ansible-ldap-modules/README.md

7,9 KiB

Ansible LDAP Modules

For whatever reasons, Ansible doesn't include modules to manipulate an LDAP server in its core.

Peter Sagerson implemented a pair of modules and has attempted to get them into Ansible, but no luck yet. He's instead hosted his code on Bitbucket.

This repository is a fork of his original work with some additions (and cosmetic improvements) hosted on GitHub.

Installation

The python-ldap library is required on whatever host is executing these modules. This can be confusing if you use both local_action-type tasks and tasks which run on remote hosts and both need to talk do an LDAP server -- you'll need to install python-ldap both locally on your controller as well as remotely on the hosts you run the tasks on.

In addition, you'll need to clone this repository itself to your controller and put it somewhere ansible can find it.

python-ldap Installation

Install it locally via the following commands:

$ cd ansible-ldap-modules
$ sudo pip -r requirements.txt

You may need to install some system dependencies first:

$ sudo apt-get install python-dev libsasl2-dev libldap2-dev libssl-dev

For remote hosts, this can be automated via Ansible:

# in prepare_remote_ldap_host.yml, for example
- name: Install dependencies
  apt: name="{{ item }}" state=present
  with_items:
    - python-pip
    - libsasl2-dev
    - libldap2-dev
    - libssl-dev

- name: Upgrade pip
  command: pip install --upgrade pip

- name: Install python-ldap
  pip: name=python-ldap state=present

Modules Installation

You'll need to clone this repository somewhere on your controller machine so that ansible can find it.

$ git clone https://github.com/unchained-capital/ansible-ldap-modules

Once you have python-ldap installed, you'll need to link the executable files in this repository into Ansible's library path. The simplest way to do this is to create a library folder at the top-level of your playbook repository and create symlinks within it to the module files in this repository:

$ mkdir -p library
$ ln -s ansible-ldap-modules/ldap_entry library/ldap_entry
$ ln -s ansible-ldap-modules/ldap_attr  library/ldap_attr

You can also explicitly set the ANSIBLE_LIBRARY environment variable or the library entry within the defaults section of your ansible.cfg to include this repository's directory.

Usage

Remember, if you run these tasks locally, you need python-ldap installed locally. If you run them on a remote machine, you need python-ldap installed on that remote machine.

Shared Behavior

All the modules in this repository share some behaviors. This section describes those behaviors. The next section describes each module in detail.

Specifying an LDAP Server

Here is a simple example of creating an entry (more details on this below):

- hosts: server0
  tasks:
  - name: Ensure an LDAP entry exists for ou=People
    ldap_entry:
      dn: "ou=People,dc=example,dc=com"
      ou: People
      objectClass: organizationalUnit
      description: Getting together and having a good time.

The target host of an LDAP operation is assumed to be the same host as the Ansible task is executing so the above task would attempt to talk to LDAP server running on server0 listenting on port 389. This example:

- hosts: server0
  tasks:
  - name: Ensure an LDAP entry exists for ou=People
    ldap_entry:
	  server_uri: ldapi://server1/
      dn: "ou=People,dc=example,dc=com"
      ou: People
      objectClass: organizationalUnit
      description: Getting together and having a good time.

would target an LDAP server at server1.

Choosing Credentials

Without any credentials (as in the above examples), the request will be made via a SASL EXTERNAL bind (similar to ldapadd ... -Y EXTERNAL ... on the command-line).

Credentials can be specified as well:

- hosts: server0
  tasks:
  - name: Ensure an LDAP entry exists for ou=People
    ldap_entry:
	  bind_dn: "cn=admin,dc=example,dc=com"
	  bind_pw: "password"
      dn: "ou=People,dc=example,dc=com"
      ou: People
      objectClass: organizationalUnit
      description: Getting together and having a good time.

Modules

This repository provides four different modules:

ldap_entry

Ensures that an entry with a given dn exists/doesn't exist. If missing, it creates it. It present it does nothing. In particular, even if the entry has different attributes from those specified in Ansible, ldap_entry does nothing. You can, however, use ldap_entry to remove LDAP entries if you specify state=absent.

Creating an entry

- name: Ensure an LDAP entry exists for ou=People
  ldap_entry:
    dn: "ou=People,dc=example,dc=com"
	ou: People
	objectClass: organizationalUnit
	description: Getting together and having a good time.

If the ou=People,dc=example,dc=com entry has its description field changed, this task will not update it. It's therefore best to only specify the minimal number of fields required to successfully create the entity, given its LDAP objectClass values and later use ldap_attr to explicitly declare the expected state for each attribute individually. Or use ldap_upsert.

Removing an entry

- name: Ensure an LDAP entry exists for ou=People
  ldap_entry:
    dn: "ou=People,dc=example,dc=com"
    state: absent

ldap_attr

Ensures that an attribute with a given value exists/doesn't exist for a given entry. If the entry does not exist, it throws an error. If the doesn't exist, it creates it. If it exists but has a different value, it updates it. You can use ldap_attr to remove LDAP attributes if you specify state=absent.

Specifying an attribute exactly

Here's a simple example.

- name: Ensure description is correct for ou=People
  ldap_attr:
    dn: "ou=People,dc=example,dc=com"
	name:  description
	state:  exact
	values: Getting together and having a good time.

- name: Ensure members are correct for cn=Admins,ou=Groups
  ldap_attr:
    dn: "cn=Admins,ou=Groups,dc=example,dc=com"
	name:   member
	state:  exact
	values:
	  - cn=joe,ou=People,dc=example,dc=com
	  - cn=bob,ou=People,dc=example,dc=com

This is a lot of work for many entries with many attributes. Consider ldap_upsert in these cases.

Appending to an attribute

- name: Ensure members are present in cn=Admins,ou=Groups
  ldap_attr:
    dn: "cn=Admins,ou=Groups,dc=example,dc=com"
	name:   member
	state:  present
	values:
	  - cn=joe,ou=People,dc=example,dc=com
	  - cn=bob,ou=People,dc=example,dc=com

The user cn=mike,ou=People,dc=example,dc=com could still be a member of cn=Admins,ou=Groups,dc=example,dc=com after this task runs.

Removing an attribute

- name: Ensure user's password is not set
  ldap_attr:
    dn: "cn=joe,ou=People,dc=example,dc=com"
	state: absent
	name:  userPassword

ldap_upsert

Ensures both that an entry exists as well as that its attributs have particular values. You cannot use ldap_upsert to remove entries or their attributes, but it useful when creating lots of entities with their attributes.


- name: Create a user
  ldap_upsert:
    dn:    "uid=joe1234,ou=People,dc=example,dc=com"
	objectClass:
	  - account
	  - posixAccount
	cn:    "Joe Smith"
	gn:    "Joe"
	sn:    "Smith"
	uid:   "joe1234"
	homeDirectory: "/home/joe1234"
	userPassword: "..."

Perform an LDAP search. Useful in combination with Ansible's register keyword.

This example performs a task for each LDAP user account:

- name: 
  ldap_search:
    base: "ou=People,dc=example,dc=com"
	scope: onelevel
	filter: "(objectClass=account)"
  register: ldap_user_search

- name: View search results
  debug: var=ldap_user_search

- name: Do something for each user
  # ...
  with_items: "{{ ldap_user_search.results }}"