ansible.builtin.laps_password (v2.8.11) - lookup

Retrieves the LAPS password for a server.

Added in version 2.8 of ansible.builtin.

Authors: Jordan Borean (@jborean93)

Install with pip install ansible==2.8.11
Synopsis

This lookup returns the LAPS password set for a server from the Active Directory database.

See U(https://github.com/jborean93/ansible-lookup-laps_password) for more information on installing prerequisites and testing.
Examples

```yaml
# This isn't mandatory but it is a way to call kinit from within Ansible before calling the lookup
- name: call kinit to retrieve Kerberos token
  expect:
    command: kinit username@ANSIBLE.COM
    responses:
      (?i)password: SecretPass1
  no_log: True

- name: Get the LAPS password using Kerberos auth, relies on kinit already being called
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'SERVER', domain='dc01.ansible.com') }}"

- name: Specify the domain host using an explicit LDAP URI
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'SERVER', domain='ldap://ansible.com:389') }}"

- name: Use Simple auth over LDAPS
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'server', domain='dc01.ansible.com', auth='simple', scheme='ldaps', username='username@ANSIBLE.COM', password='SuperSecret123') }}"

- name: Use Simple auth with LDAP and StartTLS
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'app01', domain='dc01.ansible.com', auth='simple', start_tls=True, username='username@ANSIBLE.COM', password='SuperSecret123') }}"

- name: Narrow down the search base to an OU
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'sql10', domain='dc01.ansible.com', search_base='OU=Databases,DC=ansible,DC=com') }}"

- name: Set certificate file to use when validating the TLS certificate
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'windows-pc', domain='dc01.ansible.com', start_tls=True, ca_cert='/usr/local/share/certs/ad.pem') }}"
```
Parameters

auth (str; choices: simple, gssapi; default: gssapi)
- The type of authentication to use when connecting to the Active Directory server.
- When using C(simple), the I(username) and I(password) options must be set. If not using C(scheme=ldaps) or C(start_tls=True) then these credentials are exposed in plaintext in the network traffic.
- It is recommended to use C(gssapi) as it will encrypt the traffic automatically.
- When using C(gssapi), run C(kinit) before running Ansible to get a valid Kerberos ticket.
- You cannot use C(gssapi) when either C(scheme=ldaps) or C(start_tls=True) is set.

port (int)
- The LDAP port to communicate over.
- If I(kdc) is already an LDAP URI then this is ignored.

_terms (str; required)
- The host name to retrieve the LAPS password for.
- This is the C(Common Name (CN)) of the host.

domain (str; required)
- The domain to search in to retrieve the LAPS password.
- This could either be a Windows domain name visible to the Ansible controller from DNS or a specific domain controller FQDN.
- Supports either just the domain/host name or an explicit LDAP URI with the domain/host already filled in.
- If the URI is set, I(port) and I(scheme) are ignored.

scheme (str; choices: ldap, ldaps; default: ldap)
- The LDAP scheme to use.
- When using C(ldap), it is recommended to set C(auth=gssapi) or C(start_tls=yes), otherwise traffic will be in plaintext.
- The Active Directory host must be configured for C(ldaps) with a certificate before it can be used.
- If I(kdc) is already an LDAP URI then this is ignored.

ca_cert (str; aliases: cacert_file)
- The path to a CA certificate PEM file to use for certificate validation.
- Certificate validation is used when C(scheme=ldaps) or C(start_tls=yes).
- This may fail on hosts with an older OpenLDAP install like MacOS; OpenLDAP will have to be updated before reinstalling python-ldap to get it working again.

password (str)
- The password for C(username).
- Required when C(username) is set.

username (str)
- Required when using C(auth=simple).
- The username to authenticate with.
- Recommended to use the username in the UPN format, e.g. C(username@DOMAIN.COM).
- This is required when C(auth=simple) and is not supported when C(auth=gssapi).
- Call C(kinit) outside of Ansible if C(auth=gssapi) is required.

start_tls (bool; default: false)
- When C(scheme=ldap), will use the StartTLS extension to encrypt traffic sent over the wire.
- This requires the Active Directory to be set up with a certificate that supports StartTLS.
- This is ignored when C(scheme=ldaps) as the traffic is already encrypted.

search_base (str)
- Changes the search base used when searching for the host in Active Directory.
- Will default to searching in the C(defaultNamingContext) of the Active Directory server.
- If multiple matches are found then a more explicit search_base is required so only 1 host is found.
- If searching a larger Active Directory database, it is recommended to narrow the search_base for performance reasons.

validate_certs (str; choices: never, allow, try, demand; default: demand)
- When using C(scheme=ldaps) or C(start_tls=yes), this controls the certificate validation behaviour.
- C(demand) will fail if no certificate or an invalid certificate is provided.
- C(try) will fail for invalid certificates but will continue if no certificate is provided.
- C(allow) will request and check a certificate but will continue even if it is invalid.
- C(never) will not request a certificate from the server so no validation occurs.

allow_plaintext (bool; default: false)
- When set to C(yes), will allow traffic to be sent unencrypted.
- It is highly recommended to not touch this to avoid any credentials being exposed over the network.
- Use C(scheme=ldaps), C(auth=gssapi), or C(start_tls=yes) to ensure the traffic is encrypted.

Return values

_raw (str)
- The LAPS password(s) for the host(s) requested.
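Putting the options above together, the following playbook is an added example (not part of the plugin documentation or the plugin author's code) that fetches a LAPS password with the default C(gssapi) auth, keeps it out of the logs with C(no_log), and uses it for the WinRM connection to that host. It assumes the computer object C(winhost01), the domain controller C(dc01.ansible.com), the search base C(OU=Servers,DC=ansible,DC=com), and that C(kinit) has already been run on the controller.

```yaml
---
# Added example, not from the plugin docs. Assumed values: target computer object
# winhost01, domain controller dc01.ansible.com, OU=Servers,DC=ansible,DC=com as the
# search base, and a Kerberos ticket already obtained with kinit. auth=gssapi (the
# default) encrypts the LDAP traffic itself, so plain ldap:// is acceptable here.
- name: Fetch the LAPS password on the controller
  hosts: localhost
  gather_facts: false
  vars:
    laps_host: winhost01
    laps_search_base: OU=Servers,DC=ansible,DC=com   # avoids ambiguous CN matches
  tasks:
    - name: Retrieve the password via GSSAPI over LDAP
      set_fact:
        laps_admin_password: >-
          {{ lookup('laps_password', laps_host,
                    domain='dc01.ansible.com',
                    auth='gssapi',
                    search_base=laps_search_base) }}
      no_log: true   # keep the secret out of task output and log files

    - name: Register the Windows host with the retrieved local Administrator credential
      add_host:
        name: "{{ laps_host }}"
        groups: laps_targets
        ansible_connection: winrm
        ansible_winrm_transport: ntlm
        ansible_user: Administrator
        ansible_password: "{{ laps_admin_password }}"
        ansible_winrm_server_cert_validation: validate
      no_log: true   # add_host would otherwise echo the password in its result

- name: Use the LAPS-managed credential on the Windows host
  hosts: laps_targets
  gather_facts: false
  tasks:
    - name: Confirm the WinRM connection works with the retrieved password
      win_ping:
```

For a controller without a Kerberos ticket, swap the lookup arguments for C(auth=simple), C(scheme=ldaps), C(ca_cert=...) and vault-stored C(username)/C(password); the rest of the playbook is unchanged.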