ldap: Add client certificate support (#6668)

* Set up secure ldap server * ldap: Added client cert options Shamelessly copied from https://github.com/andrewshulgin/ldap_search * Added tests for ldap client authentication * Add changelog fragment * Make sure the openssl commands work on older versions of openssl * Apply suggestions from code review Co-authored-by: Felix Fontein <felix@fontein.de> * Remove aliases for new arguments * Add required_together to ldap module declerations --------- Co-authored-by: Felix Fontein <felix@fontein.de>
2025-08-06 06:04:24 -07:00 · 2023-06-15 07:19:29 +02:00 · 2023-06-15 07:19:29 +02:00 · f3ecf4c7f8
commit f3ecf4c7f8
parent bb2169340d
12 changed files with 121 additions and 5 deletions
--- a/plugins/doc_fragments/ldap.py
+++ b/plugins/doc_fragments/ldap.py
@ -29,6 +29,18 @@ options:
      - Set the path to PEM file with CA certs.
    type: path
    version_added: "6.5.0"
+  client_cert:
+    type: path
+    description:
+      - PEM formatted certificate chain file to be used for SSL client authentication.
+      - Required if O(client_key) is defined.
+    version_added: "7.1.0"
+  client_key:
+    type: path
+    description:
+      - PEM formatted file that contains your private key to be used for SSL client authentication.
+      - Required if O(client_cert) is defined.
+    version_added: "7.1.0"
  dn:
    required: true
    description:
--- a/plugins/module_utils/ldap.py
+++ b/plugins/module_utils/ldap.py
@ -42,11 +42,17 @@ def gen_specs(**specs):
        'validate_certs': dict(default=True, type='bool'),
        'sasl_class': dict(choices=['external', 'gssapi'], default='external', type='str'),
        'xorder_discovery': dict(choices=['enable', 'auto', 'disable'], default='auto', type='str'),
+        'client_cert': dict(default=None, type='path'),
+        'client_key': dict(default=None, type='path'),
    })

    return specs


+def ldap_required_together():
+    return [['client_cert', 'client_key']]
+
+
 class LdapGeneric(object):
    def __init__(self, module):
        # Shortcuts
@ -60,6 +66,8 @@ class LdapGeneric(object):
        self.verify_cert = self.module.params['validate_certs']
        self.sasl_class = self.module.params['sasl_class']
        self.xorder_discovery = self.module.params['xorder_discovery']
+        self.client_cert = self.module.params['client_cert']
+        self.client_key = self.module.params['client_key']

        # Establish connection
        self.connection = self._connect_to_ldap()
@ -102,6 +110,10 @@ class LdapGeneric(object):
        if self.ca_path:
            ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca_path)

+        if self.client_cert and self.client_key:
+            ldap.set_option(ldap.OPT_X_TLS_CERTFILE, self.client_cert)
+            ldap.set_option(ldap.OPT_X_TLS_KEYFILE, self.client_key)
+
        connection = ldap.initialize(self.server_uri)

        if self.referrals_chasing == 'disabled':
--- a/plugins/modules/ldap_attrs.py
+++ b/plugins/modules/ldap_attrs.py
@ -182,7 +182,7 @@ import traceback

 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.common.text.converters import to_native, to_bytes, to_text
-from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs
+from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs, ldap_required_together

 import re

@ -300,6 +300,7 @@ def main():
            state=dict(type='str', default='present', choices=['absent', 'exact', 'present']),
        ),
        supports_check_mode=True,
+        required_together=ldap_required_together(),
    )

    if not HAS_LDAP:
--- a/plugins/modules/ldap_entry.py
+++ b/plugins/modules/ldap_entry.py
@ -151,7 +151,7 @@ import traceback

 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.common.text.converters import to_native, to_bytes
-from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs
+from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs, ldap_required_together

 LDAP_IMP_ERR = None
 try:
@ -255,6 +255,7 @@ def main():
        ),
        required_if=[('state', 'present', ['objectClass'])],
        supports_check_mode=True,
+        required_together=ldap_required_together(),
    )

    if not HAS_LDAP:
--- a/plugins/modules/ldap_passwd.py
+++ b/plugins/modules/ldap_passwd.py
@ -72,7 +72,7 @@ modlist:
 import traceback

 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
-from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs
+from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs, ldap_required_together

 LDAP_IMP_ERR = None
 try:
@ -133,6 +133,7 @@ def main():
    module = AnsibleModule(
        argument_spec=gen_specs(passwd=dict(no_log=True)),
        supports_check_mode=True,
+        required_together=ldap_required_together(),
    )

    if not HAS_LDAP:
--- a/plugins/modules/ldap_search.py
+++ b/plugins/modules/ldap_search.py
@ -113,7 +113,7 @@ import traceback
 from ansible.module_utils.basic import AnsibleModule, missing_required_lib
 from ansible.module_utils.common.text.converters import to_bytes, to_native, to_text
 from ansible.module_utils.six import string_types, text_type
-from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs
+from ansible_collections.community.general.plugins.module_utils.ldap import LdapGeneric, gen_specs, ldap_required_together

 LDAP_IMP_ERR = None
 try:
@ -136,6 +136,7 @@ def main():
            base64_attributes=dict(type='list', elements='str'),
        ),
        supports_check_mode=True,
+        required_together=ldap_required_together(),
    )

    if not HAS_LDAP: