ldap_entry - Add or remove LDAP entries.¶

New in version 2.3.

Synopsis
- Requirements
Parameters
Notes
Examples
Status
Maintenance
- Author

Synopsis ¶

Add or remove LDAP entries. This module only asserts the existence or non-existence of an LDAP entry, not its attributes. To assert the attribute values of an entry, see ldap_attr.

Requirements ¶

The below requirements are needed on the host that executes this module.

python-ldap

Parameters ¶

Parameter	Choices/Defaults	Comments
attributes		If state=present, attributes necessary to create an entry. Existing entries are never modified. To assert specific attribute values on an existing entry, use ldap_attr module instead.
bind_dn		A DN to bind with. If this is omitted, we'll try a SASL bind with the EXTERNAL mechanism. If this is blank, we'll use an anonymous bind.
bind_pw		The password to use with bind_dn.
dn required		The DN of the entry to add or remove.
objectClass		If state=present, value or list of values to use when creating the entry. It can either be a string or an actual list of strings.
params		List of options which allows to overwrite any of the task or the attributes options. To remove an option, set the value of the option to `null`.
server_uri	Default: ldapi:///	A URI to the LDAP server. The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location.
start_tls bool	Choices: no ← yes	If true, we'll use the START_TLS LDAP extension.
state	Choices: present ← absent	The target state of the entry.
validate_certs bool (added in 2.4)	Choices: no yes ←	If set to `no`, SSL certificates will not be validated. This should only be used on sites using self-signed certificates.

Notes ¶

Note

The default authentication settings will attempt to use a SASL EXTERNAL bind over a UNIX domain socket. This works well with the default Ubuntu install for example, which includes a cn=peercred,cn=external,cn=auth ACL rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in bind_dn and bind_pw.

Examples ¶

- name: Make sure we have a parent entry for users
  ldap_entry:
    dn: ou=users,dc=example,dc=com
    objectClass: organizationalUnit

- name: Make sure we have an admin user
  ldap_entry:
    dn: cn=admin,dc=example,dc=com
    objectClass:
      - simpleSecurityObject
      - organizationalRole
    attributes:
      description: An LDAP administrator
      userPassword: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"

- name: Get rid of an old entry
  ldap_entry:
    dn: ou=stuff,dc=example,dc=com
    state: absent
    server_uri: ldap://localhost/
    bind_dn: cn=admin,dc=example,dc=com
    bind_pw: password

#
# The same as in the previous example but with the authentication details
# stored in the ldap_auth variable:
#
# ldap_auth:
#   server_uri: ldap://localhost/
#   bind_dn: cn=admin,dc=example,dc=com
#   bind_pw: password
- name: Get rid of an old entry
  ldap_entry:
    dn: ou=stuff,dc=example,dc=com
    state: absent
    params: "{{ ldap_auth }}"

Status ¶

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Maintenance ¶

This module is flagged as community which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.

For a list of other modules that are also maintained by the Ansible Community, see here.

Author ¶

Jiri Tyr (@jtyr)

Hint

If you notice any issues in this documentation you can edit this document to improve it.