mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
community.general/plugins/modules/net_tools/ldap/ldap_passwd.py

#!/usr/bin/python
# -*- coding: utf-8 -*-
# Copyright: (c) 2017-2018, Keller Fuchs <kellerfuchs@hashbang.sh>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = '''
---
module: ldap_passwd
short_description: Set passwords in LDAP.
description:
- Set a password for an LDAP entry. This module only asserts that
a given password is valid for a given entry. To assert the
existence of an entry, see M(community.general.ldap_entry).
notes:
- The default authentication settings will attempt to use a SASL EXTERNAL
bind over a UNIX domain socket. This works well with the default Ubuntu
install for example, which includes a cn=peercred,cn=external,cn=auth ACL
rule allowing root to modify the server configuration. If you need to use
a simple bind to access your server, pass the credentials in I(bind_dn)
and I(bind_pw).
author:
- Keller Fuchs (@KellerFuchs)
requirements:
- python-ldap
options:
passwd:
description:
- The (plaintext) password to be set for I(dn).
type: str
extends_documentation_fragment:
- community.general.ldap.documentation
'''
EXAMPLES = """
- name: Set a password for the admin user
community.general.ldap_passwd:
dn: cn=admin,dc=example,dc=com
passwd: "{{ vault_secret }}"
- name: Setting passwords in bulk
community.general.ldap_passwd:
dn: "{{ item.key }}"
passwd: "{{ item.value }}"
with_dict:
alice: alice123123
bob: "|30b!"
admin: "{{ vault_secret }}"
"""
RETURN = """
modlist:
description: list of modified parameters
returned: success
type: list
sample:
- [2, "olcRootDN", ["cn=root,dc=example,dc=com"]]
"""
import traceback
from ansible.module_utils.basic import AnsibleModule, missing_required_lib
from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs
# Import python-ldap without raising at import time: on failure the traceback
# is kept in LDAP_IMP_ERR and HAS_LDAP is set to False, so main() can report
# the missing library through fail_json instead of crashing on import.
LDAP_IMP_ERR = None
try:
    import ldap
    HAS_LDAP = True
except ImportError:
    LDAP_IMP_ERR = traceback.format_exc()
    HAS_LDAP = False
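class LdapPasswd(LdapGeneric):
    """Check and set the password of a single LDAP entry.

    Builds on LdapGeneric, which is defined outside this file. This class
    relies on it for ``self.module``, ``self.dn``, ``self.server_uri``,
    ``self.start_tls``, ``self.connection`` and ``self.fail``.
    """

    def __init__(self, module):
        """Initialise the LdapGeneric base and cache the requested password.

        :param module: the module object handed to LdapGeneric; main() passes
            the AnsibleModule whose ``params['passwd']`` holds the plaintext
            password.
        """
        LdapGeneric.__init__(self, module)

        # Shortcut to the plaintext password taken from the module parameters.
        self.passwd = self.module.params['passwd']

    def passwd_check(self):
        """Return True when the entry's password has to be changed.

        Opens a separate, short-lived connection and attempts a simple bind
        as ``self.dn`` with the requested password.

        :returns: True if the server rejects the bind with
            INVALID_CREDENTIALS (the password differs), False if the bind
            succeeds (the password is already valid).
        """
        # A simple bind with an empty password is an *unauthenticated* bind
        # (RFC 4513, section 5.1.2): a server may accept it without checking
        # any password, so a "successful" bind would wrongly be read as
        # "password already valid". Refuse it instead of reporting a result
        # that was never verified. The message never includes the password.
        if not self.passwd:
            self.module.fail_json(
                msg="passwd must be a non-empty string: a simple bind with an "
                    "empty password does not verify the entry's password.")

        # NOTE(review): this verification connection is built here from
        # server_uri and start_tls only; confirm that any certificate or TLS
        # options LdapGeneric applies to self.connection also apply to it.
        # Unless the URI is ldaps:// or start_tls is set, the simple bind
        # below sends the password unencrypted.
        try:
            tmp_con = ldap.initialize(self.server_uri)
        except ldap.LDAPError as e:
            self.fail("Cannot initialize LDAP connection", e)

        if self.start_tls:
            try:
                tmp_con.start_tls_s()
            except ldap.LDAPError as e:
                self.fail("Cannot start TLS.", e)

        try:
            tmp_con.simple_bind_s(self.dn, self.passwd)
        except ldap.INVALID_CREDENTIALS:
            # The requested password is not the current one: change needed.
            return True
        except ldap.LDAPError as e:
            self.fail("Cannot bind to the server.", e)
        else:
            # Bind accepted: the entry already has this password.
            return False
        finally:
            # Always drop the temporary connection, whatever the outcome.
            tmp_con.unbind()

    def passwd_set(self):
        """Set the password if it is not already valid.

        :returns: True if the password was changed, False if passwd_check()
            found it already valid.
        """
        # Exit early if the password is already valid
        if not self.passwd_check():
            return False

        # Change the password through self.connection; no old password is
        # supplied (second argument is None). Errors are reported via
        # self.fail.
        try:
            self.connection.passwd_s(self.dn, None, self.passwd)
        except ldap.LDAPError as e:
            self.fail("Unable to set password", e)

        # Password successfully changed
        return True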
def main():
    """Module entry point: build the AnsibleModule and report whether the password changes.

    In check mode only passwd_check() runs, so nothing is written; otherwise
    passwd_set() performs the change when it is needed.
    """
    # no_log=True keeps the password value out of Ansible's logged parameters.
    spec = gen_specs(passwd=dict(no_log=True))
    module = AnsibleModule(argument_spec=spec, supports_check_mode=True)

    # Report a missing python-ldap with the traceback captured at import time.
    if not HAS_LDAP:
        module.fail_json(
            msg=missing_required_lib('python-ldap'),
            exception=LDAP_IMP_ERR,
        )

    # Named so that it does not shadow the imported ``ldap`` package.
    passwd_handler = LdapPasswd(module)

    if module.check_mode:
        needs_change = passwd_handler.passwd_check()
        module.exit_json(changed=needs_change)

    was_changed = passwd_handler.passwd_set()
    module.exit_json(changed=was_changed)
# Run main() only when this file is executed directly, not when it is imported.
if __name__ == '__main__':
    main()