ldap_attr, ldap_entry: Add validate_certs option #24060
The test
|
I have commented on the `ldap_entry.py` module only, but the same comments apply on the other one as well.
bind_dn: cn=Directory Manager | ||
bind_pw: password | ||
objectClass: organizationalUnit | ||
validate_certs: True |
This line doesn't make much sense if the default value is `True`. The whole example is redundant. Please remove it.

I would prefer to have an example with `validate_certs: no`.

You don't have to have examples with all possible options. Please remove the example entirely.
@@ -101,6 +101,12 @@ | |||
default: present | |||
description: | |||
- The target state of the entry. | |||
validate_certs: | |||
required: false | |||
choices: [true, false] |
This should be: `['yes', 'no']`

OK.
choices: [true, false] | ||
default: true | ||
description: | ||
- If false, will ignore self-signed certificates of server and connect |
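Review bot: the description at `- If false, will ignore self-signed certificates of server and connect` names only self-signed certificates, which leaves it unclear what else is accepted when the option is off. If `validate_certs: false` turns certificate validation off altogether, the text should say that the server certificate is not validated, so a reader does not assume that expired or hostname-mismatched certificates are still rejected.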
It should be (decoration around the `no` and period at the end of the sentence):
`- If set to C(no), it will ignore self-signed certificates of server and connect.`

OK.
@@ -268,17 +287,18 @@ def main(): | |||
'server_uri': dict(default='ldapi:///'), | |||
'start_tls': dict(default=False, type='bool'), | |||
'state': dict(default='present', choices=['present', 'absent']), | |||
'validate_certs': dict(default=True, type='bool'), |
I think the option should be called `verify_cert`.

OK.

Actually, the option `validate_certs` is also used in the `get_url` module. I think we should keep it in sync with other modules.

Please note that on rebase these files have moved to modules/net_tools/
choices: [true, false] | ||
default: true | ||
description: | ||
- If false, will ignore self-signed certificates of server and connect |
description:
- If C(no), SSL certificates will not be validated. This should only be used
on personally controlled sites using self-signed certificates.
version_added: "2.4"
@@ -101,6 +101,12 @@ | |||
default: present | |||
description: | |||
- The target state of the entry. | |||
validate_certs: |
Update as per other modules
@@ -101,6 +101,13 @@ | |||
- The value(s) to add or remove. This can be a string or a list of | |||
strings. The complex argument format is required in order to pass | |||
a list of strings (see examples). | |||
validate_cert: |
This should be `validate_certs` as per other modules (e.g. `get_url`). The same anywhere else in the code.
server_uri: ldaps://localhost | ||
bind_dn: cn=admin,dc=example,dc=com | ||
bind_pw: password | ||
validate_cert: no |
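Review bot: the example ending in `validate_cert: no` turns certificate checking off on the same task that sends `bind_pw: password` to `ldaps://localhost`, so the documented usage hands bind credentials to a server whose identity was never verified. Consider dropping the example, or showing the task with validation left on and the server's CA trusted on the client. The key is also spelled `validate_cert` here while the ldap_entry hunks use `validate_certs`; one spelling should be used in both modules.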
As I said, it's not really necessary to demonstrate every option. Please remove this example.
ready_for_review |
Please change to
|
@gundalow I think that it's not necessary to mention that it should only be used on personally controlled sites. I would change it to this:
|
This fix adds a module option `validate_certs' to check self-signed certificate of LDAP server. Fixes ansible#24009 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Merged, thanks for the PR and the reviews.

@gundalow Thanks a lot.
SUMMARY
This fix adds a module option `validate_certs' to check
self-signed certificate of LDAP server.
Fixes #24009
Signed-off-by: Abhijeet Kasurde akasurde@redhat.com
ISSUE TYPE
COMPONENT NAME
lib/ansible/modules/network/ldap_attr.py
lib/ansible/modules/network/ldap_entry.py
ANSIBLE VERSION