On Apr 26, [email protected] wrote:
> After exhaustive Google searches I am under the impression that Ansible
> does not have an LDAP Module, and that LDAP is only used as input to
> formulate rights/permissions associated with executing whatever Ansible is
> configured to do. I did see some chatter that looked like an LDAP Module
> might be in the Dev Pipeline - True? I am also aware of the command-line
> utilities that come with OpenLDAP (for example) - would these be suitable
> "hooks" to allow Ansible to Add/Change/Delete Accounts in LDAP? Is this
> just so trivial that nobody has to talk about it? Thanks in Advance.

Hello,

You are probably talking about this thread?

http://grokbase.com/t/gg/ansible-devel/148892tek3/ldap-modules

The modules developed by psagers (ldap_attr, ldap_entry) are currently not in Ansible core, however I'm using them successfully in my project. They can be used to create and manage LDAP entries and modify their attributes. The current version of the modules (unofficial, although with the author's permission) is distributed with the DebOps official playbooks, and can be found here:

https://github.com/debops/debops-playbooks/tree/master/playbooks/library/database/ldap

If you're interested in working with Ansible and LDAP, there are a few things to consider. Using the modules directly in the roles or playbooks is straightforward; 'with_dict' is very useful to define attributes and their values. However, to make the roles and playbooks more portable, I've resorted to using a workaround in the form of several Ansible variables that define important information like LDAP server, bind DN and bind password in one place, which other roles can use as something akin to an API.

It all begins with the 'debops.secret' role, which maintains the variables. Some documentation explaining the feature and examples can be found here:

http://docs.debops.org/en/latest/ansible/roles/ansible-secret/docs/guides.html#how-to-use-ldap-variables

The 'debops.slapd' role can be used to configure an OpenLDAP server. It uses the 'ldap_attr' and 'ldap_entry' Ansible modules to configure the 'slapd' server using the cn=config method. Look at the tasks in the role to see how the LDAP variables are used:

https://github.com/debops/ansible-slapd

The client-side machine bind accounts are configured in yet another role, 'debops.auth'. It uses the LDAP modules to automatically create machine accounts so that access to the LDAP server by services like 'nslcd' can be authorized by the LDAP server:

https://github.com/debops/ansible-auth/blob/master/tasks/machine_bind_account.yml

The 'debops.gitlab' role can be configured to enable LDAP authentication in a GitLab instance. It uses the 'ldappassword' filter plugin (included in Ansible core) to generate and provide the necessary passwords:

https://github.com/debops/ansible-gitlab/blob/master/tasks/ldap_account.yml

Overall, I plan to include more LDAP support in my project in the future, as the need arises. I also would like to see the 'ldap_attr' and 'ldap_entry' modules merged into Ansible core (the 'ansible-modules-extras' repository seems like a good fit); perhaps someday the author will contribute them again. Alternatively, I plan to do it after checking if the modules work properly with Ansible v2.

Best Regards,
Maciej
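
The pattern described in the message above (bind details defined once, 'with_dict' supplying attribute names and values), as an added example that is not part of the original message and is not DebOps code. It assumes the 'ldap_attr' module is available in the playbook's library path and accepts the parameters dn, name, values, state, server_uri, bind_dn and bind_pw; all variable names, DNs, hostnames and file paths are hypothetical.

```yaml
# Added illustration. Variable names, DNs and paths are hypothetical placeholders.
- hosts: localhost            # runs where python-ldap and the ldap_attr module are installed
  connection: local
  vars:
    # Connection details kept in one place so every task refers to the same values.
    ldap_server_uri: 'ldaps://ldap.example.org'
    ldap_bind_dn: 'cn=admin,dc=example,dc=org'
    # Read from a file on the controller rather than written into the play itself.
    ldap_bind_pw: "{{ lookup('file', 'secret/ldap/admin_password') }}"
    ldap_account_dn: 'uid=jdoe,ou=People,dc=example,dc=org'

  tasks:
    - name: Set attributes on an existing entry, one module call per attribute
      ldap_attr:
        dn: '{{ ldap_account_dn }}'
        name: '{{ item.key }}'        # attribute name comes from the dict key
        values: '{{ item.value }}'    # attribute value comes from the dict value
        state: 'exact'                # replace whatever values the attribute had
        server_uri: '{{ ldap_server_uri }}'
        bind_dn: '{{ ldap_bind_dn }}'
        bind_pw: '{{ ldap_bind_pw }}'
      with_dict:
        mail: 'jdoe@example.org'
        loginShell: '/bin/bash'
      no_log: True                    # keep the bind password out of task output and logs
```

With 'no_log' set, a failing task reports only that output was hidden, so remove it temporarily on a test directory when debugging rather than on a production one.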
