netapp_e_ldap – NetApp E-Series manage LDAP integration to use for authentication

From Get docs
Ansible/docs/2.8/modules/netapp e ldap module


netapp_e_ldap – NetApp E-Series manage LDAP integration to use for authentication

New in version 2.7.


Synopsis

  • Configure an E-Series system to allow authentication via an LDAP server

Parameters

Parameter Choices/Defaults Comments

api_password

- / required

The password to authenticate with the SANtricity Web Services Proxy or Embedded Web Services API.

api_url

- / required

The url to the SANtricity Web Services Proxy or Embedded Web Services API. Example https://prod-1.wahoo.acme.com/devmgr/v2

api_username

- / required

The username to authenticate with the SANtricity Web Services Proxy or Embedded Web Services API.

attributes

-

Default:

"memberOf"

The user attributes that should be considered for the group to role mapping.

Typically this is used with something like 'memberOf', and a user's access is tested against group membership or lack thereof.

identifier

-

This is a unique identifier for the configuration (for cases where there are multiple domains configured).

If this is not specified, but state=present, we will utilize a default value of 'default'.

log_path

-

A local path to a file to be used for debug logging

name

-

The domain name[s] that will be utilized when authenticating to identify which domain to utilize.

Default to use the DNS name of the server.

The only requirement is that the name[s] be resolvable.

password

- / required

This is the password for the bind user account.


aliases: bind_password

role_mappings

- / required

This is where you specify which groups should have access to what permissions for the storage-system.

For example, all users in group A will be assigned all 4 available roles, which will allow access to all the management functionality of the system (super-user). Those in group B only have the storage.monitor role, which will allow only read-only access.

This is specified as a mapping of regular expressions to a list of roles. See the examples.

The roles that will be assigned to to the group/groups matching the provided regex.

storage.admin allows users full read/write access to storage objects and operations.

storage.monitor allows users read-only access to storage objects and operations.

support.admin allows users access to hardware, diagnostic information, the Major Event Log, and other critical support-related functionality, but not the storage configuration.

security.admin allows users access to authentication/authorization configuration, as well as the audit log configuration, and certification management.

search_base

- / required

The search base is used to find group memberships of the user.

Example: ou=users,dc=example,dc=com

server

- / required

This is the LDAP server url.

The connection string should be specified as using the ldap or ldaps protocol along with the port information.


aliases: server_url

ssid

-

Default:

1

The ID of the array to manage. This value must be unique for each array.

state

-

  • present

  • absent

Enable/disable LDAP support on the system. Disabling will clear out any existing defined domains.

user_attribute

-

Default:

"sAMAccountName"

This is the attribute we will use to match the provided username when a user attempts to authenticate.

username

- / required

This is the user account that will be used for querying the LDAP server.

Example: CN=MyBindAcct,OU=ServiceAccounts,DC=example,DC=com


aliases: bind_username

validate_certs

boolean

  • no
  • yes

Should https certificates be validated?



Notes

Note

  • Check mode is supported.
  • This module allows you to define one or more LDAP domains identified uniquely by identifier to use for authentication. Authorization is determined by role_mappings, in that different groups of users may be given different (or no), access to certain aspects of the system and API.
  • The local user accounts will still be available if the LDAP server becomes unavailable/inaccessible.
  • Generally, you’ll need to get the details of your organization’s LDAP server before you’ll be able to configure the system for using LDAP authentication; every implementation is likely to be very different.
  • This API is currently only supported with the Embedded Web Services API v2.0 and higher, or the Web Services Proxy v3.0 and higher.
  • The E-Series Ansible modules require either an instance of the Web Services Proxy (WSP), to be available to manage the storage-system, or an E-Series storage-system that supports the Embedded Web Services API.
  • Embedded Web Services is currently available on the E2800, E5700, EF570, and newer hardware models.
  • netapp_e_storage_system may be utilized for configuring the systems managed by a WSP instance.


Examples

- name: Disable LDAP authentication
  netapp_e_ldap:
    api_url: "10.1.1.1:8443"
    api_username: "admin"
    api_password: "myPass"
    ssid: "1"
    state: absent

- name: Remove the 'default' LDAP domain configuration
  netapp_e_ldap:
    state: absent
    identifier: default

- name: Define a new LDAP domain, utilizing defaults where possible
  netapp_e_ldap:
    state: present
    bind_username: "CN=MyBindAccount,OU=ServiceAccounts,DC=example,DC=com"
    bind_password: "mySecretPass"
    server: "ldap://example.com:389"
    search_base: 'OU=Users,DC=example,DC=com'
    role_mappings:
      ".*dist-dev-storage.*":
        - storage.admin
        - security.admin
        - support.admin
        - storage.monitor

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description

msg

string

on success

Success message


Sample:

The ldap settings have been updated.




Status

Authors

  • Michael Price (@lmprice)

Hint

If you notice any issues in this documentation you can edit this document to improve it.


© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/netapp_e_ldap_module.html