From a3053d8c2ca7cdb3ba24cf5ca0bb51193be9f059 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Wed, 3 May 2017 20:59:55 +0530 Subject: [PATCH] Add validate_certs option to ldap_attr, ldap_entry (#24060) This fix adds a module option `validate_certs' to check self-signed certificate of LDAP server. Fixes https://github.com/ansible/ansible/issues/24009 Signed-off-by: Abhijeet Kasurde --- lib/ansible/modules/net_tools/ldap/ldap_attr.py | 15 ++++++++++++++- .../modules/net_tools/ldap/ldap_entry.py | 17 +++++++++++++++-- 2 files changed, 29 insertions(+), 3 deletions(-) diff --git a/lib/ansible/modules/net_tools/ldap/ldap_attr.py b/lib/ansible/modules/net_tools/ldap/ldap_attr.py index bf7f3c1f244..a5be88a5000 100644 --- a/lib/ansible/modules/net_tools/ldap/ldap_attr.py +++ b/lib/ansible/modules/net_tools/ldap/ldap_attr.py @@ -101,6 +101,14 @@ options: - The value(s) to add or remove. This can be a string or a list of strings. The complex argument format is required in order to pass a list of strings (see examples). + validate_certs: + required: false + choices: ['yes', 'no'] + default: 'yes' + description: + - If C(no), SSL certificates will not be validated. This should only be + used on sites using self-signed certificates. + version_added: "2.4" """ @@ -208,6 +216,7 @@ class LdapAttr(object): self.server_uri = self.module.params['server_uri'] self.start_tls = self.module.params['start_tls'] self.state = self.module.params['state'] + self.verify_cert = self.module.params['validate_certs'] # Normalize values if isinstance(self.module.params['values'], list): @@ -276,6 +285,9 @@ class LdapAttr(object): return not self._is_value_present(value) def _connect_to_ldap(self): + if not self.verify_cert: + ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) + connection = ldap.initialize(self.server_uri) if self.start_tls: 
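Review bot: The new `validate_certs` description in ldap_attr.py tells users to disable validation "on sites using self-signed certificates" without saying what that costs: with `no` the module accepts any certificate, including one presented by a man-in-the-middle, so the bind credentials sent over that connection are exposed. Since this patch adds no option for trusting a specific CA or self-signed certificate, the docstring should point at the libldap way of doing that instead of recommending `no`. I would extend the description to: `- If C(no), SSL certificates will not be validated. This disables protection against man-in-the-middle attacks; prefer trusting the server's self-signed certificate via TLS_CACERT in ldap.conf and leaving this at C(yes).`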
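Review bot: `validate_certs: yes` does not actually guarantee validation in the new `_connect_to_ldap`: the added lines only set `OPT_X_TLS_REQUIRE_CERT` when the option is false, so with the default the effective policy is whatever libldap inherits from ldap.conf's `TLS_REQCERT`, which an administrator may have set to `never` or `allow`. A security option whose default means "validate" should enforce that explicitly in both directions rather than rely on host configuration. Replace the two added lines with `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_DEMAND if self.verify_cert else ldap.OPT_X_TLS_NEVER)` and add a comment noting that this is a process-global libldap setting that must precede `ldap.initialize()`. The rest of `_connect_to_ldap` (start_tls and bind handling) continues outside the hunk.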
@@ -312,13 +324,14 @@ def main(): default='present', choices=['present', 'absent', 'exact']), 'values': dict(required=True, type='raw'), + 'validate_certs': dict(default=True, type='bool'), }, supports_check_mode=True, ) if not HAS_LDAP: module.fail_json( - msg="Missing requried 'ldap' module (pip install python-ldap)") + msg="Missing required 'ldap' module (pip install python-ldap)") # Update module parameters with user's parameters if defined if 'params' in module.params and isinstance(module.params['params'], dict): diff --git a/lib/ansible/modules/net_tools/ldap/ldap_entry.py b/lib/ansible/modules/net_tools/ldap/ldap_entry.py index 7c591ec4bf6..0f53828fb65 100644 --- a/lib/ansible/modules/net_tools/ldap/ldap_entry.py +++ b/lib/ansible/modules/net_tools/ldap/ldap_entry.py @@ -101,6 +101,14 @@ options: default: present description: - The target state of the entry. + validate_certs: + required: false + choices: ['yes', 'no'] + default: 'yes' + description: + - If C(no), SSL certificates will not be validated. This should only be + used on sites using self-signed certificates. + version_added: "2.4" """ @@ -171,6 +179,7 @@ class LdapEntry(object): self.server_uri = self.module.params['server_uri'] self.start_tls = self.module.params['start_tls'] self.state = self.module.params['state'] + self.verify_cert = self.module.params['validate_certs'] # Add the objectClass into the list of attributes self.module.params['attributes']['objectClass'] = ( @@ -234,6 +243,9 @@ class LdapEntry(object): return is_present def _connect_to_ldap(self): + if not self.verify_cert: + ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER) + connection = ldap.initialize(self.server_uri) if self.start_tls: 
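Review bot: The `validate_certs` description added to ldap_entry.py does not say when the option has any effect. It only matters when TLS is negotiated, i.e. for an `ldaps://` `server_uri` or when `start_tls` is set; with the module's default `server_uri` of `ldapi:///` it is silently ignored, which could lead a user to believe certificate checking is configured when no TLS is in use at all. I would add a sentence such as `Only applies to C(ldaps://) URIs and to connections using I(start_tls).` to the description, and mirror it in ldap_attr.py.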
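Review bot: The added `ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)` in ldap_entry's `_connect_to_ldap` is a process-wide libldap setting, not a property of the `connection` created on the next line, and it is never reset, so once this runs with `validate_certs: no` every later `ldap.initialize()` in the same interpreter also skips certificate checks. For an Ansible module executed as its own process this is mostly harmless today, but it deserves a comment, e.g. `# Global libldap option: must be set before ldap.initialize() and affects every later connection in this process.` If per-connection scope is wanted, python-ldap can apply `OPT_X_TLS_REQUIRE_CERT` on the connection object, but to my recollection libldap only honours that after `connection.set_option(ldap.OPT_X_TLS_NEWCTX, 0)`, so that should be verified against the targeted python-ldap version before changing it. The function's start_tls and bind logic continues beyond the hunk.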
@@ -268,17 +280,18 @@ def main(): 'server_uri': dict(default='ldapi:///'), 'start_tls': dict(default=False, type='bool'), 'state': dict(default='present', choices=['present', 'absent']), + 'validate_certs': dict(default=True, type='bool'), }, supports_check_mode=True, ) if not HAS_LDAP: module.fail_json( - msg="Missing requried 'ldap' module (pip install python-ldap).") + msg="Missing required 'ldap' module (pip install python-ldap).") state = module.params['state'] - # Chek if objectClass is present when needed + # Check if objectClass is present when needed if state == 'present' and module.params['objectClass'] is None: module.fail_json(msg="At least one objectClass must be provided.")