ldap_search: switch off client-chasing referrals (#1618)

* switch off client-chasing referrals

* Add changelog fragment

* Add comment to module

* Sanity check

* Update changelogs/fragments/1618-ldap_search-switch-off-cheasing-referrals.yaml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Add module ref_chasing param to ldap module_utils

* test acces token gitlab

* test acces token gitlab: revert

* Complete referrals_chasing parameter documentation

* Fix parameter value check

* Fix issue #963

* fix sanity check

* Update plugins/doc_fragments/ldap.py

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update changelogs/fragments/1618-ldap_search-switch-off-cheasing-referrals.yaml

Co-authored-by: Felix Fontein <felix@fontein.de>

* Update plugins/doc_fragments/ldap.py

Co-authored-by: Felix Fontein <felix@fontein.de>

Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Mickael Foucher <mikael.foucher@groupama.com>

changelogs/fragments/1618-ldap_search-switch-off-cheasing-referrals.yaml

@@ -0,0 +1,4 @@
+bugfixes:
+  - ldap_search - ignore returned referrals (https://github.com/ansible-collections/community.general/issues/1067).
+minor_changes:
+  - ldap modules - allow to configure referral chasing (https://github.com/ansible-collections/community.general/pull/1618).

plugins/doc_fragments/ldap.py

@@ -27,6 +27,15 @@ options:
     description:
       - The DN of the entry to add or remove.
     type: str
+  referrals_chasing:
+    choices: [disabled, anonymous]
+    default: anonymous
+    type: str
+    description:
+      - Set the referrals chasing behavior.
+      - C(anonymous) follow referrals anonymously. This is the default behavior.
+      - C(disabled) disable referrals chasing. This sets C(OPT_REFERRALS) to off.
+    version_added: 2.0.0
   server_uri:
     description:
       - A URI to the LDAP server.

plugins/module_utils/ldap.py

@@ -26,6 +26,7 @@ def gen_specs(**specs):
         'bind_dn': dict(),
         'bind_pw': dict(default='', no_log=True),
         'dn': dict(required=True),
+        'referrals_chasing': dict(type='str', default='anonymous', choices=['disabled', 'anonymous']),
         'server_uri': dict(default='ldapi:///'),
         'start_tls': dict(default=False, type='bool'),
         'validate_certs': dict(default=True, type='bool'),
@@ -41,6 +42,7 @@ class LdapGeneric(object):
         self.bind_dn = self.module.params['bind_dn']
         self.bind_pw = self.module.params['bind_pw']
         self.dn = self.module.params['dn']
+        self.referrals_chasing = self.module.params['referrals_chasing']
         self.server_uri = self.module.params['server_uri']
         self.start_tls = self.module.params['start_tls']
         self.verify_cert = self.module.params['validate_certs']
@@ -61,6 +63,10 @@ class LdapGeneric(object):
 
         connection = ldap.initialize(self.server_uri)
 
+        if self.referrals_chasing == 'disabled':
+            # Switch off chasing of referrals (https://github.com/ansible-collections/community.general/issues/1067)
+            connection.set_option(ldap.OPT_REFERRALS, 0)
+
         if self.start_tls:
             try:
                 connection.start_tls_s()

plugins/modules/net_tools/ldap/ldap_search.py

@@ -168,10 +168,14 @@ class LdapSearch(LdapGeneric):
                 attrlist=self.attrlist,
                 attrsonly=self.attrsonly
             )
+            ldap_entries = []
+            for result in results:
+                if isinstance(result[1], dict):
                     if self.schema:
-                return [dict(dn=result[0], attrs=list(result[1].keys())) for result in results]
+                        ldap_entries.append(dict(dn=result[0], attrs=list(result[1].keys())))
                     else:
-                return [_extract_entry(result[0], result[1]) for result in results]
+                        ldap_entries.append(_extract_entry(result[0], result[1]))
+            return ldap_entries
         except ldap.NO_SUCH_OBJECT:
             self.module.fail_json(msg="Base not found: {0}".format(self.dn))