@@ -0,0 +1 @@ | |||
*.pyc |
@@ -1,27 +1,34 @@ | |||
# Ansible LDAP Modules | |||
For whatever reasons, Ansible doesn't include modules to manipulate an | |||
LDAP server in its [core](http://docs.ansible.com/ansible/modules_by_category.html). | |||
LDAP server in its | |||
[core](http://docs.ansible.com/ansible/modules_by_category.html). | |||
Peter Sagerson implemented a pair of modules and has | |||
[attempted to get them into Ansible](http://grokbase.com/t/gg/ansible-devel/148892tek3/ldap-modules), | |||
but no luck yet. He's instead hosted his code on | |||
[Bitbucket](https://bitbucket.org/psagers/ansible-ldap). | |||
This repository is a fork of his original work (with some cosmetic | |||
improvements) hosted on GitHub. | |||
This repository is a fork of his original work with some additions | |||
(and cosmetic improvements) hosted on GitHub. | |||
# Installation | |||
You'll need to clone this repository somewhere into your Ansible (use | |||
a git submodule). | |||
``` | |||
$ git clone https://github.com/unchained-capital/ansible-ldap-modules | |||
``` | |||
The `python-ldap` library is required on whatever host is executing | |||
these modules. This can be confusing if you use both | |||
`local_action`-type tasks and tasks which run on remote hosts and both | |||
need to talk do an LDAP server -- you'll need to install `python-ldap` | |||
both locally on your controller as well as remotely on the hosts you | |||
run the tasks on. | |||
In addition, you'll need to clone this repository itself to your | |||
controller and put it somewhere `ansible` can find it. | |||
The `python-ldap` library is required on the Ansible controller node | |||
for these modules to load. Install it with | |||
## python-ldap Installation | |||
Install it locally via the following commands: | |||
``` | |||
$ cd ansible-ldap-modules | |||
@@ -34,10 +41,38 @@ You may need to install some system dependencies first: | |||
$ sudo apt-get install python-dev libsasl2-dev libldap2-dev libssl-dev | |||
``` | |||
For remote hosts, this can be automated via Ansible: | |||
```yaml | |||
# in prepare_remote_ldap_host.yml, for example | |||
- name: Install dependencies | |||
apt: name="{{ item }}" state=present | |||
with_items: | |||
- python-pip | |||
- libsasl2-dev | |||
- libldap2-dev | |||
- libssl-dev | |||
- name: Upgrade pip | |||
command: pip install --upgrade pip | |||
- name: Install python-ldap | |||
pip: name=python-ldap state=present | |||
``` | |||
## Modules Installation | |||
You'll need to clone this repository somewhere on your controller | |||
machine so that `ansible` can find it. | |||
``` | |||
$ git clone https://github.com/unchained-capital/ansible-ldap-modules | |||
``` | |||
Once you have `python-ldap` installed, you'll need to link the | |||
executable files in this repository into Ansible's library path. The | |||
simplest way to do this is to create a `library` folder at the | |||
top-level of your Ansible repository and create symlinks within it to | |||
top-level of your playbook repository and create symlinks within it to | |||
the module files in this repository: | |||
``` | |||
@@ -52,14 +87,213 @@ or the `library` entry within the `defaults` section of your | |||
# Usage | |||
(copied from psager's [original README](https://bitbucket.org/psagers/ansible-ldap/src/ca4c0025358cdeba33e9ef0369af3430bf4812ad/README.md)) | |||
Remember, if you run these tasks locally, you need `python-ldap` | |||
installed locally. If you run them on a remote machine, you need | |||
`python-ldap` installed on that remote machine. | |||
