Documentation

ldap_entry - Add or remove LDAP entries.

New in version 2.3.

Synopsis

  • Add or remove LDAP entries. This module only asserts the existence or non-existence of an LDAP entry, not its attributes. To assert the attribute values of an entry, see ldap_attr.

Requirements

The below requirements are needed on the host that executes this module.

  • python-ldap

Parameters

Parameter
Choices/Defaults
Comments
attributes
If state=present, attributes necessary to create an entry. Existing entries are never modified. To assert specific attribute values on an existing entry, use ldap_attr module instead.
bind_dn
A DN to bind with. If this is omitted, we'll try a SASL bind with the EXTERNAL mechanism. If this is blank, we'll use an anonymous bind.
bind_pw
The password to use with bind_dn.
dn
required
The DN of the entry to add or remove.
objectClass
If state=present, value or list of values to use when creating the entry. It can either be a string or an actual list of strings.
params
List of options which allows to overwrite any of the task or the attributes options. To remove an option, set the value of the option to null.
server_uri
Default:
ldapi:///
A URI to the LDAP server. The default value lets the underlying LDAP client library look for a UNIX domain socket in its default location.
start_tls
    Choices:
  • no ←
  • yes
If true, we'll use the START_TLS LDAP extension.
state
    Choices:
  • present ←
  • absent
The target state of the entry.
validate_certs
(added in 2.4)
    Choices:
  • no
  • yes ←
If no, SSL certificates will not be validated. This should only be used on sites using self-signed certificates.

Notes

Note

  • The default authentication settings will attempt to use a SASL EXTERNAL bind over a UNIX domain socket. This works well with the default Ubuntu install for example, which includes a cn=peercred,cn=external,cn=auth ACL rule allowing root to modify the server configuration. If you need to use a simple bind to access your server, pass the credentials in bind_dn and bind_pw.

Examples

- name: Make sure we have a parent entry for users
  ldap_entry:
    dn: ou=users,dc=example,dc=com
    objectClass: organizationalUnit

- name: Make sure we have an admin user
  ldap_entry:
    dn: cn=admin,dc=example,dc=com
    objectClass:
      - simpleSecurityObject
      - organizationalRole
    attributes:
      description: An LDAP administrator
      userPassword: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"

- name: Get rid of an old entry
  ldap_entry:
    dn: ou=stuff,dc=example,dc=com
    state: absent
    server_uri: ldap://localhost/
    bind_dn: cn=admin,dc=example,dc=com
    bind_pw: password

#
# The same as in the previous example but with the authentication details
# stored in the ldap_auth variable:
#
# ldap_auth:
#   server_uri: ldap://localhost/
#   bind_dn: cn=admin,dc=example,dc=com
#   bind_pw: password
- name: Get rid of an old entry
  ldap_entry:
    dn: ou=stuff,dc=example,dc=com
    state: absent
    params: "{{ ldap_auth }}"

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Author

  • Jiri Tyr (@jtyr)

Hint

If you notice any issues in this documentation you can edit this document to improve it.