ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-04-23 19:01:26 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

ldap: Add client certificate support (#6668)

Browse source 
* Set up secure ldap server

* ldap: Added client cert options

Shamelessly copied from https://github.com/andrewshulgin/ldap_search

* Added tests for ldap client authentication

* Add changelog fragment

* Make sure the openssl commands work on older versions of openssl

* Apply suggestions from code review

Co-authored-by: Felix Fontein <felix@fontein.de>

* Remove aliases for new arguments

* Add required_together to ldap module declerations

---------

Co-authored-by: Felix Fontein <felix@fontein.de>
This commit is contained in:
Gnonthgol 2023-06-15 07:19:29 +02:00 committed by GitHub
parent bb2169340d
commit f3ecf4c7f8
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 121 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

12
plugins/module_utils/ldap.py
View file

@ -42,11 +42,17 @@ def gen_specs(**specs):
'validate_certs': dict(default=True, type='bool'),
'sasl_class': dict(choices=['external', 'gssapi'], default='external', type='str'),
'xorder_discovery': dict(choices=['enable', 'auto', 'disable'], default='auto', type='str'),
'client_cert': dict(default=None, type='path'),
'client_key': dict(default=None, type='path'),
})
return specs
def ldap_required_together():
return [['client_cert', 'client_key']]
class LdapGeneric(object):
def __init__(self, module):
# Shortcuts
@ -60,6 +66,8 @@ class LdapGeneric(object):
self.verify_cert = self.module.params['validate_certs']
self.sasl_class = self.module.params['sasl_class']
self.xorder_discovery = self.module.params['xorder_discovery']
self.client_cert = self.module.params['client_cert']
self.client_key = self.module.params['client_key']
# Establish connection
self.connection = self._connect_to_ldap()
@ -102,6 +110,10 @@ class LdapGeneric(object):
if self.ca_path:
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ca_path)
if self.client_cert and self.client_key:
ldap.set_option(ldap.OPT_X_TLS_CERTFILE, self.client_cert)
ldap.set_option(ldap.OPT_X_TLS_KEYFILE, self.client_key)
connection = ldap.initialize(self.server_uri)
if self.referrals_chasing == 'disabled':