dellemc.enterprise_sonic.sonic_ldap module – Configure global LDAP server settings on SONiC.

Note

This module is part of the dellemc.enterprise_sonic collection (version 3.0.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install dellemc.enterprise_sonic.

To use it in a playbook, specify: dellemc.enterprise_sonic.sonic_ldap.

New in dellemc.enterprise_sonic 2.5.0

Synopsis

  • This module provides configuration management of global LDAP server parameters on devices running SONiC.

  • Configure the VRF instance before configuring it as the VRF to be used for the LDAP server connection.

Parameters

Parameter (type): Comments

config (list / elements=dictionary)
    Specifies the LDAP server related configuration.

    base (string)
        Configure base distinguished name.

    bind_timelimit (integer)
        Configure connect time limit (0 to 65535).

    binddn (string)
        Configure distinguished name to bind.

    bindpw (dictionary)
        Configure credentials to bind.

        encrypted (boolean)
            Indicates whether the password is encrypted text.
            Choices:
              • false
              • true

        pwd (string / required)
            Authentication password for the bind.

    idle_timelimit (integer)
        Configure NSS idle time limit (0 to 65535).
        Applicable only for global and nss.

    map (dictionary)
        Configure LDAP maps.
        Applicable only for global.

        attribute (list / elements=dictionary)
            Configure attribute map.
            from and to are required together.

            from (string)
                Configure attribute map key.

            to (string)
                Configure attribute map value.

        default_attribute (list / elements=dictionary)
            Configure default attribute map.
            from and to are required together.

            from (string)
                Configure default attribute map key.

            to (string)
                Configure default attribute map value.

        map_remote_groups_to_sonic_roles (list / elements=dictionary)
            Configure mapping for remote groups to SONiC roles.
            remote_group and sonic_roles are required together.

            remote_group (string)
                Remote group to be mapped to SONiC roles.

            sonic_roles (list / elements=string)
                Configure SONiC roles.
                Choices:
                  • "admin"
                  • "operator"
                  • "netadmin"
                  • "secadmin"

        objectclass (list / elements=dictionary)
            Configure Objectclass map.
            from and to are required together.

            from (string)
                Configure Objectclass map key.

            to (string)
                Configure Objectclass map value.

        override_attribute (list / elements=dictionary)
            Configure override attribute map.
            from and to are required together.

            from (string)
                Configure override attribute map key.

            to (string)
                Configure override attribute map value.

    name (string / required)
        Specifies the LDAP type.
        Choices:
          • "global"
          • "nss"
          • "pam"
          • "sudo"

    nss_base_group (string)
        Configure NSS search base for group map.
        Applicable only for global and nss.

    nss_base_netgroup (string)
        Configure NSS search base for netgroup map.
        Applicable only for global and nss.

    nss_base_passwd (string)
        Configure NSS search base for passwd map.
        Applicable only for global, nss and pam.

    nss_base_shadow (string)
        Configure NSS search base for shadow map.
        Applicable only for global and nss.

    nss_base_sudoers (string)
        Configure NSS search base for sudoers map.
        Applicable only for global and nss.

    nss_initgroups_ignoreusers (string)
        Configure NSS init groups ignore users.
        Applicable only for global and nss.

    nss_skipmembers (boolean)
        Configure NSS skipmembers.
        Choices:
          • false
          • true

    pam_filter (string)
        Configure PAM filter.
        Applicable only for global and pam.

    pam_group_dn (string)
        Configure PAM Group Distinguished name.
        Applicable only for global and pam.

    pam_login_attribute (string)
        Configure PAM Login attribute.
        Applicable only for global and pam.

    pam_member_attribute (string)
        Configure PAM Member attribute.
        Applicable only for global and pam.

    port (integer)
        Configure server port (1 to 65535).

    retry (integer)
        Configure retransmit attempt (0 to 10).

    scope (string)
        Configure the search scope.
        Applicable only for global, nss and pam.
        Choices:
          • "sub"
          • "one"
          • "base"

    security_profile (string)
        Configure security profile for LDAP.
        Applicable only for global.

    servers (list / elements=dictionary)
        Configure host name or IP address for an LDAP server.
        Applicable only for global.

        address (string / required)
            Hostname or IP address of LDAP server.

        port (integer)
            Configure server port number (1 to 65535).

        priority (integer)
            Configure priority (1 to 99).

        retry (integer)
            Configure retransmit attempt (0 to 10).

        server_type (string)
            Configure server type.
            Choices:
              • "all"
              • "nss"
              • "sudo"
              • "pam"
              • "nss_sudo"
              • "nss_pam"
              • "sudo_pam"

        ssl (string)
            Configure TLS configuration.
            Choices:
              • "on"
              • "off"
              • "start_tls"

    source_interface (string)
        Configure source interface to be used as source IP for the LDAP packets.
        Applicable only for global.
        Full name of the Layer 3 interface, e.g. Eth1/1.

    ssl (string)
        Configure TLS configuration.
        Choices:
          • "on"
          • "off"
          • "start_tls"

    sudoers_base (string)
        Configure sudo base distinguished name for queries.
        Applicable only for global and sudo.

    sudoers_search_filter (string)
        Configure sudo search filter for queries.
        Applicable only for global and sudo.

    timelimit (integer)
        Configure search time limit (1 to 65535).

    version (integer)
        Configure LDAP version 2 or 3.
        Choices:
          • 2
          • 3

    vrf (string)
        Configure VRF to be used for LDAP server connection.
        Applicable only for global.

state (string)
    Specifies the operation to be performed on the LDAP server configured on the device.
    In case of merged, the input configuration will be merged with the existing LDAP server configuration on the device.
    In case of deleted, the existing LDAP server configuration will be removed from the device.
    In case of overridden, all the existing LDAP server configuration will be deleted and the specified input configuration will be installed.
    In case of replaced, for each LDAP server group present in the playbook, the existing configuration of that group on the device will be replaced by the playbook configuration.
    Choices:
      • "merged" ← (default)
      • "deleted"
      • "replaced"
      • "overridden"
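The four state values, worked through in code. This is an added example and not the collection's own implementation: a small Python model that applies merged, deleted, replaced and overridden to a list of LDAP groups keyed by name, with the device state and playbook of the "Using deleted" example below as constructed input (abridged). The helper names (apply_state, by_name, LIST_IDENTITY) are this example's own, and two behaviours are assumptions rather than documented facts: entries of list-valued sub-options are matched by the key named in LIST_IDENTITY (servers by address, maps by from), and a scalar is deleted only when the requested value equals the configured one.

```python
"""Model of the sonic_ldap ``state`` semantics (added example, not the
collection's own code): merged/deleted/replaced/overridden applied to a list of
LDAP groups (dicts keyed by ``name``).  Assumed: list entries match on the keys
in LIST_IDENTITY; a scalar is deleted only when the requested value matches."""
import copy

LIST_IDENTITY = {"servers": "address",          # identity key per list option
                 "map_remote_groups_to_sonic_roles": "remote_group",
                 "attribute": "from", "default_attribute": "from",
                 "objectclass": "from", "override_attribute": "from"}
def by_name(config, name):
    return next((g for g in config if g["name"] == name), None)

def _merge_list(have, want, ident):
    out = copy.deepcopy(have)                   # match by identity key, else append
    for item in want:
        match = next((h for h in out if h[ident] == item[ident]), None)
        if match is None:
            out.append(copy.deepcopy(item))
        else:
            match.update(copy.deepcopy(item))
    return out

def _merge_dict(have, want):
    out = copy.deepcopy(have)                   # deep merge; scalars in want win
    for key, value in want.items():
        if isinstance(value, dict):
            out[key] = _merge_dict(out.get(key, {}), value)
        elif key in LIST_IDENTITY and value is not None:
            out[key] = _merge_list(out.get(key, []), value, LIST_IDENTITY[key])
        elif value is not None:                 # None: option not in playbook
            out[key] = copy.deepcopy(value)
    return out

def _delete_dict(have, want):
    out = copy.deepcopy(have)                   # remove exactly what want names
    for key, value in want.items():
        if key == "name" or value is None or key not in out:
            continue
        if isinstance(value, dict):
            out[key] = _delete_dict(out[key], value)
        elif key in LIST_IDENTITY:
            gone = {item[LIST_IDENTITY[key]] for item in value}
            out[key] = [h for h in out[key] if h[LIST_IDENTITY[key]] not in gone]
        elif out[key] == value:                 # assumption: value must match
            out[key] = None
        if out[key] in (None, {}, []):          # removed scalar or emptied container
            del out[key]
    return out

def _per_group(before, want, combine):
    """Apply combine(have, spec) to each named group; a None result drops it."""
    after = copy.deepcopy(before)
    for spec in want:
        idx = next((i for i, g in enumerate(after) if g["name"] == spec["name"]), None)
        new = combine(None if idx is None else after[idx], spec)
        if idx is not None:
            del after[idx]
        if new is not None:
            after.insert(len(after) if idx is None else idx, new)
    return after

def _delete_group(have, spec):
    bare = all(v is None for k, v in spec.items() if k != "name")
    if have is None or bare:                    # bare name drops the whole group
        return None
    left = _delete_dict(have, spec)
    return None if set(left) == {"name"} else left

def merged(before, want):
    return _per_group(before, want, lambda have, spec: _merge_dict(have or {}, spec))
def deleted(before, want):
    return _per_group(before, want, _delete_group)
def replaced(before, want):         # only the groups named in the playbook change
    return _per_group(before, want, lambda have, spec: copy.deepcopy(spec))
def overridden(before, want):       # all existing configuration is discarded
    return copy.deepcopy(want)

STATES = {f.__name__: f for f in (merged, deleted, replaced, overridden)}
def apply_state(before, want, state="merged"):
    return STATES[state](before, want)          # KeyError on an unknown state

# Constructed (abridged) from this page's "Using deleted" example: device before state and playbook config list.
BEFORE = [
    {"name": "global", "port": 389, "version": 2, "vrf": "Vrf_1",
     "servers": [{"address": "10.10.10.1", "port": 1550, "priority": 5},
                 {"address": "20.20.20.10", "retry": 1},
                 {"address": "example.com", "priority": 10, "ssl": "off"}],
     "map": {"default_attribute": [{"from": "attr1", "to": "attr2"},
                                   {"from": "attr3", "to": "attr4"}]}},
    {"name": "nss", "scope": "sub", "timelimit": 15, "idle_timelimit": 25,
     "nss_base_group": "group1", "nss_base_sudoers": "sudo1"},
    {"name": "sudo", "retry": 10, "ssl": "start_tls", "bind_timelimit": 15},
]
DELETE_WANT = [
    {"name": "global", "servers": [{"address": "example.com"}], "vrf": "Vrf_1"},
    {"name": "nss", "idle_timelimit": 25, "scope": "sub"},
    {"name": "sudo"},
]
```

Calling apply_state(BEFORE, DELETE_WANT, "deleted") yields the groups that match the "After State" of that example: the sudo group is gone, example.com and the VRF are removed from global while its maps and other servers survive, and nss keeps only timelimit and the two search bases. Projecting the expected "after" this way and comparing it with the before and after(generated) values the module returns in check_mode is a cheap way to notice an unintended overridden or replaced before it is pushed to a production switch.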

Notes

Note

  • Supports check_mode.

Examples

# Using deleted
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss scope sub
#ldap-server nss timelimit 15
#ldap-server nss idle-timelimit 25
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo ssl start_tls
#ldap-server sudo bind-timelimit 15
#ldap-server vrf Vrf_1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server host example.com priority 10 ssl off
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#

  - name: Delete the LDAP server configurations
    sonic_ldap:
      config:
        - name: "global"
          servers:
            - address: "example.com"
          vrf: "Vrf_1"
        - name: "nss"
          idle_timelimit: 25
          scope: "sub"
        - name: "sudo"
      state: deleted

# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss timelimit 15
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#


# Using merged
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#!
#sonic# show running-configuration | grep ldap
#sonic#

  - name: Add the LDAP server configurations
    sonic_ldap:
      config:
        - name: "global"
          servers:
            - address: "example.com"
              priority: 10
              ssl: "on"
            - address: "10.10.10.1"
              priority: 5
              port: 1550
          port: 389
          version: 2
          nss_base_passwd: password
        - name: "pam"
          base: "admin"
          binddn: "CN=example.com"
          pam_login_attribute: "loginattrstring"
        - name: "sudo"
          bind_timelimit: 20
          retry: 10
      state: merged

# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo bind-timelimit 20
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host example.com priority 10 ssl on
#sonic#


# Using merged
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#!
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo bind-timelimit 20
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host example.com priority 10 ssl on
#sonic#

  - name: Add the LDAP server configurations
    sonic_ldap:
      config:
        - name: "global"
          servers:
            - address: "example.com"
              ssl: "off"
            - address: "20.20.20.10"
              retry: 1
          nss_base_passwd: password
          pam_login_attribute: "globallogin"
          nss_initgroups_ignoreusers: "username1"
          vrf: "Vrf_1"
          map:
            default_attribute:
              - from: "attr1"
                to: "attr2"
              - from: "attr3"
                to: "attr4"
            objectclass:
              - from: "attr1"
                to: "attr3"
            map_remote_groups_to_sonic_roles:
              - remote_group: "group1"
                sonic_roles:
                  - admin
                  - operator
        - name: "nss"
          nss_base_netgroup: "group1"
          idle_timelimit: 25
          timelimit: 15
          scope: "sub"
          nss_base_sudoers: "sudo1"
        - name: "sudo"
          bind_timelimit: 15
          ssl: "start_tls"
      state: merged

# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server pam-login-attribute globallogin
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss scope sub
#ldap-server nss timelimit 15
#ldap-server nss idle-timelimit 25
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server sudo retry 10
#ldap-server sudo ssl start_tls
#ldap-server sudo bind-timelimit 15
#ldap-server vrf Vrf_1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server host example.com priority 10 ssl off
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#ldap-server map remote-groups-override-to-sonic-roles group1 to admin,operator
#sonic#


# Using replaced
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss-base-passwd password
#ldap-server nss-initgroups-ignoreusers username1
#ldap-server nss idle-timelimit 25
#ldap-server nss nss-base-group group1
#ldap-server nss nss-base-sudoers sudo1
#ldap-server pam base admin
#ldap-server pam binddn CN=example.com
#ldap-server pam pam-login-attribute loginattrstring
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#

  - name: Replace the LDAP server configurations
    sonic_ldap:
      config:
        - name: "nss"
          scope: "one"
          bindpw:
            pwd: "password"
        - name: "pam"
          version: 3
          port: 2000
          timelimit: 20
          pam_group_dn: "DNAME"
        - name: "sudo"
          sudoers_search_filter: "filter1"
          base: "base_name"
          version: 3
      state: replaced

# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss scope one
#ldap-server nss bindpw U2FsdGVkX1+t8PR9IIi+qjZpYoNwjmd78D1WDBdkLxs= encrypted
#ldap-server pam version 3
#ldap-server pam port 2000
#ldap-server pam timelimit 20
#ldap-server pam pam-group-dn DNAME
#ldap-server sudo version 3
#ldap-server sudo base base_name
#ldap-server sudo sudoers-search-filter filter1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#


# Using overridden
#
# Before State:
# -------------
#
#sonic# show running-configuration vrf Vrf_1
#!
#ip vrf Vrf_1
#sonic# show running-configuration | grep ldap
#ldap-server port 389
#ldap-server version 2
#ldap-server nss scope one
#ldap-server nss bindpw U2FsdGVkX1+t8PR9IIi+qjZpYoNwjmd78D1WDBdkLxs= encrypted
#ldap-server pam version 3
#ldap-server pam port 2000
#ldap-server pam timelimit 20
#ldap-server pam pam-group-dn DNAME
#ldap-server sudo version 3
#ldap-server sudo base base_name
#ldap-server sudo sudoers-search-filter filter1
#ldap-server host 10.10.10.1 port 1550 priority 5
#ldap-server host 20.20.20.10 retry 1
#ldap-server map default-attribute-value attr1 to attr2
#ldap-server map default-attribute-value attr3 to attr4
#ldap-server map objectclass attr1 to attr3
#sonic#

  - name: Override the LDAP server configurations
    sonic_ldap:
      config:
        - name: "global"
          source_interface: "Eth1/1"
          security_profile: "default"
          vrf: "Vrf_1"
          servers:
            - address: "client.com"
            - address: "host.com"
              server_type: "sudo_pam"
          map:
            override_attribute:
              - from: "attr1"
                to: "attr2"
            map_remote_groups_to_sonic_roles:
              - remote_group: "group1"
                sonic_roles:
                  - admin
                  - operator
          idle_timelimit: 20
        - name: "pam"
          ssl: "off"
          scope: "base"
      state: overridden

# After State:
# ------------
#
#sonic# show running-configuration | grep ldap
#ldap-server idle-timelimit 20
#ldap-server pam ssl off
#ldap-server pam scope base
#ldap-server source-interface Eth1/1
#ldap-server security-profile default
#ldap-server vrf Vrf_1
#ldap-server host client.com
#ldap-server host host.com use-type sudo_pam
#ldap-server map override-attribute-value attr1 to attr2
#ldap-server map remote-groups-override-to-sonic-roles group1 to admin,operator
#sonic#

Return Values

Common return values are documented separately; the following fields are unique to this module:

Key (type): Description

after (list / elements=string)
    The resulting configuration after the module invocation.
    Returned: when changed
    Sample: ["The configuration returned will always be in the same format\n as the parameters above.\n"]

after(generated) (list / elements=string)
    The configuration that the module invocation would produce.
    Returned: when check_mode
    Sample: ["The configuration returned will always be in the same format\n as the parameters above.\n"]

before (list / elements=string)
    The configuration prior to the module invocation.
    Returned: always
    Sample: ["The configuration returned will always be in the same format\n as the parameters above.\n"]

commands (list / elements=string)
    The set of commands pushed to the remote device.
    Returned: always
    Sample: ["command 1", "command 2", "command 3"]

Authors

  • Santhosh Kumar T(@santhosh-kt)