opitzconsulting.ansible_oracle.oracle_ldapuser (4.7.0) — module

Synchronises user accounts from LDAP/Active Directory to an Oracle database and maps group membership to Oracle roles

Added in version 2.2.0 of opitzconsulting.ansible_oracle

Authors: Ilmar Kerm, ilmar.kerm@gmail.com, @ilmarkerm

Install collection

Install with ansible-galaxy collection install opitzconsulting.ansible_oracle:==4.7.0


Add to requirements.yml

  collections:
    - name: opitzconsulting.ansible_oracle
      version: 4.7.0

Description

Synchronises user accounts from LDAP/Active Directory to an Oracle database and maps group membership to Oracle roles

Can be run locally on the control machine or on a remote host


Requirements

Usage examples

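- hosts: localhost
  vars:
    oracle_env:
      ORACLE_HOME: /usr/lib/oracle/12.1/client64
      LD_LIBRARY_PATH: /usr/lib/oracle/12.1/client64/lib
  tasks:
    # Synchronise LDAP/AD accounts into the Oracle database and map group
    # membership to Oracle roles. Credentials are referenced from vaulted
    # variables (constructed placeholder names) instead of inline literals.
    - name: oracle_ldapuser
      oracle_ldapuser:
        hostname: testldap
        port: 1521
        service_name: orcl
        user: system
        password: "{{ vault_oracle_system_password }}"  # placeholder: define in Ansible Vault
        # Plain ldap:// on 389 sends the bind password in cleartext; use
        # ldaps:// (or StartTLS where the directory supports it) in production.
        ldap_connect: ldap://domain.int:389
        ldap_binddn: reader@domain.int
        ldap_bindpassword: "{{ vault_ldap_bind_password }}"  # placeholder: define in Ansible Vault
        ldap_user_basedn: OU=Users,DC=domain,DC=int
        # Initial password for newly created users (expired immediately);
        # omit it for EXTERNAL authentication.
        # user_default_password: "{{ vault_ldap_user_initial_password }}"
        # The following filter means that objectClass is person, member of
        # one specific group, but not COMPUTER and account is not disabled
        ldap_user_filter: (&(objectClass=person)(memberOf=CN=prod_db,OU=Security Groups,DC=domain,DC=int)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=COMPUTER)))
        # ldap_user_filter: (sAMAccountName=*prod*)
        ldap_username_attribute: sAMAccountName
        # Dedicated profile: the module uses it to tell which accounts it owns
        # and may lock/drop when they disappear from LDAP.
        user_profile: LDAP_USER
        # user_quota_on_default_tbs_mb: 200
        user_grants:
          - create session
          - create table
        group_role_map:
          - {dn: "CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int", group: "prod_db_reader"}  # noqa E501
          - {dn: "CN=prod_db_writer,OU=Security Groups,DC=domain,DC=int", group: "prod_db_writer"}  # noqa E501
      # The task arguments carry database and LDAP passwords; no_log keeps
      # them out of verbose output and task result logs.
      no_log: true
      environment: "{{ oracle_env }}"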

Inputs

    
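# Module options. `required: true` and `default` are mutually exclusive in an
# Ansible argument spec, so every option that carries a default is marked
# `required: false`; `mode` was previously documented as both.
mode:
  choices:
    - normal
    - sysdba
  default: normal
  description:
    - The mode with which to connect to the database
  required: false

port:
  default: 1521
  description:
    - The listener port number on the host
  required: false
  type: int

user:
  description:
    - The Oracle user name to connect to the database, must have DBA privilege
  required: false

hostname:
  default: localhost
  description:
    - The Oracle database host
  required: false
  type: str

password:
  description:
    - The Oracle user password for 'user'
    - Sensitive value; supply it from Ansible Vault or a secret store and keep the task under no_log
  required: false

ldap_binddn:
  description:
    - LDAP login username eg reader@domain.int
  required: true

user_grants:
  default: create session
  description:
    - List of grants that all synchronised users will get
  required: false
  type: list

ldap_connect:
  description:
    - LDAP connect string eg ldap://domain.int:389
    - A plain ldap:// URL sends the bind password in cleartext; prefer ldaps:// (or StartTLS where supported)
  required: true

service_name:
  description:
    - The database service name to connect to
  required: true
  type: str

user_profile:
  default: LDAP_USER
  description:
    - Profile for synchronised users
    - Must be a dedicated profile for this synchronisation process, since this is the only way to detect which users should be locked/dropped
  required: false

group_role_map:
  description:
    - Each user can be granted additional roles based on LDAP group membership; this parameter describes the relationship between the group LDAP DN and the Oracle role name
    - Each list item must be a dict with elements dn and group (as in the usage example)
    - 'Example list item: {dn: "CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int", group: "prod_db_reader"}'
  required: false
  # "list of dicts" is not a valid Ansible type; list + elements is the
  # equivalent spelling.
  type: list
  elements: dict

ldap_user_basedn:
  description:
    - LDAP BASE DN for synchronised users
  required: true

ldap_user_filter:
  default: (objectClass=user)
  description:
    - LDAP filter to search for synchronised users
  required: false

deleted_user_mode:
  choices:
    - lock
    - drop
  default: lock
  description:
    - What action to take when a user is not found in the LDAP search anymore
  required: false

ldap_bindpassword:
  description:
    - LDAP login password
    - Sensitive value; supply it from Ansible Vault or a secret store and keep the task under no_log
  required: true

ldap_user_subtree:
  default: true
  description:
    - Is the entire subtree searched for users (true) or just one level (false)
  required: false

user_temp_tablespace:
  default: TEMP
  description:
    - Temporary tablespace for synchronised users
  required: false

user_default_password:
  description:
    - Default password for newly created users
    - Password is expired immediately
    - Do not specify for EXTERNAL authentication_type
    - Sensitive value; supply it from Ansible Vault or a secret store and keep the task under no_log
  required: false

ldap_username_attribute:
  default: sAMAccountName
  description:
    - LDAP attribute that is used for the user name in Oracle
    - If the value is not "Oracle identifier" compatible, that user is silently skipped
  required: false

user_default_tablespace:
  default: USERS
  description:
    - Default tablespace for synchronised users
  required: false

user_quota_on_default_tbs_mb:
  description:
    - Quota in MB for the default tablespace
    - Do not specify for unlimited quota
  required: false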