diff --git a/changelogs/fragments/1618-ldap_search-switch-off-cheasing-referrals.yaml b/changelogs/fragments/1618-ldap_search-switch-off-cheasing-referrals.yaml new file mode 100644 index 0000000000..eecf792963 --- /dev/null +++ b/changelogs/fragments/1618-ldap_search-switch-off-cheasing-referrals.yaml @@ -0,0 +1,4 @@ +bugfixes: + - ldap_search - ignore returned referrals (https://github.com/ansible-collections/community.general/issues/1067). +minor_changes: + - ldap modules - allow to configure referral chasing (https://github.com/ansible-collections/community.general/pull/1618). diff --git a/plugins/doc_fragments/ldap.py b/plugins/doc_fragments/ldap.py index 890c22eeff..b3d21bf423 100644 --- a/plugins/doc_fragments/ldap.py +++ b/plugins/doc_fragments/ldap.py @@ -27,6 +27,15 @@ options: description: - The DN of the entry to add or remove. type: str + referrals_chasing: + choices: [disabled, anonymous] + default: anonymous + type: str + description: + - Set the referrals chasing behavior. + - C(anonymous) follow referrals anonymously. This is the default behavior. + - C(disabled) disable referrals chasing. This sets C(OPT_REFERRALS) to off. + version_added: 2.0.0 server_uri: description: - A URI to the LDAP server. diff --git a/plugins/module_utils/ldap.py b/plugins/module_utils/ldap.py index d49d0a97e8..75405b3537 100644 --- a/plugins/module_utils/ldap.py +++ b/plugins/module_utils/ldap.py @@ -26,6 +26,7 @@ def gen_specs(**specs): 'bind_dn': dict(), 'bind_pw': dict(default='', no_log=True), 'dn': dict(required=True), + 'referrals_chasing': dict(type='str', default='anonymous', choices=['disabled', 'anonymous']), 'server_uri': dict(default='ldapi:///'), 'start_tls': dict(default=False, type='bool'), 'validate_certs': dict(default=True, type='bool'), @@ -41,6 +42,7 @@ class LdapGeneric(object): self.bind_dn = self.module.params['bind_dn'] self.bind_pw = self.module.params['bind_pw'] self.dn = self.module.params['dn'] + self.referrals_chasing = self.module.params['referrals_chasing'] self.server_uri = self.module.params['server_uri'] self.start_tls = self.module.params['start_tls'] self.verify_cert = self.module.params['validate_certs'] @@ -61,6 +63,10 @@ class LdapGeneric(object): connection = ldap.initialize(self.server_uri) + if self.referrals_chasing == 'disabled': + # Switch off chasing of referrals (https://github.com/ansible-collections/community.general/issues/1067) + connection.set_option(ldap.OPT_REFERRALS, 0) + if self.start_tls: try: connection.start_tls_s() diff --git a/plugins/modules/net_tools/ldap/ldap_search.py b/plugins/modules/net_tools/ldap/ldap_search.py index 3b1a283338..f4d02c1cd2 100644 --- a/plugins/modules/net_tools/ldap/ldap_search.py +++ b/plugins/modules/net_tools/ldap/ldap_search.py @@ -168,10 +168,14 @@ class LdapSearch(LdapGeneric): attrlist=self.attrlist, attrsonly=self.attrsonly ) - if self.schema: - return [dict(dn=result[0], attrs=list(result[1].keys())) for result in results] - else: - return [_extract_entry(result[0], result[1]) for result in results] + ldap_entries = [] + for result in results: + if isinstance(result[1], dict): + if self.schema: + ldap_entries.append(dict(dn=result[0], attrs=list(result[1].keys()))) + else: + ldap_entries.append(_extract_entry(result[0], result[1])) + return ldap_entries except ldap.NO_SUCH_OBJECT: self.module.fail_json(msg="Base not found: {0}".format(self.dn))