LDAP: Refactor and add ldap_passwd module (#33040)

* modules/net_tools/ldap: Refactor shared options * modules/net_tools/ldap: Refactor shared code * modules/net_tools/ldap: Add ldap_passwd module * modules/net_tools/ldap/ldap_passwd: More robust change check * In some deployments, using compare_s results in spurious “changed” results, while bind is more reliable. The downside is that it results in an extra connection, and the code it more involved. * ldap_passwd: Rename methods passwd_[cs] * ldap_passwd: Remove unecessary type=str * ldap: Factor-out failure cases * ldap_passwd: Provide more precise error messages * ldap_passwd: Irrelevant syntax changes * ldap_passwd: Rename u_con to tmp_con * ldap_passwd: Keep HAS_LDAP local * LDAP doc update * Resolved all copyright related issues * Resolved self.fail calls * Update documentation Signed-off-by: The Fox in the Shell <KellerFuchs@hashbang.sh> Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
2025-04-26 12:21:26 -07:00 · 2018-04-27 10:24:05 +00:00 · 2018-04-27 10:24:05 +00:00 · efe7c20100
commit efe7c20100
parent 19e1f41837
5 changed files with 311 additions and 177 deletions
--- a/lib/ansible/modules/net_tools/ldap/ldap_attr.py
+++ b/lib/ansible/modules/net_tools/ldap/ldap_attr.py
@ -1,8 +1,8 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-

-# (c) 2016, Peter Sagerson <psagers@ignorare.net>
-# (c) 2016, Jiri Tyr <jiri.tyr@gmail.com>
+# Copyright: (c) 2016, Peter Sagerson <psagers@ignorare.net>
+# Copyright: (c) 2016, Jiri Tyr <jiri.tyr@gmail.com>
 #
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

@ -10,9 +10,11 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type


-ANSIBLE_METADATA = {'metadata_version': '1.1',
-                    'status': ['preview'],
-                    'supported_by': 'community'}
+ANSIBLE_METADATA = {
+    'metadata_version': '1.1',
+    'status': ['preview'],
+    'supported_by': 'community'
+}


 DOCUMENTATION = """
@ -42,33 +44,10 @@ author:
 requirements:
  - python-ldap
 options:
-  bind_dn:
-    description:
-      - A DN to bind with. If this is omitted, we'll try a SASL bind with
-        the EXTERNAL mechanism. If this is blank, we'll use an anonymous
-        bind.
-  bind_pw:
-    description:
-      - The password to use with I(bind_dn).
-  dn:
-    description:
-      - The DN of the entry to modify.
-    required: true
  name:
    description:
      - The name of the attribute to modify.
    required: true
-  server_uri:
-    description:
-      - A URI to the LDAP server. The default value lets the underlying
-        LDAP client library look for a UNIX domain socket in its default
-        location.
-    default: ldapi:///
-  start_tls:
-    description:
-      - If true, we'll use the START_TLS LDAP extension.
-    type: bool
-    default: 'no'
  state:
    description:
      - The state of the attribute values. If C(present), all given
@ -85,13 +64,7 @@ options:
        strings. The complex argument format is required in order to pass
        a list of strings (see examples).
    required: true
-  validate_certs:
-    description:
-      - If C(no), SSL certificates will not be validated. This should only be
-        used on sites using self-signed certificates.
-    type: bool
-    default: 'yes'
-    version_added: "2.4"
+extends_documentation_fragment: ldap.documentation
 """


@ -178,30 +151,25 @@ modlist:

 import traceback

+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils._text import to_native
+from ansible.module_utils.ldap import LdapGeneric, gen_specs
+
 try:
    import ldap
-    import ldap.sasl

    HAS_LDAP = True
 except ImportError:
    HAS_LDAP = False

-from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils._text import to_native

-
-class LdapAttr(object):
+class LdapAttr(LdapGeneric):
    def __init__(self, module):
+        LdapGeneric.__init__(self, module)
+
        # Shortcuts
-        self.module = module
-        self.bind_dn = self.module.params['bind_dn']
-        self.bind_pw = self.module.params['bind_pw']
-        self.dn = self.module.params['dn']
        self.name = self.module.params['name']
-        self.server_uri = self.module.params['server_uri']
-        self.start_tls = self.module.params['start_tls']
        self.state = self.module.params['state']
-        self.verify_cert = self.module.params['validate_certs']

        # Normalize values
        if isinstance(self.module.params['values'], list):
@ -209,9 +177,6 @@ class LdapAttr(object):
        else:
            self.values = [str(self.module.params['values'])]

-        # Establish connection
-        self.connection = self._connect_to_ldap()
-
    def add(self):
        values_to_add = filter(self._is_value_absent, self.values)

@ -237,9 +202,7 @@ class LdapAttr(object):
            results = self.connection.search_s(
                self.dn, ldap.SCOPE_BASE, attrlist=[self.name])
        except ldap.LDAPError as e:
-            self.module.fail_json(
-                msg="Cannot search for attribute %s" % self.name,
-                details=to_native(e))
+            self.fail("Cannot search for attribute %s" % self.name, e)

        current = results[0][1].get(self.name, [])
        modlist = []
@ -268,46 +231,17 @@ class LdapAttr(object):
        """ True if the target attribute doesn't have the given value. """
        return not self._is_value_present(value)

-    def _connect_to_ldap(self):
-        if not self.verify_cert:
-            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
-
-        connection = ldap.initialize(self.server_uri)
-
-        if self.start_tls:
-            try:
-                connection.start_tls_s()
-            except ldap.LDAPError as e:
-                self.module.fail_json(msg="Cannot start TLS.", details=to_native(e))
-
-        try:
-            if self.bind_dn is not None:
-                connection.simple_bind_s(self.bind_dn, self.bind_pw)
-            else:
-                connection.sasl_interactive_bind_s('', ldap.sasl.external())
-        except ldap.LDAPError as e:
-            self.module.fail_json(
-                msg="Cannot bind to the server.", details=to_native(e))
-
-        return connection
-

 def main():
    module = AnsibleModule(
-        argument_spec={
-            'bind_dn': dict(default=None),
-            'bind_pw': dict(default='', no_log=True),
-            'dn': dict(required=True),
-            'name': dict(required=True),
-            'params': dict(type='dict'),
-            'server_uri': dict(default='ldapi:///'),
-            'start_tls': dict(default=False, type='bool'),
-            'state': dict(
+        argument_spec=gen_specs(
+            name=dict(required=True),
+            params=dict(type='dict'),
+            state=dict(
                default='present',
                choices=['present', 'absent', 'exact']),
-            'values': dict(required=True, type='raw'),
-            'validate_certs': dict(default=True, type='bool'),
-        },
+            values=dict(required=True, type='raw'),
+        ),
        supports_check_mode=True,
    )