VhpDdZdZddlZddlZddlmZddlmZddl m Z ddl m Z ddl mZmZdd lmZd Z dd lmZd Z ddlZd dlmZd dlmZd dlmZd ZdZGddeeZ!y#e$rY/wxYw#e$rZ d Ze ZYdZ [ &dZ [ wwxYw)a name: ldap author: Jordan Borean (@jborean93) short_description: Inventory plugin for Active Directory version_added: 1.1.0 description: - Inventory plugin for Active Directory or other LDAP sources. - Uses a YAML configuration file that ends with C(microsoft.ad.ldap.{yml|yaml}). - Each host that is added will set the C(inventory_hostname) to the C(name) of the LDAP computer object and C(ansible_host) to the value of the C(dNSHostName) LDAP attribute if set. If the C(dNSHostName) attribute is not set on the computer object then C(ansible_host) is not set. See R(LDAP inventory hostname,ansible_collections.microsoft.ad.docsite.guide_ldap_inventory.inventory_hostname) for more information on how these values are set and how to adjust them. - The host fact C(microsoft_ad_distinguished_name) will also be set to the distinguished name of the host that was used to derive the host entry. - Any other fact that is needed, needs to be defined in the I(attributes) option. options: attributes: description: - The LDAP attributes to retrieve. - The keys specified are the LDAP attributes requested and the values for each attribute is a dictionary that reflects what host var to set it to and how. - Each key of the inner dictionary value is the host variable name to set and the value is the template to use to derive the value. If no value is explicitly set then it will use the coerced value as returned from the LDAP attribute. - Attributes that are denoted as single value in the LDAP schema are returned as that single value, multi valued attributes are returned as a list of values. - See R(LDAP inventory attributes,ansible_collections.microsoft.ad.docsite.guide_ldap_inventory.attributes) for more information. default: {} type: dict filter: description: - The LDAP filter string used to query the computer objects. - By default, this will be combined with the filter "(objectCategory=computer)". Use I(filter_without_computer) to override this behavior and have I(filter) be the only filter used. type: str filter_without_computer: description: - Will not combine the I(filter) value with the default filter "(objectCategory=computer)". - In most cases this should be C(false) but can be set to C(true) to have the I(filter) value specified be the only filter used. type: bool default: false version_added: '1.3.0' search_base: description: - The LDAP search base to find the computer objects in. - Defaults to the C(defaultNamingContext) of the Active Directory server if not specified. - If searching a larger Active Directory database, it is recommended to narrow the search base to speed up the queries. type: str search_scope: description: - The scope of the LDAP search to perform. - C(base) will search only the current path or object specified by I(search_base). This is typically not useful for inventory plugins. - C(one_level) will search only the immediate child objects in I(search_base). - C(subtree) will search the immediate child objects and any nested objects in I(search_base). choices: - base - one_level - subtree default: subtree type: str notes: - See R(LDAP inventory,ansible_collections.microsoft.ad.docsite.guide_ldap_inventory) for more details on how to use this inventory plugin. - See R(LAPS,ansible_collections.microsoft.ad.docsite.guide_ldap_inventory.laps) for more details on how this plugin can retrieve the LAPS password information. - This plugin is a tech preview and the module options are subject to change based on feedback received. - Unless specified otherwise in the option description, the value specified in the config file is used as is. Only the LDAP connection options allow using a Jinja2 template. extends_documentation_fragment: - constructed - microsoft.ad.ldap_connection a # Set in the file ending with microsoft.ad.ldap.yml or microsoft.ad.ldap.yaml plugin: microsoft.ad.ldap #################################################################### # Connection