Sorry, I’m unclear on what you are trying to do still.
Avoid duplicating data into playbook, inventory or vars files which I already have in a canonical store (LDAP in this case).
I guess I’m a bit confused because there are lookup questions, data structure questions, and LDAP questions kind of all together.
LDAP is only coincidental, but yes, I still think there are lots of things to be done for lookups and data structures in Ansible.
If you’re wanting to write a lookup plugin to walk an arbitrary unique data structure, that’s a good idea.
I agree that this is something that’s missing.
I would not think you would need to write a module, unless that module was to get some things from LDAP, and even then MAYBE you’d be better off just writing an inventory plugin that pulled your hosts from LDAP and set some group variables about the users and so on at the same time.
In this case, I wanted to give our users access to hosts in ec2. They already have user accounts in our corporate LDAP server, and zero or more ssh keys per user as well. So instead of having to specify the users, including gecos field, shell and ssh keys in the playbook or vars files, I want to just give a list of usernames, and have those attributes that make sense copied from our internal directory server to the virtual host in ec2. Without having to set up an LDAP server in ec2, or a VPN from ec2 to our office or anything like that.
To me it feels natural to specify the list of users in either vars or the playbook instead of changing the inventory (script) when the list of users changes or I want to specify a set of users for a new host. And I also wouldn’t want to fetch the list of all users (basically dumping the whole directory) on every ansible run.
That said, I still think more options for handling complex data structures in playbooks would be welcome. And is it possible to populate a var from a lookup without flattening the complex data structure into a string? That would also have been handy.
Sorry for being so confusing,
Paul
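An added example, not code from the thread or from Ansible itself, of the lookup plugin Paul describes: the playbook supplies only a list of usernames, and the plugin returns one dict per user with the attributes that make sense to copy (uidNumber, gecos, login shell, the `sshPublicKey` values from the OpenSSH-LPK schema) queried from LDAP one exact match at a time, so nothing like a full directory dump happens on each run. It is written against the current `ansible.plugins.lookup.LookupBase` API rather than the plugin API of the time, and the plugin name `users_from_ldap`, the `url`/`base_dn`/`bind_dn`/`password` parameters, the attribute list and the sample directory entries are all assumptions. The LDAP call sits behind a search callable so the same code runs offline against a constructed in-memory directory; the real callable uses python-ldap. The username is RFC 4515-escaped before it goes into the filter, because a name taken from vars is still untrusted input to the filter syntax.

```python
"""users_from_ldap: an Ansible lookup plugin (added example, not Ansible's own code).

Given a list of usernames, return a list of dicts holding only the account
attributes a host needs (uid, uidNumber, gecos, loginShell, sshPublicKey).
The structure is preserved: the playbook gets a list of dicts, not a string.
"""

try:  # real plugin base when run under Ansible; fallback so the module imports without it
    from ansible.plugins.lookup import LookupBase
    from ansible.errors import AnsibleError
except ImportError:
    class LookupBase:  # stand-in with the same shape; assumption for offline use
        def __init__(self, *args, **kwargs):
            pass

    class AnsibleError(Exception):
        pass

# Whitelist of attributes copied to the host; everything else in the entry is ignored.
COPIED_ATTRS = ("uid", "uidNumber", "gecos", "loginShell", "sshPublicKey")

# RFC 4515 filter escaping: these characters would otherwise change the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(username: str) -> str:
    """Exact-match filter for one posixAccount; no wildcards can leak in."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(username)


def entry_to_user(attrs: dict) -> dict:
    """Pick the whitelisted attributes out of a python-ldap style entry
    ({attr: [bytes, ...]}). sshPublicKey stays a list (zero or more keys);
    the other attributes are single-valued and are unwrapped."""
    user = {}
    for name in COPIED_ATTRS:
        values = [v.decode() if isinstance(v, bytes) else v for v in attrs.get(name, [])]
        if name == "sshPublicKey":
            user[name] = values
        elif values:
            user[name] = values[0]
    return user


def users_from_directory(usernames, search):
    """search(filterstr) -> list of (dn, attrs). One query per requested user,
    so a run never pulls the whole directory. A username that matches zero or
    several entries is an error rather than a silently skipped account."""
    users = []
    for name in usernames:
        entries = search(uid_filter(name))
        if len(entries) != 1:
            raise AnsibleError("expected exactly one entry for uid %r, got %d" % (name, len(entries)))
        users.append(entry_to_user(entries[0][1]))
    return users


def ldap_search(url, base_dn, bind_dn=None, password=None):
    """Build a search callable over python-ldap (the `ldap` package is assumed installed).
    Imported lazily so the offline demo and tests need no directory server."""
    import ldap
    conn = ldap.initialize(url)
    conn.simple_bind_s(bind_dn or "", password or "")
    return lambda filterstr: conn.search_s(base_dn, ldap.SCOPE_SUBTREE, filterstr, list(COPIED_ATTRS))


class LookupModule(LookupBase):
    """Playbook usage (assumed parameter names):
    users: "{{ lookup('users_from_ldap', ['alice', 'bob'],
                      url='ldaps://ldap.example.com',
                      base_dn='ou=People,dc=example,dc=com', wantlist=True) }}"
    """

    def run(self, terms, variables=None, **kwargs):
        search = ldap_search(kwargs["url"], kwargs["base_dn"],
                             kwargs.get("bind_dn"), kwargs.get("password"))
        return users_from_directory(terms, search)


# Constructed in-memory directory for the offline demo, in python-ldap's result shape.
FAKE_DIRECTORY = {
    uid_filter("alice"): [(
        "uid=alice,ou=People,dc=example,dc=com",
        {"uid": [b"alice"], "uidNumber": [b"1001"], "gecos": [b"Alice Example"],
         "loginShell": [b"/bin/bash"],
         "sshPublicKey": [b"ssh-ed25519 AAAAC3... alice@laptop",
                          b"ssh-ed25519 AAAAC3... alice@desk"],
         "userPassword": [b"{SSHA}..."]},  # present in the directory, never copied
    )],
    uid_filter("bob"): [(
        "uid=bob,ou=People,dc=example,dc=com",
        {"uid": [b"bob"], "uidNumber": [b"1002"], "gecos": [b"Bob Example"],
         "loginShell": [b"/bin/zsh"]},  # no keys: sshPublicKey comes back as []
    )],
}


def fake_search(filterstr):
    """Offline stand-in for the python-ldap search callable."""
    return FAKE_DIRECTORY.get(filterstr, [])


def demo():
    """Resolve the two constructed users without touching a network."""
    return users_from_directory(["alice", "bob"], fake_search)


if __name__ == "__main__":
    for user in demo():
        print(user)
```

On the flattening question: Jinja's `lookup()` joins a plugin's result list into a comma-separated string unless it is called with `wantlist=True` (or via `query()` in newer releases), so that flag is what keeps the list of dicts intact when it is assigned to a var. A user task can then loop over `users` and use `item.sshPublicKey` with `authorized_key`, and a missing user fails the run at lookup time instead of quietly producing a host with no account.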