Personal
/
ansible-ldap-modules
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Ansible modules for talking to LDAP servers https://github.com/unchained-capital/ansible-ldap-modules
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
168KB
Tree: 03bc81122d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '03bc81122d'
${ noResults }
ansible-ldap-modules/ldap_attr

294 lines
9.3KB
Raw Blame History 

  1. #!/usr/bin/env python

  2. 

  3. from traceback import format_exc

  4. 

  5. import ldap

  6. import ldap.sasl

  7. 

  8. 

  9. DOCUMENTATION = """

  10. ---

  11. module: ldap_attr

  12. short_description: Add or remove LDAP attribute values.

  13. description:

  14.     - Add or remove LDAP attribute values.

  15. notes:

  16.     - This only deals with attributes on existing entries. To add or remove

  17.       whole entries, see M(ldap_entry).

  18.     - The default authentication settings will attempt to use a SASL EXTERNAL

  19.       bind over a UNIX domain socket. This works well with the default Ubuntu

  20.       install for example, which includes a cn=peercred,cn=external,cn=auth ACL

  21.       rule allowing root to modify the server configuration. If you need to use

  22.       a simple bind to access your server, pass the credentials in C(bind_dn)

  23.       and C(bind_pw).

  24.     - For C(state=present) and C(state=absent), all value comparisons are

  25.       performed on the server for maximum accuracy. For C(state=exact), values

  26.       have to be compared in Python, which obviously ignores LDAP matching

  27.       rules. This should work out in most cases, but it is theoretically

  28.       possible to see spurious changes when target and actual values are

  29.       semantically identical but lexically distinct.

  30. version_added: null

  31. author: Peter Sagerson

  32. requirements:

  33.     - python-ldap

  34. options:

  35.     dn:

  36.         required: true

  37.         description:

  38.             - The DN of the entry to modify.

  39.     name:

  40.         required: true

  41.         description:

  42.             - The name of the attribute to modify.

  43.     values:

  44.         required: true

  45.         description:

  46.             - The value(s) to add or remove. This can be a string or a list of

  47.               strings. The complex argument format is required in order to pass

  48.               a list of strings (see examples).

  49.     state:

  50.         required: false

  51.         choices: [present, absent, exact]

  52.         default: present

  53.         description:

  54.             - The state of the attribute values. If C(present), all given

  55.               values will be added if they're missing. If C(absent), all given

  56.               values will be removed if present. If C(exact), the set of values

  57.               will be forced to exactly those provided and no others. If

  58.               C(state=exact) and C(values) is empty, all values for this

  59.               attribute will be removed.

  60.     server_uri:

  61.         required: false

  62.         default: ldapi:///

  63.         description:

  64.             - A URI to the LDAP server. The default value lets the underlying

  65.               LDAP client library look for a UNIX domain socket in its default

  66.               location.

  67.     start_tls:

  68.         required: false

  69.         default: false

  70.         description:

  71.             - If true, we'll use the START_TLS LDAP extension.

  72.     bind_dn:

  73.         required: false

  74.         description:

  75.             - A DN to bind with. If this is omitted, we'll try a SASL bind with

  76.               the EXTERNAL mechanism (see note). If this is blank, we'll use an

  77.               anonymous bind.

  78.     bind_pw:

  79.         required: false

  80.         description:

  81.             - The password to use with C(bind_dn).

  82. """

  83. 

  84. 

  85. EXAMPLES = """

  86. # Configure directory number 1 for example.com.

  87. - ldap_attr: dn='olcDatabase={1}hdb,cn=config' name=olcSuffix values='dc=example,dc=com' state=exact

  88.   sudo: true

  89. 

  90. # Set up the ACL. The complex argument format is required here to pass a list

  91. # of ACL strings.

  92. - ldap_attr:

  93.   sudo: true

  94.   args:

  95.     dn: olcDatabase={1}hdb,cn=config

  96.     name: olcAccess

  97.     values:

  98.       - '{0}to attrs=userPassword,shadowLastChange

  99.          by self write

  100.          by anonymous auth

  101.          by dn="cn=admin,dc=example,dc=com" write

  102.          by * none'

  103.       - '{1}to dn.base="dc=example,dc=com"

  104.          by dn="cn=admin,dc=example,dc=com" write

  105.          by * read'

  106.     state: exact

  107. 

  108. # Declare some indexes.

  109. - ldap_attr: dn='olcDatabase={1}hdb,cn=config' name=olcDbIndex values={{ item }}

  110.   sudo: true

  111.   with_items:

  112.     - objectClass eq

  113.     - uid eq

  114. 

  115. # Set up a root user, which we can use later to bootstrap the directory.

  116. - ldap_attr: dn='olcDatabase={1}hdb,cn=config' name={{ item.key }} values={{ item.value }} state=exact

  117.   sudo: true

  118.   with_dict:

  119.     olcRootDN: 'cn=root,dc=example,dc=com'

  120.     olcRootPW: '{SSHA}mRskON0Stk+5wO5K+MMk2xmakKt8h7eJ'

  121. """

  122. 

  123. 

  124. def main():

  125.     module = AnsibleModule(

  126.         argument_spec={

  127.             'dn': dict(required=True),

  128.             'name': dict(required=True),

  129.             'values': dict(required=True),

  130.             'state': dict(default='present', choices=['present', 'absent', 'exact']),

  131.             'server_uri': dict(default='ldapi:///'),

  132.             'start_tls': dict(default='false', choices=(BOOLEANS+['True', True, 'False', False])),

  133.             'bind_dn': dict(default=None),

  134.             'bind_pw': dict(default='', no_log=True),

  135.         },

  136.         supports_check_mode=True,

  137.     )

  138. 

