Ansible ldap_entry 模块

Ansible ldap_entry 模块

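# ansible-vault overview
# ansible-vault is the Ansible component that encrypts and decrypts data used by Ansible
# (whole variable files / playbooks, or single values embedded in YAML).

# Edit the Ansible config file
vim /etc/ansible/ansible.cfg
# Add the default vault password source (INI syntax, in ansible.cfg):
#   [defaults]
#   vault_password_file = /etc/ansible/vault_password_file
# The file must be readable only by the user that runs Ansible and must never be
# committed to version control. (Per the ansible-vault docs, an *executable* password
# file is run and its stdout used as the password, which lets you fetch it from a
# secret store instead of keeping it in clear text on disk.)

# Create a new encrypted file; it prompts twice for the vault password
ansible-vault create test.yml
#   New Vault password:           <- enter the vault password
#   Confirm New Vault password:   <- enter it again
ansible-vault encrypt test.yml                       # encrypt an existing plaintext file in place
ansible-vault rekey test.yml                         # change the vault password of an encrypted file
ansible-vault edit test.yml                          # edit an encrypted file (re-encrypted on save)
ansible-vault view test.yml                          # show the decrypted contents
ansible-vault decrypt test.yml                       # decrypt in place: plaintext now sits on disk, re-encrypt when done
ansible-vault decrypt test.yml --output=test1.yml    # decrypt to a separate file and keep the encrypted original

## Keep the vault password in a file instead of typing it each time
# '123456' is a placeholder for the example only: use a long random secret in practice
# (e.g. from `openssl rand -base64 32`). Note that `echo '<secret>' > file` also leaves
# the secret in the shell history; prefer an editor or a secret-store client script.
# umask 077 creates the file owner-only from the start, so there is no window in which
# it is world-readable before the chmod below.
( umask 077 && echo '123456' > pass.txt )
# Restrict the password file to its owner: 600, or 400 if it never needs editing
chmod 600 pass.txt
# Encrypt a file using the password file
ansible-vault encrypt --vault-id=./pass.txt test.yml
# View an encrypted file using the password file
ansible-vault --vault-id=./pass.txt view test.yml
# Decrypt a file using the password file
ansible-vault decrypt --vault-id=./pass.txt test.yml

# Run an encrypted playbook and prompt for the password (pre-2.4 form, still supported)
ansible-playbook --ask-vault-pass playbook.yml
# Same, using the --vault-id @prompt form introduced in 2.4
ansible-playbook --vault-id @prompt playbook.yml
# Run with a password file via --vault-id=pass.txt
ansible-playbook --vault-id=pass.txt playbook.yml
# Supply several passwords / password files when the play loads files encrypted with different vault IDs
ansible-playbook --vault-id one@prompt --vault-id two@prompt playbook.yml
#   vault password (one):   <- first password
#   vault password (two):   <- second password

# Use encrypt_string to create an encrypted value that can be embedded in YAML.
# First put the default vault password into the file configured in ansible.cfg above
echo '123456' > /etc/ansible/vault_password_file
chmod 600 /etc/ansible/vault_password_file
# Encrypt the value of the variable bind_pw with the default password file.
# Passing the secret as a command-line argument exposes it in the shell history and to
# `ps` on the host; `ansible-vault encrypt_string --stdin-name 'bind_pw'` reads it from
# stdin instead and should be preferred outside of examples.
ansible-vault encrypt_string 'T@123' --name 'bind_pw'
# Paste the printed `bind_pw: !vault |` block into the play's vars, then run it
ansible-playbook --vault-id @prompt ldap.yml
#   Vault password (default): 123456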

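# Using the ldap_entry module:
# Install the module's Python dependency on the host that executes the task;
# the play below uses `connection: local`, so that is the control node itself.
yum install python-ldap

# cat ldap.yml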
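---
# Creates LDAP user entries under ou=People with the ldap_entry module.
# Runs locally (connection: local) against ldap.vimll.com over LDAPS, binding as
# cn=Manager with a vault-encrypted password. The vault password itself must be
# supplied at run time (--vault-id / vault_password_file) and kept out of this repo.
- hosts: 127.0.0.1
  # become: true
  connection: local
  vars:
    # Output of `ansible-vault encrypt_string ... --name 'bind_pw'`; decrypted
    # at run time with the vault password, never stored in clear text here.
    bind_pw: !vault |
        $ANSIBLE_VAULT;1.1;AES256
        36313737366364633338316533363161383162346236386264306662353338653863663539336436
        6165343537333664393163646130363861643231613232660a353638303736306236383333636537
        39633365663566396265373534313165616562613461316534333762366136643333626566383932
        3234343230336464330a316238633961326261313839326335396565313631383663393861633161
        6233
    # Users to create. `uid` becomes part of the entry DN, so it is validated
    # before any write is attempted (see the assert task below).
    ldap_users:
      - uid: test
        name: 测试
        uidNumber: 1028
        mail: test@vimll.com
        sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUL/dpkEf7HFIMU2nau6aP/CaYyriopLobWNU7DY1DwUdzEG+f5qlET4OeflVKdtgos7s3aSNinoRgMoO9c5xNuq1KZWfh3RAw5v6VLUqHqaoeekkQqfkLHKhaVoksriSUIBpMRInZTABr/lCafoBrv+vlX80oB5SL2devNrDi30dmuiI+LQHgeQAjI+feOJYyIjiBh9UfeLgXmNEcA6ZpeBldrOQgw/lJuTl78aP0feTEJOvUmAkCfKzYbP+8PQKsirvK+chfSHWJGhGXmpReUIvhz0MSp9ApLq9pwYI1XBXzOhq77nE6K/YHI6xbUCnKIKEerUfjcMu+5Ri4hjOMxQV7 root@home.tang.com
  tasks:
  # Reference examples from the module documentation, kept commented out:
  #- name: Make sure we have a parent entry for users
  #  ldap_entry:
  #    dn: ou=users,dc=vimll,dc=com
  #    objectClass: organizationalUnit
  #
  #- name: Make sure we have an admin user
  #  ldap_entry:
  #    dn: cn=admin,dc=vimll,dc=com
  #    objectClass:
  #      - simpleSecurityObject
  #      - organizationalRole
  #    attributes:
  #      description: An LDAP administrator
  #      userPassword: "{SSHA}tabyipcHzhwESzRaGA7oQ/SDoBZQOGND"
  #
  #- name: Get rid of an old entry
  #  ldap_entry:
  #    dn: ou=test,dc=vimll,dc=com
  #    state: absent
  #    server_uri: ldaps://ldap.vimll.com
  #    bind_dn: cn=admin,dc=vimll,dc=com
  #    bind_pw: "{{ bind_pw }}"

  # The same as in the previous example but with the authentication details
  # stored in the ldap_auth variable. Note the upstream example uses a plain
  # `ldap://` URI and a clear-text password; in a real play use ldaps:// and a
  # vault-encrypted value as done for bind_pw above.
  #
  # ldap_auth:
  #   server_uri: ldap://localhost/
  #   bind_dn: cn=admin,dc=vimll,dc=com
  #   bind_pw: password
  #- name: Get rid of an old entry
  #  ldap_entry:
  #    dn: ou=test,dc=vimll,dc=com
  #    state: absent
  #    params: "{{ ldap_auth }}"

  # The DN below is built by string templating, so a uid containing DN
  # metacharacters (',', '=', '+', '"', '\', '<', '>', ';') would change which
  # entry is addressed. Reject such values before touching the directory.
  - name: refuse uids that are not safe to embed in a DN
    assert:
      that:
        - item.uid is match('^[a-zA-Z][a-zA-Z0-9._-]*$')
      fail_msg: "uid '{{ item.uid }}' contains characters that are not safe in a DN"
    with_items: "{{ ldap_users }}"

  - name: create ldap users
    ldap_entry:
      dn: "uid={{ item.uid }},ou=People,dc=vimll,dc=com"
      # LDAPS so the bind password and entries are only sent over TLS
      server_uri: ldaps://ldap.vimll.com
      bind_dn: cn=Manager,dc=vimll,dc=com
      bind_pw: "{{ bind_pw }}"
      objectClass:
        - inetOrgPerson
        - posixAccount
        - shadowAccount
        - ldapPublicKey
      attributes:
        uid: "{{ item.uid }}"
        cn: "{{ item.name }}"
        # surname = first character of the display name
        sn: "{{ item.name[0:1] }}"
        loginShell: /bin/bash
        uidNumber: "{{ item.uidNumber }}"
        # quoted so YAML keeps it a string, consistent with the templated uidNumber
        gidNumber: "1000"
        homeDirectory: "/home/{{ item.uid }}"
        mail: "{{ item.mail }}"
        # NOTE(review): an item without sshPublicKey sends an empty attribute value,
        # which the directory may reject; consider omitting the attribute instead — confirm.
        sshPublicKey: "{{ item.sshPublicKey | default('') }}"
    with_items: "{{ ldap_users }}"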