ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

Feature/ldap gssapi sasl authentication (#1595)

Browse source 
* add sasl_class as parameter

* type str not string

* recreate .gitignore with vscode support

* document sasl_class parameter

* revert .gitignore changes (separate PR)

* docs - add version and end lines with .

* add changelog entry

* add sasl_class choices to docs as well

* changelog should link to issue

Co-authored-by: Felix Fontein <felix@fontein.de>

Co-authored-by: Wim Van Leuven <wim.vanleuven@ucb.com>
Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
Wim Van Leuven 2021-01-27 08:15:38 +01:00 committed by GitHub
parent cd022c3e2a
commit 7a01c5809c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
changelogs/fragments/1595-ldap-gssapi-sasl-authentication.yml Normal file
View file

@ -0,0 +1,2 @@
bugfixes:
- "ldap modules - add ``sasl_class`` parameter to support passwordless SASL authentication via GSSAPI (kerberos), next to external (https://github.com/ansible-collections/community.general/issues/1523)."

10
plugins/doc_fragments/ldap.py
View file

@ -15,7 +15,7 @@ class ModuleDocFragment(object):
options: options:
bind_dn: bind_dn:
description: description:
- A DN to bind with. If this is omitted, we'll try a SASL bind with the EXTERNAL mechanism. - A DN to bind with. If this is omitted, we'll try a SASL bind with the EXTERNAL mechanism as default.
- If this is blank, we'll use an anonymous bind. - If this is blank, we'll use an anonymous bind.
type: str type: str
bind_pw: bind_pw:
@ -53,4 +53,12 @@ options:
- This should only be used on sites using self-signed certificates. - This should only be used on sites using self-signed certificates.
type: bool type: bool
default: yes default: yes
sasl_class:
description:
- The class to use for SASL authentication.
- possible choices are C(external), C(gssapi).
type: str
choices: ['external', 'gssapi']
default: external
version_added: "2.0.0"
''' '''

10
plugins/module_utils/ldap.py
View file

@ -17,6 +17,11 @@ try:
import ldap.sasl import ldap.sasl
HAS_LDAP = True HAS_LDAP = True
SASCL_CLASS = {
'gssapi': ldap.sasl.gssapi,
'external': ldap.sasl.external,
}
except ImportError: except ImportError:
HAS_LDAP = False HAS_LDAP = False
@ -30,6 +35,7 @@ def gen_specs(**specs):
'server_uri': dict(default='ldapi:///'), 'server_uri': dict(default='ldapi:///'),
'start_tls': dict(default=False, type='bool'), 'start_tls': dict(default=False, type='bool'),
'validate_certs': dict(default=True, type='bool'), 'validate_certs': dict(default=True, type='bool'),
'sasl_class': dict(choices=['external', 'gssapi'], default='external', type='str'),
}) })
return specs return specs
@ -46,6 +52,7 @@ class LdapGeneric(object):
self.server_uri = self.module.params['server_uri'] self.server_uri = self.module.params['server_uri']
self.start_tls = self.module.params['start_tls'] self.start_tls = self.module.params['start_tls']
self.verify_cert = self.module.params['validate_certs'] self.verify_cert = self.module.params['validate_certs']
self.sasl_class = self.module.params['sasl_class']
# Establish connection # Establish connection
self.connection = self._connect_to_ldap() self.connection = self._connect_to_ldap()
@ -77,7 +84,8 @@ class LdapGeneric(object):
if self.bind_dn is not None: if self.bind_dn is not None:
connection.simple_bind_s(self.bind_dn, self.bind_pw) connection.simple_bind_s(self.bind_dn, self.bind_pw)
else: else:
connection.sasl_interactive_bind_s('', ldap.sasl.external()) klass = SASCL_CLASS.get(self.sasl_class, ldap.sasl.external)
connection.sasl_interactive_bind_s('', klass())
except ldap.LDAPError as e: except ldap.LDAPError as e:
self.fail("Cannot bind to the server.", e) self.fail("Cannot bind to the server.", e)