Hello,

I'm working on an Ansible project that requires bootstrapping an LDAP
directory. In my case, the goal is to set up an LDAP service in the same
way one would set up MySQL or any other data store. Since Ansible doesn't
have any LDAP modules, I went ahead and wrote a couple, going so far as to
integrate them into an ansible fork
<https://github.com/psagers/ansible/compare/ansible:devel...devel> (
ldap_entry
<https://github.com/psagers/ansible/blob/devel/library/database/ldap_entry>,
ldap_attr
<https://github.com/psagers/ansible/blob/devel/library/database/ldap_attr>),
with documentation (ldap_entry
<http://psagers.github.io/ansible/ldap_entry_module.html>, ldap_attr
<http://psagers.github.io/ansible/ldap_attr_module.html>) and integration
tests. It looks like there have been a few other blips of interest in LDAP
in ansible, but I don't see anything on the developer list, so I thought
I'd kick off that thread.

My particular situation involves a single-server infrastructure running,
among other things, slapd (the openldap server). The actual content of our
LDAP directory is of course managed dynamically through other tools, so my
need for LDAP modules just extends to server configuration and perhaps a
few structural entries. In the past, slapd configuration was taken from a
normal text file, but that's no longer the case: current versions of slapd
keep the server configuration in a special LDAP directory under cn=config.
While it is theoretically possible to configure a slapd server by
manipulating files on disk, this is fraught with danger and highly
discouraged. The correct way to do it is over the LDAP protocol itself.

With the two simple modules linked above, I've been able to do everything I
need to get from Ubuntu's default slapd install to something that our own
user-management tools can work with. Not surprisingly, the documented
examples closely match my own use of the modules:

    1. Configure a directory, including root DN (e.g. dc=example,dc=com),
    ACL, indexes, etc.
    2. Create the root entry plus a few structural entries (e.g.
    ou=users,dc=example,dc=com).
    3. Create one or more built-in administrative users for our other tools
    and services to use (e.g. cn=admin,dc=example,dc=com).

LDAP is a fairly broad topic--as I've discovered writing django-auth-ldap
<https://pypi.python.org/pypi/django-auth-ldap/1.2.0>--but I believe that
asserting the presence/absence of entries and the presence/absence of
attribute values covers all normal scenarios for declaring the state of a
directory. If additional features are needed, they will most likely have to
do with connection options such as authentication methods and TLS. There
are other ways that one might rely on LDAP for server configuration, such
as looking up configuration information or iterating over entries, but I
would suggest that such things are largely independent projects.

The questions on the table, then, are:

    1. Has anyone else encountered or anticipated this need?
    2. Are there configuration scenarios that are not covered by the given
    model?
    3. Are there LDAP server implementations for which additional work would
    be required to accomplish the same configuration tasks?

Thanks,
Peter

--
You received this message because you are subscribed to the Google Groups "Ansible Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-devel+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
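Peter's three steps as one playbook, added here as an example rather than code from the thread or from his fork. It assumes the module parameters as later merged into Ansible (dn, objectClass, attributes, name, values, state, bind_dn, bind_pw), Ubuntu's packaged slapd with an mdb database and the install-time root DN cn=admin, and two vault-encrypted variables, vault_slapd_root_pw and vault_usertool_pw_hash, that are not on the page.

```yaml
# Added example; parameter names assumed to match the ldap_entry/ldap_attr fork.
- hosts: ldap
  become: true
  vars:
    base_dn: dc=example,dc=com
    # Assumed vault-encrypted: olcRootDN password from install, pre-hashed ({SSHA}) service password
    root_dn_pw: "{{ vault_slapd_root_pw }}"
    usertool_pw_hash: "{{ vault_usertool_pw_hash }}"
  tasks:
    # cn=config: root writes over ldapi:/// with SASL EXTERNAL (module default without bind_dn)
    - name: Index the attributes our tools search on
      ldap_attr:
        dn: olcDatabase={1}mdb,cn=config   # {1}hdb on older releases
        name: olcDbIndex
        values: [objectClass eq, uid eq, cn eq]
        state: present
    - name: Replace the packaged ACL with ours (state=exact sets the whole list)
      ldap_attr:
        dn: olcDatabase={1}mdb,cn=config
        name: olcAccess
        state: exact
        values:
          - >-
            {0}to attrs=userPassword,shadowLastChange
            by dn.exact="cn=usertool,{{ base_dn }}" write
            by self write by anonymous auth by * none
          - >-
            {1}to * by dn.exact="cn=usertool,{{ base_dn }}" write
            by users read by * none
    # Data tree: bind as the root DN (bypasses ACLs) over the same socket; no_log hides secrets
    - name: Structural container for user entries
      ldap_entry:
        dn: "ou=users,{{ base_dn }}"
        objectClass: organizationalUnit
        attributes: { ou: users }
        bind_dn: "cn=admin,{{ base_dn }}"
        bind_pw: "{{ root_dn_pw }}"
      no_log: true
    - name: Service account our user-management tools bind as
      ldap_entry:
        dn: "cn=usertool,{{ base_dn }}"
        objectClass: [simpleSecurityObject, organizationalRole]
        attributes: { cn: usertool, userPassword: "{{ usertool_pw_hash }}" }
        bind_dn: "cn=admin,{{ base_dn }}"
        bind_pw: "{{ root_dn_pw }}"
      no_log: true
```

Because the ACL is set with state=exact, rerunning the play restores it if someone edits cn=config by hand, which makes the play a cheap drift check as well as a bootstrap.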


  • Michael DeHaan at Aug 16, 2014 at 3:24 pm
    Sorry for the lack of feedback on this one, there may be a shortage of
    people trying to populate LDAP this way :)

    First off, minor process issue - I'd request that you remove the docs
    mirror, as it complicates our Google indexing, and it's confusing because it
    implies these modules are part of ansible for others reading. If you want
    to keep this internal to your company that's fine.

    To me, I think it would be a little weird having a list of all users in
    YAML as authoritative and then trying to feed into LDAP, just a bit, as I
    think of ansible being more usually about configuring computer resources.

    Or maybe it's a bit more because mostly people want to read Active
    Directory?

    Anyway, I suspect most likely we would want to see more interest before
    this might be something we'd be interested in core, but it could be
    something that could be carried as some modules in a "./library" directory
    of a galaxy role, perhaps?



    On Fri, Aug 8, 2014 at 2:59 PM, Peter Sagerson wrote:
  • Quentin Stafford-Fraser at Jul 17, 2015 at 10:45 am
    Just as a data point - I found this thread because I wanted to do exactly
    the same thing: set up the basics of a slapd server on a fresh machine.

    So, thanks, Peter - I'll take a look at your stuff, and you're not alone!

    All the best,
    Quentin

