Ansible ldap_entry 模块
# ansible-vault简介
# ansible vault是 ansible的组件,可以加密解密 ansible使用的数据。
# 编辑配置文件
vim /etc/ansible/ansible.cfg
# 指定密码密码文件路径
[defaults]
vault_password_file = /etc/ansible/vault_password_file
# 创建加密文件
ansible-vault create test.yml
New Vault password: # 输入文件密码
Confirm New Vault password: # 输入确认密码
ansible-vault encrypt test.yml # 加密文件
ansible-vault rekey test.yml # 修改加密密码
ansible-vault edit test.yml # 编辑加密文件
ansible-vault view test.yml # 查看加密文件
ansible-vault decrypt test.yml # 解密文件
ansible-vault decrypt test.yml --output=test1.yml # 解密文件并保留原加密文件
## 将密码写在pass.txt文件中
echo '123456' > pass.txt
# 将密码文件权限设为600或5500
chmod 600 pass.txt
# 指定密码文件加密文件
ansible-vault encrypt --vault-id=./pass.txt test.yml
# 指定密码文件查看文件
ansible-vault --vault-id=./pass.txt view test.yml
# 指定密码文件解密文件
ansible-vault decrypt --vault-id=./pass.txt test.yml
# 运行加密剧本提示输入密码---2.4以前版本
ansible-playbook --ask-vault-pass playbook.yml
# 运行加密剧本并使用@prompt提示输入密码---2.4以后版本的功能
ansible-playbook --vault-id @prompt playbook.yml
# 使用--vault-id=pass.txt来指定密码文件运行playbook
ansible-playbook --vault-id=pass.txt playbook.yml
# 调用多个加密变量文件时输入多个密码/加载多个密码文件
ansible-playbook --vault-id one@prompt --vault-id two@prompt playbook.yml
vault password (one): # 提示输入第一个密码
vault password (two): # 提示输入第二个密码
# 使用 encrypt_string 创建要嵌入到 yaml 中的加密变量
# 要加密剧本示例中变量my_secret的值,命令将是:
echo 123456 > = /etc/ansible/vault_password_file
# 使用默认密码文件加密变量
ansible-vault encrypt_string 'T@123' --name 'bind_pw'
# 执行
ansible-playbook --vault-id @prompt ldap.yml
Vault password (default): 123456
# 应用ldap_entry模块:
# 安装依赖
yum install python-ldap
# cat ldap.yml
---
- hosts: 127.0.0.1
# become: yes
connection: local
vars:
bind_pw: !vault |
$ANSIBLE_VAULT;1.1;AES256
36313737366364633338316533363161383162346236386264306662353338653863663539336436
6165343537333664393163646130363861643231613232660a353638303736306236383333636537
39633365663566396265373534313165616562613461316534333762366136643333626566383932
3234343230336464330a316238633961326261313839326335396565313631383663393861633161
6233
tasks:
#- name: Make sure we have a parent entry for users
# ldap_entry:
# dn: ou=users,dc=vimll,dc=com
# objectClass: organizationalUnit
#
#- name: Make sure we have an admin user
# ldap_entry:
# dn: cn=admin,dc=vimll,dc=com
# objectClass:
# - simpleSecurityObject
# - organizationalRole
# attributes:
# description: An LDAP administrator
# userPassword: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"
#
#- name: Get rid of an old entry
# ldap_entry:
# dn: ou=test,dc=vimll,dc=com
# state: absent
# server_uri: ldaps://ldap.vimll.com
# bind_dn: cn=admin,dc=vimll,dc=com
# bind_pw: "{{ bind_pw }}"
# The same as in the previous example but with the authentication details
# stored in the ldap_auth variable:
#
# ldap_auth:
# server_uri: ldap://localhost/
# bind_dn: cn=admin,dc=vimll,dc=com
# bind_pw: password
#- name: Get rid of an old entry
# ldap_entry:
# dn: ou=test,dc=vimll,dc=com
# state: absent
# params: "{{ ldap_auth }}"#
- name: create ldap users
ldap_entry:
dn: uid={{ item.uid }},ou=People,dc=vimll,dc=com
server_uri: ldaps://ldap.vimll.com
bind_dn: cn=Manager,dc=vimll,dc=com
bind_pw: "{{ bind_pw }}"
objectClass:
- inetOrgPerson
- posixAccount
- shadowAccount
- ldapPublicKey
attributes:
uid: "{{ item.uid }}"
cn: "{{ item.name }}"
sn: "{{ item.name[0:1] }}"
loginShell: /bin/bash
uidNumber: "{{ item.uidNumber }}"
gidNumber: 1000
homeDirectory: /home/{{ item.uid }}
mail: "{{ item.mail }}"
sshPublicKey: "{{ item.sshPublicKey | default('') }}"
with_items:
- uid: test
name: 测试
uidNumber: 1028
mail: test@vimll.com
sshPublicKey: ssh-rsa AAAAB3NzaC1xxxxxxxxxxxxxxxxxxxMxQV7 root@home.tang.com
VIM Linux Life