netapp_eseries.santricity.na_santricity_ldap – NetApp E-Series manage LDAP integration to use for authentication¶
Note
This plugin is part of the netapp_eseries.santricity collection (version 1.2.7).
To install it, use: ansible-galaxy collection install netapp_eseries.santricity
To use it in a playbook, specify: netapp_eseries.santricity.na_santricity_ldap
Parameters¶
Parameter | Choices/Defaults | Comments |
---|---|---|
api_password (string / required) | | The password to authenticate with the SANtricity Web Services Proxy or Embedded Web Services API. |
api_url (string / required) | | The URL to the SANtricity Web Services Proxy or Embedded Web Services API. Example: https://prod-1.wahoo.acme.com:8443/devmgr/v2 |
api_username (string / required) | | The username to authenticate with the SANtricity Web Services Proxy or Embedded Web Services API. |
bind_password (string) | | The password for the bind user account. Required when bind_user is specified. |
bind_user (string) | | The user account that will be used for querying the LDAP server. Required when bind_password is specified. Example: CN=MyBindAcct,OU=ServiceAccounts,DC=example,DC=com |
group_attributes (list / elements=string) | Default: ["memberOf"] | The user attributes that should be considered for the group-to-role mapping. Typically this is "memberOf", and a user's access is tested against group membership or lack thereof. |
identifier (string) | Default: "default" | A unique identifier for the configuration (for cases where multiple domains are configured). |
names (list / elements=string) | | The domain name(s) that will be used when authenticating to identify which domain to use. Defaults to the DNS name of the server. The only requirement is that the name(s) be resolvable. Example: [email protected] |
role_mappings (dictionary) | | Specifies which groups get which permissions on the storage system, as a mapping of regular expressions to a list of roles (see the examples); the listed roles are assigned to every group matching the regex. For example, all users in group A could be assigned all four available roles, giving access to all management functionality of the system (super-user), while those in group B get only the storage.monitor role, which allows read-only access. storage.admin allows users full read/write access to storage objects and operations. storage.monitor allows users read-only access to storage objects and operations. support.admin allows users access to hardware, diagnostic information, the Major Event Log, and other critical support-related functionality, but not the storage configuration. security.admin allows users access to authentication/authorization configuration, as well as the audit log configuration and certificate management. |
search_base (string) | | The search base used to find group memberships of the user. Example: ou=users,dc=example,dc=com |
server_url (string) | | The LDAP server URL. The connection string should use the ldap or ldaps protocol and include the port. |
ssid (string) | Default: 1 | The ID of the array to manage. This value must be unique for each array. |
state (string) | Choices: present, absent, disabled | When state is "present" the defined LDAP domain will be added to the storage system. When state is "absent" the domain specified by identifier will be removed from the storage system. When state is "disabled" all existing LDAP domains on the storage system will be deleted. |
user_attribute (string) | Default: "sAMAccountName" | The attribute used to match the provided username when a user attempts to authenticate. |
validate_certs (boolean) | | Whether HTTPS certificates should be validated. |
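The role_mappings and group_attributes parameters above describe how group membership is turned into roles: each value of the user's group attribute is tested against the regular-expression keys, and the roles of every matching key apply. The following is an added example, not the module's own code, that models those documented semantics in plain Python so the behaviour of a mapping can be checked before it is pushed to an array. The sample mapping and the three LDAP entries are constructed; the use of unanchored re.search matching is an assumption, since the page only says "regular expressions".

```python
import re
from typing import Dict, Iterable, List, Set

# The four roles the module documents for role_mappings.
KNOWN_ROLES = {"storage.admin", "storage.monitor", "support.admin", "security.admin"}

# Constructed sample mapping, in the shape the page's examples use:
# regex (tested against group attribute values) -> list of roles.
ROLE_MAPPINGS: Dict[str, List[str]] = {
    ".*dist-dev-storage.*": ["storage.admin", "security.admin", "support.admin", "storage.monitor"],
    ".*storage-readers.*": ["storage.monitor"],
}

# Constructed sample LDAP entries, as a directory would return them for a user.
ADMIN_USER = {
    "sAMAccountName": ["alice"],
    "memberOf": [
        "CN=dist-dev-storage,OU=Groups,DC=example,DC=com",
        "CN=all-staff,OU=Groups,DC=example,DC=com",
    ],
}
READER_USER = {
    "sAMAccountName": ["bob"],
    "memberOf": ["CN=storage-readers,OU=Groups,DC=example,DC=com"],
}
PLAIN_USER = {
    "sAMAccountName": ["carol"],
    "memberOf": ["CN=all-staff,OU=Groups,DC=example,DC=com"],
}


def resolve_roles(role_mappings: Dict[str, List[str]],
                  user_entry: Dict[str, List[str]],
                  group_attributes: Iterable[str] = ("memberOf",)) -> Set[str]:
    """Model of the documented semantics (assumption: the module's own matching
    code is not on the page): every value of each configured group attribute is
    tested against every regex key, and the roles of all matching keys are unioned.
    A mapping that names a role the module does not document is rejected up front."""
    for pattern, roles in role_mappings.items():
        unknown = set(roles) - KNOWN_ROLES
        if unknown:
            raise ValueError(f"mapping {pattern!r} names undocumented role(s): {sorted(unknown)}")
    granted: Set[str] = set()
    for attr in group_attributes:
        for value in user_entry.get(attr, []):
            for pattern, roles in role_mappings.items():
                if re.search(pattern, value):
                    granted.update(roles)
    return granted


def overly_broad_patterns(role_mappings: Dict[str, List[str]],
                          group_values: Iterable[str]) -> List[str]:
    """Return the regex keys that match every supplied group value. A pattern that
    matches all of a directory's groups hands its roles to every user who is in any
    group at all, which is almost never what a least-privilege mapping intends."""
    groups = list(group_values)
    return sorted(p for p in role_mappings if groups and all(re.search(p, g) for g in groups))


if __name__ == "__main__":
    for user in (ADMIN_USER, READER_USER, PLAIN_USER):
        print(user["sAMAccountName"][0], sorted(resolve_roles(ROLE_MAPPINGS, user)))
    all_groups = [g for u in (ADMIN_USER, READER_USER, PLAIN_USER) for g in u["memberOf"]]
    print("overly broad:", overly_broad_patterns({".*": ["storage.admin"]}, all_groups))
```

Because the keys are unanchored regular expressions, a loose pattern such as "storage" also matches "dist-dev-storage" and grants its roles to that group; reviewing a mapping against the real group DNs with a check like overly_broad_patterns before running the module catches that class of mistake.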
Notes¶
Note
Check mode is supported.
This module allows you to define one or more LDAP domains, each identified uniquely by identifier, to use for authentication. Authorization is determined by role_mappings, in that different groups of users may be given different (or no) access to certain aspects of the system and API.
The local user accounts will still be available if the LDAP server becomes unavailable or inaccessible.
Generally, you'll need to get the details of your organization's LDAP server before you'll be able to configure the system to use LDAP authentication; every implementation is likely to be very different.
This API is currently only supported with the Embedded Web Services API v2.0 and higher, or the Web Services Proxy v3.0 and higher.
The E-Series Ansible modules require either an instance of the Web Services Proxy (WSP), to be available to manage the storage-system, or an E-Series storage-system that supports the Embedded Web Services API.
Embedded Web Services is currently available on the E2800, E5700, EF570, and newer hardware models.
netapp_e_storage_system may be utilized for configuring the systems managed by a WSP instance.
Examples¶
    # Parameter names and state values below follow the Parameters table above
    # (bind_user, server_url; state is one of present, absent, disabled).
    # Credentials are shown inline for brevity; keep them in Ansible Vault in practice.
    - name: Disable LDAP authentication (removes every configured LDAP domain)
      na_santricity_ldap:
        ssid: "1"
        api_url: "https://192.168.1.100:8443/devmgr/v2"
        api_username: "admin"
        api_password: "adminpass"
        validate_certs: true
        state: disabled

    - name: Remove the "default" LDAP domain configuration
      na_santricity_ldap:
        ssid: "1"
        api_url: "https://192.168.1.100:8443/devmgr/v2"
        api_username: "admin"
        api_password: "adminpass"
        validate_certs: true
        state: absent
        identifier: default

    - name: Define a new LDAP domain, utilizing defaults where possible
      na_santricity_ldap:
        ssid: "1"
        api_url: "https://192.168.1.100:8443/devmgr/v2"
        api_username: "admin"
        api_password: "adminpass"
        validate_certs: true
        state: present
        bind_user: "CN=MyBindAccount,OU=ServiceAccounts,DC=example,DC=com"
        bind_password: "mySecretPass"
        server_url: "ldap://example.com:389"
        search_base: "OU=Users,DC=example,DC=com"
        # Regex keys are matched against the user's memberOf values (group_attributes default);
        # every matching key contributes its roles.
        role_mappings:
          ".*dist-dev-storage.*":
            - storage.admin
            - security.admin
            - support.admin
            - storage.monitor
Return Values¶
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
msg (string) | on success | Success message. Sample: The ldap settings have been updated. |
Authors¶
Michael Price (@lmprice)
Nathan Swartz (@ndswartz)