Dynamic inventory from Active Directory?

Is there a way to build a dynamic inventory from Active Directory?

Given you cannot use Windows as a control host, fun things like pyad and py32win aren’t going to work to pull stuff out of Active Directory.

Is this a sales point for Tower?

You can query AD as an LDAP server, so it should not be hard to make a
script to use it as an inventory source.

That’s a great suggestion Bob.

Given my very limited understanding of Ansible I’ve written a few inventory APIs on asp.net web api, and a very simple python script which just gets json data from those APIs (with some optional caching). For now I have APIs for building inventories from Azure Resource Manager and Virtual Machine Manager, which can be found here:
https://github.com/trondhindenes/armrest
https://github.com/trondhindenes/VMmDynamicInventory

The latter one just invokes PowerShell to query VMM on the server running the web api, so it shouldn’t be too hard to maybe build that into an AD-querying thing instead. I’ll probably have a look at that at some point.

This can be done in any language that has an LDAP library, just query
the domain with "(&(objectClass=computer))" as your search parameter.

Anyone playing around with this look at ldap3:

http://ldap3.readthedocs.org/en/latest/tutorial.html

Not python-ldap. ldap3 has the ability to convert searches into JSON.

Gotten something working but run into a security problem.

How and where do you store the username and password securely for these dynamic inventory scripts/programs?

Looking at the contrib/inventory all the .ini files look to store the credentials in clear text.

In my script can I programmatically extend the ansible-vault functionality so I can at least encrypt the .ini file?

Hello Bob,

I would use a dedicated user without any further permission in the AD. And if the system you are running Ansible on is not secure enough to store this then this is quite a challenge :wink:

But some alternative approach:
I like to use KeePass 2 databases for storing passwords (and other sensitive information). In Python you can use this with libkeepass.

esco
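
An added example, not code from any poster in this thread: a minimal dynamic inventory script that combines the `(&(objectClass=computer))` filter with the ldap3 library suggested above, binding over LDAPS with credentials read from environment variables instead of a clear-text .ini file. The `AD_INV_*` variable names, the `os_*` group naming and the sample entry are assumptions made for illustration.

```python
import json
import os
import sys

SEARCH_FILTER = "(&(objectClass=computer))"  # filter quoted in the thread
ATTRS = ["dNSHostName", "operatingSystem"]   # standard AD computer attributes
# Constructed sample entry in ldap3's response shape, for offline runs (--sample)
SAMPLE = [{"type": "searchResEntry", "dn": "CN=WEB01,OU=Servers,DC=example,DC=com",
           "attributes": {"dNSHostName": "WEB01.example.com",
                          "operatingSystem": "Windows Server 2019 Standard"}}]


def first(value):
    """ldap3 returns a string, or a (possibly empty) list, per attribute."""
    value = value[0] if isinstance(value, (list, tuple)) and value else value
    return value or None


def build_inventory(entries):
    """Convert ldap3 search entries into Ansible's --list JSON structure."""
    inv = {"_meta": {"hostvars": {}}, "all": {"hosts": []}}
    for entry in entries:
        attrs = entry.get("attributes", {})
        host = (first(attrs.get("dNSHostName")) or "").lower()
        if not host:  # computer object without a DNS name: not reachable, skip
            continue
        os_name = first(attrs.get("operatingSystem")) or "unknown"
        group = "os_" + "".join(c if c.isalnum() else "_" for c in os_name.lower())
        inv["all"]["hosts"].append(host)
        inv.setdefault(group, {"hosts": []})["hosts"].append(host)
        inv["_meta"]["hostvars"][host] = {"ad_dn": entry.get("dn"), "ad_os": os_name}
    return inv


def query_ad():
    """Bind over LDAPS; credentials come from the environment, not an .ini file."""
    from ldap3 import Server, Connection, SUBTREE  # imported lazily: live use only
    conn = Connection(Server(os.environ["AD_INV_SERVER"], use_ssl=True),
                      user=os.environ["AD_INV_USER"],
                      password=os.environ["AD_INV_PASSWORD"], auto_bind=True)
    results = conn.extend.standard.paged_search(
        os.environ["AD_INV_BASE_DN"], SEARCH_FILTER, search_scope=SUBTREE,
        attributes=ATTRS, paged_size=500, generator=True)
    return [r for r in results if r.get("type") == "searchResEntry"]


if __name__ == "__main__":
    entries = SAMPLE if "--sample" in sys.argv else query_ad()
    print("{}" if "--host" in sys.argv else json.dumps(build_inventory(entries)))
```

`--host` prints `{}` because per-host variables are already returned under `_meta` in the `--list` output.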