LDAP modules

Hello,

I’m working on an Ansible project that requires bootstrapping an LDAP directory. In my case, the goal is to set up an LDAP service in the same way one would set up MySQL or any other data store. Since Ansible doesn’t have any LDAP modules, I went ahead and wrote a couple, going so far as to integrate them into an ansible fork (ldap_entry, ldap_attr), with documentation (ldap_entry, ldap_attr) and integration tests. It looks like there have been a few other blips of interest in LDAP in ansible, but I don’t see anything on the developer list, so I thought I’d kick off that thread.

My particular situation involves a single-server infrastructure running, among other things, slapd (the openldap server). The actual content of our LDAP directory is of course managed dynamically through other tools, so my need for LDAP modules just extends to server configuration and perhaps a few structural entries. In the past, slapd configuration was taken from a normal text file, but that’s no longer the case: current versions of slapd keep the server configuration in a special LDAP directory under cn=config. While it is theoretically possible to configure a slapd server by manipulating files on disk, this is fraught with danger and highly discouraged. The correct way to do it is over the LDAP protocol itself.

With the two simple modules linked above, I’ve been able to do everything I need to get from Ubuntu’s default slapd install to something that our own user-management tools can work with. Not surprisingly, the documented examples closely match my own use of the modules:

  1. Configure a directory, including root DN (e.g. dc=example,dc=com), ACL, indexes, etc.
  2. Create the root entry plus a few structural entries (e.g. ou=users,dc=example,dc=com).
  3. Create one or more built-in administrative users for our other tools and services to use (e.g. cn=admin,dc=example,dc=com).
LDAP is a fairly broad topic–as I’ve discovered writing django-auth-ldap–but I believe that asserting the presence/absence of entries and the presence/absence of attribute values covers all normal scenarios for declaring the state of a directory. If additional features are needed, they will most likely have to do with connection options such as authentication methods and TLS. There are other ways that one might rely on LDAP for server configuration, such as looking up configuration information or iterating over entries, but I would suggest that such things are largely independent projects.

The questions on the table, then, are:

  1. Has anyone else encountered or anticipated this need?
  2. Are there configuration scenarios that are not covered by the given model?
  3. Are there LDAP server implementations for which additional work would be required to accomplish the same configuration tasks?
Thanks,

Peter
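The "assert presence/absence of entries and attribute values" model described in the post, worked through as an added example. This is not code from Peter's ldap_entry/ldap_attr modules or from Ansible; the function names (plan_attr, plan_entry, apply_modlist, bootstrap), the in-memory directory standing in for slapd, and the starting cn=config values are all constructed here. It plans the minimal modify/add/delete operations for the three bootstrap steps (database settings under cn=config, structural entries, an admin service account) and shows that a second run is a no-op, which is the idempotency an Ansible module needs. The modlist shape and the MOD_* values match python-ldap's, so the same plans could be handed to ldap.modify_s/ldap.add_s against a real server.

```python
"""Declarative LDAP state planner (added example; assumed names throughout)."""
from typing import Dict, List, Optional, Tuple

# Same numeric values python-ldap uses for ldap.MOD_ADD / MOD_DELETE / MOD_REPLACE
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2

Entry = Dict[str, List[str]]   # attribute name -> values
Directory = Dict[str, Entry]   # DN -> entry (constructed stand-in for a live slapd)
Mod = Tuple[int, str, List[str]]


def plan_attr(entry: Entry, name: str, values: List[str], state: str) -> List[Mod]:
    """Modlist that brings attribute `name` of `entry` to `state`.

    present: every value in `values` exists (other values are kept)
    absent:  none of `values` exist
    exact:   the attribute holds exactly `values` (empty list removes it)
    An empty modlist means the entry already matches, so applying is idempotent.
    """
    current = list(entry.get(name, []))
    if state == "present":
        missing = [v for v in values if v not in current]
        return [(MOD_ADD, name, missing)] if missing else []
    if state == "absent":
        extra = [v for v in values if v in current]
        return [(MOD_DELETE, name, extra)] if extra else []
    if state == "exact":
        if set(current) == set(values):
            return []
        # olcAccess ordering is carried in the {n} prefix of each value, so a
        # set comparison is safe; an empty target deletes the whole attribute.
        return [(MOD_DELETE, name, [])] if not values else [(MOD_REPLACE, name, list(values))]
    raise ValueError(f"unknown state {state!r}")


def plan_entry(directory: Directory, dn: str, state: str,
               object_class: Optional[List[str]] = None,
               attributes: Optional[Entry] = None) -> Optional[tuple]:
    """('add', dn, entry), ('delete', dn) or None when nothing needs to change."""
    exists = dn in directory
    if state == "present":
        if exists:
            return None
        entry: Entry = {"objectClass": list(object_class or [])}
        entry.update({k: list(v) for k, v in (attributes or {}).items()})
        return ("add", dn, entry)
    if state == "absent":
        return ("delete", dn) if exists else None
    raise ValueError(f"unknown state {state!r}")


def apply_modlist(entry: Entry, modlist: List[Mod]) -> None:
    """Apply a modlist to the in-memory entry (what modify_s would do server-side)."""
    for op, name, vals in modlist:
        if op == MOD_ADD:
            entry.setdefault(name, []).extend(vals)
        elif op == MOD_DELETE:
            if not vals:
                entry.pop(name, None)
            else:
                entry[name] = [v for v in entry.get(name, []) if v not in vals]
        elif op == MOD_REPLACE:
            entry[name] = list(vals)


def apply_change(directory: Directory, change: Optional[tuple]) -> int:
    """Apply an entry-level plan; returns 1 if something changed, else 0."""
    if change is None:
        return 0
    if change[0] == "add":
        directory[change[1]] = change[2]
    else:
        del directory[change[1]]
    return 1


def fresh_directory() -> Directory:
    """Constructed stand-in for the cn=config database entry of a default install."""
    return {"olcDatabase={1}mdb,cn=config": {
        "objectClass": ["olcDatabaseConfig", "olcMdbConfig"],
        "olcSuffix": ["dc=nodomain"],
        "olcRootDN": ["cn=admin,dc=nodomain"],
        "olcDbIndex": ["objectClass eq"],
        "olcAccess": ["{0}to * by * read"],
    }}


def bootstrap(directory: Directory) -> int:
    """Steps 1-3 from the post as declarative assertions; returns the op count."""
    ops = 0
    db = directory["olcDatabase={1}mdb,cn=config"]
    # Step 1: suffix, root DN, indexes and ACLs on the existing database entry.
    for name, values, state in [
        ("olcSuffix", ["dc=example,dc=com"], "exact"),
        ("olcRootDN", ["cn=admin,dc=example,dc=com"], "exact"),
        ("olcDbIndex", ["objectClass eq", "uid eq"], "present"),
        ("olcAccess", ["{0}to attrs=userPassword by self write by anonymous auth by * none",
                       "{1}to * by self write by users read by * none"], "exact"),
    ]:
        modlist = plan_attr(db, name, values, state)
        apply_modlist(db, modlist)
        ops += len(modlist)
    # Steps 2 and 3: root and structural entries, then a service account whose
    # userPassword is a placeholder for a hash produced by slappasswd.
    for dn, classes, attrs in [
        ("dc=example,dc=com", ["dcObject", "organization"], {"dc": ["example"], "o": ["Example"]}),
        ("ou=users,dc=example,dc=com", ["organizationalUnit"], {"ou": ["users"]}),
        ("cn=admin,dc=example,dc=com", ["simpleSecurityObject", "organizationalRole"],
         {"cn": ["admin"], "userPassword": ["{SSHA}PLACEHOLDER-hash-from-slappasswd"]}),
    ]:
        ops += apply_change(directory, plan_entry(directory, dn, "present", classes, attrs))
    return ops


if __name__ == "__main__":
    d = fresh_directory()
    print("first run ops:", bootstrap(d), "second run ops:", bootstrap(d))
```

The point of the exact/present/absent split is that the ACL and suffix must be replaced wholesale (a stale olcAccess line left behind is an authorization bug, not a cosmetic one), while indexes can safely be added alongside whatever is already there. Against a real server the cn=config writes would go over ldapi:/// with SASL EXTERNAL as the local root user, which is how current slapd packages expose the config database without a password.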

Sorry for the lack of feedback on this one, there may be a shortage of people trying to populate LDAP this way :)

First off, minor process issue - I’d request that you remove the docs mirror at complicates our Google indexing, and it’s confusing because it implies these modules are part of ansible for others reading. If you want to keep this internal to your company that’s fine.

To me, I think it would be a little weird having a list of all users in YAML as authoritative and then trying to feed into LDAP, just a bit, as I think of ansible being more usually about configuring computer resources.

Or maybe it’s a bit more because mostly people want to read Active Directory?

Anyway, I suspect most likely we would want to see more interest before this might be something we’d be interested in core, but it could be something that could be carried as some modules in a “./library” directory of a galaxy role, perhaps?

Just as a data point - I found this thread because I wanted to do exactly the same thing: set up the basics of a slapd server on a fresh machine.

So, thanks, Peter - I’ll take a look at your stuff, and you’re not alone!

All the best,
Quentin