2020-03-09 10:11:07 +01:00
|
|
|
#!/usr/bin/python
|
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
2022-08-05 12:28:29 +02:00
|
|
|
# Copyright (c) 2016, Peter Sagerson <psagers@ignorare.net>
|
|
|
|
# Copyright (c) 2016, Jiri Tyr <jiri.tyr@gmail.com>
|
2020-03-09 10:11:07 +01:00
|
|
|
#
|
2022-08-05 12:28:29 +02:00
|
|
|
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
|
|
# SPDX-License-Identifier: GPL-3.0-or-later
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
from __future__ import absolute_import, division, print_function
|
|
|
|
__metaclass__ = type
|
|
|
|
|
|
|
|
|
|
|
|
DOCUMENTATION = '''
|
|
|
|
---
|
|
|
|
module: ldap_entry
|
2022-11-09 07:18:40 +01:00
|
|
|
short_description: Add or remove LDAP entries
|
2020-03-09 10:11:07 +01:00
|
|
|
description:
|
|
|
|
- Add or remove LDAP entries. This module only asserts the existence or
|
|
|
|
non-existence of an LDAP entry, not its attributes. To assert the
|
2021-04-13 13:19:25 +02:00
|
|
|
attribute values of an entry, see M(community.general.ldap_attrs).
|
2020-03-09 10:11:07 +01:00
|
|
|
notes:
|
|
|
|
- The default authentication settings will attempt to use a SASL EXTERNAL
|
|
|
|
bind over a UNIX domain socket. This works well with the default Ubuntu
|
|
|
|
install for example, which includes a cn=peercred,cn=external,cn=auth ACL
|
|
|
|
rule allowing root to modify the server configuration. If you need to use
|
2023-06-15 19:04:45 +02:00
|
|
|
a simple bind to access your server, pass the credentials in O(bind_dn)
|
|
|
|
and O(bind_pw).
|
2020-03-09 10:11:07 +01:00
|
|
|
author:
|
|
|
|
- Jiri Tyr (@jtyr)
|
|
|
|
requirements:
|
|
|
|
- python-ldap
|
2023-02-24 09:23:04 +01:00
|
|
|
attributes:
|
|
|
|
check_mode:
|
|
|
|
support: full
|
|
|
|
diff_mode:
|
|
|
|
support: none
|
2020-03-09 10:11:07 +01:00
|
|
|
options:
|
|
|
|
attributes:
|
|
|
|
description:
|
2023-06-15 19:04:45 +02:00
|
|
|
- If O(state=present), attributes necessary to create an entry. Existing
|
2020-03-09 10:11:07 +01:00
|
|
|
entries are never modified. To assert specific attribute values on an
|
2021-04-13 13:19:25 +02:00
|
|
|
existing entry, use M(community.general.ldap_attrs) module instead.
|
2023-03-27 20:57:21 +02:00
|
|
|
- Each attribute value can be a string for single-valued attributes or
|
|
|
|
a list of strings for multi-valued attributes.
|
|
|
|
- If you specify values for this option in YAML, please note that you can improve
|
|
|
|
readability for long string values by using YAML block modifiers as seen in the
|
|
|
|
examples for this module.
|
|
|
|
- Note that when using values that YAML/ansible-core interprets as other types,
|
2023-06-15 19:04:45 +02:00
|
|
|
like V(yes), V(no) (booleans), or V(2.10) (float), make sure to quote them if
|
2023-03-27 20:57:21 +02:00
|
|
|
these are meant to be strings. Otherwise the wrong values may be sent to LDAP.
|
2020-12-21 13:56:10 +01:00
|
|
|
type: dict
|
2022-11-01 19:25:51 +01:00
|
|
|
default: {}
|
2020-03-09 10:11:07 +01:00
|
|
|
objectClass:
|
|
|
|
description:
|
2023-06-15 19:04:45 +02:00
|
|
|
- If O(state=present), value or list of values to use when creating
|
2020-03-09 10:11:07 +01:00
|
|
|
the entry. It can either be a string or an actual list of
|
|
|
|
strings.
