': [str(key3)]
        },
    }
property password_policy: IPAPasswordPolicy

Domain password policy management.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_example(client: Client, ipa: IPA):
    # Enable password complexity
    ipa.password_policy.complexity(enable=True)

    # Set 3 login attempts and 30 lockout duration
    ipa.password_policy.lockout(attempts=3, duration=30)
property ca: IPACertificateAuthority

IPA Certificate Authority management.

Provides certificate operations:
  • Request certificates for services/users

  • Revoke certificates with configurable reasons

  • Manage certificate holds

  • Retrieve certificate details

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_example(client: Client, ipa: IPA):
    # Request certificate
    cert, key, csr = ipa.ca.request(principal="HTTP/client.ipa.test")

    # Revoke certificate
    ipa.ca.revoke(cert, reason="key_compromise")

    # Place on hold
    ipa.ca.revoke_hold(cert)

    # Remove hold
    ipa.ca.revoke_hold_remove(cert)
property naming_context: str

Naming context.

setup() None

Obtain IPA admin Kerberos TGT.

fqn(name: str) str

Return fully qualified name in form name@domain.

Parameters:

name (str) – Username.

Returns:

Fully qualified name.

Return type:

str

Perform a generic IPA search command and extract attribute values.

Parameters:
  • role (IPA) – IPA role object.

  • command (str) – IPA command to run (e.g., ‘hostgroup-find’).

  • criteria (str or None, optional) – Optional search filter string.

  • attr (str, optional) – Attribute name to extract from each entry.

  • all (bool, optional) – Prints all attributes, default is False.

Returns:

List of extracted attribute values.

Return type:

list[str]

user(name: str) IPAUser

Get user object.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_example(client: Client, ipa: IPA):
    # Create user
    ipa.user('user-1').add()

    # Start SSSD
    client.sssd.start()

    # Call `id user-1` and assert the result
    result = client.tools.id('user-1')
    assert result is not None
    assert result.user.name == 'user-1'
    assert result.group.name == 'user-1'
Parameters:

name (str) – Username.

Returns:

New user object.

Return type:

IPAUser

group(name: str) IPAGroup

Get group object.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_example_group(client: Client, ipa: IPA):
    # Create user
    user = ipa.user('user-1').add()

    # Create secondary group and add user as a member
    ipa.group('group-1').add().add_member(user)

    # Start SSSD
    client.sssd.start()

    # Call `id user-1` and assert the result
    result = client.tools.id('user-1')
    assert result is not None
    assert result.user.name == 'user-1'
    assert result.group.name == 'user-1'
    assert result.memberof('group-1')
Parameters:

name (str) – Group name.

Returns:

New group object.

Return type:

IPAGroup

netgroup(name: str) IPANetgroup

Get netgroup object.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_example_netgroup(client: Client, ipa: IPA):
    # Create user
    user = ipa.user("user-1").add()

    # Create two netgroups
    ng1 = ipa.netgroup("ng-1").add()
    ng2 = ipa.netgroup("ng-2").add()

    # Add user and ng2 as members to ng1
    ng1.add_member(user=user)
    ng1.add_member(ng=ng2)

    # Add host as member to ng2
    ng2.add_member(host="client")

    # Start SSSD
    client.sssd.start()

    # Call `getent netgroup ng-1` and assert the results
    result = client.tools.getent.netgroup("ng-1")
    assert result is not None
    assert result.name == "ng-1"
    assert len(result.members) == 2
    assert "(-,user-1,ipa.test)" in result.members
    assert "(client.test,-,ipa.test)" in result.members
Parameters:

name (str) – Netgroup name.

Returns:

New netgroup object.

Return type:

IPANetgroup

host_account(name: str) IPAHostAccount

Get host object.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_example(client: Client, ipa: IPA):
    # Create host
    ipa.host_account(f'myhost.{ipa.domain}').add(ip="10.255.251.10")
Parameters:

name (str) – Hostname.

Returns:

New host account object.

Return type:

IPAHostAccount

sudorule(name: str) IPASudoRule

Get sudo rule object.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_example(client: Client, ipa: IPA):
    user = ipa.user('user-1').add(password="Secret123")
    ipa.sudorule('testrule').add(user=user, host='ALL', command='/bin/ls')

    client.sssd.common.sudo()
    client.sssd.start()

    # Test that user can run /bin/ls
    assert client.auth.sudo.run('user-1', 'Secret123', command='/bin/ls')
Parameters:

name (str) – Sudo rule name.

Returns:

New sudo rule object.

Return type:

IPASudoRule

idview(name: str) IPAIDView

IPA ID View object.

This only adds the IPA ID view; the view can then be used when creating a new user ID override.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_example(ipa: IPA):
    ipa.idview("newview").add(description="This is a new view")
    ipa.idview("newview").apply(hosts="client.test")
    ipa.idview("newview").delete()
Parameters:

name (str) – ID View name.

Returns:

New ID View object.

dns() IPADNSServer

Get DNS server object.

Get methods run dig and parse its output with jc. The jc data contains several nested dicts, but only two of them, answer and authority, are returned, as a tuple.

Example usage
# Create forward zone and add forward record
zone = ipa.dns().zone("example.test").create()
zone.add_record("client", "172.16.200.15")

# Create reverse zone and add reverse record
zone = ipa.dns().zone("10.0.10.in-addr.arpa").create()
zone.add_ptr_record("client.example.test", 15)

# Add forward record to default domain
ipa.dns().zone(ipa.domain).add_record("client", "1.2.3.4")

# Add a global forwarder
ipa.dns().add_forwarder("1.1.1.1")

# Remove a global forwarder
ipa.dns().remove_forwarder("1.1.1.1")

# Clear all forwarders
ipa.dns().clear_forwarders()
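
The shape of the (answer, authority) tuple described above, as an added example that is not part of sssd_test_framework and does not use jc: a small hand-written parser for the section layout dig prints, producing one dict per record. The field names (name, ttl, class, type, data) are assumed to mirror jc's dig parser; the dig output below is constructed sample text, not captured output.

```python
# Added example (not sssd_test_framework or jc code): parse dig's text output
# into record dicts and return the ANSWER and AUTHORITY sections as a tuple.
DIG_OUTPUT = """\
; <<>> DiG 9.16.23 <<>> client.example.test
;; QUESTION SECTION:
;client.example.test.\t\tIN\tA

;; ANSWER SECTION:
client.example.test.\t86400\tIN\tA\t172.16.200.15

;; AUTHORITY SECTION:
example.test.\t86400\tIN\tNS\tipa.example.test.

;; Query time: 1 msec
"""


def parse_dig_sections(text: str) -> dict[str, list[dict]]:
    """Split dig output into sections keyed by lowercase section name.

    Every record line inside a section becomes a dict with the keys
    name, ttl, class, type and data. Comment lines (starting with ';'),
    including the QUESTION entry, are skipped.
    """
    sections: dict[str, list[dict]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            current = line[3:-len(" SECTION:")].lower()
            sections[current] = []
            continue
        if not line.strip() or line.startswith(";") or current is None:
            continue
        fields = line.split()
        if len(fields) < 5:  # not a full resource record line
            continue
        name, ttl, rclass, rtype = fields[:4]
        sections[current].append({
            "name": name, "ttl": int(ttl), "class": rclass,
            "type": rtype, "data": " ".join(fields[4:]),
        })
    return sections


def answer_and_authority(text: str) -> tuple[list[dict], list[dict]]:
    """Return (answer, authority), each an empty list if the section is absent."""
    sections = parse_dig_sections(text)
    return sections.get("answer", []), sections.get("authority", [])


if __name__ == "__main__":
    answer, authority = answer_and_authority(DIG_OUTPUT)
    print("answer:", answer)
    print("authority:", authority)
```

A test that asserts on a lookup should compare the record's type and data, as the test in the automount example compares keys, rather than the raw dig text, which differs between dig versions.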
hbac(name: str) IPAHBAC

IPA HBAC object.

Provides access to manage HBAC (Host-Based Access Control) rules in IPA. This allows creating rules and setting access controls for particular hosts and services.

Example usage

@pytest.mark.topology(KnownTopology.IPA)
def test_ipa__validate_hbac_rule_check_access_sshd_service(client: Client, ipa: IPA):
    # Disable all users to access all services on all hosts.
    ipa.hbac("allow_all").disable()

    ssh_access_rule = ipa.hbac("ssh_access_user1").create(
        description="SSH access rule for user1",
        users="user1",
        hosts="client.test",
        services="sshd"
    )

    hbactest_out1 = ssh_access_rule.test(user="user1", host="client.test",
                                        service="sshd", rule="ssh_access_user1")
    assert hbactest_out1["access_granted"], "Access was not granted as expected"
    assert "ssh_access_user1" in hbactest_out1["matched_rules"], \
        "Matched rule ssh_access_user1 was not found as expected"

    hbactest_out2 = ssh_access_rule.test(user="user2", host="client.test",
                                        service="sshd", rule="ssh_access_user1")
    assert not hbactest_out2["access_granted"], "Access was granted which is not expected"
    assert "ssh_access_user1" in hbactest_out2["not_matched_rules"], \
        "Rule should not match for user2"

    hbactest_out3 = ssh_access_rule.test(user="user1", host="client.test",
                                        service="sshd", rule="nonexistent_rule")
    assert "nonexistent_rule" in hbactest_out3["invalid_rules"], \
        "Non-existent rule nonexistent_rule should be reported as invalid"

    hbactest_out4 = ssh_access_rule.test(user="user2", host="client.test",
                                        service="sshd", rule="nonexistent_rule")
    assert "nonexistent_rule" in hbactest_out4["invalid_rules"], \
        "Non-existent rule nonexistent_rule should be reported as invalid"

    client.sssd.restart()

    assert client.auth.ssh.password("user1", "Secret123"), "user1 should be able to SSH"
    assert not client.auth.ssh.password("user2", "Secret123"), "user2 should be denied SSH"
    assert not client.auth.ssh.password("user3", "Secret123"), "user3 should be denied SSH"

    ssh_access_rule.delete()

    client.sssd.restart()

    assert not client.auth.ssh.password("user1", "Secret123"), "user1 should be denied after rule deletion"
    assert not client.auth.ssh.password("user2", "Secret123"), "user2 should be denied after rule deletion"
    assert not client.auth.ssh.password("user3", "Secret123"), "user3 should be denied after rule deletion"
Parameters:

name (str) – IPA HBAC rule name.

Returns:

New HBAC object.

Return type:

IPAHBAC

hostgroup(name: str) IPAHostGroup

IPA Host Group object.

This creates and manages IPA host groups, which are collections of hosts that can be referenced in HBAC rules to simplify host management.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_ipa__validate_hbac_rule_host_group_access(client: Client, ipa: IPA):
    # Create users for testing
    users = ["user1", "user2"]
    for user in users:
        ipa.user(user).add()

    # Create host groups
    web_group = ipa.hostgroup("webservers").add(description="Web servers group")
    db_group = ipa.hostgroup("dbservers").add(description="Database servers group")

    # Add hosts to webservers group
    web_group.add_member(host=["client.test"])

    # Disable default allow_all rule
    ipa.hbac("allow_all").disable()

    # Create HBAC rule using host group
    webservers_ssh_rule = ipa.hbac("webservers_ssh_access").create(
        description="SSH access for webservers host group",
        users="user1",
        hostgroups="webservers",
        services="sshd"
    )

    # Test access via host group
    hbactest_result = webservers_ssh_rule.test(user="user1", host="client.test", service="sshd")
    assert hbactest_result["access_granted"], "user1 should have access via host group"

    # Remove host from group and test access is denied
    web_group.remove_member(host=["client.test"])
    client.sssd.restart()

    assert not client.auth.ssh.password("user1", "Secret123"), "user1 should be denied after host removal"
Parameters:

name (str) – IPA host group name.

Returns:

New host group object.

Return type:

IPAHostGroup

hbacsvc(name: str) IPAHBACService

IPA HBAC Service object.

This method creates and returns an IPA HBAC service object, which represents individual services that can be used in HBAC rules to control access at the service level.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_ipa__validate_hbac_rule_service_access(client: Client, ipa: IPA):
    # Create users for testing
    users = ["user1", "user2"]
    for user in users:
        ipa.user(user).add()

    # Create HBAC service
    ssh_service = ipa.hbacsvc("sshd").add(description="SSH service")

    # Disable default allow_all rule
    ipa.hbac("allow_all").disable()

    # Create HBAC rule using the service
    remote_services_rule = ipa.hbac("remote_services_access").create(
        description="Remote access via specific services",
        users="user1",
        hosts="client.test",
        services="sshd"
    )

    # Test access to the sshd service
    hbactest_ssh = remote_services_rule.test(user="user1", host="client.test", service="sshd")
    assert hbactest_ssh["access_granted"], "user1 should have sshd access"

    # Test access to a service not authorized
    hbactest_http = remote_services_rule.test(user="user1", host="client.test", service="httpd")
    assert not hbactest_http["access_granted"], "user1 should be denied httpd access"

    # Remove service from the HBAC rule and test access is denied
    ipa.hbacsvc("sshd").remove_member()
    client.sssd.restart()

    assert not client.auth.ssh.password("user1", "Secret123"), "user1 denied after service removal"
Parameters:

name (str) – IPA HBAC service name.

Returns:

New HBAC service object.

Return type:

IPAHBACService

hbacsvcgroup(name: str) IPAHBACServiceGroup

IPA HBAC Service Group object.

This creates and manages IPA HBAC service groups, which are collections of services that can be referenced in HBAC rules to simplify service management.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_ipa__validate_hbac_rule_service_group_access(client: Client, ipa: IPA):
    # Create users for testing
    users = ["user1", "user2"]
    for user in users:
        ipa.user(user).add()

    # Create service group and add services
    remote_svc_group = ipa.hbacsvcgroup("remote_access").add(description="Remote access services")
    remote_svc_group.add_member(hbacsvc=["sshd"])

    # Disable default allow_all rule
    ipa.hbac("allow_all").disable()

    # Create HBAC rule using service group
    remote_services_rule = ipa.hbac("remote_services_access").create(
        description="Remote access via service groups",
        users="user1",
        hosts="client.test",
        servicegroups="remote_access"
    )

    # Test access to services in the group
    hbactest_ssh = remote_services_rule.test(user="user1", host="client.test", service="sshd")
    assert hbactest_ssh["access_granted"], "user1 should have sshd access via service group"


    # Test access to service not in group
    hbactest_http = remote_services_rule.test(user="user1", host="client.test", service="httpd")
    assert not hbactest_http["access_granted"], "user1 should be denied httpd access"

    # Remove service from group and test access is denied
    remote_svc_group.remove_member(hbacsvc=["sshd"])
    client.sssd.restart()

    assert not client.auth.ssh.password("user1", "Secret123"), "user1 denied after service removal"
Parameters:

name (str) – IPA HBAC service group name.

Returns:

New HBAC service group object.

Return type:

IPAHBACServiceGroup
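
The access decision that the hbac(), hostgroup(), hbacsvc() and hbacsvcgroup() examples above exercise against a live server, modelled as an added example that is neither sssd_test_framework nor FreeIPA code: a rule grants access only when it is enabled and its user, host and service parts all match, where a host matches directly or through a host group and a service directly or through a service group. The result dict uses the same keys the examples read from rule.test() (access_granted, matched_rules, not_matched_rules, invalid_rules). The rule contents and group memberships are constructed to mirror those examples; the "all" wildcards stand in for IPA's category settings on the default allow_all rule, and treating a disabled rule as never matching is this model's choice, which is exactly why the examples disable allow_all before testing a narrower rule.

```python
# Added example (not sssd_test_framework or FreeIPA code): a pure-Python
# model of HBAC rule evaluation with host groups and service groups.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class HBACRule:
    name: str
    enabled: bool = True
    users: set[str] = field(default_factory=set)
    hosts: set[str] = field(default_factory=set)
    services: set[str] = field(default_factory=set)
    hostgroups: set[str] = field(default_factory=set)
    servicegroups: set[str] = field(default_factory=set)
    # Stand-ins for IPA's "category = all"; allow_all sets all three.
    all_users: bool = False
    all_hosts: bool = False
    all_services: bool = False


@dataclass
class HBACDirectory:
    rules: dict[str, HBACRule]
    hostgroups: dict[str, set[str]]      # host group name -> member hosts
    servicegroups: dict[str, set[str]]   # service group name -> member services


def rule_matches(rule: HBACRule, d: HBACDirectory,
                 user: str, host: str, service: str) -> bool:
    """A rule grants access only if enabled and user, host and service all match."""
    if not rule.enabled:
        return False
    user_ok = rule.all_users or user in rule.users
    host_ok = rule.all_hosts or host in rule.hosts or any(
        host in d.hostgroups.get(g, set()) for g in rule.hostgroups)
    svc_ok = rule.all_services or service in rule.services or any(
        service in d.servicegroups.get(g, set()) for g in rule.servicegroups)
    return user_ok and host_ok and svc_ok


def hbactest(d: HBACDirectory, user: str, host: str, service: str,
             rules: list[str] | None = None) -> dict:
    """Evaluate the named rules (default: every rule) and report the outcome.

    Access is granted when at least one rule matches. A requested rule
    name that does not exist goes to invalid_rules instead of being
    silently skipped, so a typo in a test never reads as "denied".
    """
    result = {"access_granted": False, "matched_rules": [],
              "not_matched_rules": [], "invalid_rules": []}
    for name in (rules if rules is not None else list(d.rules)):
        rule = d.rules.get(name)
        if rule is None:
            result["invalid_rules"].append(name)
        elif rule_matches(rule, d, user, host, service):
            result["matched_rules"].append(name)
        else:
            result["not_matched_rules"].append(name)
    result["access_granted"] = bool(result["matched_rules"])
    return result


def build_demo_directory() -> HBACDirectory:
    """Constructed rules mirroring the examples above (assumed contents)."""
    return HBACDirectory(
        rules={
            "allow_all": HBACRule("allow_all", all_users=True, all_hosts=True,
                                  all_services=True),
            "ssh_access_user1": HBACRule("ssh_access_user1", users={"user1"},
                                         hosts={"client.test"}, services={"sshd"}),
            "webservers_ssh_access": HBACRule("webservers_ssh_access", users={"user1"},
                                              hostgroups={"webservers"}, services={"sshd"}),
            "remote_services_access": HBACRule("remote_services_access", users={"user1"},
                                               hosts={"client.test"},
                                               servicegroups={"remote_access"}),
        },
        hostgroups={"webservers": {"client.test"}},
        servicegroups={"remote_access": {"sshd"}},
    )


if __name__ == "__main__":
    d = build_demo_directory()
    print(hbactest(d, "user2", "client.test", "sshd"))  # allow_all still grants
    d.rules["allow_all"].enabled = False
    print(hbactest(d, "user2", "client.test", "sshd"))  # now denied
```

Running the model without first disabling allow_all shows why every example above starts with that step: as long as allow_all is enabled, any narrower rule is redundant and a test of it proves nothing about the deny path.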

class sssd_test_framework.roles.ipa.IPAObject(role: IPA, name: str, command_group: str)

Bases: BaseObject[IPAHost, IPA]

Base class for IPA object management.

Provides shortcuts for command execution and implementation of get() and delete() methods.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – Object name.

  • command_group (str) – IPA command group.

command_group: str

IPA cli command group.

property name: str

delete() None

Delete IPA object.

get(attrs: list[str] | None = None, *, opattrs: bool = False) dict[str, list[str]] | None

Get IPA object attributes.

Parameters:
  • attrs (list[str] | None, optional) – If set, only requested attributes are returned, defaults to None

  • opattrs (bool, optional) – Ignored (LDAP-only); present for generic entity API compatibility.

Returns:

Dictionary with attribute name as a key or None if no such attribute is found.

Return type:

dict[str, list[str]] | None

class sssd_test_framework.roles.ipa.IPAPasswordPolicy(role: IPA, name: str = 'ipausers')

Bases: IPAObject, GenericPasswordPolicy

IPA password policy management.

IPAPasswordPolicy implements GenericPasswordPolicy for static typing and provider-agnostic tests.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – Name of target object, defaults to ‘ipausers’.

complexity(enable: bool) IPAPasswordPolicy

Enable or disable password complexity.

Parameters:

enable (bool) – Enable or disable password complexity.

Returns:

Self.

Return type:

IPAPasswordPolicy

lockout(duration: int, attempts: int) IPAPasswordPolicy

Set lockout duration and login attempts.

Parameters:
  • duration (int) – Duration of lockout in seconds.

  • attempts (int) – Number of login attempts.

Returns:

Self.

Return type:

IPAPasswordPolicy

class sssd_test_framework.roles.ipa.IPAUser(role: IPA, name: str)

Bases: IPAObject, GenericUser

IPA user management.

IPAUser implements GenericUser for static typing and provider-agnostic tests. IPA-specific keyword arguments on add() and modify() are in addition to the generic API.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – Username.

add(*, uid: int | None = None, gid: int | None = None, password: str = 'Secret123', home: str | None = None, gecos: str | None = None, shell: str | None = None, require_password_reset: bool = False, user_auth_type: str | list[str] | None = None, sshpubkey: str | list[str] | None = None, email: str | None = None) IPAUser

Create new IPA user.

Parameters that are not set are ignored.

Parameters:
  • uid (int | None, optional) – User id, defaults to None

  • gid (int | None, optional) – Primary group id, defaults to None

  • password (str, optional) – Password, defaults to ‘Secret123’ (use empty string to skip setting a password)

  • home (str | None, optional) – Home directory, defaults to None

  • gecos (str | None, optional) – GECOS, defaults to None

  • shell (str | None, optional) – Login shell, defaults to None

  • require_password_reset (bool, optional) – Require password reset on first login, defaults to False

  • user_auth_type (str | list[str] | None, optional) – Types of supported user authentication, defaults to None

  • sshpubkey (str | list[str] | None, optional) – SSH public key, defaults to None

  • email (str | None, optional) – email attribute, defaults to None

Returns:

Self.

Return type:

IPAUser

modify(*, first: str | None = None, last: str | None = None, uid: int | None = None, gid: int | None = None, password: str | None = None, home: str | None = None, gecos: str | None = None, shell: str | None = None, user_auth_type: str | list[str] | None = None, idp: str | None = None, idp_user_id: str | None = None, password_expiration: str | None = None, sshpubkey: str | list[str] | None = None, email: str | None = None) IPAUser

Modify existing IPA user.

Parameters:
  • first (str | None, optional) – First name of user.

  • last (str | None, optional) – Last name of user.

  • uid (int | None, optional) – User id, defaults to None

  • gid (int | None, optional) – Primary group id, defaults to None

  • password (str | None, optional) – Password, defaults to None

  • home (str | None, optional) – Home directory, defaults to None

  • gecos (str | None, optional) – GECOS, defaults to None

  • shell (str | None, optional) – Login shell, defaults to None

  • user_auth_type (str | list[str] | None, optional) – Types of supported user authentication, defaults to None

  • idp (str | None, optional) – Name of external IdP configured in IPA for user.

  • idp_user_id (str | None, optional) – User ID used to map IPA user to external IdP user.

  • password_expiration (str | None, optional) – Date and time stamp for password expiration.

  • sshpubkey (str | list[str] | None, optional) – SSH public key, defaults to None

  • email (str | None, optional) – email attribute, defaults to None

Returns:

Self.

Return type:

IPAUser

get(attrs: list[str] | None = None, *, opattrs: bool = False) dict[str, list[str]] | None

Get user attributes.

Parameters:
  • attrs (list[str] | None, optional) – If set, only requested attributes are returned, defaults to None

  • opattrs (bool, optional) – Ignored (LDAP-only); present for GenericUser API compatibility.

Returns:

Dictionary with attribute name as a key (empty if the user does not exist).

Return type:

dict[str, list[str]] | None

reset(password: str | None = 'Secret123') IPAUser

Reset user password.

Parameters:

password (str, optional) – Password, defaults to ‘Secret123’

Returns:

Self.

Return type:

IPAUser

expire(expiration: str | None = '19700101000000Z') IPAUser

Set user password expiration date and time.

Parameters:

expiration (str, optional) – Date and time for user password expiration, defaults to ‘19700101000000Z’

Returns:

Self.

Return type:

IPAUser

password_change_at_logon(**kwargs) IPAUser

Force user to change password next logon.

Returns:

Self.

Return type:

IPAUser

passkey_add(passkey_mapping: str) IPAUser

Add passkey mapping to the user.

Parameters:

passkey_mapping (str) – Passkey mapping generated by sssctl passkey-register.

Returns:

Self.

Return type:

IPAUser

passkey_add_register(**kwargs) str

Wrapper for the passkey_add_register methods.

umockdev_passkey_add_register(*, pin: str | int | None, device: str, ioctl: str, script: str) str

Register passkey with the user (run ipa user-add-passkey --register).

Parameters:
  • pin (str | int | None) – Passkey PIN.

  • device (str) – Path to local umockdev device file.

  • ioctl (str) – Path to local umockdev ioctl file.

  • script (str) – Path to local umockdev script file.

Returns:

Generated passkey mapping string.

Return type:

str

passkey_remove(passkey_mapping: str) IPAUser

Remove passkey mapping from the user.

Implements GenericUser.passkey_remove().

Parameters:

passkey_mapping (str) – Passkey mapping generated by sssctl passkey-register

Returns:

Self.

Return type:

IPAUser

vfido_passkey_add_register(*, client: Client, pin: str | int | None = None) str

Register user passkey when using virtual-fido.

iduseroverride() IDUserOverride

Add override to the IPA user.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_example(client: Client, ipa: IPA):
    ipa.idview("newview1").add(description="This is a new view")
    ipa.idview("newview1").apply(f"{client.host.hostname}")
    ipa.user("user-1").add().iduseroverride().add_override("newview1", uid=1344567)
    client.sssd.restart()
    lookup1 = client.tools.id("user-1")
    assert lookup1.user.id == 1344567
Returns:

New IDOverride object.

Return type:

IDOverride

subid() IPASubID

IPA subid management.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_ipa__subids_configured(ipa: IPA):
    user = ipa.user("user1").add()
    user.subid().generate()

class sssd_test_framework.roles.ipa.IPAGroup(role: IPA, name: str)

Bases: IPAObject, GenericGroup

IPA group management.

IPAGroup implements GenericGroup for static typing and provider-agnostic tests. IPA-specific keyword arguments on add() and external members (str) on membership methods are in addition to the generic API.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – Group name.

add(*, gid: int | None = None, description: str | None = None, nonposix: bool = False, external: bool = False) IPAGroup

Create new IPA group.

Parameters that are not set are ignored.

Parameters:
  • gid (int | None, optional) – Group id, defaults to None

  • description (str | None, optional) – Description, defaults to None

  • nonposix (bool, optional) – Group is non-posix group, defaults to False

  • external (bool, optional) – Group is external group, defaults to False

Returns:

Self.

Return type:

IPAGroup

modify(*, gid: int | None = None, description: str | None = None) IPAGroup

Modify existing IPA group.

Parameters that are not set are ignored.

Parameters:
  • gid (int | None, optional) – Group id, defaults to None

  • description (str | None, optional) – Description, defaults to None

Returns:

Self.

Return type:

IPAGroup

get(attrs: list[str] | None = None, *, opattrs: bool = False) dict[str, list[str]] | None

Get group attributes.

Parameters:
  • attrs (list[str] | None, optional) – If set, only requested attributes are returned, defaults to None

  • opattrs (bool, optional) – Ignored (LDAP-only); present for GenericGroup API compatibility.

Returns:

Dictionary with attribute name as a key (empty if the group does not exist).

Return type:

dict[str, list[str]] | None

add_member(member: GenericUser | GenericGroup | str) IPAGroup

Add group member.

Member can be a GenericUser, GenericGroup, or a string in which case it is added as an external member.

Parameters:

member (GroupMemberField) – User or group to add as a member.

Returns:

Self.

Return type:

IPAGroup

add_members(members: list[GenericUser | GenericGroup | str]) IPAGroup

Add multiple group members.

Members can be GenericUser, GenericGroup, or strings (external members).

Parameters:

members (list[GroupMemberField]) – List of users or groups to add as members.

Returns:

Self.

Return type:

IPAGroup

remove_member(member: GenericUser | GenericGroup | str) IPAGroup

Remove group member.

Member can be a GenericUser, GenericGroup, or a string (external member).

Parameters:

member (GroupMemberField) – User or group to remove from the group.

Returns:

Self.

Return type:

IPAGroup

remove_members(members: list[GenericUser | GenericGroup | str]) IPAGroup

Remove multiple group members.

Members can be GenericUser, GenericGroup, or strings (external members).

Parameters:

members (list[GroupMemberField]) – List of users or groups to remove from the group.

Returns:

Self.

Return type:

IPAGroup

idgroupoverride() IDGroupOverride

Add override to the IPA Group.

Example usage
@pytest.mark.topology(KnownTopology.IPA)
def test_example(client: Client, ipa: IPA):
    ipa.idview("newview1").add(description="This is a new view")
    ipa.idview("newview1").apply(hosts=f"{client.host.hostname}")
    ipa.group("group-1").add().idgroupoverride().add_override("newview1", gid=1344567)
    client.sssd.restart()
    g_lookup = client.tools.getent.group("group-1")
    assert g_lookup.gid == 1344567
Returns:

New IDOverride object.

Return type:

IDOverride

class sssd_test_framework.roles.ipa.IPASudoRule(role: IPA, name: str)

Bases: IPAObject, GenericSudoRule

IPA sudo rule management.

IPASudoRule implements GenericSudoRule for static typing and provider-agnostic tests.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – Sudo rule name.

add(*, user: str | GenericUser | GenericGroup | ProtocolName | list[str | GenericUser | GenericGroup | ProtocolName] | None = None, host: str | ProtocolName | list[str | ProtocolName] | None = None, command: str | ProtocolName | list[str | ProtocolName] | None = None, option: str | list[str] | None = None, runasuser: str | GenericUser | GenericGroup | ProtocolName | list[str | GenericUser | GenericGroup | ProtocolName] | None = None, runasgroup: str | GenericGroup | ProtocolName | list[str | GenericGroup | ProtocolName] | None = None, order: int | None = None, nopasswd: bool | None = None) IPASudoRule

Create new sudo rule.

Parameters:
  • user (SudoRuleUserField, optional) – sudoUser attribute, defaults to None

  • host (SudoRuleHostField, optional) – sudoHost attribute, defaults to None

  • command (SudoRuleCommandField, optional) – sudoCommand attribute, defaults to None

  • option (str | list[str] | None, optional) – sudoOption attribute, defaults to None

  • runasuser (SudoRuleRunAsUserField, optional) – sudoRunAsUser attribute, defaults to None

  • runasgroup (SudoRuleRunAsGroupField, optional) – sudoRunAsGroup attribute, defaults to None

  • order (int | None, optional) – sudoOrder attribute, defaults to None

  • nopasswd (bool | None, optional) – If true, no authentication is required (NOPASSWD), defaults to None (no change)

Returns:

Self.

Return type:

IPASudoRule

modify(*, user: str | GenericUser | GenericGroup | ProtocolName | list[str | GenericUser | GenericGroup | ProtocolName] | None = None, host: str | ProtocolName | list[str | ProtocolName] | None = None, command: str | ProtocolName | list[str | ProtocolName] | None = None, option: str | list[str] | None = None, runasuser: str | GenericUser | GenericGroup | ProtocolName | list[str | GenericUser | GenericGroup | ProtocolName] | None = None, runasgroup: str | GenericGroup | ProtocolName | list[str | GenericGroup | ProtocolName] | None = None, order: int | None = None, nopasswd: bool | None = None) IPASudoRule

Modify existing IPA sudo rule.

Parameters:
  • user (SudoRuleUserField, optional) – sudoUser attribute, defaults to None

  • host (SudoRuleHostField, optional) – sudoHost attribute, defaults to None

  • command (SudoRuleCommandField, optional) – sudoCommand attribute, defaults to None

  • option (str | list[str] | None, optional) – sudoOption attribute, defaults to None

  • runasuser (SudoRuleRunAsUserField, optional) – sudoRunAsUser attribute, defaults to None

  • runasgroup (SudoRuleRunAsGroupField, optional) – sudoRunAsGroup attribute, defaults to None

  • order (int | None, optional) – sudoOrder attribute, defaults to None

  • nopasswd (bool | None, optional) – If true, no authentication is required (NOPASSWD), defaults to None (no change)

Returns:

Self.

Return type:

IPASudoRule

get(attrs: list[str] | None = None, *, opattrs: bool = False) dict[str, list[str]] | None

Get sudo rule attributes.

Parameters:
  • attrs (list[str] | None, optional) – If set, only requested attributes are returned, defaults to None

  • opattrs (bool, optional) – Ignored (LDAP-only); present for GenericSudoRule API compatibility.

Returns:

Dictionary with attribute name as a key (empty if the rule does not exist).

Return type:

dict[str, list[str]] | None

delete() None

Delete sudo rule from IPA.

class sssd_test_framework.roles.ipa.IPAAutomount(role: IPA)

Bases: GenericAutomount

IPA automount management.

IPAAutomount implements GenericAutomount for static typing and provider-agnostic tests. The optional location argument on map() is IPA-specific; location() is not part of the generic API.

Parameters:

role (IPA) – IPA role object.

location(name: str) IPAAutomountLocation

Get automount location object.

Parameters:

name (str) – Automount location name

Returns:

New automount location object.

Return type:

IPAAutomountLocation

map(name: str, location: str = 'default') IPAAutomountMap

Get automount map object.

Implements GenericAutomount.map(); location selects the IPA automount location (defaults to default).

Parameters:
  • name (str) – Automount map name.

  • location (str) – Automount map location, defaults to default

Returns:

New automount map object.

Return type:

IPAAutomountMap

key(name: str, map: GenericAutomountMap) IPAAutomountKey

Get automount key object.

Implements GenericAutomount.key().

Parameters:
  • name (str) – Automount key name.

  • map (GenericAutomountMap) – Automount map that is a parent to this key.

Returns:

New automount key object.

Return type:

IPAAutomountKey

class sssd_test_framework.roles.ipa.IPAAutomountLocation(role: IPA, name: str)

Bases: IPAObject

IPA automount location management.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – Automount location name.

add() IPAAutomountLocation

Create new IPA automount location.

Returns:

Self.

Return type:

IPAAutomountLocation

map(name: str) IPAAutomountMap

Get automount map object for this location.

Parameters:

name (str) – Automount map name.

Returns:

New automount map object.

Return type:

IPAAutomountMap

class sssd_test_framework.roles.ipa.IPAAutomountMap(role: IPA, name: str, location: IPAAutomountLocation | str = 'default')

Bases: IPAObject, GenericAutomountMap

IPA automount map management.

IPAAutomountMap implements GenericAutomountMap for static typing and provider-agnostic tests.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – Automount map name.

  • location (IPAAutomountLocation | str) – Automount map location, defaults to default

location: IPAAutomountLocation

add() IPAAutomountMap

Create new IPA Automount map.

Returns:

Self.

Return type:

IPAAutomountMap

get(attrs: list[str] | None = None, *, opattrs: bool = False) dict[str, list[str]] | None

Get automount map attributes.

Parameters:
  • attrs (list[str] | None, optional) – If set, only requested attributes are returned, defaults to None

  • opattrs (bool, optional) – Ignored (LDAP-only); present for GenericAutomountMap API compatibility.

Returns:

Dictionary with attribute name as a key (empty if the map does not exist).

Return type:

dict[str, list[str]] | None

key(name: str) IPAAutomountKey

Get automount key object for this map.

Parameters:

name (str) – Automount key name.

Returns:

New automount key object.

Return type:

IPAAutomountKey

class sssd_test_framework.roles.ipa.IPAAutomountKey(role: IPA, name: str, map: IPAAutomountMap)

Bases: IPAObject, GenericAutomountKey

IPA automount key management.

IPAAutomountKey implements GenericAutomountKey for static typing and provider-agnostic tests.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – Automount key name.

  • map (IPAAutomountMap) – Automount map that is a parent to this key.

map: IPAAutomountMap

info: str | None

get(attrs: list[str] | None = None, *, opattrs: bool = False) dict[str, list[str]] | None

Get automount key attributes.

Parameters:
  • attrs (list[str] | None, optional) – If set, only requested attributes are returned, defaults to None

  • opattrs (bool, optional) – Ignored (LDAP-only); present for GenericAutomountKey API compatibility.

Returns:

Dictionary with attribute name as a key (empty if the key does not exist).

Return type:

dict[str, list[str]] | None

add(*, info: str | NFSExport | GenericAutomountMap) IPAAutomountKey

Create new IPA automount key.

Parameters:

info (str | NFSExport | GenericAutomountMap) – Automount information

Returns:

Self.

Return type:

IPAAutomountKey

modify(*, info: str | NFSExport | GenericAutomountMap | None = None) IPAAutomountKey

Modify existing IPA automount key.

Parameters:

info (str | NFSExport | GenericAutomountMap | None) – Automount information, defaults to None

Returns:

Self.

Return type:

IPAAutomountKey

dump() str

Dump the key in the automount -m format.

export1 | -fstype=nfs,rw,sync,no_root_squash nfs.test:/dev/shm/exports/export1

You can also call str(key) instead of key.dump().

Returns:

Key information in automount -m format.

Return type:

str

class sssd_test_framework.roles.ipa.IPADNSServer(role: IPA)

Bases: GenericDNSServer

IPA DNS server management.

IPADNSServer implements GenericDNSServer for static typing and provider-agnostic tests.

Parameters:

role (IPA) – IPA role object.

domain: str

Domain name.

server: str

Server name.

zone(name: str) IPADNSZone

Get DNS zone object.

Implements GenericDNSServer.zone().

Parameters:

name (str) – Zone name.

Returns:

DNS zone object.

Return type:

IPADNSZone

get_forwarders() list[str]

Get DNS global forwarders.

Implements GenericDNSServer.get_forwarders().

Returns:

List of forwarder IP addresses (empty if none are configured).

Return type:

list[str]

add_forwarder(ip_address: str) IPADNSServer

Add a DNS server forwarder.

Parameters:

ip_address (str) – IP address.

Returns:

Self.

Return type:

IPADNSServer

remove_forwarder(ip_address: str) None

Remove a DNS server forwarder.

Parameters:

ip_address (str) – IP address.

clear_forwarders() None

Clear all DNS server forwarders.

IPA has no global forwarders by default.

list_zones() list[str]

List zones.

Implements GenericDNSServer.list_zones().

Returns:

List of zone names (empty if none are found).

Return type:

list[str]

class sssd_test_framework.roles.ipa.IPADNSZone(role: IPA, name: str)

Bases: IPADNSServer, GenericDNSZone

IPA DNS zone management.

IPADNSZone implements GenericDNSZone for static typing and provider-agnostic tests.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – DNS zone name.

zone_name: str

Zone name.

create() IPADNSZone

Create new zone.

Implements GenericDNSZone.create().

Returns:

Self.

Return type:

IPADNSZone

delete() None

Delete zone.

Implements GenericDNSZone.delete().

add_record(name: str, data: str | int) IPADNSZone

Add DNS record.

Implements GenericDNSZone.add_record().

If data is a str, a forward record is added; if it is an int, a reverse record is added.

Parameters:
  • name (str) – Record name.

  • data (str | int) – Record data.

Returns:

Self.

Return type:

IPADNSZone

delete_record(name: str) None

Delete a DNS record; both the forward and the reverse record are deleted.

Implements GenericDNSZone.delete_record().

Parameters:

name (str) – Name of the record.

print() str

Print all DNS records in a zone as text.

Implements GenericDNSZone.print().

Returns:

Zone data as text.

Return type:

str

class sssd_test_framework.roles.ipa.IPACertificateAuthority(host: MultihostHost, fs: LinuxFileSystem)

Bases: GenericCertificateAuthority

FreeIPA Certificate Authority operations.

IPACertificateAuthority implements GenericCertificateAuthority for static typing and provider-agnostic tests. It requests, revokes, places/removes certificate holds, and retrieves certificate information via the ipa CLI. request() accepts IPA-specific keyword arguments in addition to the generic API.

Example usage
import pytest
from pytest_mh import Client, IPA, KnownTopology

@pytest.mark.topology(KnownTopology.IPA)
def test_smartcard___su_as_ipa_user(client: Client, ipa: IPA):
    # Add user in IPA
    ipa.user('ipacertuser1').add()

    # Request certificate from IPA CA
    cert, key, _ = ipa.ca.request('ipacertuser1')

    # Read contents of certificate and key
    cert_content = ipa.fs.read(cert)
    key_content = ipa.fs.read(key)

    # Write to client filesystem
    client.fs.write('/opt/test_ca/ipacertuser1.crt', cert_content)
    client.fs.write('/opt/test_ca/ipacertuser1.key', key_content)

    # Initialize smartcard and add cert/key
    client.smartcard.initialize_card()
    client.smartcard.add_key('/opt/test_ca/ipacertuser1.key')
    client.smartcard.add_cert('/opt/test_ca/ipacertuser1.crt')

    # Enable smartcard authentication via authselect
    client.authselect.select("sssd", ["with-smartcard"])
    client.sssd.pam["pam_cert_auth"] = "True"
    client.sssd.start()
    client.svc.restart("virt_cacard.service")

    # Attempt to su and check for PIN prompt
    result = client.host.conn.run(
        "su - ipacertuser1 -c 'su - ipacertuser1 -c whoami'", input="123456"
    )
    assert "PIN" in result.stderr, "String 'PIN' was not found in stderr!"
    assert "ipacertuser1" in result.stdout, "'ipacertuser1' not found in 'whoami' output!"

Initialize the IPA Certificate Authority helper.

Parameters:
  • host (MultihostHost) – Remote test host.

  • fs (LinuxFileSystem) – Filesystem helper for remote file operations.

cli: CLIBuilder

request(principal: str, subject: str | None = None, add_service: bool = False, key_size: int = 2048, **kwargs: Any) tuple[str, str, str]

Request a certificate from the IPA CA.

Implements GenericCertificateAuthority.request(); principal is passed positionally or as the first argument. Extra **kwargs are ignored.

Parameters:
  • principal (str) – The principal (user or service) name.

  • subject (str | None) – Optional OpenSSL subject (e.g., /CN=example). If omitted, derived from principal.

  • add_service (bool) – Whether to add the principal as an IPA service.

  • key_size (int) – RSA key size in bits.

Returns:

A tuple of (certificate_path, key_path, csr_path).

Return type:

tuple[str, str, str]

Raises:
  • ValueError – If subject cannot be derived from principal.

  • RuntimeError – If CSR generation fails.

revoke(cert_path: str, reason: str = 'unspecified') None

Revoke a certificate in IPA.

Implements GenericCertificateAuthority.revoke().

Parameters:
  • cert_path (str) – Path to the certificate file.

  • reason (str) – Reason for revocation.

Raises:

RuntimeError – If revocation fails.

revoke_hold(cert_path: str) None

Place a certificate on hold.

Implements GenericCertificateAuthority.revoke_hold().

Parameters:

cert_path (str) – Path to the certificate file.

revoke_hold_remove(cert_path: str) None

Remove hold from a certificate.

Implements GenericCertificateAuthority.revoke_hold_remove().

Parameters:

cert_path (str) – Path to the certificate file.

Raises:

RuntimeError – If hold removal fails.

get(cert_path: str) dict[str, list[str]]

Retrieve certificate details from IPA.

Implements GenericCertificateAuthority.get().

Parameters:

cert_path (str) – Path to the certificate file.

Returns:

A dictionary of certificate attributes.

Return type:

dict[str, list[str]]

Raises:

ValueError – If the certificate is not found in IPA.

class sssd_test_framework.roles.ipa.IPAHBACService(role: IPA, name: str)

Bases: IPAObject

IPA HBAC service management.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – HBAC service name.

add(*, description: str | None = None) IPAHBACService

Create new IPA HBAC service.

Parameters:

description (str | None, optional) – Description, defaults to None

Returns:

Self.

Return type:

IPAHBACService

modify(*, description: str | None = None) IPAHBACService

Modify existing IPA HBAC service.

Parameters:

description (str | None, optional) – Description, defaults to None

Returns:

Self.

Return type:

IPAHBACService

delete() None

Delete the IPA HBAC service.

show(attrs: list[str]) dict[str, list[str]] | None

Show detailed info of the HBAC service.

Parameters:

attrs (list[str]) – Returned attributes.

Returns:

Service attributes, None if not found.

Return type:

dict[str, list[str]] | None

classmethod search(role: IPA, criteria: str, all: bool = False) list[str]

Search for HBAC services matching criteria.

Parameters:
  • role (IPA) – IPA role object.

  • criteria (str) – Search filter string.

  • all (bool) – Prints all attributes, default is False.

Returns:

List of matching HBAC service names.

Return type:

list[str]

class sssd_test_framework.roles.ipa.IPAHBACServiceGroup(role: IPA, name: str)

Bases: IPAObject

IPA HBAC service group management.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – HBAC service group name.

add(*, description: str | None = None) IPAHBACServiceGroup

Create new IPA HBAC service group.

Parameters:

description (str | None, optional) – Description, defaults to None

Returns:

Self.

Return type:

IPAHBACServiceGroup

modify(*, description: str | None = None) IPAHBACServiceGroup

Modify existing IPA HBAC service group.

Parameters:

description (str | None, optional) – Description, defaults to None

Returns:

Self.

Return type:

IPAHBACServiceGroup

add_member(*, hbacsvc: list[str] | str | None = None, hbacsvcgroup: list[str] | str | None = None) IPAHBACServiceGroup

Add HBAC service group members.

Parameters:
  • hbacsvc (list[str] | str | None, optional) – HBAC service(s) to add as member(s).

  • hbacsvcgroup (list[str] | str | None, optional) – HBAC service group(s) to add as member(s).

Returns:

Self.

Return type:

IPAHBACServiceGroup

remove_member(*, hbacsvc: list[str] | str | None = None, hbacsvcgroup: list[str] | str | None = None) IPAHBACServiceGroup

Remove HBAC service group members.

Parameters:
  • hbacsvc (list[str] | str | None, optional) – HBAC service(s) to remove as member(s).

  • hbacsvcgroup (list[str] | str | None, optional) – HBAC service group(s) to remove as member(s).

Returns:

Self.

Return type:

IPAHBACServiceGroup

delete() None

Delete the IPA HBAC service group.

show(attrs: list[str] | None = None) dict[str, list[str]] | None

Show detailed info of the HBAC service group.

Parameters:

attrs (list[str] | None, optional) – If set, only requested attributes are returned, defaults to None

Returns:

Dictionary of HBAC service group attributes or None if not found

Return type:

dict[str, list[str]] | None

classmethod search(role: IPA, criteria: str, all: bool = False) list[str]

Search for HBAC service groups matching criteria.

Parameters:
  • role (IPA) – IPA role object.

  • criteria (str) – Search filter string.

  • all (bool) – Prints all attributes, default is False.

Returns:

List of matching HBAC service group names.

Return type:

list[str]

class sssd_test_framework.roles.ipa.IPAHostGroup(role: IPA, name: str)

Bases: IPAObject

IPA host group management.

Initialize IPAHostGroup.

Parameters:
  • role (IPA) – IPA role object.

  • name (str) – Host group name.

add(description: str | None = None) IPAHostGroup

Create new IPA host group.

Parameters:

description (str | None, optional) – Description, defaults to None.

Returns:

Self.

Return type:

IPAHostGroup

modify(description: str | None = None) IPAHostGroup

Modify existing IPA host group.

Parameters:

description (str | None, optional) – Description, defaults to None

Returns:

Self.

Return type:

IPAHostGroup

delete() None

Delete the IPA host group.

show(attrs: list[str] | None = None) dict[str, list[str]] | None

Show detailed info of the host group or selected attributes.

Parameters:

attrs (list[str] | None, optional) – List of attributes to show, None shows all, defaults to None.

Returns:

Dictionary of requested host group attributes or None if not found.

Return type:

dict[str, list[str]] | None

classmethod search(role: IPA, criteria: str, all: bool = False) list[str]

Search for host groups matching criteria.

Parameters:
  • role (IPA) – IPA role object.

  • criteria (str) – Search filter string.

  • all (bool) – Prints all attributes, default is False.

Returns:

List of matching host group names.

Return type:

list[str]

add_member(host: list[str] | str | None = None, hostgroup: list[str] | str | None = None) IPAHostGroup

Add host group members.

Parameters:
  • host (list[str] | str | None, optional) – Host(s) to add as member(s), defaults to None.

  • hostgroup (list[str] | str | None, optional) – Host group(s) to add as member(s), defaults to None.

Returns:

Self.

Return type:

IPAHostGroup

remove_member(host: list[str] | str | None = None, hostgroup: list[str] | str | None = None) IPAHostGroup

Remove host group members.

Parameters:
  • host (list[str] | str | None, optional) – Host(s) to remove as member(s), defaults to None.

  • hostgroup (list[str] | str | None, optional) – Host group(s) to remove as member(s), defaults to None.

Returns:

Self.

Return type:

IPAHostGroup

add_member_manager(host: list[str] | str | None = None, hostgroup: list[str] | str | None = None) IPAHostGroup

Add host group member managers.

Parameters:
  • host (list[str] | str | None, optional) – Host(s) to add as member manager(s), defaults to None.

  • hostgroup (list[str] | str | None, optional) – Host group(s) to add as member manager(s), defaults to None.

Returns:

Self.

Return type:

IPAHostGroup

remove_member_manager(host: list[str] | str | None = None, hostgroup: list[str] | str | None = None) IPAHostGroup

Remove host group member managers.

Parameters:
  • host (list[str] | str | None, optional) – Host(s) to remove as member manager(s), defaults to None.

  • hostgroup (list[str] | str | None, optional) – Host group(s) to remove as member manager(s), defaults to None.

Returns:

Self.

Return type:

IPAHostGroup

class sssd_test_framework.roles.ipa.IPAHBAC(role: IPA, name: str)

Bases: IPAObject

Manages IPA HBAC (Host-Based Access Control) rule.

Initializes an HBAC rule manager.

Parameters:
  • role (IPA) – IPA role.

  • name (str) – Name of IPA HBAC rule.

create(users: list[str] | str | None = None, groups: list[str] | str | None = None, hosts: list[str] | str | None = None, hostgroups: list[str] | str | None = None, services: list[str] | str | None = None, servicegroups: list[str] | str | None = None, description: str | None = None, hostcat: str | None = None, servicecat: str | None = None, usercat: str | None = None, **kwargs) IPAHBAC

Creates a new HBAC rule with all components in one call. Can also be used to add components to existing rules.

Parameters:
  • users (list[str] | str | None) – User(s) to add to the HBAC rule.

  • groups (list[str] | str | None) – Group(s) to add to the HBAC rule.

  • hosts (list[str] | str | None) – Host(s) to add to the HBAC rule.

  • hostgroups (list[str] | str | None) – Host group(s) to add to the HBAC rule.

  • services (list[str] | str | None) – Service(s) to add to the HBAC rule.

  • servicegroups (list[str] | str | None) – Service group(s) to add to the HBAC rule.

  • description (str | None) – Description of the HBAC rule.

  • hostcat (str | None) – Host category (hostcat) of the HBAC rule.

  • servicecat (str | None) – Service category (servicecat) of the HBAC rule.

  • usercat (str | None) – User category (usercat) of the HBAC rule.

Returns:

Self.

Return type:

IPAHBAC

modify(description: str | None = None, hostcat: str | None = None, servicecat: str | None = None, usercat: str | None = None, **kwargs) IPAHBAC

Modifies an existing HBAC rule.

Parameters:
  • description (str | None) – New description of the HBAC rule.

  • hostcat (str | None) – New host category (hostcat) of the HBAC rule.

  • servicecat (str | None) – New service category (servicecat) of the HBAC rule.

  • usercat (str | None) – New user category (usercat) of the HBAC rule.

Returns:

Self.

Return type:

IPAHBAC

delete() None

Deletes the HBAC rule.

enable() IPAHBAC

Enables the HBAC rule.

Returns:

Self.

Return type:

IPAHBAC

disable() IPAHBAC

Disables the HBAC rule.

Returns:

Self.

Return type:

IPAHBAC

classmethod search(role: IPA, criteria: str, all: bool = False) list[str]

Search for HBAC rules.

Parameters:
  • role (IPA) – IPA role object.

  • criteria (str) – Search filter string.

  • all (bool) – Prints all attributes, default is False.

Returns:

List of matching HBAC rule names.

Return type:

list[str]

remove_members(*, users: list[str] | str | None = None, hosts: list[str] | str | None = None, services: list[str] | str | None = None) IPAHBAC

Remove users, hosts, and/or services from HBAC rule.

Parameters:
  • users (list[str] | str | None, defaults to None) – Users to remove.

  • hosts (list[str] | str | None, defaults to None) – Hosts to remove.

  • services (list[str] | str | None, defaults to None) – Services to remove.

Returns:

Self.

Return type:

IPAHBAC

test(user: str, host: str, service: str, nodetail: bool = False, **kwargs) dict[str, Any]

Tests HBAC rule evaluation and returns comprehensive results. Evaluates all configured rules to determine access and shows which rules match.

Parameters:
  • user (str) – User to evaluate access for.

  • host (str) – Host to evaluate access on.

  • service (str) – Service to evaluate access to.

  • nodetail (bool) – If True, suppress the per-rule match details (the --nodetail option of hbacrule-test).

  • kwargs (dict[str, Any]) – Additional keyword arguments passed to ipa hbacrule-test.

Returns:

Parsed hbacrule-test output.

Return type:

dict[str, Any]

status(*, user: str | None = None, group: str | None = None, host: str | None = None, service: str | None = None, include_members: bool = False) dict[str, Any]

Get rule status, optionally checking membership and returning the raw member lists.

Parameters:
  • user (str | None, defaults to None) – Username to check for membership in the rule.

  • group (str | None, defaults to None) – Group name to check for membership in the rule.

  • host (str | None, defaults to None) – Hostname to check for membership in the rule.

  • service (str | None, defaults to None) – Service name to check for membership in the rule.

  • include_members (bool, defaults to False) – When True, return the resolved member lists in the output.

Returns:

Dictionary with rule status information and optional membership results.

Return type:

dict[str, Any]

contains(**kwargs) bool

Convenience method to check if any membership filter matches.

Returns:

True if any membership filter matches, else False.

Return type:

bool
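To make the evaluation semantics behind test() and status() concrete, here is an added, self-contained model (not framework code and not the ipa CLI) of how IPA HBAC rules decide access: a user/host/service triple is granted when at least one enabled rule matches all three components, and each component matches by direct membership, by group membership, or because its category is "all". The rule names, the membership tables and the broad_enabled_rules() hygiene check are constructed for this illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any


@dataclass
class HBACRule:
    """One HBAC rule with the same components IPAHBAC.create() accepts."""
    name: str
    enabled: bool = True
    users: set[str] = field(default_factory=set)
    groups: set[str] = field(default_factory=set)
    hosts: set[str] = field(default_factory=set)
    hostgroups: set[str] = field(default_factory=set)
    services: set[str] = field(default_factory=set)
    servicegroups: set[str] = field(default_factory=set)
    usercat: str | None = None      # "all" matches every user
    hostcat: str | None = None      # "all" matches every host
    servicecat: str | None = None   # "all" matches every service


# Constructed membership tables standing in for what IPA resolves server-side.
USER_GROUPS = {"alice": {"sysadmins"}, "bob": {"developers"}}
HOST_GROUPS = {"web1.test": {"webservers"}, "db1.test": {"dbservers"}}
SERVICE_GROUPS = {"su": {"su-family"}, "su-l": {"su-family"}}

# Constructed rule set: two narrow allow rules plus a catch-all that is disabled.
RULES = [
    HBACRule("allow_sysadmins_sshd", groups={"sysadmins"},
             hostgroups={"webservers"}, services={"sshd"}),
    HBACRule("dba_su_on_db", users={"bob"}, hosts={"db1.test"},
             servicegroups={"su-family"}),
    HBACRule("allow_all", enabled=False,
             usercat="all", hostcat="all", servicecat="all"),
]


def _component_matches(value: str, direct: set[str], via_groups: set[str],
                       membership: dict[str, set[str]], category: str | None) -> bool:
    """A component matches if its category is 'all', the value is listed directly,
    or the value belongs to one of the listed groups."""
    if category == "all":
        return True
    if value in direct:
        return True
    return bool(via_groups & membership.get(value, set()))


def rule_matches(rule: HBACRule, user: str, host: str, service: str) -> bool:
    """All three components (user, host, service) must match for a rule to apply."""
    return (_component_matches(user, rule.users, rule.groups, USER_GROUPS, rule.usercat)
            and _component_matches(host, rule.hosts, rule.hostgroups, HOST_GROUPS, rule.hostcat)
            and _component_matches(service, rule.services, rule.servicegroups,
                                   SERVICE_GROUPS, rule.servicecat))


def hbac_test(rules: list[HBACRule], user: str, host: str, service: str) -> dict[str, Any]:
    """Mirror the shape of IPAHBAC.test(): access is granted when at least one enabled
    rule matches; disabled rules are reported separately and never evaluated."""
    matched = [r.name for r in rules if r.enabled and rule_matches(r, user, host, service)]
    not_matched = [r.name for r in rules if r.enabled and r.name not in matched]
    disabled = [r.name for r in rules if not r.enabled]
    return {"access_granted": bool(matched), "matched": matched,
            "not_matched": not_matched, "disabled": disabled}


def broad_enabled_rules(rules: list[HBACRule]) -> list[str]:
    """Hygiene check: enabled rules whose user, host and service categories are all 'all'
    grant every user access to every service on every host, making the other rules moot."""
    return [r.name for r in rules
            if r.enabled and (r.usercat, r.hostcat, r.servicecat) == ("all",) * 3]


if __name__ == "__main__":
    print(hbac_test(RULES, "alice", "web1.test", "sshd"))
    print(hbac_test(RULES, "bob", "web1.test", "sshd"))
    print("overly broad:", broad_enabled_rules(RULES))
```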