ari_stark.ansible_oracle_modules.oracle_ldapuser (1.2.1) — module
Synchronises user accounts from LDAP/Active Directory to Oracle database
Added in version 0.8.0 of ari_stark.ansible_oracle_modules
Authors: Ilmar Kerm (ilmar.kerm@gmail.com, @ilmarkerm)
Install with: ansible-galaxy collection install ari_stark.ansible_oracle_modules:==1.2.1

Or as a requirements.yml entry:
collections:
  - name: ari_stark.ansible_oracle_modules
    version: 1.2.1
Synchronises user accounts from LDAP/Active Directory to an Oracle database and maps LDAP group membership to Oracle roles.
Can be run locally on the control machine or on a remote host.
- hosts: localhost
  vars:
    oracle_env:
      ORACLE_HOME: /usr/lib/oracle/12.1/client64
      LD_LIBRARY_PATH: /usr/lib/oracle/12.1/client64/lib
  tasks:
    - name: oracle_ldapuser
      oracle_ldapuser:
        hostname: testldap
        port: 1521
        service_name: orcl
        user: system
        password: Oracle123
        ldap_connect: ldap://domain.int:389
        ldap_binddn: reader@domain.int
        ldap_bindpassword: HelloWorld123
        ldap_user_basedn: OU=Users,DC=domain,DC=int
        #user_default_password: Oracle123
        # The following filter means that objectClass is person, member of one specific group,
        # but not COMPUTER and account is not disabled
        ldap_user_filter: |
          (&(objectClass=person)(memberOf=CN=prod_db,OU=Security Groups,DC=domain,DC=int)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=COMPUTER)))
        #ldap_user_filter: (sAMAccountName=*prod*)
        ldap_username_attribute: sAMAccountName
        user_profile: LDAP_USER
        #user_quota_on_default_tbs_mb: 200
        user_grants:
          - create session
          - create table
        group_role_map:
          - {dn: "CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int", group: "prod_db_reader"}
          - {dn: "CN=prod_db_writer,OU=Security Groups,DC=domain,DC=int", group: "prod_db_writer"}
      environment: "{{ oracle_env }}"
Parameters

deleted_user_mode (choices: lock, drop; default: lock; required: false)
    What action to take when a user is no longer found by the LDAP search.

group_role_map (type: list of dicts; required: false)
    Each user can be granted additional roles based on LDAP group membership. This parameter describes the relationship between an LDAP group DN and an Oracle role name.
    Each list item must be a dict with elements dn and group.
    Example list item: {dn: "CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int", group: "prod_db_reader"}

hostname (default: localhost; required: false)
    The Oracle database host.

ldap_binddn (required: true)
    LDAP login username, e.g. reader@domain.int.

ldap_bindpassword (required: true)
    LDAP login password.

ldap_connect (required: true)
    LDAP connect string, e.g. ldap://domain.int:389.

ldap_user_basedn (required: true)
    LDAP base DN for synchronised users.

ldap_user_filter (default: (objectClass=user); required: false)
    LDAP filter used to search for synchronised users.

ldap_user_subtree (default: true; required: false)
    Whether the entire subtree is searched for users (true) or just one level (false).

ldap_username_attribute (default: sAMAccountName; required: false)
    LDAP attribute used as the user name in Oracle.
    If the value is not "Oracle identifier" compatible, that user is silently skipped.

mode (choices: normal, sysdba; default: normal; required: true)
    The mode with which to connect to the database.

password (required: false)
    The Oracle user password for 'user'.

port (default: 1521; required: false)
    The listener port number on the host.

service_name (required: true)
    The database service name to connect to.

user (required: false)
    The Oracle user name to connect to the database; must have DBA privilege.

user_default_password (required: false)
    Default password for newly created users.
    The password is expired immediately.
    Do not specify for EXTERNAL authentication_type.

user_default_tablespace (default: USERS; required: false)
    Default tablespace for synchronised users.

user_grants (type: list; default: create session; required: false)
    List of all grants every synchronised user will get.

user_profile (default: LDAP_USER; required: false)
    Profile for synchronised users.
    Must be a profile dedicated to this synchronisation process, since this is the only way to detect which users should be locked/dropped.

user_quota_on_default_tbs_mb (required: false)
    Quota in MB for the default tablespace.
    Do not specify for an unlimited quota.

user_temp_tablespace (default: TEMP; required: false)
    Temporary tablespace for synchronised users.
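To make the reconciliation rules behind user_profile, group_role_map, deleted_user_mode and the "Oracle identifier" skip rule concrete, here is an added Python illustration (not the module's own code) of how one sync pass can turn an LDAP search result plus the accounts currently on the dedicated profile into create/grant/lock-or-drop actions. The sample LDAP result, the set of profile users and the identifier regex are constructed assumptions.

```python
import re

# Constructed sample data (assumptions for this illustration, not real directory/DB content):
# LDAP search result as (sAMAccountName, memberOf) pairs.
LDAP_RESULT = [
    ("alice", ["CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int"]),
    ("bob", ["CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int",
             "CN=prod_db_writer,OU=Security Groups,DC=domain,DC=int"]),
    ("svc;drop", []),  # not a valid Oracle identifier: the docs say such users are skipped
]
# Oracle accounts currently on the dedicated profile (e.g. LDAP_USER); CAROL is no longer in LDAP.
PROFILE_USERS = {"ALICE", "CAROL"}
GROUP_ROLE_MAP = [
    {"dn": "CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int", "group": "prod_db_reader"},
    {"dn": "CN=prod_db_writer,OU=Security Groups,DC=domain,DC=int", "group": "prod_db_writer"},
]

# Assumed rule for an unquoted Oracle identifier: letter first, then letters/digits/_/$/#, max 30 chars.
ORACLE_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")


def plan_sync(ldap_users, profile_users, role_map, deleted_user_mode="lock"):
    """Return the list of (action, username, detail) tuples a sync pass would perform.

    Only accounts on the dedicated profile are candidates for lock/drop, which is
    why the module requires that profile to be used for nothing else.
    """
    dn_to_role = {m["dn"].lower(): m["group"] for m in role_map}
    actions, seen = [], set()
    for name, member_of in ldap_users:
        if not ORACLE_IDENT.match(name):
            actions.append(("skip", name, "not an Oracle identifier"))
            continue
        uname = name.upper()  # Oracle folds unquoted identifiers to upper case
        seen.add(uname)
        if uname not in profile_users:
            actions.append(("create", uname, ""))
        roles = {dn_to_role[dn.lower()] for dn in member_of if dn.lower() in dn_to_role}
        for role in sorted(roles):
            actions.append(("grant", uname, role))
    # Accounts on the profile that the LDAP search no longer returns.
    for uname in sorted(profile_users - seen):
        actions.append((deleted_user_mode, uname, "not found in LDAP"))
    return actions


if __name__ == "__main__":
    for action in plan_sync(LDAP_RESULT, PROFILE_USERS, GROUP_ROLE_MAP):
        print(action)
```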