## Shared Behavior | |||
All the modules in this repository share some behaviors. This section | |||
describes those behaviors. The next section describes each module in | |||
detail. | |||
### Specifying an LDAP Server | |||
Here is a simple example of creating an entry (more details on this | |||
below): | |||
```yaml | |||
- hosts: server0 | |||
tasks: | |||
- name: Ensure an LDAP entry exists for ou=People | |||
ldap_entry: | |||
dn: "ou=People,dc=example,dc=com" | |||
ou: People | |||
objectClass: organizationalUnit | |||
description: Getting together and having a good time. | |||
``` | |||
The target host of an LDAP operation is assumed to be the same host as | |||
the Ansible task is executing so the above task would attempt to talk | |||
to LDAP server running on `server0` listenting on port 389. This example: | |||
```yaml | |||
- hosts: server0 | |||
tasks: | |||
- name: Ensure an LDAP entry exists for ou=People | |||
ldap_entry: | |||
server_uri: ldapi://server1/ | |||
dn: "ou=People,dc=example,dc=com" | |||
ou: People | |||
objectClass: organizationalUnit | |||
description: Getting together and having a good time. | |||
``` | |||
would target an LDAP server at `server1`. | |||
### Choosing Credentials | |||
Without any credentials (as in the above examples), the request will | |||
be made via a SASL `EXTERNAL` bind (similar to `ldapadd ... -Y | |||
EXTERNAL ...` on the command-line). | |||
Credentials can be specified as well: | |||
```yaml | |||
- hosts: server0 | |||
tasks: | |||
- name: Ensure an LDAP entry exists for ou=People | |||
ldap_entry: | |||
bind_dn: "cn=admin,dc=example,dc=com" | |||
bind_pw: "password" | |||
dn: "ou=People,dc=example,dc=com" | |||
ou: People | |||
objectClass: organizationalUnit | |||
description: Getting together and having a good time. | |||
``` | |||
## Modules | |||
This repository provides four different modules: | |||
This project contains a pair of Ansible modules for manipulating an | |||
LDAP directory. `ldap_entry` can be used to ensure that an entire | |||
entry exists and `ldap_attr` can be used to ensure the values of an | |||
entry's attributes. | |||
### ldap_entry | |||
Ensures that an entry with a given `dn` exists/doesn't exist. If | |||
missing, it creates it. It present it does nothing. In particular, | |||
even if the entry has different attributes from those specified in | |||
Ansible, `ldap_entry` does nothing. You can, however, use | |||
`ldap_entry` to remove LDAP entries if you specify `state=absent`. | |||
#### Creating an entry | |||
```yaml | |||
- name: Ensure an LDAP entry exists for ou=People | |||
ldap_entry: | |||
dn: "ou=People,dc=example,dc=com" | |||
ou: People | |||
objectClass: organizationalUnit | |||
description: Getting together and having a good time. | |||
``` | |||
If the `ou=People,dc=example,dc=com` entry has its `description` field | |||
changed, this task will not update it. It's therefore best to only | |||
specify the minimal number of fields required to successfully create | |||
the entity, given its LDAP `objectClass` values and later use | |||
`ldap_attr` to explicitly declare the expected state for each | |||
attribute individually. Or use `ldap_upsert`. | |||
#### Removing an entry | |||
```yaml | |||
- name: Ensure an LDAP entry exists for ou=People | |||
ldap_entry: | |||
dn: "ou=People,dc=example,dc=com" | |||
state: absent | |||
``` | |||
### ldap_attr | |||
Ensures that an attribute with a given value exists/doesn't exist for | |||
a given entry. If the entry does not exist, it throws an error. If | |||
the doesn't exist, it creates it. If it exists but has a different | |||
