From 047fddfe86a49cb87ff929db037658d4ed252269 Mon Sep 17 00:00:00 2001 From: Chris Archibald Date: Tue, 28 Aug 2018 03:45:57 -0700 Subject: [PATCH] Adding ElementSW Ldap Module (#43969) * Adding ElementSW Ldap Module --- .../storage/netapp/na_elementsw_ldap.py | 243 ++++++++++++++++++ 1 file changed, 243 insertions(+) create mode 100644 lib/ansible/modules/storage/netapp/na_elementsw_ldap.py diff --git a/lib/ansible/modules/storage/netapp/na_elementsw_ldap.py b/lib/ansible/modules/storage/netapp/na_elementsw_ldap.py new file mode 100644 index 00000000000..3830ca42b2a --- /dev/null +++ b/lib/ansible/modules/storage/netapp/na_elementsw_ldap.py @@ -0,0 +1,243 @@ +#!/usr/bin/python + +# (c) 2017, NetApp, Inc +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + + +DOCUMENTATION = ''' + +module: na_elementsw_ldap + +short_description: NetApp Element Software Manage ldap admin users +extends_documentation_fragment: + - netapp.solidfire +version_added: '2.7' +author: NetApp Ansible Team (ng-ansibleteam@netapp.com) +description: +- Enable, disable ldap, and add ldap users + +options: + + state: + description: + - Whether the specified volume should exist or not. + required: true + choices: ['present', 'absent'] + + authType: + description: + - Identifies which user authentication method to use. + choices: ['DirectBind', 'SearchAndBind'] + + groupSearchBaseDn: + description: + - The base DN of the tree to start the group search (will do a subtree search from here) + + groupSearchType: + description: + - Controls the default group search filter used + choices: ['NoGroup', 'ActiveDirectory', 'MemberDN'] + + serverURIs: + description: + - A comma-separated list of LDAP server URIs + + userSearchBaseDN: + description: + - The base DN of the tree to start the search (will do a subtree search from here) + + searchBindDN: + description: + - A dully qualified DN to log in with to perform an LDAp search for the user (needs read access to the LDAP directory). + + searchBindPassword: + description: + - The password for the searchBindDN account used for searching + + userSearchFilter: + description: + - the LDAP Filter to use + + userDNTemplate: + description: + - A string that is used form a fully qualified user DN. + + groupSearchCustomFilter: + description: + - For use with the CustomFilter Search type +''' + +EXAMPLES = """ + - name: disable ldap authentication + na_elementsw_ldap: + state: absent + username: "{{ admin username }}" + password: "{{ admin password }}" + hostname: "{{ hostname }}" + + - name: Enable ldap authentication + na_elementsw_ldap: + state: present + username: "{{ admin username }}" + password: "{{ admin password }}" + hostname: "{{ hostname }}" + authType: DirectBind + serverURIs: ldap://svmdurlabesx01spd_ldapclnt + groupSearchType: MemberDN + userDNTemplate: uid=%USERNAME%,cn=users,cn=accounts,dc=corp,dc="{{ company name }}",dc=com + + +""" + +RETURN = """ + +""" +import traceback + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils._text import to_native +import ansible.module_utils.netapp as netapp_utils + +HAS_SF_SDK = netapp_utils.has_sf_sdk() +try: + import solidfire.common +except: + HAS_SF_SDK = False + + +class NetappElementLdap(object): + + def __init__(self): + self.argument_spec = netapp_utils.ontap_sf_host_argument_spec() + self.argument_spec.update(dict( + state=dict(required=True, choices=['present', 'absent']), + authType=dict(required=False, choices=['DirectBind', 'SearchAndBind']), + groupSearchBaseDn=dict(required=False, type=str), + groupSearchType=dict(required=False, choices=['NoGroup', 'ActiveDirectory', 'MemberDN']), + serverURIs=dict(required=False, type=str), + userSearchBaseDN=dict(required=False, type=str), + searchBindDN=dict(required=False, type=str), + searchBindPassword=dict(required=False, type=str, no_log=True), + userSearchFilter=dict(required=False, type=str), + userDNTemplate=dict(required=False, type=str), + groupSearchCustomFilter=dict(required=False, type=str) + )) + + self.module = AnsibleModule( + argument_spec=self.argument_spec, + supports_check_mode=True + ) + + param = self.module.params + + # set up state variables + self.state = param['state'] + self.authType = param['authType'] + self.groupSearchBaseDn = param['groupSearchBaseDn'] + self.groupSearchType = param['groupSearchType'] + self.serverURIs = param['serverURIs'] + if self.serverURIs is not None: + self.serverURIs = self.serverURIs.split(',') + self.userSearchBaseDN = param['userSearchBaseDN'] + self.searchBindDN = param['searchBindDN'] + self.searchBindPassword = param['searchBindPassword'] + self.userSearchFilter = param['userSearchFilter'] + self.userDNTemplate = param['userDNTemplate'] + self.groupSearchCustomFilter = param['groupSearchCustomFilter'] + + if HAS_SF_SDK is False: + self.module.fail_json(msg="Unable to import the SolidFire Python SDK") + else: + self.sfe = netapp_utils.create_sf_connection(module=self.module) + + def get_ldap_configuration(self): + """ + Return ldap configuration if found + + :return: Details about the ldap configuration. None if not found. + :rtype: solidfire.models.GetLdapConfigurationResult + """ + ldap_config = self.sfe.get_ldap_configuration() + return ldap_config + + def enable_ldap(self): + """ + Enable LDAP + :return: nothing + """ + try: + self.sfe.enable_ldap_authentication(self.serverURIs, auth_type=self.authType, + group_search_base_dn=self.groupSearchBaseDn, + group_search_type=self.groupSearchType, + group_search_custom_filter=self.groupSearchCustomFilter, + search_bind_dn=self.searchBindDN, + search_bind_password=self.searchBindPassword, + user_search_base_dn=self.userSearchBaseDN, + user_search_filter=self.userSearchFilter, + user_dntemplate=self.userDNTemplate) + except solidfire.common.ApiServerError as error: + self.module.fail_json(msg='Error enabling LDAP %s: %s' % (self.account_id, to_native(error)), + exception=traceback.format_exc()) + + def check_config(self, ldap_config): + """ + Check to see if the ldap config has been modified. + :param ldap_config: The LDAP configuration + :return: False if the config is the same as the playbook, True if it is not + """ + if self.authType != ldap_config.ldap_configuration.auth_type: + return True + if self.serverURIs != ldap_config.ldap_configuration.server_uris: + return True + if self.groupSearchBaseDn != ldap_config.ldap_configuration.group_search_base_dn: + return True + if self.groupSearchType != ldap_config.ldap_configuration.group_search_type: + return True + if self.groupSearchCustomFilter != ldap_config.ldap_configuration.group_search_custom_filter: + return True + if self.searchBindDN != ldap_config.ldap_configuration.search_bind_dn: + return True + if self.searchBindPassword != ldap_config.ldap_configuration.search_bind_password: + return True + if self.userSearchBaseDN != ldap_config.ldap_configuration.user_search_base_dn: + return True + if self.userSearchFilter != ldap_config.ldap_configuration.user_search_filter: + return True + if self.userDNTemplate != ldap_config.ldap_configuration.user_dntemplate: + return True + return False + + def apply(self): + changed = False + ldap_config = self.get_ldap_configuration() + if self.state == 'absent': + if ldap_config and ldap_config.ldap_configuration.enabled: + changed = True + if self.state == 'present' and self.check_config(ldap_config): + changed = True + if changed: + if self.module.check_mode: + pass + else: + if self.state == 'present': + self.enable_ldap() + elif self.state == 'absent': + self.sfe.disable_ldap_authentication() + + self.module.exit_json(changed=changed) + + +def main(): + v = NetappElementLdap() + v.apply() + + +if __name__ == '__main__': + main()