laps_password – Retrieves the LAPS password for a server
New in version 2.8.
Synopsis
This lookup returns the LAPS password set for a server from the Active Directory database.
See https://github.com/jborean93/ansible-lookup-laps_password for more information on installing prerequisites and testing.
Requirements
The following requirements are needed on the local master node that executes this lookup.
python-ldap
Parameters
Notes
Note
If a host was found but had no LAPS password attribute (ms-Mcs-AdmPwd), the lookup will fail.
Due to the sensitive nature of the data travelling across the network, it is highly recommended to run with either auth=gssapi, scheme=ldaps, or start_tls=yes. Failing to run with one of the above settings will result in the account credentials as well as the LAPS password being sent in plaintext.
Some scenarios may not work when running on a host with an older OpenLDAP install like MacOS. It is recommended to install the latest OpenLDAP version and build python-ldap against this, see https://keathmilligan.net/python-ldap-and-macos/ for more information.
Examples

```yaml
# This isn't mandatory but it is a way to call kinit from within Ansible before calling the lookup
- name: call kinit to retrieve Kerberos token
  expect:
    command: kinit username@ANSIBLE.COM
    responses:
      (?i)password: SecretPass1
  no_log: True

- name: Get the LAPS password using Kerberos auth, relies on kinit already being called
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'SERVER', domain='dc01.ansible.com') }}"

- name: Specify the domain host using an explicit LDAP URI
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'SERVER', domain='ldap://ansible.com:389') }}"

- name: Use Simple auth over LDAPS
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'server',
                                 domain='dc01.ansible.com',
                                 auth='simple',
                                 scheme='ldaps',
                                 username='username@ANSIBLE.COM',
                                 password='SuperSecret123') }}"

- name: Use Simple auth with LDAP and StartTLS
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'app01',
                                 domain='dc01.ansible.com',
                                 auth='simple',
                                 start_tls=True,
                                 username='username@ANSIBLE.COM',
                                 password='SuperSecret123') }}"

- name: Narrow down the search base to an OU
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'sql10',
                                 domain='dc01.ansible.com',
                                 search_base='OU=Databases,DC=ansible,DC=com') }}"

- name: Set certificate file to use when validating the TLS certificate
  set_fact:
    ansible_password: "{{ lookup('laps_password', 'windows-pc',
                                 domain='dc01.ansible.com',
                                 start_tls=True,
                                 ca_cert='/usr/local/share/certs/ad.pem') }}"
```
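The LDAP steps the Notes and Examples above describe (a transport check that refuses a plaintext bind, a search for the computer object, and a failure when the host exists but ms-Mcs-AdmPwd is absent), written out as an added example using python-ldap, the listed requirement. This is not the plugin's own code; the function names, the constructed sample search result in the test, and the defaults are assumptions.

```python
# Added example, not the plugin's own code: the LDAP steps behind the lookup, using
# python-ldap (the listed requirement). Function names and any sample data are mine.
LAPS_ATTR = "ms-Mcs-AdmPwd"  # attribute the Notes section refers to

def check_transport(auth, scheme, start_tls):
    """Apply the Notes rule: a simple bind over cleartext LDAP is refused."""
    if auth == "gssapi" or scheme == "ldaps" or start_tls:
        return True
    raise ValueError("refusing plaintext bind: use auth=gssapi, scheme=ldaps or start_tls=yes")

def escape_filter(value):
    """RFC 4515 escaping so the hostname cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def build_filter(hostname):
    """Computer accounts carry a trailing '$' on sAMAccountName."""
    return "(&(objectClass=computer)(sAMAccountName=%s$))" % escape_filter(hostname)

def extract_password(search_result, hostname):
    """search_result has search_s()'s shape: [(dn, {attr: [bytes]})]. AD mixes in
    referral tuples whose dn is None; those are dropped here."""
    entries = [(dn, attrs) for dn, attrs in search_result if dn is not None]
    if not entries:
        raise LookupError("host %s not found" % hostname)
    if len(entries) > 1:
        raise LookupError("%d entries match %s; narrow search_base" % (len(entries), hostname))
    dn, attrs = entries[0]
    values = attrs.get(LAPS_ATTR)
    if not values:  # host found but attribute absent or unreadable: fail, as the Notes say
        raise LookupError("%s has no readable %s attribute" % (dn, LAPS_ATTR))
    return values[0].decode("utf-8")

def fetch_laps_password(hostname, domain, search_base, auth="gssapi", scheme="ldap",
                        start_tls=False, username=None, password=None, ca_cert=None):
    import ldap  # python-ldap; imported here so the helpers above work without it
    check_transport(auth, scheme, start_tls)
    uri = domain if "://" in domain else "%s://%s" % (scheme, domain)
    conn = ldap.initialize(uri)
    conn.set_option(ldap.OPT_REFERRALS, 0)  # do not chase AD referrals
    if ca_cert:  # pin the CA used to validate the DC certificate
        conn.set_option(ldap.OPT_X_TLS_CACERTFILE, ca_cert)
        conn.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
    if start_tls:
        conn.start_tls_s()  # upgrade the cleartext connection before any bind
    if auth == "gssapi":
        conn.sasl_gssapi_bind_s()  # uses the ticket obtained by kinit
    else:
        conn.simple_bind_s(username, password)
    result = conn.search_s(search_base, ldap.SCOPE_SUBTREE, build_filter(hostname), [LAPS_ATTR])
    return extract_password(result, hostname)
```

The helpers above the network call can be exercised offline; the account used needs read rights on ms-Mcs-AdmPwd, otherwise the directory simply omits the attribute and the lookup fails as the note describes.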
Return Values
Common return values are documented here, the following are the fields unique to this lookup:
Key | Returned | Description |
---|---|---|
_raw (string) | | The LAPS password(s) for the host(s) requested. |
Status
This lookup is not guaranteed to have a backwards compatible interface. [preview]
This lookup is maintained by the Ansible Community. [community]
Authors
Jordan Borean (@jborean93)
Hint
Configuration entries for each entry type have a low to high priority order. For example, a variable that is lower in the list will override a variable that is higher up.