rendanic.ansible_oracle.oracle_ldapuser module (collection version 4.0.0)

Added in version 2.2.0 of rendanic.ansible_oracle.
Authors: Ilmar Kerm, ilmar.kerm@gmail.com, @ilmarkerm

Install with:

    ansible-galaxy collection install rendanic.ansible_oracle:==4.0.0

or add to requirements.yml:

    collections:
      - name: rendanic.ansible_oracle
        version: 4.0.0

Synopsis

Synchronises user accounts from LDAP/Active Directory to an Oracle database and maps group membership to Oracle roles.
Can be run locally on the control machine or on a remote host.
Examples

    - hosts: localhost
      vars:
        oracle_env:
          ORACLE_HOME: /usr/lib/oracle/12.1/client64
          LD_LIBRARY_PATH: /usr/lib/oracle/12.1/client64/lib
      tasks:
        - name: oracle_ldapuser
          oracle_ldapuser:
            hostname: testldap
            port: 1521
            service_name: orcl
            user: system
            password: Oracle123
            ldap_connect: ldap://domain.int:389
            ldap_binddn: reader@domain.int
            ldap_bindpassword: HelloWorld123
            ldap_user_basedn: OU=Users,DC=domain,DC=int
            #user_default_password: Oracle123
            # The following filter means that objectClass is person, member of
            # one specific group, but not COMPUTER and account is not disabled
            ldap_user_filter: (&(objectClass=person)(memberOf=CN=prod_db,OU=Security Groups,DC=domain,DC=int)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(objectClass=COMPUTER)))
            #ldap_user_filter: (sAMAccountName=*prod*)
            ldap_username_attribute: sAMAccountName
            user_profile: LDAP_USER
            #user_quota_on_default_tbs_mb: 200
            user_grants:
              - create session
              - create table
            group_role_map:
              - {dn: "CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int", group: "prod_db_reader"} # noqa E501
              - {dn: "CN=prod_db_writer,OU=Security Groups,DC=domain,DC=int", group: "prod_db_writer"} # noqa E501
          environment: "{{ oracle_env }}"
Parameters

deleted_user_mode
  choices: lock, drop; default: lock; required: false
  What action to take when a user is no longer found by the LDAP search.

group_role_map
  type: list of dicts; required: false
  Each user can be granted additional roles based on LDAP group membership. This parameter describes the relationship between an LDAP group DN and an Oracle role name. Each list item must be a dict with the elements dn and group.
  Example list item: {dn: "CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int", group: "prod_db_reader"}

hostname
  type: str; default: localhost; required: false
  The Oracle database host.

ldap_binddn
  required: true
  LDAP login username, e.g. reader@domain.int.

ldap_bindpassword
  required: true
  LDAP login password.

ldap_connect
  required: true
  LDAP connect string, e.g. ldap://domain.int:389.

ldap_user_basedn
  required: true
  LDAP base DN for synchronised users.

ldap_user_filter
  default: (objectClass=user); required: false
  LDAP filter used to search for synchronised users.

ldap_user_subtree
  default: true; required: false
  Whether the entire subtree is searched for users (true) or just one level (false).

ldap_username_attribute
  default: sAMAccountName; required: false
  LDAP attribute used as the user name in Oracle. If the value is not compatible with an Oracle identifier, that user is silently skipped.

mode
  choices: normal, sysdba; default: normal; required: true
  The mode with which to connect to the database.

password
  required: false
  The Oracle user password for 'user'.

port
  type: int; default: 1521; required: false
  The listener port number on the host.

service_name
  type: str; required: true
  The database service name to connect to.

user
  required: false
  The Oracle user name to connect to the database; must have DBA privilege.

user_default_password
  required: false
  Default password for newly created users. The password is expired immediately. Do not specify for EXTERNAL authentication_type.

user_default_tablespace
  default: USERS; required: false
  Default tablespace for synchronised users.

user_grants
  type: list; default: create session; required: false
  List of grants that all synchronised users will get.

user_profile
  default: LDAP_USER; required: false
  Profile for synchronised users. Must be a profile dedicated to this synchronisation process, since this is the only way to detect which users should be locked or dropped.

user_quota_on_default_tbs_mb
  required: false
  Quota in MB on the default tablespace. Do not specify for an unlimited quota.

user_temp_tablespace
  default: TEMP; required: false
  Temporary tablespace for synchronised users.
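As an added illustration, not the module's own code, the following Python sketch works out what one synchronisation run implies from a constructed LDAP result: names that are not usable as Oracle identifiers are skipped, members of groups listed in group_role_map receive the mapped roles, and users holding the dedicated profile that the search no longer returns are locked or dropped according to deleted_user_mode. The plan_sync function, the identifier regex and the sample data are assumptions made here, not taken from the module.

```python
import re

# Unquoted Oracle identifier: a letter, then letters, digits, _, $ or #, at most
# 30 characters (assumed limit for this check; the module's own test may differ).
ORACLE_IDENT = re.compile(r"^[A-Za-z][A-Za-z0-9_$#]{0,29}$")


def plan_sync(ldap_entries, existing_users, group_role_map,
              username_attribute="sAMAccountName",
              user_grants=("create session",), deleted_user_mode="lock"):
    """Work out what one sync run would do, without touching any database.
    ldap_entries: LDAP search result as {attribute: [values]} dicts;
    existing_users: Oracle users already holding the dedicated profile;
    group_role_map: list of {"dn": ..., "group": ...} as the module parameter."""
    dn_to_role = {m["dn"].lower(): m["group"] for m in group_role_map}
    existing = {u.upper() for u in existing_users}
    plan = {"create": [], "grant": {}, "roles": {}, "skipped": [], "lock": [], "drop": []}
    seen = set()
    for entry in ldap_entries:
        name = (entry.get(username_attribute) or [""])[0]
        if not ORACLE_IDENT.match(name):
            plan["skipped"].append(name)  # not a usable identifier: silently skipped
            continue
        uname = name.upper()
        seen.add(uname)
        if uname not in existing:
            plan["create"].append(uname)  # new user: created with profile and grants
        plan["grant"][uname] = sorted(user_grants)
        # Roles come only from DNs listed in group_role_map; other groups are ignored
        plan["roles"][uname] = sorted({dn_to_role[dn.lower()]
                                       for dn in entry.get("memberOf", [])
                                       if dn.lower() in dn_to_role})
    # Profile holders no longer returned by the LDAP search are locked or dropped
    plan[deleted_user_mode] = sorted(existing - seen)
    return plan


# Constructed sample data, not taken from a real directory or database
SAMPLE_LDAP = [
    {"sAMAccountName": ["alice"],
     "memberOf": ["CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int"]},
    {"sAMAccountName": ["bob"],
     "memberOf": ["CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int",
                  "CN=prod_db_writer,OU=Security Groups,DC=domain,DC=int"]},
    {"sAMAccountName": ["svc-report"], "memberOf": []},  # hyphen: not an identifier
]
SAMPLE_EXISTING = {"ALICE", "CAROL"}  # CAROL has left the directory
GROUP_ROLE_MAP = [
    {"dn": "CN=prod_db_reader,OU=Security Groups,DC=domain,DC=int", "group": "prod_db_reader"},
    {"dn": "CN=prod_db_writer,OU=Security Groups,DC=domain,DC=int", "group": "prod_db_writer"},
]
```

Running plan_sync(SAMPLE_LDAP, SAMPLE_EXISTING, GROUP_ROLE_MAP) creates BOB, skips svc-report and locks CAROL; passing deleted_user_mode="drop" moves CAROL to the drop list instead.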