Maciej, Thanks for your thorough response! I'll doodle with that and see how it works.

Best Regards,
Tim

On Wednesday, April 27, 2016 at 4:46:39 AM UTC-7, Maciej Delmanowski wrote:
> On Apr 26, [email protected] wrote:
> > After exhaustive Google searches I am under the impression that Ansible
> > does not have an LDAP Module, and that LDAP is only used as input to
> > formulate rights/permissions associated with executing whatever Ansible is
> > configured to do. I did see some chatter that looked like an LDAP Module
> > might be in the Dev Pipeline - True? I am also aware of the command-line
> > utilities that come with OpenLDAP (for example) - would these be suitable
> > "hooks" to allow Ansible to Add/Change/Delete Accounts in LDAP? Is this
> > just so trivial that nobody has to talk about it? Thanks in Advance.
>
> Hello,
>
> You are probably talking about this thread?
> http://grokbase.com/t/gg/ansible-devel/148892tek3/ldap-modules
>
> The modules developed by psagers (ldap_attr, ldap_entry) are currently not in
> Ansible core, however I'm using them successfully in my project. They can be
> used to create and manage LDAP entries and modify their attributes.
>
> The current version of modules (unofficial, although with author's permission)
> is distributed with the DebOps official playbooks, and can be found here:
>
> https://github.com/debops/debops-playbooks/tree/master/playbooks/library/database/ldap
>
> If you're interested in working with Ansible and LDAP, there are a few things
> to consider. Using the modules directly in the roles or playbooks is
> straightforward, 'with_dict' is very useful to define attributes and their
> values. However, to make the roles and playbooks more portable, I've resorted
> to using a workaround in the form of several Ansible variables that define
> important information like LDAP server, bind DN and bind password in one
> place, which other roles can use as something akin to an API.
>
> It all begins with 'debops.secret' role which maintains the variables. Some
> documentation explaining the feature and examples can be found here:
>
> http://docs.debops.org/en/latest/ansible/roles/ansible-secret/docs/guides.html#how-to-use-ldap-variables
>
> The 'debops.slapd' role can be used to configure an OpenLDAP server. It uses
> the 'ldap_attr' and 'ldap_entry' Ansible modules to configure the 'slapd'
> server using the cn=config method. Look at the tasks in the role to see how
> the LDAP variables are used:
> https://github.com/debops/ansible-slapd
>
> The client-side machine bind accounts are configured in yet another role,
> 'debops.auth'. It uses the LDAP modules to automatically create machine
> accounts so that access to the LDAP server by services like 'nslcd' can be
> authorized by the LDAP server:
>
> https://github.com/debops/ansible-auth/blob/master/tasks/machine_bind_account.yml
>
> The 'debops.gitlab' role can be configured to enable LDAP authentication in
> a GitLab instance. It uses the 'ldappassword' filter plugin (included in
> Ansible core) to generate and provide the necessary passwords:
> https://github.com/debops/ansible-gitlab/blob/master/tasks/ldap_account.yml
>
> Overall, I plan to include more LDAP support in my project in the future, as
> the need arises. I also would like to see the 'ldap_attr' and 'ldap_entry'
> modules merged into Ansible core (the 'ansible-modules-extras' repository
> seems like a good fit), perhaps someday the author will contribute them again.
> Alternatively I plan to do it after checking if the modules work properly with
> Ansible v2.
>
> Best Regards,
> Maciej
