#!/usr/bin/python # -*- coding: utf-8 -*- # Copyright (c) 2016, Adfinis SyGroup AG # Tobias Rueetschi <tobias.ruetschi@adfinis-sygroup.ch> # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt) # SPDX-License-Identifier: GPL-3.0-or-later from __future__ import absolute_import, division, print_function __metaclass__ = type DOCUMENTATION = r''' --- module: udm_user author: - Tobias Rüetschi (@keachi) short_description: Manage posix users on a univention corporate server description: - "This module allows to manage posix users on a univention corporate server (UCS). It uses the python API of the UCS to create a new object or edit it." extends_documentation_fragment: - community.general.attributes attributes: check_mode: support: full diff_mode: support: partial options: state: default: "present" choices: [ present, absent ] description: - Whether the user is present or not. type: str username: required: true description: - User name aliases: ['name'] type: str firstname: description: - First name. Required if I(state=present). type: str lastname: description: - Last name. Required if I(state=present). type: str password: description: - Password. Required if I(state=present). type: str birthday: description: - Birthday type: str city: description: - City of users business address. type: str country: description: - Country of users business address. type: str department_number: description: - Department number of users business address. aliases: [ departmentNumber ] type: str description: description: - Description (not gecos) type: str display_name: description: - Display name (not gecos) aliases: [ displayName ] type: str email: default: [''] description: - A list of e-mail addresses. type: list elements: str employee_number: description: - Employee number aliases: [ employeeNumber ] type: str employee_type: description: - Employee type aliases: [ employeeType ] type: str gecos: description: - GECOS type: str groups: default: [] description: - "POSIX groups, the LDAP DNs of the groups will be found with the LDAP filter for each group as $GROUP: C((&(objectClass=posixGroup)(cn=$GROUP)))." type: list elements: str home_share: description: - "Home NFS share. Must be a LDAP DN, e.g. C(cn=home,cn=shares,ou=school,dc=example,dc=com)." aliases: [ homeShare ] type: str home_share_path: description: - Path to home NFS share, inside the homeShare. aliases: [ homeSharePath ] type: str home_telephone_number: default: [] description: - List of private telephone numbers. aliases: [ homeTelephoneNumber ] type: list elements: str homedrive: description: - Windows home drive, e.g. C("H:"). type: str mail_alternative_address: default: [] description: - List of alternative e-mail addresses. aliases: [ mailAlternativeAddress ] type: list elements: str mail_home_server: description: - FQDN of mail server aliases: [ mailHomeServer ] type: str mail_primary_address: description: - Primary e-mail address aliases: [ mailPrimaryAddress ] type: str mobile_telephone_number: default: [] description: - Mobile phone number aliases: [ mobileTelephoneNumber ] type: list elements: str organisation: description: - Organisation aliases: [ organization ] type: str overridePWHistory: type: bool default: false description: - Override password history aliases: [ override_pw_history ] overridePWLength: type: bool default: false description: - Override password check aliases: [ override_pw_length ] pager_telephonenumber: default: [] description: - List of pager telephone numbers. aliases: [ pagerTelephonenumber ] type: list elements: str phone: description: - List of telephone numbers. type: list elements: str default: [] postcode: description: - Postal code of users business address. type: str primary_group: description: - Primary group. This must be the group LDAP DN. - If not specified, it defaults to C(cn=Domain Users,cn=groups,$LDAP_BASE_DN). aliases: [ primaryGroup ] type: str profilepath: description: - Windows profile directory type: str pwd_change_next_login: choices: [ '0', '1' ] description: - Change password on next login. aliases: [ pwdChangeNextLogin ] type: str room_number: description: - Room number of users business address. aliases: [ roomNumber ] type: str samba_privileges: description: - "Samba privilege, like allow printer administration, do domain join." aliases: [ sambaPrivileges ] type: list elements: str default: [] samba_user_workstations: description: - Allow the authentication only on this Microsoft Windows host. aliases: [ sambaUserWorkstations ] type: list elements: str default: [] sambahome: description: - Windows home path, e.g. C('\\$FQDN\$USERNAME'). type: str scriptpath: description: - Windows logon script. type: str secretary: default: [] description: - A list of superiors as LDAP DNs. type: list elements: str serviceprovider: default: [''] description: - Enable user for the following service providers. type: list elements: str shell: default: '/bin/bash' description: - Login shell type: str street: description: - Street of users business address. type: str title: description: - Title, e.g. C(Prof.). type: str unixhome: description: - Unix home directory - If not specified, it defaults to C(/home/$USERNAME). type: str userexpiry: description: - Account expiry date, e.g. C(1999-12-31). - If not specified, it defaults to the current day plus one year. type: str position: default: '' description: - "Define the whole position of users object inside the LDAP tree, e.g. C(cn=employee,cn=users,ou=school,dc=example,dc=com)." type: str update_password: default: always choices: [ always, on_create ] description: - "C(always) will update passwords if they differ. C(on_create) will only set the password for newly created users." type: str ou: default: '' description: - "Organizational Unit inside the LDAP Base DN, e.g. C(school) for LDAP OU C(ou=school,dc=example,dc=com)." type: str subpath: default: 'cn=users' description: - "LDAP subpath inside the organizational unit, e.g. C(cn=teachers,cn=users) for LDAP container C(cn=teachers,cn=users,dc=example,dc=com)." type: str ''' EXAMPLES = ''' - name: Create a user on a UCS community.general.udm_user: name: FooBar password: secure_password firstname: Foo lastname: Bar - name: Create a user with the DN C(uid=foo,cn=teachers,cn=users,ou=school,dc=school,dc=example,dc=com) community.general.udm_user: name: foo password: secure_password firstname: Foo lastname: Bar ou: school subpath: 'cn=teachers,cn=users' # or define the position - name: Create a user with the DN C(uid=foo,cn=teachers,cn=users,ou=school,dc=school,dc=example,dc=com) community.general.udm_user: name: foo password: secure_password firstname: Foo lastname: Bar position: 'cn=teachers,cn=users,ou=school,dc=school,dc=example,dc=com' ''' RETURN = '''# ''' import crypt from datetime import date, timedelta from ansible.module_utils.basic import AnsibleModule from ansible_collections.community.general.plugins.module_utils.univention_umc import ( umc_module_for_add, umc_module_for_edit, ldap_search, base_dn, ) def main(): expiry = date.strftime(date.today() + timedelta(days=365), "%Y-%m-%d") module = AnsibleModule( argument_spec=dict( birthday=dict(type='str'), city=dict(type='str'), country=dict(type='str'), department_number=dict(type='str', aliases=['departmentNumber']), description=dict(type='str'), display_name=dict(type='str', aliases=['displayName']), email=dict(default=[''], type='list', elements='str'), employee_number=dict(type='str', aliases=['employeeNumber']), employee_type=dict(type='str', aliases=['employeeType']), firstname=dict(type='str'), gecos=dict(type='str'), groups=dict(default=[], type='list', elements='str'), home_share=dict(type='str', aliases=['homeShare']), home_share_path=dict(type='str', aliases=['homeSharePath']), home_telephone_number=dict(default=[], type='list', elements='str', aliases=['homeTelephoneNumber']), homedrive=dict(type='str'), lastname=dict(type='str'), mail_alternative_address=dict(default=[], type='list', elements='str', aliases=['mailAlternativeAddress']), mail_home_server=dict(type='str', aliases=['mailHomeServer']), mail_primary_address=dict(type='str', aliases=['mailPrimaryAddress']), mobile_telephone_number=dict(default=[], type='list', elements='str', aliases=['mobileTelephoneNumber']), organisation=dict(type='str', aliases=['organization']), overridePWHistory=dict(default=False, type='bool', aliases=['override_pw_history']), overridePWLength=dict(default=False, type='bool', aliases=['override_