I'm working on an Ansible project that requires bootstrapping an LDAP
directory. In my case, the goal is to set up an LDAP service in the same
way one would set up MySQL or any other data store. Since Ansible doesn't
have any LDAP modules, I went ahead and wrote a couple, going so far as to
integrate them into an Ansible fork
with documentation (ldap_entry
<http://psagers.github.io/ansible/ldap_attr_module.html>) and integration
tests. It looks like there have been a few other blips of interest in LDAP
in Ansible, but I don't see anything on the developer list, so I thought
I'd kick off that thread.
My particular situation involves a single-server infrastructure running,
among other things, slapd (the OpenLDAP server). The actual content of our
LDAP directory is of course managed dynamically through other tools, so my
need for LDAP modules just extends to server configuration and perhaps a
few structural entries. In the past, slapd configuration was taken from a
normal text file, but that's no longer the case: current versions of slapd
keep the server configuration in a special LDAP directory under cn=config.
While it is theoretically possible to configure a slapd server by
manipulating files on disk, this is fraught with danger and highly
discouraged. The correct way to do it is over the LDAP protocol itself.
With the two simple modules linked above, I've been able to do everything I
need to get from Ubuntu's default slapd install to something that our own
user-management tools can work with. Not surprisingly, the documented
examples closely match my own use of the modules:
1. Configure a directory, including root DN (e.g. dc=example,dc=com),
ACL, indexes, etc.
2. Create the root entry plus a few structural entries (e.g.
3. Create one or more built-in administrative users for our other tools
and services to use (e.g. cn=admin,dc=example,dc=com).
LDAP is a fairly broad topic--as I've discovered writing django-auth-ldap
<https://pypi.python.org/pypi/django-auth-ldap/1.2.0>--but I believe that
asserting the presence/absence of entries and the presence/absence of
attribute values covers all normal scenarios for declaring the state of a
directory. If additional features are needed, they will most likely have to
do with connection options such as authentication methods and TLS. There
are other ways that one might rely on LDAP for server configuration, such
as looking up configuration information or iterating over entries, but I
would suggest that such things are largely independent projects.
The questions on the table, then, are:
1. Has anyone else encountered or anticipated this need?
2. Are there configuration scenarios that are not covered by the given
3. Are there LDAP server implementations for which additional work would
be required to accomplish the same configuration tasks?
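The post argues that declaring a directory's state reduces to asserting the presence/absence of entries and of attribute values, with cn=config itself managed over the LDAP protocol. The following is an added example, not code from the poster's ldap_entry/ldap_attr modules or from Ansible: it computes the idempotent modify operations for one entry from a "current" attribute dict (as a search would return it) and a "desired" dict (as a task would declare it), without a live server. The cn=config attribute values (olcAccess, olcDbIndex, olcRootDN) and the sample entry are constructed for illustration; the MOD_* constants are defined locally with the same numeric values python-ldap uses so the result could be handed to modify_s() unchanged.

```python
"""Idempotent attribute declaration for one LDAP entry (e.g. under cn=config).

Added example, not the poster's module code. Given the attributes an entry
currently has and the values a task declares, it computes the minimal
python-ldap-style modlist [(op, attr, [values]), ...] for state
"present" (values must exist), "absent" (values must not exist) or
"exact" (the attribute must hold exactly these values). An empty modlist
means the task is a no-op, which is what makes the declaration idempotent.
"""

# Numeric values match python-ldap's ldap.MOD_ADD / MOD_DELETE / MOD_REPLACE
# (assumption stated in the lead-in); defined here so the example runs
# without a server or the python-ldap package installed.
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2


def _values(raw):
    """LDAP values are octet strings; normalise str input to bytes so that
    'dc=example,dc=com' and b'dc=example,dc=com' compare as equal."""
    return {v.encode("utf-8") if isinstance(v, str) else bytes(v) for v in raw}


def _lookup(entry, attr):
    """Attribute types are case-insensitive in LDAP; a server may hand back
    'olcaccess' for what the task spells 'olcAccess'."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return vals
    return []


def attr_modlist(current, desired, state="present"):
    """Return the modify operations that bring `current` to `desired`.

    current: {attr: [values]} as read back from the directory.
    desired: {attr: [values]} as declared in the task.
    """
    if state not in ("present", "absent", "exact"):
        raise ValueError("state must be present, absent or exact: %r" % state)
    modlist = []
    for attr, want_raw in desired.items():
        have = _values(_lookup(current, attr))
        want = _values(want_raw)
        if state == "present":
            missing = want - have  # add only what is not there yet
            if missing:
                modlist.append((MOD_ADD, attr, sorted(missing)))
        elif state == "absent":
            extra = want & have  # delete only what actually exists
            if extra:
                modlist.append((MOD_DELETE, attr, sorted(extra)))
        else:  # exact: replace the whole value set, but only if it differs
            if want != have:
                modlist.append((MOD_REPLACE, attr, sorted(want)))
    return modlist


def entry_action(current, state="present"):
    """Decide what to do about the entry itself: 'add', 'delete' or 'none'.
    `current` is the entry's attribute dict, or None if the search found nothing."""
    if state == "present":
        return "none" if current is not None else "add"
    if state == "absent":
        return "delete" if current is not None else "none"
    raise ValueError("state must be present or absent: %r" % state)


# Constructed sample: a database entry under cn=config roughly as a default
# slapd install might report it (values are illustrative, not real output).
SAMPLE_DB_ENTRY = {
    "olcSuffix": [b"dc=example,dc=com"],
    "olcRootDN": [b"cn=admin,dc=example,dc=com"],
    "olcDbIndex": [b"objectClass eq"],
    "olcaccess": [b"{0}to * by * read"],
}

# olcAccess is an ordered attribute (the {n} prefix is the rule's position),
# so it is declared with state "exact" and replaced wholesale; adding single
# rules with "present" would leave the task managing the indices itself.
DESIRED_ACL = {
    "olcAccess": [
        "{0}to attrs=userPassword by self write by anonymous auth by * none",
        "{1}to * by self write by users read by * none",
    ],
}
DESIRED_INDEXES = {"olcDbIndex": ["objectClass eq", "uid eq", "memberUid eq"]}


if __name__ == "__main__":
    print("acl:    ", attr_modlist(SAMPLE_DB_ENTRY, DESIRED_ACL, "exact"))
    print("indexes:", attr_modlist(SAMPLE_DB_ENTRY, DESIRED_INDEXES, "present"))
    print("rerun:  ", attr_modlist(SAMPLE_DB_ENTRY, {"olcSuffix": ["dc=example,dc=com"]}))
    print("entry:  ", entry_action(None, "present"))
```

The check a module built on this needs is the one the example makes explicit: compare as byte sets with case-insensitive attribute names, and report changed=True only when the modlist is non-empty, so a second run of the same playbook does nothing. Ordered attributes such as olcAccess are the main caveat; for those, "exact" (a single replace of the full rule list) is the only form that is both idempotent and unambiguous.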