ldap_entry – Add or remove LDAP entries¶
New in version 2.3.
Synopsis¶
Add or remove LDAP entries. This module only asserts the existence or non-existence of an LDAP entry, not its attributes. To assert the attribute values of an entry, see ldap_attr.
Requirements¶
The below requirements are needed on the host that executes this module.
python-ldap
Parameters¶
| Parameter | Choices/Defaults | Comments |
|---|---|---|
|
attributes
-
|
If state=present, attributes necessary to create an entry. Existing entries are never modified. To assert specific attribute values on an existing entry, use ldap_attr module instead.
|
|
|
bind_dn
string
|
A DN to bind with. If this is omitted, we'll try a SASL bind with the EXTERNAL mechanism.
If this is blank, we'll use an anonymous bind.
|
|
|
bind_pw
string
|
The password to use with bind_dn.
|
|
|
dn
string
/ required
|
The DN of the entry to add or remove.
|
|
|
objectClass
-
|
If state=present, value or list of values to use when creating the entry. It can either be a string or an actual list of strings.
|
|
|
server_uri
string
|
Default: "ldapi:///"
|
A URI to the LDAP server.
The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location.
|
|
start_tls
boolean
|
|
If true, we'll use the START_TLS LDAP extension.
|
|
state
-
|
|
The target state of the entry.
|
|
validate_certs
boolean
added in 2.4 |
|
If set to
no, SSL certificates will not be validated.This should only be used on sites using self-signed certificates.
|
Notes¶
Note
The default authentication settings will attempt to use a SASL EXTERNAL bind over a UNIX domain socket. This works well with the default Ubuntu install for example, which includes a cn=peercred,cn=external,cn=auth ACL rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in bind_dn and bind_pw.
The params parameter is deprecated in Ansible-2.7 due to circumventing Ansible’s parameter handling. The params parameter started disallowing setting the bind_pw parameter in Ansible-2.7 as it was insecure to set the parameter that way.
Examples¶
- name: Make sure we have a parent entry for users
ldap_entry:
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
- name: Make sure we have an admin user
ldap_entry:
dn: cn=admin,dc=example,dc=com
objectClass:
- simpleSecurityObject
- organizationalRole
attributes:
description: An LDAP administrator
userPassword: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"
- name: Get rid of an old entry
ldap_entry:
dn: ou=stuff,dc=example,dc=com
state: absent
server_uri: ldap://localhost/
bind_dn: cn=admin,dc=example,dc=com
bind_pw: password
#
# The same as in the previous example but with the authentication details
# stored in the ldap_auth variable:
#
# ldap_auth:
# server_uri: ldap://localhost/
# bind_dn: cn=admin,dc=example,dc=com
# bind_pw: password
#
# In the example below, 'args' is a task keyword, passed at the same level as the module
- name: Get rid of an old entry
ldap_entry:
dn: ou=stuff,dc=example,dc=com
state: absent
args: "{{ ldap_auth }}"
Status¶
This module is not guaranteed to have a backwards compatible interface. [preview]
This module is maintained by the Ansible Community. [community]