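#!/usr/bin/env ansible-playbook
# ldapman.yml
# vim: ft=yaml
#
# Arkanon <paulo.bagatini@lsd.org.br>
# 2018/07/03 (Tue) 17:52:21 -03
# 2018/06/28 (Thu) 08:23:18 -03
# 2018/06/27 (Wed) 16:56:36 -03
# 2018/06/26 (Tue) 17:00:00 -03
# 2018/06/25 (Mon) 08:51:09 -03
# 2018/06/22 (Fri) 17:04:24 -03
# 2018/06/15 (Fri) 16:52:37 -03
# 2018/06/14 (Thu) 16:57:40 -03
# 2018/06/07 (Thu) 17:04:21 -03
#
# The filters [ SIDtoBase64, Base64toSID, GUIDtoBase64, Base64toGUID, Base64toCert, SIDtoID ]
# are defined by the filter plugin [plugins/filter/b64-2-str.py],
# which depends on the module [plugins/sid.py].
#
# Operations:
#   list user data in AD
#   list user data in LDAP
#   copy user from AD
#   list group data in AD
#   list group data in LDAP
#   create group in LDAP
#   remove group from LDAP
#   remove user from LDAP
#   associate users to a group in LDAP
#
# Indexes (keys of the data structure):
#   u  user information / list of users
#   g  group information / list of groups
#   n  user or group name
#   i  user or group id
#   d  description
#
# Variables:
#   +U automatic group equal to the user name
#   +P automatic group equal to the primary group in AD
#   +D automatic group equal to the default group
#   +A automatic id equal to the next available one
#   +S automatic id derived from the SID in AD
#
# Defaults:
#   user/group name is mandatory
#   if the user exists in AD it is copied to LDAP
#   uid/gid is optional
#   no uid implies +S
#   no gid implies +A
#   the list of [groups of a user]/[users of a group] is optional
#   the first group given becomes the primary group
#   no group given implies +P as the primary group
#   description is optional
#
# Examples:
#
#   data=" { add: { u: [ { n: paulo.bagatini, i: +S } ] } } "
#
#   data="
#   {
#     add: {
#       u: [
#         { n: arkanon , i: 10101 , g: [ +U , pb , admin ] , },
#         { n: bagatini , i: +A , g: [ +D , pb , admin ] , },
#         { n: paulo.bagatini , i: +S , g: [ +P , mib , admin ] , },
#         { n: eduardo.goncalves , d: Líder , g: [ +U , mib ] , },
#         { n: andre.demathe , },
#       ],
#       g: [
#         { n: teste , i: 555 , d: 'Execução de testes' , },
#         { n: monitoramento , i: +A , u: [ bagatini , andre.demathe ] , },
#       ],
#     },
#     del: {
#       u: [ bruno.freitas , arthur.sens , ],
#       g: [ teste , ],
#     },
#   }
#   "
#
#   ./ldapman.yml -e "{data:$data}"
#
# NOTE(review): the tasks below are driven by the extra-vars do/u/g (see the
# "help" task at the end); the `data` structure described above is only echoed
# back in the help text — confirm which of the two interfaces is the current one.
#
# Variables expected from the inventory / vars files / -e and not defined here:
# ldapsearch, ad_server, ad_runuser_dn, ad_runuser_pw, ad_user_base,
# ad_user_filter, ad_user_attributes, ad_group_base, ad_group_filter,
# ad_groups_filter, ad_group_attributes, ldap_server, ldap_manager_dn,
# ldap_manager_pw, ldap_user_base, ldap_user_filter, ldap_group_base,
# ldap_group_filter, ldap_attributes, runuser, user, group, defmaingroup, data.
#
# The `{% do %}` statements in "set ad_groups_dict" need
# `jinja2_extensions = jinja2.ext.do` in ansible.cfg.
---
- hosts: localhost
  gather_facts: false
  environment:
    # NOTE(review): ALLOW disables server-certificate verification for every
    # LDAP client call made by this play (ldapsearch, and presumably the
    # ldap_entry module, which uses the same libldap), so the bind credentials
    # below travel over a connection whose peer is not authenticated. Prefer
    # `demand` together with LDAPTLS_CACERT pointing at the AD/LDAP CA bundle.
    LDAPTLS_REQCERT: ALLOW
  tasks:

    # do/u/g are normally given with -e. Extra-vars have the highest
    # precedence, so these set_fact assignments only take effect for a
    # variable that was not supplied — i.e. they are the '' defaults.
    - name: initilize parameters
      set_fact:
        do: "{{ do | default('') }}"
        u: "{{ u | default('') }}"
        g: "{{ g | default('') }}"

    - name: dump parameters final values
      debug:
        msg:
          - " --------------------------------------------------- "
          - " "
          - " runuser = '{{ runuser }}' "
          - " do = '{{ do }}' "
          - " u = '{{ u }}' "
          - " g = '{{ g }}' "
          - " user = '{{ user }}' "
          - " "
          - " --------------------------------------------------- "

    # begin >> AD QUERY <<
    - block:

        # The AD bind password goes on the ldapsearch command line (-w).
        # no_log keeps the command (and so the password) out of Ansible's
        # output and logs; the registered stdout is still available and is
        # dumped by the "dump ... facts" tasks below. Reading the password
        # from a file (-y) would additionally hide it from the process list.
        # Every templated argument is passed through `quote` so a value
        # containing shell metacharacters or a quote cannot break out of
        # the command line.
        - name: query user in ad server
          shell: >
            {{ ldapsearch }}
            -H {{ ad_server | quote }}
            -D {{ ad_runuser_dn | quote }}
            -w {{ ad_runuser_pw | quote }}
            -b {{ ad_user_base | quote }}
            {{ ad_user_filter | quote }}
            {{ ad_user_attributes | d('') | join(' ') }}
          register: ad_user_out
          no_log: true

        # Fold the LDIF output line by line into one dict.
        # In LDIF "key:: value" (double colon) marks a base64-encoded value;
        # after splitting on ': ' the key keeps a trailing ':', which is what
        # the first `if` detects before decoding. GUID/SID/certificate values
        # get their dedicated decoders, everything else plain b64decode.
        # A repeated key (multi-valued attribute) is accumulated into a list.
        - name: set ad_user_dict
          set_fact:
            ad_user_dict: >
              {%- set list = item.split(': ', 1) -%}
              {%- set key = list[0] | trim -%}
              {%- set val = list[1] | d('') | trim -%}
              {%- if key[-1] == ':' -%}
                {%- set key = key[:-1] -%}
                {%- if key | lower is search('guid') -%}
                  {%- set val = val | Base64toGUID -%}
                {%- elif key | lower is search('sid') -%}
                  {%- set val = val | Base64toSID -%}
                {%- elif key | lower is search('certificate') -%}
                  {%- set val = val | Base64toCert -%}
                {%- else -%}
                  {%- set val = val | b64decode -%}
                {%- endif -%}
              {%- endif -%}
              {%- if ad_user_dict is defined and ad_user_dict[key] is defined -%}
                {%- set val = [ [ ad_user_dict[key] ] + [ val ] ] | flatten -%}
              {%- endif -%}
              {{ ad_user_dict | d({}) | combine( { key: val } ) }}
          # '^[^#]' drops ldapsearch's comment lines and empty lines
          with_items: "{{ ad_user_out.stdout_lines | select('match', '^[^#]') | list }}"

        # The primary group is not listed in memberOf: its SID is the domain
        # part of the user's objectSid with primaryGroupID as the last RID.
        # <http://adamretter.org.uk/blog/entries/active-directory-ldap-users-primary-group.xml>
        # <http://en.wikipedia.org/wiki/Base64>
        #   alphabet [A-Za-z0-9+/=]
        #   '==' at the end: the last group contained only one byte
        #   '='  at the end: the last group contained two bytes
        - name: query user primary group in ad server
          shell: >
            {{ ldapsearch }}
            -H {{ ad_server | quote }}
            -D {{ ad_runuser_dn | quote }}
            -w {{ ad_runuser_pw | quote }}
            -b {{ ad_group_base | quote }}
            {{ (ad_group_filter ~ '=' ~ (ad_user_dict.objectSid.split('-')[:-1] | join('-')) ~ '-' ~ ad_user_dict.primaryGroupID) | quote }}
            {{ ad_group_attributes | d('') | join(' ') }}
          register: ad_pgroup_out
          no_log: true

        # Same LDIF folding as "set ad_user_dict", for the primary group.
        - name: set ad_pgroup_dict
          set_fact:
            ad_pgroup_dict: >
              {%- set list = item.split(': ', 1) -%}
              {%- set key = list[0] | trim -%}
              {%- set val = list[1] | d('') | trim -%}
              {%- if key[-1] == ':' -%}
                {%- set key = key[:-1] -%}
                {%- if key | lower is search('guid') -%}
                  {%- set val = val | Base64toGUID -%}
                {%- elif key | lower is search('sid') -%}
                  {%- set val = val | Base64toSID -%}
                {%- elif key | lower is search('certificate') -%}
                  {%- set val = val | Base64toCert -%}
                {%- else -%}
                  {%- set val = val | b64decode -%}
                {%- endif -%}
              {%- endif -%}
              {%- if ad_pgroup_dict is defined and ad_pgroup_dict[key] is defined -%}
                {%- set val = [ [ ad_pgroup_dict[key] ] + [ val ] ] | flatten -%}
              {%- endif -%}
              {{ ad_pgroup_dict | d({}) | combine( { key: val } ) }}
          with_items: "{{ ad_pgroup_out.stdout_lines | select('match', '^[^#]') | list }}"

        - name: query user groups in ad server
          shell: >
            {{ ldapsearch }}
            -H {{ ad_server | quote }}
            -D {{ ad_runuser_dn | quote }}
            -w {{ ad_runuser_pw | quote }}
            -b {{ ad_group_base | quote }}
            {{ (ad_groups_filter ~ '=' ~ ad_user_dict.dn) | quote }}
            {{ ad_group_attributes | d('') | join(' ') }}
          register: ad_groups_out
          no_log: true

        # 'dn: fim' ("fim" = end) is a sentinel appended so that the loop in
        # the next task flushes the last group entry. `my` is the mutable
        # scratch state that loop updates with `{% do %}`.
        - set_fact:
            ad_groups_list: "{{ ad_groups_out.stdout_lines | select('match', '^[^#]') | list + [ 'dn: fim' ] }}"
            my:
              temp_dict: {}
              dict: {}
              prev_key: ''
              dict_key: ''

        # Same LDIF folding as above, but for several entries in one output:
        # the result is a dict keyed by each group's cn, whose value is the
        # dict of that group's attributes (including its dn). An entry is
        # flushed when the next 'dn' line is seen. (An earlier variant keyed
        # the entries by a zero-padded sequence number + cn to keep their
        # order; that code was unused and has been dropped.)
        - name: set ad_groups_dict
          set_fact:
            ad_groups_dict: >
              {%- for l in ad_groups_list -%}
                {%- do my.update( { 'list' : l.split(': ', 1) } ) -%}
                {%- do my.update( { 'key' : my.list.0 | trim } ) -%}
                {%- do my.update( { 'val' : my.list.1 | d('') | trim } ) -%}
                {#- "key::" means a base64 value -#}
                {%- if my.key[-1] == ':' -%}
                  {%- do my.update( { 'key' : my.key[:-1] } ) -%}
                  {%- if my.key | lower is search('guid') -%}
                    {%- do my.update( { 'val' : my.val | Base64toGUID } ) -%}
                  {%- elif my.key | lower is search('sid') -%}
                    {%- do my.update( { 'val' : my.val | Base64toSID } ) -%}
                  {%- elif my.key | lower is search('certificate') -%}
                    {%- do my.update( { 'val' : my.val | Base64toCert } ) -%}
                  {%- else -%}
                    {%- do my.update( { 'val' : my.val | b64decode } ) -%}
                  {%- endif -%}
                {%- endif -%}
                {#- repeated key: accumulate the multi-valued attribute -#}
                {%- if my.key == my.prev_key -%}
                  {%- do my.update( { 'all_val' : [ [ my.all_val ] + [ my.val ] ] | flatten } ) -%}
                {%- else -%}
                  {%- do my.update( { 'all_val' : my.val } ) -%}
                {%- endif -%}
                {#- a new dn starts the next entry: store the previous one under its cn -#}
                {%- if my.key == 'dn' -%}
                  {%- if my.dict_key != '' -%}
                    {%- do my.update( { 'temp_dict' : my.temp_dict | combine( { my.key : my.prev_val } ) } ) -%}
                    {%- do my.update( { 'dict' : my.dict | combine( { my.dict_key : my.temp_dict } ) } ) -%}
                    {%- do my.update( { 'temp_dict' : {} } ) -%}
                  {%- endif -%}
                  {%- do my.update( { 'prev_val' : my.all_val } ) -%}
                {%- else -%}
                  {%- do my.update( { 'temp_dict' : my.temp_dict | combine( { my.key: my.all_val } ) } ) -%}
                {%- endif -%}
                {%- if my.key == 'cn' -%}
                  {%- do my.update( { 'dict_key' : my.all_val } ) -%}
                {%- endif -%}
                {%- do my.update( { 'prev_key' : my.key } ) -%}
              {%- endfor -%}
              {{ my.dict }}

      when: do != '' and g == ''
    # end >> AD QUERY <<

    # begin >> LDAP MANAGE <<
    - block:

        # begin >> ldap user manage <<
        - block:

            - name: delete user ldap entry
              ldap_entry:
                state: absent
                server_uri: "{{ ldap_server }}"
                bind_dn: "{{ ldap_manager_dn }}"
                bind_pw: "{{ ldap_manager_pw }}"
                dn: "uid={{ user }},{{ ldap_user_base }}"
              when: do == 'd'

            # The LDAP account is populated from the AD attributes collected
            # in the AD QUERY block; uid/gid come from the AD SIDs (SIDtoID).
            - name: add user ldap entry
              ldap_entry:
                state: present
                server_uri: "{{ ldap_server }}"
                bind_dn: "{{ ldap_manager_dn }}"
                bind_pw: "{{ ldap_manager_pw }}"
                dn: "uid={{ user }},{{ ldap_user_base }}"
                objectClass:
                  - top
                  - inetOrgPerson
                  - posixAccount
                  - shadowAccount
                attributes:
                  # "{CRYPT}*" is the conventional "no usable password" hash:
                  # no cleartext verifies against it
                  userPassword: "{CRYPT}*"
                  loginShell: "/bin/bash"
                  homeDirectory: "/home/{{ user }}"
                  gidNumber: "{{ ad_pgroup_dict.objectSid | SIDtoID }}"
                  uidNumber: "{{ ad_user_dict.objectSid | SIDtoID }}"
                  description: "{{ ad_user_dict.givenName }} {{ ad_user_dict.sn }}"
                  o: "{{ ad_user_dict.company }}"
                  ou: "{{ ad_user_dict.department }}"
                  cn: "{{ ad_user_dict.givenName }}"
                  sn: "{{ ad_user_dict.sn }}"
                  mail: "{{ ad_user_dict.mail }}"
                  title: "{{ ad_user_dict.title }}"
                  manager: "{{ ad_user_dict.manager }}"
                  telephoneNumber: "{{ ad_user_dict.telephoneNumber }}"
                  physicalDeliveryOfficeName: "{{ ad_user_dict.physicalDeliveryOfficeName }}"
              when: do == 'a'

          when: u != '' and g == ''
        # end >> ldap user manage <<

        # begin >> ldap group manage <<
        - block:

            # Keep only the non-empty entries of group.attributes for
            # ldap_entry (`group` is expected from the vars, not defined here).
            - name: remove empty keys from group.attributes
              set_fact:
                attributes: "{{ attributes | d({}) | combine({item.key: item.value}) }}"
              when: item.value != ''
              with_dict: "{{ group.attributes }}"

            - name: delete group ldap entry
              ldap_entry:
                state: absent
                server_uri: "{{ ldap_server }}"
                bind_dn: "{{ ldap_manager_dn }}"
                bind_pw: "{{ ldap_manager_pw }}"
                dn: "cn={{ group.name }},{{ ldap_group_base }}"
              when: do == 'd'

            - name: add group ldap entry
              ldap_entry:
                state: present
                server_uri: "{{ ldap_server }}"
                bind_dn: "{{ ldap_manager_dn }}"
                bind_pw: "{{ ldap_manager_pw }}"
                dn: "cn={{ group.name }},{{ ldap_group_base }}"
                objectClass:
                  - top
                  - posixGroup  # ldapsearch -o ldif-wrap=no -H ldap://172.23.2.61 -x -s base -b cn=subschema objectclasses | grep --color -E '^|.*posixGroup.*'
                attributes: "{{ attributes }}"
              when: do == 'a'

          when: u == '' and g != ''
        # end >> ldap group manage <<

      when: do != ''
    # end >> LDAP MANAGE <<

    # begin >> LDAP QUERY <<
    - block:

        # begin >> ldap user query <<
        - block:

            - name: query user in ldap server
              shell: >
                {{ ldapsearch }}
                -H {{ ldap_server | quote }}
                -D {{ ldap_manager_dn | quote }}
                -w {{ ldap_manager_pw | quote }}
                -b {{ ldap_user_base | quote }}
                {{ ldap_user_filter | quote }}
                {{ ldap_attributes | d('') | join(' ') }}
              register: ldap_user_out
              no_log: true

            # Same LDIF folding as "set ad_user_dict", for the LDAP side.
            - name: set ldap_user_dict
              set_fact:
                ldap_user_dict: >
                  {%- set list = item.split(': ', 1) -%}
                  {%- set key = list[0] | trim -%}
                  {%- set val = list[1] | d('') | trim -%}
                  {%- if key[-1] == ':' -%}
                    {%- set key = key[:-1] -%}
                    {%- if key | lower is search('guid') -%}
                      {%- set val = val | Base64toGUID -%}
                    {%- elif key | lower is search('sid') -%}
                      {%- set val = val | Base64toSID -%}
                    {%- elif key | lower is search('certificate') -%}
                      {%- set val = val | Base64toCert -%}
                    {%- else -%}
                      {%- set val = val | b64decode -%}
                    {%- endif -%}
                  {%- endif -%}
                  {%- if ldap_user_dict is defined and ldap_user_dict[key] is defined -%}
                    {%- set val = [ [ ldap_user_dict[key] ] + [ val ] ] | flatten -%}
                  {%- endif -%}
                  {{ ldap_user_dict | d({}) | combine( { key: val } ) }}
              with_items: "{{ ldap_user_out.stdout_lines | select('match', '^[^#]') | list }}"

            - name: dump user facts
              debug:
                msg:
                  01 ad_user_out: "{{ ad_user_out.stdout_lines }}"
                  02 ad_user_dict: "{{ ad_user_dict }}"
                  03 ldap_user_out: "{{ ldap_user_out.stdout_lines }}"
                  04 ldap_user_dict: "{{ ldap_user_dict | d('') }}"

          when: g == ''
        # end >> ldap user query <<

        # begin >> ldap group query <<
        - block:

            # NOTE(review): the other searches go through {{ ldapsearch }};
            # this one spells the command out (-N: no reverse DNS for SASL
            # host name, -LLL: bare LDIF, -z none: no size limit, -E pr:
            # paged results of 1000). Keep the two in sync or reuse the variable.
            - name: search group in ldap server
              shell: >
                ldapsearch
                -N
                -LLL
                -z none
                -o ldif-wrap=no
                -E pr=1000/noprompt
                -H {{ ldap_server | quote }}
                -D {{ ldap_manager_dn | quote }}
                -w {{ ldap_manager_pw | quote }}
                -b {{ ldap_group_base | quote }}
                {{ ldap_group_filter | quote }}
                {{ ldap_attributes | d('') | join(' ') }}
              register: ldap_group_out
              no_log: true

            # Same LDIF folding as above. NOTE(review): unlike the other
            # builders this one has no Base64toCert branch — certificate
            # values stay as raw base64 text. Looks deliberate for groups;
            # confirm.
            - name: set ldap_group_dict
              set_fact:
                ldap_group_dict: >
                  {%- set list = item.split(': ', 1) -%}
                  {%- set key = list[0] | trim -%}
                  {%- set val = list[1] | d('') | trim -%}
                  {%- if key[-1] == ':' -%}
                    {%- set key = key[:-1] -%}
                    {%- if key | lower is search('guid') -%}
                      {%- set val = val | Base64toGUID -%}
                    {%- elif key | lower is search('sid') -%}
                      {%- set val = val | Base64toSID -%}
                    {%- elif key | lower is not search('certificate') -%}
                      {%- set val = val | b64decode -%}
                    {%- endif -%}
                  {%- endif -%}
                  {%- if ldap_group_dict is defined and ldap_group_dict[key] is defined -%}
                    {%- set val = [ [ ldap_group_dict[key] ] + [ val ] ] | flatten -%}
                  {%- endif -%}
                  {{ ldap_group_dict | d({}) | combine( { key: val } ) }}
              with_items: "{{ ldap_group_out.stdout_lines | select('match', '^[^#]') | list }}"

            # The AD QUERY block only runs when g == '', so the ad_* facts
            # can be undefined here; default them so the dump never fails.
            - name: dump group facts
              debug:
                msg:
                  01 group: "{{ group | d('') }}"
                  02 ad_pgroup_out: "{{ ad_pgroup_out.stdout_lines | d('') }}"
                  03 ad_pgroup_dict: "{{ ad_pgroup_dict | d('') }}"
                  04 ad_groups_out: "{{ ad_groups_out.stdout_lines | d('') }}"
                  05 ad_groups_dict: "{{ ad_groups_dict | d('') }}"
                  06 ldap_group_out: "{{ ldap_group_out.stdout_lines }}"
                  07 ldap_group_dict: "{{ ldap_group_dict | d('') }}"

          # when: u == ''
        # end >> ldap group query <<

      when: do == 'l'
    # end >> LDAP QUERY <<

    # Shown when no action was requested, or when 'a'/'d' was given
    # without a user or a group.
    - name: help
      debug:
        msg:
          - " ------------------------------------------------------------------------------ "
          - " "
          - " Acrescente (em qualquer ordem) "
          - " "
          - " -e do=l|a|d lista|adiciona|deleta entrada ldap "
          - " -e u=<user>:[uid]:[descr]:[primgroup] age no usuário "
          - " -e g=<group>:[gid]:[descr] age no grupo "
          - " "
          - " Grupo primário: "
          - " default : '{{ defmaingroup }}' "
          - " igual ao username : 'u' "
          - " "
          - "{{ data | d('') }}"
          - " "
          - " ------------------------------------------------------------------------------ "
      when: do+u+g in [ '', 'a', 'd' ]
# EOF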