Using ldap_attr to set root password works but shows failed

I’m using the following to set my LDAP root password:
```yaml
- name: generate ldap admin password hash
  command: "/usr/sbin/slappasswd -s PASSWORD"
  register: slapd_admin_password_hash
  tags: ldap

- name: set ldap admin password
  become: yes
  ldap_attr:
    dn: "olcDatabase={1}hdb,cn=config"
    name: olcRootPW
    values: "{{ slapd_admin_password_hash.stdout }}"
    state: exact
  tags: ldap
```

It works; the password is set (in this case to PASSWORD) but the step shows an error:

```
fatal: [10.10.9.80]: FAILED! => {"changed": false, "details": "{'desc': 'No such object'}", "failed": true, "msg": "Attribute action failed."}
```

I’m completely new to LDAP from the admin side so it’s possible it’s more an LDAP misunderstanding than an Ansible one. Can anyone tell me what’s happening?

I'm using Ansible 2.3.0 on Arch Linux, configuring an Ubuntu Trusty server.

Thanks,
Kev

Kevin Hughes wrote:

> I'm using the following to set my LDAP root password:
>
> - name: generate ldap admin password hash
>   command: "/usr/sbin/slappasswd -s PASSWORD"
>   register: slapd_admin_password_hash
>   tags: ldap
>
> - name: set ldap admin password
>   become: yes
>   ldap_attr:
>     dn: "olcDatabase={1}hdb,cn=config"
>     name: olcRootPW
>     values: "{{ slapd_admin_password_hash.stdout }}"
>     state: exact
>   tags: ldap

> It works; the password is set (in this case to PASSWORD) but the step shows an error:

How did you check that the olcRootPW attribute was really changed?
Are you 100% sure that the modify operation was successful by setting and checking a
_different_ password and/or by looking at the OpenLDAP log?

> fatal: [10.10.9.80]: FAILED! => {"changed": false, "details": "{'desc': 'No such
> object'}", "failed": true, "msg": "Attribute action failed."}

I've glanced over this ldap ansible module a couple of months ago but I don't know the
inner working in detail. And diving into the various OpenLDAP details would be off-topic
here.

But when using ansible (or another configuration management tool) my *strong* recommendation
is to use the static configuration method (a.k.a. slapd.conf) and generate the config file(s)
with Jinja templates. This is *much* less hassle regarding idempotent changes.

> I'm completely new to LDAP from the admin side so it's possible it's more an LDAP
> misunderstanding than an Ansible one. Can anyone tell me what's happening?

I'd recommend subscribing to the openldap-technical mailing list and asking OpenLDAP usage
questions there. Preferably you should try to make the LDAP operation work with
OpenLDAP's command-line ldapmodify before trying to use ansible + 3rd party module(s).

Ciao, Michael.
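Michael's two suggestions above, proving the change with a bind rather than trusting the module's result, and getting the operation to work with ldapmodify before involving Ansible, as one shell script. This is an added example, not code from the thread, from Ansible, or from the OpenLDAP project. The database DN `olcDatabase={1}hdb,cn=config`, the `ldapi:///` socket, and the root DN `cn=admin,dc=example,dc=com` are assumptions; check yours with the `show_db_entry` step first, because an LDAP "No such object" (result code 32) means the target DN was not found or is not visible to the identity you bound as, so it is not a sign that the modify half-succeeded. The script also avoids `slappasswd -s PASSWORD`, which leaves the cleartext password in the process list and in Ansible's task output, by reading the password from a file with `-T` and `-y`.

```shell
#!/bin/sh
# Added example (not from the original thread): set olcRootPW with the OpenLDAP
# command-line tools and verify the change by binding with the new password.
# Hypothetical values: the database entry olcDatabase={1}hdb,cn=config, slapd
# reachable over ldapi:///, and an olcRootDN of cn=admin,dc=example,dc=com.
set -u

DB_DN='olcDatabase={1}hdb,cn=config'
LDAPI='ldapi:///'

# Build the modify LDIF that replaces olcRootPW with the given hash. A 'replace'
# on a single-valued attribute is what ldap_attr's state: exact amounts to here.
rootpw_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: olcRootPW\nolcRootPW: %s\n' "$DB_DN" "$1"
}

# slappasswd output must carry a scheme prefix such as {SSHA}; a value without one
# would be stored and compared as cleartext.
hash_looks_valid() {
    case "$1" in
        '{SSHA}'*|'{SHA}'*|'{CRYPT}'*|'{SMD5}'*|'{MD5}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 0: prove the target DN exists and is visible to the identity we bind as
# (SASL EXTERNAL over ldapi, i.e. the local root user). If this says
# "No such object", the DN is wrong or invisible to us; list the databases with
#   ldapsearch -LLL -Q -Y EXTERNAL -H ldapi:/// -b cn=config '(olcDatabase=*)' olcDatabase
show_db_entry() {
    ldapsearch -LLL -Q -Y EXTERNAL -H "$LDAPI" -b "$DB_DN" -s base olcRootDN olcRootPW
}

# Steps 1 and 2: hash a password read from a file (slappasswd -T keeps it off the
# command line and out of ps and shell history) and apply the LDIF as root over ldapi.
set_rootpw() {
    pwfile=$1
    hash=$(slappasswd -T "$pwfile") || return 1
    hash_looks_valid "$hash" || { echo "unexpected hash: $hash" >&2; return 1; }
    rootpw_ldif "$hash" | ldapmodify -Q -Y EXTERNAL -H "$LDAPI"
}

# Step 3: the check that actually proves the change. Binding as the root DN with the
# new password succeeds (ldapwhoami prints the DN) or fails with invalid credentials.
# Reading olcRootPW back with ldapsearch only shows the stored value, base64-encoded
# as "olcRootPW::", and says nothing about whether it matches the password you meant.
verify_rootpw() {
    rootdn=$1; pwfile=$2
    ldapwhoami -x -H "$LDAPI" -D "$rootdn" -y "$pwfile"
}

# Usage: run as root on the LDAP host with "run" as the argument. Guarded so the file
# can also be sourced for its functions on a machine without ldap-utils.
if [ "${1:-}" = "run" ] && command -v ldapmodify >/dev/null 2>&1; then
    umask 077
    pwfile=$(mktemp)
    # Constructed test password. No trailing newline: -T and -y use the whole file.
    printf '%s' 'PASSWORD' > "$pwfile"
    show_db_entry
    set_rootpw "$pwfile"
    verify_rootpw 'cn=admin,dc=example,dc=com' "$pwfile"
    rm -f "$pwfile"
fi
```

Run it twice with two different passwords and bind with each; if the second bind works and the first no longer does, the modify went through regardless of what the Ansible task reported. The same `replace:` LDIF can then be fed back into the playbook, or the whole thing replaced by a templated slapd.conf as Michael suggests.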