Options # # # # These options control how the plugin connects to the LDAP server # #################################################################### # Connects to ldap://dc01.domain.com:389 server: dc01.domain.com port: 389 # Connects to ldaps://dc01.domain.com:636 server: dc01.domain.com tls_mode: ldaps # Connects to the global catalog # ldap://dc01.domain.com:3268 server: dc01.domain.com port: 3268 # Provides explicit user, will use the current Kerberos ticket if no credential # is provided. username: domain-user@DOMAIN.COM password: Password123! # Only allow Kerberos authentication. auth_protocol: kerberos # Verify LDAPS CA chain with custom CA chain. tls_mode: ldaps ca_cert: /home/user/certs/ldap.pem # The username and password can be retrieved using a template with a lookup. # Other connection options can also be set this way, the option description # tells you whether it can be set to a template. username: '{{ lookup("ansible.builtin.env", "LDAP_USERNAME") }}' password: '{{ lookup("ansible.builtin.env", "LDAP_PASSWORD") }}' ############################################## # Search Options # # # # These options control the searching rules # ############################################## # Search for computer accounts in the Workshop OU. search_base: OU=Workshop A,DC=domain,DC=com # Filter the computer accounts returned for only ones with the dNSDomainName # attribute set. filter: (dNSDomainName=*) # Filter computer accounts returned for ones starting with PROD and with the # LAPS password set. filter: (&(sAMAccountName=PROD*)(ms-Mcs-AdmPwd=*)) # See documentation for more details attributes: sAMAccountName: sam_account_name: objectSid: computer_sid: pwdLastSet: password_last_set: this | microsoft.ad.as_datetime comment: host_comment memberOf: # Gets the value (1) of the first RDN (0) of each memberOf instance (this). # For example 'CN=Domain Admins,CN=Users,DC=domain,DC=test' # will be returned as just 'Domain Admins' computer_membership: this | microsoft.ad.parse_dn | map(attribute="0.1") location: ############################################################################ # LAPS Integration # # # # Examples on how to use the new Windows LAPS values as connection options # ############################################################################ attributes: # msLAPS-Password is used if no encryption has been configured. # Currently an encrypted LAPS password is not supported. msLAPS-Password: ansible_user: (this | from_json).n ansible_password: (this | from_json).p # msLAPS-EncryptedPassword is used if encryption has been configured. # If the Python dpapi-ng library is installed the `this`` value will # contain the entry `value` which is the decrypted value. The ``info`` # entry will contain the reason why the value could not be decrypted. msLAPS-EncryptedPassword: ansible_user: (this.value | from_json).n ansible_password: (this.value | from_json).p # ms-Mcs-AdmPwd is used for Legacy LAPS and stores just the password. # The username needs to be hardcoded as a string value for this template. ms-Mcs-AdmPwd: ansible_user: '"Administrator"' ansible_password: this ##################################################################### # Constructed Options # # # # These options control the constructed values like vars and groups # ##################################################################### # Build composed host variables. Requires attributes to be set in the # attributes option to be referenced here. compose: host_var: computer_sid # Conditionals that adds found hosts to the groups specified. groups: # Adds all hosts to the windows group windows: true # Uses the memberOf fact documented above to place the host in the production # group if it's a member of that group production: '"Production Group" in computer_membership' # Adds the host to a group site_{{ location }} with the default group of # site_unknown if the location isn't defined keyed_groups: - key: location | default(omit) prefix: site default_value: unknown N) AnsibleError) InventoryData)missing_required_lib) DataLoader)BaseInventoryPlugin Constructable)wrap_varF)trust_as_templateT)create_ldap_connection) LDAPSchema) LAPSDecryptorc eZdZdZdedeffd Zdededededdf fd Z de jee jeefffd Z xZ S) InventoryModulezmicrosoft.ad.ldappathreturncFt||r|jdSy)N)zmicrosoft.ad.ldap.ymlzmicrosoft.ad.ldap.yamlF)super verify_fileendswith)selfr __class__s g/home/dcms/DCMS/lib/python3.12/site-packages/ansible_collections/microsoft/ad/plugins/inventory/ldap.pyrzInventoryModule.verify_file s# 7 t $==!TU U inventoryloadercacheNc  t/||||||j|j|ts't ddd}t |dtt|jd}|jd}|jd}|jd } |jd } |jd } |jd } |jd } tjjtjjtjjd| }tjdd}| r=tjj!