dellemc.enterprise_sonic.sonic_ldap module – Configure global LDAP server settings on SONiC.

Note

This module is part of the dellemc.enterprise_sonic collection (version 2.5.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic.

To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_ldap.

New in dellemc.enterprise_sonic 2.5.0

Synopsis 

This module provides configuration management of global LDAP server parameters on devices running SONiC.
Configure VRF instance before configuring VRF to be used for LDAP server connection.

Parameters 

Parameter	Comments
config list / elements=dictionary	Specifies the LDAP server related configuration.
base string	Configure base distinguished name.
bind_timelimit integer	Configure connect time limit (0 to 65535).
binddn string	Configure distinguished name to bind.
bindpw dictionary	Configure credentials to bind
encrypted boolean	Indicates whether the password is encrypted text. Choices: `false` `true`
pwd string / required	Authentication password for the bind.
idle_timelimit integer	Configure NSS idle time limit (0 to 65535). Applicable only for global and nss.
map dictionary	Configure LDAP server for map. Applicable only for global.
attribute list / elements=dictionary	Configure attribute map. from and to are required together.
from string	Configure attribute map key.
to string	Configure attribute map value.
default_attribute list / elements=dictionary	Configure default attribute map. from and to are required together.
from string	Configure default attribute map key.
to string	Configure default attribute map value.
map_remote_groups_to_sonic_roles list / elements=dictionary	Configure mapping for remote groups to sonic roles. remote_group and sonic_roles are required together.
remote_group string	Map remote groups to SONiC roles.
sonic_roles list / elements=string	Configure SONiC roles. Choices: `"admin"` `"operator"` `"netadmin"` `"secadmin"`
objectclass list / elements=dictionary	Configure Objectclass map. from and to are required together.
from string	Configure Objectclass map key.
to string	Configure Objectclass map value.
override_attribute list / elements=dictionary	Configure override attribute map. from and to are required together.
from string	Configure override attribute map key.
to string	Configure override attribute map value.
name string / required	Specifies the LDAP type. Choices: `"global"` `"nss"` `"pam"` `"sudo"`
nss_base_group string	Configure NSS search base for group map. Applicable only for global and nss.
nss_base_netgroup string	Configure NSS search base for netgroup map. Applicable only for global and nss.
nss_base_passwd string	Configure NSS search base for passwd map. Applicable only for global, nss and pam.
nss_base_shadow string	Configure NSS search base for shadow map. Applicable only for global and nss.
nss_base_sudoers string	Configure NSS search base for sudoers map. Applicable only for global and nss.
nss_initgroups_ignoreusers string	Configure NSS init groups ignore users. Applicable only for global and nss.
nss_skipmembers boolean	Configure NSS skipmembers Choices: `false` `true`
pam_filter string	Configure PAM filter. Applicable only for global and pam.
pam_group_dn string	Configure PAM Group Distinguished name. Applicable only for global and pam.
pam_login_attribute string	Configure PAM Login attribute. Applicable only for global and pam.
pam_member_attribute string	Configure PAM Member attribute. Applicable only for global and pam.
port integer	Configure server port (1 to 65535).
retry integer	Configure retransmit attempt (0 to 10).
scope string	Configure the search scope. Applicable only for global, nss and pam. Choices: `"sub"` `"one"` `"base"`
servers list / elements=dictionary	Configure host name or IP address for a LDAP server. Applicable only for global.
address string / required	Hostname or IP address of LDAP server.
port integer	Configure server port number (1 to 65535).
priority integer	Configure priority (1 to 99).
retry integer	Configure retransmit attempt (0 to 10).
server_type string	Configure server type. Choices: `"all"` `"nss"` `"sudo"` `"pam"` `"nss_sudo"` `"nss_pam"` `"sudo_pam"`
ssl string	Configure TLS configuration. Choices: `"on"` `"off"` `"start_tls"`
source_interface string	Configure source interface to be used as source IP for the LDAP packets. Applicable only for global. Full name of the Layer 3 interface, i.e. Eth1/1.
ssl string	Configure TLS configuration. Choices: `"on"` `"off"` `"start_tls"`
sudoers_base string	Configure sudo base distinguished name for queries. Applicable only for global and sudo.
sudoers_search_filter string	Configure sudo search filter for queries. Applicable only for global and sudo.
timelimit integer	Configure search time limit (1 to 65535).
version integer	Configure LDAP version 2 or 3. Choices: `2` `3`
vrf string	Configure VRF to be used for LDAP server connection. Applicable only for global.
state string	Specifies the operation to be performed on the LDAP server configured on the device. In case of merged, the input configuration will be merged with the existing LDAP server configuration on the device. In case of deleted, the existing LDAP server configuration will be removed from the device. In case of overridden, all the existing LDAP server configuration will be deleted and the specified input configuration will be installed. In case of replaced, the existing LDAP server configuration on the device will be replaced by the configuration in the playbook for each LDAP server group configured by the playbook. Choices: `"merged"` ← (default) `"deleted"` `"replaced"` `"overridden"`

Notes 

Note

Supports check_mode.

