After exhaustive google searches I am under the impression that Ansible does not have an LDAP Module, and that LDAP is only used as input to formulate rights/permissions associated with executing whatever Ansible is configured to do. I did see some chatter that looked like an LDAP Module might be in the Dev Pipeline - True? I am also aware of the command-line utilities that come with OpenLDAP (for example) - would these be suitable “hooks” to allow Ansible to Add/Change/Delete Accounts in LDAP? Is this just so trivial that nobody has to talk about it? Thanks in Advance.
Hello,
You are probably talking about this thread?
http://grokbase.com/t/gg/ansible-devel/148892tek3/ldap-modules
The modules developed by psagers (ldap_attr, ldap_entry) are currently not in
Ansible core, however I'm using them successfully in my project. They can be
used to create and manage LDAP entries and modify their attributes.
The current version of modules (unofficial, although with authors permission)
is distributed with the DebOps official playbooks, and can be found here:
https://github.com/debops/debops-playbooks/tree/master/playbooks/library/database/ldap
If you're interested in working with Ansible and LDAP, there are a few things
to consider. Using the modules directly in the roles or playbooks is
straightforward, 'with_dict' is very useful to define attributes and their
values. However to make the roles and playbooks more portable, I've resorted
to use a workaround in the form of several Ansible variables the define
important information like LDAP server, bind DN and bind password in one
place, which other roles can use as something akin to an API.
It all begins with 'debops.secret' role which maintains the variables. Some
documentation explaining the feature and examples can be found here:
http://docs.debops.org/en/latest/ansible/roles/ansible-secret/docs/guides.html#how-to-use-ldap-variables
The 'debops.slapd' role can be used to configure an OpenLDAP server. It uses
the 'ldap_attr' and 'ldap_entry' Ansible modules to configure the 'slapd'
server using the cn=config method. Look at the tasks in the role to see how
the LDAP variables are used:
https://github.com/debops/ansible-slapd
The client-side machine bind accounts are configured in yet another role,
'debops.auth'. It uses the LDAP modules to automatically create machine
accounts so that access to the LDAP server by services like 'nslcd' can be
authorized by the LDAP server:
https://github.com/debops/ansible-auth/blob/master/tasks/machine_bind_account.yml
The 'debops.gitlab' role can be configured to enable LDAP authentication in
a GitLab instance. It uses the 'ldappassword' filter plugin (included in
Ansible core) to generate and provide the necessary passwords:
https://github.com/debops/ansible-gitlab/blob/master/tasks/ldap_account.yml
In overall, I plan to include more LDAP support in my project in the future, as
the need arises. I also would like to see the 'ldap_attr' and 'ldap_entry'
modules merged into Ansible core (the 'ansible-modules-extras' repository
seems like a good fit), perhaps someday the author will contribute them again.
Alternatively I plan to do it after checking if the modules work properly with
Ansible v2.
Best Regards,
Maciej
Maciej,
Thanks for your thorough response! I’ll doodle with that and see how it works.
Best Regards,
Tim
You’re probably looking for the ldap_attr module. See the documentation at https://docs.ansible.com/ansible/latest/modules/ldap_attr_module.html#ldap-attr-module