#!/usr/bin/env python from traceback import format_exc import ldap import ldap.modlist import ldap.sasl DOCUMENTATION = """ --- module: ldap_search short_description: Return the results of an LDAP search. description: - Return the results of an LDAP search. Use in combination with Ansible's 'register' statement. notes: [] version_added: null author: Dhruv Bansal requirements: - python-ldap options: base: required: true description: - The base to search from. scope: required: false choices: [base, onelevel, subordinate, children] default: base description: - The LDAP scope to use when searching. filter: required: false default: '(objectClass=*)' description: - The filter to apply to the search. attrs: required: false default: none description: - A list of attrs to limit the results to. Can be an actual list or just a comma-separated string. schema: required: false default: false description: - Return the full attribute schema of entries, not their attribute values. Overrides C(attrs) when given. server_uri: required: false default: ldapi:/// description: - A URI to the LDAP server. The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location. start_tls: required: false default: false description: - If true, we'll use the START_TLS LDAP extension. bind_dn: required: false description: - A DN to bind with. If this is omitted, we'll try a SASL bind with the EXTERNAL mechanism. If this is blank, we'll use an anonymous bind. bind_pw: required: false description: - The password to use with C(bind_dn). """ EXAMPLES = """ # Return all entries within the 'groups' organizational unit. - ldap_search: base='ou=groups,dc=example,dc=com' register: ldap_groups sudo: true # Return GIDs for all groups - ldap_entry: base='ou=groups,dc=example,dc=com' scope=onelevel attrs="gidNumber" register: ldap_group_gids sudo: true """ def main(): module = AnsibleModule( argument_spec={ 'base': dict(required=True), 'scope': dict(default='base', choices=['base', 'onelevel', 'subordinate', 'children']), 'filter': dict(default='(objectClass=*)'), 'attrs': dict(default=None), 'schema': dict(default=False, choices=(list(BOOLEANS)+['True', True, 'False', False])), 'server_uri': dict(default='ldapi:///'), 'start_tls': dict(default='false', choices=(list(BOOLEANS)+['True', True, 'False', False])), 'bind_dn': dict(default=None), 'bind_pw': dict(default='', no_log=True), }, check_invalid_arguments=False, supports_check_mode=False, ) try: LdapSearch(module).main() except ldap.LDAPError, e: module.fail_json(msg=str(e), exc=format_exc()) class LdapSearch(object): _connection = None def __init__(self, module): self.module = module # python-ldap doesn't understand unicode strings. Parameters that are # just going to get passed to python-ldap APIs are stored as utf-8. self.base = self._utf8_param('base') self.filterstr = self._utf8_param('filter') self.server_uri = self.module.params['server_uri'] self.start_tls = self.module.boolean(self.module.params['start_tls']) self.bind_dn = self._utf8_param('bind_dn') self.bind_pw = self._utf8_param('bind_pw') self.attrlist = [] self._load_scope() self._load_attrs() self._load_schema() # if (self.state == 'present') and ('objectClass' not in self.attrs): # self.module.fail_json(msg="When state=present, at least one objectClass must be provided") def _utf8_param(self, name): return self._force_utf8(self.module.params[name]) def _load_schema(self): self.schema = self.module.boolean(self.module.params['schema']) if self.schema: self.attrsonly = 1 else: self.attrsonly = 0 def _load_scope(self): scope = self.module.params['scope'] if scope == 'base': self.scope = ldap.SCOPE_BASE elif scope == 'onelevel': self.scope = ldap.SCOPE_ONELEVEL elif scope == 'subordinate': self.scope = ldap.SCOPE_SUBORDINATE elif scope == 'children': self.scope = ldap.SCOPE_SUBTREE else: self.module.fail_json(msg="scope must be one of: base, onelevel, subordinate, children") def _load_attrs(self): if self.module.params['attrs'] is None: self.attrlist = None else: attrs = self._load_attr_values(self.module.params['attrs']) if len(attrs) > 0: self.attrlist = attrs else: self.attrlist = None def _load_attr_values(self, raw): if isinstance(raw, basestring): values = raw.split(',') else: values = raw if not (isinstance(values, list) and all(isinstance(value, basestring) for value in values)): self.module.fail_json(msg="attrs must be a string or list of strings.") return map(self._force_utf8, values) def _force_utf8(self, value): """ If value is unicode, encode to utf-8. """ if isinstance(value, unicode): value = value.encode('utf-8') return value def main(self): results = self.perform_search() self.module.exit_json(changed=True, results=results) def perform_search(self): try: results = self.connection.search_s(self.base, self.scope, filterstr=self.filterstr, attrlist=self.attrlist, attrsonly=self.attrsonly) if self.schema: return [dict(dn=result[0],attrs=result[1].keys()) for result in results] else: return [self._extract_entry(result[0], result[1]) for result in results] except ldap.NO_SUCH_OBJECT: self.module.fail_json(msg="Base not found: {}".format(self.base)) def _extract_entry(self, dn, attrs): extracted = {'dn': dn} for attr, val in attrs.iteritems(): if len(val) == 1: extracted[attr] = val[0] else: extracted[attr] = val return extracted # # LDAP Connection # @property def connection(self): """ An authenticated connection to the LDAP server (cached). """ if self._connection is None: self._connection = self._connect_to_ldap() return self._connection def _connect_to_ldap(self): connection = ldap.initialize(self.server_uri) if self.start_tls: connection.start_tls_s() if self.bind_dn is not None: connection.simple_bind_s(self.bind_dn, self.bind_pw) else: connection.sasl_interactive_bind_s('', ldap.sasl.external()) return connection from ansible.module_utils.basic import * # noqa main()