Personal
/
ansible-ldap-modules
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Ansible modules for talking to LDAP servers https://github.com/unchained-capital/ansible-ldap-modules
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
168KB
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
ansible-ldap-modules/ldap_search

232 lines
7.2KB
Raw Permalink Blame History 

  1. #!/usr/bin/env python

  2. 

  3. from traceback import format_exc

  4. 

  5. import ldap

  6. import ldap.modlist

  7. import ldap.sasl

  8. 

  9. 

  10. DOCUMENTATION = """

  11. ---

  12. module: ldap_search

  13. short_description: Return the results of an LDAP search.

  14. description:

  15.     - Return the results of an LDAP search.  Use in combination with

  16.       Ansible's 'register' statement.

  17. 

  18. notes: []

  19. version_added: null

  20. author: Dhruv Bansal

  21. requirements:

  22.     - python-ldap

  23. options:

  24.     base:

  25.         required: true

  26.         description:

  27.             - The base to search from.

  28.     scope:

  29.         required: false

  30.         choices: [base, onelevel, subordinate, children]

  31.         default: base

  32.         description:

  33.             - The LDAP scope to use when searching.

  34.     filter:

  35.         required: false

  36.         default: '(objectClass=*)'

  37.         description:

  38.             - The filter to apply to the search.

  39.     attrs:

  40.         required: false

  41.         default: none

  42.         description:

  43.             - A list of attrs to limit the results to.  Can be an

  44.               actual list or just a comma-separated string.

  45.     schema:

  46.         required: false

  47.         default: false

  48.         description:

  49.             - Return the full attribute schema of entries, not their

  50.               attribute values.  Overrides C(attrs) when given.

  51.     server_uri:

  52.         required: false

  53.         default: ldapi:///

  54.         description:

  55.             - A URI to the LDAP server. The default value lets the underlying

  56.               LDAP client library look for a UNIX domain socket in its default

  57.               location.

  58.     start_tls:

  59.         required: false

  60.         default: false

  61.         description:

  62.             - If true, we'll use the START_TLS LDAP extension.

  63.     bind_dn:

  64.         required: false

  65.         description:

  66.             - A DN to bind with. If this is omitted, we'll try a SASL bind with

  67.               the EXTERNAL mechanism. If this is blank, we'll use an anonymous

  68.               bind.

  69.     bind_pw:

  70.         required: false

  71.         description:

  72.             - The password to use with C(bind_dn).

  73. """

  74. 

  75. 

  76. EXAMPLES = """

  77. # Return all entries within the 'groups' organizational unit.

  78. - ldap_search: base='ou=groups,dc=example,dc=com'

  79.   register: ldap_groups

  80.   sudo: true

  81. 

  82. # Return GIDs for all groups

  83. - ldap_entry: base='ou=groups,dc=example,dc=com' scope=onelevel attrs="gidNumber"

  84.   register: ldap_group_gids

  85.   sudo: true

  86. """

  87. 

  88. def main():

  89.     module = AnsibleModule(

  90.         argument_spec={

  91.             'base': dict(required=True),

  92.             'scope': dict(default='base', choices=['base', 'onelevel', 'subordinate', 'children']),

  93.             'filter': dict(default='(objectClass=*)'),

  94.             'attrs': dict(default=None),

  95.             'schema': dict(default=False, choices=(list(BOOLEANS)+['True', True, 'False', False])),

  96.             'server_uri': dict(default='ldapi:///'),

  97.             'start_tls': dict(default='false', choices=(list(BOOLEANS)+['True', True, 'False', False])),

  98.             'bind_dn': dict(default=None),

  99.             'bind_pw': dict(default='', no_log=True),

  100.         },

  101.         check_invalid_arguments=False,

  102.         supports_check_mode=False,

  103.     )

  104. 

  105.     try:

  106.         LdapSearch(module).main()

  107.     except ldap.LDAPError, e:

  108.         module.fail_json(msg=str(e), exc=format_exc())

  109. 

  110. 

  111. class LdapSearch(object):

  112.     _connection = None

  113. 

  114.     def __init__(self, module):

  115.         self.module = module

  116. 

  117.         # python-ldap doesn't understand unicode strings. Parameters that are

  118.         # just going to get passed to python-ldap APIs are stored as utf-8.

