1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
community.general/plugins/modules/ldap_entry.py

288 lines
8.8 KiB
Python
Raw Normal View History

2020-03-09 10:11:07 +01:00
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright (c) 2016, Peter Sagerson <psagers@ignorare.net>
# Copyright (c) 2016, Jiri Tyr <jiri.tyr@gmail.com>
2020-03-09 10:11:07 +01:00
#
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later
2020-03-09 10:11:07 +01:00
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
module: ldap_entry
short_description: Add or remove LDAP entries
2020-03-09 10:11:07 +01:00
description:
- Add or remove LDAP entries. This module only asserts the existence or
non-existence of an LDAP entry, not its attributes. To assert the
attribute values of an entry, see M(community.general.ldap_attrs).
2020-03-09 10:11:07 +01:00
notes:
- The default authentication settings will attempt to use a SASL EXTERNAL
bind over a UNIX domain socket. This works well with the default Ubuntu
install for example, which includes a cn=peercred,cn=external,cn=auth ACL
rule allowing root to modify the server configuration. If you need to use
a simple bind to access your server, pass the credentials in O(bind_dn)
and O(bind_pw).
2020-03-09 10:11:07 +01:00
author:
- Jiri Tyr (@jtyr)
requirements:
- python-ldap
attributes:
check_mode:
support: full
diff_mode:
support: none
2020-03-09 10:11:07 +01:00
options:
attributes:
description:
- If O(state=present), attributes necessary to create an entry. Existing
2020-03-09 10:11:07 +01:00
entries are never modified. To assert specific attribute values on an
existing entry, use M(community.general.ldap_attrs) module instead.
- Each attribute value can be a string for single-valued attributes or
a list of strings for multi-valued attributes.
- If you specify values for this option in YAML, please note that you can improve
readability for long string values by using YAML block modifiers as seen in the
examples for this module.
- Note that when using values that YAML/ansible-core interprets as other types,
like V(yes), V(no) (booleans), or V(2.10) (float), make sure to quote them if
these are meant to be strings. Otherwise the wrong values may be sent to LDAP.
type: dict
2022-11-01 19:25:51 +01:00
default: {}
2020-03-09 10:11:07 +01:00
objectClass:
description:
- If O(state=present), value or list of values to use when creating
2020-03-09 10:11:07 +01:00
the entry. It can either be a string or an actual list of
strings.
type: list
elements: str
2020-03-09 10:11:07 +01:00
state:
description:
- The target state of the entry.
choices: [present, absent]
default: present
type: str
recursive:
description:
- If O(state=delete), a flag indicating whether a single entry or the
whole branch must be deleted.
type: bool
default: false
version_added: 4.6.0
2020-03-09 10:11:07 +01:00
extends_documentation_fragment:
- community.general.ldap.documentation
- community.general.attributes
2020-03-09 10:11:07 +01:00
'''
EXAMPLES = """
- name: Make sure we have a parent entry for users
community.general.ldap_entry:
2020-03-09 10:11:07 +01:00
dn: ou=users,dc=example,dc=com
objectClass: organizationalUnit
- name: Make sure we have an admin user
community.general.ldap_entry:
2020-03-09 10:11:07 +01:00
dn: cn=admin,dc=example,dc=com
objectClass:
- simpleSecurityObject
- organizationalRole
attributes:
description: An LDAP administrator
userPassword: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"
- name: Set possible values for attributes elements
community.general.ldap_entry:
dn: cn=admin,dc=example,dc=com
objectClass:
- simpleSecurityObject
- organizationalRole
attributes:
description: An LDAP Administrator
roleOccupant:
- cn=Chocs Puddington,ou=Information Technology,dc=example,dc=com
- cn=Alice Stronginthebrain,ou=Information Technology,dc=example,dc=com
olcAccess:
- >-
{0}to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write
by * none'
- >-
{1}to dn.base="dc=example,dc=com"
by dn="cn=admin,dc=example,dc=com" write
by * read
2020-03-09 10:11:07 +01:00
- name: Get rid of an old entry
community.general.ldap_entry:
2020-03-09 10:11:07 +01:00
dn: ou=stuff,dc=example,dc=com
state: absent
server_uri: ldap://localhost/
