Allow passing username/password from env variables #51
Comments
|
The PR #37 exposes all the connection options for LDAP into their own environment variables. Unfortunately lookups are disabled as part of any inventory plugin by default which is why your example won't work. |
|
thanks. export MICROSOFT_AD_LDAP_username="user@DOMAIN.COM"
export MICROSOFT_AD_LDAP_password="password"Should be the way? (if so, a bit limiting since I manage 3x domains, but I can work with it), or can only do |
|
You'll have to use the upper case
That is a good point, I'll have a closer look and see what can be done to enable lookups for the options. If it is I might just add a note saying this is possible but be careful of where the values are sourced from.
This should also be another option. At least with MIT krb5 you can use a directory ccache that contains multiple tickets for different principals. It should be possible to checkout all your krb5 tickets into the one ccache for your various principals and krb5 will select the correct ticket for the realm you are talking to. I have not tested this option but it should theoretically work. |
|
I've talked about this internally with some other Ansible devs and right now the only real option is to set the option in your inventory plugin config. You can vault the whole yml file and Ansible will be able to decrypt it if provided with the vault secret at runtime. A more practical solution is to follow ansible/ansible#79244 which is designed to allow templating on config options. This should enable things like the env lookup plugin to be used in your plugin config allowing you to do custom logic for deriving these values. Unfortunately I don't want to add even more custom handling to the inventory plugin itself so I'm hoping that PR will be ready shortly (bcoca said he was going to look into it again soon). |
SUMMARY
In the
microsoft.ad.ldapmodule, if I specify the credentials as:I get an error:
(this works ok in https://docs.ansible.com/ansible/devel/collections/microsoft/ad/object_info_module.html#ansible-collections-microsoft-ad-object-info-module-requirements, ie. )
... domain_username: "{{ lookup('env', 'ansible_user_windows_sig') }}" domain_password: "{{ lookup('env', 'ansible_password_windows_sig') }}" ...ISSUE TYPE
While putting in the
username: user@DOMAIN.COMandpassword: <password for the user>works, and I can obtain a kerberos ticket withkinit, ideally I would like to retrieve my credential from env vars....COMPONENT NAME
microsoft.ad.ldap
ADDITIONAL INFORMATION
The text was updated successfully, but these errors were encountered: