From 512bf4b77f86d8e3875ed958d179d38745ba00cc Mon Sep 17 00:00:00 2001
From: Reto Kupferschmid
Date: Wed, 22 Mar 2023 07:39:58 +0100
Subject: [PATCH] ldap moduls: add optional ca_cert_file option (#6185)

* add ca_cert_file option

* fix pr url

* Apply suggestions from code review

Co-authored-by: Felix Fontein

* update parameter name

---------

Co-authored-by: Felix Fontein
---
 changelogs/fragments/xxxx-ldap-ca-cert-file.yml | 2 ++
 plugins/doc_fragments/ldap.py | 5 +++++
 plugins/module_utils/ldap.py | 5 +++++
 3 files changed, 12 insertions(+)
 create mode 100644 changelogs/fragments/xxxx-ldap-ca-cert-file.yml

diff --git a/changelogs/fragments/xxxx-ldap-ca-cert-file.yml b/changelogs/fragments/xxxx-ldap-ca-cert-file.yml
new file mode 100644
index 0000000000..9730e08271
--- /dev/null
+++ b/changelogs/fragments/xxxx-ldap-ca-cert-file.yml
@@ -0,0 +1,2 @@
+minor_changes:
+ - ldap modules - add ``ca_path`` option (https://github.com/ansible-collections/community.general/pull/6185).
diff --git a/plugins/doc_fragments/ldap.py b/plugins/doc_fragments/ldap.py
index 8cbe276945..b321c75eb8 100644
--- a/plugins/doc_fragments/ldap.py
+++ b/plugins/doc_fragments/ldap.py
@@ -24,6 +24,11 @@ options:
 - The password to use with I(bind_dn).
 type: str
 default: ''
+ ca_path:
+ description:
+ - Set the path to PEM file with CA certs.
+ type: path
+ version_added: "6.5.0"
 dn:
 required: true
 description:
diff --git a/plugins/module_utils/ldap.py b/plugins/module_utils/ldap.py
index cc6a37199b..6553713210 100644
--- a/plugins/module_utils/ldap.py
+++ b/plugins/module_utils/ldap.py
@@ -34,6 +34,7 @@ def gen_specs(**specs):
 specs.update({
 'bind_dn': dict(),
 'bind_pw': dict(default='', no_log=True),
+ 'ca_path': dict(type='path'),
 'dn': dict(required=True),
 'referrals_chasing': dict(type='str', default='anonymous', choices=['disabled', 'anonymous']),
 'server_uri': dict(default='ldapi:///'),
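Review bot: The new `ca_path` description in the doc_fragments hunk does not say how the option relates to the certificate-verification switch, so a user can set a CA bundle and still get an unverified connection: in module_utils the CA file is applied unconditionally, and when `verify_cert` is false the library's REQUIRE_CERT option has already been set to NEVER, which makes the CA file irrelevant. I would add a second bullet to the description, e.g. `- Only has an effect when certificate verification is enabled.`, naming the verification option as it is spelled in this fragment (it is not visible in the hunk). It would also help to state that the file must be a PEM bundle, since the current wording only implies it.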
@@ -52,6 +53,7 @@ class LdapGeneric(object):
 self.module = module
 self.bind_dn = self.module.params['bind_dn']
 self.bind_pw = self.module.params['bind_pw']
+ self.ca_path = self.module.params['ca_path']
 self.referrals_chasing = self.module.params['referrals_chasing']
 self.server_uri = self.module.params['server_uri']
 self.start_tls = self.module.params['start_tls']
@@ -97,6 +99,9 @@ class LdapGeneric(object):
 if not self.verify_cert:
 ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
 
+ if self.ca_path:
+ ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca_path)
+
 connection = ldap.initialize(self.server_uri)
 
 if self.referrals_chasing == 'disabled':
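Review bot: The new `if self.ca_path:` block in the third hunk runs even when `self.verify_cert` is false, where the lines just above have already set `OPT_X_TLS_REQUIRE_CERT` to `OPT_X_TLS_NEVER`, so the CA file is accepted silently but never used and a misconfiguration goes unnoticed. I would surface that, e.g. `if self.ca_path and not self.verify_cert: self.module.warn('ca_path is ignored because certificate verification is disabled')`. A nonexistent or unreadable path is likewise only reported later as an opaque TLS error from the library, so a guard such as `if not os.path.isfile(self.ca_path): self.module.fail_json(msg='ca_path %s does not exist' % self.ca_path)` before the `set_option` call would give a clearer failure (assuming `os` is imported in this file; the imports are not visible). The enclosing method starts outside the hunk.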