Merge branch 'drybjed-ldap-get-uuid-play'

drybjed committed Oct 5, 2019
2 parents 6966299 + 482245d commit 44740fa794b19bf56c61677a355be9b370608a6f
Showing with 80 additions and 0 deletions.
  1. +3 −0 CHANGELOG.rst
  2. +74 −0 ansible/playbooks/ldap/get-uuid.yml
  3. +3 −0 docs/ansible/roles/debops.ldap/ldap-admin.rst
@@ -55,6 +55,9 @@ LDAP
other Ansible roles to utilize them without the need for the system
administrator to define them by hand.

- The :file:`ldap/get-uuid.yml` Ansible playbook can be used to convert LDAP
Distinguished Names to UUIDs to look up the password files if needed.

:ref:`debops.apt_install` role

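Review bot: the new CHANGELOG entry says the UUIDs are used "to look up the password files" without saying which files, so a reader of the changelog cannot tell what the playbook is for; name the location the playbook header itself names, e.g. "to look up the credentials stored under :file:`secret/ldap/credentials/` or in the :command:`pass` database". It would also help to carry over the caveat from the playbook header that the result is only reliable when the play is limited to a host configured by the ``debops.ldap`` role, since the base DN is derived from that host's local facts.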
@@ -0,0 +1,74 @@

# DebOps uses the "to_uuid" Ansible filter to convert LDAP Distinguished Names
# to UUID strings that are safe to use in shell and store in the filesystem.
# This playbook can be used to convert Distinguished Names to UUID strings to
# help locate specific data about a particular Distinguished Name, for example
# a password stored in the 'secret/ldap/credentials/' directory or in the
# 'pass' database.
# To use this playbook, it is best to apply it against a specifc host that is
# configured to use LDAP via the 'debops.ldap' Ansible role. If that's not the
# case, the playbook will still work, however the resulting UUIDs might not be
# correct.
# Remember to specify Distinguished Name attributes separated by commas,
# without spaces between them. For example, don't use:
# uid=user, ou=People, dc=example, dc=org
# Specify the DN as:
# uid=user,ou=People,dc=example,dc=org
# Usage: debops ldap/get-uuid -l ldap-host

- name: Convert LDAP Distinguished Name to UUID
hosts: [ 'all' ]
serial: '1'
gather_subset: '!all'


# LDAP base Distinguished Name
ldap_base_dn: '{{ ansible_local.ldap.base_dn
if (ansible_local|d() and ansible_local.ldap|d() and
else (ansible_domain.split(".")
| map("regex_replace", "^(.*)$", "dc=\1")
| list) }}'

# Relative Distinguished Name of the LDAP object that contains the personal
# user accounts
ldap_people_rdn: '{{ ansible_local.ldap.people_rdn
if (ansible_local|d() and ansible_local.ldap|d() and
else "ou=People" }}'

# Relative Distinguished Name of an user account to convert to an UUID
person_rdn: 'uid={{ person_uid.user_input }}'

# Distinguished Name of an LDAP object to convert to an UUID
object_dn: '{{ (([ person_rdn, ldap_people_rdn ] + ldap_base_dn) | join(","))
if person_uid.user_input|d()
else object_dn_string.user_input }}'


- name: Get the UUID of an user account based on uid
prompt: 'uid (case-sensitive)'
register: person_uid

- name: Get the UUID of a Distinguished Name
prompt: 'dn (case-sensitive)'
register: object_dn_string
when: not person_uid.user_input|d()

- name: LDAP object information
msg: '{{ {"DN:": object_dn,
"UUID:": (object_dn | to_uuid)} }}'
when: object_dn|d()
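Review bot: the header comment warns that a DN typed as `uid=user, ou=People, dc=example, dc=org` gives a different UUID than the same DN without spaces, but the play does nothing about it; since `to_uuid` hashes the literal string, a stray space silently yields a wrong answer. Either normalise the prompted value before hashing, e.g. `object_dn_string.user_input | regex_replace(",\s+", ",")`, or fail the play when the input contains `, ` so the user gets an error instead of a plausible but useless UUID. Two smaller points: as displayed here the `ldap_base_dn` and `ldap_people_rdn` conditions end with a dangling `and` directly before `else`, so check that the committed file carries the remaining `ansible_local.ldap.base_dn|d()` / `ansible_local.ldap.people_rdn|d()` operand; and "specifc" in the usage comment should be "specific". With `hosts: all` and `serial: '1'` the two prompts are also repeated once per host if someone forgets the `-l ldap-host` limit, which the usage line could say explicitly.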
@@ -69,6 +69,9 @@ are named based on the UUID value of the current user Distinguished Name used
as the BindDN (in the :envvar:`ldap__admin_binddn` variable). The UUID
conversion is used because LDAP Distinguished Names can contain spaces, and the
Ansible lookups don't work too well with filenames that contain spaces.
You can use the :file:`ldap/get-uuid.yml` playbook to convert user account DNs
or arbitrary LDAP Distinguished Names to an UUID value you can use to look up
the passwords manually, if needed.

You can store new credentials in the :command:`pass` password manager using the
:file:`ansible/playbooks/ldap/save-credential.yml` Ansible playbook included
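Review bot: this paragraph should state that the DN must be given exactly as it appears in :envvar:`ldap__admin_binddn` (same attribute order and case, no spaces after the commas), because the UUID is computed from the literal string with the `to_uuid` filter, not from a parsed DN; the playbook header says this, the user-facing docs do not, and a mismatch gives a UUID that matches no file. Also "to an UUID value" on the third line should read "to a UUID value".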
