ansible-collections / community.general

Ansible Community General Collection
https://galaxy.ansible.com/ui/repo/published/community/general/
GNU General Public License v3.0

ldap_attrs: single-valued attribute has multiple values #7967

Open GamerGun opened 6 months ago

GamerGun commented 6 months ago

Summary

When running this play:

    - name: "Change LDAP attributes"
      community.general.ldap_attrs:
        dn: "cn=config"
        attributes: "{{ config_modifications }}"
        bind_dn: "{{ bind_dn }}"
        bind_pw: "{{ bind_password }}"
        server_uri: "ldaps://{{ idm_server }}"

And the following attributes:

config_modifications:
  nsslapd-allow-anonymous-access: "rootdse"
  nsslapd-minssf: "56"
  nsslapd-auditlog-logging-enabled: "on"
  nsslapd-accesslog-logmaxdiskspace: "1000"
  nsslapd-accesslog-maxlogsize: "200"
  nsslapd-sizelimit: "5000"

It fails with the following error:

  "details": "{'msgtype': 103, 'msgid': 8, 'result': 65, 'desc': 'Object class violation', 'ctrls': [], 'info': 'single-valued attribute \"nsslapd-accesslog-logmaxdiskspace\" has multiple values\\n'}",

Removing just that attribute results in a working playbook, but I don't understand what is wrong with it?

Entire output:

{
  "details": "{'msgtype': 103, 'msgid': 8, 'result': 65, 'desc': 'Object class violation', 'ctrls': [], 'info': 'single-valued attribute \"nsslapd-accesslog-logmaxdiskspace\" has multiple values\\n'}",
  "msg": "Attribute action failed.",
  "invocation": {
    "module_args": {
      "dn": "cn=config",
      "attributes": {
        "nsslapd-allow-anonymous-access": "rootdse",
        "nsslapd-minssf": "56",
        "nsslapd-auditlog-logging-enabled": "on",
        "nsslapd-accesslog-logmaxdiskspace": "1000",
        "nsslapd-accesslog-maxlogsize": "200",
        "nsslapd-sizelimit": "5000"
      },
      "bind_dn": "cn=Directory Manager",
      "bind_pw": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
      "server_uri": "ldaps://XXX",
      "ordered": false,
      "state": "present",
      "referrals_chasing": "anonymous",
      "start_tls": false,
      "validate_certs": true,
      "sasl_class": "external",
      "xorder_discovery": "auto",
      "ca_path": null,
      "client_cert": null,
      "client_key": null
    }
  },
  "ansible_facts": {
    "discovered_interpreter_python": "/usr/libexec/platform-python"
  },
  "_ansible_no_log": null,
  "changed": false
}

Issue Type

Bug Report

Component Name

community.general.ldap_attrs

Ansible Version

Ansible Automation Platform Controller 4.4.7

Community.general Version

8.1.0 (Automation Hub)

Configuration

$ ansible-config dump --only-changed

OS / Environment

RHEL8

Steps to Reproduce

    - name: "Change LDAP attributes"
      community.general.ldap_attrs:
        dn: "cn=config"
        attributes: "{{ config_modifications }}"
        bind_dn: "{{ bind_dn }}"
        bind_pw: "{{ bind_password }}"
        server_uri: "ldaps://{{ idm_server }}"

And the following attributes:

config_modifications:
  nsslapd-allow-anonymous-access: "rootdse"
  nsslapd-minssf: "56"
  nsslapd-auditlog-logging-enabled: "on"
  nsslapd-accesslog-logmaxdiskspace: "1000"
  nsslapd-accesslog-maxlogsize: "200"
  nsslapd-sizelimit: "5000"

Expected Results

Changed LDAP attr

Actual Results

  "details": "{'msgtype': 103, 'msgid': 8, 'result': 65, 'desc': 'Object class violation', 'ctrls': [], 'info': 'single-valued attribute \"nsslapd-accesslog-logmaxdiskspace\" has multiple values\\n'}",

ansibullbot commented 6 months ago

Files identified in the description:

If these files are incorrect, please update the component name section of the description or use the !component bot command.

ansibullbot commented 6 months ago

cc @drybjed @jtyr @noles

felixfontein commented 6 months ago

You might want to use state=exact instead of state=present. According to the docs:

If V(present), all given attribute values will be added if they're missing

Emphasis mine. Apparently there's already a value, and you tell the module to add another one - which results in an invalid state. You want this behavior:

If V(exact), the set of attribute values will be forced to exactly those provided and no others.
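
The difference between the two states discussed in this thread, as an added example that is not part of the original comments and is not the module's own code: a simplified in-memory model of the modify operations that `state: present` and `state: exact` lead to. The helpers `plan` and `apply_mods`, the starting value `500`, and treating only this one attribute as single-valued are assumptions made for illustration.

```python
# Simplified model (assumption): neither the ldap_attrs source nor a real LDAP client.
MOD_ADD, MOD_REPLACE = "add", "replace"
# Only the attribute named in the server error on this page is modelled as single-valued.
SINGLE_VALUED = {"nsslapd-accesslog-logmaxdiskspace"}

class ObjectClassViolation(Exception):
    """Stands in for LDAP result code 65 ('Object class violation')."""

def plan(state, entry, wanted):
    """Build the modification list each state asks the server to perform."""
    mods = []
    for attr, value in wanted.items():
        current = entry.get(attr, [])
        if state == "present":
            # Documented behaviour: add the given value if it is missing.
            # Values already stored on the attribute are left in place.
            if value not in current:
                mods.append((MOD_ADD, attr, [value]))
        elif state == "exact":
            # Documented behaviour: force the value set to exactly what was given.
            if current != [value]:
                mods.append((MOD_REPLACE if current else MOD_ADD, attr, [value]))
        else:
            raise ValueError(f"unsupported state: {state}")
    return mods

def apply_mods(entry, mods):
    """Apply mods to a copy; an LDAP modify is atomic, so a failure changes nothing."""
    result = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        result[attr] = result.get(attr, []) + values if op == MOD_ADD else list(values)
        if attr in SINGLE_VALUED and len(result[attr]) > 1:
            raise ObjectClassViolation(
                f'single-valued attribute "{attr}" has multiple values')
    return result

# Constructed sample state: the attribute already holds one value (500 is made up).
ENTRY = {"nsslapd-accesslog-logmaxdiskspace": ["500"]}
WANTED = {"nsslapd-minssf": "56", "nsslapd-accesslog-logmaxdiskspace": "1000"}

if __name__ == "__main__":
    for state in ("present", "exact"):
        mods = plan(state, ENTRY, WANTED)
        try:
            print(state, mods, "->", apply_mods(ENTRY, mods))
        except ObjectClassViolation as exc:
            print(state, mods, "-> rejected:", exc)
```

In this model the rejected `present` run also leaves `nsslapd-minssf` unset, because the whole modify fails as a unit; with `exact` the old value is replaced and a second run plans no changes.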