community.general.ldap_passwd – Set passwords in LDAP.

Note

This plugin is part of the community.general collection (version 4.2.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install community.general.

To use it in a playbook, specify: community.general.ldap_passwd.

Synopsis

  • Set a password for an LDAP entry. This module only asserts that a given password is valid for a given entry. To assert the existence of an entry, see community.general.ldap_entry.

Requirements

The below requirements are needed on the host that executes this module.

  • python-ldap

Parameters

Parameter Choices/Defaults Comments
bind_dn
string
A DN to bind with. If this is omitted, we'll try a SASL bind with the EXTERNAL mechanism as default.
If this is blank, we'll use an anonymous bind.
bind_pw
string
The password to use with bind_dn.
dn
string / required
The DN of the entry to add or remove.
passwd
string
The (plaintext) password to be set for dn.
referrals_chasing
string
added in 2.0.0 of community.general
    Choices:
  • disabled
  • anonymous ←
Set the referrals chasing behavior.
anonymous follow referrals anonymously. This is the default behavior.
disabled disable referrals chasing. This sets OPT_REFERRALS to off.
sasl_class
string
added in 2.0.0 of community.general
    Choices:
  • external ←
  • gssapi
The class to use for SASL authentication.
possible choices are external, gssapi.
server_uri
string
Default:
"ldapi:///"
A URI to the LDAP server.
The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location.
start_tls
boolean
    Choices:
  • no ←
  • yes
If true, we'll use the START_TLS LDAP extension.
validate_certs
boolean
    Choices:
  • no
  • yes ←
If set to no, SSL certificates will not be validated.
This should only be used on sites using self-signed certificates.

Notes

Note

  • The default authentication settings will attempt to use a SASL EXTERNAL bind over a UNIX domain socket. This works well with the default Ubuntu install for example, which includes a cn=peercred,cn=external,cn=auth ACL rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in bind_dn and bind_pw.

Examples

- name: Set a password for the admin user
  community.general.ldap_passwd:
    dn: cn=admin,dc=example,dc=com
    passwd: "{{ vault_secret }}"

- name: Setting passwords in bulk
  community.general.ldap_passwd:
    dn: "{{ item.key }}"
    passwd: "{{ item.value }}"
  with_dict:
    alice: alice123123
    bob:   "|30b!"
    admin: "{{ vault_secret }}"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
modlist
list / elements=string
success
list of modified parameters

Sample:
[[2, "olcRootDN", ["cn=root,dc=example,dc=com"]]]


Authors

  • Keller Fuchs (@KellerFuchs)