Add validate_certs option to ldap_attr, ldap_entry (#24060)

This fix adds a module option `validate_certs` to control checking of the
self-signed certificate of an LDAP server.

Fixes https://github.com/ansible/ansible/issues/24009

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
This commit is contained in:
Abhijeet Kasurde 2017-05-03 20:59:55 +05:30 committed by John R Barker
parent 2fbfba0ef3
commit a3053d8c2c
2 changed files with 29 additions and 3 deletions


@ -101,6 +101,14 @@ options:
- The value(s) to add or remove. This can be a string or a list of
strings. The complex argument format is required in order to pass
a list of strings (see examples).
validate_certs:
required: false
choices: ['yes', 'no']
default: 'yes'
description:
- If C(no), SSL certificates will not be validated. This should only be
used on sites using self-signed certificates.
version_added: "2.4"
"""
@ -208,6 +216,7 @@ class LdapAttr(object):
self.server_uri = self.module.params['server_uri']
self.start_tls = self.module.params['start_tls']
self.state = self.module.params['state']
self.verify_cert = self.module.params['validate_certs']
# Normalize values
if isinstance(self.module.params['values'], list):
@ -276,6 +285,9 @@ class LdapAttr(object):
return not self._is_value_present(value)
def _connect_to_ldap(self):
if not self.verify_cert:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
connection = ldap.initialize(self.server_uri)
if self.start_tls:
@ -312,13 +324,14 @@ def main():
default='present',
choices=['present', 'absent', 'exact']),
'values': dict(required=True, type='raw'),
'validate_certs': dict(default=True, type='bool'),
},
supports_check_mode=True,
)
if not HAS_LDAP:
module.fail_json(
msg="Missing requried 'ldap' module (pip install python-ldap)")
msg="Missing required 'ldap' module (pip install python-ldap)")
# Update module parameters with user's parameters if defined
if 'params' in module.params and isinstance(module.params['params'], dict):
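Review bot: `ldap.OPT_X_TLS_NEVER` in the third hunk switches off certificate verification entirely, including issuer and hostname checks, not only the self-signed case the new option description in the first hunk suggests, so the description should state that plainly and point operators with a private CA toward trusting that CA rather than disabling validation. The call is the module-level `ldap.set_option`, which appears to change libldap's process-wide default rather than this one connection; a comment at that line would save the next reader a check, e.g. `# Module-level set_option: changes the libldap default for every connection opened in this process`. The attribute is stored as `self.verify_cert` while the option is `validate_certs`; aligning the names (`self.validate_certs`) would make the param lookup greppable. The same points apply to the corresponding hunks in ldap_entry below. `_connect_to_ldap` continues outside the hunk.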


@ -101,6 +101,14 @@ options:
default: present
description:
- The target state of the entry.
validate_certs:
required: false
choices: ['yes', 'no']
default: 'yes'
description:
- If C(no), SSL certificates will not be validated. This should only be
used on sites using self-signed certificates.
version_added: "2.4"
"""
@ -171,6 +179,7 @@ class LdapEntry(object):
self.server_uri = self.module.params['server_uri']
self.start_tls = self.module.params['start_tls']
self.state = self.module.params['state']
self.verify_cert = self.module.params['validate_certs']
# Add the objectClass into the list of attributes
self.module.params['attributes']['objectClass'] = (
@ -234,6 +243,9 @@ class LdapEntry(object):
return is_present
def _connect_to_ldap(self):
if not self.verify_cert:
ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
connection = ldap.initialize(self.server_uri)
if self.start_tls:
@ -268,17 +280,18 @@ def main():
'server_uri': dict(default='ldapi:///'),
'start_tls': dict(default=False, type='bool'),
'state': dict(default='present', choices=['present', 'absent']),
'validate_certs': dict(default=True, type='bool'),
},
supports_check_mode=True,
)
if not HAS_LDAP:
module.fail_json(
msg="Missing requried 'ldap' module (pip install python-ldap).")
msg="Missing required 'ldap' module (pip install python-ldap).")
state = module.params['state']
# Chek if objectClass is present when needed
# Check if objectClass is present when needed
if state == 'present' and module.params['objectClass'] is None:
module.fail_json(msg="At least one objectClass must be provided.")
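Review bot: The documentation block in the first hunk declares `validate_certs` with `choices: ['yes', 'no']` and `default: 'yes'`, while the argument_spec in the last hunk registers it as `type='bool'` with `default=True`; the two should agree, so I would drop the `choices` line and write `default: 'yes'` as `default: yes` (or `type: bool`) so the generated docs match what the module actually accepts. The same mismatch exists in the ldap_attr file above. `main` continues outside the hunk.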