ansible.builtin.laps_password (v2.9.27) — lookup

Retrieves the LAPS password for a server.

Added in version 2.8 of ansible.builtin

Authors: Jordan Borean (@jborean93)

Install Ansible via pip: pip install ansible==2.9.27

Description

This lookup returns the LAPS password set for a server from the Active Directory database.

See U(https://github.com/jborean93/ansible-lookup-laps_password) for more information around installing pre-requisites and testing.


Requirements

Usage examples

# This isn't mandatory but it is a way to call kinit from within Ansible before calling the lookup
- name: call kinit to retrieve Kerberos token
  expect:
    command: kinit username@ANSIBLE.COM
    responses:
      (?i)password: SecretPass1
  no_log: True
- name: Get the LAPS password using Kerberos auth, relies on kinit already being called
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'SERVER', domain='dc01.ansible.com') }}"
- name: Specify the domain host using an explicit LDAP URI
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'SERVER', domain='ldap://ansible.com:389') }}"
- name: Use Simple auth over LDAPS
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'server',
                                 domain='dc01.ansible.com',
                                 auth='simple',
                                 scheme='ldaps',
                                 username='username@ANSIBLE.COM',
                                 password='SuperSecret123') }}"
- name: Use Simple auth with LDAP and StartTLS
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'app01',
                                 domain='dc01.ansible.com',
                                 auth='simple',
                                 start_tls=True,
                                 username='username@ANSIBLE.COM',
                                 password='SuperSecret123') }}"
- name: Narrow down the search base to an OU
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'sql10',
                                 domain='dc01.ansible.com',
                                 search_base='OU=Databases,DC=ansible,DC=com') }}"
- name: Set certificate file to use when validating the TLS certificate
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'windows-pc',
                                 domain='dc01.ansible.com',
                                 start_tls=True,
                                 ca_cert='/usr/local/share/certs/ad.pem') }}"

Inputs

auth:
    choices:
    - simple
    - gssapi
    default: gssapi
    description:
    - The type of authentication to use when connecting to the Active Directory server
    - When using C(simple), the I(username) and I(password) options must be set. If not
      using C(scheme=ldaps) or C(start_tls=True) then these credentials are exposed in
      plaintext in the network traffic.
    - It is recommended to use C(gssapi) as it will encrypt the traffic automatically.
    - When using C(gssapi), run C(kinit) before running Ansible to get a valid Kerberos
      ticket.
    - You cannot use C(gssapi) when either C(scheme=ldaps) or C(start_tls=True) is set.
    type: str

port:
    description:
    - The LDAP port to communicate over.
    - If I(domain) is already an LDAP URI then this is ignored.
    type: int

_terms:
    description:
    - The host name to retrieve the LAPS password for.
    - This is the C(Common Name (CN)) of the host.
    required: true
    type: str

domain:
    description:
    - The domain to search in to retrieve the LAPS password.
    - This could either be a Windows domain name visible to the Ansible controller from
      DNS or a specific domain controller FQDN.
    - Supports either just the domain/host name or an explicit LDAP URI with the domain/host
      already filled in.
    - If the URI is set, I(port) and I(scheme) are ignored.
    required: true
    type: str

scheme:
    choices:
    - ldap
    - ldaps
    default: ldap
    description:
    - The LDAP scheme to use.
    - When using C(ldap), it is recommended to set C(auth=gssapi), or C(start_tls=yes),
      otherwise traffic will be in plaintext.
    - The Active Directory host must be configured for C(ldaps) with a certificate before
      it can be used.
    - If I(domain) is already an LDAP URI then this is ignored.

ca_cert:
    aliases:
    - cacert_file
    description:
    - The path to a CA certificate PEM file to use for certificate validation.
    - Certificate validation is used when C(scheme=ldaps) or C(start_tls=yes).
    - This may fail on hosts with an older OpenLDAP install, such as macOS; OpenLDAP has
      to be updated and python-ldap reinstalled against it before this works again.
    type: str

password:
    description:
    - The password for C(username).
    - Required when C(username) is set.
    type: str

username:
    description:
    - Required when using C(auth=simple).
    - The username to authenticate with.
    - Recommended to use the username in the UPN format, e.g. C(username@DOMAIN.COM).
    - This is required when C(auth=simple) and is not supported when C(auth=gssapi).
    - Call C(kinit) outside of Ansible if C(auth=gssapi) is required.
    type: str

start_tls:
    default: false
    description:
    - When C(scheme=ldap), will use the StartTLS extension to encrypt traffic sent over
      the wire.
    - This requires the Active Directory to be set up with a certificate that supports
      StartTLS.
    - This is ignored when C(scheme=ldaps) as the traffic is already encrypted.
    type: bool

search_base:
    description:
    - Changes the search base used when searching for the host in Active Directory.
    - Will default to search in the C(defaultNamingContext) of the Active Directory server.
    - If multiple matches are found then a more explicit search_base is required so only
      1 host is found.
    - If searching a larger Active Directory database, it is recommended to narrow the
      search_base for performance reasons.
    type: str

validate_certs:
    choices:
    - never
    - allow
    - try
    - demand
    default: demand
    description:
    - When using C(scheme=ldaps) or C(start_tls=yes), this controls the certificate validation
      behaviour.
    - C(demand) will fail if no certificate or an invalid certificate is provided.
    - C(try) will fail for invalid certificates but will continue if no certificate is
      provided.
    - C(allow) will request and check a certificate but will continue even if it is invalid.
    - C(never) will not request a certificate from the server so no validation occurs.
    type: str

allow_plaintext:
    default: false
    description:
    - When set to C(yes), will allow traffic to be sent unencrypted.
    - It is highly recommended to not touch this to avoid any credentials being exposed
      over the network.
    - Use C(scheme=ldaps), C(auth=gssapi), or C(start_tls=yes) to ensure the traffic is
      encrypted.
    type: bool
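The auth, scheme, start_tls and allow_plaintext rules described above, encoded as an added Python example (not the lookup's own code; the function names are assumptions made here) that reports which option sets would leave the bind credentials and the returned LAPS password unencrypted on the wire:

```python
from urllib.parse import urlparse


def build_ldap_uri(domain, scheme="ldap", port=None):
    """URI the lookup connects to; an explicit LDAP URI in domain wins over scheme/port."""
    if urlparse(domain).scheme in ("ldap", "ldaps"):
        return domain
    if port is None:
        port = 636 if scheme == "ldaps" else 389
    return "%s://%s:%d" % (scheme, domain, port)


def transport_protection(auth="gssapi", scheme="ldap", start_tls=False,
                         username=None, password=None, allow_plaintext=False):
    """Return 'gssapi', 'ldaps', 'starttls' or 'plaintext' for an option set.

    Raises ValueError for the combinations the documentation rules out.
    """
    if scheme not in ("ldap", "ldaps") or auth not in ("simple", "gssapi"):
        raise ValueError("unknown scheme or auth value")
    if auth == "gssapi":
        # GSSAPI seals the session itself and cannot be combined with TLS here
        if scheme == "ldaps" or start_tls:
            raise ValueError("auth=gssapi cannot be used with scheme=ldaps or start_tls")
        if username or password:
            raise ValueError("username/password are not supported with auth=gssapi")
        return "gssapi"
    if not (username and password):
        raise ValueError("auth=simple requires username and password")
    if scheme == "ldaps":
        return "ldaps"  # start_tls is ignored, the channel is already TLS
    if start_tls:
        return "starttls"
    # Simple bind over plain ldap: the bind credentials and the LAPS password
    # would cross the network unencrypted, so refuse unless explicitly allowed.
    if not allow_plaintext:
        raise ValueError("plaintext simple bind refused; use ldaps, start_tls or gssapi")
    return "plaintext"


def rejected(**options):
    """Return the error message for an option set, or None when it is accepted."""
    try:
        transport_protection(**options)
    except ValueError as exc:
        return str(exc)
    return None
```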

Outputs

_raw:
  description:
  - The LAPS password(s) for the host(s) requested.
  type: str