|
2020-12-21 13:56:10 +01:00
|
|
|
type: list
|
|
|
|
elements: str
|
2020-03-09 10:11:07 +01:00
|
|
|
state:
|
|
|
|
description:
|
|
|
|
- The target state of the entry.
|
|
|
|
choices: [present, absent]
|
|
|
|
default: present
|
2021-04-18 10:09:46 +02:00
|
|
|
type: str
|
2022-03-15 05:39:51 +01:00
|
|
|
recursive:
|
|
|
|
description:
|
2023-06-15 19:04:45 +02:00
|
|
|
- If O(state=delete), a flag indicating whether a single entry or the
|
2022-03-15 05:39:51 +01:00
|
|
|
whole branch must be deleted.
|
|
|
|
type: bool
|
|
|
|
default: false
|
|
|
|
version_added: 4.6.0
|
2020-03-09 10:11:07 +01:00
|
|
|
extends_documentation_fragment:
|
2023-02-24 09:23:04 +01:00
|
|
|
- community.general.ldap.documentation
|
|
|
|
- community.general.attributes
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
|
EXAMPLES = """
|
|
|
|
- name: Make sure we have a parent entry for users
|
2020-07-13 21:50:31 +02:00
|
|
|
community.general.ldap_entry:
|
2020-03-09 10:11:07 +01:00
|
|
|
dn: ou=users,dc=example,dc=com
|
|
|
|
objectClass: organizationalUnit
|
|
|
|
|
|
|
|
- name: Make sure we have an admin user
|
2020-07-13 21:50:31 +02:00
|
|
|
community.general.ldap_entry:
|
2020-03-09 10:11:07 +01:00
|
|
|
dn: cn=admin,dc=example,dc=com
|
|
|
|
objectClass:
|
|
|
|
- simpleSecurityObject
|
|
|
|
- organizationalRole
|
|
|
|
attributes:
|
|
|
|
description: An LDAP administrator
|
|
|
|
userPassword: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"
|
|
|
|
|
2023-03-27 20:57:21 +02:00
|
|
|
- name: Set possible values for attributes elements
|
|
|
|
community.general.ldap_entry:
|
|
|
|
dn: cn=admin,dc=example,dc=com
|
|
|
|
objectClass:
|
|
|
|
- simpleSecurityObject
|
|
|
|
- organizationalRole
|
|
|
|
attributes:
|
|
|
|
description: An LDAP Administrator
|
|
|
|
roleOccupant:
|
|
|
|
- cn=Chocs Puddington,ou=Information Technology,dc=example,dc=com
|
|
|
|
- cn=Alice Stronginthebrain,ou=Information Technology,dc=example,dc=com
|
|
|
|
olcAccess:
|
|
|
|
- >-
|
|
|
|
{0}to attrs=userPassword,shadowLastChange
|
|
|
|
by self write
|
|
|
|
by anonymous auth
|
|
|
|
by dn="cn=admin,dc=example,dc=com" write
|
|
|
|
by * none'
|
|
|
|
- >-
|
|
|
|
{1}to dn.base="dc=example,dc=com"
|
|
|
|
by dn="cn=admin,dc=example,dc=com" write
|
|
|
|
by * read
|
|
|
|
|
2020-03-09 10:11:07 +01:00
|
|
|
- name: Get rid of an old entry
|
2020-07-13 21:50:31 +02:00
|
|
|
community.general.ldap_entry:
|
2020-03-09 10:11:07 +01:00
|
|
|
dn: ou=stuff,dc=example,dc=com
|
|
|
|
state: absent
|
|
|
|
server_uri: ldap://localhost/
|
|
|
|
bind_dn: cn=admin,dc=example,dc=com
|
|
|
|
bind_pw: password
|
|
|
|
|
|
|
|
#
|
|
|
|
# The same as in the previous example but with the authentication details
|
|
|
|
# stored in the ldap_auth variable:
|
|
|
|
#
|
|
|
|
# ldap_auth:
|
|
|
|
# server_uri: ldap://localhost/
|
|
|
|
# bind_dn: cn=admin,dc=example,dc=com
|
|
|
|
# bind_pw: password
|
2020-04-06 18:13:04 +02:00
|
|
|
#
|
|
|
|
# In the example below, 'args' is a task keyword, passed at the same level as the module
|
