Integrating Microsoft LAPS and ansible

harsh chawda

Jul 9, 2020, 6:52:05 AM
to Ansible Project
Hello All,

I am using Ansible for patching Windows machines in my domain. The process is working fine, with patches being installed till date over WinRM and Kerberos as authentication.

But now they have decided to use LAPS in the environment. So the password keeps on changing and I am not able to access with the same password and patch the servers.

So I tried researching on the internet about it and how to integrate it with the current setup. But I am not able to do it.

Is it feasible and possible with Ansible to use LAPS to retrieve the password and patch Windows machines, as I am patching 5-10 machines at a stretch and all have different passwords? And also, is it secure to integrate it with Ansible?

If anyone has used it in their environment and can help me out with this, it would be great, as I am completely blank on this and how to integrate it.

Thanks in advance.

jbor...@gmail.com

Jul 13, 2020, 3:42:56 PM
to Ansible Project
There's the laps_password lookup (https://docs.ansible.com/ansible/latest/plugins/lookup/laps_password.html) that you can use to retrieve a password set by LAPS from AD. Unfortunately it requires a few extra bits to be installed on your host, like OpenLDAP, but it's definitely possible.

harsh chawda

Jul 15, 2020, 6:47:53 AM
to Ansible Project
Hello,

Thanks for your reply. I will test out the same.

Thanks again.

harsh chawda

Jul 15, 2020, 7:33:27 AM
to Ansible Project
Hello,

I have one doubt: not all systems in my environment are configured with LAPS as of now.

So some of the systems have LAPS and others have LDAP. So will both things work out?

i.e. basically, if I install OpenLDAP, is it a standalone package/module or will it replace the current configuration settings, i.e. LDAP?

Thanks for your reply.

Jordan Borean

Jul 15, 2020, 2:42:20 PM
to Ansible Project
I don’t understand what you mean, sorry. OpenLDAP is required on the controller because that’s a dependency of python-ldap that the lookup uses: https://www.python-ldap.org/en/python-ldap-3.3.0/installing.html#installing. If you already have it installed then you don’t need to reinstall it.

If some hosts use LAPS then you can use this plugin to get the password; for the others that don’t, you need some other mechanism to get the password.
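
The mixed setup discussed in this thread, written out as an inventory; this is an added example, not something posted by a participant. Host names, group names, the domain controller, the `Administrator` account name and the `vault_patchsvc_password` variable are all placeholders and assumptions.

```yaml
# inventory.yml (constructed example; every name below is a placeholder)
all:
  children:
    # Hosts whose local administrator password is rotated by LAPS.
    windows_laps:
      hosts:
        srv01.corp.example.com:
        srv02.corp.example.com:
      vars:
        ansible_connection: winrm
        ansible_port: 5986                  # WinRM over HTTPS
        # A local account cannot authenticate with Kerberos, so these
        # hosts use NTLM instead of the Kerberos transport.
        ansible_winrm_transport: ntlm
        ansible_user: Administrator         # assumption: the account LAPS manages
        # Looked up per host at run time, so each machine gets its own
        # current password and nothing is stored in the inventory.
        # The first argument is the computer object's CN in AD.
        # auth='gssapi' reuses the controller's Kerberos ticket (kinit);
        # that identity needs read access to the LAPS password attribute.
        ansible_password: >-
          {{ lookup('laps_password', inventory_hostname_short,
                    domain='dc01.corp.example.com',
                    auth='gssapi') }}

    # Hosts not yet under LAPS keep the existing domain-account setup.
    windows_domain_auth:
      hosts:
        srv10.corp.example.com:
      vars:
        ansible_connection: winrm
        ansible_port: 5986
        ansible_winrm_transport: kerberos
        ansible_user: patchsvc@CORP.EXAMPLE.COM
        # Hypothetical variable kept in an Ansible Vault encrypted file.
        ansible_password: "{{ vault_patchsvc_password }}"
```

If the lookup is switched to `auth='simple'`, also set `scheme='ldaps'` or `start_tls=True` so the bind credentials and the returned password do not cross the network in cleartext.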

harsh chawda

Jul 22, 2020, 1:41:45 AM
to Ansible Project
Hello Jordan,

Thanks for your reply.

I am trying to do the same as what you explained. Will post my queries if I get any issues.

Thanks again.