Dynamic inventory from Active Directory?

Bob Tanner

Sep 21, 2015, 3:31:43 PM
to Ansible Development
Is there a way to build a dynamic inventory from Active Directory?

Given you cannot use Windows as a control host, fun things like pyad and py32win aren't going to work to pull stuff out of Active Directory.

Is this a sales point for Tower?


Brian Coca

Sep 21, 2015, 3:32:51 PM
to Bob Tanner, Ansible Development
You can query AD as an LDAP server, so it should not be hard to make a
script to use it as an inventory source.


--
Brian Coca

Trond Hindenes

Sep 21, 2015, 6:37:25 PM
to Ansible Development, basicth...@gmail.com
That's a great suggestion Bob.

Given my very limited understanding of Ansible, I've written a few inventory APIs on ASP.NET Web API, and a very simple Python script which just gets JSON data from those APIs (with some optional caching). For now I have APIs for building inventories from Azure Resource Manager and Virtual Machine Manager, which can be found here:
https://github.com/trondhindenes/armrest

The latter one just invokes PowerShell to query VMM on the server running the web API, so it shouldn't be too hard to maybe build that into an AD-querying thing instead. I'll probably have a look at that at some point.

Brian Coca

Sep 21, 2015, 8:28:46 PM
to Trond Hindenes, Ansible Development, Bob Tanner
This can be done in any language that has an LDAP library, just query
the domain with "(&(objectClass=computer))" as your search parameter.

--
Brian Coca

Bob Tanner

Sep 27, 2015, 4:56:34 PM
to Ansible Development
Anyone playing around with this, look at ldap3:


Not python-ldap. ldap3 has the ability to convert searches into JSON.

Bob Tanner

Oct 12, 2015, 4:27:35 PM
to Ansible Development
Gotten something working but run into a security problem.

How and where do you store the username and password securely for these dynamic inventory scripts/programs?

Looking at the contrib/inventory, all the .ini files look to store the credentials in clear text.

In my script can I programmatically extend the ansible-vault functionality so I can at least encrypt the .ini file?


esco real

Oct 13, 2015, 8:10:48 AM
to Ansible Development
Hello Bob,

I would use a dedicated user without any further permission in the AD. And if the system you are running Ansible on is not secure enough to store this then this is quite a challenge ;)

But some alternative approach:
I like to use KeePass 2 databases for storing passwords (and other sensitive information). In Python you can use this with libkeepass.

esco
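
An added example, not code from any poster in this thread: a minimal inventory script that uses ldap3 with the computer filter quoted above and takes the bind credentials from environment variables instead of a clear-text .ini file. The `AD_*` variable names, the `windows`/`other` grouping and the `ad_operating_system` hostvar are assumptions made for illustration.

```python
import json
import os
import sys
COMPUTER_FILTER = "(&(objectClass=computer))"  # the filter quoted in this thread
REQUIRED = ("AD_URI", "AD_BASE_DN", "AD_BIND_USER", "AD_BIND_PASSWORD")  # assumed names

def load_settings(env=os.environ):
    """Take bind settings from the environment instead of a clear-text .ini file."""
    missing = [k for k in REQUIRED if not env.get(k)]
    if missing:
        raise RuntimeError("missing settings: " + ", ".join(missing))
    if not env["AD_URI"].lower().startswith("ldaps://"):
        raise RuntimeError("AD_URI must be ldaps:// so the bind password is encrypted in transit")
    return {k: env[k] for k in REQUIRED}

def fetch_computers(cfg):
    """Read-only paged search; yields (dNSHostName, operatingSystem) per computer object."""
    import ssl
    from ldap3 import SUBTREE, Connection, Server, Tls  # third-party, imported lazily
    server = Server(cfg["AD_URI"], tls=Tls(validate=ssl.CERT_REQUIRED))
    with Connection(server, user=cfg["AD_BIND_USER"], password=cfg["AD_BIND_PASSWORD"],
                    auto_bind=True, read_only=True) as conn:
        for item in conn.extend.standard.paged_search(
                cfg["AD_BASE_DN"], COMPUTER_FILTER, search_scope=SUBTREE,
                attributes=["dNSHostName", "operatingSystem"], paged_size=500):
            if item.get("type") == "searchResEntry":  # skip referral entries
                yield tuple(item["attributes"].get(a) for a in ("dNSHostName", "operatingSystem"))

def _first(value):
    """ldap3 may hand back a str, a list or an empty list; normalise to str or None."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value

def build_inventory(records):
    """Convert (hostname, os) pairs into the JSON structure Ansible expects from --list."""
    inv = {"_meta": {"hostvars": {}}, "windows": {"hosts": []}, "other": {"hosts": []}}
    for host, os_name in records:
        host, os_name = _first(host), _first(os_name)
        if not host:  # no dNSHostName means nothing for Ansible to connect to
            continue
        group = "windows" if "windows" in (os_name or "").lower() else "other"
        inv[group]["hosts"].append(host.lower())
        inv["_meta"]["hostvars"][host.lower()] = {"ad_operating_system": os_name}
    return inv

if __name__ == "__main__":
    # --host <name> gets {}: per-host vars are already supplied under _meta
    listing = "--list" in sys.argv
    print(json.dumps(build_inventory(fetch_computers(load_settings())) if listing else {}))
```
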

  