2020-03-09 10:11:07 +01:00
|
|
|
- name: Get rid of an old entry
|
2020-07-13 21:50:31 +02:00
|
|
|
community.general.ldap_entry:
|
2020-03-09 10:11:07 +01:00
|
|
|
dn: ou=stuff,dc=example,dc=com
|
|
|
|
state: absent
|
2020-04-06 18:13:04 +02:00
|
|
|
args: "{{ ldap_auth }}"
|
2020-03-09 10:11:07 +01:00
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
|
|
RETURN = """
|
|
|
|
# Default return values
|
|
|
|
"""
|
|
|
|
|
|
|
|
import traceback
|
|
|
|
|
|
|
|
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
|
2021-06-26 23:59:11 +02:00
|
|
|
from ansible.module_utils.common.text.converters import to_native, to_bytes
|
2023-06-15 08:42:42 +02:00
|
|
|
from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs, ldap_required_together
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
LDAP_IMP_ERR = None
|
|
|
|
try:
|
|
|
|
import ldap.modlist
|
2022-03-15 05:39:51 +01:00
|
|
|
import ldap.controls
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
HAS_LDAP = True
|
|
|
|
except ImportError:
|
|
|
|
LDAP_IMP_ERR = traceback.format_exc()
|
|
|
|
HAS_LDAP = False
|
|
|
|
|
|
|
|
|
|
|
|
class LdapEntry(LdapGeneric):
|
|
|
|
def __init__(self, module):
|
|
|
|
LdapGeneric.__init__(self, module)
|
|
|
|
|
|
|
|
# Shortcuts
|
|
|
|
self.state = self.module.params['state']
|
2022-03-15 05:39:51 +01:00
|
|
|
self.recursive = self.module.params['recursive']
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
# Add the objectClass into the list of attributes
|
|
|
|
self.module.params['attributes']['objectClass'] = (
|
|
|
|
self.module.params['objectClass'])
|
|
|
|
|
|
|
|
# Load attributes
|
|
|
|
if self.state == 'present':
|
|
|
|
self.attrs = self._load_attrs()
|
|
|
|
|
|
|
|
def _load_attrs(self):
|
|
|
|
""" Turn attribute's value to array. """
|
|
|
|
attrs = {}
|
|
|
|
|
|
|
|
for name, value in self.module.params['attributes'].items():
|
|
|
|
if isinstance(value, list):
|
|
|
|
attrs[name] = list(map(to_bytes, value))
|
|
|
|
else:
|
2020-12-21 13:56:10 +01:00
|
|
|
attrs[name] = [to_bytes(value)]
|
2020-03-09 10:11:07 +01:00
|
|
|
|
|
|
|
return attrs
|
|
|
|
|
|
|
|
def add(self):
|
|
|
|
""" If self.dn does not exist, returns a callable that will add it. """
|
|
|
|
def _add():
|
|
|
|
self.connection.add_s(self.dn, modlist)
|
|
|
|
|
|
|
|
if not self._is_entry_present():
|
|
|
|
modlist = ldap.modlist.addModlist(self.attrs)
|
|
|
|
action = _add
|
|
|
|
else:
|
|
|
|
action = None
|
|
|
|
|
|
|
|
return action
|
|
|
|
|
|
|
|
def delete(self):
|
2022-03-15 05:39:51 +01:00
|
|
|
""" If self.dn exists, returns a callable that will delete either
|
|
|
|
the item itself if the recursive option is not set or the whole branch
|
|
|
|
if it is. """
|
2020-03-09 10:11:07 +01:00
|
|
|
def _delete():
|
|
|
|
self.connection.delete_s(self.dn)
|
|
|
|
|
2022-03-15 05:39:51 +01:00
|
|
|
def _delete_recursive():
|
2023-10-26 06:20:21 +02:00
|
|
|
""" Attempt recursive deletion using the subtree-delete control.
