Remove the params module option from ldap_attr and ldap_entry (#113)

* Remove the params module option from ldap_attr and ldap_entry Module options that circumvent Ansible's option handling were disallowed in: https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html Additionally, this particular usage can be insecure if bind_pw is set this way as the password could end up in a logfile or displayed on stdout. Fixes CVE-2020-1746 * Remove checking the version of Ansible Fix fail_json * Apply suggestions from code review Co-Authored-By: Felix Fontein <felix@fontein.de> Co-authored-by: Toshio Kuratomi <a.badger@gmail.com> Co-authored-by: Felix Fontein <felix@fontein.de>
2025-04-18 16:31:26 -07:00 · 2020-04-06 12:13:04 -04:00 · 2020-04-06 12:13:04 -04:00 · 11ef03e9dd
commit 11ef03e9dd
parent 645fe91fa3
5 changed files with 31 additions and 27 deletions
--- a/plugins/modules/net_tools/ldap/ldap_attr.py
+++ b/plugins/modules/net_tools/ldap/ldap_attr.py
@ -35,6 +35,9 @@ notes:
    rules. This should work out in most cases, but it is theoretically
    possible to see spurious changes when target and actual values are
    semantically identical but lexically distinct.
+  - "The I(params) parameter was removed due to circumventing Ansible's parameter
+     handling.  The I(params) parameter started disallowing setting the I(bind_pw) parameter in
+     Ansible-2.7 as it was insecure to set the parameter that way."
 deprecated:
  removed_in: '2.14'
  why: 'The current "ldap_attr" module does not support LDAP attribute insertions or deletions with objectClass dependencies.'
@ -66,10 +69,6 @@ options:
        a list of strings (see examples).
    type: raw
    required: true
-  params:
-    description:
-    - Additional module parameters.
-    type: dict
 extends_documentation_fragment:
 - community.general.ldap.documentation

@ -138,13 +137,15 @@ EXAMPLES = r'''
 #   server_uri: ldap://localhost/
 #   bind_dn: cn=admin,dc=example,dc=com
 #   bind_pw: password
+#
+# In the example below, 'args' is a task keyword, passed at the same level as the module
 - name: Get rid of an unneeded attribute
  ldap_attr:
    dn: uid=jdoe,ou=people,dc=example,dc=com
    name: shadowExpire
    values: []
    state: exact
-    params: "{{ ldap_auth }}"
+  args: "{{ ldap_auth }}"
 '''

 RETURN = r'''
@ -255,11 +256,8 @@ def main():
        module.fail_json(msg=missing_required_lib('python-ldap'),
                         exception=LDAP_IMP_ERR)

-    # Update module parameters with user's parameters if defined
-    if 'params' in module.params and isinstance(module.params['params'], dict):
-        module.params.update(module.params['params'])
-        # Remove the params
-        module.params.pop('params', None)
+    if module.params['params']:
+        module.fail_json(msg="The `params` option to ldap_attr was removed in since it circumvents Ansible's option handling")

    # Instantiate the LdapAttr object
    ldap = LdapAttr(module)