laps_password – Retrieves the LAPS password for a server
laps_password – Retrieves the LAPS password for a server
New in version 2.8.
Synopsis
- This lookup returns the LAPS password set for a server from the Active Directory database.
- See https://github.com/jborean93/ansible-lookup-laps_password for more information around installing pre-requisites and testing.
Requirements
The below requirements are needed on the local master node that executes this lookup.
- python-ldap
Parameters
Parameter | Choices/Defaults | Configuration | Comments |
---|---|---|---|
_terms string / required |
The host name to retrieve the LAPS password for. This is the | ||
allow_plaintext boolean |
|
When set to It is highly recommended to not touch this to avoid any credentials being exposed over the network. Use | |
auth string |
|
The type of authentication to use when connecting to the Active Directory server When using It is recommended ot use When using You cannot use | |
ca_cert string |
The path to a CA certificate PEM file to use for certificate validation. Certificate validation is used when This may fail on hosts with an older OpenLDAP install like MacOS, this will have to be updated before reinstalling python-ldap to get working again.
| ||
domain string / required |
The domain to search in to retrieve the LAPS password. This could either be a Windows domain name visible to the Ansible controller from DNS or a specific domain controller FQDN. Supports either just the domain/host name or an explicit LDAP URI with the domain/host already filled in. If the URI is set, port and scheme are ignored. | ||
password string |
The password for Required when | ||
port integer |
The LDAP port to communicate over. If kdc is already an LDAP URI then this is ignored. | ||
scheme - |
|
The LDAP scheme to use. When using The Active Directory host must be configured for If kdc is already an LDAP URI then this is ignored. | |
search_base string |
Changes the search base used when searching for the host in Active Directory. Will default to search in the If multiple matches are found then a more explicit search_base is required so only 1 host is found. If searching a larger Active Directory database, it is recommended to narrow the search_base for performance reasons. | ||
start_tls boolean |
|
When This requires the Active Directory to be set up with a certificate that supports StartTLS. This is ignored when | |
username string |
Required when using The username to authenticate with. Recommended to use the username in the UPN format, e.g. This is required when Call | ||
validate_certs string |
|
When using
|
Notes
Note
- If a host was found but had no LAPS password attribute
ms-Mcs-AdmPwd
, the lookup will fail. - Due to the sensitive nature of the data travelling across the network, it is highly recommended to run with either
auth=gssapi
,scheme=ldaps
, orstart_tls=yes
. - Failing to run with one of the above settings will result in the account credentials as well as the LAPS password to be sent in plaintext.
- Some scenarios may not work when running on a host with an older OpenLDAP install like MacOS. It is recommended to install the latest OpenLDAP version and build python-ldap against this, see https://keathmilligan.net/python-ldap-and-macos/ for more information.
Examples
# This isn't mandatory but it is a way to call kinit from within Ansible before calling the lookup
- name: call kinit to retrieve Kerberos token
expect:
command: kinit [email protected]
responses:
(?i)password: SecretPass1
no_log: True
- name: Get the LAPS password using Kerberos auth, relies on kinit already being called
set_fact:
ansible_password: "{{ lookup('laps_password', 'SERVER', domain='dc01.ansible.com') }}"
- name: Specific the domain host using an explicit LDAP URI
set_fact:
ansible_password: "{{ lookup('laps_password', 'SERVER', domain='ldap://ansible.com:389') }}"
- name: Use Simple auth over LDAPS
set_fact:
ansible_password: "{{ lookup('laps_password', 'server',
domain='dc01.ansible.com',
auth='simple',
scheme='ldaps',
username='[email protected]',
password='SuperSecret123') }}"
- name: Use Simple auth with LDAP and StartTLS
set_fact:
ansible_password: "{{ lookup('laps_password', 'app01',
domain='dc01.ansible.com',
auth='simple',
start_tls=True,
username='[email protected]',
password='SuperSecret123') }}"
- name: Narrow down the search base to a an OU
set_fact:
ansible_password: "{{ lookup('laps_password', 'sql10',
domain='dc01.ansible.com',
search_base='OU=Databases,DC=ansible,DC=com') }}"
- name: Set certificate file to use when validating the TLS certificate
set_fact:
ansible_password: "{{ lookup('laps_password', 'windows-pc',
domain='dc01.ansible.com',
start_tls=True,
ca_cert='/usr/local/share/certs/ad.pem') }}"
Return Values
Common return values are documented here, the following are the fields unique to this lookup:
Key | Returned | Description |
---|---|---|
_raw string |
The LAPS password(s) for the host(s) requested.
|
Status
- This lookup is not guaranteed to have a backwards compatible interface. [preview]
- This lookup is maintained by the Ansible Community. [community]
Authors
- Jordan Borean (@jborean93)
Hint
Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/plugins/lookup/laps_password.html