Examples 

# Using deleted
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss scope sub
#ldap-server nss timelimit 15
#ldap-server nss idle-timelimit 25
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo ssl start_tls
#ldap-server sudo bind-timelimit 15
#ldap-server vrf Vrf_1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server host example.com priority 10 ssl off
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#

  - name: Delete the LDAP server configurations
    sonic_ldap:
      config:
        - name: "global"
          servers:
            - address: "example.com"
          vrf: "Vrf_1"
        - name: "nss"
          idle_timelimit: 25
          scope: "sub"
        - name: "sudo"
      state: deleted

# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss timelimit 15
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#


# Using merged
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#!
#sonic# show running-configuration | grep ldap
#sonic#

  - name: Add the LDAP server configurations
    sonic_ldap:
      config:
        - name: "global"
          servers:
            - address: "example.com"
              priority: 10
              ssl: on
            - address: "10.10.10.1"
              priority: 5
              port: 1550
          port: 389
          version: 2
          nss_base_passwd: password
        - name: "pam"
          base: "admin"
          binddn: "CN=example.com"
          pam_login_attribute: "loginattrstring"
        - name: "sudo"
          bind_timelimit: 20
          retry: 10
      state: merged

# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo bind-timelimit 20
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host example.com priority 10 ssl on
#sonic#


# Using merged
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#!
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo bind-timelimit 20
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host example.com priority 10 ssl on
#sonic#

  - name: Add the LDAP server configurations
    sonic_ldap:
      config:
        - name: "global"
          servers:
            - address: "example.com"
              ssl: off
            - address: "20.20.20.10"
              retry: 1
          nss_base_passwd: password
          pam_login_attribute: "globallogin"
          nss_initgroups_ignoreusers: "username1"
          vrf: "Vrf_1"
          map:
            default_attribute:
              - from: "attr1"
                to: "attr2"
              - from: "attr3"
                to: "attr4"
            objectclass:
              - from: "attr1"
                to: "attr3"
            map_remote_groups_to_sonic_roles:
              - remote_group: "group1"
                sonic_roles:
                  - admin
                  - operator
        - name: "nss"
          nss_base_netgroup: "group1"
          idle_timelimit: 25
          timelimit: 15
          scope: "sub"
          nss_base_sudoers: "sudo1"
        - name: "sudo"
          bind_timelimit: 15
          ssl: "start_tls"
      state: merged

# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server pam-login-attribute globallogin
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss scope sub
#ldap-server nss timelimit 15
#ldap-server nss idle-timelimit 25
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo ssl start_tls
#ldap-server sudo bind-timelimit 15
#ldap-server vrf Vrf_1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server host example.com priority 10 ssl off
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#ldap-server map remote-groups-override-to-sonic-roles group1 to admin,operator
#sonic#


# Using replaced
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss idle-timelimit 25
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#

  - name: Replace the LDAP server configurations
    sonic_ldap:
      config:
        - name: "nss"
          scope: "one"
          bindpw:
            pwd: "password"
        - name: "pam"
          version: 3
          port: 2000
          timelimit: 20
          pam_group_dn: "DNAME"
        - name: "sudo"
          sudoers_search_filter: "filter1"
          base: "base_name"
          version: 3
      state: replaced

# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss scope one
#ldap-server nss bindpw U2FsdGVkX1+t8PR9IIi+qjZpYoNwjmd78D1WDBdkLxs= encrypted
#ldap-server pam version 3
#ldap-server pam port 2000
#ldap-server pam timelimit 20
#ldap-server pam pam-group-dn DNAME
#ldap-server sudo version 3
#ldap-server sudo base base_name
#ldap-server sudo sudoers-search-filter filter1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#


# Using overridden
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss scope one
#ldap-server nss bindpw U2FsdGVkX1+t8PR9IIi+qjZpYoNwjmd78D1WDBdkLxs= encrypted
#ldap-server pam version 3
#ldap-server pam port 2000
#ldap-server pam timelimit 20
#ldap-server pam pam-group-dn DNAME
#ldap-server sudo version 3
#ldap-server sudo base base_name
#ldap-server sudo sudoers-search-filter filter1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#

  - name: Override the LDAP server configurations
    sonic_ldap:
      config:
        - name: "global"
          source_interface: "Eth1/1"
          vrf: "Vrf_1"
          servers:
            - address: "client.com"
            - address: "host.com"
              server_type: "sudo_pam"
          map:
            override_attribute:
              - from: "attr1"
                to: "attr2"
            map_remote_groups_to_sonic_roles:
              - remote_group: "group1"
                sonic_roles:
                  - admin
                  - operator
          idle_timelimit: 20
        - name: "pam"
          ssl: "off"
          scope: "base"
      state: overridden

# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server idle-timelimit 20
#ldap-server pam ssl off
#ldap-server pam scope base
#ldap-server source-interface Eth1/1
#ldap-server vrf Vrf_1
#ldap-server host client.com
#ldap-server host host.com use-type sudo_pam
#ldap-server map override-attribute-value attr1 to attr2
#ldap-server map remote-groups-override-to-sonic-roles group1 to admin,operator
#sonic#

Return Values 

Common return values are documented here, the following are the fields unique to this module:

Key	Description
after list / elements=string	The resulting configuration module invocation. Returned: when changed Sample: `["The configuration returned will always be in the same format\n as the parameters above.\n"]`
after(generated) list / elements=string	The generated configuration module invocation. Returned: when `check_mode` Sample: `["The configuration returned will always be in the same format\n as the parameters above.\n"]`
before list / elements=string	The configuration prior to the module invocation. Returned: always Sample: `["The configuration returned will always be in the same format\n as the parameters above.\n"]`
commands list / elements=string	The set of commands pushed to the remote device. Returned: always Sample: `["command 1", "command 2", "command 3"]`

Authors

Santhosh Kumar T(@santhosh-kt)

dellemc.enterprise_sonic.sonic_ldap module – Configure global LDAP server settings on SONiC.

Synopsis

Parameters

Notes

Examples

Return Values