2020-04-17 10:53:37 +02:00
|
|
|
#!/usr/bin/python
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
2022-08-05 12:28:29 +02:00
|
|
|
# Copyright (c) 2016, Peter Sagerson <psagers@ignorare.net>
|
|
|
|
# Copyright (c) 2020, Sebastian Pfahl <eryx@gmx.net>
|
|
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
2020-04-17 10:53:37 +02:00
|
|
|
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
|
|
DOCUMENTATION = r"""
|
|
|
|
---
|
|
|
|
module: ldap_search
|
2020-06-13 15:01:19 +02:00
|
|
|
version_added: '0.2.0'
|
2020-04-17 10:53:37 +02:00
|
|
|
short_description: Search for entries in a LDAP server
|
|
|
|
description:
|
|
|
|
- Return the results of an LDAP search.
|
|
|
|
notes:
|
|
|
|
- The default authentication settings will attempt to use a SASL EXTERNAL
|
|
|
|
bind over a UNIX domain socket. This works well with the default Ubuntu
|
|
|
|
install for example, which includes a C(cn=peercred,cn=external,cn=auth) ACL
|
|
|
|
rule allowing root to modify the server configuration. If you need to use
|
2023-06-15 19:04:45 +02:00
|
|
|
a simple bind to access your server, pass the credentials in O(bind_dn)
|
|
|
|
and O(bind_pw).
|
2020-04-17 10:53:37 +02:00
|
|
|
author:
|
|
|
|
- Sebastian Pfahl (@eryx12o45)
|
|
|
|
requirements:
|
|
|
|
- python-ldap
|
2023-02-24 09:23:04 +01:00
|
|
|
attributes:
|
|
|
|
check_mode:
|
|
|
|
support: full
|
|
|
|
diff_mode:
|
|
|
|
support: none
|
2020-04-17 10:53:37 +02:00
|
|
|
options:
|
|
|
|
dn:
|
|
|
|
required: true
|
|
|
|
type: str
|
|
|
|
description:
|
|
|
|
- The LDAP DN to search in.
|
|
|
|
scope:
|
|
|
|
choices: [base, onelevel, subordinate, children]
|
|
|
|
default: base
|
|
|
|
type: str
|
|
|
|
description:
|
|
|
|
- The LDAP scope to use.
|
2024-05-18 16:30:27 +02:00
|
|
|
- V(subordinate) requires the LDAPv3 subordinate feature extension.
|
|
|
|
- V(children) is equivalent to a "subtree" scope.
|
2020-04-17 10:53:37 +02:00
|
|
|
filter:
|
|
|
|
default: '(objectClass=*)'
|
|
|
|
type: str
|
|
|
|
description:
|
|
|
|
- Used for filtering the LDAP search result.
|
|
|
|
attrs:
|
|
|
|
type: list
|
|
|
|
elements: str
|
|
|
|
description:
|
|
|
|
- A list of attributes for limiting the result. Use an
|
|
|
|
actual list or a comma-separated string.
|
|
|
|
schema:
|
|
|
|
default: false
|
|
|
|
type: bool
|
|
|
|
description:
|
2023-06-15 19:04:45 +02:00
|
|
|
- Set to V(true) to return the full attribute schema of entries, not
|
|
|
|
their attribute values. Overrides O(attrs) when provided.
|
2023-06-15 08:42:35 +02:00
|
|
|
page_size:
|
|
|
|
default: 0
|
|
|
|
type: int
|
|
|
|
description:
|
|
|
|
- The page size when performing a simple paged result search (RFC 2696).
|
|
|
|
This setting can be tuned to reduce issues with timeouts and server limits.
|
|
|
|
- Setting the page size to V(0) (default) disables paged searching.
|
|
|
|
version_added: 7.1.0
|
2023-05-05 07:56:48 +02:00
|
|
|
base64_attributes:
|
|
|
|
description:
|
|
|
|
- If provided, all attribute values returned that are listed in this option
|
|
|
|
will be Base64 encoded.
|
2023-06-15 19:04:45 +02:00
|
|
|
- If the special value V(*) appears in this list, all attributes will be
|
2023-05-05 07:56:48 +02:00
|
|
|
Base64 encoded.
|
|
|
|
- All other attribute values will be converted to UTF-8 strings. If they
|
|
|
|
contain binary data, please note that invalid UTF-8 bytes will be omitted.
|
|
|
|
type: list
|
|
|
|
elements: str
|
|
|
|
version_added: 7.0.0
|
2020-04-17 10:53:37 +02:00
|
|
|
extends_documentation_fragment:
|
2023-02-24 09:23:04 +01:00
|
|
|
- community.general.ldap.documentation
|
|
|
|
- community.general.attributes
|
2020-04-17 10:53:37 +02:00
|
|
|
"""
|
|
|
|
|
|
|
|
EXAMPLES = r"""
|
|
|
|
- name: Return all entries within the 'groups' organizational unit.