| }| r|}ntj"||g}n|}|j%}ddhj'|j)Dcgc]}|j+c}}|j-dd}|rd|i|d<|j/}hd}i}t0sd|d<|j3D]e\}}||vs |j4j7|s'|j8j;d||j4j<d%d|i|||<gt?d%i|}tAd%i|5}tCjD|}|jG|tI|| |j3D]@\}}|j3D !cic]\} }!| j+|!}"} }!|"ddjKd}#d|i}$|"jMdd}%|%r|%djKd|$d<|j3D]\}&}'|"jM|&j+g}(|jO|&|(})tQ|(D*cgc]%}*tSjT|*jK'c}*|$d<|&j+d k(r#|(r!tQ|jW|(d|$d!<ntQ|)|$d!<|'j3D].\}+}!t0r tY|!}! |j[|!|$},|,|$|+<0|$j-d|$j-d!|$jMd|#}.|j_|.|$j3D]\}+}!|+dk(r |ja|.|+|! |jc||$|.| $|je||$|.| $|jg||$|.| $C dddycc}wcc}!} wcc}*w#t\$r"}-| rt d"|+d#|#d|-|-Yd}-~-,d}-~-wwxYw#1swYyxYw)&Nzsansldap and pyspnegozIhttps://pypi.org/project/sansldap/ and https://pypi.org/project/pyspnego/zfor ldap lookups)urlreasonz: composegroups keyed_groupsfilterfilter_without_computer search_base search_scopestrict)base one_levelsubtreeobjectCategoryscomputer)filtersname dnshostnameinventory_hostname> portserverca_certencryptpasswordtls_modeusername certificate auth_protocolcert_validationcertificate_keyconnection_timeoutcertificate_passwordFdisable_lookupszTemplating option variable)r$ attributesr&r'rzutf-8microsoft_ad_distinguished_name ansible_hostrawzmslaps-encryptedpasswordthiszCould not set z for host )r()4rparse set_options_read_config_dataHAS_LDAPrr LDAP_IMP_ERR get_optionsansldap SearchScopeBASE ONE_LEVELSUBTREEFilterEquality LDAPFilter from_string FilterAnd_get_custom_attributesunionkeyslowerpop get_optionsUSE_DATA_TAGGINGitemstemplar is_templatedisplayvvvtemplaterr r load_schemasearchlistdecodeget cast_objectr base64 b64encodedecryptr _compose Exceptionadd_host set_variable_set_composite_vars_add_host_to_composed_groups_add_host_to_keyed_groups)0rrrrrmsgr!r"r# ldap_filterldap_filter_without_computerr&r'r(ldap_search_scopecomputer_filterldap_filter_obj final_filtercustom_attributesar@r0connection_optionstemplate_fieldstemplated_option_kwargs option_name option_valuelaps_decryptorclientschemadninfokvinsensitive_info host_name host_vars dns_host_namer.var_info raw_valuesvaluesrn compositeeactual_host_namers0 rrFzInventoryModule.parses  iu5  t$&'_)C #b78l J//),*~6 ooh/ '+7P'Q$oom4 ~6 *((--!--77++33    #112BKP &11==kJO+. '11,o>  +L 779m,22 1 6 6 8 91QWWY 9 %[[)=tD $&87 2 3"--/ #%9> #$5 6);)A)A)C  %Ko-$,,2J2J3   #5k]!CD2G$,,2G2G3)3-3";/  '<);< # 9&8 9B V++F3F"MM# +'. * eg ? D >BZZ\#JTQAGGIqL#J #J,V4Q7>>wG 5r1 !1 4 4]D I  0=a0@0G0G0PIn-&7&=&=&?*ND(!1!5!5djjlB!GJ#//jAF'/?IJ!))!,335J(Ie$zz|'AAj,4^5K5KJWXM5Z,[ &),4V,< &) ( 0 11+ 1! 4A%(, a(CI(1 !  1MM%(MM&);*>$-==1Ey#Q ""#34%OO-CDAq00 **+;QBC ((Y(8)11I'72.. )-=f/{? B B Y :j$K K )%%&2&4QCz)Bqc$R'"'(!)% %OB B s^T9)AU7T> BU7;*U%A5U7U -CU7> U7 U4 U/ )U7/U4 4U77Vc |jd}i}|jD]\}}|s|jdddi}nZt|tr|jdd|i}n5t|t s%t d|dt|jdt|jD]G}||}|sd||<t|tr!t d|d|d t|jd |||<|S) Nr@-_rDz Attribute z value was z but was expecting a dictionary.z template value was z but was expecting a string) rKr\replace isinstancestrdictrtype__name__rdrW)rryprocessed_attributesr.rvar_name var_templates rrUz&InventoryModule._get_custom_attributess) OOL9>@+113 .JD$ S#.7D#& S#.5d+" k$t*2E2E1FFef!- #H~ #%+DN#L#6&$TF!H:5I$|J\JeJeIfgBC  *.  &) .,$#r)r __module__ __qualname__NAMErboolrrrrFtDictrU __classcell__)rs@rrrs~ D ` `` `  `  `D$sAFF384D/D(E$rr)" DOCUMENTATIONEXAMPLESrhtypingransible.errorsransible.inventory.dataransible.module_utils.basicransible.parsing.dataloaderransible.plugins.inventoryrransible.utils.unsafe_proxyr r[ansible.templater ImportErrorrLplugin_utils._ldapr plugin_utils._ldap.schemar plugin_utils._ldap.lapsrrIrJrlrrrErrrsY vD L'0;1H/ 2 ;67HL E$)=E$%  HLs(A&A1&A.-A.1B6A??B