bind_dn: cn=admin,dc=example,dc=com
bind_pw: password
#
# The same as in the previous example but with the authentication details
# stored in the ldap_auth variable:
#
# ldap_auth:
# server_uri: ldap://localhost/
# bind_dn: cn=admin,dc=example,dc=com
# bind_pw: password
#
# In the example below, 'args' is a task keyword, passed at the same level as the module
2020-03-09 10:11:07 +01:00
- name: Get rid of an old entry
community.general.ldap_entry:
2020-03-09 10:11:07 +01:00
dn: ou=stuff,dc=example,dc=com
state: absent
args: "{{ ldap_auth }}"
2020-03-09 10:11:07 +01:00
"""
RETURN = """
# Default return values
"""
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible.module_utils.common.text.converters import to_native, to_bytes
from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs, ldap_required_together
2020-03-09 10:11:07 +01:00
LDAP_IMP_ERR = None
try:
import ldap.modlist
import ldap.controls
2020-03-09 10:11:07 +01:00
HAS_LDAP = True
except ImportError:
LDAP_IMP_ERR = traceback.format_exc()
HAS_LDAP = False
class LdapEntry(LdapGeneric):
def __init__(self, module):
LdapGeneric.__init__(self, module)
# Shortcuts
self.state = self.module.params['state']
self.recursive = self.module.params['recursive']
2020-03-09 10:11:07 +01:00
# Add the objectClass into the list of attributes
self.module.params['attributes']['objectClass'] = (
self.module.params['objectClass'])
# Load attributes
if self.state == 'present':
self.attrs = self._load_attrs()
def _load_attrs(self):
""" Turn attribute's value to array. """
attrs = {}
for name, value in self.module.params['attributes'].items():
if isinstance(value, list):
attrs[name] = list(map(to_bytes, value))
else:
attrs[name] = [to_bytes(value)]
2020-03-09 10:11:07 +01:00
return attrs
def add(self):
""" If self.dn does not exist, returns a callable that will add it. """
def _add():
self.connection.add_s(self.dn, modlist)
if not self._is_entry_present():
modlist = ldap.modlist.addModlist(self.attrs)
action = _add
else:
action = None
return action
def delete(self):
""" If self.dn exists, returns a callable that will delete either
the item itself if the recursive option is not set or the whole branch
if it is. """
2020-03-09 10:11:07 +01:00
def _delete():
self.connection.delete_s(self.dn)
def _delete_recursive():
2023-10-25 23:01:32 +02:00
""" Attempt recursive deletion using the subtree-delete control.
If that fails, do it manually. """
try:
subtree_delete = ldap.controls.ValueLessRequestControl('1.2.840.113556.1.4.805')
self.connection.delete_ext_s(self.dn, serverctrls=[subtree_delete])
except ldap.NOT_ALLOWED_ON_NONLEAF:
search = self.connection.search_s(self.dn, ldap.SCOPE_SUBTREE, attrlist=('dn',))
search.reverse()
for entry in search:
self.connection.delete_s(entry[0])
2020-03-09 10:11:07 +01:00
if self._is_entry_present():
if self.recursive:
action = _delete_recursive
else:
action = _delete
2020-03-09 10:11:07 +01:00
else:
action = None
return action
def _is_entry_present(self):
try:
self.connection.search_s(self.dn, ldap.SCOPE_BASE)
except ldap.NO_SUCH_OBJECT:
is_present = False
else:
is_present = True
return is_present
def main():
module = AnsibleModule(
argument_spec=gen_specs(
attributes=dict(default={}, type='dict'),
objectClass=dict(type='list', elements='str'),
2020-03-09 10:11:07 +01:00
state=dict(default='present', choices=['present', 'absent']),
recursive=dict(default=False, type='bool'),
2020-03-09 10:11:07 +01:00
),
required_if=[('state', 'present', ['objectClass'])],
2020-03-09 10:11:07 +01:00
supports_check_mode=True,
required_together=ldap_required_together(),
2020-03-09 10:11:07 +01:00
)
if not HAS_LDAP:
module.fail_json(msg=missing_required_lib('python-ldap'),
exception=LDAP_IMP_ERR)
state = module.params['state']
# Instantiate the LdapEntry object
ldap = LdapEntry(module)
# Get the action function
if state == 'present':
action = ldap.add()
elif state == 'absent':
action = ldap.delete()
# Perform the action
if action is not None and not module.check_mode:
try:
action()
except Exception as e:
module.fail_json(msg="Entry action failed.", details=to_native(e), exception=traceback.format_exc())
module.exit_json(changed=(action is not None))
if __name__ == '__main__':
main()