ldap_attr - Add or remove LDAP attribute values.¶
New in version 2.3.
Parameters¶
Parameter | Choices/Defaults | Comments |
---|---|---|
bind_dn |
A DN to bind with. If this is omitted, we'll try a SASL bind with the EXTERNAL mechanism.
If this is blank, we'll use an anonymous bind.
|
|
bind_pw |
The password to use with bind_dn.
|
|
dn
required |
The DN of the entry to add or remove.
|
|
name
required |
The name of the attribute to modify.
|
|
server_uri |
Default: ldapi:///
|
A URI to the LDAP server.
The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location.
|
start_tls
bool |
|
If true, we'll use the START_TLS LDAP extension.
|
state |
|
The state of the attribute values. If
present , all given values will be added if they're missing. If absent , all given values will be removed if present. If exact , the set of values will be forced to exactly those provided and no others. If state=exact and value is an empty list, all values for this attribute will be removed. |
validate_certs
bool (added in 2.4) |
|
If set to
no , SSL certificates will not be validated.This should only be used on sites using self-signed certificates.
|
values
required |
The value(s) to add or remove. This can be a string or a list of strings. The complex argument format is required in order to pass a list of strings (see examples).
|
Notes¶
Note
- This only deals with attributes on existing entries. To add or remove whole entries, see ldap_entry.
- The default authentication settings will attempt to use a SASL EXTERNAL bind over a UNIX domain socket. This works well with the default Ubuntu install for example, which includes a cn=peercred,cn=external,cn=auth ACL rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in bind_dn and bind_pw.
- For state=present and state=absent, all value comparisons are performed on the server for maximum accuracy. For state=exact, values have to be compared in Python, which obviously ignores LDAP matching rules. This should work out in most cases, but it is theoretically possible to see spurious changes when target and actual values are semantically identical but lexically distinct.
Examples¶
- name: Configure directory number 1 for example.com
ldap_attr:
dn: olcDatabase={1}hdb,cn=config
name: olcSuffix
values: dc=example,dc=com
state: exact
# The complex argument format is required here to pass a list of ACL strings.
- name: Set up the ACL
ldap_attr:
dn: olcDatabase={1}hdb,cn=config
name: olcAccess
values:
- >-
{0}to attrs=userPassword,shadowLastChange
by self write
by anonymous auth
by dn="cn=admin,dc=example,dc=com" write
by * none'
- >-
{1}to dn.base="dc=example,dc=com"
by dn="cn=admin,dc=example,dc=com" write
by * read
state: exact
- name: Declare some indexes
ldap_attr:
dn: olcDatabase={1}hdb,cn=config
name: olcDbIndex
values: "{{ item }}"
with_items:
- objectClass eq
- uid eq
- name: Set up a root user, which we can use later to bootstrap the directory
ldap_attr:
dn: olcDatabase={1}hdb,cn=config
name: "{{ item.key }}"
values: "{{ item.value }}"
state: exact
with_dict:
olcRootDN: cn=root,dc=example,dc=com
olcRootPW: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"
- name: Get rid of an unneeded attribute
ldap_attr:
dn: uid=jdoe,ou=people,dc=example,dc=com
name: shadowExpire
values: []
state: exact
server_uri: ldap://localhost/
bind_dn: cn=admin,dc=example,dc=com
bind_pw: password
#
# The same as in the previous example but with the authentication details
# stored in the ldap_auth variable:
#
# ldap_auth:
# server_uri: ldap://localhost/
# bind_dn: cn=admin,dc=example,dc=com
# bind_pw: password
- name: Get rid of an unneeded attribute
ldap_attr:
dn: uid=jdoe,ou=people,dc=example,dc=com
name: shadowExpire
values: []
state: exact
params: "{{ ldap_auth }}"
Return Values¶
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
modlist
list
|
success |
list of modified parameters
Sample:
[[2, "olcRootDN", ["cn=root,dc=example,dc=com"]]]
|
Status¶
This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.
Maintenance¶
This module is flagged as community which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.
For a list of other modules that are also maintained by the Ansible Community, see here.
Author¶
- Jiri Tyr (@jtyr)
Hint
If you notice any issues in this documentation you can edit this document to improve it.