Using ldap_attr to set root password works but shows failed


Kevin Hughes

Jan 25, 2017, 11:56:18 AM
to Ansible Project
I'm using the following to set my LDAP root password:

# Hash the password with slappasswd and keep the {SSHA} line for the next task
- name: generate ldap admin password hash
  command: "/usr/sbin/slappasswd -s PASSWORD"
  register: slapd_admin_password_hash
  tags: ldap

# Write the hash into olcRootPW on the config database entry
- name: set ldap admin password
  become: yes
  ldap_attr:
    dn: "olcDatabase={1}hdb,cn=config"
    name: olcRootPW
    values: "{{ slapd_admin_password_hash.stdout }}"
    state: exact
  tags: ldap

It works; the password is set (in this case to PASSWORD) but the step shows an error:

fatal: [10.10.9.80]: FAILED! => {"changed": false, "details": "{'desc': 'No such object'}", "failed": true, "msg": "Attribute action failed."}

I'm completely new to LDAP from the admin side so it's possible it's more an LDAP misunderstanding than an Ansible one. Can anyone tell me what's happening? 

I'm using Ansible 2.3.0 on Arch Linux configuring an Ubuntu Trusty server.

Thanks,
Kev

Michael Ströder

Jan 26, 2017, 8:16:20 PM
to ansible...@googlegroups.com
Kevin Hughes wrote:
> I'm using the following to set my LDAP root password:
>
> - name: generate ldap admin password hash
>   command: "/usr/sbin/slappasswd -s PASSWORD"
>   register: slapd_admin_password_hash
>   tags: ldap
>
> - name: set ldap admin password
>   become: yes
>   ldap_attr:
>     dn: "olcDatabase={1}hdb,cn=config"
>     name: olcRootPW
>     values: "{{ slapd_admin_password_hash.stdout }}"
>     state: exact
>   tags: ldap
>
> It works; the password is set (in this case to PASSWORD) but the step shows an error:

How did you check that the olcRootPW attribute was really changed?
Are you 100% sure that the modify operation was successful by setting and checking a
_different_ password and/or by looking at the OpenLDAP log?

> fatal: [10.10.9.80]: FAILED! => {"changed": false, "details": "{'desc': 'No such object'}", "failed": true, "msg": "Attribute action failed."}

I've glanced over this ldap ansible module a couple of months ago but I don't know the
inner working in detail. And diving into the various OpenLDAP details would be off-topic
here.

But when using ansible (or another configuration management) my *strong* recommendation
is to use static configuration method (aka as slapd.conf) and generate the config file(s)
with Jinja templates. This is *much* less hassle regarding idempotent changes.

> I'm completely new to LDAP from the admin side so it's possible it's more an LDAP
> misunderstanding than an Ansible one. Can anyone tell me what's happening?

I'd recommend subscribing to the openldap-technical mailing list and asking OpenLDAP usage
questions there. Preferably you should try to make the LDAP operation work with
OpenLDAP's command-line ldapmodify before trying to use ansible + 3rd party module(s).

Ciao, Michael.
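Michael's two suggestions, check that olcRootPW really changed and get the operation working with ldapmodify before involving the module, can both be rehearsed offline. The following is an added example, not code from the thread, the Ansible ldap_attr module or OpenLDAP: it builds a slappasswd-style {SSHA} value, verifies a candidate password against a stored value (so you can confirm the attribute holds the password you think it does, including a _different_ one), renders the LDIF that ldapmodify would apply, and pulls olcRootPW out of ldapsearch output. The DN, the fixed salt and the ldapsearch output are constructed sample values.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample DN; matches the config-database entry from the thread.
SAMPLE_DN = "olcDatabase={1}hdb,cn=config"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Build an OpenLDAP {SSHA} value: base64(sha1(password + salt) + salt).

    This is the scheme slappasswd emits by default; a fixed salt is only
    accepted here so the example is reproducible.
    """
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(stored: str, password: str) -> bool:
    """Return True if `password` matches the stored {SSHA} value.

    SHA-1 digests are 20 bytes, so the salt is whatever follows them.
    """
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = blob[:20], blob[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison, as a password check should use.
    return hmac.compare_digest(digest, candidate)


def rootpw_modify_ldif(dn: str, ssha_value: str) -> str:
    """Render the LDIF for `ldapmodify` that replaces olcRootPW on `dn`."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: olcRootPW\n"
        f"olcRootPW: {ssha_value}\n"
    )


def rootpw_from_ldapsearch(output: str) -> Optional[str]:
    """Extract olcRootPW from `ldapsearch -LLL` output.

    LDIF writes a value as `attr:: <base64>` when it cannot be printed
    verbatim, so both the plain and the double-colon form are handled.
    """
    for line in output.splitlines():
        if line.startswith("olcRootPW:: "):
            return base64.b64decode(line[len("olcRootPW:: "):]).decode("utf-8")
        if line.startswith("olcRootPW: "):
            return line[len("olcRootPW: "):].strip()
    return None


def demo() -> dict:
    """Tie the pieces together on constructed data and return the results."""
    stored = ssha_hash("PASSWORD", salt=b"\x01\x02\x03\x04")
    ldif = rootpw_modify_ldif(SAMPLE_DN, stored)
    # Constructed stand-in for what `ldapsearch -LLL` would print for the entry.
    search_output = (
        f"dn: {SAMPLE_DN}\n"
        "olcRootDN: cn=admin,dc=example,dc=com\n"
        f"olcRootPW: {stored}\n"
    )
    on_server = rootpw_from_ldapsearch(search_output)
    return {
        "ldif": ldif,
        "on_server": on_server,
        "matches_expected": verify_ssha(on_server, "PASSWORD"),
        "matches_other": verify_ssha(on_server, "something-else"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On an Ubuntu slapd with the stock cn=config access rules, the real commands behind this are `ldapsearch -Y EXTERNAL -H ldapi:/// -b "olcDatabase={1}hdb,cn=config" olcRootPW` to read the attribute and `ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw.ldif` to apply the rendered LDIF as root; if either of those fails with "No such object", the problem is in the directory (wrong DN or insufficient access to cn=config) rather than in the module. Hashing inside the script rather than with `slappasswd -s PASSWORD` also keeps the plaintext out of the process list and out of Ansible's task output, where a `command:` argument is otherwise logged.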
