Kevin Hughes wrote:
> I'm using the following to set my LDAP root password:
> - name: generate ldap admin password hash
>   command: "/usr/sbin/slappasswd -s PASSWORD"
>   register: slapd_admin_password_hash
>   tags: ldap
> - name: set ldap admin password
>   become: yes
>   ldap_attr:
>     dn: "olcDatabase={1}hdb,cn=config"
>     name: olcRootPW
>     values: "{{ slapd_admin_password_hash.stdout }}"
>     state: exact
>   tags: ldap
> 
> It works; the password is set (in this case to PASSWORD) but the step shows an error:

How did you check that the olcRootPW attribute was really changed?
Are you 100% sure that the modify operation was successful by setting and checking a _different_ password and/or by looking at the OpenLDAP log?

> fatal: [10.10.9.80]: FAILED! => {"changed": false, "details": "{'desc': 'No such object'}", "failed": true, "msg": "Attribute action failed."}

I've glanced over this ldap ansible module a couple of months ago but I don't know the inner working in detail. And diving into the various OpenLDAP details would be off-topic here.

But when using ansible (or another configuration management) my *strong* recommendation is to use static configuration method (aka as slapd.conf) and generate the config file(s) with Jinja templates. This is *much* less hassle regarding idempotent changes.

> I'm completely new to LDAP from the admin side so it's possible it's more an LDAP
> misunderstanding than an Ansible one. Can anyone tell me what's happening?

I'd recommend to subscribe to the openldap-technical mailing list and ask OpenLDAP usage questions there. Preferably you should try to make the LDAP operation work with OpenLDAP's command-line ldapmodify before trying to use ansible + 3rd party module(s).

Ciao, Michael.
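
Added example, not part of the original messages: the quoted playbook runs slappasswd on every play, and an {SSHA} value embeds a random salt, so the generated hash differs each run and an exact-match comparison of olcRootPW never settles. The Python sketch below (function names are hypothetical) assumes the standard {SSHA} layout base64(SHA1(password + salt) + salt) and a 4-byte salt, and decides whether a change is needed by verifying the password against the stored value instead of comparing hash strings.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20  # length of a SHA-1 digest in bytes


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value: base64(SHA1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)  # assumption: 4-byte random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_matches(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value by reusing its salt."""
    if stored[:len(SCHEME)].upper() != SCHEME:
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) <= SHA1_LEN:
        raise ValueError("value too short to contain a salt")
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def root_pw_needs_change(password: str, current_value: Optional[str]) -> bool:
    """Idempotence check: True only if the stored olcRootPW must be rewritten."""
    if current_value is None:
        return True  # attribute not set yet
    try:
        return not ssha_matches(password, current_value)
    except ValueError:
        return True  # other scheme or malformed value: replace it


if __name__ == "__main__":
    # Constructed sample: two hashes of the same password never compare equal.
    first, second = ssha_hash("PASSWORD"), ssha_hash("PASSWORD")
    print(first != second)                          # string comparison says "changed"
    print(root_pw_needs_change("PASSWORD", first))  # verification says no change
```
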