value, it updates it. You can use `ldap_attr` to remove LDAP | |||
attributes if you specify `state=absent`. | |||
#### Specifying an attribute exactly | |||
Here's a simple example. | |||
```yaml | |||
- name: Ensure description is correct for ou=People | |||
ldap_attr: | |||
dn: "ou=People,dc=example,dc=com" | |||
name: description | |||
state: exact | |||
values: Getting together and having a good time. | |||
- name: Ensure members are correct for cn=Admins,ou=Groups | |||
ldap_attr: | |||
dn: "cn=Admins,ou=Groups,dc=example,dc=com" | |||
name: member | |||
state: exact | |||
values: | |||
- cn=joe,ou=People,dc=example,dc=com | |||
- cn=bob,ou=People,dc=example,dc=com | |||
``` | |||
This is a lot of work for many entries with many attributes. Consider | |||
`ldap_upsert` in these cases. | |||
#### Appending to an attribute | |||
```yaml | |||
- name: Ensure members are present in cn=Admins,ou=Groups | |||
ldap_attr: | |||
dn: "cn=Admins,ou=Groups,dc=example,dc=com" | |||
name: member | |||
state: present | |||
values: | |||
- cn=joe,ou=People,dc=example,dc=com | |||
- cn=bob,ou=People,dc=example,dc=com | |||
``` | |||
The user `cn=mike,ou=People,dc=example,dc=com` could still be a | |||
`member` of `cn=Admins,ou=Groups,dc=example,dc=com` after this task | |||
runs. | |||
#### Removing an attribute | |||
```yaml | |||
- name: Ensure user's password is not set | |||
ldap_attr: | |||
dn: "cn=joe,ou=People,dc=example,dc=com" | |||
state: absent | |||
name: userPassword | |||
``` | |||
### ldap_upsert | |||
Ensures both that an entry exists as well as that its attributs have | |||
particular values. You cannot use `ldap_upsert` to remove entries or | |||
their attributes, but it useful when creating lots of entities with | |||
their attributes. | |||
```yaml | |||
- name: Create a user | |||
ldap_upsert: | |||
dn: "uid=joe1234,ou=People,dc=example,dc=com" | |||
objectClass: | |||
- account | |||
- posixAccount | |||
cn: "Joe Smith" | |||
gn: "Joe" | |||
sn: "Smith" | |||
uid: "joe1234" | |||
homeDirectory: "/home/joe1234" | |||
userPassword: "..." | |||
``` | |||
### ldap_search | |||
Perform an LDAP search. Useful in combination with Ansible's | |||
`register` keyword. | |||
This example performs a task for each LDAP user `account`: | |||
```yaml | |||
- name: | |||
ldap_search: | |||
base: "ou=People,dc=example,dc=com" | |||
scope: onelevel | |||
filter: "(objectClass=account)" | |||
register: ldap_user_search | |||
- name: View search results | |||
debug: var=ldap_user_search | |||
- name: Do something for each user | |||
# ... | |||
with_items: "{{ ldap_user_search.results }}" | |||
``` | |||
Regrettably, Ansible does not have any sensible mechanism for | |||
packaging and distributing third-party modules with rendered | |||
documentation and runnable unit tests. The LDAP modules do have | |||
complete documentation strings embedded. |
@@ -129,7 +129,7 @@ def main(): | |||
'values': dict(required=True), | |||
'state': dict(default='present', choices=['present', 'absent', 'exact']), | |||
'server_uri': dict(default='ldapi:///'), | |||
'start_tls': dict(default='false', choices=BOOLEANS), | |||
'start_tls': dict(default='false', choices=(BOOLEANS+['True', True, 'False', False])), | |||
'bind_dn': dict(default=None), | |||
'bind_pw': dict(default='', no_log=True), | |||
}, | |||
@@ -95,7 +95,7 @@ def main(): | |||
'dn': dict(required=True), | |||
'state': dict(default='present', choices=['present', 'absent']), | |||
'server_uri': dict(default='ldapi:///'), | |||
'start_tls': dict(default='false', choices=BOOLEANS), | |||
'start_tls': dict(default='false', choices=(BOOLEANS+['True', True, 'False', False])), | |||