|
2022-03-15 05:39:51 +01:00
|
|
|
If that fails, do it manually. """
|
|
|
|
try:
|
|
|
|
subtree_delete = ldap.controls.ValueLessRequestControl('1.2.840.113556.1.4.805')
|
|
|
|
self.connection.delete_ext_s(self.dn, serverctrls=[subtree_delete])
|
|
|
|
except ldap.NOT_ALLOWED_ON_NONLEAF:
|
|
|
|
search = self.connection.search_s(self.dn, ldap.SCOPE_SUBTREE, attrlist=('dn',))
|
|
|
|
search.reverse()
|
|
|
|
for entry in search:
|
|
|
|
self.connection.delete_s(entry[0])
|
|
|
|
|
2020-03-09 10:11:07 +01:00
|
|
|
if self._is_entry_present():
|
2022-03-15 05:39:51 +01:00
|
|
|
if self.recursive:
|
|
|
|
action = _delete_recursive
|
|
|
|
else:
|
|
|
|
action = _delete
|
2020-03-09 10:11:07 +01:00
|
|
|
else:
|
|
|
|
action = None
|
|
|
|
|
|
|
|
return action
|
|
|
|
|
|
|
|
def _is_entry_present(self):
|
|
|
|
try:
|
|
|
|
self.connection.search_s(self.dn, ldap.SCOPE_BASE)
|
|
|
|
except ldap.NO_SUCH_OBJECT:
|
|
|
|
is_present = False
|
|
|
|
else:
|
|
|
|
is_present = True
|
|
|
|
|
|
|
|
return is_present
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
module = AnsibleModule(
|
|
|
|
argument_spec=gen_specs(
|
|
|
|
attributes=dict(default={}, type='dict'),
|
2020-12-21 13:56:10 +01:00
|
|
|
objectClass=dict(type='list', elements='str'),
|
2020-03-09 10:11:07 +01:00
|
|
|
state=dict(default='present', choices=['present', 'absent']),
|
2022-03-15 05:39:51 +01:00
|
|
|
recursive=dict(default=False, type='bool'),
|
2020-03-09 10:11:07 +01:00
|
|
|
),
|
2020-12-21 13:56:10 +01:00
|
|
|
required_if=[('state', 'present', ['objectClass'])],
|
2020-03-09 10:11:07 +01:00
|
|
|
supports_check_mode=True,
|
2023-06-15 08:42:42 +02:00
|
|
|
required_together=ldap_required_together(),
|
2020-03-09 10:11:07 +01:00
|
|
|
)
|
|
|
|
|
|
|
|
if not HAS_LDAP:
|
|
|
|
module.fail_json(msg=missing_required_lib('python-ldap'),
|
|
|
|
exception=LDAP_IMP_ERR)
|
|
|
|
|
|
|
|
state = module.params['state']
|
|
|
|
|
|
|
|
# Instantiate the LdapEntry object
|
|
|
|
ldap = LdapEntry(module)
|
|
|
|
|
|
|
|
# Get the action function
|
|
|
|
if state == 'present':
|
|
|
|
action = ldap.add()
|
|
|
|
elif state == 'absent':
|
|
|
|
action = ldap.delete()
|
|
|
|
|
|
|
|
# Perform the action
|
|
|
|
if action is not None and not module.check_mode:
|
|
|
|
try:
|
|
|
|
action()
|
|
|
|
except Exception as e:
|
|
|
|
module.fail_json(msg="Entry action failed.", details=to_native(e), exception=traceback.format_exc())
|
|
|
|
|
|
|
|
module.exit_json(changed=(action is not None))
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
main()
|