pw_length']), pager_telephonenumber=dict(default=[], type='list', elements='str', aliases=['pagerTelephonenumber']), password=dict(type='str', no_log=True), phone=dict(default=[], type='list', elements='str'), postcode=dict(type='str'), primary_group=dict(type='str', aliases=['primaryGroup']), profilepath=dict(type='str'), pwd_change_next_login=dict(type='str', choices=['0', '1'], aliases=['pwdChangeNextLogin']), room_number=dict(type='str', aliases=['roomNumber']), samba_privileges=dict(default=[], type='list', elements='str', aliases=['sambaPrivileges']), samba_user_workstations=dict(default=[], type='list', elements='str', aliases=['sambaUserWorkstations']), sambahome=dict(type='str'), scriptpath=dict(type='str'), secretary=dict(default=[], type='list', elements='str'), serviceprovider=dict(default=[''], type='list', elements='str'), shell=dict(default='/bin/bash', type='str'), street=dict(type='str'), title=dict(type='str'), unixhome=dict(type='str'), userexpiry=dict(type='str'), username=dict(required=True, aliases=['name'], type='str'), position=dict(default='', type='str'), update_password=dict(default='always', choices=['always', 'on_create'], type='str'), ou=dict(default='', type='str'), subpath=dict(default='cn=users', type='str'), state=dict(default='present', choices=['present', 'absent'], type='str') ), supports_check_mode=True, required_if=([ ('state', 'present', ['firstname', 'lastname', 'password']) ]) ) username = module.params['username'] position = module.params['position'] ou = module.params['ou'] subpath = module.params['subpath'] state = module.params['state'] changed = False diff = None users = list(ldap_search( '(&(objectClass=posixAccount)(uid={0}))'.format(username), attr=['uid'] )) if position != '': container = position else: if ou != '': ou = 'ou={0},'.format(ou) if subpath != '': subpath = '{0},'.format(subpath) container = '{0}{1}{2}'.format(subpath, ou, base_dn()) user_dn = 'uid={0},{1}'.format(username, container) exists = bool(len(users)) if state == 'present': try: if not exists: obj = umc_module_for_add('users/user', container) else: obj = umc_module_for_edit('users/user', user_dn) if module.params['displayName'] is None: module.params['displayName'] = '{0} {1}'.format( module.params['firstname'], module.params['lastname'] ) if module.params['unixhome'] is None: module.params['unixhome'] = '/home/{0}'.format( module.params['username'] ) for k in obj.keys(): if (k != 'password' and k != 'groups' and k != 'overridePWHistory' and k in module.params and module.params[k] is not None): obj[k] = module.params[k] # handle some special values obj['e-mail'] = module.params['email'] if 'userexpiry' in obj and obj.get('userexpiry') is None: obj['userexpiry'] = expiry password = module.params['password'] if obj['password'] is None: obj['password'] = password if module.params['update_password'] == 'always': old_password = obj['password'].split('}', 2)[1] if crypt.crypt(password, old_password) != old_password: obj['overridePWHistory'] = module.params['overridePWHistory'] obj['overridePWLength'] = module.params['overridePWLength'] obj['password'] = password diff = obj.diff() if exists: for k in obj.keys(): if obj.hasChanged(k): changed = True else: changed = True if not module.check_mode: if not exists: obj.create() elif changed: obj.modify() except Exception: module.fail_json( msg="Creating/editing user {0} in {1} failed".format( username, container ) ) try: groups = module.params['groups'] if groups: filter = '(&(objectClass=posixGroup)(|(cn={0})))'.format( ')(cn='.join(groups) ) group_dns = list(ldap_search(filter, attr=['dn'])) for dn in group_dns: grp = umc_module_for_edit('groups/group', dn[0]) if user_dn not in grp['users']: grp['users'].append(user_dn) if not module.check_mode: grp.modify() changed = True except Exception: module.fail_json( msg="Adding groups to user {0} failed".format(username) ) if state == 'absent' and exists: try: obj = umc_module_for_edit('users/user', user_dn) if not module.check_mode: obj.remove() changed = True except Exception: module.fail_json( msg="Removing user {0} failed".format(username) ) module.exit_json( changed=changed, username=username, diff=diff, container=container ) if __name__ == '__main__': main()