summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2014-07-07 23:02:45 +0200
committerGuilhem Moulin <guilhem@fripost.org>2015-06-07 02:52:41 +0200
commit9198e7f8096e9f1b0d5f474cf2345913a357f864 (patch)
tree940cafc428e311b8ea82d9dad7a59c8bfb9251ac
parent3e38718677b10faca8970d9b1cc8edc215cce798 (diff)
Make the Ansible LDAP plugin able to delete entries and attributes.
Use it to delete cn=admin,dc=fripost,dc=org, and to remove the rootDN on the 'config' database.
-rw-r--r--lib/action_plugins/openldap.py3
-rw-r--r--lib/modules/openldap37
-rw-r--r--roles/LDAP-provider/tasks/main.yml2
-rw-r--r--roles/common-LDAP/tasks/main.yml14
4 files changed, 47 insertions, 9 deletions
diff --git a/lib/action_plugins/openldap.py b/lib/action_plugins/openldap.py
index ee8a991..5dbf59f 100644
--- a/lib/action_plugins/openldap.py
+++ b/lib/action_plugins/openldap.py
@@ -31,6 +31,9 @@ class ActionModule(object):
def run(self, conn, tmp, module_name, module_args, inject, complex_args=None, **kwargs):
''' handler for file transfer operations '''
+ if self.runner.noop_on_check(inject):
+ return ReturnData(conn=conn, comm_ok=True, result=dict(skipped=True))
+
# load up options
options = {}
if complex_args:
diff --git a/lib/modules/openldap b/lib/modules/openldap
index 1e84c32..69ee4df 100644
--- a/lib/modules/openldap
+++ b/lib/modules/openldap
@@ -265,31 +265,58 @@ def slapd_to_ldif(src, name):
def main():
module = AnsibleModule(
argument_spec = dict(
- state = dict( default="present", choices=["absent","present"]),
target = dict( default=None ),
module = dict( default=None ),
suffix = dict( default=None ),
format = dict( default="ldif", choices=["ldif","slapd.conf"] ),
name = dict( default=None ),
local = dict( default="no", choices=["no","file","template"] ),
+ delete = dict( default=None ),
),
supports_check_mode=True
)
params = module.params
- state = params['state']
target = params['target']
mod = params['module']
suffix = params['suffix']
form = params['format']
name = params['name']
+ delete = params['delete']
changed = False
try:
- if state == "absent":
- module.fail_json(msg="OpenLDAP's ansible: unsupported feature")
+ if delete is not None:
+ if name is None:
+ module.fail_json(msg="missing name")
+ l = ldap.initialize( 'ldapi://' )
+ l.sasl_interactive_bind_s('', ldap.sasl.external())
+ if delete == 'entry':
+ filterStr = '(objectClass=*)'
+ else:
+ filterStr = [ '(%s=*)' % x for x in delete.split(',') ]
+ if len(filterStr) > 1:
+ filterStr = '(|' + ''.join(filterStr) + ')'
+ else:
+ filterStr = filterStr[0]
+
+ try:
+ r = l.search_s( name, ldap.SCOPE_BASE, filterStr, attrsonly=1 )
+ except ldap.LDAPError, ldap.NO_SUCH_OBJECT:
+ r = None
- elif state == "present":
+ if r:
+ changed = True
+ if module.check_mode:
+ module.exit_json(changed=changed)
+ if delete == 'entry':
+ l.delete_s(r[0][0])
+ else:
+ attrlist = list(set(r[0][1].keys()) & set(delete.split(',')))
+ l.modify_s(r[0][0], [ (ldap.MOD_DELETE, x, None) for x in attrlist ])
+ l.unbind_s()
+
+ else:
if form == 'slapd.conf':
if name is None:
module.fail_json(msg="missing name")
diff --git a/roles/LDAP-provider/tasks/main.yml b/roles/LDAP-provider/tasks/main.yml
index 0ba4f26..fa212a0 100644
--- a/roles/LDAP-provider/tasks/main.yml
+++ b/roles/LDAP-provider/tasks/main.yml
@@ -1,5 +1,5 @@
- name: Load and configure the syncprov overlay
- openldap: module=syncprov state=present
+ openldap: module=syncprov
suffix=dc=fripost,dc=org
target=etc/ldap/syncprov.ldif
local=file
diff --git a/roles/common-LDAP/tasks/main.yml b/roles/common-LDAP/tasks/main.yml
index 85ad831..e86fa45 100644
--- a/roles/common-LDAP/tasks/main.yml
+++ b/roles/common-LDAP/tasks/main.yml
@@ -112,17 +112,25 @@
- amavis
- name: Load amavis' schema
- openldap: target=/etc/ldap/schema/amavis.schema state=present
+ openldap: target=/etc/ldap/schema/amavis.schema
format=slapd.conf name=amavis
tags:
- ldap
- name: Load Fripost' schema
- openldap: target=/etc/ldap/schema/fripost.ldif state=present
+ openldap: target=/etc/ldap/schema/fripost.ldif
tags:
- ldap
# We assume a clean (=stock) cn=config
- name: Configure the LDAP database
openldap: target=etc/ldap/database.ldif.j2 local=template
- state=present
+
+# On read-only replicates, you might have to temporarily switch back to
+# read-write, delete the SyncRepl, and delete the DN manually:
+# sudo ldapdelete -Y EXTERNAL -H ldapi:// cn=admin,dc=fripost,dc=org
+- name: Remove cn=admin,dc=fripost,dc=org
+ openldap: name="cn=admin,dc=fripost,dc=org" delete=entry
+
+- name: Remove the rootDN under the 'config' database
+ openldap: name="olcDatabase={0}config,cn=config" delete=olcRootDN,olcRootPW