|
|
|
|
community.general.ldap_search:
|
|
|
|
dn: "ou=groups,dc=example,dc=com"
|
|
|
|
register: ldap_groups
|
|
|
|
|
|
|
|
- name: Return GIDs for all groups
|
|
|
|
community.general.ldap_search:
|
|
|
|
dn: "ou=groups,dc=example,dc=com"
|
|
|
|
scope: "onelevel"
|
|
|
|
attrs:
|
|
|
|
- "gidNumber"
|
|
|
|
register: ldap_group_gids
|
|
|
|
"""
|
|
|
|
|
2023-05-05 07:56:48 +02:00
|
|
|
RESULTS = """
|
|
|
|
results:
|
|
|
|
description:
|
|
|
|
- For every entry found, one dictionary will be returned.
|
|
|
|
- Every dictionary contains a key C(dn) with the entry's DN as a value.
|
|
|
|
- Every attribute of the entry found is added to the dictionary. If the key
|
|
|
|
has precisely one value, that value is taken directly, otherwise the key's
|
|
|
|
value is a list.
|
|
|
|
- Note that all values (for single-element lists) and list elements (for multi-valued
|
|
|
|
lists) will be UTF-8 strings. Some might contain Base64-encoded binary data; which
|
2023-06-15 19:04:45 +02:00
|
|
|
ones is determined by the O(base64_attributes) option.
|
2023-05-05 07:56:48 +02:00
|
|
|
type: list
|
|
|
|
elements: dict
|
|
|
|
"""
|
|
|
|
|
|
|
|
import base64
|
2020-04-17 10:53:37 +02:00
|
|
|
import traceback
|
|
|
|
|
|
|
|
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
|
2023-05-05 07:56:48 +02:00
|
|
|
from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
|
2023-09-15 19:15:03 +02:00
|
|
|
from ansible.module_utils.six import binary_type, string_types, text_type
|
2023-06-15 08:42:42 +02:00
|
|
|
from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs, ldap_required_together
|
2020-04-17 10:53:37 +02:00
|
|
|
|
|
|
|
LDAP_IMP_ERR = None
|
|
|
|
try:
|
|
|
|
import ldap
|
|
|
|
|
|
|
|
HAS_LDAP = True
|
|
|
|
except ImportError:
|
|
|
|
LDAP_IMP_ERR = traceback.format_exc()
|
|
|
|
HAS_LDAP = False
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
module = AnsibleModule(
|
|
|
|
argument_spec=gen_specs(
|
|
|
|
dn=dict(type='str', required=True),
|
|
|
|
scope=dict(type='str', default='base', choices=['base', 'onelevel', 'subordinate', 'children']),
|
|
|
|
filter=dict(type='str', default='(objectClass=*)'),
|
|
|
|
attrs=dict(type='list', elements='str'),
|
|
|
|
schema=dict(type='bool', default=False),
|
2023-06-15 08:42:35 +02:00
|
|
|
page_size=dict(type='int', default=0),
|
2023-05-05 07:56:48 +02:00
|
|
|
base64_attributes=dict(type='list', elements='str'),
|
2020-04-17 10:53:37 +02:00
|
|
|
),
|
|
|
|
supports_check_mode=True,
|
2023-06-15 08:42:42 +02:00
|
|
|
required_together=ldap_required_together(),
|
2020-04-17 10:53:37 +02:00
|
|
|
)
|
|
|
|
|
|
|
|
if not HAS_LDAP:
|
|
|
|
module.fail_json(msg=missing_required_lib('python-ldap'),
|
|
|
|
exception=LDAP_IMP_ERR)
|
|
|
|
|
2021-11-13 15:00:05 +01:00
|
|
|
try:
|
|
|
|
LdapSearch(module).main()
|
|
|
|
except Exception as exception:
|
|
|
|
module.fail_json(msg="Attribute action failed.", details=to_native(exception))
|
2020-04-17 10:53:37 +02:00
|
|
|
|
2023-05-05 07:56:48 +02:00
|
|
|
|
|
|
|
def _normalize_string(val, convert_to_base64):
|
2023-09-15 19:15:03 +02:00
|
|
|
if isinstance(val, (string_types, binary_type)):
|
2023-05-05 07:56:48 +02:00
|
|
|
if isinstance(val, text_type):
|
|
|
|
val = to_bytes(val, encoding='utf-8')
|
|
|
|
if convert_to_base64:
|
|
|
|
val = to_text(base64.b64encode(val))
|
|
|
|
else:
|
|
|
|
# See https://github.com/ansible/ansible/issues/80258#issuecomment-1477038952 for details.
|
|
|
|
# We want to make sure that all strings are properly UTF-8 encoded, even if they were not,
|
|
|
|
# or happened to be byte strings.
|
|
|
|
val = to_text(val, 'utf-8', errors='replace')
