dellemc.enterprise_sonic.sonic_ldap module – Configure global LDAP server settings on SONiC.
Note
This module is part of the dellemc.enterprise_sonic collection (version 3.0.0). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic
To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_ldap
New in dellemc.enterprise_sonic 2.5.0
Synopsis
This module provides configuration management of global LDAP server parameters on devices running SONiC.
A VRF instance must already be configured on the device before it is specified as the VRF to be used for the LDAP server connection.
Parameters
Parameter | Comments |
---|---|
config | Specifies the LDAP server related configuration. A list with one entry per LDAP type; each entry is selected by its name and carries the options below. |
config / base | Configure base distinguished name. |
config / bind_timelimit | Configure connect time limit (0 to 65535). |
config / binddn | Configure distinguished name to bind. |
config / bindpw | Configure credentials to bind. |
config / bindpw / encrypted | Indicates whether the password is encrypted text. |
config / bindpw / pwd | Authentication password for the bind. |
config / idle_timelimit | Configure NSS idle time limit (0 to 65535). Applicable only for global and nss. |
config / map | Configure LDAP map settings. Applicable only for global. |
config / map / attribute | Configure attribute map. from and to are required together. |
config / map / attribute / from | Configure attribute map key. |
config / map / attribute / to | Configure attribute map value. |
config / map / default_attribute | Configure default attribute map. from and to are required together. |
config / map / default_attribute / from | Configure default attribute map key. |
config / map / default_attribute / to | Configure default attribute map value. |
config / map / map_remote_groups_to_sonic_roles | Configure mapping of remote groups to SONiC roles. remote_group and sonic_roles are required together. |
config / map / map_remote_groups_to_sonic_roles / remote_group | Remote group to map to SONiC roles. |
config / map / map_remote_groups_to_sonic_roles / sonic_roles | Configure SONiC roles. Choices include admin and operator. |
config / map / objectclass | Configure objectClass map. from and to are required together. |
config / map / objectclass / from | Configure objectClass map key. |
config / map / objectclass / to | Configure objectClass map value. |
config / map / override_attribute | Configure override attribute map. from and to are required together. |
config / map / override_attribute / from | Configure override attribute map key. |
config / map / override_attribute / to | Configure override attribute map value. |
config / name | Specifies the LDAP type. Choices: global, nss, pam, sudo. |
config / nss_base_group | Configure NSS search base for group map. Applicable only for global and nss. |
config / nss_base_netgroup | Configure NSS search base for netgroup map. Applicable only for global and nss. |
config / nss_base_passwd | Configure NSS search base for passwd map. Applicable only for global, nss and pam. |
config / nss_base_shadow | Configure NSS search base for shadow map. Applicable only for global and nss. |
config / nss_base_sudoers | Configure NSS search base for sudoers map. Applicable only for global and nss. |
config / nss_initgroups_ignoreusers | Configure NSS init groups ignore users. Applicable only for global and nss. |
config / nss_skipmembers | Configure NSS skipmembers. |
config / pam_filter | Configure PAM filter. Applicable only for global and pam. |
config / pam_group_dn | Configure PAM group distinguished name. Applicable only for global and pam. |
config / pam_login_attribute | Configure PAM login attribute. Applicable only for global and pam. |
config / pam_member_attribute | Configure PAM member attribute. Applicable only for global and pam. |
config / port | Configure server port (1 to 65535). |
config / retry | Configure retransmit attempts (0 to 10). |
config / scope | Configure the search scope. Applicable only for global, nss and pam. Choices: sub, one, base. |
config / security_profile | Configure security profile for LDAP. Applicable only for global. |
config / servers | Configure host name or IP address for an LDAP server. Applicable only for global. |
config / servers / address | Hostname or IP address of the LDAP server. |
config / servers / port | Configure server port number (1 to 65535). |
config / servers / priority | Configure priority (1 to 99). |
config / servers / retry | Configure retransmit attempts (0 to 10). |
config / servers / server_type | Configure server type. Choices include sudo_pam. |
config / servers / ssl | Configure TLS for this server. Choices include on and off. |
config / source_interface | Configure source interface to be used as source IP for the LDAP packets. Applicable only for global. Full name of the Layer 3 interface, e.g. Eth1/1. |
config / ssl | Configure TLS for this LDAP type. Choices include on, off and start_tls. |
config / sudoers_base | Configure sudo base distinguished name for queries. Applicable only for global and sudo. |
config / sudoers_search_filter | Configure sudo search filter for queries. Applicable only for global and sudo. |
config / timelimit | Configure search time limit (1 to 65535). |
config / version | Configure LDAP version 2 or 3. Choices: 2, 3. |
config / vrf | Configure VRF to be used for LDAP server connection. Applicable only for global. The VRF must already exist on the device. |
state | Specifies the operation to be performed on the LDAP server configuration on the device. merged: the input configuration is merged with the existing LDAP server configuration. deleted: the specified existing LDAP server configuration is removed; an entry carrying only a name removes that type's configuration entirely. overridden: all existing LDAP server configuration is deleted and the specified input configuration is installed. replaced: for each LDAP type named in the playbook, the existing configuration of that type is replaced by the playbook's configuration. Choices: merged, deleted, overridden, replaced. |
Notes
Note
Supports check_mode.
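The examples below show the device's LDAP state as ldap-server lines from show running-configuration | grep ldap. The following is an added example, not code from the collection or from this page, that parses those lines back into the same structure the module's config option uses and flags the settings a reviewer should question: LDAP version 2, ssl off, and a bind password the device does not report as encrypted. The parsing rules are inferred only from the lines shown on this page, and the sample input is a subset of the page's own listings assembled into one block.

```python
"""Parse 'show running-configuration | grep ldap' output from a SONiC switch
into the structure the sonic_ldap 'config' option uses, and flag weak settings.

Added example, not part of the dellemc.enterprise_sonic collection. Parsing
rules are inferred from the 'ldap-server ...' lines shown on the page."""

TYPES = ("nss", "pam", "sudo")

# CLI keywords whose module option name is not simply dash-to-underscore
CLI_TO_OPTION = {
    "use-type": "server_type",
    "default-attribute-value": "default_attribute",
    "override-attribute-value": "override_attribute",
    "remote-groups-override-to-sonic-roles": "map_remote_groups_to_sonic_roles",
}

# Constructed sample: lines copied from this page's before/after listings.
SAMPLE_RUNNING_CONFIG = """\
sonic# show running-configuration | grep ldap
ldap-server port 389
ldap-server version 2
ldap-server nss-base-passwd password
ldap-server nss scope sub
ldap-server nss idle-timelimit 25
ldap-server nss bindpw U2FsdGVkX1+t8PR9IIi+qjZpYoNwjmd78D1WDBdkLxs= encrypted
ldap-server pam base admin
ldap-server pam binddn CN=example.com
ldap-server sudo ssl start_tls
ldap-server sudo bind-timelimit 15
ldap-server vrf Vrf_1
ldap-server host 10.10.10.1 port 1550 priority 5
ldap-server host 20.20.20.10 retry 1
ldap-server host example.com priority 10 ssl off
ldap-server map default-attribute-value attr1 to attr2
ldap-server map default-attribute-value attr3 to attr4
ldap-server map remote-groups-override-to-sonic-roles group1 to admin,operator
sonic#
"""


def _opt(word):
    return CLI_TO_OPTION.get(word, word.replace("-", "_"))


def _val(tok):
    return int(tok) if tok.isdigit() else tok


def parse_ldap_running_config(text):
    """Return {'global': {...}, 'nss': {...}, ...}. A leading nss/pam/sudo
    token selects the LDAP type; otherwise the line belongs to global."""
    cfg = {"global": {}}
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()
        if not line.startswith("ldap-server "):
            continue
        toks = line.split()[1:]
        scope = "global"
        if toks[0] in TYPES:
            scope, toks = toks[0], toks[1:]
        group = cfg.setdefault(scope, {})
        key = toks[0]
        if key == "host":                    # host <addr> [<opt> <val>]...
            server = {"address": toks[1]}
            for k, v in zip(toks[2::2], toks[3::2]):
                server[_opt(k)] = _val(v)
            group.setdefault("servers", []).append(server)
        elif key == "map":                   # map <kind> <from> to <to[,to]>
            kind, src, dst = toks[1], toks[2], toks[4]
            if kind == "remote-groups-override-to-sonic-roles":
                entry = {"remote_group": src, "sonic_roles": dst.split(",")}
            else:
                entry = {"from": src, "to": dst}
            group.setdefault("map", {}).setdefault(_opt(kind), []).append(entry)
        elif key == "bindpw":                # bindpw <secret> [encrypted]
            group["bindpw"] = {"pwd": toks[1], "encrypted": toks[-1] == "encrypted"}
        else:                                # <option> <value>
            group[_opt(key)] = _val(toks[1])
    return cfg


def to_module_config(cfg):
    """Flatten to the list form the module's 'config' option expects."""
    return [dict(name=scope, **opts) for scope, opts in cfg.items()]


def audit(cfg):
    """Findings a reviewer should raise: obsolete LDAP version 2, TLS
    explicitly off, or a bind password not reported as encrypted."""
    findings = []
    for scope, opts in cfg.items():
        if opts.get("version") == 2:
            findings.append(f"{scope}: LDAP version 2 is obsolete, use version 3")
        if opts.get("ssl") == "off":
            findings.append(f"{scope}: ssl off, binds and lookups travel in cleartext")
        pw = opts.get("bindpw")
        if pw and not pw["encrypted"]:
            findings.append(f"{scope}: bindpw is not stored encrypted")
        for srv in opts.get("servers", []):
            if srv.get("ssl") == "off":
                findings.append(f"{scope}: server {srv['address']} has ssl off")
    return findings


if __name__ == "__main__":
    parsed = parse_ldap_running_config(SAMPLE_RUNNING_CONFIG)
    for finding in audit(parsed):
        print("WARN", finding)
    print(to_module_config(parsed))
```

Feed the output of to_module_config to the module's config option to reproduce a device's state elsewhere, and run audit over the same parse before and after a play to make sure a merge did not leave a server on ssl off or the global version at 2.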
Examples
# Using deleted
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss scope sub
#ldap-server nss timelimit 15
#ldap-server nss idle-timelimit 25
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo ssl start_tls
#ldap-server sudo bind-timelimit 15
#ldap-server vrf Vrf_1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server host example.com priority 10 ssl off
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#
- name: Delete the LDAP server configurations
  sonic_ldap:
    config:
      - name: "global"
        servers:
          - address: "example.com"
        vrf: "Vrf_1"
      - name: "nss"
        idle_timelimit: 25
        scope: "sub"
      - name: "sudo"
    state: deleted
# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss timelimit 15
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#
# Using merged
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#!
#sonic# show running-configuration | grep ldap
#sonic#
- name: Add the LDAP server configurations
  sonic_ldap:
    config:
      - name: "global"
        servers:
          - address: "example.com"
            priority: 10
            ssl: "on"   # quoted: a bare on/off is a YAML boolean, not the string the module expects
          - address: "10.10.10.1"
            priority: 5
            port: 1550
        port: 389
        version: 2
        nss_base_passwd: password
      - name: "pam"
        base: "admin"
        binddn: "CN=example.com"
        pam_login_attribute: "loginattrstring"
      - name: "sudo"
        bind_timelimit: 20
        retry: 10
    state: merged
# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo bind-timelimit 20
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host example.com priority 10 ssl on
#sonic#
# Using merged
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#!
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo bind-timelimit 20
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host example.com priority 10 ssl on
#sonic#
- name: Add the LDAP server configurations
  sonic_ldap:
    config:
      - name: "global"
        servers:
          - address: "example.com"
            ssl: "off"   # quoted: a bare on/off is a YAML boolean, not the string the module expects
          - address: "20.20.20.10"
            retry: 1
        nss_base_passwd: password
        pam_login_attribute: "globallogin"
        nss_initgroups_ignoreusers: "username1"
        vrf: "Vrf_1"
        map:
          default_attribute:
            - from: "attr1"
              to: "attr2"
            - from: "attr3"
              to: "attr4"
          objectclass:
            - from: "attr1"
              to: "attr3"
          map_remote_groups_to_sonic_roles:
            - remote_group: "group1"
              sonic_roles:
                - admin
                - operator
      - name: "nss"
        nss_base_netgroup: "group1"
        idle_timelimit: 25
        timelimit: 15
        scope: "sub"
        nss_base_sudoers: "sudo1"
      - name: "sudo"
        bind_timelimit: 15
        ssl: "start_tls"
    state: merged
# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server pam-login-attribute globallogin
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss scope sub
#ldap-server nss timelimit 15
#ldap-server nss idle-timelimit 25
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo ssl start_tls
#ldap-server sudo bind-timelimit 15
#ldap-server vrf Vrf_1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server host example.com priority 10 ssl off
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#ldap-server map remote-groups-override-to-sonic-roles group1 to admin,operator
#sonic#
# Using replaced
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss idle-timelimit 25
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#
- name: Replace the LDAP server configurations
  sonic_ldap:
    config:
      - name: "nss"
        scope: "one"
        bindpw:
          pwd: "password"
      - name: "pam"
        version: 3
        port: 2000
        timelimit: 20
        pam_group_dn: "DNAME"
      - name: "sudo"
        sudoers_search_filter: "filter1"
        base: "base_name"
        version: 3
    state: replaced
# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss scope one
#ldap-server nss bindpw U2FsdGVkX1+t8PR9IIi+qjZpYoNwjmd78D1WDBdkLxs= encrypted
#ldap-server pam version 3
#ldap-server pam port 2000
#ldap-server pam timelimit 20
#ldap-server pam pam-group-dn DNAME
#ldap-server sudo version 3
#ldap-server sudo base base_name
#ldap-server sudo sudoers-search-filter filter1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#
# Using overridden
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss scope one
#ldap-server nss bindpw U2FsdGVkX1+t8PR9IIi+qjZpYoNwjmd78D1WDBdkLxs= encrypted
#ldap-server pam version 3
#ldap-server pam port 2000
#ldap-server pam timelimit 20
#ldap-server pam pam-group-dn DNAME
#ldap-server sudo version 3
#ldap-server sudo base base_name
#ldap-server sudo sudoers-search-filter filter1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#
- name: Override the LDAP server configurations
  sonic_ldap:
    config:
      - name: "global"
        source_interface: "Eth1/1"
        security_profile: "default"
        vrf: "Vrf_1"
        servers:
          - address: "client.com"
          - address: "host.com"
            server_type: "sudo_pam"
        map:
          override_attribute:
            - from: "attr1"
              to: "attr2"
          map_remote_groups_to_sonic_roles:
            - remote_group: "group1"
              sonic_roles:
                - admin
                - operator
        idle_timelimit: 20
      - name: "pam"
        ssl: "off"
        scope: "base"
    state: overridden
# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server idle-timelimit 20
#ldap-server pam ssl off
#ldap-server pam scope base
#ldap-server source-interface Eth1/1
#ldap-server security-profile default
#ldap-server vrf Vrf_1
#ldap-server host client.com
#ldap-server host host.com use-type sudo_pam
#ldap-server map override-attribute-value attr1 to attr2
#ldap-server map remote-groups-override-to-sonic-roles group1 to admin,operator
#sonic#
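Each example above pairs a before state, a play and an after state. As an added example that is not the collection's code, the following reproduces the state semantics described for the state option closely enough to preview what a play will remove before it is pushed, and is checked against the deleted example above. Where the page does not specify behaviour (for instance deleting an option whose playbook value differs from the device's), the code's choice is an assumption marked in the comments. One caveat the page itself shows: the replaced example's after state also loses the global nss-base-passwd and nss-initgroups-ignoreusers lines that the play never named, so a preview like this is a hypothesis to confirm with check_mode, which the module supports, not a substitute for it.

```python
"""Preview the effect of sonic_ldap's state values (merged, replaced,
overridden, deleted) on an existing LDAP configuration before pushing it.

Added example, not part of the dellemc.enterprise_sonic collection. Rules
are inferred from the page's state description and before/after listings;
behaviour the page leaves unspecified is marked as an assumption below."""
import copy

# Constructed from the page's 'deleted' example: device state before the
# play, and the play's config list.
BEFORE = [
    {"name": "global", "port": 389, "version": 2, "nss_base_passwd": "password",
     "nss_initgroups_ignoreusers": "username1", "vrf": "Vrf_1",
     "servers": [{"address": "10.10.10.1", "port": 1550, "priority": 5},
                 {"address": "20.20.20.10", "retry": 1},
                 {"address": "example.com", "priority": 10, "ssl": "off"}],
     "map": {"default_attribute": [{"from": "attr1", "to": "attr2"},
                                   {"from": "attr3", "to": "attr4"}],
             "objectclass": [{"from": "attr1", "to": "attr3"}]}},
    {"name": "nss", "scope": "sub", "timelimit": 15, "idle_timelimit": 25,
     "nss_base_group": "group1", "nss_base_sudoers": "sudo1"},
    {"name": "pam", "base": "admin", "binddn": "CN=example.com",
     "pam_login_attribute": "loginattrstring"},
    {"name": "sudo", "retry": 10, "ssl": "start_tls", "bind_timelimit": 15},
]
DELETE_PLAY = [
    {"name": "global", "servers": [{"address": "example.com"}], "vrf": "Vrf_1"},
    {"name": "nss", "idle_timelimit": 25, "scope": "sub"},
    {"name": "sudo"},
]


def _by_name(config):
    """config list -> {name: options}, dropping the name key itself."""
    return {c["name"]: {k: v for k, v in c.items() if k != "name"} for c in config}


def _merge(have, want):
    out = copy.deepcopy(have)
    for key, val in want.items():
        if key == "servers":            # servers are keyed by address
            cur = {s["address"]: dict(s) for s in out.get("servers", [])}
            for s in val:
                cur.setdefault(s["address"], {}).update(s)
            out["servers"] = list(cur.values())
        elif key == "map":              # map entries accumulate, no duplicates
            maps = out.setdefault("map", {})
            for kind, entries in val.items():
                known = maps.get(kind, [])
                maps[kind] = known + [e for e in entries if e not in known]
        else:
            out[key] = val
    return out


def _delete(have, want):
    if not want:                        # a bare name removes the whole type
        return None
    out = copy.deepcopy(have)
    for key, val in want.items():
        if key == "servers":
            gone = {s["address"] for s in val}
            out["servers"] = [s for s in out.get("servers", []) if s["address"] not in gone]
        elif key == "map":
            for kind, entries in val.items():
                kept = [e for e in out.get("map", {}).get(kind, []) if e not in entries]
                out.setdefault("map", {})[kind] = kept
        elif out.get(key) == val:       # assumption: a differing value is left alone
            del out[key]
    return out


def preview(have, config, state):
    """Return the expected config list after applying `config` with `state`."""
    have, want = _by_name(have), _by_name(config)
    if state == "overridden":
        result = want
    elif state == "replaced":           # whole types named in the play are swapped
        result = {**have, **want}
    elif state == "merged":
        result = dict(have)
        for name, opts in want.items():
            result[name] = _merge(have.get(name, {}), opts)
    elif state == "deleted":
        result = dict(have)
        for name, opts in want.items():
            if name in result:
                new = _delete(result[name], opts)
                if new is None:
                    del result[name]
                else:
                    result[name] = new
    else:
        raise ValueError(f"unknown state {state!r}")
    return [{"name": name, **opts} for name, opts in result.items()]


def removed_by(have, config, state):
    """Human-readable list of what the play would take away."""
    before, after = _by_name(have), _by_name(preview(have, config, state))
    gone = []
    for name, opts in before.items():
        if name not in after:
            gone.append(f"{name}: entire type removed ({', '.join(opts)})")
            continue
        gone += [f"{name}: {key}" for key in opts if key not in after[name]]
        kept = {s["address"] for s in after[name].get("servers", [])}
        gone += [f"{name}: server {s['address']}" for s in opts.get("servers", [])
                 if s["address"] not in kept]
    return gone


if __name__ == "__main__":
    for line in removed_by(BEFORE, DELETE_PLAY, "deleted"):
        print("REMOVES", line)
```

Run with a device's current state in BEFORE (for example parsed from show running-configuration) and the play's config list to see removals such as an entire sudo type, including its ssl start_tls setting, before anything is pushed; then confirm with the module in check_mode.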
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Description |
---|---|
after | The resulting configuration module invocation. Returned: when changed |
after(generated) | The generated configuration module invocation. Returned: when check_mode |
before | The configuration prior to the module invocation. Returned: always |
commands | The set of commands pushed to the remote device. Returned: always |