Vh-ddlmZmZmZeZdZdZdZddl Z ddl m Z m Z ddl mZmZmZddlmZmZmZddlZdZ ddlZddlZd ZGd d eZd Zedk(reyy#e$re j6Zd ZY6wxYw))absolute_importdivisionprint_functiona module: ldap_attrs short_description: Add or remove multiple LDAP attribute values description: - Add or remove multiple LDAP attribute values. notes: - This only deals with attributes on existing entries. To add or remove whole entries, see M(community.general.ldap_entry). - For O(state=present) and O(state=absent), all value comparisons are performed on the server for maximum accuracy. For O(state=exact), values have to be compared in Python, which obviously ignores LDAP matching rules. This should work out in most cases, but it is theoretically possible to see spurious changes when target and actual values are semantically identical but lexically distinct. version_added: '0.2.0' author: - Jiri Tyr (@jtyr) - Alexander Korinek (@noles) - Maciej Delmanowski (@drybjed) requirements: - python-ldap attributes: check_mode: support: full diff_mode: support: full version_added: 8.5.0 options: state: required: false type: str choices: [present, absent, exact] default: present description: - The state of the attribute values. If V(present), all given attribute values will be added if they are missing. If V(absent), all given attribute values will be removed if present. If V(exact), the set of attribute values will be forced to exactly those provided and no others. If O(state=exact) and the attribute value is empty, all values for this attribute will be removed. attributes: required: true type: dict description: - The attribute(s) and value(s) to add or remove. - Each attribute value can be a string for single-valued attributes or a list of strings for multi-valued attributes. - If you specify values for this option in YAML, please note that you can improve readability for long string values by using YAML block modifiers as seen in the examples for this module. - Note that when using values that YAML/ansible-core interprets as other types, like V(yes), V(no) (booleans), or V(2.10) (float), make sure to quote them if these are meant to be strings. Otherwise the wrong values may be sent to LDAP. ordered: required: false type: bool default: false description: - If V(true), prepend list values with X-ORDERED index numbers in all attributes specified in the current task. This is useful mostly with C(olcAccess) attribute to easily manage LDAP Access Control Lists. extends_documentation_fragment: - community.general.ldap.documentation - community.general.attributes a - name: Configure directory number 1 for example.com community.general.ldap_attrs: dn: olcDatabase={1}hdb,cn=config attributes: olcSuffix: dc=example,dc=com state: exact # The complex argument format is required here to pass a list of ACL strings. - name: Set up the ACL community.general.ldap_attrs: dn: olcDatabase={1}hdb,cn=config attributes: olcAccess: - >- {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none' - >- {1}to dn.base="dc=example,dc=com" by dn="cn=admin,dc=example,dc=com" write by * read state: exact # An alternative approach with automatic X-ORDERED numbering - name: Set up the ACL community.general.ldap_attrs: dn: olcDatabase={1}hdb,cn=config attributes: olcAccess: - >- to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none' - >- to dn.base="dc=example,dc=com" by dn="cn=admin,dc=example,dc=com" write by * read ordered: true state: exact - name: Declare some indexes community.general.ldap_attrs: dn: olcDatabase={1}hdb,cn=config attributes: olcDbIndex: - objectClass eq - uid eq - name: Set up a root user, which