community.general.ldap_attrs – Add or remove multiple LDAP attribute values

Note

This plugin is part of the community.general collection (version 2.5.1).

To install it use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.ldap_attrs.

New in version 0.2.0: of community.general

Synopsis

• Add or remove multiple LDAP attribute values.

Requirements

The below requirements are needed on the host that executes this module.

• python-ldap

Parameters

Parameter	Choices/Defaults	Comments
attributes dictionary / required		The attribute(s) and value(s) to add or remove. The complex argument format is required in order to pass a list of strings (see examples).
bind_dn string		A DN to bind with. If this is omitted, we'll try a SASL bind with the EXTERNAL mechanism as default. If this is blank, we'll use an anonymous bind.
bind_pw string		The password to use with bind_dn.
dn string / required		The DN of the entry to add or remove.
ordered boolean	Choices: no ← yes	If yes, prepend list values with X-ORDERED index numbers in all attributes specified in the current task. This is useful mostly with olcAccess attribute to easily manage LDAP Access Control Lists.
referrals_chasing string added in 2.0.0 of community.general	Choices: disabled anonymous ←	Set the referrals chasing behavior. anonymous follow referrals anonymously. This is the default behavior. disabled disable referrals chasing. This sets OPT_REFERRALS to off.
sasl_class string added in 2.0.0 of community.general	Choices: external ← gssapi	The class to use for SASL authentication. possible choices are external, gssapi.
server_uri string	Default: "ldapi:///"	A URI to the LDAP server. The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location.
start_tls boolean	Choices: no ← yes	If true, we'll use the START_TLS LDAP extension.
state string	Choices: present ← absent exact	The state of the attribute values. If present, all given attribute values will be added if they're missing. If absent, all given attribute values will be removed if present. If exact, the set of attribute values will be forced to exactly those provided and no others. If state=exact and the attribute value is empty, all values for this attribute will be removed.
validate_certs boolean	Choices: no yes ←	If set to no, SSL certificates will not be validated. This should only be used on sites using self-signed certificates.

Notes

Note

• This only deals with attributes on existing entries. To add or remove whole entries, see community.general.ldap_entry.

• The default authentication settings will attempt to use a SASL EXTERNAL bind over a UNIX domain socket. This works well with the default Ubuntu install for example, which includes a cn=peercred,cn=external,cn=auth ACL rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in bind_dn and bind_pw.

• For state=present and state=absent, all value comparisons are performed on the server for maximum accuracy. For state=exact, values have to be compared in Python, which obviously ignores LDAP matching rules. This should work out in most cases, but it is theoretically possible to see spurious changes when target and actual values are semantically identical but lexically distinct.

Examples

- name: Configure directory number 1 for example.com
  community.general.ldap_attrs:
    dn: olcDatabase={1}hdb,cn=config
    attributes:
        olcSuffix: dc=example,dc=com
    state: exact

# The complex argument format is required here to pass a list of ACL strings.
- name: Set up the ACL
  community.general.ldap_attrs:
    dn: olcDatabase={1}hdb,cn=config
    attributes:
        olcAccess:
          - >-
            {0}to attrs=userPassword,shadowLastChange
            by self write
            by anonymous auth
            by dn="cn=admin,dc=example,dc=com" write
            by * none'
          - >-
            {1}to dn.base="dc=example,dc=com"
            by dn="cn=admin,dc=example,dc=com" write
            by * read
    state: exact

# An alternative approach with automatic X-ORDERED numbering
- name: Set up the ACL
  community.general.ldap_attrs:
    dn: olcDatabase={1}hdb,cn=config
    attributes:
        olcAccess:
          - >-
            to attrs=userPassword,shadowLastChange
            by self write
            by anonymous auth
            by dn="cn=admin,dc=example,dc=com" write
            by * none'
          - >-
            to dn.base="dc=example,dc=com"
            by dn="cn=admin,dc=example,dc=com" write
            by * read
    ordered: yes
    state: exact

- name: Declare some indexes
  community.general.ldap_attrs:
    dn: olcDatabase={1}hdb,cn=config
    attributes:
        olcDbIndex:
            - objectClass eq
            - uid eq

- name: Set up a root user, which we can use later to bootstrap the directory
  community.general.ldap_attrs:
    dn: olcDatabase={1}hdb,cn=config
    attributes:
        olcRootDN: cn=root,dc=example,dc=com
        olcRootPW: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"
    state: exact

- name: Remove an attribute with a specific value
  community.general.ldap_attrs:
    dn: uid=jdoe,ou=people,dc=example,dc=com
    attributes:
        description: "An example user account"
    state: absent
    server_uri: ldap://localhost/
    bind_dn: cn=admin,dc=example,dc=com
    bind_pw: password

- name: Remove specified attribute(s) from an entry
  community.general.ldap_attrs:
    dn: uid=jdoe,ou=people,dc=example,dc=com
    attributes:
        description: []
    state: exact
    server_uri: ldap://localhost/
    bind_dn: cn=admin,dc=example,dc=com
    bind_pw: password

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
modlist list / elements=string	success	list of modified parameters Sample: [[2, "olcRootDN", ["cn=root,dc=example,dc=com"]]]

Authors

• Jiri Tyr (@jtyr)

• Alexander Korinek (@noles)

• Maciej Delmanowski (@drybjed)