community.general.ldap_inc module – Use the Modify-Increment LDAP V3 feature to increment an attribute value

Note

This module is part of the community.general collection (version 10.2.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: community.general.ldap_inc.

New in community.general 10.2.0

Synopsis

  • Atomically increments the value of an attribute and return its new value.

Requirements

The below requirements are needed on the host that executes this module.

  • python-ldap

Parameters

Parameter

Comments

attribute

string / required

The attribute to increment.

bind_dn

string

A DN to bind with. Try to use a SASL bind with the EXTERNAL mechanism as default when this parameter is omitted.

Use an anonymous bind if the parameter is blank.

bind_pw

string

The password to use with bind_dn.

Default: ""

ca_path

path

added in community.general 6.5.0

Set the path to PEM file with CA certs.

client_cert

path

added in community.general 7.1.0

PEM formatted certificate chain file to be used for SSL client authentication.

Required if client_key is defined.

client_key

path

added in community.general 7.1.0

PEM formatted file that contains your private key to be used for SSL client authentication.

Required if client_cert is defined.

dn

string / required

The DN entry containing the attribute to increment.

increment

integer

The value of the increment to apply.

Default: 1

method

string

If auto, the module determines automatically the method to use.

If rfc4525 or legacy force to use the corresponding method.

Choices:

  • "auto" ← (default)

  • "rfc4525"

  • "legacy"

referrals_chasing

string

added in community.general 2.0.0

Set the referrals chasing behavior.

anonymous follow referrals anonymously. This is the default behavior.

disabled disable referrals chasing. This sets OPT_REFERRALS to off.

Choices:

  • "disabled"

  • "anonymous" ← (default)

sasl_class

string

added in community.general 2.0.0

The class to use for SASL authentication.

Choices:

  • "external" ← (default)

  • "gssapi"

server_uri

string

The server_uri parameter may be a comma- or whitespace-separated list of URIs containing only the schema, the host, and the port fields.

The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location.

Note that when using multiple URIs you cannot determine to which URI your client gets connected.

For URIs containing additional fields, particularly when using commas, behavior is undefined.

Default: "ldapi:///"

start_tls

boolean

Use the START_TLS LDAP extension if set to true.

Choices:

  • false ← (default)

  • true

validate_certs

boolean

If set to false, SSL certificates will not be validated.

This should only be used on sites using self-signed certificates.

Choices:

  • false

  • true ← (default)

xorder_discovery

string

added in community.general 6.4.0

Set the behavior on how to process Xordered DNs.

enable will perform a ONELEVEL search below the superior RDN to find the matching DN.

disable will always use the DN unmodified (as passed by the dn parameter).

auto will only perform a search if the first RDN does not contain an index number ({x}).

Choices:

  • "enable"

  • "auto" ← (default)

  • "disable"

Attributes

Attribute

Support

Description

check_mode

Support: full

Can run in check_mode and return changed status prediction without modifying target.

diff_mode

Support: none

Will return details on what has changed (or possibly needs changing in check_mode), when in diff mode.

Notes

Note

  • When implemented by the directory server, the module uses the ModifyIncrement extension defined in RFC4525 and the control PostRead. This extension and the control are implemented in OpenLdap but not all directory servers implement them. In this case, the module automatically uses a more classic method based on two phases, first the current value is read then the modify operation remove the old value and add the new one in a single request. If the value has changed by a concurrent call then the remove action will fail. Then the sequence is retried 3 times before raising an error to the playbook. In an heavy modification environment, the module does not guarante to be systematically successful.

  • This only deals with integer attribute of an existing entry. To modify attributes of an entry, see community.general.ldap_attrs or to add or remove whole entries, see community.general.ldap_entry.

  • The default authentication settings will attempt to use a SASL EXTERNAL bind over a UNIX domain socket. This works well with the default Ubuntu install for example, which includes a cn=peercred,cn=external,cn=auth ACL rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in bind_dn and bind_pw.

Examples

- name: Increments uidNumber 1 Number for example.com
  community.general.ldap_inc:
    dn: "cn=uidNext,ou=unix-management,dc=example,dc=com"
    attribute: "uidNumber"
    increment: "1"
  register: ldap_uidNumber_sequence

- name: Modifies the user to define its identification number (uidNumber) when incrementation is successful
  community.general.ldap_attrs:
    dn: "cn=john,ou=posix-users,dc=example,dc=com"
    state: present
    attributes:
      - uidNumber: "{{ ldap_uidNumber_sequence.value }}"
  when: ldap_uidNumber_sequence.incremented

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

attribute

string

The name of the attribute that was incremented.

Returned: success

Sample: "uidNumber"

incremented

boolean

It is set to true if the attribute value has changed.

Returned: success

Sample: true

rfc4525

boolean

Is true if the method used to increment is based on RFC4525, false if legacy.

Returned: success

Sample: true

value

string

The new value after incrementing.

Returned: success

Sample: "2"

Authors

  • Philippe Duveau (@pduveau)