netapp_eseries.santricity.na_santricity_ldap – NetApp E-Series manage LDAP integration to use for authentication

Note

This plugin is part of the netapp_eseries.santricity collection (version 1.2.13).

To install it use: ansible-galaxy collection install netapp_eseries.santricity.

To use it in a playbook, specify: netapp_eseries.santricity.na_santricity_ldap.

Synopsis

  • Configure an E-Series system to allow authentication via an LDAP server

Parameters

Parameter Choices/Defaults Comments
api_password
string / required
The password to authenticate with the SANtricity Web Services Proxy or Embedded Web Services API.
api_url
string / required
The url to the SANtricity Web Services Proxy or Embedded Web Services API.
Example https://prod-1.wahoo.acme.com:8443/devmgr/v2
api_username
string / required
The username to authenticate with the SANtricity Web Services Proxy or Embedded Web Services API.
bind_password
string
This is the password for the bind user account.
Required when bind_user is specified.
bind_user
string
This is the user account that will be used for querying the LDAP server.
Required when bind_password is specified.
Example: CN=MyBindAcct,OU=ServiceAccounts,DC=example,DC=com
group_attributes
list / elements=string
Default:
["memberOf"]
The user attributes that should be considered for the group to role mapping.
Typically this is used with something like "memberOf", and a user"s access is tested against group membership or lack thereof.
identifier
string
Default:
"default"
This is a unique identifier for the configuration (for cases where there are multiple domains configured).
names
list / elements=string
The domain name[s] that will be utilized when authenticating to identify which domain to utilize.
Default to use the DNS name of the server.
The only requirement is that the name[s] be resolvable.
role_mappings
dictionary
This is where you specify which groups should have access to what permissions for the storage-system.
For example, all users in group A will be assigned all 4 available roles, which will allow access to all the management functionality of the system (super-user). Those in group B only have the storage.monitor role, which will allow only read-only access.
This is specified as a mapping of regular expressions to a list of roles. See the examples.
The roles that will be assigned to to the group/groups matching the provided regex.
storage.admin allows users full read/write access to storage objects and operations.
storage.monitor allows users read-only access to storage objects and operations.
support.admin allows users access to hardware, diagnostic information, the Major Event Log, and other critical support-related functionality, but not the storage configuration.
security.admin allows users access to authentication/authorization configuration, as well as the audit log configuration, and certification management.
search_base
string
The search base is used to find group memberships of the user.
Example: ou=users,dc=example,dc=com
server_url
string
This is the LDAP server url.
The connection string should be specified as using the ldap or ldaps protocol along with the port information.
ssid
string
Default:
1
The ID of the array to manage. This value must be unique for each array.
state
string
    Choices:
  • present ←
  • absent
  • disabled
When state=="present" the defined LDAP domain will be added to the storage system.
When state=="absent" the domain specified will be removed from the storage system.
state=="disabled" will result in deleting all existing LDAP domains on the storage system.
user_attribute
string
Default:
"sAMAccountName"
This is the attribute we will use to match the provided username when a user attempts to authenticate.
validate_certs
boolean
    Choices:
  • no
  • yes ←
Should https certificates be validated?

Notes

Note

  • Check mode is supported

  • This module allows you to define one or more LDAP domains identified uniquely by identifier to use for authentication. Authorization is determined by role_mappings, in that different groups of users may be given different (or no), access to certain aspects of the system and API.

  • The local user accounts will still be available if the LDAP server becomes unavailable/inaccessible.

  • Generally, you”ll need to get the details of your organization”s LDAP server before you”ll be able to configure the system for using LDAP authentication; every implementation is likely to be very different.

  • This API is currently only supported with the Embedded Web Services API v2.0 and higher, or the Web Services Proxy v3.0 and higher.

  • The E-Series Ansible modules require either an instance of the Web Services Proxy (WSP), to be available to manage the storage-system, or an E-Series storage-system that supports the Embedded Web Services API.

  • Embedded Web Services is currently available on the E2800, E5700, EF570, and newer hardware models.

  • netapp_e_storage_system may be utilized for configuring the systems managed by a WSP instance.

Examples

- name: Disable LDAP authentication
  na_santricity_ldap:
    ssid: "1"
    api_url: "https://192.168.1.100:8443/devmgr/v2"
    api_username: "admin"
    api_password: "adminpass"
    validate_certs: true
    state: absent

- name: Remove the "default" LDAP domain configuration
  na_santricity_ldap:
    ssid: "1"
    api_url: "https://192.168.1.100:8443/devmgr/v2"
    api_username: "admin"
    api_password: "adminpass"
    validate_certs: true
    state: absent
    identifier: default

- name: Define a new LDAP domain, utilizing defaults where possible
  na_santricity_ldap:
    ssid: "1"
    api_url: "https://192.168.1.100:8443/devmgr/v2"
    api_username: "admin"
    api_password: "adminpass"
    validate_certs: true
    state: enabled
    bind_username: "CN=MyBindAccount,OU=ServiceAccounts,DC=example,DC=com"
    bind_password: "mySecretPass"
    server: "ldap://example.com:389"
    search_base: "OU=Users,DC=example,DC=com"
    role_mappings:
      ".*dist-dev-storage.*":
        - storage.admin
        - security.admin
        - support.admin
        - storage.monitor

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
msg
string
on success
Success message

Sample:
The ldap settings have been updated.


Authors

  • Michael Price (@lmprice)

  • Nathan Swartz (@ndswartz)