Removing an LDAP attribute regardless of its value

Hi,
I am trying to remove an attribute from an LDAP entry, in this case the password that was put in during installation of the slapd package.

Initially I have this:

root@dick-dev1:~# ldapsearch -Q -LLL -Y EXTERNAL -b cn=config olcDatabase={1}mdb
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=geant,dc=org
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=geant,dc=org
olcRootPW: {SSHA}tRU7YUk8WUdcA04ZbYAv1985nUcMrjRZ
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

This LDIF:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW

can be successfully used with ldapmodify:

root@dick-dev1:~# ldapmodify -Y EXTERNAL -f bar.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"

After which the entry looks like this:

root@dick-dev1:~# ldapsearch -Q -LLL -Y EXTERNAL -b cn=config olcDatabase={1}mdb
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=geant,dc=org
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=geant,dc=org
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

I.e., the olcRootPW attribute is now gone. Great.

I want to use ansible to achieve the same thing, but I can’t figure out how to do that.
I can’t use ldap_entry because that can only remove entire entries.
According to https://docs.ansible.com/ansible/latest/collections/community/general/ldap_attrs_module.html, this is to “Add or remove multiple LDAP attribute values”.
That seems like what I need.

But according to https://docs.ansible.com/ansible/latest/collections/community/general/ldap_attrs_module.html#parameter-attributes:

The attribute(s) and value(s) to add or remove.

That works, but I need to supply both the attribute AND its value.
I cannot seem to remove just the attribute, regardless of its value.
Any idea how to do that? I.e. without adding helper tasks to first check if the attribute exists, and if so, get its value?

thx :)

Dick
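Editor's note, added example (not code from the original post or from Ansible): what the LDIF above asks the server to do is a single LDAP modify with a delete change that names the attribute and no values, which RFC 4511 defines as "remove the whole attribute". Any client that speaks the protocol can send exactly that, including python-ldap, which is the library Ansible's ldap modules are built on. The block below models that operation in plain Python (constants mirror python-ldap's MOD_* values; the entry dict and simulated server are constructed for illustration), renders it back to LDIF, and in `delete_attribute_via_ldapi` issues it against a live slapd over the local socket with SASL EXTERNAL, the same bind the ldapmodify call above used. It also shows the one failure mode that matters for idempotent automation: a second delete returns noSuchAttribute, so a blind delete fails on re-runs unless that result is tolerated. Two caveats a practitioner should keep in mind: once olcRootPW is gone, the olcRootDN can only authenticate if an entry with that DN and a userPassword exists inside the database; and the {SSHA} hash pasted in the post is now public and should be treated as exposed.

```python
"""Added example (not from the original post): the LDAP modify operation
the LDIF above expresses, modelled in plain Python and then issued for real
with python-ldap.  MOD_* mirror python-ldap's constants; the in-memory entry
and the simulated server below are constructed for illustration only."""
from __future__ import annotations

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2   # same numeric values as python-ldap


def delete_attribute_modlist(attr: str, values: list[bytes] | None = None):
    """Build a modlist for a delete change.

    values=None deletes the attribute whatever its current value(s); this is
    what 'delete: olcRootPW' with no value lines in LDIF means (RFC 4511 4.6).
    A non-empty list deletes only those values and leaves the rest in place.
    """
    return [(MOD_DELETE, attr, values)]


def apply_modlist(entry: dict[str, list[bytes]], modlist):
    """Simulate how an LDAP server applies a modlist to one entry.

    Returns a new dict and leaves the input untouched; raises KeyError
    ('noSuchAttribute') where a real server would return that result code,
    which is why a blind delete is not idempotent unless the error is handled.
    """
    new = {k: list(v) for k, v in entry.items()}
    for op, attr, values in modlist:
        if op == MOD_DELETE:
            if attr not in new:
                raise KeyError("noSuchAttribute: %s" % attr)
            if values is None:            # no values given: drop the whole attribute
                del new[attr]
            else:                         # values given: drop just those values
                for v in values:
                    if v not in new[attr]:
                        raise KeyError("noSuchAttribute: %s value" % attr)
                    new[attr].remove(v)
                if not new[attr]:         # last value removed -> attribute is gone
                    del new[attr]
        elif op == MOD_ADD:
            new.setdefault(attr, []).extend(values)
        elif op == MOD_REPLACE:
            if values:
                new[attr] = list(values)
            else:                         # replace with nothing == delete
                new.pop(attr, None)
    return new


def modlist_to_ldif(dn: str, modlist) -> str:
    """Render a modlist as the 'changetype: modify' LDIF ldapmodify accepts."""
    opname = {MOD_ADD: "add", MOD_DELETE: "delete", MOD_REPLACE: "replace"}
    lines = ["dn: %s" % dn, "changetype: modify"]
    for op, attr, values in modlist:
        lines.append("%s: %s" % (opname[op], attr))
        for v in values or []:            # a value-less delete emits no value lines
            lines.append("%s: %s" % (attr, v.decode()))
        lines.append("-")
    return "\n".join(lines) + "\n"


def delete_attribute_via_ldapi(dn: str, attr: str, uri: str = "ldapi:///") -> None:
    """Issue the same operation against a live slapd over the local socket,
    binding with SASL EXTERNAL like the ldapmodify call in the post.
    Needs python-ldap and a uid/gid that cn=config lets modify (root here)."""
    import ldap  # python-ldap; imported here so the rest of the file runs without it
    conn = ldap.initialize(uri)
    conn.sasl_external_bind_s()
    try:
        conn.modify_s(dn, delete_attribute_modlist(attr))
    except ldap.NO_SUCH_ATTRIBUTE:
        pass  # already absent: treat as success so repeated runs are idempotent
    finally:
        conn.unbind_s()


if __name__ == "__main__":
    # Constructed stand-in for the olcDatabase={1}mdb entry shown in the post.
    entry = {
        "olcRootDN": [b"cn=admin,dc=geant,dc=org"],
        "olcRootPW": [b"{SSHA}<redacted>"],
    }
    print(modlist_to_ldif("olcDatabase={1}mdb,cn=config",
                          delete_attribute_modlist("olcRootPW")))
    print(apply_modlist(entry, delete_attribute_modlist("olcRootPW")))
```

Usage: `delete_attribute_via_ldapi("olcDatabase={1}mdb,cn=config", "olcRootPW")` run as root on the slapd host is the one-call equivalent of the ldapmodify step above, without a preceding search to learn the current value; the NO_SUCH_ATTRIBUTE handling is what makes it safe to run twice.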

Sounds fun, I landed on https://git.theo-andreou.org/Personal/ansible-ldap-modules/src/commit/03bc81122d419a0cede79a97d802af2fb700d73d/README.md?lang=tr-TR#user-content-removing-an-attribute which might do what you want