Fetch rootdse from LDAP server


Mark Tovey

Aug 19, 2021, 3:22:41 PM8/19/21
to Ansible Project
I am trying to use community.general.ldap_search to return the RootDSE from an LDAP server (RedHat Directory Server).  The LDAP server is configured to allow anonymous access to the RootDSE (nsslapd-allow-anonymous-access: rootdse) and I can retrieve it with ldapsearch:

ldapsearch -LLL -x -H ldap://myldapserver.example.com  -b '' -s base  defaultnamingContext
dn:
defaultnamingContext: dc=mysrv,dc=example,dc=com

But I am unable to duplicate that with the ldap_search module:

ansible localhost -m community.general.ldap_search -a "server_uri='ldap://myldapserver.example.com' validate_certs=false  bind_dn='' dn='dn:' scope=base "

localhost | FAILED! => {
    "changed": false,
    "details": "{'info': 'Anonymous access is not allowed.', 'desc': 'Inappropriate authentication'}",
    "invocation": {
        "module_args": {
            "attrs": null,
            "bind_dn": "",
            "bind_pw": "",
            "dn": "dn:",
            "filter": "(objectClass=*)",
            "referrals_chasing": "anonymous",
            "sasl_class": "external",
            "schema": false,
            "scope": "base",
            "server_uri": "ldap://myldapserver.example.com",
            "start_tls": false,
            "validate_certs": false
        }
    },
    "msg": "Attribute action failed."
}

So how can I retrieve the RootDSE with ldap_search?  Has anyone else had success with this or am I going to be forced to shell out to ldapsearch?

Melvin Satheesan

Aug 19, 2021, 3:25:57 PM8/19/21
to ansible...@googlegroups.com
Does your service account have sufficient privilege? What does it say when you trigger it in debug mode?


Mark Tovey

Aug 20, 2021, 10:07:31 AM8/20/21
to Ansible Project
I found the answer:

ansible localhost -m community.general.ldap_search -a "server_uri='ldap://myldapserver.example.com' validate_certs=false  bind_dn='' dn='' scope=base attrs=defaultnamingcontext"

localhost | SUCCESS => {
    "changed": false,
    "results": [
        {
            "defaultnamingcontext": "dc=mysrv,dc=example,dc=com",
            "dn": ""
        }
    ]
}

Leave the bind_dn null and the ldap_search module converts that to anonymous.  And leave dn null to specify the RootDSE.
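The same anonymous RootDSE lookup as a playbook task, added here as an example rather than code from the thread: it registers the result, checks that defaultNamingContext actually came back, and then reuses it as the base of an authenticated search. The server URI comes from the thread; the STARTTLS support, the bind account, the LDAP_BIND_PW environment variable and the ou=People subtree are assumptions.

```yaml
---
# Added example, not from the thread. Discover the base DN from the RootDSE
# (anonymous bind), then search under it with a service account.
- name: Discover the naming context from the RootDSE
  hosts: localhost
  gather_facts: false
  vars:
    ldap_uri: "ldap://myldapserver.example.com"          # from the thread
    ldap_bind_dn: "cn=Directory Manager"                 # placeholder service account
    ldap_bind_pw: "{{ lookup('env', 'LDAP_BIND_PW') }}"  # assumed env var; keeps the secret out of the file
  tasks:
    - name: Read the RootDSE with an anonymous bind (bind_dn and dn left empty)
      community.general.ldap_search:
        server_uri: "{{ ldap_uri }}"
        start_tls: true      # assumes the server offers STARTTLS; certificate is validated by default
        bind_dn: ""          # empty string is turned into an anonymous bind by the module
        dn: ""               # empty DN selects the RootDSE
        scope: base
        attrs:
          - defaultnamingcontext   # request it lowercase so the result key matches the thread's output
      register: rootdse

    - name: Stop if the server does not expose defaultNamingContext to anonymous clients
      ansible.builtin.assert:
        that:
          - rootdse.results | length == 1
          - rootdse.results[0].defaultnamingcontext is defined
        fail_msg: "RootDSE returned no defaultNamingContext; check nsslapd-allow-anonymous-access"

    - name: Keep the discovered base DN as a fact
      ansible.builtin.set_fact:
        base_dn: "{{ rootdse.results[0].defaultnamingcontext }}"

    - name: Authenticated search under the discovered base (placeholder subtree and filter)
      community.general.ldap_search:
        server_uri: "{{ ldap_uri }}"
        start_tls: true
        bind_dn: "{{ ldap_bind_dn }}"
        bind_pw: "{{ ldap_bind_pw }}"
        dn: "ou=People,{{ base_dn }}"
        scope: onelevel
        filter: "(uid=someuser)"
        attrs:
          - uid
          - mail
      register: people
```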