|
|
|
|
# See also https://github.com/ansible-collections/community.general/issues/5704.
|
|
|
|
return val
|
2020-04-17 10:53:37 +02:00
|
|
|
|
|
|
|
|
2023-05-05 07:56:48 +02:00
|
|
|
def _extract_entry(dn, attrs, base64_attributes):
|
2020-04-17 10:53:37 +02:00
|
|
|
extracted = {'dn': dn}
|
|
|
|
for attr, val in list(attrs.items()):
|
2023-05-05 07:56:48 +02:00
|
|
|
convert_to_base64 = '*' in base64_attributes or attr in base64_attributes
|
2020-04-17 10:53:37 +02:00
|
|
|
if len(val) == 1:
|
2023-05-05 07:56:48 +02:00
|
|
|
extracted[attr] = _normalize_string(val[0], convert_to_base64)
|
2020-04-17 10:53:37 +02:00
|
|
|
else:
|
2023-05-05 07:56:48 +02:00
|
|
|
extracted[attr] = [_normalize_string(v, convert_to_base64) for v in val]
|
2020-04-17 10:53:37 +02:00
|
|
|
return extracted
|
|
|
|
|
|
|
|
|
|
|
|
class LdapSearch(LdapGeneric):
|
|
|
|
def __init__(self, module):
|
|
|
|
LdapGeneric.__init__(self, module)
|
|
|
|
|
|
|
|
self.filterstr = self.module.params['filter']
|
|
|
|
self.attrlist = []
|
2023-06-15 08:42:35 +02:00
|
|
|
self.page_size = self.module.params['page_size']
|
2020-04-17 10:53:37 +02:00
|
|
|
self._load_scope()
|
|
|
|
self._load_attrs()
|
|
|
|
self._load_schema()
|
2023-05-05 07:56:48 +02:00
|
|
|
self._base64_attributes = set(self.module.params['base64_attributes'] or [])
|
2020-04-17 10:53:37 +02:00
|
|
|
|
|
|
|
def _load_schema(self):
|
2023-05-05 07:56:48 +02:00
|
|
|
self.schema = self.module.params['schema']
|
2020-04-17 10:53:37 +02:00
|
|
|
if self.schema:
|
|
|
|
self.attrsonly = 1
|
|
|
|
else:
|
|
|
|
self.attrsonly = 0
|
|
|
|
|
|
|
|
def _load_scope(self):
|
2020-12-22 15:56:46 +01:00
|
|
|
spec = dict(
|
|
|
|
base=ldap.SCOPE_BASE,
|
|
|
|
onelevel=ldap.SCOPE_ONELEVEL,
|
|
|
|
subordinate=ldap.SCOPE_SUBORDINATE,
|
|
|
|
children=ldap.SCOPE_SUBTREE,
|
|
|
|
)
|
|
|
|
self.scope = spec[self.module.params['scope']]
|
2020-04-17 10:53:37 +02:00
|
|
|
|
|
|
|
def _load_attrs(self):
|
|
|
|
self.attrlist = self.module.params['attrs'] or None
|
|
|
|
|
|
|
|
def main(self):
|
|
|
|
results = self.perform_search()
|
2020-12-22 15:56:46 +01:00
|
|
|
self.module.exit_json(changed=False, results=results)
|
2020-04-17 10:53:37 +02:00
|
|
|
|
|
|
|
def perform_search(self):
|
2023-06-15 08:42:35 +02:00
|
|
|
ldap_entries = []
|
|
|
|
controls = []
|
|
|
|
if self.page_size > 0:
|
|
|
|
controls.append(ldap.controls.libldap.SimplePagedResultsControl(True, size=self.page_size, cookie=''))
|
2020-04-17 10:53:37 +02:00
|
|
|
try:
|
2023-06-15 08:42:35 +02:00
|
|
|
while True:
|
|
|
|
response = self.connection.search_ext(
|
|
|
|
self.dn,
|
|
|
|
self.scope,
|
|
|
|
filterstr=self.filterstr,
|
|
|
|
attrlist=self.attrlist,
|
|
|
|
attrsonly=self.attrsonly,
|
|
|
|
serverctrls=controls,
|
|
|
|
)
|
|
|
|
rtype, results, rmsgid, serverctrls = self.connection.result3(response)
|
|
|
|
for result in results:
|
|
|
|
if isinstance(result[1], dict):
|
|
|
|
if self.schema:
|
|
|
|
ldap_entries.append(dict(dn=result[0], attrs=list(result[1].keys())))
|
|
|
|
else:
|
|
|
|
ldap_entries.append(_extract_entry(result[0], result[1], self._base64_attributes))
|
|
|
|
cookies = [c.cookie for c in serverctrls if c.controlType == ldap.controls.libldap.SimplePagedResultsControl.controlType]
|
|
|
|
if self.page_size > 0 and cookies and cookies[0]:
|
|
|
|
controls[0].cookie = cookies[0]
|
|
|
|
else:
|
|
|
|
return ldap_entries
|
2020-04-17 10:53:37 +02:00
|
|
|
except ldap.NO_SUCH_OBJECT:
|
|
|
|
self.module.fail_json(msg="Base not found: {0}".format(self.dn))
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
main()
|