Documentation

ldap_entry - Add or remove LDAP entries.

New in version 2.3.

Synopsis

  • Add or remove LDAP entries. This module only asserts the existence or non-existence of an LDAP entry, not its attributes. To assert the attribute values of an entry, see ldap_attr.

Options

parameter required default choices comments
attributes
 no
If state=present, attributes necessary to create an entry. Existing entries are never modified. To assert specific attribute values on an existing entry, use ldap_attr module instead.
bind_dn
 no
A DN to bind with. If this is omitted, we'll try a SASL bind with the EXTERNAL mechanism. If this is blank, we'll use an anonymous bind.
bind_pw
 no
The password to use with bind_dn.
dn
 yes
The DN of the entry to add or remove.
objectClass
 no
If state=present, value or list of values to use when creating the entry. It can either be a string or an actual list of strings.
params
 no
List of options which allows to overwrite any of the task or the attributes options. To remove an option, set the value of the option to null.
server_uri
 no ldapi:///
A URI to the LDAP server. The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location.
start_tls
 no no
  • yes
  • no
If true, we'll use the START_TLS LDAP extension.
state
 no present
  • present
  • absent
The target state of the entry.
validate_certs
(added in 2.4)
 no yes
  • yes
  • no
If no, SSL certificates will not be validated. This should only be used on sites using self-signed certificates.

Examples

- name: Make sure we have a parent entry for users
  ldap_entry:
    dn: ou=users,dc=example,dc=com
    objectClass: organizationalUnit

- name: Make sure we have an admin user
  ldap_entry:
    dn: cn=admin,dc=example,dc=com
    objectClass:
      - simpleSecurityObject
      - organizationalRole
    attributes:
      description: An LDAP administrator
      userPassword: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"

- name: Get rid of an old entry
  ldap_entry:
    dn: ou=stuff,dc=example,dc=com
    state: absent
    server_uri: ldap://localhost/
    bind_dn: cn=admin,dc=example,dc=com
    bind_pw: password

#
# The same as in the previous example but with the authentication details
# stored in the ldap_auth variable:
#
# ldap_auth:
#   server_uri: ldap://localhost/
#   bind_dn: cn=admin,dc=example,dc=com
#   bind_pw: password
- name: Get rid of an old entry
  ldap_entry:
    dn: ou=stuff,dc=example,dc=com
    state: absent
    params: "{{ ldap_auth }}"

Notes

Note

  • The default authentication settings will attempt to use a SASL EXTERNAL bind over a UNIX domain socket. This works well with the default Ubuntu install for example, which includes a cn=peercred,cn=external,cn=auth ACL rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in bind_dn and bind_pw.

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.