'bind_dn': dict(default=None), | |||
'bind_pw': dict(default='', no_log=True), | |||
}, | |||
@@ -0,0 +1,231 @@ | |||
#!/usr/bin/env python | |||
from traceback import format_exc | |||
import ldap | |||
import ldap.modlist | |||
import ldap.sasl | |||
DOCUMENTATION = """ | |||
--- | |||
module: ldap_search | |||
short_description: Return the results of an LDAP search. | |||
description: | |||
- Return the results of an LDAP search. Use in combination with | |||
Ansible's 'register' statement. | |||
notes: [] | |||
version_added: null | |||
author: Dhruv Bansal | |||
requirements: | |||
- python-ldap | |||
options: | |||
base: | |||
required: true | |||
description: | |||
- The base to search from. | |||
scope: | |||
required: false | |||
choices: [base, onelevel, subordinate, children] | |||
default: base | |||
description: | |||
- The LDAP scope to use when searching. | |||
filter: | |||
required: false | |||
default: '(objectClass=*)' | |||
description: | |||
- The filter to apply to the search. | |||
attrs: | |||
required: false | |||
default: none | |||
description: | |||
- A list of attrs to limit the results to. Can be an | |||
actual list or just a comma-separated string. | |||
schema: | |||
required: false | |||
default: false | |||
description: | |||
- Return the full attribute schema of entries, not their | |||
attribute values. Overrides C(attrs) when given. | |||
server_uri: | |||
required: false | |||
default: ldapi:/// | |||
description: | |||
- A URI to the LDAP server. The default value lets the underlying | |||
LDAP client library look for a UNIX domain socket in its default | |||
location. | |||
start_tls: | |||
required: false | |||
default: false | |||
description: | |||
- If true, we'll use the START_TLS LDAP extension. | |||
bind_dn: | |||
required: false | |||
description: | |||
- A DN to bind with. If this is omitted, we'll try a SASL bind with | |||
the EXTERNAL mechanism. If this is blank, we'll use an anonymous | |||
bind. | |||
bind_pw: | |||
required: false | |||
description: | |||
- The password to use with C(bind_dn). | |||
""" | |||
EXAMPLES = """ | |||
# Return all entries within the 'groups' organizational unit. | |||
- ldap_search: base='ou=groups,dc=example,dc=com' | |||
register: ldap_groups | |||
sudo: true | |||
# Return GIDs for all groups | |||
- ldap_entry: base='ou=groups,dc=example,dc=com' scope=onelevel attrs="gidNumber" | |||
register: ldap_group_gids | |||
sudo: true | |||
""" | |||
def main(): | |||
module = AnsibleModule( | |||
argument_spec={ | |||
'base': dict(required=True), | |||
'scope': dict(default='base', choices=['base', 'onelevel', 'subordinate', 'children']), | |||
'filter': dict(default='(objectClass=*)'), | |||
'attrs': dict(default=None), | |||
'schema': dict(default=False, choices=(BOOLEANS+['True', True, 'False', False])), | |||
'server_uri': dict(default='ldapi:///'), | |||
'start_tls': dict(default='false', choices=(BOOLEANS+['True', True, 'False', False])), | |||
'bind_dn': dict(default=None), | |||
'bind_pw': dict(default='', no_log=True), | |||
}, | |||
check_invalid_arguments=False, | |||
supports_check_mode=False, | |||
) | |||
try: | |||
LdapSearch(module).main() | |||
except ldap.LDAPError, e: | |||
module.fail_json(msg=str(e), exc=format_exc()) | |||
class LdapSearch(object): | |||
_connection = None | |||
def __init__(self, module): | |||
self.module = module | |||
# python-ldap doesn't understand unicode strings. Parameters that are | |||
# just going to get passed to python-ldap APIs are stored as utf-8. | |||
self.base = self._utf8_param('base') | |||