  119.         self.base = self._utf8_param('base')

  120.         self.filterstr = self._utf8_param('filter')

  121.         self.server_uri = self.module.params['server_uri']

  122.         self.start_tls = self.module.boolean(self.module.params['start_tls'])

  123.         self.bind_dn = self._utf8_param('bind_dn')

  124.         self.bind_pw = self._utf8_param('bind_pw')

  125.         self.attrlist = []

  126. 

  127.         self._load_scope()

  128.         self._load_attrs()

  129.         self._load_schema()

  130. 

  131.         # if (self.state == 'present') and ('objectClass' not in self.attrs):

  132.         #     self.module.fail_json(msg="When state=present, at least one objectClass must be provided")

  133. 

  134.     def _utf8_param(self, name):

  135.         return self._force_utf8(self.module.params[name])

  136. 

  137.     def _load_schema(self):

  138.         self.schema = self.module.boolean(self.module.params['schema'])

  139.         if self.schema:

  140.             self.attrsonly = 1

  141.         else:

  142.             self.attrsonly = 0

  143. 

  144.     def _load_scope(self):

  145.         scope = self.module.params['scope']

  146.         if   scope == 'base':        self.scope = ldap.SCOPE_BASE

  147.         elif scope == 'onelevel':    self.scope = ldap.SCOPE_ONELEVEL

  148.         elif scope == 'subordinate': self.scope = ldap.SCOPE_SUBORDINATE

  149.         elif scope == 'children':    self.scope = ldap.SCOPE_SUBTREE

  150.         else:

  151.             self.module.fail_json(msg="scope must be one of: base, onelevel, subordinate, children")

  152. 

  153.     def _load_attrs(self):

  154.         if self.module.params['attrs'] is None:

  155.             self.attrlist = None

  156.         else:

  157.             attrs = self._load_attr_values(self.module.params['attrs'])

  158.             if len(attrs) > 0:

  159.                 self.attrlist = attrs

  160.             else:

  161.                 self.attrlist = None

  162. 

  163.     def _load_attr_values(self, raw):

  164.         if isinstance(raw, basestring):

  165.             values = raw.split(',')

  166.         else:

  167.             values = raw

  168. 

  169.         if not (isinstance(values, list) and all(isinstance(value, basestring) for value in values)):

  170.             self.module.fail_json(msg="attrs must be a string or list of strings.")

  171. 

  172.         return map(self._force_utf8, values)

  173. 

  174.     def _force_utf8(self, value):

  175.         """ If value is unicode, encode to utf-8. """

  176.         if isinstance(value, unicode):

  177.             value = value.encode('utf-8')

  178. 

  179.         return value

  180. 

  181.     def main(self):

  182.         results = self.perform_search()

  183.         self.module.exit_json(changed=True, results=results)

  184. 

  185.     def perform_search(self):

  186.         try:

  187.             results = self.connection.search_s(self.base, self.scope, filterstr=self.filterstr, attrlist=self.attrlist, attrsonly=self.attrsonly)

  188.             if self.schema:

  189.                 return [dict(dn=result[0],attrs=result[1].keys()) for result in results]

  190.             else:

  191.                 return [self._extract_entry(result[0], result[1]) for result in results]

  192.         except ldap.NO_SUCH_OBJECT:

  193.             self.module.fail_json(msg="Base not found: {}".format(self.base))

  194. 

  195.     def _extract_entry(self, dn, attrs):

  196.         extracted = {'dn': dn}

  197.         for attr, val in attrs.iteritems():

  198.             if len(val) == 1:

  199.                 extracted[attr] = val[0]

  200.             else:

  201.                 extracted[attr] = val

  202.         return extracted

  203. 

  204.     #

  205.     # LDAP Connection

  206.     #

  207. 

  208.     @property

  209.     def connection(self):

  210.         """ An authenticated connection to the LDAP server (cached). """

  211.         if self._connection is None:

  212.             self._connection = self._connect_to_ldap()

  213. 

  214.         return self._connection

  215. 

  216.     def _connect_to_ldap(self):

  217.         connection = ldap.initialize(self.server_uri)

  218. 

  219.         if self.start_tls:

  220.             connection.start_tls_s()

  221. 

  222.         if self.bind_dn is not None:

  223.             connection.simple_bind_s(self.bind_dn, self.bind_pw)

  224.         else:

  225.             connection.sasl_interactive_bind_s('', ldap.sasl.external())

  226. 

  227.         return connection

  228. 

  229. 

  230. from ansible.module_utils.basic import *  # noqa

  231. main()