community.general.ldap_attrs module – Add or remove multiple LDAP attribute values
Note
This module is part of the community.general collection (version 9.5.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.general
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.general.ldap_attrs
.
New in community.general 0.2.0
Synopsis
Add or remove multiple LDAP attribute values.
Requirements
The below requirements are needed on the host that executes this module.
python-ldap
Parameters
Parameter |
Comments |
---|---|
The attribute(s) and value(s) to add or remove. Each attribute value can be a string for single-valued attributes or a list of strings for multi-valued attributes. If you specify values for this option in YAML, please note that you can improve readability for long string values by using YAML block modifiers as seen in the examples for this module. Note that when using values that YAML/ansible-core interprets as other types, like |
|
A DN to bind with. If this is omitted, we’ll try a SASL bind with the EXTERNAL mechanism as default. If this is blank, we’ll use an anonymous bind. |
|
The password to use with Default: |
|
Set the path to PEM file with CA certs. |
|
PEM formatted certificate chain file to be used for SSL client authentication. Required if |
|
PEM formatted file that contains your private key to be used for SSL client authentication. Required if |
|
The DN of the entry to add or remove. |
|
If Choices:
|
|
Set the referrals chasing behavior.
Choices:
|
|
The class to use for SASL authentication. Choices:
|
|
The The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location. Note that when using multiple URIs you cannot determine to which URI your client gets connected. For URIs containing additional fields, particularly when using commas, behavior is undefined. Default: |
|
If true, we’ll use the START_TLS LDAP extension. Choices:
|
|
The state of the attribute values. If Choices:
|
|
If set to This should only be used on sites using self-signed certificates. Choices:
|
|
Set the behavior on how to process Xordered DNs.
Choices:
|
Attributes
Attribute |
Support |
Description |
---|---|---|
Support: full |
Can run in |
|
Support: full added in community.general 8.5.0 |
Will return details on what has changed (or possibly needs changing in |
Notes
Note
This only deals with attributes on existing entries. To add or remove whole entries, see community.general.ldap_entry.
The default authentication settings will attempt to use a SASL EXTERNAL bind over a UNIX domain socket. This works well with the default Ubuntu install for example, which includes a cn=peercred,cn=external,cn=auth ACL rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in
bind_dn
andbind_pw
.For
state=present
andstate=absent
, all value comparisons are performed on the server for maximum accuracy. Forstate=exact
, values have to be compared in Python, which obviously ignores LDAP matching rules. This should work out in most cases, but it is theoretically possible to see spurious changes when target and actual values are semantically identical but lexically distinct.
Examples
- name: Configure directory number 1 for example.com
community.general.ldap_attrs:
dn: olcDatabase={1}hdb,cn=config
attributes:
olcSuffix: dc=example,dc=com
state: exact
# The complex argument format is required here to pass a list of ACL strings.
- name: Set up the ACL
community.general.ldap_attrs:
dn: olcDatabase={1}hdb,cn=config
attributes:
olcAccess:
- >-
{0}to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write
by * none'
- >-
{1}to dn.base="dc=example,dc=com"
by dn="cn=admin,dc=example,dc=com" write
by * read
state: exact
# An alternative approach with automatic X-ORDERED numbering
- name: Set up the ACL
community.general.ldap_attrs:
dn: olcDatabase={1}hdb,cn=config
attributes:
olcAccess:
- >-
to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write
by * none'
- >-
to dn.base="dc=example,dc=com"
by dn="cn=admin,dc=example,dc=com" write
by * read
ordered: true
state: exact
- name: Declare some indexes
community.general.ldap_attrs:
dn: olcDatabase={1}hdb,cn=config
attributes:
olcDbIndex:
- objectClass eq
- uid eq
- name: Set up a root user, which we can use later to bootstrap the directory
community.general.ldap_attrs:
dn: olcDatabase={1}hdb,cn=config
attributes:
olcRootDN: cn=root,dc=example,dc=com
olcRootPW: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"
state: exact
- name: Remove an attribute with a specific value
community.general.ldap_attrs:
dn: uid=jdoe,ou=people,dc=example,dc=com
attributes:
description: "An example user account"
state: absent
server_uri: ldap://localhost/
bind_dn: cn=admin,dc=example,dc=com
bind_pw: password
- name: Remove specified attribute(s) from an entry
community.general.ldap_attrs:
dn: uid=jdoe,ou=people,dc=example,dc=com
attributes:
description: []
state: exact
server_uri: ldap://localhost/
bind_dn: cn=admin,dc=example,dc=com
bind_pw: password
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
list of modified parameters Returned: success Sample: |