self.filterstr = self._utf8_param('filter') | |||
self.server_uri = self.module.params['server_uri'] | |||
self.start_tls = self.module.boolean(self.module.params['start_tls']) | |||
self.bind_dn = self._utf8_param('bind_dn') | |||
self.bind_pw = self._utf8_param('bind_pw') | |||
self.attrlist = [] | |||
self._load_scope() | |||
self._load_attrs() | |||
self._load_schema() | |||
# if (self.state == 'present') and ('objectClass' not in self.attrs): | |||
# self.module.fail_json(msg="When state=present, at least one objectClass must be provided") | |||
def _utf8_param(self, name): | |||
return self._force_utf8(self.module.params[name]) | |||
def _load_schema(self): | |||
self.schema = self.module.boolean(self.module.params['schema']) | |||
if self.schema: | |||
self.attrsonly = 1 | |||
else: | |||
self.attrsonly = 0 | |||
def _load_scope(self): | |||
scope = self.module.params['scope'] | |||
if scope == 'base': self.scope = ldap.SCOPE_BASE | |||
elif scope == 'onelevel': self.scope = ldap.SCOPE_ONELEVEL | |||
elif scope == 'subordinate': self.scope = ldap.SCOPE_SUBORDINATE | |||
elif scope == 'children': self.scope = ldap.SCOPE_SUBTREE | |||
else: | |||
self.module.fail_json(msg="scope must be one of: base, onelevel, subordinate, children") | |||
def _load_attrs(self): | |||
if self.module.params['attrs'] is None: | |||
self.attrlist = None | |||
else: | |||
attrs = self._load_attr_values(self.module.params['attrs']) | |||
if len(attrs) > 0: | |||
self.attrlist = attrs | |||
else: | |||
self.attrlist = None | |||
def _load_attr_values(self, raw): | |||
if isinstance(raw, basestring): | |||
values = raw.split(',') | |||
else: | |||
values = raw | |||
if not (isinstance(values, list) and all(isinstance(value, basestring) for value in values)): | |||
self.module.fail_json(msg="attrs must be a string or list of strings.") | |||
return map(self._force_utf8, values) | |||
def _force_utf8(self, value): | |||
""" If value is unicode, encode to utf-8. """ | |||
if isinstance(value, unicode): | |||
value = value.encode('utf-8') | |||
return value | |||
def main(self): | |||
results = self.perform_search() | |||
self.module.exit_json(changed=True, results=results) | |||
def perform_search(self): | |||
try: | |||
results = self.connection.search_s(self.base, self.scope, filterstr=self.filterstr, attrlist=self.attrlist, attrsonly=self.attrsonly) | |||
if self.schema: | |||
return [dict(dn=result[0],attrs=result[1].keys()) for result in results] | |||
else: | |||
return [self._extract_entry(result[0], result[1]) for result in results] | |||
except ldap.NO_SUCH_OBJECT: | |||
self.module.fail_json(msg="Base not found: {}".format(self.base)) | |||
def _extract_entry(self, dn, attrs): | |||
extracted = {'dn': dn} | |||
for attr, val in attrs.iteritems(): | |||
if len(val) == 1: | |||
extracted[attr] = val[0] | |||
else: | |||
extracted[attr] = val | |||
return extracted | |||
# | |||
# LDAP Connection | |||
# | |||
@property | |||
def connection(self): | |||
""" An authenticated connection to the LDAP server (cached). """ | |||
if self._connection is None: | |||
self._connection = self._connect_to_ldap() | |||
return self._connection | |||
def _connect_to_ldap(self): | |||
connection = ldap.initialize(self.server_uri) | |||
if self.start_tls: | |||
connection.start_tls_s() | |||
if self.bind_dn is not None: | |||
connection.simple_bind_s(self.bind_dn, self.bind_pw) | |||
else: | |||
connection.sasl_interactive_bind_s('', ldap.sasl.external()) | |||
return connection | |||
from ansible.module_utils.basic import * # noqa | |||
main() |
@@ -0,0 +1,239 @@ | |||