  139.     try:

  140.         LdapAttr(module).main()

  141.     except ldap.LDAPError, e:

  142.         module.fail_json(msg=str(e), exc=format_exc())

  143. 

  144. 

  145. class LdapAttr(object):

  146.     def __init__(self, module):

  147.         self.module = module

  148. 

  149.         # python-ldap doesn't understand unicode strings. Parameters that are

  150.         # just going to get passed to python-ldap APIs are stored as utf-8.

  151.         self.dn = self._utf8_param('dn')

  152.         self.name = self._utf8_param('name')

  153.         self.values = self._normalized_values()

  154.         self.state = self.module.params['state']

  155.         self.server_uri = self.module.params['server_uri']

  156.         self.start_tls = self.module.boolean(self.module.params['start_tls'])

  157.         self.bind_dn = self._utf8_param('bind_dn')

  158.         self.bind_pw = self._utf8_param('bind_pw')

  159. 

  160.         self._connection = None

  161. 

  162.     def _utf8_param(self, name):

  163.         return self._force_utf8(self.module.params[name])

  164. 

  165.     def _normalized_values(self):

  166.         """ Parses the value parameter into a list of utf-8 strings. """

  167.         values = self.module.params['values']

  168. 

  169.         if isinstance(values, basestring):

  170.             if values == '':

  171.                 values = []

  172.             else:

  173.                 values = [values]

  174. 

  175.         if not (isinstance(values, list) and all(isinstance(value, basestring) for value in values)):

  176.             self.module.fail_json(msg="values must be a string or list of strings.")

  177. 

  178.         return map(self._force_utf8, values)

  179. 

  180.     def _force_utf8(self, value):

  181.         """ If value is unicode, encode to utf-8. """

  182.         if isinstance(value, unicode):

  183.             value = value.encode('utf-8')

  184. 

  185.         return value

  186. 

  187.     def main(self):

  188.         if self.state == 'present':

  189.             modlist = self.handle_present()

  190.         elif self.state == 'absent':

  191.             modlist = self.handle_absent()

  192.         elif self.state == 'exact':

  193.             modlist = self.handle_exact()

  194.         else:

  195.             modlist = []

  196. 

  197.         if len(modlist) > 0:

  198.             changed = True

  199.             if not self.module.check_mode:

  200.                 self.connection.modify_s(self.dn, modlist)

  201.         else:

  202.             changed = False

  203. 

  204.         self.module.exit_json(changed=changed, modlist=modlist)

  205. 

  206.     #

  207.     # State Implementations

  208.     #

  209. 

  210.     def handle_present(self):

  211.         values_to_add = filter(self.is_value_absent, self.values)

  212.         if len(values_to_add) > 0:

  213.             modlist = [(ldap.MOD_ADD, self.name, values_to_add)]

  214.         else:

  215.             modlist = []

  216. 

  217.         return modlist

  218. 

  219.     def handle_absent(self):

  220.         values_to_delete = filter(self.is_value_present, self.values)

  221.         if len(values_to_delete) > 0:

  222.             modlist = [(ldap.MOD_DELETE, self.name, values_to_delete)]

  223.         else:

  224.             modlist = []

  225. 

  226.         return modlist

  227. 

  228.     def handle_exact(self):

  229.         modlist = []

  230. 

  231.         current = self.current_values()

  232.         if frozenset(self.values) != frozenset(current):

  233.             if len(current) == 0:

  234.                 modlist = [(ldap.MOD_ADD, self.name, self.values)]

  235.             elif len(self.values) == 0:

  236.                 modlist = [(ldap.MOD_DELETE, self.name, None)]

  237.             else:

  238.                 modlist = [(ldap.MOD_REPLACE, self.name, self.values)]

  239. 

  240.         return modlist

  241. 

  242.     #

  243.     # Util

  244.     #

  245. 

  246.     def is_value_present(self, value):

  247.         """ True if the target attribute has the given value. """

  248.         try:

  249.             is_present = bool(self.connection.compare_s(self.dn, self.name, value))

  250.         except ldap.NO_SUCH_ATTRIBUTE:

  251.             is_present = False

  252. 

  253.         return is_present

  254. 

  255.     def is_value_absent(self, value):

  256.         """ True if the target attribute does not have the given value. """

  257.         return (not self.is_value_present(value))

  258. 

  259.     def current_values(self):

  260.         """ Returns the full list of values on the target attribute. """

  261.         results = self.connection.search_s(self.dn, ldap.SCOPE_BASE, attrlist=[self.name])

  262.         values = results[0][1].get(self.name, [])

  263. 

  264.         return values

  265. 

  266.     #

  267.     # LDAP Connection

  268.     #

  269. 

  270.     @property

  271.     def connection(self):

  272.         """ An authenticated connection to the LDAP server (cached). """

  273.         if self._connection is None:

  274.             self._connection = self._connect_to_ldap()

  275. 

  276.         return self._connection

  277. 

  278.     def _connect_to_ldap(self):

  279.         connection = ldap.initialize(self.server_uri)

  280. 

  281.         if self.start_tls:

  282.             connection.start_tls_s()

  283. 

  284.         if self.bind_dn is not None:

  285.             connection.simple_bind_s(self.bind_dn, self.bind_pw)

  286.         else:

  287.             connection.sasl_interactive_bind_s('', ldap.sasl.external())

  288. 

  289.         return connection

  290. 

  291. 

  292. from ansible.module_utils.basic import *  # noqa

  293. main()