we can use later to bootstrap the directory community.general.ldap_attrs: dn: olcDatabase={1}hdb,cn=config attributes: olcRootDN: cn=root,dc=example,dc=com olcRootPW: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND" state: exact - name: Remove an attribute with a specific value community.general.ldap_attrs: dn: uid=jdoe,ou=people,dc=example,dc=com attributes: description: "An example user account" state: absent server_uri: ldap://localhost/ bind_dn: cn=admin,dc=example,dc=com bind_pw: password - name: Remove specified attribute(s) from an entry community.general.ldap_attrs: dn: uid=jdoe,ou=people,dc=example,dc=com attributes: description: [] state: exact server_uri: ldap://localhost/ bind_dn: cn=admin,dc=example,dc=com bind_pw: password z modlist: description: List of modified parameters. returned: success type: list sample: - [2, "olcRootDN", ["cn=root,dc=example,dc=com"]] N) AnsibleModulemissing_required_lib) to_nativeto_bytesto_text) LdapGeneric gen_specsldap_required_togetherTFc<eZdZdZdZdZdZdZdZdZ dZ y ) LdapAttrsctj|||jjd|_|jjd|_|jjd|_y)N attributesstateordered)r __init__moduleparamsattrsrr)selfrs p/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/community/general/plugins/modules/ldap_attrs.pyrzLdapAttrs.__init__sVT6*[['' 5 [[''0 {{)))4 cg}t|trMt|D]?\}}tjdd|}|j dt |zdz|zA|S)z8 Prepend X-ORDERED index numbers to attribute's values. z^\{\d+\}{}) isinstancelist enumerateresubappendstr)rvaluesordered_valuesindexvalue cleaned_values r _order_valueszLdapAttrs._order_valuessf fd # )& 1 N u "{B > %%cCJ&6&<}&LM Nrc $g}t|trh|jrAttt|j ttt |}|Sttt|}|St t |g}|S)z Normalize attribute's values. )rr rmapr r+r%)rr& norm_valuess r_normalize_valueszLdapAttrs._normalize_valuess fd #||"3x#'#5#5d3s?E? ''. /"- $ .I%%rcg}i}i}|jjdjD]\}}|j|}g}|D]H}|j ||s|j ||j t j||fJ|si|||<|Dcgc] }||vs| c}||<|||fScc}wr1)rrr2r/_is_value_presentr$r4 MOD_DELETE) rr6 old_attrsr7r8r&r.removed_valuesr)s rdeletezLdapAttrs.deletes   KK..|<BBD bLD&008KN$ C))$6"))%0NNDOOT5#AB C"- $6A"aUUR`E`5"a $ b 9,,#bs B;*B;cTg}i}i}|jjdjD]=\}}|j|} |jj |j tj|g}ddj|g} t|t| k7st| dk(r#|jtj||fnSt|dk(r#|jtj |dfn"|jtj"||f| ||<|||<t| dk(st|dk(s.| d||<|d||<@|||fS#tj$r }|jd|z|Yd}~$d}~wwxYw)Nr)attrlistzCannot search for attribute %sr)rrr2r/ connectionsearch_sdnr4 SCOPE_BASE LDAPErrorfailget frozensetlenr$r5r= MOD_REPLACE) rr6r>r7r8r&r.resultsecurrents rexactzLdapAttrs.exacts   KK..|<BBD 5LD&008K F//22GGT__v3? ajm''b1G%7);;w<1$NNDLL$ #DE%*NNDOOT4#@ANND$4$4dK#HI") $"- $w<1$[)9Q)>&-ajIdO&1!nIdO+ 5. 9,,%>> F :TA1EE Fs7E44F'F""F'c( tjjt|}d|d|d}|jj |j tj|}t|dk(}|S#tj$rd}Y|SwxYw)z3 True if the target attribute has the given value. (=)rCF) r4filterescape_filter_charsr rDrErFrGrLNO_SUCH_OBJECT)rr8r) escaped_value filterstrdns is_presents rr<zLdapAttrs._is_value_presents  KK;;GENKM%)=9I//**477DOOYOCSQJ"" J sA4A88BBc(|j|| S)z< True if the target attribute doesn't have the given value. )r<)rr8r)s rr3zLdapAttrs._is_value_absent#s))$666rN) __name__ __module__ __qualname__rr+r/r:r@rQr<r3rrrrs*5  &- -: 7rrc tttddtdddtddgd   dt }ts |j t d tt|}d}d}|jd}|dk(r|j\}}}n5|dk(r|j\}}}n|dk(r|j\}}}d}tdkDr5d}|js' |jj!|j"||j)||||dy#t$$r&}|j dt'|Yd}~Bd}~wwxYw)NdictT)typerequiredboolF)rddefaultrer%present)absentrQrh)rdrgchoices)rrr) argument_specsupports_check_moderequired_togetherz python-ldap)msg exceptionrrirQrzAttribute action failed.)rndetails)beforeafter)changedr6diff)rr rcr HAS_LDAP fail_jsonr LDAP_IMP_ERRrrr:r@rQrL check_moderDmodify_srF Exceptionr exit_json)rr4r>r7rr6rsrOs rmainr|(si $7feeDE9>\] !02F 1-@#/  1 V DII MM' "E (0 %I ( (3 %I ' (2 %IG 7|a   W((': Wgy[drsA@ 7 tP f JTTzz  H m7 m7`)gX zFC'9'')LHs A A;:A;