#!/usr/bin/env python | |||
from traceback import format_exc | |||
import ldap | |||
import ldap.modlist | |||
import ldap.sasl | |||
DOCUMENTATION = """ | |||
--- | |||
module: ldap_upsert | |||
short_description: Insert or update an LDAP entry. | |||
description: | |||
- Insert or update an LDAP entry. Existing entries with matching | |||
C(dn) will have their attributes updated. Otherwise a new entry | |||
will be created with the given attributes. This module cannot | |||
delete entries or remove attributes, see M(ldap_entry) and | |||
M(ldap_attr), respectively. | |||
notes: [] | |||
version_added: null | |||
author: Peter Sagerson | |||
requirements: | |||
- python-ldap | |||
options: | |||
dn: | |||
required: true | |||
description: | |||
- The DN of the entry to insert or update. | |||
objectClass: | |||
required: true | |||
description: | |||
- Must be a list of objectClass values to use when | |||
creating the entry. It can either be a string containing | |||
a comma-separated list of values, or an actual list of | |||
strings. When updating, these values are not used. | |||
'...': | |||
required: false | |||
description: | |||
- All additional arguments are taken to be LDAP attribute | |||
names like C(objectClass), with similar lists of values. | |||
If the entry exists, these attributes will be updated if | |||
necessary. Otherwise the newly created entry will have | |||
these attributes. | |||
server_uri: | |||
required: false | |||
default: ldapi:/// | |||
description: | |||
- A URI to the LDAP server. The default value lets the underlying | |||
LDAP client library look for a UNIX domain socket in its default | |||
location. | |||
start_tls: | |||
required: false | |||
default: false | |||
description: | |||
- If true, we'll use the START_TLS LDAP extension. | |||
bind_dn: | |||
required: false | |||
description: | |||
- A DN to bind with. If this is omitted, we'll try a SASL bind with | |||
the EXTERNAL mechanism. If this is blank, we'll use an anonymous | |||
bind. | |||
bind_pw: | |||
required: false | |||
description: | |||
- The password to use with C(bind_dn). | |||
""" | |||
EXAMPLES = """ | |||
# Make sure we have a parent entry for users. | |||
- ldap_entry: dn='ou=users,dc=example,dc=com' objectClass=organizationalUnit description="My Org Unit" | |||
sudo: true | |||
# Make sure we have an admin user. | |||
- ldap_entry: | |||
dn: 'cn=admin,dc=example,dc=com' | |||
objectClass: simpleSecurityObject,organizationalRole | |||
description: An LDAP administrator | |||
userPassword: '{SSHA}pedsA5Y9wHbZ5R90pRdxTEZmn6qvPdzm' | |||
sudo: true | |||
""" | |||
def main(): | |||
module = AnsibleModule( | |||
argument_spec={ | |||
'dn': dict(required=True), | |||
'server_uri': dict(default='ldapi:///'), | |||
'start_tls': dict(default='false', choices=(BOOLEANS+['True', True, 'False', False])), | |||
'bind_dn': dict(default=None), | |||
'bind_pw': dict(default='', no_log=True), | |||
}, | |||
check_invalid_arguments=False, | |||
supports_check_mode=False, | |||
) | |||
try: | |||
LdapUpsert(module).main() | |||
except ldap.LDAPError, e: | |||
module.fail_json(msg=str(e), exc=format_exc()) | |||
class LdapUpsert(object): | |||
def __init__(self, module): | |||
self.module = module | |||
self.server_uri = self.module.params['server_uri'] | |||
self.start_tls = self._boolean_param('start_tls') | |||
self.bind_dn = self._utf8_param('bind_dn') | |||
self.bind_pw = self._utf8_param('bind_pw') | |||
self.dn = self._utf8_param('dn') | |||
self._load_attrs() | |||
if 'objectClass' not in self.attrs: | |||
self.module.fail_json(msg="At least one objectClass must be provided") | |||
