ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

Allow removal of LDAP attribute regardless of its value #6822

Open dnmvisser opened 1 year ago

dnmvisser commented 1 year ago

Summary

I am trying to remove an attribute from an LDAP entry, in this case the password that was put in during installation of the slapd package on Debian. Initially I have this in my config database:

root@dick-dev1:~# ldapsearch -Q -LLL -Y EXTERNAL -b cn=config olcDatabase={1}mdb
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=geant,dc=org
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=foo,dc=bar
olcRootPW: {SSHA}tRU7YUk8WUdcA04ZbYAv1985nUcMrjRZ
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824

I am looking to remove the olcRootPW attribute entirely (in my example we're not going to use it, so we'd rather remove it to avoid it being (ab)used unintentionally).

I can't use community.general.ldap_entry because that can only remove entire entries. According to the community.general.ldap_attrs docs, this can "Add or remove multiple LDAP attribute values", which seems like what I need.

But according to https://docs.ansible.com/ansible/latest/collections/community/general/ldap_attrs_module.html#parameter-attributes:

The attribute(s) and value(s) to add or remove.

That works, but I need to supply both the attribute and its value. I cannot seem to remove the attribute without supplying its value. Workarounds could be:

But, since the LDIF to remove the attribute is pretty trivial:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcRootPW

I am thinking this could well be supported by the ldap_attrs module?

There is a possibility that the module does in fact already support what I'm after - in that case it's probably a matter of documentation...

Issue Type

Feature Idea

Component Name

ldap_attrs

Additional Information

ansibullbot commented 1 year ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

ansibullbot commented 1 year ago

cc @drybjed @jtyr @noles click here for bot help

felixfontein commented 1 year ago

I think you can use state=exact and provide the value [] for the attribute to remove it completely without knowing its value. See also the examples of the module, the task with name Remove specified attribute(s) from an entry.
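To make the difference between the three states concrete, here is an added illustration (not the community.general module's own code, and not code from anyone in this thread) that models how an `attributes` mapping and a `state` turn into an LDAP modify list, using the same `(op, attribute, values)` tuple convention as python-ldap. The entry contents, the `{SSHA}REDACTED-EXAMPLE` value and the helper names are constructed for the example. It shows why `state: exact` with `olcRootPW: []` removes the attribute without knowing its current value (a delete with no value list, which is exactly the LDIF from the issue description), while `state: absent` needs the value to match.

```python
# Added example: modelling ldap_attrs-style states as LDAP modify operations.
# Not the real module's implementation; entry data below is constructed.

MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2          # same numbers python-ldap uses
OP_NAMES = {MOD_ADD: "add", MOD_DELETE: "delete", MOD_REPLACE: "replace"}


def _norm(values):
    """Normalise a scalar or list of values to a list of bytes (LDAP values are bytes)."""
    if values is None:
        return []
    if not isinstance(values, (list, tuple)):
        values = [values]
    return [v if isinstance(v, bytes) else str(v).encode() for v in values]


def build_modlist(current_entry, attributes, state):
    """Return the modify operations needed to bring current_entry to the wanted state.

    current_entry: {attr: [bytes, ...]} as read back from the directory.
    attributes:    {attr: value-or-list} as given in the task.
    state:         'present' | 'absent' | 'exact'.
    """
    modlist = []
    for attr, wanted in attributes.items():
        current = _norm(current_entry.get(attr, []))
        wanted = _norm(wanted)
        if state == "present":
            to_add = [v for v in wanted if v not in current]
            if to_add:
                modlist.append((MOD_ADD, attr, to_add))
        elif state == "absent":
            # 'absent' removes only the listed values, so the value must be known
            to_del = [v for v in wanted if v in current]
            if to_del:
                modlist.append((MOD_DELETE, attr, to_del))
        elif state == "exact":
            if sorted(current) != sorted(wanted):
                if not wanted:
                    # nothing wanted at all: delete the whole attribute, value unknown
                    modlist.append((MOD_DELETE, attr, None))
                else:
                    modlist.append((MOD_REPLACE, attr, wanted))
        else:
            raise ValueError(f"unknown state {state!r}")
    return modlist


def to_ldif(dn, modlist):
    """Render a modify list as an LDIF change record (one '-' after each operation)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in modlist:
        lines.append(f"{OP_NAMES[op]}: {attr}")
        for v in values or []:
            lines.append(f"{attr}: {v.decode()}")
        lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed stand-in for the olcDatabase={1}mdb entry from the issue.
EXAMPLE_DN = "olcDatabase={1}mdb,cn=config"
EXAMPLE_ENTRY = {
    "olcRootDN": [b"cn=admin,dc=foo,dc=bar"],
    "olcRootPW": [b"{SSHA}REDACTED-EXAMPLE"],
}


def remove_root_pw_ldif():
    """The LDIF produced for: attributes: {olcRootPW: []}, state: exact."""
    return to_ldif(EXAMPLE_DN, build_modlist(EXAMPLE_ENTRY, {"olcRootPW": []}, "exact"))


if __name__ == "__main__":
    print(remove_root_pw_ldif())
```

Running it prints the `delete: olcRootPW` change record; calling `build_modlist` a second time against an entry that no longer has `olcRootPW` yields an empty list, which is the idempotence the module relies on for `changed`.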

russoz commented 1 year ago

hi @dnmvisser just out of curiosity: are you able to remove it using the LDIF and the command line? Just making sure that OpenLDAP is not the issue here.