LDAPSearch Ansible Playbook

Hello, I’m attempting an LDAP search using an Ansible playbook to list the usernames. Unfortunately, it’s not working as expected. Does anyone have any tips or insights regarding this?

My playbook:

---
- name: Query AD for User List
  hosts: localhost
  vars:
    ansible_python_interpreter: /usr/bin/python3
  tasks:
    - name: Query AD for users
      community.general.ldap_search:
        server_uri: ldap://domain.xy:389
        dn: "OU=Mitarbeiter,OU=PM,DC=domain,DC=xy"
        bind_dn: "CN=SU_PM_AWX,OU=PM,DC=domain,DC=xy"
        bind_pw: "xyz"
        filter: "(objectClass=user)"
        #validate_certs: no
        #attrs:
          #- "sAMAccountName"
      register: ad_users


    - name: Display AD Users
      debug:
        var: ad_users

Output:

PLAY [Query AD for User List] ************************************************************************************************************************************************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Query AD for users] ****************************************************************************************************************************************************************************************************************************************************
ok: [localhost]

TASK [Display AD Users] ******************************************************************************************************************************************************************************************************************************************************
ok: [localhost] => {
    "ad_users": {
        "changed": false,
        "failed": false,
        "results": []
    }
}

PLAY RECAP *******************************************************************************************************************************************************************************************************************************************************************
localhost                  : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

Hello Emre

Have you tried using the -vvv flag to get more debugging output?

Have you tried setting your ‘filter:’ line to one of the ad_users you’re searching for, just to test whether the LDAP server answers (correctly) at all?

cheers
Wolf-Agathon

Hello @wa_schaly,

I tried it with -vvv, but it doesn't show much more relevant information.
I also tried executing an ldapsearch command from the CLI with the same parameters and credentials, and it works fine.

Kind Regards,
Emre

Oops, my question was not good enough :slight_smile:

What I meant:
can you delete the entire section ‘- name: Display AD Users’,
delete the line ‘register: …’,
and can you please set the filter to ‘(&(objectclass=user)(uid=some_numeric_existing_UID))’
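The playbook in the original question and the narrowed-filter test suggested above can both be covered by one diagnostic playbook. The following is an added example, not the original poster's playbook and not from the community.general project: it assumes the same OU, bind DN and server as the question, that the bind password is supplied through an AD_BIND_PW environment variable, and that sAMAccountName comes back as a single string per result. Two things it adds are worth knowing: community.general.ldap_search defaults to scope base, which examines only the OU object named in dn (an organizationalUnit never matches objectClass=user, so an empty results list is the expected outcome with that scope), and an empty result is turned into a failed task instead of an ok=3 recap that looks like success.

```yaml
---
- name: Query AD for User List (added diagnostic example)
  hosts: localhost
  gather_facts: false
  vars:
    ansible_python_interpreter: /usr/bin/python3
    # Same search base, bind account and server as in the question (placeholders).
    ad_server_uri: "ldap://domain.xy:389"
    ad_search_base: "OU=Mitarbeiter,OU=PM,DC=domain,DC=xy"
    ad_bind_dn: "CN=SU_PM_AWX,OU=PM,DC=domain,DC=xy"
    # Assumption: the bind password is injected via the AD_BIND_PW environment
    # variable (or an AWX credential) rather than written into the playbook.
    ad_bind_pw: "{{ lookup('env', 'AD_BIND_PW') }}"
  tasks:
    - name: Query AD for users (subtree scope, only the attribute we need)
      community.general.ldap_search:
        server_uri: "{{ ad_server_uri }}"
        bind_dn: "{{ ad_bind_dn }}"
        bind_pw: "{{ ad_bind_pw }}"
        dn: "{{ ad_search_base }}"
        # The module's default scope is 'base', which returns only the OU object
        # itself; 'subtree' descends into the OU and any nested OUs.
        scope: subtree
        # In AD, computer objects also carry objectClass=user, so exclude them.
        filter: "(&(objectClass=user)(!(objectClass=computer)))"
        attrs:
          - sAMAccountName
      register: ad_users
      # Keep the bind password out of -vvv output and AWX job logs.
      no_log: true

    - name: Fail loudly instead of silently accepting an empty result
      ansible.builtin.assert:
        that:
          - ad_users.results | length > 0
        fail_msg: >-
          No user objects found under {{ ad_search_base }}.
          Check the search base, the scope and the bind account's read permission.

    - name: Display AD usernames
      ansible.builtin.debug:
        msg: "{{ ad_users.results | map(attribute='sAMAccountName') | list }}"
```

Run it with `AD_BIND_PW='...' ansible-playbook ad_users.yml`. To reproduce the single-account test proposed above, replace the filter with the narrowed one (for Active Directory, matching on sAMAccountName is usually more reliable than on uid, which many AD accounts do not populate). Once the query works, switching server_uri to ldaps:// or setting start_tls: true keeps the bind credentials off the wire in clear text.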

Hi,

Just to get this out of the way, are you getting results using ldapsearch (or any other CLI tool that lets you query an LDAP directory) with the same filter?