def _boolean_param(self, name): | |||
return self.module.boolean(self.module.params[name]) | |||
def _utf8_param(self, name): | |||
return self._force_utf8(self.module.params[name]) | |||
def _load_attr_values(self, name, raw): | |||
if isinstance(raw, basestring): | |||
values = raw.split(',') | |||
else: | |||
values = raw | |||
if not (isinstance(values, list) and all(isinstance(value, basestring) for value in values)): | |||
self.module.fail_json(msg="{} must be a string or list of strings.".format(name)) | |||
return map(self._force_utf8, values) | |||
def _force_utf8(self, value): | |||
""" If value is unicode, encode to utf-8. """ | |||
if isinstance(value, unicode): | |||
value = value.encode('utf-8') | |||
return value | |||
def _load_attrs(self): | |||
self.attrs = {} | |||
for name, raw in self.module.params.iteritems(): | |||
if name not in self.module.argument_spec: | |||
self.attrs[name] = self._load_attr_values(name, raw) | |||
def main(self): | |||
if self.entry_exists(): | |||
results = self.update_entry() | |||
self.module.exit_json(**results) | |||
else: | |||
insert_result = self.insert_entry() | |||
self.module.exit_json(changed=True, results=[insert_result]) | |||
def entry_exists(self): | |||
try: | |||
results = self.connection.search_s(self.dn, ldap.SCOPE_BASE) | |||
for result in results: | |||
if result[0] == self.dn: | |||
return True | |||
except ldap.NO_SUCH_OBJECT: | |||
return False | |||
def insert_entry(self): | |||
modlist = ldap.modlist.addModlist(self.attrs) | |||
result = self.connection.add_s(self.dn, modlist) | |||
return result | |||
def update_entry(self): | |||
results = [] | |||
for attr, value in self.attrs.iteritems(): | |||
if attr == 'objectClass': continue | |||
value = self._extract_value(value) | |||
check = self._attribute_value_check(attr, value) | |||
if check is False: | |||
op = ldap.MOD_REPLACE | |||
elif check is None: | |||
op = ldap.MOD_ADD | |||
else: | |||
op = None # Nothing to see here... | |||
if op is not None: | |||
result = self.connection.modify_s(self.dn, [(op, attr, value)]) | |||
results.append(result) | |||
if len(results) == 0: | |||
return dict(changed=False) | |||
else: | |||
return dict(changed=True, results=results) | |||
def _attribute_value_check(self, attr, value): | |||
try: | |||
return bool(self.connection.compare_s(self.dn, attr, value)) | |||
except ldap.NO_SUCH_ATTRIBUTE: | |||
return None | |||
def _extract_value(self, values): | |||
if isinstance(values, basestring): | |||
if values == '': | |||
values = [] | |||
else: | |||
values = [values] | |||
if not (isinstance(values, list) and all(isinstance(value, basestring) for value in values)): | |||
self.module.fail_json(msg="Attribute values must be strings or lists of strings.") | |||
values = map(self._force_utf8, values) | |||
if len(values) == 1: | |||
return values[0] | |||
else: | |||
return values | |||
# | |||
# LDAP Connection | |||
# | |||
_connection = None | |||
@property | |||
def connection(self): | |||
""" An authenticated connection to the LDAP server (cached). """ | |||
if self._connection is None: | |||
self._connection = self._connect_to_ldap() | |||
return self._connection | |||
def _connect_to_ldap(self): | |||
connection = ldap.initialize(self.server_uri) | |||
if self.start_tls: | |||
connection.start_tls_s() | |||
if self.bind_dn is not None: | |||
connection.simple_bind_s(self.bind_dn, self.bind_pw) | |||
else: | |||
connection.sasl_interactive_bind_s('', ldap.sasl.external()) | |||
return connection | |||
from ansible.module_utils.basic import * # noqa | |||
main() |