ari_stark.ansible_oracle_modules.oracle_ldapuser (1.2.1) — module

Synchronises user accounts from LDAP/Active Directory to an Oracle database

Added in version 0.8.0 of ari_stark.ansible_oracle_modules

Authors: Ilmar Kerm, ilmar.kerm@gmail.com, @ilmarkerm

Install collection

Install with ansible-galaxy collection install ari_stark.ansible_oracle_modules:==1.2.1


Add to requirements.yml

  collections:
    - name: ari_stark.ansible_oracle_modules
      version: 1.2.1

Description

Synchronises user accounts from LDAP/Active Directory to an Oracle database and maps LDAP group membership to Oracle roles. Database users that carry the dedicated user_profile but are no longer returned by the LDAP search are locked or dropped according to deleted_user_mode.

Can be run locally on the control machine or on a remote host. Whichever host runs the module needs the Oracle client environment (ORACLE_HOME, LD_LIBRARY_PATH), which the example below supplies through the task's environment: keyword.


Requirements

Usage examples

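- hosts: localhost
  vars:
    oracle_env:
      ORACLE_HOME: /usr/lib/oracle/12.1/client64
      LD_LIBRARY_PATH: /usr/lib/oracle/12.1/client64/lib
    # Both credentials are highly privileged: the Oracle account must have DBA
    # privilege and the LDAP bind account can read the whole user tree. Keep the
    # real values in an Ansible Vault encrypted vars file, never in the playbook.
    oracle_system_password: "{{ vault_oracle_system_password }}"
    ldap_bind_password: "{{ vault_ldap_bind_password }}"
  tasks:
    - name: oracle_ldapuser
      oracle_ldapuser:
        hostname: testldap
        port: 1521
        service_name: orcl
        user: system
        password: "{{ oracle_system_password }}"
        # A plain ldap:// URL sends the bind password in clear text on the wire;
        # prefer ldaps:// (port 636) where the directory and the module's LDAP
        # library support it.
        ldap_connect: ldap://domain.int:389
        ldap_binddn: reader@domain.int
        ldap_bindpassword: "{{ ldap_bind_password }}"
        ldap_user_basedn: OU=Users,DC=domain,DC=int
        # Initial password for newly created users (expired immediately); omit for
        # EXTERNAL authentication. Source it from Vault if you enable it.
        #user_default_password: "{{ vault_user_default_password }}"
        # The following filter means that objectClass is person, member of one specific group,
        # but not COMPUTER and account is not disabled (userAccountControl bit 2 = ACCOUNTDISABLE).
        # |- strips the trailing newline that a plain | block scalar would append to the filter.
        ldap_user_filter: |-
            (&(objectClass=person)(memberOf=CN=prod_db,OU=Security Groups,DC=domain,DC=int)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=COMPUTER)))
        #ldap_user_filter: (sAMAccountName=*prod*)
        ldap_username_attribute: sAMAccountName
        # Must be a profile used only by this sync: every user with it is treated as
        # LDAP-managed and may be locked/dropped when it disappears from LDAP.
        user_profile: LDAP_USER
        #user_quota_on_default_tbs_mb: 200
        # Privileges every synchronised user receives, on top of roles mapped below.
        user_grants:
          - create session
          - create table
        # LDAP group DN -> Oracle role name.
        group_role_map:
          - {dn: "CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int", group: "prod_db_reader"}
          - {dn: "CN=prod_db_writer,OU=Security Groups,DC=domain,DC=int", group: "prod_db_writer"}
      environment: "{{ oracle_env }}"
      # The module arguments contain both passwords; no_log keeps them out of
      # verbose (-v) output and Ansible log files.
      no_log: true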

Inputs

    
mode:
    choices:
    - normal
    - sysdba
    default: normal
    description:
    - The mode with which to connect to the database (sysdba connects AS SYSDBA). This parameter is listed as
      required but also carries a default of normal; confirm against the module whether it may be omitted
    required: true

port:
    default: 1521
    description:
    - The listener port number on the host
    required: false

user:
    description:
    - The Oracle user name to connect to the database, must have DBA privilege. This is a highly privileged
      credential (the module creates, locks and drops users and grants privileges/roles); keep its password in
      Ansible Vault and set no_log: true on the task
    required: false

hostname:
    default: localhost
    description:
    - The Oracle database host
    required: false

password:
    description:
    - The Oracle user password for 'user'
    required: false

ldap_binddn:
    description:
    - LDAP login username eg reader@domain.int
    required: true

user_grants:
    default: create session
    description:
    - List of privileges granted to every synchronised user (in addition to any roles mapped via group_role_map)
    required: false
    type: list

ldap_connect:
    description:
    - LDAP connect string eg ldap://domain.int:389. A plain ldap:// URL sends the bind password in clear text;
      prefer ldaps:// where the directory and the module's LDAP library support it
    required: true

service_name:
    description:
    - The database service name to connect to
    required: true

user_profile:
    default: LDAP_USER
    description:
    - Profile for synchronised users
    - Must be a profile dedicated to this synchronisation process. The module treats every database user
      carrying this profile as LDAP-managed; that is the only way it can detect which users should be
      locked/dropped (see deleted_user_mode). Assigning the profile to any other account will cause that
      account to be treated as missing from LDAP and locked or dropped
    required: false

group_role_map:
    description:
    - Each user can be granted additional roles based on LDAP group membership; this parameter
      describes the relationship between an LDAP group DN and an Oracle role name
    - Each list item must be a dict with the keys dn (LDAP group DN) and group (Oracle role name)
    - 'Example list item: {dn:"CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int",group:"prod_db_reader"}'
    required: false
    type: list of dicts

ldap_user_basedn:
    description:
    - LDAP base DN under which synchronised users are searched
    required: true

ldap_user_filter:
    default: (objectClass=user)
    description:
    - LDAP filter to search for synchronised users
    - The default does not exclude disabled accounts; the usage example shows a filter that restricts
      to one group and excludes disabled accounts and computer objects
    required: false

deleted_user_mode:
    choices:
    - lock
    - drop
    default: lock
    description:
    - Action taken when a user carrying user_profile is no longer returned by the LDAP search.
      lock is reversible; drop removes the user and its schema objects and cannot be undone
    required: false

ldap_bindpassword:
    description:
    - LDAP login password for ldap_binddn. Keep it in Ansible Vault and set no_log: true on the task so it is
      not written to verbose output or logs
    required: true

ldap_user_subtree:
    default: true
    description:
    - Is the entire subtree searched for users (true) or just one level (false)
    required: false

user_temp_tablespace:
    default: TEMP
    description:
    - Temporary tablespace for synchronised users
    required: false

user_default_password:
    description:
    - Default password for newly created users
    - The password is expired immediately, so the user must change it at first login
    - Do not specify for EXTERNAL authentication_type (authentication_type is referenced here but not listed
      among the parameters on this page; confirm against the module source)
    required: false

ldap_username_attribute:
    default: sAMAccountName
    description:
    - LDAP attribute whose value is used as the Oracle user name
    - If the attribute value is not a valid Oracle identifier, that user is silently skipped (no account is
      created and no error is raised), so such users will be missing from the database without warning
    required: false

user_default_tablespace:
    default: USERS
    description:
    - Default tablespace for synchronised users
    required: false

user_quota_on_default_tbs_mb:
    description:
    - Quota in MB for the default tablespace
    - Do not specify for unlimited quota
    required: false