Open JochenKorge opened 2 years ago
Files identified in the description:
If these files are incorrect, please update the component name
section of the description or use the !component
bot command.
cc @eryx12o45 @jtyr click here for bot help
After some more tests, I realized that "scope: subordinate" does not work at all.
@JochenKorge were you able to get the results through this module? If so, how?
This looks like something on the LDAP server side. The module is quite simple and straightforward. Those responses come from the server. The module is only passing back the answer it receives from the LDAP server.
I disagree with russoz. Something is definitely wrong with the ldap_search module when using the scope 'subordinate' on the entire domain. While it is true that the response is being generated by the LDAP server, the testing indicates that the request to the LDAP server is the problem, that is the cause of the errors.
```
$ ansible-galaxy collection list | grep community.general
community.general 8.4.0
```
Common variables:
```yaml
ldap_bind_user: "CN=bind_user,OU=ServiceAccounts,OU=<REDACTED>,DC=pro,DC=<REDACTED>,DC=com"
ldap_bind_password: <REDACTED>
ldap_server_url: ldap://ldap.pro.<redacted>.com
ldap_base_dn: "OU=ServiceAccounts,OU=<REDACTED>,DC=pro,DC=<REDACTED>,DC=com"
ldap_filter: cn=svc_account1
```
Here are 2 scenarios:
```yaml
- name: TEST module
  community.general.ldap_search:
    server_uri: "{{ ldap_server_url }}" # -H
    bind_dn: "{{ ldap_bind_user }}" # -D
    bind_pw: "{{ ldap_bind_password }}" # -w
    dn: "{{ ldap_base_dn }}" # -b
    scope: onelevel # -s
    filter: "{{ ldap_filter }}"
    validate_certs: false
  register: module_out
  ignore_errors: true

- debug:
    var: module_out

- name: TEST command line
  ansible.builtin.command: ldapsearch -s "one" -b "{{ ldap_base_dn }}" -H "{{ ldap_server_url }}" -D "{{ ldap_bind_user }}" -w "{{ ldap_bind_password }}" "({{ ldap_filter }})"
  changed_when: false
  register: command_out

- debug:
    var: command_out
```
In this first scenario, both the module and the command line provide the expected results.
```yaml
- name: TEST module
  community.general.ldap_search:
    server_uri: "{{ ldap_server_url }}" # -H
    bind_dn: "{{ ldap_bind_user }}" # -D
    bind_pw: "{{ ldap_bind_password }}" # -w
    dn: "{{ ldap_base_dn }}" # -b
    scope: subordinate # -s
    filter: "{{ ldap_filter }}"
    validate_certs: false
    #attrs: memberOf
  register: module_out
  ignore_errors: true

- debug:
    var: module_out

- name: TEST command line
  ansible.builtin.command: ldapsearch -s "sub" -b "{{ ldap_base_dn }}" -H "{{ ldap_server_url }}" -D "{{ ldap_bind_user }}" -w "{{ ldap_bind_password }}" "({{ ldap_filter }})"
  changed_when: false
  register: command_out

- debug:
    var: command_out
```
In this second scenario, the command line provides the expected results, but the module_out is:
```
"module_out": {
    "changed": false,
    "details": "{'msgtype': 101, 'msgid': 4, 'result': 80, 'desc': 'Other (e.g., implementation specific) error', 'ctrls': [], 'info': '00000057: LdapErr: DSID-0C090DA2, comment: Error processing control, data 0, v4563'}",
    "failed": true,
    "msg": "Attribute action failed."
}
```
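Added example, not part of the original thread or of the module's code: the second scenario compares `ldapsearch -s "sub"` with `scope: subordinate`, but in RFC 4511 `sub` is wholeSubtree (2), while the subordinate scope is value 3 from a separate extension (`-s children` in ldapsearch). Since the URL is plain `ldap://`, each request can be captured and its scope field decoded to check whether the two tests send the same search. The base DN and message ID below are constructed, and that the module sends 3 for `subordinate` is an assumption this decoder lets you verify.

```python
# Scope values 0-2 come from RFC 4511; 3 is the subordinate-scope extension.
SCOPE_NAMES = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree", 3: "subordinateSubtree"}

def tlv(tag, value):
    """BER tag-length-value with a definite length (short or long form)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def ber_int(tag, n):
    """Non-negative INTEGER (0x02) or ENUMERATED (0x0A)."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def search_request(msg_id, base_dn, scope, attr, value):
    """LDAPMessage carrying a SearchRequest with an equalityMatch filter."""
    body = (tlv(0x04, base_dn.encode())      # baseObject
            + ber_int(0x0A, scope)           # scope
            + ber_int(0x0A, 0)               # derefAliases: never
            + ber_int(0x02, 0)               # sizeLimit: none
            + ber_int(0x02, 0)               # timeLimit: none
            + tlv(0x01, b"\x00")             # typesOnly: FALSE
            + tlv(0xA3, tlv(0x04, attr.encode()) + tlv(0x04, value.encode()))
            + tlv(0x30, b""))                # attributes: all user attributes
    return tlv(0x30, ber_int(0x02, msg_id) + tlv(0x63, body))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def scope_of(message):
    """Name the search scope found in a captured LDAPMessage."""
    tag, msg, _ = read_tlv(message, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = read_tlv(msg, 0)             # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x63:
        raise ValueError("not a SearchRequest")
    _, _, pos = read_tlv(op, 0)              # skip baseObject
    _, val, _ = read_tlv(op, pos)
    return SCOPE_NAMES.get(int.from_bytes(val, "big"), "unknown")

BASE = "OU=ServiceAccounts,DC=pro,DC=example,DC=com"       # constructed sample
SUB = search_request(4, BASE, 2, "cn", "svc_account1")       # ldapsearch -s sub
CHILDREN = search_request(4, BASE, 3, "cn", "svc_account1")  # scope value 3
```

Feeding `scope_of()` the raw bytes of each captured request shows directly whether the module task and the `ldapsearch` task asked the server for the same scope.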
Summary
When I specify only the Domain-Component dn: 'DC=example,DC=com' the module bugs out. The Error message differs on scope: 'children/subordinate'
Issue Type
Bug Report
Component Name
ldap_search
Ansible Version
Community.general Version
Configuration
OS / Environment
Target is Debian11 Ldap-Server: Synology DSM 6.2.4 (Synology Directory Server 4.4.5, based on Samba 4.4.16)
Steps to Reproduce
Expected Results
print all users where "filter" matches
Actual Results
When Changing scope to subordinate the error changes to: