Personal
/
ansible-ldap-modules
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Ansible modules for talking to LDAP servers https://github.com/unchained-capital/ansible-ldap-modules
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
168KB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
ansible-ldap-modules/ldap_entry

237 lines
7.1KB
Raw Permalink Blame History 

  1. #!/usr/bin/env python

  2. 

  3. from traceback import format_exc

  4. 

  5. import ldap

  6. import ldap.modlist

  7. import ldap.sasl

  8. 

  9. 

  10. DOCUMENTATION = """

  11. ---

  12. module: ldap_entry

  13. short_description: Add or remove LDAP entries.

  14. description:

  15.     - Add or remove LDAP entries. This module only asserts the existence or

  16.       non-existence of an LDAP entry, not its attributes. To assert the

  17.       attribute values of an entry, see M(ldap_attr).

  18. notes: []

  19. version_added: null

  20. author: Peter Sagerson

  21. requirements:

  22.     - python-ldap

  23. options:

  24.     dn:

  25.         required: true

  26.         description:

  27.             - The DN of the entry to add or remove.

  28.     state:

  29.         required: false

  30.         choices: [present, absent]

  31.         default: present

  32.         description:

  33.             - The target state of the entry.

  34.     objectClass:

  35.         required: false

  36.         description:

  37.             - If C(state=present), this must be a list of objectClass values to

  38.               use when creating the entry. It can either be a string containing

  39.               a comma-separated list of values, or an actual list of strings.

  40.     '...':

  41.         required: false

  42.         description:

  43.             - If C(state=present), all additional arguments are taken to be

  44.               LDAP attribute names like C(objectClass), with similar

  45.               lists of values. These should only be used to

  46.               provide the minimum attributes necessary for creating an entry;

  47.               existing entries are never modified. To assert specific attribute

  48.               values on an existing entry, see M(ldap_attr).

  49.     server_uri:

  50.         required: false

  51.         default: ldapi:///

  52.         description:

  53.             - A URI to the LDAP server. The default value lets the underlying

  54.               LDAP client library look for a UNIX domain socket in its default

  55.               location.

  56.     start_tls:

  57.         required: false

  58.         default: false

  59.         description:

  60.             - If true, we'll use the START_TLS LDAP extension.

  61.     bind_dn:

  62.         required: false

  63.         description:

  64.             - A DN to bind with. If this is omitted, we'll try a SASL bind with

  65.               the EXTERNAL mechanism. If this is blank, we'll use an anonymous

  66.               bind.

  67.     bind_pw:

  68.         required: false

  69.         description:

  70.             - The password to use with C(bind_dn).

  71. """

  72. 

  73. 

  74. EXAMPLES = """

  75. # Make sure we have a parent entry for users.

  76. - ldap_entry: dn='ou=users,dc=example,dc=com' objectClass=organizationalUnit

  77.   sudo: true

  78. 

  79. # Make sure we have an admin user.

  80. - ldap_entry:

  81.     dn: 'cn=admin,dc=example,dc=com'

  82.     objectClass: simpleSecurityObject,organizationalRole

  83.     description: An LDAP administrator

  84.     userPassword: '{SSHA}pedsA5Y9wHbZ5R90pRdxTEZmn6qvPdzm'

  85.   sudo: true

  86. 

  87. # Get rid of an old entry.

  88. - ldap_entry: dn='ou=stuff,dc=example,dc=com' state=absent server_uri='ldap://localhost/' bind_dn='cn=admin,dc=example,dc=com' bind_pw=password

  89. """

  90. 

  91. 

  92. def main():

  93.     module = AnsibleModule(

  94.         argument_spec={

  95.             'dn': dict(required=True),

  96.             'state': dict(default='present', choices=['present', 'absent']),

  97.             'server_uri': dict(default='ldapi:///'),

  98.             'start_tls': dict(default='false', choices=(list(BOOLEANS)+['True', True, 'False', False])),

  99.             'bind_dn': dict(default=None),

  100.             'bind_pw': dict(default='', no_log=True),

  101.         },

  102.         check_invalid_arguments=False,

  103.         supports_check_mode=True,

  104.     )

  105. 

  106.     try:

  107.         LdapEntry(module).main()

  108.     except ldap.LDAPError, e:

  109.         module.fail_json(msg=str(e), exc=format_exc())

  110. 

  111. 

  112. class LdapEntry(object):

  113.     _connection = None

  114. 

  115.     def __init__(self, module):

  116.         self.module = module

  117. 

  118.         # python-ldap doesn't understand unicode strings. Parameters that are

  119.         # just going to get passed to python-ldap APIs are stored as utf-8.

  120.         self.dn = self._utf8_param('dn')

  121.         self.state = self.module.params['state']

  122.         self.server_uri = self.module.params['server_uri']

  123.         self.start_tls = self.module.boolean(self.module.params['start_tls'])

  124.         self.bind_dn = self._utf8_param('bind_dn')

  125.         self.bind_pw = self._utf8_param('bind_pw')

  126.         self.attrs = {}

  127. 

  128.         self._load_attrs()

  129. 

  130.         if (self.state == 'present') and ('objectClass' not in self.attrs):

  131.             self.module.fail_json(msg="When state=present, at least one objectClass must be provided")

  132. 

  133.     def _utf8_param(self, name):

  134.         return self._force_utf8(self.module.params[name])

  135. 

  136.     def _load_attrs(self):

  137.         for name, raw in self.module.params.iteritems():

  138.             if name not in self.module.argument_spec:

  139.                 self.attrs[name] = self._load_attr_values(name, raw)

  140. 

  141.     def _load_attr_values(self, name, raw):

  142.         if isinstance(raw, basestring):

  143.             values = raw.split(',')

  144.         else:

  145.             values = raw

  146. 

  147.         if not (isinstance(values, list) and all(isinstance(value, basestring) for value in values)):

  148.             self.module.fail_json(msg="{} must be a string or list of strings.".format(name))

  149. 

  150.         return list(map(self._force_utf8, values))

  151. 

  152.     def _force_utf8(self, value):

  153.         """ If value is unicode, encode to utf-8. """

  154.         if isinstance(value, unicode):

  155.             value = value.encode('utf-8')

  156. 

  157.         return value

  158. 

  159.     def main(self):

  160.         if self.state == 'present':

  161.             action = self.handle_present()

  162.         elif self.state == 'absent':

  163.             action = self.handle_absent()

  164.         else:

  165.             action = None

  166. 

  167.         if (action is not None) and (not self.module.check_mode):

  168.             action()

  169. 

  170.         self.module.exit_json(changed=(action is not None))

  171. 

  172.     #

  173.     # State Implementations

  174.     #

  175. 

  176.     def handle_present(self):

  177.         """ If self.dn does not exist, returns a callable that will add it. """

  178.         if not self.is_entry_present():

  179.             modlist = ldap.modlist.addModlist(self.attrs)

  180.             action = lambda: self.connection.add_s(self.dn, modlist)

  181.         else:

  182.             action = None

  183. 

  184.         return action

  185. 

  186.     def handle_absent(self):

  187.         """ If self.dn exists, returns a callable that will delete it. """

  188.         if self.is_entry_present():

  189.             action = lambda: self.connection.delete_s(self.dn)

  190.         else:

  191.             action = None

  192. 

  193.         return action

  194. 

  195.     #

  196.     # Util

  197.     #

  198. 

  199.     def is_entry_present(self):

  200.         try:

  201.             self.connection.search_s(self.dn, ldap.SCOPE_BASE)

  202.         except ldap.NO_SUCH_OBJECT:

  203.             is_present = False

  204.         else:

  205.             is_present = True

  206. 

  207.         return is_present

  208. 

  209.     #

  210.     # LDAP Connection

  211.     #

  212. 

  213.     @property

  214.     def connection(self):

  215.         """ An authenticated connection to the LDAP server (cached). """

  216.         if self._connection is None:

  217.             self._connection = self._connect_to_ldap()

  218. 

  219.         return self._connection

  220. 

  221.     def _connect_to_ldap(self):

  222.         connection = ldap.initialize(self.server_uri)

  223. 

  224.         if self.start_tls:

  225.             connection.start_tls_s()

  226. 

  227.         if self.bind_dn is not None:

  228.             connection.simple_bind_s(self.bind_dn, self.bind_pw)

  229.         else:

  230.             connection.sasl_interactive_bind_s('', ldap.sasl.external())

  231. 

  232.         return connection

  233. 

  234. 

  235. from ansible.module_utils.basic import *  # noqa

  236. main()