community.general.ldap_search does not support the "subtree" scope; no way to search a whole LDAP tree with ldap_search

[jayhendren]

Summary

The community.general.ldap_search module does not support the "subtree" scope. Although this module does support the "subordinate" scope, the "subordinate" scope is not supported by default on most popular LDAP server implementations, such as Active Directory or OpenLDAP.

Without support for the "subtree" scope, there is no way to use this module to search an entire LDAP tree on such LDAP servers. This limits searches to objects where the full DN or parent container of the object(s) being searched for are already known.

I am filing this as a bug report rather than a feature request since this seems like a bizarrely basic feature to be missing from an ldap search tool.

I believe this to be related to #4894 , although it seems that the OP in that issue may not have understood the difference between the "subordinate" and "subtree" scopes.

Issue Type

Bug Report

Component Name

ldap_search

Ansible Version

(ansible-venv) [turducken ~/Work/git/or-ldap](master|✔)[I]% ansible --version
ansible [core 2.15.3]
  config file = /media/psf/Home/Work/git/or-ldap/ansible.cfg
  configured module search path = ['/home/jay/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /media/psf/Home/Work/ansible-venv/lib/python3.10/site-packages/ansible
  ansible collection location = /home/jay/.ansible/collections:/usr/share/ansible/collections
  executable location = /media/psf/Home/Work/ansible-venv/bin/ansible
  python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/media/psf/Home/Work/ansible-venv/bin/python3)
  jinja version = 3.1.2
  libyaml = True

Community.general Version

(ansible-venv) [turducken ~/Work/git/or-ldap](master|✔)[I]% ansible-galaxy collection list community.general

# /media/psf/Home/Work/ansible-venv/lib/python3.10/site-packages/ansible_collections
Collection        Version
----------------- -------
community.general 7.3.0  

Configuration

n/a

OS / Environment

n/a

Steps to Reproduce

n/a

Expected Results

n/a

Actual Results

n/a

Code of Conduct

• I agree to follow the Ansible Code of Conduct

[ansibullbot]

Files identified in the description:

• plugins/modules/ldap_search.py

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibullbot]

cc @eryx12o45 @jtyr
click here for bot help

[jayhendren]

After poking through the source code, it appears that subtree is indeed supported, but it's actually called "children" instead:

community.general/plugins/modules/ldap_search.py

Line 211 in 7dd7cbd

children=ldap.SCOPE_SUBTREE,

A little confusing, to me at least, since in OpenLDAP for instance, the "children" scope is equivalent to "subordinate", not "subtree".

So perhaps a documentation issue - maybe the docs here should mention that "children" is actually "subtree": https://docs.ansible.com/ansible/latest/collections/community/general/ldap_search_module.html#parameter-scope

[felixfontein]

That's definitely a good idea. Do you want to create a PR to improve the documentation? You can find it here: https://github.com/ansible-collections/community.general/blob/main/plugins/modules/ldap_search.py#L46. (If you want to change it, add a new item in description - the items are paragraphs - and write something like Note that V(children) ....)

[jayhendren]

Absolutely. I created #8377.