LDAP: Refactor and add ldap_passwd module (#33040)

* modules/net_tools/ldap: Refactor shared options * modules/net_tools/ldap: Refactor shared code * modules/net_tools/ldap: Add ldap_passwd module * modules/net_tools/ldap/ldap_passwd: More robust change check * In some deployments, using compare_s results in spurious “changed” results, while bind is more reliable. The downside is that it results in an extra connection, and the code it more involved. * ldap_passwd: Rename methods passwd_[cs] * ldap_passwd: Remove unecessary type=str * ldap: Factor-out failure cases * ldap_passwd: Provide more precise error messages * ldap_passwd: Irrelevant syntax changes * ldap_passwd: Rename u_con to tmp_con * ldap_passwd: Keep HAS_LDAP local * LDAP doc update * Resolved all copyright related issues * Resolved self.fail calls * Update documentation Signed-off-by: The Fox in the Shell <KellerFuchs@hashbang.sh> Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
2025-04-26 12:21:26 -07:00 · 2018-04-27 10:24:05 +00:00 · 2018-04-27 10:24:05 +00:00 · efe7c20100
commit efe7c20100
parent 19e1f41837
5 changed files with 311 additions and 177 deletions
--- a/lib/ansible/modules/net_tools/ldap/ldap_entry.py
+++ b/lib/ansible/modules/net_tools/ldap/ldap_entry.py
@ -1,8 +1,8 @@
 #!/usr/bin/python
 # -*- coding: utf-8 -*-

-# (c) 2016, Peter Sagerson <psagers@ignorare.net>
-# (c) 2016, Jiri Tyr <jiri.tyr@gmail.com>
+# Copyright: (c) 2016, Peter Sagerson <psagers@ignorare.net>
+# Copyright: (c) 2016, Jiri Tyr <jiri.tyr@gmail.com>
 #
 # GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

@ -10,9 +10,11 @@ from __future__ import absolute_import, division, print_function
 __metaclass__ = type


-ANSIBLE_METADATA = {'metadata_version': '1.1',
-                    'status': ['preview'],
-                    'supported_by': 'community'}
+ANSIBLE_METADATA = {
+    'metadata_version': '1.1',
+    'status': ['preview'],
+    'supported_by': 'community'
+}


 DOCUMENTATION = """
@ -36,18 +38,6 @@ author:
 requirements:
  - python-ldap
 options:
-  bind_dn:
-    description:
-      - A DN to bind with. If this is omitted, we'll try a SASL bind with
-        the EXTERNAL mechanism. If this is blank, we'll use an anonymous
-        bind.
-  bind_pw:
-    description:
-      - The password to use with I(bind_dn).
-  dn:
-    description:
-      - The DN of the entry to add or remove.
-    required: true
  attributes:
    description:
      - If I(state=present), attributes necessary to create an entry. Existing
@ -63,29 +53,12 @@ options:
      - List of options which allows to overwrite any of the task or the
        I(attributes) options. To remove an option, set the value of the option
        to C(null).
-  server_uri:
-    description:
-      - A URI to the LDAP server. The default value lets the underlying
-        LDAP client library look for a UNIX domain socket in its default
-        location.
-    default: ldapi:///
-  start_tls:
-    description:
-      - If true, we'll use the START_TLS LDAP extension.
-    type: bool
-    default: 'no'
  state:
    description:
      - The target state of the entry.
    choices: [present, absent]
    default: present
-  validate_certs:
-    description:
-      - If C(no), SSL certificates will not be validated. This should only be
-        used on sites using self-signed certificates.
-    type: bool
-    default: 'yes'
-    version_added: "2.4"
+extends_documentation_fragment: ldap.documentation
 """


@ -135,31 +108,25 @@ RETURN = """

 import traceback

+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.six import string_types
+from ansible.module_utils._text import to_native
+from ansible.module_utils.ldap import LdapGeneric, gen_specs
+
 try:
-    import ldap
    import ldap.modlist
-    import ldap.sasl

    HAS_LDAP = True
 except ImportError:
    HAS_LDAP = False

-from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.six import string_types
-from ansible.module_utils._text import to_native

-
-class LdapEntry(object):
+class LdapEntry(LdapGeneric):
    def __init__(self, module):
+        LdapGeneric.__init__(self, module)
+
        # Shortcuts
-        self.module = module
-        self.bind_dn = self.module.params['bind_dn']
-        self.bind_pw = self.module.params['bind_pw']
-        self.dn = self.module.params['dn']
-        self.server_uri = self.module.params['server_uri']
-        self.start_tls = self.module.params['start_tls']
        self.state = self.module.params['state']
-        self.verify_cert = self.module.params['validate_certs']

        # Add the objectClass into the list of attributes
        self.module.params['attributes']['objectClass'] = (
@ -169,9 +136,6 @@ class LdapEntry(object):
        if self.state == 'present':
            self.attrs = self._load_attrs()

-        # Establish connection
-        self.connection = self._connect_to_ldap()
-
    def _load_attrs(self):
        """ Turn attribute's value to array. """
        attrs = {}
@ -222,46 +186,15 @@ class LdapEntry(object):

        return is_present

-    def _connect_to_ldap(self):
-        if not self.verify_cert:
-            ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
-
-        connection = ldap.initialize(self.server_uri)
-
-        if self.start_tls:
-            try:
-                connection.start_tls_s()
-            except ldap.LDAPError as e:
-                self.module.fail_json(msg="Cannot start TLS.", details=to_native(e),
-                                      exception=traceback.format_exc())
-
-        try:
-            if self.bind_dn is not None:
-                connection.simple_bind_s(self.bind_dn, self.bind_pw)
-            else:
-                connection.sasl_interactive_bind_s('', ldap.sasl.external())
-        except ldap.LDAPError as e:
-            self.module.fail_json(
-                msg="Cannot bind to the server.", details=to_native(e),
-                exception=traceback.format_exc())
-
-        return connection
-

 def main():
    module = AnsibleModule(
-        argument_spec={
-            'attributes': dict(default={}, type='dict'),
-            'bind_dn': dict(),
-            'bind_pw': dict(default='', no_log=True),
-            'dn': dict(required=True),
-            'objectClass': dict(type='raw'),
-            'params': dict(type='dict'),
-            'server_uri': dict(default='ldapi:///'),
-            'start_tls': dict(default=False, type='bool'),
-            'state': dict(default='present', choices=['present', 'absent']),
-            'validate_certs': dict(default=True, type='bool'),
-        },
+        argument_spec=gen_specs(
+            attributes=dict(default={}, type='dict'),
+            objectClass=dict(type='raw'),
+            params=dict(type='dict'),
+            state=dict(default='present', choices=['present', 'absent']),
+        ),
        supports_check_mode=True,
    )