ldap_attr - Add or remove LDAP attribute values.

New in version 2.3.

Synopsis
Requirements (on host that executes module)
Options
Examples
Return Values
Notes
- Status

Synopsis

Add or remove LDAP attribute values.

Requirements (on host that executes module)

python-ldap

Options

parameter	required	default	choices	comments
bind_dn	no			A DN to bind with. If this is omitted, we'll try a SASL bind with the EXTERNAL mechanism. If this is blank, we'll use an anonymous bind.
bind_pw	no			The password to use with bind_dn.
dn	yes			The DN of the entry to modify.
name	yes			The name of the attribute to modify.
server_uri	no	ldapi:///		A URI to the LDAP server. The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location.
start_tls	no	no	yes no	If true, we'll use the START_TLS LDAP extension.
state	no	present	present absent exact	The state of the attribute values. If `present`, all given values will be added if they're missing. If `absent`, all given values will be removed if present. If `exact`, the set of values will be forced to exactly those provided and no others. If state=exact and value is empty, all values for this attribute will be removed.
validate_certs (added in 2.4)	no	yes	yes no	If `no`, SSL certificates will not be validated. This should only be used on sites using self-signed certificates.
values	yes			The value(s) to add or remove. This can be a string or a list of strings. The complex argument format is required in order to pass a list of strings (see examples).

Examples

- name: Configure directory number 1 for example.com
  ldap_attr:
    dn: olcDatabase={1}hdb,cn=config
    name: olcSuffix
    values: dc=example,dc=com
    state: exact

# The complex argument format is required here to pass a list of ACL strings.
- name: Set up the ACL
  ldap_attr:
    dn: olcDatabase={1}hdb,cn=config
    name: olcAccess
    values:
      - >-
        {0}to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by dn="cn=admin,dc=example,dc=com" write
        by * none'
      - >-
        {1}to dn.base="dc=example,dc=com"
        by dn="cn=admin,dc=example,dc=com" write
        by * read
    state: exact

- name: Declare some indexes
  ldap_attr:
    dn: olcDatabase={1}hdb,cn=config
    name: olcDbIndex
    values: "{{ item }}"
  with_items:
    - objectClass eq
    - uid eq

- name: Set up a root user, which we can use later to bootstrap the directory
  ldap_attr:
    dn: olcDatabase={1}hdb,cn=config
    name: "{{ item.key }}"
    values: "{{ item.value }}"
    state: exact
  with_dict:
    olcRootDN: cn=root,dc=example,dc=com
    olcRootPW: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"

- name: Get rid of an unneeded attribute
  ldap_attr:
    dn: uid=jdoe,ou=people,dc=example,dc=com
    name: shadowExpire
    values: ""
    state: exact
    server_uri: ldap://localhost/
    bind_dn: cn=admin,dc=example,dc=com
    bind_pw: password

#
# The same as in the previous example but with the authentication details
# stored in the ldap_auth variable:
#
# ldap_auth:
#   server_uri: ldap://localhost/
#   bind_dn: cn=admin,dc=example,dc=com
#   bind_pw: password
- name: Get rid of an unneeded attribute
  ldap_attr:
    dn: uid=jdoe,ou=people,dc=example,dc=com
    name: shadowExpire
    values: ""
    state: exact
    params: "{{ ldap_auth }}"

Return Values

Common return values are documented here Return Values, the following are the fields unique to this module:

name	description	returned	type	sample
modlist	list of modified parameters	success	list	[[2, "olcRootDN", ["cn=root,dc=example,dc=com"]]]

Notes

Note

This only deals with attributes on existing entries. To add or remove whole entries, see ldap_entry.
The default authentication settings will attempt to use a SASL EXTERNAL bind over a UNIX domain socket. This works well with the default Ubuntu install for example, which includes a cn=peercred,cn=external,cn=auth ACL rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in bind_dn and bind_pw.
For state=present and state=absent, all value comparisons are performed on the server for maximum accuracy. For state=exact, values have to be compared in Python, which obviously ignores LDAP matching rules. This should work out in most cases, but it is theoretically possible to see spurious changes when target and actual values are semantically identical but lexically distinct.

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.4/ldap_attr_module.html